Tag Archives: ecommerce policy

Ecommerce: Intermediary’s liabilities and duties

The Delhi High Court in the case of Christian Louboutin SAS v. Nakul Bajaj and Ors.[i], (hereinafter Louboutin case) has dealt in detail the circumstances where an E-commerce platform could be considered as an intermediary and when it loses the safe harbour  under the Information Technology Act, 2000 (“Act”).

The facts of the case are as follows. The defendant has been operating a website named www.darveys.com (“Website”) offering for sale, various luxury products including the plaintiff’s brand of luxury shoes under the brand “Christian Louboutin”. The plaintiff (Christian Louboutin SAS), claims that the Website gives an impression that it is in some manner affiliated, sponsored or has been approved by the plaintiff for selling the plaintiff’s luxury products. The plaintiff therefore claimed that the display of plaintiff’s product on the Website results in the infringement of trade mark rights of the plaintiff and dissolution of the luxury status enjoyed by its products and brands.

The defendant’s claimed that the Website is an intermediary, as it not selling the products, but is merely enabling booking of such products through its online platform and that it is only booking orders on behalf of the sellers whose products are being displayed on their platform.

E-commerce platform and their role as intermediaries

In an e-commerce marketplace platform, it usually displays the name of the sellers and assists the customers by providing reviews of the various sellers who are listed on the platform. It also provides for other services such as online payment, maintaining warehouses, delivery and the like. The question that arises is at what point can the platform can say it is only an intermediary.

Section 2(w) of the Information Technology Act defines an intermediary as an “intermediary, with respect to any particular electronic records, means any person who on behalf of another person receives, stores, or transmits that record or provides any service with respect to that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites online auction sites, online- market places, and cyber cafes.”

In Google France SARL, Google Inc. v. Louis Vuitton Malletier SA & Ors. (hereinafter, ‘Google France’), one of the point noted it that “it is necessary to examine whether the role played by that service provider is neutral, in the sense that its conduct is merely technical, automatic and passive, pointing to a lack of knowledge or control of the data which it stores.”

The Google France case has laid out certain principles on the liability of intermediaries and the Louboutin case makes a reference to it. Below are some useful excerpts from the judgement:

  1. Exemptions from liability of intermediaries are limited to the technical process of operating and giving access to a communication network. Such an exemption is needed for the purposes of making the transmission more efficient.
  2. The activity of the intermediary is merely technical, automatic and passive – meaning thereby that the intermediary does not have any knowledge or control over the information which is transmitted or stored.
  3. The intermediary gets the benefit of the exemption for being a “mere conduit” and for “caching”, when it is not involved in the information which is transmitted/translated.
  4. If any service provider deliberately collaborates with the recipient of a service, the exemption no longer applies.
  5. In order for the service provider to continue to enjoy the exemption, upon obtaining knowledge of any illegal activity, the service provider has to remove or disable access to the information.
  6. In order to constitute a mere conduit, the service provider should not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission.
  7. The storage of the information has to be automatic, intermediate and transient.
  8. The provider should not obtain any data based on the use of the information.
  9. For claiming exemption from damages, the service provider should not have any knowledge of the illegal activity, and upon acquiring knowledge, should expeditiously remove or disable the information.
  10. Service providers do not have a general obligation to monitor the information which is transmitted or stored.

In the case of  L’Oreal SA & Ors. v. eBay International AG & Ors.[ii], the Court of Justice of European Union held that an operator which provides assistance “which entails, in particular, optimizes the presentation of the offers for sale in question, or promotes them”, even if the operator has not played active role and he provides the above service, the operator can claim protection as an intermediary. However, the said intermediary, if upon becoming aware of the facts which lead to an inference that the offers made on the website were unlawful, failed to act expeditiously, then the exemption ceases.

It is essential to determine whether the service provider played an active role or not, and whether it has the knowledge or control over the data which is stored by it. Further, if the service provider has no knowledge, then upon obtaining knowledge of the unlawful activity, it should expeditiously remove the data or disable access, failing which the service provider may become liable.

In Inwood Laboratories, Inc. v. Ives Laboratories, Inc.[iii], the question of contributory negligence with regard to infringement of trademark by the online service provider and the manufacturer (famously known as ‘Inwood Test’) observed that “if a manufacturer or distributor intentionally induces another to infringe a trademark, or if it continues to supply its product to one, whom it knows or has reasons to know is engaging in trademark infringement, the manufacturer or the distributor is contributorially responsible for any harm done as a result of the deceit”.

In the Louboutin case, the Honourable High Court of Delhi, observed that the defendant had a membership fee to place an order for goods on the Website, guaranteed authenticity that the products procured and sold were from the international boutiques and luxury stores, shipping to customers would be only after quality checking.

The Court opined that the safe harbour provisions for intermediaries under section 79 of the Act is not absolute. An active participation by the intermediaries is to be examined and if there is an active participation then the ring of protection or exemption granted to the intermediaries would not apply.

With regards to trademark infringement, section 101 of the Trade Marks Act states “that a person shall be deemed to apply a trade mark when (a) the mark is placed, enclosed or annexed to any good which are sold or are exposed for sale, (b) when the mark is used in relation to the goods or services in any sign, advertisement, invoice, catalogue, business paper price list”. Further, section 102 states that “a person shall be deemed to falsely apply to goods or services a trade mark, who without the assent of the proprietor of the trade mark (a) applies such mark or a deceptively similar mark to goods or services or any package containing goods; (b) uses any package bearing a mark which is identical with or deceptively similar to the trade mark of such proprietor, for the purpose of packaging filling or wrapping therein any goods other than the genuine goods of the proprietor of the trade mark”. Therefore, when an ecommerce website actively participates and allows storing of counterfeit goods, it would be aiding in the infringement of the trademark.

In the Louboutin case, the Delhi HighCourt held that the defendant had not sold the plantiff’s products on its Website, though the Website did advertise and promote the plaintiff’s brand and products. The Court did not order for damages/ rendition of accounts.

The Court did give the following directions to the defendant on the activities of running the Website as an intermediary so as to (i) disclose the complete details of all its sellers, their addresses and contact details on its website (ii) obtain a certificate from its sellers that the goods are genuine (iii) If the sellers are not located in India, prior to uploading a product bearing the Plaintiff’s marks, it shall notify the plaintiff and obtain concurrence before offering the said products for sale on its platform (iv) If the sellers are located in India, it shall enter into a proper agreement, under which it shall obtain guarantee as to authenticity and genuinity of the products as also provide for consequences of violation of the same (v) Upon being notified by the Plaintiff of any counterfeit product being sold on its platform, it shall notify the seller and if the seller is unable to provide any evidence that the product is genuine, it shall take down the said listing and notify the plaintiff of the same, as per the Intermediary Guidelines 2011 (vi) It shall also seek a guarantee from the sellers that the product has not been impaired in any manner and that all the warranties and guarantees of the Plaintiff are applicable and shall be honoured by the Seller. Products of any sellers who are unable to provide such a guarantee would not be, shall not be offered on the Defendant’s platform (vii) All meta-tags consisting of the Plaintiff’s marks shall be removed with immediate effect.

It is certainly interesting to note the thought process of the Court and the direction that it took, in this judgment.

Author: Mr. Anuj Maharana

 

[i] Christian Louboutin SAS v. Nakul Bajaj and Ors., CS (COMM) 344/2018

[ii] L’Oreal SA & Ors. v. eBay International AG & Ors., Case C-324/09

[iii] Inwood Laboratories, Inc. v Ives Laboratories, Inc.,456 U.S. 844

Advertisements

Data Localisation: India’s policy framework

The Personal Data Protection Bill, 2018 (“Bill”) and the Data Protection Committee’s (“Committee”) Report (released on 27 July 2018) contains the framework and the policymakers’ insight on protection of personal data in India. The recent Draft e-commerce policy indicates Government’s thought process on storing data in India. The Reserve Bank of India (RBI) in April this year mandates that all data generated by the payment systems in India, is to be stored in India. The Ministry of Health and Welfare has published the draft legislation called Digital Information Security in Healthcare Act, to safeguard e-health records and patients’ privacy.  Thus, all these new rules/policies/regulations (collectively referred as “the Data Protection Framework”) indicate a very strong direction that the Government wishes to undertake on data localisation, which helps in enforcing data protection, secure nation’s security and protect its citizen’s data, better control on transmission of data outside the country and more.

We believe initial steps were taken when under the Companies Act, 2013, the maintenance of books of account in electronic form, required copies to be kept in servers physically located in India.

Many questions abound that the Government take fast paced measures in enabling the infrastructure to build data-centres, which in-turn requires land clearance, electricity etc., ability to keep the operational costs for SMEs low, jump-starting initiatives on artificial intelligence, delicate balance to be maintained on surveillance and protection.  On a positive note, this provides entrepreneurial opportunities in building data centres, alternative energy/ solar grids etc.

Data Localisation under the Data Protection Committee’s Report and the Bill

Chapter 6 of Committee’s Report provides compelling arguments on ‘Transfer of Personal Data Outside India’, where the Committee notes Laissez Faire economy of data, i.e. where free flow of data is the norm and to restrict as an exception. It also recognizes that an embargo on data crossing borders as curbing personal liberty of people. The Committee recommended that even if the intended destination is across borders, all data to which Indian laws would apply would need to be stored locally as well. The Central Government may decide that certain data may not be permitted to be taken out of the country and requiring its processing to be done locally. To highlight sections 40 and 41:

  • The Central Government shall determine categories of sensitive personal data which are ‘critical’ in nature having regard to strategic interests and enforcement, this personal data can only be processed in India.
  • Transfer of other non-critical personal data will be allowed subject to one serving copy of it being stored in India.
  • Cross border transfers of personal data, other than critical personal data will be through model contract clauses with the data transferor being directly liable to the data principal.

Mandatory Data Localisation being prescribed under different aspects

Localisation of Payment Systems Data mandated by RBI: Even before the release of the Committee’s Report and the Bill, data localisation was touched upon by RBI in its Notification of 9 April 2018, where it directed all payment system providers to ensure that all data relating to the payment systems are to be stored in systems situated only in India. Under the said notification, the RBI includes ‘full end-to-end transaction details’, ‘payment instructions’ and other information collected, processed, carried, etc. to be within the ambit of data which is required to be stored. The maintained are to be annually audited and reported to RBI.

Localisation of Data under the National E-Commerce PolicyThe Draft National Policy Framework (the “National e-commerce Policy”) concerning the ‘Digital Economy’ seeking to regulate the ‘e-commerce’ sector in India, proposes localisation of several categories of data involved in e-commerce. The intent stated is to create a ‘facilitative eco-system’ to promote India’s digital economy through measures such as, data generated by users in India from sources such as e-commerce platforms, social media, search engines, etc., and all community data collected by Internet of Things (IoT) devices in public spaces are to be stored exclusively in India and sharing of such data within the country is proposed to be regulated.

The localisation of data is not absolute and cross-border flow is allowed for a handful of cases, such as for software and cloud-computing services involving technology related data-flow (which are free of any personal or community implications) and other standard exceptions consistent with the views expressed in the Committee’s report.

Localisation under the draft amendment to Drugs and Cosmetics Rules, 1945

The recent draft amendment proposed to the Drugs and Cosmetics Rules, 1945, for regulating e-pharmacies, makes it clear that e-pharmacies web-portals have to be established in India for conducting its business in India and data generated to be stored locally. The draft rules states that under no means the data generated or mirrored through e-pharmacy portal shall be sent or stored by any means outside India.  

Data Centres in India

For the data to be stored locally, data centres need to be established, regulated and function under the law. The demand for companies to host their data in India stemmed from  security perspective. The major issues with data localisation is not only of cyber security but also jurisdiction. Cloud computing softwares have taken advantage of the economies of scale and an infrastructural architecture across the world. Thus when there is a threat presumed in one part of the world, the algorithm would move the data to another location or even in multiple locations. In addition to this the Cyber Security Report, 2017 released by Telstra have reported that businesses in India were most at risk to cyber security attacks. Further the organisation in India have experienced the highest number of weekly security incidents of all Asian countries surveyed.

The Privacy Bill provides that the Central Government to notify categories of personal data for which the data centres have to be established in India and the Authority to be established under the legislation to be responsible for the compliances.  Further for achieving its goal of facilitating India’s ‘Digital Economy’, the National e-Commerce Policy purports to grant “infrastructure status” to data centres and server farms in India. An infrastructure status by getting listed under the Harmonized Master List of Infrastructure Sub-sectors by the Department of Industrial Policy and Promotion (DIPP) entails that it’ll be easier to get credit to enter into these operations. This would be accompanied by tax-benefits, custom duties rebates and also 2-year sunset period before localisation becomes mandatory. However, these incentives are only being considered and not promised as of yet.

Cost-Benefit Analysis on Data Localisation

In Chapter 6 of its report, the Committee takes up a detailed analysis of the benefits and repercussions of adopting mandatory data localisation in India. Benefits as stated in the report include:

  • Reduction in the costs of enforcement of India’s own laws because of easier availability of data within its jurisdiction, the cost and time spent on co-ordinating with foreign agencies for access to requisite data being reduced.
  • Overseas transactions of data involve reliance on fibre optic cable networks spread around the world, which are vulnerable to attacks and perhaps localisation of data may reduce this security risk.
  • Having copies of all data collected in India will be a huge boost to the digital infrastructure as the domestic industry will now be able to harness a lot of data. For instance, the report points out that developments in Artificial Intelligence will see a great boost from this.
  • As a matter of national security, the complete localisation of critical data prevents any foreign surveillance of India’s internal affairs.

The report also states that the localisation of data can have its costs too, however it severely downplays them. The report recognizes that to make storing of data mandatory in India, will result in a burden on the domestic enterprises which use foreign infrastructure like cloud computing for running their businesses. The implications include the increased costs of doing business for small and medium businesses, also there may be the danger of monopolization in the digital infrastructure because only a few firms would have the expertise and capital to invest in creating huge data centres in India. However, the Committee states that they are not persuaded by this argument and are confident that the potential of the Indian market will adequately trump the additional cost of setting up the infrastructure.

 Our observations

Digital India and building a thriving Digital Economy in India, building strong competencies in artificial intelligence, protecting nation’s security and data of its citizens are very critical and is now becoming mandatory for India. Establishing a strong domestic infrastructure is a big commitment for the Government, which includes making available vast tracts of land, uninterrupted power supply to the data centres and such other pre-requisites. It is to be seen how India can harvest the long term benefits.

Important reading material:

https://economictimes.indiatimes.com/news/economy/policy/draft-ecommerce-policy-champions-india-first/articleshow/65206404.cms

https://economictimes.indiatimes.com/news/economy/policy/as-ministries-argue-draft-ecommerce-policy-lands-with-pmo/articleshow/65495585.cms

https://inc42.com/features/draft-indian-ecommerce-bill-favouring-domestic-players-at-the-cost-of-the-ecosystem/