Legal Framework for e-pharmacy in India

E-pharmacy or Online Medical Shop : Legal Framework in India

In India, 50-plus e-pharmacies including Medlife, 1MG, NetMeds, PharmEasy and others continue to do online sale-purchase of drugs, medicines, etc. even today. Because they have physical medical stores that are licensed to sell drugs.

In India, the legal and regulatory provisions for manufacture and sale of medicines are covered under the Drugs and Cosmetics Act, 1940 (D&C Act), Drugs and Cosmetics Rules, 1945 (D&C Rule), Pharmacy Act, 1948, The Information Technology Act, 2000 (IT Act,2000)., Indian Medical Act, 1956 and Code of Ethics Regulations, 2002, Narcotic Drug and Psychotropic Substances Act, 1985 and Drugs and Magic Remedies (Objectionable Advertisement) Act, 1954. Consumer Protection (E-Commerce) Rules, 2020

However, these donot define the regulations for online sale and monitoring of pharmaceutical medicines clearly. Accordingly, various stakeholders approached the government which then constituted an expert committee under the chairmanship of Maharashtra’s ex-Food and Drug Commissioner Dr. Harshdeep Kamble in the 2015, to assess the possibility of online pharmacy sector in India. After continued discussions and various deliberations, the Ministry of Health and Family Welfare vide its notification G.S.R. 817 (E) dated August 28, 2018 came out with a draft to amend the Drugs and Cosmetics Rules, 1945 (“Rules”).

The Draft Rules include certain provisions added Part VIB for sale of drug by e-pharmacy. Under the draft rules, the term ‘e-pharmacy’ has been introduced to define it as the business of distribution or sale, stock, exhibit or offer for sale of drugs through a web portal or any other electronic mode. Further, the terms ‘e-pharmacy portal’ and ‘sale by way of e-pharmacy’ has been suitably defined.

In addition, provisions for application for registration and its validity; conditions for registration imposed on the e-pharmacy like location, disclosure of information, procedure for distribution and sale etc. were provided. Certain restrictions are imposed on the e-pharmacy which include the prohibition of advertisement any drugs on radio, television, internet, print or any other media for any purpose; and restriction on dealing in narcotic and psychotropic drugs as defined under the Narcotic Drugs and Psychotropic Substances Act, 1985, tranquilizers and the drugs specified in the Schedule X of the Rules.

Additionally, monitoring of e-pharmacy, complaint redressal mechanism has been introduced which provides the rights to file a complaint to the state drugs controller (the “Drugs Controller”) for any suspicion of supply of non-standard quality, adulterated or misbranded drugs through the e-pharmacy besides the Consumer Protection Act, 1986. However, the Draft Rules are still pending for approval.

Delhi and Madras High Court orders

Pursuant to issuance of the Draft Rules, various petitions were filed in Delhi and Madras High Court(s) seeking a ban on all e-pharmacy operations, due to public safety.

Later, the Madras High Court pronounced a decision for temporarily banning the online sale of drug and also directed the government to notify the regulations by January 31, 2019 on a petition filed by Tamil Nadu Chemists and Druggists Association,which was later extended by July 31, 2019.

Further, in an official letter dated November 28, 2019, the Drugs Controller General of India (DCGI) issued a notification to all drug Controllers to enforce an order given by Delhi High Court in December 2018 in the case of Zaheer Ahmed v.Union of India which prohibited the online sales of medicines without a valid license. The order was given in response to a public interest litigation (PIL) filed by Delhi-based dermatologist Dr. Zaheer Ahmed who submitted that in absence of monitoring, online sale of medicines would be a risk to patients and doctors.

The said letter is the latest progress about development of e-pharmacy policy and regulation in India, which seems to be reconfirming the existing position of the scenario that online sale should not be done by the pharmacies not having valid license for the same.

The Drug Controller General of India (DGCI) had formed a panel to look into the issue of online drug sales and even suggested the licensing of pharmacies three years ago. As per the draft guidelines which have yet to become law, e-pharmacies will need to register with the DCGI for a fee of Rs 50,000, which will be valid for three years.

In these rules, there are several stringent clauses that prevent e-pharmacies from selling narcotic drugs, tranquillisers, and Schedule X drugs. They also cannot advertise any drugs on their portals. Periodic inspections and stringent penalties for violators are prescribed. Basically, the e-pharmacy draft rules will provide sector-specific e-commerce regulations so as to harmonise existing laws/ guidelines which is similar to FSSAI guidelines for e-commerce food operators, etc. All are waiting for these rules to be notified.

Under the new Consumer Protection (E-Commerce) Rules, 2020, e-tailers have to compulsorily display details about return, refund, exchange, warranty and guarantee, delivery and shipment, modes of payment, and grievance redressal mechanism as well as the ‘country of origin’. Any e-commerce marketplace provider, whether local- or foreign-owned, cannot generate more than 25 percent of its total sales from a single vendor. 

Companies are also not allowed to “manipulate the price" of goods and services offered on their platforms to make “unreasonable profit", discriminate between consumers or make any arbitrary classification of consumers affecting their rights under the Act.

Jurisdiction of Courts under The IT Act,2000 : Case Law

Jurisdiction of Courts in India under The IT Act,2000

A Division Bench of the Allahabad High Court had occasion to deal with the statutory framework pertaining to data breaches in a proceeding for quashing of FIR. In Amit Kumar Jaduan v State of UP and others [MANU/UP/3289/2018] the court examined Sections 43, 47 and 66 of the Act. Some of the important observations of the court are summarised hereunder:

• The act of default must have been committed without the permission of the person who is owner or a person-in-charge of the computer, computer system or computer network.

• The act of the defendant must have caused some damage or loss to the person so affected.

• The difference between Section 43 and 66 is that the pre-requisite of the latter is the existence of mens rea, while under Section 43 of the Act, it is whether the Act committed is without the permission of the owner or person who is in charge of the computer, computer network, or computer system

• Simultaneous actions can be maintained under Section 43 (civil) and Section 66 (criminal) as there is no provision which bars the same.

• While the jurisdiction of civil courts is barred for offences related to Section 43 and there is a special court in the form of an adjudicating authority under the Act to try offences under Chapter IX of the Act, there is no special court created for offences prescribed under chapter XI which consists of Sections 65 to 74 related to offences. Regular criminal courts (JMFC in non metropolitan region and MM Courts in metropolitan cities) will have the jurisdiction depending on their power to adjudicate depending upon the quantum of punishment prescribed in the Code of Criminal Procedure.

  Civil Proceedings instituted will go before an adjudicating officer (Section 46) He is the Principal IT Secratary of the State. Appeals from a decision of the adjudicating officer will go to the TDSAT (Section 57) at Delhi. Appeals from the decision of the TDSAT will go to the High Court (Section 62).

  To conclude lemme sum it up by an real life case example Which I handled.

  SVC Bank Limited a 2nd largest and oldest cooperative bank came to me with a Data Theft Case by a ex employee in connivance with some current employees.

  Criminal & Civil action which I took in Person : I & my team drafted and Liason with police to file an FIR (criminal) under S43(a),S43(b) read with S(66) of The IT Act,2000 and S408, S109 with S34 of the IPC . Then filed a civil suit for damages and compensation under S43(a) & S43(b) along with Injunction application to stop further spread of stolen data in the original side of Bombay High Court .( it was not filed with adjudication officer as the loss was more than ₹ 5 crores i.e. around 20 Cr. So if the place of crime is in Mumbai, Chennai, Kolkata  and Delhi the respective HC will have the jurisdiction or else it is the Civil Judge Senior Division CJSD in non metropolitan areas where the jurisdiction lies).I got the injunction against the accused and the Criminal trial is going on in the JMFC .

  
  

  Advocate (Dr.) Prashant Mali, PhD International Cyber Law & Cyber Warfare 

Consumer Protection Act,2019: What’s New? What it Lacks?

The Consumer Protection Act, 2019 today becomes a Law in India: Whats New?

Why New Law was needed ?

New modes of business like telemarketing, direct selling, multilevel marketing, e-commerce etc which were not envisaged thirty years before and now had made consumers more vulnerable to unfair trade practices. Earlier, direct selling and multilevel marketing were regulated through guidelines issued by state governments and the consumer affairs ministry. This new Consumer Protection Act brings these activities in its fold. Besides expanding the scope of grievances that consumers can complain against, the new framework also gives the regulator suo moto powers. The 1986 Act had a three-tier structure that could be utilised by an aggrieved consumer for adjudicating any complaint. However, it did not provide for a regulator who could initiate or intervene on a preventive basis. For instance, direct product recalls or withdrawal of services which are dangerous or unsafe, directing discontinuation of unfair practices or reimbursement of the price of recalled goods and services to the consumers.

Definition of consumer: A consumer is defined as a person who buys any good or avails a service for a consideration.  It does not include a person who obtains a good for resale or a good or service for commercial purpose.  It covers transactions through all modes including offline, and online through electronic means, teleshopping, multi-level marketing or direct selling.

Rights of consumers: Six consumer rights have been defined in the Bill, including the right to: (i) be protected against marketing of goods and services which are hazardous to life and property; (ii) be informed of the quality, quantity, potency, purity, standard and price of goods or services; (iii) be assured of access to a variety of goods or services at competitive prices; and (iv) seek redressal against unfair or restrictive trade practices.

Central Consumer Protection Authority: The central government will set up a Central Consumer Protection Authority (CCPA) to promote, protect and enforce the rights of consumers.  It will regulate matters related to violation of consumer rights, unfair trade practices, and misleading advertisements.  The CCPA will have an investigation wing, headed by a Director-General, which may conduct inquiry or investigation into such violations.

CCPA will carry out the following functions, including: (i) inquiring into violations of consumer rights, investigating and launching prosecution at the appropriate forum; (ii) passing orders to recall goods or withdraw services that are hazardous, reimbursement of the price paid, and discontinuation of the unfair trade practices, as defined in the Bill; (iii) issuing directions to the concerned trader/ manufacturer/ endorser/ advertiser/ publisher to either discontinue a false or misleading advertisement, or modify it; (iv) imposing penalties, and; (v) issuing safety notices to consumers against unsafe goods and services.

Penalties for misleading advertisement: The CCPA may impose a penalty on a manufacturer or an endorser of up to Rs 10 lakh and imprisonment for up to two years for a false or misleading advertisement.  In case of a subsequent offence, the fine may extend to Rs 50 lakh and imprisonment of up to five years.

CCPA can also prohibit the endorser of a misleading advertisement from endorsing that particular product or service for a period of up to one year. For every subsequent offence, the period of prohibition may extend to three years.  However, there are certain exceptions when an endorser will not be held liable for such a penalty.

Consumer Disputes Redressal Commission: Consumer Disputes Redressal Commissions (CDRCs) will be set up at the district, state, and national levels.  A consumer can file a complaint with CDRCs in relation to: (i) unfair or restrictive trade practices; (ii) defective goods or services; (iii) overcharging or deceptive charging; and (iv) the offering of goods or services for sale which may be hazardous to life and safety.  Complaints against an unfair contract can be filed with only the State and National   Appeals from a District CDRC will be heard by the State CDRC.  Appeals from the State CDRC will be heard by the National CDRC.  Final appeal will lie before the Supreme Court.

Jurisdiction of CDRCs: The District CDRC will entertain complaints where value of goods and services does not exceed Rs one crore.  The State CDRC will entertain complaints when the value is more than Rs one crore but does not exceed Rs 10 crore.  Complaints with value of goods and services over Rs 10 crore will be entertained by the National CDRC.

Product liability: Product liability means the liability of a product manufacturer, service provider, or seller to compensate a consumer for any harm or injury caused by a defective good or deficient service.  To claim compensation, a consumer has to prove any one of the conditions for defect or deficiency, as given in the Bill. A product liability action will lie against the manufacturer if its product has manufacturing or design defects or if it deviates from manufacturing specifications or express warranties.

What the law lacks ?

Independence of these quasi-judicial bodies:

The Act empowers the central government to appoint, remove and prescribe conditions of service for members of the District, State, and National Consumer Disputes Redressal Commissions. The Act leaves the composition of the Commissions to the central government. This could affect the independence of these quasi-judicial bodies.

Qualification:

The Act delegates the power of deciding the qualifications of the Commission’s President and members to the central government. It is in contrast to the 1986 Act which specifies the minimum qualification of the members.

Unfair trade by rivals and penalizing misleading celebrity endorsement:

It does not include unfair trade practices by rival companies, which may negatively affect the sale of products.

The Act also hints at imposing penalties upon any celebrities who endorse misleading products and the extent of liability of advertisers or endorsers and celebrity rights and protection. The Act falls short on the extent of liability on stakeholders in such cases.

Suggestion for further Improvement

Ecommerce companies' first level grievance handling could be via ODR Online Dispute Resolution on their own platform in compliance with ecommerce rules and this law. 

Ecommerce company registration numbers with the consumer commission to know how they treat their consumers by numbering them based on cases handled and resolved.

Section 65B Certificate under Evidence Act is Compulsory for Admission of Electronic evidence : Case Law

Certificate Under Section 65B(4) Evidence Act Is Compulsory for Admissibility of Electronic Evidence: Three Judge Bench of SC - 14 July 2020

Case Law : Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, 2020 SCC OnLine SC 571  , decided on 14.07.2020

The Indian Supreme Court has held in the above case that the certificate required under Section 65B(4) is a condition precedent to the admissibility of evidence by way of an electronic record. The bench headed by Justice RF Nariman further held that, in a fact-circumstance where the requisite certificate has been applied for from the person or the authority concerned, and the person or authority either refuses to give such certificate or does not reply to such demand, the party asking for such certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC.

The bench has also clarified that the required certificate under Section 65B(4) is unnecessary if the original document itself is produced. The court said that the judgment in Anvar P.V. v. P.K. Basheer & Ors. (2014) 10 SCC 473 need not be revisited, subject to the above clarifications.

"Is requirement of certificate U/s 65-B(4) Evidence Act mandatory for production of electronic evidence?" before the three judge bench of SC

Earlier, a two-Judge Bench of Justices Ashok Bhushan and Navin Sinha had referred the question in view of the conflict between Shafhi Mohammad Vs. The State Of Himachal Pradesh SLP (Crl.)No.2302 of 2017 and Anvar P.V. v. P.K. Basheer and Others, (2014) 10 SCC 473. It was held in Shafhi Mohammad vs. State of Himachal Pradesh that, a party who is not in possession of a device from which the electronic document is produced, cannot be required to produce a certificate under Section 65B (4) of the Evidence Act. In that case, the bench was considering the issue of whether videography of the scene of crime or scene of recovery during the investigation should be necessary to inspire confidence in the evidence collected. In Anvar P.V. vs. P.K. Basheer , it was observed that an electronic record by way of secondary evidence shall not be admitted in evidence unless the requirements under Section 65B are satisfied. Thus, in the case of CD, VCD, chip, etc., the same shall be accompanied by the certificate in terms of Section 65-B obtained at the time of taking the document, without which, the secondary evidence pertaining to that electronic record, is inadmissible.

 

Application Can Be Made To Court When Requisite Person Refuses To Issue Such Certificate

The court observed that the major premise of Shafhi Mohammad (supra) that such certificate cannot be secured by persons who are not in possession of an electronic device is wholly incorrect. An application can always be made to a Judge for the production of such a certificate from the requisite person under Section 65B(4) in cases in which such person.

In a fact-circumstance where the requisite certificate has been applied for from the person or the authority concerned, and the person or authority either refuses to give such certificate or does not reply to such demand, the party asking for such certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC. Once such application is made to the Court, and the Court then orders or directs that the requisite certificate be produced by a person to whom it sends a summons to produce such certificate, the party asking for the certificate has done all that he can possibly do to obtain the requisite certificate.

In Anvar P.V. (supra), it was observed that such a certificate must accompany the electronic record when the same is produced in evidence. In this regard, the Court clarified thus:

"We may only add that this is so in cases where such certificate could be procured by the person seeking to rely upon an electronic record. However, in cases where either a defective certificate is given, or in cases where such certificate has been demanded and is not given by the concerned person, the Judge conducting the trial must summon the person/persons referred to in Section 65B(4) of the Evidence Act, and require that such certificate be given by such person/persons. This, the trial Judge ought to do when the electronic record is produced in evidence before him without the requisite certificate in the circumstances aforementioned. This is, of course, subject to discretion being exercised in civil cases in accordance with law, and in accordance with the requirements of justice on the facts of each case. When it comes to criminal trials, it is important to keep in mind the general principle that the accused must be supplied all documents that the prosecution seeks to rely upon before commencement of the trial, under the relevant sections of the CrPC. "

 Sec. 65B(4) of the Evidence Act of furnishing certificate is to be applied when such electronic evidence is produced by a person who is in a position to produce such certificate being in control of the said device and not of the opposite party. In a case where electronic evidence is produced by a party who is not in possession of a device, the party asking for such a certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC.

Conclusion : Section 65B(4) stands compulsory for admission of Electronic evidence 

What is Zohnerism? Media Bloating or else

Zohnerism

Why we need to Avoid watching too much of breaking news, panel discussions, twitter feeds, WhatsApp university gyan on Cyberspace and TV news channels now a  days! Specially local TV channels.

The notorious concept of  Zohnerism

 Zohnerism -  all about twisting of simple facts to confuse people. 

In 1997, 14 year old Nathan Zohner presented his science fair project to his classmates, seeking to ban a highly toxic chemical from it’s everyday use.

The chemical in question? Dihydrogen monoxide.

Throughout his presentation, Zohner provided his audience scientifically correct evidence as to why this chemical should be banned.

He explained that dihydrogen monoxide:

Causes severe burns in while it’s in gas form

Corrodes and rusts metal

Kills countless amounts of people annually

Is commonly found in tumors, acid rain etc.

Causes excessive urination and bloating if consumed

Zohner also noted that the chemical is able to kill you if you depend on it and then experience an extended withdrawal.

He then asked his classmates if they actually wanted to ban dihydrogen monoxide.

And so 43 out of the 50 children present voted to ban this clearly toxic chemical.

However…this chemical isn’t typically considered toxic at all.

In fact, dihydrogen monoxide is simply an unconventional name for water.

Nathan Zohner’s experiment wasn’t a legitimate attempt to ban water, but instead an experiment to get a representation of how gullible people can really be.

Also, all of the points that Zohner used to convey his point were 100% factually correct; he just skewed all of the information in his favor by omitting certain facts.

In recognition of his experiment, journalist James K. Glassman coined the term "Zohnerism" to refer to "the use of a true fact to lead a scientifically and mathematically ignorant public to a false conclusion".

And this occurs a lot more often than you think, especially when politicians, conspiracy theorists, etc., use proven facts to persuade people into believing false claims.

The fact that people can mislead, and be misled so easily, is highly unsettling. 

Why was TikTok Banned ? What was TikTok Doing

TikTok was a data collection service that was thinly-veiled as a social network, for tons of data few rupees were paid to TikToker’s.

It use to get information on you, your contacts, or your device, Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc), Other apps you have installed. Privacy Violated to the core.

Everything network-related (ip, local ip, router mac, your mac, wifi access point name), Whether or not you're rooted/jailbroken.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC.

They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication.

The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing. There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don't forget about users' real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM'd the application.

They provide users with a taste of "virality" to entice them to stay on the platform. Your first TikTok post will likely garner quite a bit of likes, regardless of how good it is.. assuming you get past the initial moderation queue if thats still a thing. Most users end up chasing the dragon. Oh, there's also a ton of creepy old men who have direct access to children on the app, and I've personally seen (and reported) some really suspect stuff. 40-50 year old men getting 8-10 year old girls to do "duets" with them with sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.

Here's the thing though.. they don't want you to know how much information they're collecting on you, and the security implications of all of that data in one place, en masse, are really huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can't see what they're doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.

Now, I when I spoke to my TikToker friends they were completely blanketed with the fame and money. Their addiction made them question me , even if TiKTok has taken my data or knows where I am so what ? I don’t mind and what happens to the data already gone?

I had to explain them with my examples that when u models and TikTokers go near my BMW car and make video because it is Kul even my location is compromised. This is because your location shows my cars location, date and time. The car owners database is openly available on Internet. Joining these data points My movement’s get tracked, my privacy even though I don’t have TiKTok in my mobile is compromised.

Your front camera and microphone is compromised means who you meet, what you do and what you talk all is comprised.

Since, other Apps On your mobile data gets accessed by TikTok, that means what photos you take , what medicines you buy online even which all other competitors social media Apps you use is known to them.

What is your heart beat or pulse rate or blood pressure is also known to them thanks to your health Apps, they even know how much square foot is your house or terrace where you shoot your videos, Google to find out how if you don’t trust me 😊

Researchers have reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure aren't outright trying to hide exactly whats being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare. TikTok was clearly the states cyber Weapon in the larger Cyberwarfare to collect Data. 

Advocate (Dr.) Prashant Mali

Cyber & Privacy Law Expert 

Google to pay $57 Million GDPR Fine in France

The French Supreme Court of Administrative Law rejected Google’s claim that it had to pay a $57 million fine last year for failing to tell its users how to handle their personal information. On June 19, the French State Council officially released the trial results, confirming the previous investigation results of the data regulator CNIL, that Google did not provide Android users with “clear enough” information reminders. This means that it did not have lawful consent to use user data for specific advertising. Considering the seriousness and continuity of Google’s violations, the $57 million fine is also justified.

More importantly, the court also confirmed the French national regulatory authority’s jurisdiction over Google. Based on the GDPR regulations, the multi-million-dollar fines faced by Google are by far the highest fines against technology giants. This incident will also have a certain symbolic significance, mainly for those who think whether the GDPR can play the role.

This penalty seems insignificant relative to the global revenue of Google’s parent company Alphabet. Nevertheless, Google will make corresponding adjustments in the future. It will work on how to collect user data and its advertising positioning bottom line.