Home » Blog » DRESSED IN DATA: APPLYING INDIA’S DIGITAL PERSONAL DATA PROTECTION ACT, 2023 TO FASHION E-COMMERCE PLATFORMS AND THELEGAL GAPS IN CONSUMER PROFILING

DRESSED IN DATA: APPLYING INDIA’S DIGITAL PERSONAL DATA PROTECTION ACT, 2023 TO FASHION E-COMMERCE PLATFORMS AND THELEGAL GAPS IN CONSUMER PROFILING

Authored By: H.Mohammed Abdul Razak Saad

ICFAI Hyderabad

ABSTRACT

India’s Digital Personal Data Protection Act, 2023 is a legislation of the constitutional rights to privacy which was upheld in the landmark judgement of Justice K.S. Puttaswamy v Union of India. However, the way it can be applied to the growing area of fashion online shopping is still not developed systematically. Today’s fashion platforms profiling, AI-powered recommendation systems, virtual try-on innovations, and behavioral analytics to build detailed user profiles from data collected across various digital interactions. The practices are caught in a legal grey zone: the Act’s consent, algorithmic transparency, inferred personal data and cross-border data flow framework are structurally ambiguous and suits the interests of the sector of fashion retailers that is incentivized to commercialize intimate consumer data. Using a doctrinal-comparative methodology drawing on the GDPR, CCPA, EU AI Act, and DSA, the article recommends four statutory reforms to ensure consumer autonomy and dignity in the algorithmic fashion economy.

Keywords: Digital Personal Data Protection Act 2023; Consumer Profiling; Algorithmic Transparency; Fashion E-Commerce; GDPR; Behavioral Advertising; Informational Self-Determination

  1. INTRODUCTION

A consumer at midnight on Myntra clicks on a kurta, leaves her cart, spends time on a page of fancy blouse, then returns the next morning and sees exactly that blouse in the front page, along with algorithmically generated list of matching accessories. But the law will have to contend with something else, much more elemental: the gradual, invisible construction of her digital persona her preferences, fears, earnings indicators, beliefs, and body image, and so on into a data profile that can be monetized. In the modern economy, data is not just a byproduct, it’s the business.

The global fashion industry is valued at over USD 1.7 trillion per annum with fashion platforms such as Myntra, Nykaa, Reliance Trends and a growing number of D2C luxury players clocking in growth rates of CAGR at double digits, which have garnered significant foreign investment and driven intense data infrastructure development.[1] Fashion AI systems now routinely feed on data of an intimacy that is unparalleled before: such as a consumer’s body measurements, skin tone, purchasing habits based on their menstrual cycle, and religious preferences for clothing and footwear.

The legislative solution has been provided by the enactment of Digital Personal Data Protection Act, 2023(DPDPA) which had been long awaited after the Supreme Court’s landmark pronouncement of making privacy a fundamental right for individuals.[2] The Act sets the conditions for consent, the notice requirements, the rights of data principals and their obligations for major data fiduciaries.

This article contends that, DPDPA has some structural ambiguities that can be leveraged by fashion platforms, since it does not require transparency around algorithms, the architecture of the consent provisions is flawed, there is no clear definition of inferred personal data, and the framework for cross-border data transfers is permissive. These gaps can be addressed, it is also argued, by drawing on comparisons with the GDPR, the CCPA/CPRA, the EU AI Act and the EU Digital Services Act, but without necessarily taking in their structural assumptions in full into India’s regulatory environment.

  1. BACKGROUND AND CONCEPTUAL FRAMEWORK

The concept of consumer profiling refers to the systematic collection, aggregation, and analysis of data generated by an individual’s commercial interactions with a view to constructing a predictive model of their future behaviour, preferences, and vulnerabilities.[3] In the fashion e-commerce domain, there are at least three ways profiling is done: explicit data collection (return history, size input, wishlist activity, and purchase history); implicit behavioral tracking (dwell time on product pages, cursor movement, depth of page scrolling, and search queries); and inferred attributes (patterns of purchasing that generate inferences of customer income, religion, pregnancy, or sexual orientation).

The GDPR defines ‘profiling’ expressly as any form of automated processing evaluating personal aspects of an individual to analyse or predict preferences, economic situation, or behaviour.[4]  India’s DPDPA, by contrast, contains no equivalent definitional provision.[5] This lacuna is not simply a drafting error it has doctrinal implications. The Act’s consent and transparency requirements are not easily implemented with algorithmic profiling, as they can refer to an inference that is not necessarily a single identifiable data-processing operation, but might be a ‘coherent inference’ that emerges from the combination of hundreds of seemingly harmless data elements.

The normative basis for the regulation of consumer profiling is informational self-determination as conceptualized in the German Federal Constitutional Court’s Census Act Case (1983) and later in Puttaswamy judgment. It asserts that each person should have the ability to decide who has the information about him, why and for how long[6]. Informational self-determination applied to fashion e-commerce requires meaningful tools for consumers to be able to control the algorithmic construction of their commercial identities, rather than only formal consent mechanisms which, in practice, are illusory.

The academic research on consent fatigue the empirically-documented consumer acceptance of terms and conditions for data processing without true comprehension compounds the dearth of effectiveness in notice-and-consent regimes in the context of opaque algorithmic environments.[7] Strahilevitz and Kugler have shown that no statistically significant effect on consumer decision making occurs as a result of the legibility and relevance of privacy policies.

The use of AI in fashion retail, such as collaborative filtering, deep learning-powered visual similarity search tools, and sentiment analysis via natural language processing of social media platforms, is especially legally ambiguous. The question of whether they do so under the DPDPA, as this article shows, is far from a settled one of commercial and constitutional significance.

  1. LEGAL ANALYSIS

3.1 The DPDPA’s Consent Framework and its application to fashion profiling

The DPDPA imposes the obligation to process personal data only when there is consent, which must be free, specific, informed, unconditional and unambiguous.[8] The Act also stipulates that consent should be withdrawn as easily as it is obtained.[9] Dark patterns are commonly used on fashion websites to manipulate consumers decision-making processes, often exploiting cognitive flaws, as the FTC puts it, to push them into signing up for a service they would not have agreed with otherwise.[10] Pre-ticked check boxes for behavioral advertising, multiple click-through steps to opt-out and personalization consent tied to core services are industry common practices. The DPDPA’s definition of consent being ‘free’ and ‘unconditional’ does not align with these practices.

GDPR Article 7(4) makes crystal clear that ‘bundled consent’ is not a legal basis for data processing. The EDPB’s guidance on targeting of social media users further reinforces the GDPR’s requirement for consent obtained through layered and confusing interfaces to not be considered compliant with the GDPR.[11] The CCPA[12]/CPRA, on the other hand, establishes an affirmatively stated right to opt out of the ‘sale’ of personal information and, from automated decision-making based on personal information.[13] The DPDPA currently doesn’t contain a GDPR equivalent ban on bundled consent (as it does for advertising platforms), nor a CCPA equivalent right to withdraw from profiling.

3.2 Inferred Personal Data and the Problem of Sensitive Data Inference

One of the most significant omissions in the scope of the DPDPA with regards to fashion e-commerce is its failure to address inferred personal data. The Act defines ‘personal data’ as data about an individual who is identifiable by or in relation to such data.[14] It categorizes ‘sensitive personal data’ as a subcategory which requires special protection, with the details of this to be laid down by the Central Government.[15]

This vulnerability is made real in the context of fashion e-commerce. If the consumer makes regular purchases of moderate, all inclusive, clothing items during Ramadan, Eid and Diwali, but not Christmas or Holi, she has a purchasing pattern that an advanced algorithm can be used to reliably determine her religion. If a consumer buys maternity wear and baby clothes, infers pregnancy. The buying patterns of a consumer who has bought gender non-conforming clothing are a signal that can be used to infer his or her sexual orientation.The GDPR tackles this issue in Article 9 which bans processing of the so-called special category data” such as data on health, religious beliefs, sexual orientation, racial or ethnic origin, including inferred sensitive attributes .The Convention 108+ also places greater requirements in the case of processing that brings to light sensitive attributes.[16]

3.3 Algorithmic Transparency and the Right Against Automated Decision-Making

The DPDPA establishes a set of obligations for data fiduciaries (those who set the purpose and means of data processing), including obligations of notice, accuracy and data minimization.[17]However, the Act does not give rise to a right against automated decision making in the same way as GDPR Article 22, apart from a very limited number of exceptions. It also does not impose algorithmic transparency requirements like the ones present in the EU AI Act, which considers AI systems that process emotions in real-time and AI systems that analyse personal attributes such as creditworthiness to be high-risk, which would mandate documentation, human oversight and accuracy requirements for those systems.[18]

The lack of this presence is hugely significant in the fashion world. Recommendation systems that show cheaper products to people in certain lower income postal codes which can lead to the creation and magnification of social inequalities by their opaque and automated processes[19], as described by researchers studying algorithmic redlining. Likewise, if the algorithm that creates a personalized discount offer based on inferred price sensitivity or sensitivity can push individual consumers to make a decision which is of some legal consequence, such processing would conceivably be regarded under the Consumer Protection Act, 2019, as unfair trade practices, but not as a ‘decision’ under the DPDPA.[20]

However, some scholars believe that the scope of the right to explanation is more restricted than it is often believed to be, and that it only applies to decisions which are automated, but also legally or otherwise significantly affecting. The DPDPA’s lack of anything akin to this provision greatly disadvantages India, even compared to the flawed GDPR benchmark, and deprives fashion consumers of any legal means to learn about or challenge the algorithmic decisions that affect their commercial worlds.

3.4 Cross-Border Data Transfers and the Fashion Advertising Technology Stack

The transfer of personal information for cross-border purposes is regulated by the DPDPA, with a list of countries that are permitted for transfers under Section 17 notified by the government[21]. The blacklist-compatible, executive-discretion dependent mechanism is structurally different from the GDPR, where transfers are permitted only to countries that provide an equivalent level of protection by applying the notion of ‘adequacy decisions’ or the ‘standard contractual clauses’ or ‘binding corporate rules’.[22]

This structural difference has implications in the context of fashion e-commerce. The underlying technology of fashion platform personalization is advertising technology (adtech), and it is important to note that the adtech stack involves multiple third-party data processors (many US or EU-based), demand-side platforms, data management platforms, and cross-device identity resolution services. The Schrems II judgment demonstrated, at significant cost to the transatlantic digital economy, that such flows cannot be insulated from human rights scrutiny by contractual mechanisms alone.[23] India’s solution, of allowing the substantive adequacy assessment to be made at a future stage by executive notification, this risks either under-protecting consumers or creating opacity for legitimate commercial actors.

3.5 DSA Profiling Opt-Out, and India’s Unaddressed Equivalent

Very large online platforms will have to provide users access to at least one recommender system that is not based on profiling, thanks to the EU Digital Services Act (DSA) that became fully effective in 2024.[24] While certainly not a sweeping doctrinal revolution. The DPDPA does not have a similar provision in India. There is no duty on the fashion platform in India to provide a non-personalized browsing or search experience to its consumers, nor a duty to notify of the presence of a profiling-based recommendation system. The Consumer Protection (E-Commerce) Rules 2020 have limited disclosure requirements for e-commerce entities, but these are those of the product and not the algorithm.[25] The IT (Intermediary Guidelines) Rules 2021 impose due diligence obligations on intermediaries,[26] but do not address the profiling practices of e-commerce operators qua data fiduciaries.

  1. CASE LAW DISCUSSION

4.1 Justice K.S. Puttaswamy (Retd) v Union of India (2017) 10 SCC 1

The judgment by the Supreme Court of India with nine judges, in Puttaswamy is the constitutional foundation of the data protection jurisprudence in India.[27] The Court in a unanimous decision, declared privacy to be fundamental rights under Article 14, 19 and 21 of the Constitution. Justice Chanduchur’s concurring opinion, which enunciated the principle of informational self-determination, defined the ability to shape information relating to oneself as a component of personal dignity, is of particular interest for fashion e-commerce.

Puttaswamy’s relevance to fashion e-commerce is that it affirmed the constitutional validity of the ‘data protection principle’, which states that data gathered from trade and commerce is constitutionally protected. On Chandrachud J’s reasoning, the purchase history of a consumer, a profile of a consumer’s preferences and the algorithmically inferred attributes are part of her informational identity that she is constitutionally entitled to exercise meaningful control over. It also affords grounds for constitutional challenge if the limitations placed by the Act (including those regarding obligatory automated decision-making) are shown to be less than is required for proper constitutional protection of informational privacy.

4.2 Google Spain SL v AEPD (Case C-131/12) [2014] EUECJ

The CJEU’s ruling in Google Spain is the bedrock European decision concerning the liability of the data controller for algorithmic processing.[28] The Court held that a search engine aggregating third-party data is a controller liable to the data subject.[29]

A platform that combines third-party purchase data, social media signals and participation in loyalty programmes to build a single profile of a consumer is, on the Google Spain analysis, a data controller for the aggregated profile if none of the individual data sources are illegal. It has far-reaching consequences under the DPDPA because it appears that fashion websites may have a controller responsibility even in respect of the derived profiles that are formed algorithmically, rather than from direct collection of data.

4.3 Data Protection Commissioner v Facebook Ireland (Schrems II) [2020] EUECJ (Case C-311/18)

The CJEU’s Schrems II ruling, has far-reaching consequences for the adtech infrastructure powering Indian fashion e-commerce.[30] The Court ruled that transfers of personal data to a third country where the country’s law allows public authorities to access the data in a way that is inconsistent with European fundamental rights principles may be prohibited or made subject to additional technical and contractual safeguards that ensure an equivalent level of protection.[31]

It is because the Indian fashion e-commerce ecosystem relies heavily on US-based advertising technology companies such as Meta’s Audience Network, Google’s Display & Video 360, programmatic adtech exchanges which are subject to US surveillance law like FISA. The permissive cross-border transfer provisions in the DPDPA, which depend on executive notification, do not include equivalent safeguards for Indian consumers as in Schrems II. Their fashion data, which may include inferred religious, health and lifestyle data, can be transferred to jurisdictions that offer the same level of protection, without the consumer being meaningfully informed, let alone consenting.

  1. CRITICAL ANALYSIS AND FINDINGS

The four systemic failures India’s regulatory standards have with regard to fashion e-commerce consumer profiling require legislative correction.

The first one is the definition one. The lack of a definition of profiling in the DPDPA, and of any specific reference to inferred sensitive data, is not a side-effect of the DPDPA’s architecture, but rather is one of its major shortcomings. It leaves a doctrinal gap which platforms exploit as they label profiling as ‘analytics’ that is not covered by the Act. The minimum necessary reform is to amend the legislation to include definitions of profiling that are equivalent to those in the GDPR, and to clearly extend the protections on sensitive data to data used for the purpose of determining sensitive attributes.

Secondly, the consent illusion. In the fashion e-commerce landscape, the requirement for free, informed and unambiguous consent has become a near-impossible-to-achieve goal due to the ubiquitous use of dark patterns, bundled consent, and consent fatigue. Effective regulation requires not merely setting a standard for consent quality but mandating specific interface design obligations  prohibiting pre-ticked boxes, requiring genuine choice architecture, and imposing affirmative obligations to offer non-profiled service alternatives, as the DSA has done in the EU.[32]

Third, the algorithmic opacity problem. In India, there is no statutory provision to make fashion consumers aware of the logic behind the algorithm that determines their commercial environments, challenge automated decisions, or demand that these decisions be human reviewed. The obligations of the DPDPA for significant data fiduciaries[33] impose further accuracy and transparency requirements, but don’t make individual algorithmic rights. India’s DPDPA does not even provide this foothold. As the discussion on AI governance in India continues to evolve, the EU AI Act’s horizontal framework of algorithmic governance, which imposes risk-based obligations on AI systems in commercial applications, provides a more structurally appropriate model to consider.

Fourthly, the transfer gap across the border. The DPDPA’s executive-discretion transfer mechanism is inadequate to safeguard consumers whose fashion data streams, through the technical course of routine, flow by way of adtech infrastructures located in jurisdictions with surveillance systems incompatible with sensible data protection. India needs a statutory mechanism of adequacy, based on an independent expert review, which takes into account the features of the fashion sector, such as its ability to disclose sensitive attributes, rather than the country-wide determination.

Who pays the price of these failures? The informational and autonomy costs of transparent profiling accrue to consumers. The advantages are for platforms. UN Guiding Principles on Business and Human Rights,[34] and highlights that the regulatory gaps outlined in this article are not simply technical deficiencies but structural characteristics that sustain commercial power imbalances at the expense of individual dignity.

  1. CONCLUSION

The Digital Personal Data Protection Act, 2023 of India is a welcome yet inadequate measure in addressing the privacy issues brought to the fore by the algorithmic economy of fashion e-commerce. It offers doctrinal building blocks in its fundamental architecture, which includes consent, transparency, data principal rights, and meaningful data fiduciary responsibilities.

The four reforms advocated statutory profiling definitions, consent interface design standards, individual algorithmic objection rights, and a statutory cross-border adequacy mechanism require legislative will, not structural overhaul, and are fully consistent with the Puttaswamy mandate.

The analysis undertaken by India’s legislature, courts and regulators in the short term as well as whether the right to privacy enshrined in 2017 will remain a constitutional dream or a commercial reality – may hinge on the doctrinal decisions that are made.

REFERENCE(S):

  1. Legislation

Digital Personal Data Protection Act 2023 (India)

Information Technology Act 2000 (India)

Consumer Protection Act 2019 (India)

Consumer Protection (E-Commerce) Rules 2020 (India)

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (India)

Constitution of India, Arts 14, 19, 21

Regulation (EU) 2016/679 (General Data Protection Regulation)

Regulation (EU) 2024/1689 (Artificial Intelligence Act)

Regulation (EU) 2022/2065 (Digital Services Act)

California Consumer Privacy Act 2018 (Cal Civ Code §§ 1798.100–1798.199)

California Privacy Rights Act 2020 (amending CCPA)

UK General Data Protection Regulation (UK GDPR), incorporated by UK Data Protection Act 2018

B. Cases

Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (Supreme Court of India)

Google Spain SL and Google Inc v AEPD and Mario Costeja González (Case C-131/12) [2014] ECLI:EU:C:2014:317 (CJEU)

Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (Case C-311/18) [2020] ECLI:EU:C:2020:559 (Schrems II) (CJEU)

Federal Trade Commission v Amazon.com Inc (No 2:23-cv-00932, USDC WD Wash, 21 June 2023)

In re TikTok Inc Consumer Privacy Litigation 565 F Supp 3d 1076 (ND Ill 2021)

WhatsApp LLC v Union of India WP(C) 609/2021 (Delhi High Court)

C. Journal Articles and Books

Ariel Ezrachi and Maurice Stucke, Virtual Competition: The Promise and Perils of the Algorithm-Driven Economy (Harvard University Press 2016)

Lilian Edwards and Michael Veale, ‘Slave to the Algorithm? Why a Right to an Explanation Is Probably Not the Remedy You Are Looking For’ (2017) 16 Duke Law & Technology Review 18

Lior Jacob Strahilevitz and Matthew B Kugler, ‘Is Privacy Policy Language Irrelevant to Consumers?’ (2016) 45 Journal of Legal Studies S69

Niva Elkin-Koren and Michal Gal, ‘The Chilling Effect of Governance-by-Data on Data Markets’ (2019) 86 University of Chicago Law Review 403

Paul M Schwartz and Karl-Nikolaus Peifer, ‘Transatlantic Data Privacy Law’ (2017) 106 Georgetown Law Journal 115

Sandra Wachter, Brent Mittelstadt and Luciano Floridi, ‘Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation’ (2017) 7 International Data Privacy Law 76

Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (PublicAffairs 2019)

D. Official Publications and Reports

European Data Protection Board, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (Version 2.0, 20 October 2020)

European Data Protection Board, Guidelines 8/2020 on the Targeting of Social Media Users (Version 2.0, 13 April 2021)

Federal Trade Commission, Bringing Dark Patterns to Light (FTC Staff Report, September 2022)

FTC, In the Matter of Epic Games Inc (FTC Docket No C-4793, 19 December 2022)

McKinsey & Company, The State of Fashion 2024 (McKinsey Global Fashion Index 2024)

Ministry of Electronics and Information Technology, Government of India, Report of the Expert Committee on Non-Personal Data Governance Framework (Kris Gopalakrishnan Committee Report, December 2020)

OECD, Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD 2013) (revised)

UNCTAD, Data Protection and Privacy Legislation Worldwide (UNCTAD 2023)

UK Information Commissioner’s Office, Guidance on AI and Data Protection (ICO, March 2023)

UK Information Commissioner’s Office, TikTok Monetary Penalty Notice (ICO-00148221, 27 September 2023)

E. International Instruments

Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+) CETS No 223

International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171, art 17

UN Guiding Principles on Business and Human Rights (UN Doc A/HRC/17/31, 2011)

UN Guidelines for Consumer Protection (UN Doc A/RES/70/186, 2015)

[1] McKinsey & Company, The State of Fashion 2024 (McKinsey Global Fashion Index 2024) 14–18.

[2] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (Supreme Court of India), Chandrachud J (concurring), ¶ 169 (affirming informational privacy as a component of fundamental dignity under Article 21 of the Constitution of India).

[3] Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (PublicAffairs 2019) 89–101.

[4] GDPR, art 4(4) (defining ‘profiling’ as any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyse or predict their performance, economic situation, personal preferences, or behaviour).

[5] Digital Personal Data Protection Act 2023 (India), s 2(t); contrast GDPR, art 4(4).

[6] ibid, Chandrachud J, 167–180 (informational self-determination and the right to control the narrative of one’s own life).

[7] Lior Jacob Strahilevitz and Matthew B Kugler, ‘Is Privacy Policy Language Irrelevant to Consumers?’ (2016) 45 Journal of Legal Studies S69, S71–72.

[8] Digital Personal Data Protection Act 2023 (India), ss 4–8 (lawfulness of processing, notice, and consent obligations).

[9] Digital Personal Data Protection Act 2023 (India), s 8(7) (data principal’s right to withdraw consent at any time, as easily as consent was given).

[10] Federal Trade Commission, In the Matter of Epic Games Inc (FTC Docket No C-4793, 19 December 2022) (US); see also FTC, Bringing Dark Patterns to Light (FTC Staff Report, September 2022) 1–45.

[11]Meta Platforms Inc, Data Use Policy (5 January 2022); European Data Protection Board, Guidelines 8/2020 on the Targeting of Social Media Users (adopted 13 April 2021) Version 2.0, ¶ 44–52.

[12] California Consumer Privacy Act 2018 (Cal Civ Code §§ 1798.100–1798.199), s 1798.120 (right to opt-out of sale of personal information).

[13] California Privacy Rights Act 2020 (Cal Civ Code § 1798.185(a)(16)) (amending CCPA to introduce opt-out from automated decision-making).

[14] Digital Personal Data Protection Act 2023 (India), s 2(t) (defining ‘personal data’ as ‘any data about an individual who is identifiable by or in relation to such data’).

[15] Digital Personal Data Protection Act 2023 (India), s 16 (obligations of significant data fiduciaries).

[16] Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+) CETS No 223, art 9 (additional safeguards for sensitive data).

[17] Digital Personal Data Protection Act 2023 (India), ss 4–8 (lawfulness of processing, notice, and consent obligations).

[18] Regulation (EU) 2024/1689 (Artificial Intelligence Act) [2024] OJ L2024/1689, art 6 (classification of high-risk AI systems) and Annex III.

[19] Niva Elkin-Koren and Michal Gal, ‘The Chilling Effect of Governance-by-Data on Data Markets’ (2019) 86 University of Chicago Law Review 403, 427–435.

[20] Consumer Protection Act 2019 (India), s 2(9) (definition of unfair trade practice) and s 28 (Consumer Protection Authority powers).

[21] Digital Personal Data Protection Act 2023 (India), s 17 (cross-border data transfer subject to government notification of permitted territories).

[22]GDPR, arts 44–49 (restrictions on international data transfers and mechanisms for adequacy, standard contractual clauses, binding corporate rules).

[23]ibid, 134–202 (invalidation of Privacy Shield, standard contractual clauses remain valid subject to supplementary measures, and the primacy of fundamental rights in cross-border transfers).

[24] Regulation (EU) 2022/2065 (Digital Services Act) [2022] OJ L277/1, art 26 (obligation of very large online platforms to provide at least one option not based on profiling for recommender systems).

[25] Consumer Protection (E-Commerce) Rules 2020 (India), r 4 (duties of e-commerce entities).

[26]Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (India), r 3 (due diligence by intermediaries).

[27] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (Supreme Court of India).

[28] Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (Case C-131/12) [2014] ECLI:EU:C:2014:317 (Court of Justice of the European Union).

[29] ibid, 80–88 (controller responsibility for processing carried out within search result listings and the right to de-indexing).

[30]Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (Case C-311/18) [2020] ECLI:EU:C:2020:559 (Schrems II) (Court of Justice of the European Union).

[31] ibid, 134–202 (invalidation of Privacy Shield, standard contractual clauses remain valid subject to supplementary measures, and the primacy of fundamental rights in cross-border transfers).

[32]Regulation (EU) 2022/2065 (Digital Services Act) [2022] OJ L277/1, art 26 (obligation of very large online platforms to provide at least one option not based on profiling for recommender systems).

[33] Digital Personal Data Protection Act 2023 (India), s 16 (obligations of significant data fiduciaries).

[34] UN Guiding Principles on Business and Human Rights (UN Doc A/HRC/17/31, 2011) Principle 17 (human rights due diligence for business enterprises).

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top