Digital business in India: overview
A Q&A guide to digital business in India.
The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.
To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool.
This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.
The key laws governing business-to-business and business-to-consumer e-commerce are discussed below.
Information Technology Act 2000 (ITA)
Recognises and validates (with a few exceptions) contracts concluded through electronic means, provided that such contracts are otherwise valid under the law.
Imposes an obligation on bodies corporate that possess, deal with or handle any sensitive personal data to maintain reasonable security practices and procedures (RSPPs).
Imposes penalties for breach of confidentiality and privacy, violation of privacy, disclosure of information in breach of any agreement, and identity theft and impersonation.
Sets out the liability (and exemptions) of intermediaries that receive, store or transmit electronic records or provide any service with respect to any record including telecommunications service providers, network service providers, internet service providers, online payment sites, online marketplaces, and so on.
Payment and Settlement Systems Act 2007 (PSSA)
Under the PSSA, anyone commencing a payment system in India must obtain prior authorisation from the Reserve Bank of India (RBI). Examples of payment systems include systems enabling payment between a payer and a beneficiary, involving clearing, payment and/or settlement services (including systems enabling credit card, debit card, smart card and/or money transfer operations), and so on.
In addition, system participants and intermediaries (such as aggregators, payment gateway service providers, e-commerce/m-commerce platform providers, and so on) must comply with certain additional security and risk mitigation protocols prescribed by the RBI for online transactions.
Consumer Protection Act 1986 (CPA)
The CPA governs the relationship between consumers and sellers/service providers. There are no specific provisions relating to online transactions. However, online sellers/service providers are subject to the CPA in the same way as offline sellers/service providers.
Services rendered free of charge are not governed by the CPA.
Foreign Exchange Management Act 1999 (FEMA)
The FEMA regulates foreign direct investment (FDI) in India, along with the FDI Policy developed by the Government of India (GOI).
Under the FDI Policy, e-commerce activities relate to the "buying and selling by a company through an e-commerce platform". Currently, 100% FDI is only permitted in business-to-business e-commerce. No FDI is allowed in entities that carry out single brand or multi-brand retail trading through an e-commerce platform.
However, FDI is permitted in entities that are:
Operating under a marketplace model (rather than an inventory-based model) under which such entities only provide a marketplace to various buyers and sellers for transacting in goods/services.
Purely technology providers.
Various other models (such as back-end and front-end model and the step-down subsidiary model) have been used in the past by Indian e-commerce companies for receiving FDI, but such models have not been considered favourably by the regulators.
Contract and sale of goods laws
The Indian Contract Act 1872 (ICA), sets out the key principles governing contracts in India (for example, offer, acceptance, consideration, free consent, and so on)
The Sale of Goods Act 1930 (SGA), sets out the key principles governing transfers of goods and agreements to transfer goods.
These acts must be read in conjunction with the provisions of the ITA and the Indian Evidence Act 1872 (IEA) regarding the validity of e-contracts.
Other relevant regulations
In addition to the legislation and regulations above, various other regulations may be relevant, such as:
State-specific shops and establishment laws.
Direct and indirect taxation laws.
Intellectual property laws.
Various sector-specific laws if the e-commerce entity also carries out warehousing, logistics or packaging operations.
India has a federal constitutional government. The Constitution of India (COI) defines the legislative competence of the Parliament of India and the state legislative assemblies. The executive powers of the Government of India (GOI) and the state governments (SG) extend to the matters for which the Parliament or the state assemblies, respectively, have the power to make laws.
The Information Technology Act 2000 (ITA), Payment and Settlement Systems Act 2007 (PSSA), Consumer Protection Act 1986 (CPA) and Foreign Exchange Management Act 1999 (FEMA) were passed by the Parliament of India.
State assemblies are authorised to make laws on value added tax (VAT) and sales tax, certain other direct and indirect taxes, public order, trade and commerce, police, and so on. The Parliament and the state assemblies can also legislate in the areas of contracts, evidence and civil procedure.
The following laws, regulations and policies are administered by the following bodies:
ITA: Department of Electronics and Information Technology (GOI).
PSSA: RBI and Ministry of Finance (GOI).
FEMA: Ministry of Finance (GOI) and Reserve Bank of India (RBI).
Foreign direct investment (FDI) policy: Ministry of Commerce and Industry and Ministry of Finance (both GOI).
CPA: Department of Consumer Affairs (GOI).
Setting up a business online
A business can be set up in India as a sole proprietorship, partnership, limited liability partnership and company. Non-residents cannot carry out business in India except through a company or a limited liability partnership (in certain permitted cases) incorporated in India. However, non-residents can set up a branch or liaison, representative or project offices in India.
To set up a business online in India, a company must take the following steps:
Incorporate a company in India with the object of engaging in online business.
Apply for a permanent account number (PAN), under income tax laws, which is a unique tax identification number, and open the bank account of the Indian company.
Capitalise the Indian company, and provide required information to the registrar of companies before starting the business.
Obtain necessary licences and registrations required for carrying out business operations in India.
Obtain or transfer a registered domain name in the name of the Indian company.
Obtain other tax registrations such as VAT and service tax.
Execute relevant operational agreements (for example vendor, service provider, subscriber and payment-related agreements).
Typically, an online business entity can expect to execute contracts with the following parties:
Domain name providers.
Payment gateway providers.
Marketplace platforms providers.
The nature of the contracts to be executed will depend on the nature and activities of the online business entity.
There are no regulations governing the manner in which an app must be developed or distributed. The procedures depend on the platform on which the app is to be provided. Generally, this entails enrolment and verification requirements set out by the platform (including a data universal numbering system (DUNS) registration number). The app must be developed based on the specific requirements set out by the platform on which it is intended to be provided, and must not contain any content or information that is in violation of the laws.
The launch and distribution of the app often entails the creation of an "app-ID" and a provisioning profile under which the app can be launched (these requirements may vary depending on the platform on which the app is to be provided).
Running a business online
Contracts can be formed electronically under Indian law. The requirements for formation are similar to general contract formation requirements under the India Contracts Act 1872 (ICA).
The Information Technology Act 2000 (ITA) guarantees the enforceability of electronic contracts. In addition, if any matter must be in writing, such requirement is satisfied if the writing is in an electronic form and accessible for future reference.
There is no mandatory "cooling off" period under Indian law. E-commerce entities usually provide for a return/refund policy for certain specified reasons (for example, in the case of damaged goods, poor quality, and so on), which is a requirement under the Consumer Protection Act 1986 (CPA).
The laws governing internet contracts are similar to those that govern other types of contracts.
The key laws governing both electronic and non-electronic contracts are the:
Information Technology Act 2000 (ITA).
Sale of Goods Act 1930 (SGA).
Specific Relief Act 1963 (SRA).
Additionally, the relevant provisions of the ITA and the Indian Evidence Act 1872 (IEA) on presumption, relevancy and other evidentiary principles apply to internet contracts.
Website accreditation is available in India, for example through www.indusface.com.
The Information Technology Act 2000 (ITA), Consumer Protection Act 1986 (CPA) and Sale of Goods Act 1930 (SGA) govern matters related to contracts, including breach of contract and damages/remedies for breach.
The CPA provides for remedies against a seller/service provider for:
Defects and deficiencies in the goods sold or services provided.
Unfair or restrictive trade practices.
Charging excessive prices.
Providing hazardous goods/services.
If liable, sellers/service providers may be ordered to carry out one or more of the following:
Replace the goods.
Return the price already paid.
Discontinue the unfair or restrictive trade practice.
In addition, failure to comply with an order of the authorities under the CPA may entail imprisonment of up to three years or a fine of up to INR10,000, or both.
The Specific Relief Act 1963 (SRA) provides for remedies such as specific performance and other equitable remedies.
Indian law recognises e-signatures in the Information Technology Act 2000 (ITA).
Definition of e-signatures
An e-signature means authentication of any electronic record by a subscriber by means of an electronic technique that is:
Specified in the Second Schedule of the ITA.
Format of e-signatures
E-signatures include digital signatures using asymmetric crypto system and hash function that transforms a record from one form to another. Essentially, the hash function yields a hash result which is the same each time the algorithm of the same electronic record is executed. It is not possible to reconstruct the original electronic record from the hash result produced by the algorithm. A digital signature can be verified by any person by using a public key that, along with the private key, is unique to each subscriber.
There continues to be some ambiguity as to whether e-signatures other than digital signatures issued by certifying authorities under the ITA are enforceable.
Until recently, the Second Schedule of the Information Technology Act 2000 (ITA) did not set out any specific authentication technique. The government recently issued the Electronic Signature or Electronic Authentication Technique and Procedure Rules 2015 which introduces an authentication technique using "Aadhaar e-KYC". This is an integrated service for digitally signing a document by an Aadhar holder using a digital signature issued by a licensed certifying authority.
However, it is important to note that e-signatures are still limited to digital signatures until such time the Government of India (GOI) further amends the Second Schedule of the ITA.
There are certain limitations on the use of e-contracts and e-signatures under the ITA (see Question 8).
Implications of running a business online
Cyber security/privacy protection/data protection
Information Technology Act 2000 (ITA)
A body corporate that possesses, deals with or handles any sensitive personal data in a computer resource that it owns, controls or operates is liable to compensate any affected person if it is negligent in implementing and maintaining reasonable security practices and procedures (RSPPs), resulting in wrongful loss or wrongful gain to any person. A body corporate includes a sole proprietorship and an association of individuals engaged in commercial/professional activities.
The Government of India (GOI) has issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules), which set out the RSPPs for data handled by bodies corporate.
Personal data means any information that relates to a natural person which, either directly or indirectly, in combination with any other information is capable of identifying such person. Sensitive personal data means personal information relating to:
Financial information such as bank account, credit card or debit card or other payment instrument details.
Physical, physiological and mental health condition.
Medical records and history.
Any detail regarding the above information provided to a body corporate for the provision of any services.
Any of the above information received by a body corporate which is stored and processed under a lawful contract.
The IT Rules include provisions relating to the:
Collection, storing and holding of information by bodies corporate.
RSPPs to be adopted by bodies corporate.
Disclosure and transfer of information by bodies corporate.
In addition, any person (including an intermediary) who is providing services to another person under a lawful contract and has secured access to any material containing personal information about such other person, and intentionally or knowingly causes wrongful loss or wrongful gain by disclosing such information to any third person (without the consent of the other person or in breach of the lawful contract), is liable to imprisonment for a term of up to three years and/or to a fine of up to INR500,000 (section 72A, ITA).
While the IT Rules and corresponding ITA provisions only apply to bodies corporate, section 72A of the ITA is applicable to all "persons". However, section 72 is limited to breaches committed by a person who has access to information pursuant to the powers conferred on such person by the ITA or any rules/regulations issued under the ITA.
The ITA has extra-territorial effect (unless otherwise provided). However, the IT Rules only apply to bodies corporate or persons located in India, and do not apply to foreign corporations or persons located outside India, or when information is collected from persons located outside India. In addition, bodies corporate providing services regarding the collection, storage, dealing or handling of sensitive personal data pursuant to any contract with any other entity (whether located in or outside of India) are not required to follow the conditions governing the collection and disclosure of information under the IT Rules.
In addition to the provisions of the ITA mentioned above, various laws regulate data protection and privacy (for example, laws pertaining to banking regulation, public financial institutions, income tax, credit information companies, and so on). Sectoral regulators (including the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority, and the Securities and Exchange Board of India) have issued regulations and/or guidelines relating to the protection of data held by various market participants in the respective sectors.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) govern mostly personal and sensitive personal data. The Information Technology Act 2000 (ITA) also provides for penalties in the event of a general breach of confidentiality and privacy obligations by a person who has access to any information, pursuant to the powers conferred on such person by the ITA, or any regulations issued under the ITA (see Question 14, Information Technology Act 2000 (ITA)).
The protection of business, proprietary or non-personal data is usually regulated under general intellectual property laws, criminal laws and confidentiality arrangements between parties.
Sensitive personal data can only be collected after obtaining written consent (through letter, fax, e-mail or any other mode of electronic communication) from the data provider regarding the purpose of use of such data.
In addition, sensitive personal data cannot be collected unless:
It is collected for a lawful purpose in relation to a function or activity of the body corporate or any person on its behalf.
The collection of such data is considered necessary for that purpose.
The data provider must also be informed of:
The fact that those data are being collected.
The purpose of collection.
Details concerning the intended recipients and any collection agency (that is, an entity collecting and/or retaining data on behalf of a body corporate).
Personal data cannot be retained for a period longer than what is required for the intended purpose of collection, or as otherwise provided for under law. Personal data can only be used for the purpose for which they have been collected, and the data provider has the right to review (and to correct, if required) the data provided by him/her. The body corporate (or any person on its behalf) must keep personal data secure and address any grievance from the data provider regarding the processing of such data.
There are no specific rules on storage of personal data on cloud. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) will therefore apply to cloud storage, depending on the nature and location of the cloud.
Internet service providers must comply with the various security obligations set out in the telecommunication licences granted by the Government of India (GOI). These obligations include:
Protecting privacy of communication.
Preventing unauthorised interception.
Formulating and submitting to the GOI a policy on security and security management.
Conducting periodical network security audits.
Additionally, the Reserve Bank of India (RBI) has issued various notifications, circulars and guidelines relating to security and risk mitigation measures for internet transactions. These security measures include:
The two-step authentication for "card not present" (CNP) transactions.
Informing customers about transactions via texts and/or e-mails.
While internet transactions always remain vulnerable to various security breaches, companies must comply with the rules above to mitigate security risks in electronic transactions.
Under the Information Technology Act 2000 (ITA), the Government of India (GOI) can issue rules and guidelines prescribing the modes or methods of encryption for secure use of electronic media and for the promotion of e-governance and e-commerce. However to date, the GOI has not issued any such rules or guidelines.
The Reserve Bank of India (RBI) prescribed that the minimum encryption-level that banks must put in place for facilitating internet banking is SSL/128 bit encryption.
In addition, under various telecommunication licences issued by the GOI, encryption beyond certain prescribed levels can only be used with the prior approval of the relevant authorities.
The Government of India (GOI) and state governments (SGs) can compel disclosure of personal data.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules) provide that disclosure of sensitive personal data requires prior consent of the provider of such data unless either:
Disclosure was made pursuant to an agreement with the data provider.
Disclosure is necessary for compliance with any legal obligation.
In addition, disclosure must also be made to governmental agencies in the following situations:
Agencies that are entitled under the law to obtain such information for purposes of:
prevention, detection and/or investigation of crimes; or
prosecution or punishment of offences.
Pursuant to an order in accordance with the law (for example, an order of any competent court).
The governmental authorities are also empowered to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary in the interest of national security, public order, or for the investigation of any offence. The monitoring of traffic data by governmental authorities is also permitted.
Under the Payment and Settlement Systems Act 2007 (PSSA), no payment system can be operated without the Reserve Bank of India's (RBI's) authorisation. The application for obtaining such authorisation must be made in the prescribed format, and the applicant must provide information to the RBI including information relating to its financial position, features of the payment system, security features, and so on.
In deciding whether to grant authorisation, the RBI considers the following aspects:
The technical standards or the design of the proposed payment system.
The terms and conditions of operation of the proposed payment system, including any security procedure.
The manner in which transfer of funds can be effected within the payment system.
The interests of consumers, including the terms and conditions governing their relationship with payment system providers.
In addition, the RBI is authorised under the PSSA to issue directions and circulars concerning payment systems and settlement mechanisms.
Indian law imposes limitations (although partially) on linking to a third party website and other practices such as:
Deep linking, that is a hypertext link that provides direct access to an internal page of a third party website, bypassing the home page of the linked-to-site (and therefore bypassing the advertisements, registration forms, disclaimers, terms and conditions for using that website).
Caching, which is the temporary storage of web information, for later use (that is, the creation of a copy).
The use of meta-tags (that is, source codes used to index and categorise web pages).
While the courts have held that surface linking (that is, a hypertext link to the home page of a third party website) does not result in any copyright infringement, the practice of deep linking (see above) has been held violate the copyright protection available to third party websites. The underlying rationale is that, by facilitating access to only certain identified internal content of a third party website, deep linking creates an unlawful diversion of internet traffic as it obviates the need to visit the third party website directly, which in turn adversely affects its popularity and results in great financial loss (including loss of revenue from advertisements) to the developer/owner of the third party website.
Framing may violate the provisions of the:
Copyright Act 1957 (CA), as any importation from a third party website and reproduction in a special "frame" on the page of the importing website without the consent or authority of the owner of the third party website does not only amount to copyright infringement, but may also be a violation of its special statutory rights (such as the right to integrity or the right to create derivative works).
Trade Marks Act 1999 (TMA), if the display of the address of the framing site is deemed to confuse users as to the origin of the site.
Regarding caching, the settled position is that any intentional caching of copyrighted work available online will be deemed to amount to copyright infringement if it is carried out for any purpose that does not fall within the scope of defences to copyright infringement.
Finally, the Indian courts have recognised that metatags can potentially be misused to unlawfully divert internet traffic from a particular website if the defendant uses the claimant's trade mark and/or domain name (or any trade mark or domain name that is deceptively similar to the claimant's trade mark and/or domain name) as part of the metatags in its domain name and/or in the content of its website without the claimant's authorisation, express or implied.
Indian courts have held that domain names (which are capable of distinguishing the subject of trade or service made available to potential internet users) have the same characteristics as those of a trade mark, and are therefore governed by the legal regime regarding the use, licensing, and protection of trade marks in India.
The Trade Marks Act 1999 (TMA) only sets out rules for the assignment or transmission of a trade mark by the owner and/or registered user (that is, a person who has registered his contractual right (granted by the owner of the trade mark) to use a trade mark with the prescribed authority under the TMA) of such trade mark. The licensing of a trade mark by an unregistered licensee/user is not covered by the TMA, but courts have held that such licensing is governed by the principles of common law and contract law provided that all the following conditions are satisfied:
The use of the trade mark by the licensee does not cause confusion or deception to the public.
The use of the trade mark by the licensee does not destroy the distinctiveness of the trade mark.
A connection is maintained between the proprietor and the goods sold under the trade mark.
Similarly, the licensing of a domain name by the registered owner/user will be governed by the provisions of the TMA, and any licensing by an unregistered user will be subject to contract law and the principles of common law.
It is possible for a non-Indian resident to register an India-specific domain name with the relevant Indian authority (that is, the National Internet Exchange of India (INRegistry). This is supported by the fact that the rules and regulations published by the INRegistry on its website permits anyone to register and use ".in" domain names.
Domain names that are capable of distinguishing the subject of trade or services made available to potential internet users have the same characteristics as trademarks. Accordingly, they will be granted the same protection as trademarks under the Trade Marks Act 1999 (TMA). Therefore, infringement actions can be initiated in the case of a domain name that is a registered trade mark. Domain names that have the characteristics of unregistered trademarks can be protected though passing off.
In addition, the rights of proprietors of registered trademarks under the TMA are reflected in the IN Dispute Resolution Policy and Procedure of the National Internet Exchange of India (INRegistry).
Under Indian law, the following restrictions apply to the selection and use of a proposed business name:
Its use must not be prohibited under the Emblems and Names (Prevention and Improper Use) Act 1950.
It cannot contain the name of a registered trade mark or a trade mark that is the subject of an application for registration, unless the consent of the owner or applicant for registration of the trade mark has been obtained and produced by the promoter(s).
It cannot include any word or words that are offensive to any section of the public and must not be scandalous or obscene.
It must not deceive the public or cause confusion.
It should be of a distinctive character (that is, it must be capable of distinguishing the goods or services of one person from those of another).
It must not consist exclusively of marks or indications that may serve in the trade to designate the kind, quality, quantity, intended purpose, values, geographical origin or time of production of the goods or rendering of the services, or other characteristics of the goods or services.
It must not consist exclusively of marks/indications that have become customary in the current language or established practices of the trade, which is an absolute ground for refusal of registration.
Any person seeking to register a business name (to be used as a trade mark) must make an application in writing to the Trade Marks Registry (Registrar). The Registrar can accept the application with or without modification. In the case of refusal, the Registrar must provide reasons in writing. On acceptance, the application is advertised and open for opposition. If the application remains unopposed or if any opposition is adjudged in favour of the applicant, the Registrar must register the name/mark within 18 months from the date of the application.
Jurisdiction and governing law
For determining territorial jurisdiction, courts consider two fundamental factors:
The place of the defendant's residence.
The place of the cause of action.
In cases of internet transactions/disputes, courts have followed the tests of active and passive interaction. Courts have held that for a court to accept jurisdiction, the claimant must establish the following:
The defendant purposefully availed itself of the jurisdiction of the court.
The activities of the defendant were prima facie aimed at the conclusion of a commercial transaction in the court's jurisdiction.
Such activities resulted in an injury or harm to the claimant within the court's jurisdiction.
Therefore, merely operating an interactive website is not sufficient to come under the jurisdiction of an Indian court, and "intentional targeting" must be established.
Under Indian law, if the contracting parties have expressly selected the law that applies to the contract, then such an express choice will be recognised by the courts provided that the choice is explicit, clear, unambiguous, bona fide, legal and not contrary to public policy.
In the absence of an express choice of law, the governing law must be inferred from the intention of the parties, relying on various factors including the terms and conditions and the general circumstances surrounding the contract. If the courts are unable to infer the intention of the parties, the governing law of the contract is that of the jurisdiction that has the closest connection with the contract, based on the specific facts and circumstances.
The principles above apply to internet transactions.
ADR options are available and usually used by online traders and their customers in India. Online traders usually include arbitration as the primary dispute resolution mechanism in their terms and conditions.
ODR methods are still in their infancy in India and have not received significant attention.
India does not have a single consolidated law that deals with all aspects of advertising. Various laws and regulations (not primarily directed at advertising) regulate advertising based on the:
Content and impact of the content on the public.
Nature of goods/services advertised/sold (see Question 30).
Particular medium used.
The following laws regulate advertising content regardless of media:
Consumer Protection Act 1986 (CPA). The CPA prohibits "false advertisements including misrepresentations or false allurements" and imposes penalties for making such false claims.
Young Persons (Harmful Publications) Act 1956. This act imposes penalty for advertising or making known by any means (including online media) that any "harmful publication" can be obtained from or through any person.
Indecent Representation of Women (Prohibition) Act 1986. This act prohibits indecent representations of women through the depiction of the figure of a woman, her form of body, or any part of such body.
Emblems and Names (Prevention of Improper Use) Act 1950. This act prohibits the improper use of certain emblems and names for commercial/professional purposes.
Drug and Magic Remedies (Objectionable Advertisement) Act 1954. This act prohibits references that are likely to lead the public to infer special, miraculous or supernatural properties or qualities for any medicine and which are difficult to establish.
Cigarettes and Other Tobacco Products (Prohibition of Advertisement and Regulation of Trade and Commerce, Production, Supply and Distribution) Act 2003. This act prohibits the direct or indirect promotion of the production, sale or consumption of cigarettes and other tobacco products.
Certain laws are specific to some forms of media and do not directly apply to online marketing.
The Advertising Standards Council of India (ASCI) is the self-regulatory body for the Indian advertising industry. The ASCI has issued a Code for Self-Regulation in Advertising (ASCI Code) that sets out the basic principles regarding advertorial content in India. The primary objective of the Code is to ensure that advertisements:
Are not misleading/making false claims.
Are not obscene or otherwise offensive to the public, or a section or class of public.
Do not promote habits or behaviours that are illegal, immoral, and so on.
The ASCI processes complaints through its consumer complaints council. An advertisement that violates the above principles will be modified or withdrawn.
Indian e-commerce laws are still developing and there is no consolidated policy that deals specifically with the online advertising/sale of certain types of services or products. Generally, the applicable restrictions on the sale and promotion of goods/services are as follows:
The sale (both offline and online) of certain products or services is prohibited per se (for example, narcotic substances, pornographic materials, and so on).
For certain products, online sale is not possible as the legal requirements for sale cannot be completed in an online environment (for example, prescription drugs).
In addition, the sale/advertising (both offline and online) of certain products or services must comply with specific requirements (for example, foods and beverages, insurance products and legal services).
Online advertisers must also ensure that the content hosted on electronic platforms complies with the requirements of the Information Technology Act 2000 (ITA), including that the material is not:
Grossly offensive or of a menacing character.
Sent to the addressees with the intention of causing inconvenience and/or misleading them.
There are no specific laws governing spam e-mails in India. The Information Technology Act 2000 (ITA) prohibits the transmission or publication of any material that is lascivious, or appeals to the prurient interest or depraves/corrupts persons who are likely to read, see or hear such material in an electronic form. Any spam e-mail violating this provision is prohibited.
In addition, the issue of the liability of internet service providers (ISPs) in relation to spam e-mails is unclear, since such e-mails are transmitted through an ISP server, and an ISP can technically be considered to be involved in the transmission. Courts have acknowledged the lack of legislation on this subject, and have stated that spam e-mails must be assessed under the principles of tort law.
Under the telecommunications regulations in India, all access providers of basic and mobile telephony must maintain a customer preference registration facility that allows customers to register/de-register their preferences regarding the receipt of commercial communications, including text messages. Customers can opt for a complete or partial blocking of all types of commercial communications. Unsolicited commercial communications exclude "transactional messages" that pertain to information related to the particular transactions carried out by the customer.
Entities transmitting commercial communications through a telecommunication service must be registered as "telemarketers". Entities that are not registered as such are restricted from sending more than 100 text messages per day.
Regardless of the e-commerce model used (that is, manufacturing model or marketplace model), profits arising from online sales concluded by retailers are subject to income tax in India at the corporate tax rate of about 35% (for financial year 2015-16). If the amount of tax payable under the normal provisions of income tax laws is lower than 18.5% of the "book profits" of the retailer, then the effective rate of about 20% applies.
Value added tax (VAT)/central sales tax
Online sales of goods are subject to VAT in the relevant state if the sale is to a customer within that state, and subject to central sales tax (CST) if the sale is to a customer located outside such state. VAT rates are prescribed under the VAT legislation of each state, and may differ depending on the products. The current rate of CST is 2%, subject to any prescribed concessional tax form issued by the registered buyer. Some Indian states laws may also subject online marketplace entities to such taxes.
For VAT (intra-state sales), a seller must register with the state VAT authorities that have jurisdiction over the seller's principal place of business.
For central sales tax (CST) (inter-state sales), a seller must register with the CST authorities of the state from which the goods originate.
VAT and CST registrations must be obtained at different times, depending on the respective state laws.
Online companies providing services from India must register with service tax authorities and pay service tax on the gross value of fees earned. Whether an online company is a seller or service provider depends on its business model.
For income tax purposes, an entity must register with the income tax authorities and obtain a permanent account number (PAN). The PAN should be obtained after incorporation and commencement of the business, and in any case before the due date for filing the first income tax return. In addition, obtaining a PAN is a condition for opening a bank account.
If there is a requirement to make any payment subject to withholding tax to be deposited to the credit of the Government of India (GOI), then a company will also be required to obtain a tax deduction account number (TAN). For example, payments received by companies relating to rent, fees for professional services, commissions and brokerage are subject to withholding tax.
Protecting an online business
Liability for content online
The liability (or exemptions) for website content or information gathered by websites is governed by the:
Information Technology Act 2000 (ITA).
Rules and regulations issued under the ITA, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules).
Due diligence guidelines for intermediaries.
Liability for online copyright and trade mark infringements is governed by the Copyright Act 1957 (CA) and the Trade Marks Act 1999 (TMA)
The Code for Self-Regulation in Advertising (ASCI Code) (see Question 29) governs online advertising to promote fair competition and ensure that advertisements are:
Not offensive to the public.
Not promoting harmful products.
In addition, websites must publish the terms and conditions for access to and use of the website
Unless it is an intermediary, a website owner is liable for the content that is displayed. However, an intermediary may also be liable for the content a website displays in some cases (see Question 38).
The liability of online marketplaces for deficiencies of goods/services sold to customers is unclear. While such websites have a "good faith" duty to sell genuine products, the primary liability rests with the supplier of the goods/services.
An internet service provider (ISP) is an intermediary under the Information Technology Act 2000 (ITA), which also includes online payment sites, online market places, and so on.
Under the ITA, intermediaries are not liable for any third party information, data or link that may be made available or hosted by them provided that:
The intermediary's function is limited to providing access to a communication system over which third party information, data or links are transmitted or temporarily hosted.
The intermediary does not:
initiate the transmission;
select the recipient of the transmission; or
select or modify the information contained in the transmission.
The intermediary observes due diligence and other guidelines prescribed by the Government of India (GOI) while discharging its duties under the ITA.
However, an intermediary's liability arises if either:
It has conspired, abetted or aided in the commission of any unlawful act.
It has actual knowledge or is notified by the GOI (or a state government (SG) or agency) that any information connected to and controlled by the intermediary is being used to commit an "unlawful act", and it fails to expeditiously remove or prevent access to such information without removing the evidence in any manner.
In a recent judgment, the Supreme Court has restricted the meaning of "unlawful act" to those acts that are mentioned in Article 19(2) of the Constitution of India (COI). In addition, the intermediary must be notified either by the GOI, SG or an agency or by way of a court order.
There is a proposal to open the e-commerce sector in India to foreign investment. Currently, foreign investment in business-to-consumer e-commerce is prohibited to prevent disruption to local industries. E-commerce businesses in India with foreign participation can currently only operate as business-to-business and under marketplace models (see Question 1, Foreign Exchange Management Act 1999 (FEMA)).
Recently, the Securities and Exchange Board of India (SEBI) has proposed an "alternate capital raising platform" where e-commerce companies could raise money from institutions and high net-worth individuals under a relaxed regulatory regime, rather than having to comply with the capitalisation, net-worth and financial performance requirements for accessing public markets in India.
Additionally, the Government of India (GOI) is planning to amend the Consumer Protection Act 1986 (CPA) to expressly cover e-commerce transactions.
Telecom Regulatory Authority of India
Description. Updated list of laws and regulations governing the Indian telecommunications sector.
Department of Revenue, Government of India
Description. Laws governing direct and indirect taxes levied by the Union Government (potentially out-of-date).
National Consumer Disputes Redressal Commission
Description. Access to consumer protection laws (potentially out-of-date and not exhaustive).
National Commission for Protection of Child Rights- Young Persons
Description. Access to the Harmful Publications Act 1956 (potentially out-of-date).
National Commission for Women
Description. Access to the Representation of Women (Prohibition) Act 1986 (potentially out-of-date).
Delhi Government website
Description. Access to the Emblems and Names (Prevention of Improper Use) Act 1950 (potentially out-of-date).
Government of Karnataka, Drugs Control Department
Description. Access to the Drug and Magic Remedies (Objectionable Advertisement) Act 1954 (potentially out-of-date).
Cigarettes and Other Tobacco Products (Prohibition of Advertisement and Regulation of Trade and Commerce, Production, Supply and Distribution) Act 2003.
Description. Access to the Cigarettes and Other Tobacco Products (Prohibition of Advertisement and Regulation of Trade and Commerce, Production, Supply and Distribution) Act 2003 (potentially out-of-date).
Union Government of India
Description. Access to all enactments of the Union Government from 1836 (potentially out-of-date).
Gazette of India
Description. This website provides access to authorised legal documents of the Government of India. All parts, sections and sub-sections of the Gazette of India are uploaded on the e-gazette website by the Government of India Printing Press. Notifications are published by the Department of Publication. Publications available on this website are potentially out-of-date.
Information Technology Act 2000 (ITA)
Description. Access to ITA (potentially out-of-date).
Reserve Bank of India
Description. Access to the Payment and Settlement Systems Act 2007 (PSSA) (potentially out-of-date).
Department of Electronics and Information and Technology
Description. Official website of the Department of Electronics and Information and Technology. Publications available on this website are potentially out-of-date.
Advertising Standards Council of India
Description. Official website of the Advertising Standards Council of India. Publications available on this website are potentially out-of-date.
Khaitan & Co
Professional qualifications. India
Areas of practice. E-commerce.