Centre for Internet and Society

Comments on proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020

Vipul Kharbanda, Rajat Misra, Arindrajit Basu and Aman Nair — 2021-07-27T14:45:07Z

The Consumer Protection (E-commerce) Rules, 2020 were first introduced in an attempt to ensure that consumers were granted adequate protections and to prevent the adoption of unfair trade practices by E-commerce entities. The amendments have proposed several rules which will protect the consumer with a restriction on misleading advertisements and appointment of grievance officers based in India. However, while on this path, the proposed rules have created hurdles in the operations of e-commerce, reducing the ease of business and increasing the costs of operations especially for smaller players; which could eventually pass on to the consumers.

In our submission to the Ministry of Consumer Affairs, we focussed our analysis on eight points: Definitions and Registration, Compliance, Data Protection and Surveillance, Flash Sales, Unfair Trade Practices, Jurisdictional Issues with Competition Law, Compliance with International Trade Law and Liabilities of Marketplace E-commerce Entities.

A snapshot of our recommendations and analysis is listed out below. To read our full submission, please click here.

Definitions and Registrations

The registration of entities with the DPIIT must be made as smooth as possible especially considering the wide definition of E-commerce entities in the rules, which may include smaller businesses as well. In particular, we suggested doing away with physical office visits.

Compliance

As a general observation, compliance obligations should be differentiated based on the size of the entity and the volume of transactions rather than adopting a ‘one size fits all’ approach which may harm smaller businesses, especially those that are just starting up. Before these rules come into force, further consultations with small and medium-sized business enterprises would be vital in ensuring that the regulation is in line with their needs and does not hamper their growth. Excessive compliance requirements may end up playing into the hands of the largest players as they would have larger financial coffers and institutional mechanisms to comply with these obligations.

There is some confusion in the law as to whether the Chief Compliance officer mentioned in the amended rules is the same as the “nodal person of contact or an alternate senior designated functionary who is resident of India” under Rule 5(1).

The safe harbour should therefore refer to due diligence by the CCO and not the e-commerce entity itself. The requirement for the compliance officer to be an Indian citizen who is a resident and a senior officer or managerial employee may place an undue burden on small E-commerce players not located in India.

Data Protection and Surveillance

In the absence of a Personal Data protection bill these rules do not adequately protect consumers’ personal data and reduce the powers given to the Central Government to access data or conduct surveillance

Flash Sales

Conventional flash sales should be defined. Clear distinction must be made between conventional flash sales and fraudulent flash sales. The definition should not be limited to interception of business “using technological means”, which limits the scope of the fraudulent flash sales. Further parameters must be provided for when a flash sale will be considered a fraudulent flash sale.

Unfair Trade Practices

The rules place restrictions on marketplace E-commerce entities from selling their own goods or services or from listing related enterprises as sellers on their platforms. No such restriction applies to brick and mortar stores, and this blanket ban must be rethought.

Jurisdictional Issues with Competition Law

This rule brings the issue of ‘abuse of dominant power’ under the fora of the Consumer Protection Authority or the Consumer Disputes Redressal Commissions. Overlapping jurisdiction of this nature could introduce regulatory delays into the dispute resolution process and can be a source of tension for the parties and regulatory authorities. The intention behind importing a competition law concept such as “abuse of dominant position” in the consumer protection regulations may be understandable, such a step might be effective in jurisdictions which have a common regulatory authority for both competition law as well as consumer protection issues, such as Australia, Finland, Ireland, Netherlands. However, in a country such as India which has completely separate regulatory mechanisms for competition and consumer law issues, such a provision may lead to logistical difficulties.

Compliance with International Trade Law

A robust framework on ranking with transparent disclosure of parameters for the same would also go a long way towards addressing concerns with discrimination and national treatment under WTO law. Further, the obligation to provide domestic alternatives should be clarified and amended to ensure that it does not cause uncertainty and open India up to a national treatment challenge at the WTO.

Liabilities of Marketplace E-commerce Entities

Fallback liability is an essential component of consumers’ protection in the E-commerce space. However, as currently envisioned there is a lack of clarity surrounding the extent to which fallback liability is applicable on E-commerce entities as well as exemptions to this liability. We have recommended alternate approaches adopted in other jurisdictions, which include

Liability through negligence
Liability as an exemption to safe harbour

For more details visit https://cis-india.org/internet-governance/blog/comments-on-proposed-amendments-to-the-consumer-protection-e-commerce-rules-2020

The Competition Law Case Against Whatsapp’s 2021 Privacy Policy Alteration

Aman Nair and Arindrajit Basu — 2021-03-24T16:12:09Z

Having examined the privacy implications of Whatsapp's changes to its privacy policy in 2021, this issue brief is the second output in our series examining the effects of those changes. This brief examines the changes in the context of data sharing between Whatsapp and Facebook as being an anticompetitive action in violation of the Indian Competition Act, 2002.

Executive Summary

On January 4, 2021, Whatsapp announced a revised privacy policy through an in-app notification. It highlighted that the new policy would impact user interactions with business accounts, including those which may be using Facebook's hosting services. The updated policy presented users with the option of either accepting greater data sharing between Whatsapp and Facebook or being unable to use the platform post 15th May, 2021. The updated policy resulted in temporarily slowed growth for Whatsapp and increased growth for other messaging apps like Signal and Telegram. While Whatsapp has chosen to delay the implementation of this policy due to consumer outrage, it is important for us to unpack and understand what this (and similar policies) mean for the digital economy, and its associated competition law concerns. Competition law is one of the sharpest tools available to policy-makers to fairly regulate and constrain the unbridled power of large technology companies.

While it is evident the Indian competition landscape will benefit from revisiting the existing law and policy framework to reign in Big technology companies, we argue that the change in Whatsapp’s privacy policy in 2021 can be held anti-competitive using legal provisions as they presently stand. Therefore, in this issue brief, we largely limit ourselves to evaluating the legality of Whatsapp’s privacy policy within the confines of the present legal system.

First, we dive into an articulation of the present abuse of dominance framework in Indian Competition Law. Second, we analyze whether there was abuse of dominance-bearing in mind an economic analysis of Whatsapp’s role in the relevant market by using tests laid out in previous rulings of the CCI

The framework for determining abuse of dominance as per The Competition Act is based on three factors:

1. Determination of relevant market

2. Determination of dominant position

3. Abuse of the dominant position

In two previous orders in 2016 and 2020, CCI has held that Whatsapp is dominant in its relevant market based on several factors which we explore. These include:

Advantage in user base, usage and reach,
Barriers to entry for other competitors
Power of acquisition over competitors.

However, in both orders, CCI held that Whatsapp did not abuse its dominance by arguing that the practices in question allowed for user choice. We critique these judgments for not reflecting the market structures and exploitative practices of large technology companies. We also argue that even if we use the test of user choice laid down by the CCI in its previous orders concerning Whatsapp and Facebook, the changes made to the privacy policy in 2021 did abuse dominance,and should be held guilty of violating competition law standards.

Our analysis revolves around examining the explicit and implicit standards of user choice laid out by the CCI in its 2016 and 2020 judgements as the standard for evaluating fairness in an Abuse of Dominance claim.We demonstrate how the 2021 changes failed to meet these standards.

Finally, we conclude by noting that the present case offers a crucial opportunity for India to take a giant step forward in its regulation of big tech companies and harmonise its rulings with regulatory developments around the world.

The full issue brief can be found here

For more details visit https://cis-india.org/internet-governance/blog/the-competition-law-case-against-whatsapp2019s-2021-privacy-policy-alteration

Reading the Fine Script: Service Providers, Terms and Conditions and Consumer Rights

jyoti — 2014-07-04T06:31:37Z

This year, an increasing number of incidents, related to consumer rights and service providers, have come to light. This blog illustrates the facts of the cases, and discusses the main issues at stake, namely, the role and responsibilities of providers of platforms for user-created content with regard to consumer rights.

On 1st July, 2014 the Federal Trade Commission (FTC) filed a complaint against T-Mobile USA,[1] accusing the service provider of 'cramming' customers bills, with millions of dollars of unauthorized charges. Recently, another service provider, received flak from regulators and users worldwide, after it published a paper, 'Experimental evidence of massive-scale emotional contagion through social networks'.[2] The paper described Facebook's experiment on more than 600,000 users, to determine whether manipulating user-generated content, would affect the emotions of its users.

In both incidents the terms that should ensure the protection of their user's legal rights, were used to gain consent for actions on behalf of the service providers, that were not anticipated at the time of agreeing to the terms and conditions (T&Cs) by the consumer. More precisely, both cases point to the underlying issue of how users are bound by T&Cs, and in a mediated online landscape—highlight, the need to pay attention to the regulations that govern the online engagement of users.

I have read and agree to the terms

In his statement, Chief Executive Officer, John Legere might have referred to T-Mobile as "the most pro-consumer company in the industry",[3] however the FTC investigation revelations, that many customers never authorized the charges, suggest otherwise. The FTC investigation also found that, T-Mobile received 35-40 per cent of the amount charged for subscriptions, that were made largely through innocuous services, that customers had been signed up to, without their knowledge or consent. Last month news broke, that just under 700,000 users 'unknowingly' participated in the Facebook study, and while the legality and ethics of the experiment are being debated, what is clear is that Facebook violated consumer rights by not providing the choice to opt in or out, or even the knowledge of such social or psychological experiments to its users.

Both incidents boil down to the sensitive question of consent. While binding agreements around the world work on the condition of consent, how do we define it and what are the implications of agreeing to the terms?

Terms of Service: Conditions are subject to change

A legal necessity, the existing terms of service (TOS)—as they are also known—as an acceptance mechanism are deeply broken. The policies of online service providers are often, too long, and with no shorter or multilingual versions, require substantial effort on part of the user to go through in detail. A 2008 Carnegie Mellon study estimated it would take an average user 244 hours every year to go through the policies they agree to online.[4] Based on the study, Atlantic's Alexis C. Madrigal derived that reading all of the privacy policies an average Internet user encounters in a year, would take 76 working days.[5]

The costs of time are multiplied by the fact that terms of services change with technology, making it very hard for a user to keep track of all of the changes over time. Moreover, many services providers do not even commit to the obligation of notifying the users of any changes in the TOS. Microsoft, Skype, Amazon, YouTube are examples of some of the service providers that have not committed to any obligations of notification of changes and often, there are no mechanisms in place to ensure that service providers are keeping users updated.

Facebook has said that the recent social experiment is perfectly legal under its TOS,[6] the question of fairness of the conditions of users consent remain debatable. Facebook has a broad copyright license that goes beyond its operating requirements, such as the right to 'sublicense'. The copyright also does not end when users stop using the service, unless the content has been deleted by everyone else.

More importantly, since 2007, Facebook has brought major changes to their lengthy TOS about every year.[7] And while many point that Facebook is transparent, as it solicits feedback preceding changes to their terms, the accountability remains questionable, as the results are not binding unless 30% of the actual users vote. Facebook can and does, track users and shares their data across websites, and has no obligation or mechanism to inform users of the takedown requests.

Courts in different jurisdictions under different laws may come to different conclusions regarding these practices, especially about whether changing terms without notifying users is acceptable or not. Living in a society more protective of consumer rights is however, no safeguard, as TOS often include a clause of choice of law which allow companies to select jurisdictions whose laws govern the terms.

The recent experiment bypassed the need for informed user consent due to Facebook's Data Use Policy[8], which states that once an account has been created, user data can be used for 'internal operations, including troubleshooting, data analysis, testing, research and service improvement.' While the users worldwide may be outraged, legally, Facebook acted within its rights as the decision fell within the scope of T&Cs that users consented to. The incident's most positive impact might be in taking the questions of Facebook responsibilities towards protecting users, including informing them of the usage of their data and changes in data privacy terms, to a worldwide audience.

My right is bigger than yours

Most TOS agreements, written by lawyers to protect the interests of the companies add to the complexities of privacy, in an increasingly user-generated digital world. Often, intentionally complicated agreements, conflict with existing data and user rights across jurisdictions and chip away at rights like ownership, privacy and even the ability to sue. With conditions that that allow for change in terms at anytime, existing users do not have ownership or control over their data.

In April New York Times, reported of updates to the legal policy of General Mills (GM), the multibillion-dollar food company.[9] The update broadly asserted that consumers interacting with the company in a variety of ways and venues no longer can sue GM, but must instead, submit any complaint to “informal negotiation” or arbitration. Since then, GM has backtracked and clarified that “online communities” mentioned in the policy referred only to those online communities hosted by the company on its own websites.[10] Clarification aside, as Julia Duncan, Director of Federal programs at American Association for Justice points out, the update in the terms were so broad, that they were open to wide interpretation and anything that consumers purchase from the company could have been held to this clause. [11]

Data and whose rights?

Following Snowden revelations, data privacy has become a contentious issue in the EU, and TOS, that allow the service providers to unilaterally alter terms of the contract, will face many challenges in the future. In March Edward Snowden sent his testimony to the European Parliament calling for greater accountability and highlighted that in "a global, interconnected world where, when national laws fail like this, our international laws provide for another level of accountability."[12] Following the testimony came the European Parliament's vote in favor of new safeguards on the personal data of EU citizens, when it’s transferred to non-EU.[13] The new regulations seek to give users more control over their personal data including the right to ask for data from companies that control it and seek to place the burden of proof on the service providers.

The regulation places responsibility on companies, including third-parties involved in data collection, transfer and storing and greater transparency on concerned requests for information. The amendment reinforces data subject right to seek erasure of data and obliges concerned parties to communicate data rectification. Also, earlier this year, the European Court of Justice (ECJ) ruled in favor of the 'right to be forgotten'[14]. The ECJ ruling recognised data subject's rights override the interest of internet users, however, with exceptions pertaining to nature of information, its sensitivity for the data subject's private life and the role of the data subject in public life.

In May, the Norwegian Consumer Council filed a complaint with the Norwegian Consumer Ombudsman, “… based on the discrepancies between Norwegian Law and the standard terms and conditions applicable to the Apple iCloud service...”, and, “...in breach of the law regarding control of marketing and standard agreements.”[15] The council based its complaint on the results of a study, published earlier this year, that found terms were hazy and varied across services including iCloud, Drop Box, Google Drive, Jotta Cloud, and Microsoft OneDrive. The Norwegian Council study found that Google TOS, allow for users content to be used for other purposes than storage, including by partners and that it has rights of usage even after the service is cancelled. None of the providers provide a guarantee that data is safe from loss, while many, have the ability to terminate an account without notice. All of the service providers can change the terms of service but only Google and Microsoft give an advance notice.

The study also found service providers lacking with respect to European privacy standards, with many allowing for browsing of user content. Tellingly, Google had received a fine in January by the French Data Protection Authority, that stated regarding Google's TOS, "permits itself to combine all the data it collects about its users across all of its services without any legal basis."

To blame or not to blame

Facebook is facing a probe by the UK Information Commissioner's Office, to assess if the experiment conducted in 2012 was a violation of data privacy laws.[16] The FTC asked the court to order T-Mobile USA, to stop mobile cramming, provide refunds and give up any revenues from the practice. The existing mechanisms of online consent, do not simplify the task of agreeing to multiple documents and services at once, a complexity which manifolds, with the involvement of third parties.

Unsurprisingly, T-Mobile's Legere termed the FTC lawsuit misdirected and blamed the companies providing the text services for the cramming.[17] He felt those providers should be held accountable, despite allegations that T-Mobile's billing practices made it difficult for consumers to detect that they were being charged for unauthorized services and having shared revenues with third-party providers. Interestingly, this is the first action against a wireless carrier for cramming and the FTC has a precedent of going after smaller companies that provide the services.

The FTC charged T-Mobile USA with deceptive billing practices in putting the crammed charges under a total for 'use charges' and 'premium services' and failure to highlight that portion of the charge was towards third-party charges. Further, the company urged customers to take complaints to vendors and was not forthcoming with refunds. For now, T-Mobile may be able to share the blame, the incident brings to question its accountability, especially as going forward it has entered a pact along with other carriers in USA including Verizon and AT&T, agreeing to stop billing customers for third-party services. Even when practices such as cramming are deemed illegal, it does not necessarily mean that harm has been prevented. Often users bear the burden of claiming refunds and litigation comes at a cost while even after being fined companies could have succeeded in profiting from their actions.

Conclusion

Unfair terms and conditions may arise when service providers include terms that are difficult to understand or vague in their scope. TOS that prevent users from taking legal action, negate liability for service providers actions despite the companies actions that may have a direct bearing on users, are also considered unfair. More importantly, any term that is hidden till after signing the contract, or a term giving the provider the right to change the contract to their benefit including wider rights for service provider wide in comparison to users such as a term that that makes it very difficult for users to end a contract create an imbalance. These issues get further complicated when the companies control and profiting from data are doing so with user generated data provided free to the platform.

In the knowledge economy, web companies play a decisive role as even though they work for profit, the profit is derived out of the knowledge held by individuals and groups. In their function of aggregating human knowledge, they collect and provide opportunities for feedback of the outcomes of individual choices. The significance of consent becomes a critical part of the equation when harnessing individual information. In France, consent is part of the four conditions necessary to be forming a valid contract (article 1108 of the Code Civil).

The cases highlight the complexities that are inherent in the existing mechanisms of online consent. The question of consent has many underlying layers such as reasonable notice and contractual obligations related to consent such as those explored in the case in Canada, which looked at whether clauses of TOS were communicated reasonably to the user, a topic for another blog. For now, we must remember that by creating and organising social knowledge that further human activity, service providers, serve a powerful function. And as the saying goes, with great power comes great responsibility.

[1] 'FTC Alleges T-Mobile Crammed Bogus Charges onto Customers’ Phone Bills', published 1 July, 2014. See: http://www.ftc.gov/news-events/press-releases/2014/07/ftc-alleges-t-mobile-crammed-bogus-charges-customers-phone-bills

[2] 'Experimental evidence of massive-scale emotional contagion through social networks', Adam D. I. Kramera,1, Jamie E. Guilloryb, and Jeffrey T. Hancock, published March 25, 2014. See:http://www.pnas.org/content/111/24/8788.full.pdf+html?sid=2610b655-db67-453d-bcb6-da4efeebf534

[3] 'U.S. sues T-Mobile USA, alleges bogus charges on phone bills, Reuters published 1st July, 2014 See: http://www.reuters.com/article/2014/07/01/us-tmobile-ftc-idUSKBN0F656E20140701

[4] 'The Cost of Reading Privacy Policies', Aleecia M. McDonald and Lorrie Faith Cranor, published I/S: A Journal of Law and Policy for the Information Society 2008 Privacy Year in Review issue. See: http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf

[5] 'Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days', Alexis C. Madrigal, published The Atlantic, March 2012 See: http://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/

[6] Facebook Legal Terms. See: https://www.facebook.com/legal/terms

[7] 'Facebook's Eroding Privacy Policy: A Timeline', Kurt Opsahl, Published Electronic Frontier Foundation , April 28, 2010 See:https://www.eff.org/deeplinks/2010/04/facebook-timeline

[8] Facebook Data Use Policy. See: https://www.facebook.com/about/privacy/

[9] 'When ‘Liking’ a Brand Online Voids the Right to Sue', Stephanie Strom, published in New York Times on April 16, 2014 See: http://www.nytimes.com/2014/04/17/business/when-liking-a-brand-online-voids-the-right-to-sue.html?ref=business

[10] Explaining our website privacy policy and legal terms, published April 17, 2014 See:http://www.blog.generalmills.com/2014/04/explaining-our-website-privacy-policy-and-legal-terms/#sthash.B5URM3et.dpufhttp://www.blog.generalmills.com/2014/04/explaining-our-website-privacy-policy-and-legal-terms/

[11] General Mills Amends New Legal Policies, Stephanie Strom, published in New York Times on 1http://www.nytimes.com/2014/04/18/business/general-mills-amends-new-legal-policies.html?_r=0

[12] Edward Snowden Statement to European Parliament published March 7, 2014. See: http://www.europarl.europa.eu/document/activities/cont/201403/20140307ATT80674/20140307ATT80674EN.pdf

[13] Progress on EU data protection reform now irreversible following European Parliament vote, published 12 March 201 See: http://europa.eu/rapid/press-release_MEMO-14-186_en.htm

[14] European Court of Justice rules Internet Search Engine Operator responsible for Processing Personal Data Published by Third Parties, Jyoti Panday, published on CIS blog on May 14, 2014. See: http://cis-india.org/internet-governance/blog/ecj-rules-internet-search-engine-operator-responsible-for-processing-personal-data-published-by-third-parties

[15] Complaint regarding Apple iCloud’s terms and conditions , published on 13 May 2014 See:http://www.forbrukerradet.no/_attachment/1175090/binary/29927

[16] 'Facebook faces UK probe over emotion study' See: http://www.bbc.co.uk/news/technology-28102550

[17] Our Reaction to the FTC Lawsuit See: http://newsroom.t-mobile.com/news/our-reaction-to-the-ftc-lawsuit.htm

For more details visit https://cis-india.org/internet-governance/blog/reading-between-the-lines-service-providers-terms-and-conditions-and-consumer-rights

Open Standards Workshop at IGF '09

pranesh — 2011-08-23T02:54:03Z

The Centre for Internet and Society co-organized a workshop on 'Open Standards: A Rights-Based Framework' at the fourth Internet Governance Forum, at Sharm el-Sheikh. The panel was chaired by Aslam Raffee of Sun Microsystems and the panellists were Sir Tim Berners-Lee of W3C, Renu Budhiraja of India's DIT, Sunil Abraham of CIS, Steve Mutkoski of Microsoft, and Rishab Ghosh of UNU-MERIT.

Sir Tim Berners-Lee started the session with an address on various rights. Rights, he noted can range from being things like the rights to air and water to the right not to have the data carrier you use determine which movie you watch. Then, there are tensions between rights: the right to anonymity can clash with the right to know who posted information on making a bomb. Berners-Lee stated that for 2009, he has chosen to pursue one particular right: the right to government-held data. This data can include everything from where schools are to emergency services such as locations of hospitals. Today, we are talking about standards.

The World Wide Web Consortium (W3C) is a fifteen-year old body in which all kinds of people come together for purposes of setting standards around the World Wide Web. Thus, everything from HTML, which is used to write Web pages to WCAG, which are guidelines to enable people with disabilities access websites through assistive technologies. W3C conducts its discussions openly: anybody who has a good idea has a right to participate in its discussions -- it does not matter who one works for, who one represents -- what does matter are the ideas one brings to the table. The kinds of standards that W3C deals with are of interest to an immensely wide-ranging group of people. Even ten-year olds have actually expressed their opinions about standards like HTML. All this openness of participation must be guaranteed while ensuring that the processes move forward.

Next spoke Renu Budhiraja of the Department of Information and Technology, which is a part of the Indian government. She started off by hoping that this workshop would be not only a platform to share knowledge, but also to reach consensus on a few matters. Next, she laid out why open standards are extremely important for the Indian government. What citizens want in their interactions with the government are ease of interaction and efficiency. For them it is immaterial whether a certain service is provided by Department A or Department B. Thus we need to move towards a single-window government service for citizens, enabling them to interact easily with the government's various departments. While such an initiative must be centralized for it to be effective, it is crucial that its implementation be decentralized and suited to each district or localities' needs.

There is, understandably, a huge institutional mechanism behind ensuring that these systems are based on open standards. We have expert committees, consisting of academics and knowledgeable bureaucrats, and working groups, which include industry groups. Through these, we have evolved a National Policy on Open Standards, which is currently in a draft stage, but shall be notified soon. This policy outlines the principles based on which particular standards required for governmental functioning are to be chosen or evolved. This document will ensure long-term accessibility to public documents and information, and seamless interoperability of various governmental services and departments. It will also reduce the risk of vendor lock-in and reduce costs, and thus ensure long-term, sustainable, scalable and cost-effective solutions.

Ms. Budhiraja noted that there are a few aspects of the policy that bear discussion in a forum such as the IGF. First is the issue of whether royalty-free is the only choice for innovation. All other things equal, between royalty-free and reasonable and non-discriminatory (RAND) standards, of course royalty-free is to be preferred. But what if a superior technology (JPEG200 vs. JPEG) is RAND? What should the government's position be in such a case? Further, what should the government's position be when in a particular domain a RAND standard is the only option?

Next is the issue of single vs. multiple open standards. When interoperability is what we are aiming at, can multiple standards be recommended as some in the industry are asking us to do? And then is the issue of market maturity. The government sometimes finds itself in a situation where a standard is available, but well-developed products around that standard aren't and there aren't sufficient vendors using that standard. All these issues are of great practical importance when a government works on a policy document on standards.

Next up was Sunil Abraham, Executive Director of the Centre for Internet and Society. His presentation was on open standards as citizens' and consumers' rights. He started off by citing the example of the Smart Card Operating System for Transport Application (SCOSTA) standard, and the implications that the SCOSTA story has on large-scale projects such as the National Unique ID project currently under way in India. SCOSTA, an open standard, was being written off as unimplementable by all the MNC smart card vendors who wished to push RAND standards. IIT Kanpur helped the government develop a working implementation. Within twenty days, the card manufacturers submitted modified cards for compliance testing by NIC. Because of SCOSTA being an open standard, local companies also joined the tender. The cost went down from Rs. 600 per card to Rs. 30 per card. This shows the benefits of open standards as a means of curbing oligopolistic pricing, and working for the benefit of consumers.

From a rights-based perspective, access to the state machinery is a primary right. Citizens should not be required to pirate or purchase software to interact with the state. If e-governance solutions are based on proprietary standards, not all citizens would be equal. The South African example or requiring a particular browser to access the election commission's website shows that in a rather drastic fashion. When intellectual property interferes with governmental needs, governments have not been shy of issuing compulsory licences. This was seen when during the Great War the United States government pooled various flight-related patents and compulsorily licensed them, as well as what we are currently seeing with many Aids-related drugs being compulsorily licensed in developing countries. Thus, there are precedents for such licensing, and governments should explore them in the realm of e-governance. Many countries now have statutes that guarantee the right to government-held information. Government Interoperability Frameworks should take these into account, and mandate all government-to-citizen (G2C) information be transacted via open standards. This must be backed up by a strong accessibility policy to ensure that the governments don't discriminate between their citizens.

Proprietary standards act like pseudo-intellectual property rights, just as DRMs do. They add a layer on top of rights such as copyright, and can prevent the exercise of fair use and fair dealing rights because of an inability to legally negotiate the standards in which the content is encoded in a cost-free manner. In guaranteeing this balance between copyrights and fair dealing rights, free software and alternative IP models play a crucial role. Because of software patents being recognized in a few countries, development of free software which allows citizens to exercise their fair use rights is harmed in all countries.

Steve Mutkoski of Microsoft spoke next and placed the standards debate in a large context. He noted that standards are a technicality that are only a small part of the large issue which is interoperability in e-governance and delivery to citizens. The real challenges are organizational and semantic interoperability. Frequently interoperability is not harmed by technical issues, but by legal and organizational issues. Governments used to work on paper; during the shift to electronic data, they didn't engage in any organizational changes. Thus they continue to function with electronic data the same way that they did with paper-based data. Governments often lack strong privacy policies regarding the data that each of their departments holds. This harms governmental functioning. Additionally, legacy hardware and software have to be catered to by the standards we are talking about: sometimes an open standard just will not work.

Standards don't guarantee interoperability, and there is significant work done on this by noted academics ("Why Standards Are Not Enough To Guarantee End-to-End Interoperability" Lewis et al.; "Difficulties Implementing Standards" Egyedi & Dahanayake; "Standards Compliant, But Incompatible?" Egyedi et al.). Mandated standards lists will not help address interoperability issues between different implementations of the same standard. What would help? Transparency of implementations; collaboration with community; active participation in maintenance of standards, etc., would help. There is a need for continued public sector reform, with a focus on citizen-centric e-governance, and a need to engage with the question of whether government-mandated standards lists lead the market or follow the market.

Rishab Aiyer Ghosh, a senior researcher at UN University, Maastricht, spoke next. He started by noting that technical standards are left to technical experts. That needs to change, which is why discussing open standards at the IGF is important. He next set off a hypothetical: imagine you go to the city council office in Sharm el Sheik, and at the parking lot there it says that your car has to be a Ford if you are to park there; or if the Dutch government insists that you have a Philips TV if you are to receive the national broadcaster's signal. While these might seem absurd, situations like this arise all the time when it comes to the realm of software. Thus, the social effects of open standards are of utmost importance, and not just their technical qualities. Analysing the social effects of open standards takes us back to the economics of technology and technological standards. Technological standards exhibit network externalities: their inherent value is less than the value of others using them. Being the only person in the world with a telephone won't be very useful. Technological standards also exhibit path dependence: once you go with one technological format, it is difficult to change over to another even if that other format is superior to the first. Thus, clearly, standards benefit when there is a 'natural monopoly'. The challenge really arises when faced with the question of how to ensure a monopoly in a technology without the supplier of that technology exhibiting monopolistic tendencies. This can only be done when the technology is open and developed openly, of which the web standards and the W3C are excellent examples. If the technology or the process are semi-open, then because of the few intellectual property rights attached to the technology, some would be better off than others. Just as governments cannot insist on driving a particular make of cars as a prerequisite for access to them, they cannot insist on using a particular proprietary standard as a means of accessing them.

Many interesting questions arose when the floor was thrown open to the audience. "Should governments only mandate a particular standard when it is certain that market maturity exists?" Not really, since governmental decisions also give signals to the market and help direct attention to those standards. It would be best if roadmaps were provided, with particular under-mature standards being designated as "preferred standards", thus helping push industry in a particular direction. Examples where this strategy has borne fruit abound. This is also the strategy found in the Australian GIF. On the issue of multiplicity of standards, Sir Tim was very clear that they have to be avoided at all costs. He gave the example of XSLT and CSS, which are both stylesheet formats. He noted that their domain of operation was very different (with one being for servers and the other for clients), so having two standards with similar functions but different domains of operation does not make them multiple standards. Multiple standards defeat the purpose of the standardization process.

It was noted that governmental choices are of practical importance to citizens. During the Hurricane Katrina emergency, the federal emergency website only worked properly if Internet Explorer was used. How do we move forward? We must move forward by having policies that strike a balance between allowing for the natural evolution of standards and stability. The Government Interoperability Frameworks must be dynamic documents, allowing for categorization between standards and having clear roadmaps to enable industry to provide solutions to the government in a timely fashion. Governments must be strong in order to push industry towards openness, for the sake of its citizens, and not let industry dictate proprietary standards as the solution. Some opined that since there are dozens of domains that governments function in, maintaining lists of standards is a time-consuming process that is not justified, but others rebutted that by noting that for enterprise architectures to work, governments have to maintain such lists internally. Opening up that list to citizens and service providers would not entail greater overheads.

Sunil Abraham talking Open Standards at IGF09

(Video added on December 30, 2009)

For more details visit https://cis-india.org/openness/blog-old/dcos-workshop-09

Consumer Privacy

praskrishna — 2012-09-13T09:21:26Z

This chapter will examine the present legal state of consumer privacy in India and seek to understand the gap between policy and implementation of policy. In doing so, it will look at what are the existing avenues for protection of consumer privacy in India, how is the definition of consumer privacy evolving through case law and public opinion, and what are the current challenges to consumer privacy in India. Traditionally speaking, and according to the Consumer Protection Act, 1986, in India, a consumer is a broad label for any person who buys goods or services with the intent of using them for non-commercial purposes. In the typical sense, when people think of themselves as being consumers, they think about transactions with a vendor through a physical exchange of money in a store or through an online exchange for a product or service. Certain services that consumers use put an extraordinary amount of sensitive personal information into the hands of vendors.

For more details visit https://cis-india.org/internet-governance/consumer-privacy.pdf

Are Indian Consumer Laws Ready for the Digital Age?

vipul — 2013-08-08T11:52:40Z

The Economic and Social Council of the United Nations, recognizing the need for protection of the rights of consumers, drafted a set of model guidelines on consumer protection which were adopted by the General Assembly in 1985. The United Nations Guidelines for Consumer Protection (UNGCP) act as an international reference point of the consumer movement, however since it has been over a quarter of a century since they were first drafted, there is a strong argument for revising them to bring them in line with new developments in technology and business practices.

It is for this reason that that United Nations Conference on Trade and Development has undertaken a revision of the UNGCP. Consumers International, an international consumer rights organization has along with CIS and other groups been trying to represent the voice of consumers at the negotiations for this revision. As part of this effort, Consumers International has produced a book titled "Updating the UN Guidelines for Consumer Protection for Consumers in the Digital Age". This blog has been produced through a filteration of the essence of some of the arguments and issues addressed in that book.

In December 2012 there was a news report that pegged the market for online commerce in India at roughly USD 14 billion,[1] which is why some of the poster children of online retail in India are getting stratospheric valuations even though they are yet to show any major profits, case in point, Flipkart had a valuation of around USD 800 million[2] in 2012 and is looking for an IPO in around three to four years. Such huge numbers give a sneak peek into the size and scope of the Indian e-commerce marketplace which begs the question, if there are so many transactions occurring in the online marketplace and since a large number of those transactions are between retailers and domestic consumers, then are there any specific laws out there protecting the interests of consumers in the online world.

Apart from the Information Technology Act, 2000 and various circulars by the Reserve Bank of India regarding online banking and money transfer activities which are more generic in nature trying to secure the online space as a whole, there are no specific laws that seek to protect consumers in the online space. However, that does not necessarily mean that the consumers are left without any recourse and in this post we shall examine whether it is possible to use the Consumer Protection Act, 1986 to protect consumer rights in the online environment as well.

The Consumer Protection Act, 1986 (“COPRA”) was enacted with the purpose of empowering consumers to take on the might of large corporations and preventing unscrupulous businessmen from taking undue advantage of the weak position which consumers are inherently placed in under the archaic Indian judicial system. It set up special tribunals, simpler procedures and enacted special provisions to help consumers get a better bargaining position vis-à-vis manufacturers and retailers, etc. However, since this law was enacted more than a quarter of a century ago and it is not entirely geared towards protecting consumer rights in the digital era. However, that does not mean it is entirely toothless in the online environment although it certainly needs some major provisions to come to grasp with the special circumstances and practices of the online marketplace, as the rest of the discussion will demonstrate.

For any transaction to come under the purview of COPRA, it should have the following three essential requirements:

There should be a ‘good’ or ‘service’ sold or provided to a consumer;
Such good or service must be ‘sold’ i.e. there must be a ‘sale’;
There should be a ‘defect’ in the good or ‘deficiency’ in the service;

We will now examine different types of e-commerce transactions and discuss whether they fulfill the requirements given above and therefore are amenable to the jurisdiction of COPRA.

There should be a ‘good’ or ‘service’
This is issue is not very complicated so far as digital purchases of physical items are concerned. Since a book or a mobile phone is considered as a ‘good’ then it will always be considered as a ‘good’ irrespective of whether it has been bought from a physical shop or an online retailer. However, the question does take on an air of some complexity when dealing with digital items such as mp3 files and software programmes. The General Clauses Act, 1897 states that all property which is not immovable property is considered as movable property. Since immovable property is defined as land and things attached to the land, therefore it is pretty clear that ‘computer software’ would in all likelihood be considered as movable property. Whether such movable property can be considered as a ‘good’ or not is a question which is yet to be tested in the courts of law in India, however it must be mentioned that in the context of the Sales Tax Act, the Supreme Court of India has held canned software to be a ‘good’. Laying down a test for determining whether a property is a ‘good’ or not, the Supreme Court in that case laid down the following test:

“A 'goods' may be a tangible property or an intangible one. It would become goods provided it has the attributes thereof having regard to (a) its utility; (b) capable of being bought and sold; and (c) capable of transmitted, transferred, delivered, stored and possessed. If a software whether customized or non-customized satisfies these attributes, the same would be goods.”[3]

It must be emphasized again that the Supreme Court’s ruling was given in the context of the Sales Tax Act and it may not be accepted by a court deciding a case on COPRA. This is one issue which could and should be addressed under Indian laws to ensure that the large numbers of Indian consumers who buy items in the online marketplace are not left in a lurch and without the protection of the COPRA.

There must be a “Sale” of the good or service
Just as the previous issue, this question again can be simple when asked in relation to sale of physical goods using the internet but may not be so when talking about digital goods. When a physical item is purchased using the internet, a sale may be said to have occurred when the ownership of the good passes from the seller (online retailer) to the buyer (consumer) and the payment and delivery are complete. However, the question whether sale of software (here we are using this generic term for all sorts of computer programmes and data because the reasoning and legal analysis can be applied to both types of data) in an online environment would actually constitute a ‘sale’ requires a little more analysis. A huge problem in labeling online software purchases as a ‘sale’ is that most of these ‘sales’ are made in the form of a license. The manufacturers or retailers would argue that such an online purchase is not really a sale since the consumer usually only gets a license to use the product under strict conditions and does not buy the product as an owner, further this is really the industry standard when it comes to software purchases. The argument on the other side is that most websites advertise these products as an outside sale, for example, if you go to the Quick Heal antivirus website today and go to the page for “Home Users”[4] the page clearly shows a “Buy Now” tab and indicates the price at Rs. 1549/-. In fact in a number of cases you can actually buy the file containing the software without ever being shown the contractual terms of the agreement. These terms usually specify that you are only getting a license to use the product and may not have the right to resell or lend the product to others, rights which a traditional buyer of a product enjoys under law.

This issue was also discussed by a Full Bench of the Supreme Court of India in the case of Tata Consultancy Services v. State of Andhra Pradesh,[5] which ultimately held that the ‘sale’ of canned software (the term the court used for non customized software which is sold off the shelf) would be a sale of goods and therefore liable to be taxed under the Sales Tax Act. As is evident this decision was given in the context of the Sales Tax Act, but it could be argued that since tax statues are anyways supposed to be interpreted strictly and beneficial statutes such as the COPRA are required to be interpreted broadly, as per the accepted rules of legal interpretation, therefore it is possible that such a ‘license’ for computer software bought by an ordinary consumer could be considered as a ‘sale’ so as to bring the item within the ambit of the COPRA.

Here again we see that although there might be arguments which could be made to justify such licences for computer software as a ‘sale’, however it is still an untested issue and the COPRA certainly needs to take these issues into account if we want to protect the rights of the ever growing number of online consumers.

There should be a “defect” in the goods
If I order a pair of shoes from flpikart.com and the shoes arrive with one of the soles torn off, it’s a pretty straightforward case of there being a defect. In such a scenario unless the retailer has a specified return policy (which incidentally flipkart has) the consumer would have a right to approach the consumer forum to lodge a compliant. Similarly, if I buy a software from a manufacturer for my personal use and the file has a bug in it, it can fairly easily be considered as a defect since any fault, imperfection or shortcoming in the quality, quantity, potency, purity or standard or the good can be considered as a defect.

This is where things get a little interesting. What if we argue that stringent Digital Rights Management techniques by some online retailers are actually a defect in the goods since they do give the consumer all the rights that a buyer of goods would traditionally have. For example, if I buy an e-book with DRMs which restrict lending and on-selling, then two of my rights as a traditional book buyer are straightaway rescinded. Let us now examine the issue in the traditional context of the term ‘defect’.

If an article bought has any fault, imperfection or shortcoming in the quality, etc., then it would be considered as a defective good. For example, if a person buys a generator which is creating excessive noise, then it can be said that there is a shortcoming in the quality or the standard which is required to be maintained. A generator may supply electricity perfectly well and there may not be any fault at the time of running the machine but while operating the machine if it is creating more noise than the prescribed level, it can be said that there is a defect in the manufacture. An e-book with DRMs may also let a consumer read its contents but that may not be the only criteria to determine whether an item is defective or not. Using the traditional definition of a ‘buyer’, we can argue that a traditional buyer commonly has rights such as the right to resale, the right to make copies for personal use, the right to lend, the right to gift, etc., which may not exist in a an e-book with DRMs. Thus, an argument could be made that such measures constitute a ‘defect’ in the goods under the COPRA.

Again, this is only an argument and it is entirely possible that a court of law may reject such an argument, especially in light of the fact that the consumer has entered into a license agreement while completing the transaction which specifically grants the consumer only specific and limited rights in regard to the item being purchased. A possible counter to this argument could be that the agreement is generally long and verbose and is only presented to the consumer towards the end of the transaction when the consumer generally does not have the time to read it. Further, there is hardly ever a situation where the consumer can negotiate the terms of the contract, it is usually a standard form of contract which is heavily tilted in favour of the seller and the consumer is given no real choice in this regard. This is why in common law jurisdictions the courts have laid down certain principles or extra conditions which a standard form of contract has to abide by for it to be enforceable viz.,:

Sufficient notice: This principle requires that the major and specially the unusual terms in a contract should be displayed in a sufficiently highlighted manner so that a reasonable consumer is not likely to miss these unusual terms.[6]
Fundamental breach of contract: If the contract is so drafted that it would impose additional obligations on the consumer or restrict the liability and obligations of the seller in such a way that it would result in breaching any of the fundamental or main terms or obligations that one expects in such a contract, then such a contract may not be enforceable.[7]
Exclusion of unreasonable terms: Another type of protection that is available to consumers is the principle which seeks to exclude unreasonable terms from a contract i.e. a term which would defeat the very purpose of the contract or if it is repugnant to the public policy.[8]

Relying on the above principles of standard form contracts, it is possible to at least argue that highly strict and limiting terms which are put into a long verbose standard form contract which backs the Technology Protection Measures on a protected software may not be entirely enforceable, in which case the alleged consent of the consumer for such DRMs gets negated and the software with all its DRM limitations could be considered as ‘defective’.

Conclusion
From the discussion above it is clear that the nature of online transactions and digital goods presents certain unique problems for the legal regime which seeks to protect consumer rights. The law needs to be amended to take into account the unique circumstances of this fledging marketplace that exists online and ensure that the legal regime is fully capable of facing the challenges thrown up by e-commerce. One of the initiatives in this regard is the effort by Consumers International to include amendments in the Model United Nations Guidelines for Consumer Protection to include various provisions which deal with the online marketplace and its unique challenges as well as issues relating to access to knowledge (A2K). Perhaps it is time for the establishment in India to also take this into account and bring our quarter of a century old consumer protection legislation in line with the digital age.

[1]. http://goo.gl/Mh74vB

[2]. http://goo.gl/By5x3i

[3]. Tata Consultancy Services v. State of Andhra Pradesh, 5 November, 2004, available at http://goo.gl/Bn7KRp

[4]. http://goo.gl/lMdoI

[5].http://goo.gl/Bn7KRp

[6]. Henderson & others v. Stevenson, 1875 2 R (HL) 71, Interfoto Picture Library Ltd v. Stiletto Visual Programmes Ltd. [1988] 1 All ER 348.

[7]. Harbutt's "Plasticine" Ltd. v. Wayne Tank and Pump Co Ltd [1970] 1 QB 447.

[8]. Lily White v. R. Mannuswami, AIR 1966 Mad.13.

For more details visit https://cis-india.org/a2k/blogs/are-indian-consumers-laws-ready-for-digital-age

Consumers International Global Meeting 2012

praskrishna — 2012-04-03T07:54:56Z

Pranesh Prakash participated in the Consumers International Global Meeting held in Kuala Lumpur on March 8 and 9, 2012. He spoke on UN Consumer Guidelines. Robin Brown, Tobias Schönwetter and Guilherme Varella were the other speakers in the session.

Wednesday 7 March

6:45pm	Anwar Fazal speech on 50th anniversary of JFK Consumer Rights
7:00pm	Dinner hosted by FOMCA

Thursday 8 March

8:30am	Registration
9:00am	Welcome (Helen McCallum)
9:30am	Introduction and overview (Jeremy Malcolm)
10:00am	Introduction to Digital Personal Property (Paul Sweazey)
11:00am	Break
11:30am	UN Consumer Guidelines (Robin Brown, Tobias Schönwetter, Pranesh Prakash, Guilherme Varella)
1:00pm	Lunch
2:00pm	Consumer Protection and IP Abuse Prevention under the WTO Framework (George Tian)
3:00pm	Internet governance and consumers (Peng Hwa Ang)
4:00pm	Break
4:30pm	Public Interest Representation in the Information Society (Norbert Bollow)
5:30pm	Consumers in the information society (Jeremy Malcolm)
6:30pm	Break
7:30pm	Cultural and culinary outing to pasar malam

Friday 9 March

8:30am	Registration
9:00am	M-Lab (Lih Shiun Goh from Google Singapore)
10:00am	Internet and human rights (Alan Finlay from Association for Progressive Communications)
11:00am	Break
11:30am	Global consumer survey on broadband (Jeremy Malcolm, Veridiana Alimonti, Elise Davidson, Marzena Kisielowska-Lipman)
1:00pm	Lunch
2:00pm	Cyber-security concerns for consumers and businesses (Raj Kumar, IMPACT)
3:00pm	Broadband nutrition label (Benjamin Lennett, New America Foundation)
4:00pm	Break
4:30pm	Reporting back – open time for member presentations
6.00 pm	Close

Abstracts and biographies

United Nations Guidelines for Consumer Protection

This paper provides background to the proposed amendments to update the United Nations Guidelines for Consumer Protection for the digital age. A soft-law instrument, the Guidelines provide an influential standard for the dissemination of good practices in consumer protection, as a mechanism to foster and promote social and economic development. They outline eight areas for developing policies for consumer protection, which are reflected by the eight consumer rights declared by the global consumer movement: rights to satisfaction of basic needs, safety, choice, information, consumer education, redress, representation and a health environment.

The paper outlines the current global regime of public policy developmment and regualtion relating to access to knowledge. Indicating that many of the issues of concern in terms of access to knowledge are essentially consumer issues it argues that amendments to the Guidelines would form the basis for progress. The paper then details the proposed amendments explaining the basis for each one.

Joining Robin Brown on the panel will be representatives from our research partners in India, Brazil and South Africa who will be contributing to our research on the Guidelines.

Robin Brown has 25 years of experience in consumer and business regulatory affairs. He spent 10 years as the chair and chief executive of Australia’s national consumer body, the Australian Federation of Consumer Organisations. Robin has been involved in projects to advance consumer protection and competition policy and regulation in a number of developing countries. In recent years Robin has served as a Councilor of the Australian Consumers’ Association. He holds a BA and a Master of Public Policy from the Australian National University.

Pranesh Prakash is Programme Manager at the Centre for Internet and Society, Bangalore. He is a graduate with a degree in Arts and Law from National Law School, Bangalore, with a keen interest in the law, economics, and culture of intellectual property rights. He helped found the Indian Journal of Law and Technology, and was part of its editorial board for two years. He is most interested in interdisciplinary research on IP and property law, freedom of speech, and privacy. He has worked with practising lawyers, civil society organizations, and law firms.

Tobias Schönwetter is a Senior Manager within PricewaterhouseCoopers' South African practice performing legal advisory services specifically relating to innovation, technology and intellectual property (copyright and trademarks). Tobias has studied and practised law in Germany, the US and South Africa and he has led the copyright division at UCT's Intellectual Property Law and Policy Research Unit for several years. His international experience, together with his leadership roles in a number of intellectual property-related projects and research collaborations such as the African Copyright and Access to Knowledge (ACA2K) project and the Open AIR (African Innovation Research and Training) project, has secured his place as an industry expert within the intellectual property and technology sector.

Guilherme Varella is a lawyer at Idec (Brazilian Institute for Consumer Defense) in telecomunications, Internet and access to knowledge and Master's student in public policies of culture in the Law School of Universidade de São Paulo (University of São Paulo - USP).

The event was sponsored by the Ford Foundation, the Open Society Institute and IDRC/CRDI. For more information, see here on the Access to Knowledge website.

For more details visit https://cis-india.org/news/consumers-international-meeting-2012