India's DPDP Act: Overview of the upcoming Data Protection Law

TMO Group, August 14, 2024

As one of the fastest-growing eCommerce markets in the world, India has attracted many global brands, such as Xiaomi and OPPO, which have entered the Indian market through cross-border eCommerce. From the original Information Technology Act (2000) to the Digital Personal Data Protection Act, 2023 (the DPDP Act), which has been passed but is not yet in force, India's data protection regime has matured considerably in recent years. The new Act closes gaps in the earlier laws and raises new data compliance requirements, and new challenges, for cross-border eCommerce companies.


Brands that sell through third-party marketplaces can rely largely on each platform's policies to stay within local regulations. Companies running self-operated branded eCommerce stores, by contrast, process user data directly and face substantial compliance challenges when they operate across borders. Understanding and complying with these data regulations is the basis for a successful market entry and for avoiding unnecessary compensation claims or legal liability.

This article will explore in-depth the key data regulations that self-operated eCommerce brands must understand and comply with when expanding to India.

You can also read our overviews of data regulations in Southeast Asia, China (Data Protection Laws in China: Overview (2024)), Japan (Data Protection Laws in Japan: Overview (2024)) and Australia, each based on the latest laws.

OPPO's cross-border eCommerce store for India

1. Digital Personal Data Protection Act (2023)

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. It was passed by Parliament and received presidential assent in August 2023, and it takes effect only on the dates the Indian government notifies. The Act marks an important step forward in India's personal data protection and requires companies to follow strict compliance standards in their data processing activities.

Before this, India's data protection relied mainly on the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These provide some guidance on the handling of sensitive personal data but are neither comprehensive nor systematic. The new Act fills this gap and sets a higher standard for data protection.

The Act regulates the processing and protection of digital personal data as a whole and is the first comprehensive data protection law enacted in India. Note its terminology: the organisation that decides the purpose and means of processing is the "Data Fiduciary" (the controller in other regimes), an entity processing on its behalf is a "Data Processor", and the individual is the "Data Principal". Its key contents include the following:

  1. Personal data protection: any processing of personal data must be for a lawful purpose and either based on the explicit consent of the Data Principal or covered by one of the "legitimate uses" the Act lists, and it must be limited to what is necessary for that purpose.
  2. Responsibilities of Data Fiduciaries: Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches, remain responsible for processing carried out by their Data Processors, and must notify the Data Protection Board of India and each affected Data Principal of any personal data breach.
  3. Rights of Data Principals: Data Principals have a number of rights, including the right to information about the processing, the right to access, the right to correction and erasure, and the right to grievance redressal. Data Fiduciaries must provide the means to exercise these rights.

2. Key Regulations for branded eCommerce companies

Official website of the Ministry of Electronics & Information Technology of India

Cross-border eCommerce companies should follow the latest developments in the laws and regulations that affect their business and ensure their operations meet those requirements. Because regulations can be amended at any time, and because the DPDP Act's detailed rules are still being issued, companies also need to review their compliance strategy regularly to keep pace with the legal environment.

Digital Personal Data Protection Act (2023)

This is India's first comprehensive data protection law. Once brought into force by the Government of India, it will become the primary law governing the protection of personal data.

Information Technology Act (2000)

The Act contains provisions concerning sensitive personal data, which are relevant to data protection.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011)

These rules focus specifically on the protection of sensitive personal data. Although they will be superseded by the Digital Personal Data Protection Act, 2023, understanding them helps to explain the context in which India's data protection regime developed.

Industry-specific regulations:

Sector-specific regulations in areas such as banking, telecommunications, insurance and consumer protection may contain provisions related to data protection, and these will continue to apply alongside the Digital Personal Data Protection Act.

Constitutional Right to Privacy Judgment:

In Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. [Writ Petition (Civil) No. 494 of 2012], decided in 2017, the Supreme Court of India recognised the right to privacy as a fundamental right. The judgment guides the interpretation and implementation of India's data protection laws.

If you want to know more detailed regulations and their implementation in cross-border eCommerce, you can learn about our eCommerce legal compliance services

3. Cross-border eCommerce Enterprise Operations

Data fiduciary responsibilities

Under the Digital Personal Data Protection Act, 2023, the Data Fiduciary bears the primary responsibility for data processing. When an eCommerce company collects user data on the basis of consent, it must give the user a notice describing the personal data collected and the purpose of processing, how the user can exercise their rights and withdraw consent, and how they can complain to the Data Protection Board. It must also retain the data only as long as the stated purpose requires, so that the collection and processing of user data remains transparent.

Rights of the Data Principal

The Act emphasises the rights of Data Principals (the individuals whose data is processed), including the right to access, correct and erase their personal data. In practice, an eCommerce website should provide an interface through which users can view, update or delete their personal information and withdraw consent they have previously given for data processing.

Requirement of consent

The Act stipulates that valid consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and that withdrawing consent must be as easy as giving it. When users register or make purchases, eCommerce companies should present clear consent options that let users review the terms under which their data is collected and used, and should provide a simple process for withdrawing consent.

Data Protection Impact Assessment (DPIA):

The Act requires Significant Data Fiduciaries, a class that the central government designates on the basis of factors such as the volume and sensitivity of the personal data processed, to conduct periodic DPIAs (Data Protection Impact Assessments) and audits and to appoint a Data Protection Officer based in India. A DPIA assesses and manages the risks that a data processing activity poses to the rights of Data Principals. For example, before launching a new data processing function, such as personalised recommendations based on user behaviour, an eCommerce company should conduct a DPIA, assess the potential risks and define corresponding mitigation measures.

Localization and cross-border transfer of data:

In terms of localization, once the Digital Personal Data Protection Act, 2023 is in force it will be the main personal data protection regulation, but existing sector-specific regulations will remain valid and are to be read consistently with it. Where they conflict, the Act takes precedence, except that certain sector-specific requirements, such as data localization rules for particular industries, may continue to apply over the corresponding provisions of the Act.

In terms of cross-border data transfer, the Act does not impose a GDPR-style adequacy test. Personal data may be transferred to any country or territory except those the central government restricts by notification, so companies must track that list. The Data Fiduciary nonetheless remains fully responsible for personal data that an overseas Data Processor handles on its behalf, so contracts with overseas processors must set out clear data protection obligations and security safeguards. When data is processed or stored overseas, the Data Principal's rights of access, correction and erasure must still be honoured.

Special protection of children's data:

The Act imposes special requirements on the processing of the personal data of children (persons under 18), including obtaining verifiable consent from a parent or lawful guardian. An eCommerce company whose target users include children must obtain that consent before collecting a child's data, must not carry out tracking or behavioural monitoring of children, must not direct targeted advertising at them, and must not process their data in a way that is likely to harm their well-being.

Ensuring Legal Compliance with TMO

For India, as the DPDP Act approaches implementation, data privacy compliance becomes particularly critical for companies expanding through cross-border eCommerce. Companies need to invest more resources to ensure that their data processing meets the new Act's requirements. This includes, but is not limited to, drafting data protection policies, conducting data protection impact assessments (DPIAs), and establishing a data breach response mechanism that can notify the Data Protection Board and affected users.

TMO has many years of experience implementing overseas eCommerce projects for brands. Our data and regulatory consultants conduct website compliance scans for target markets such as India, assess every aspect of the website, and help you resolve issues relating to data protection, infrastructure protection, security testing, user authentication and access management, and data auditing, putting the solutions into practice during eCommerce website development.

If your company is considering overseas expansion, you can learn about our Global eCommerce Solutions.

For a more detailed exploration of these regulations and their implementation in cross-border eCommerce, you can also learn about our eCommerce Legal Compliance Services, where we interpret the laws and regulations of your target market, covering consumer protection, data compliance, privacy compliance and eCommerce, and help you formulate an appropriate compliance strategy. You can also contact our eCommerce experts directly.
