Super Apps Hamstrung By Legal Challenges In India

Posted On - 17 January, 2022 • By - Abhilasha SG

Super apps legal challenges are a new problem that such apps are facing which combine social media, payment systems, services, merchant platforms and more under a single umbrella, are on the rise. They’ve been a major facet of the digital ecosystem since 2011 and have garnered billions of consumers worldwide who are attracted to the convenience a super app offers. Having grown from simple single-payment platforms, they have steadily expanded into a type of virtual supermall that seeks to deliver on all aspects of consumer needs.

Super apps have become an inexorable feature of the average consumer’s life; such apps now dominate the commercial ecosystems of South Asia. As with everything digital, these apps also witnessed an upsurge in usage post-COVID and have continued to gain momentum in the era of accelerated digitization. A few well-known examples are WeChat (China), Gojek (Indonesia), Paytm, Jio (India), etc. The industry is expected to expand exponentially as smartphone usage continues to grow rapidly and more so in the Southeast Asian regions – companies are eager to get a slice of this pie with major conglomerates like the Tata Group working on their own version of a super app called TataNeu. [1]

The World Economic Forum estimates that 70% of new value created in the economy over the next decade will be based on digitally-enabled platform business models. In India however, the expansion of such technological services is directly tied to the body of legal policies required to regulate the spectrum.

Super Apps Legal Challenges & Regulatory Hurdles

The development of a super app involves the handling and protection of the sensitive personal information provided by customers in the course of everyday transactions. The internet has become a commercial marketplace and consumer data privacy remains a serious concern for all platforms. A majority of the regulations currently in place are an attempt to protect consumer privacy from data mining and privacy exploitation. Here are some of the legal bottlenecks faced by super-app platforms[2] :-

  • Limitations on personal data collection: One of the biggest Super Apps Legal Challenges is that as per the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (“IT Rules”), the personal data of a person must be collected by a company only with lawful and written consent and the corporate can use that data solely for the purpose for which it is collected.
    Comment:
    Limitations on the right to personal data protection must be provided for by law. This requirement implies that limitations must be placed on a legal basis that is adequately accessible, foreseeable, and formulated with sufficient precision to enable individuals to understand their obligations and regulate their conduct. The legal basis must also clearly define the scope and manner of the exercise of power by competent authorities to protect individuals against arbitrary interference.[3] 
  • Sensitive data pitfalls: Rule 3 of the IT Rules provides for a list of items that are to be treated as “sensitive personal data”, and includes inter alia information relating to passwords, credit/debit cards information, biometric information (such as DNA, fingerprints, voice patterns, etc. that are used for authentication purposes), physical, physiological, mental health conditions, etc.
    Comment:
    While India is yet to pass a Personal Data Protection legislation, companies need to be mindful not to exploit or misuse the vast consumer data for commercial gains at the cost of consumers’ interest. One can expect the Indian government to become involved in demands from the public to safeguard their data more effectively even as the space for super apps becomes more contested.[4]  Confidentiality of user data must be strictly safeguarded and used for legitimate purposes in accordance with the law.
  • Stringent privacy policy compliances: Rule 4 of the IT Rules imposes a duty on body corporates seeking sensitive personal data to draft a privacy policy and make it easily accessible for people who are providing the information. The privacy policy should be clearly published on the website of the body corporate and should contain details on the type of information that is being collected, type of data collected under Rule 3, purpose and usage of such information and ensure that reasonable security practices have been undertaken to maintain the confidentiality of such information.
    Comment:
    Customers’ limited familiarity with these systems can sometimes cause misgivings about their use arising out of privacy concerns surrounding data analysis or the worry that their information could be stolen or compromised in security breaches.[5] Weak privacy regulations (or lack of it thereof) is another potential risk for consumers as their data becomes vulnerable to hacking and other cyber-crimes.
  • Responsibility towards enforcing consumer awareness: Rule 5 of IT Rules provides the guidelines that need to be followed by a body corporate while collecting information and imposes certain duties on the body corporate[6] such as making users aware of the fact that the information is being collected, its purposes & recipients, name and addresses of the agencies while retaining only what is required for the purposes for which the information may lawfully be used, among other considerations.
    Comment: Although this is beneficial from a consumer perspective, the regulatory oversight is a major challenge as the technical aspect is ever-changing. As such, unless the “purpose” for which the data is collected does not breach the line of privacy, it protects the consumer interests.

These are some important factors to be considered before launching super apps.

Recent Legal Developments And Super Apps Legal Challenges

As per the proposed Consumer Protection (E-Commerce) Amendment Rules, 2021 (“Amendment Rules”), Super Apps will be considered e-commerce platforms under Section 3(1)(b)[7]. These rules also do not allow related parties to provide services in the same marketplace, defeating the very purpose of super apps. The threshold limit to be a related party enterprise is where the common shareholders hold not less than 5 per cent of the shareholding in the related enterprises and enterprises having 10 per cent or more common ultimate beneficial ownership. This is a major drawback for business giants as such thresholds are exceptionally low. This implies that Tata will not be able to involve its group entities such as Titan and Taj in TataNeu.[8]

The proposed regulations could impact the super app strategies of many companies as rules on related parties, data sharing and cross-selling clauses could become major hurdles for such entities.[9] This proposal discourages e-commerce players from forming joint ventures in India that are primarily meant to ensure faster product deliveries to consumers.[10]

Additionally, there is Super Apps Legal Challenges regarding increased limitations on sharing consumer data with related entities. Typically, with the consent of users, an e-commerce entity should be allowed to share data with sister companies. As long as the consumer has consented to such data sharing, the same is not likely to affect consumer interests.[11] But with such an update, e-commerce entities would not be permitted to share data with related entities and in the absence of consumer consent, the entities within the Super App will not be able to share customer trends and consumer behaviour data across platforms to cross-sell or customise advertisements for consumers based on their predicted needs.

Such a restriction further implies that brands by multiple companies could be blocked on platforms, such as BigBasket (recently acquired by the Tata Group for a 64 per cent stake).

Concerns also revolve around the practices of unethical data mining – it is natural that super app platforms would have access to vast amounts of personal consumer information, and it is considered a widely known and accepted practice nowadays to sell such information to third party entities for profit.  Moreover, concerns also arise due to the nature of Super Apps where it has control over a large amount of sensitive consumer data. Such metadata is vulnerable to being sold to artificial intelligence machines. Privacy issues also emanate when the Super App uses third party data. This data can be accessed individually or in aggregate to create data banks that can become goldmines of profit by those that have access to it. [12]

Nevertheless, these rules, while well-intentioned, are largely restrictive to the functions of e-commerce companies since it hampers affiliates engaged in cross-sales on multiple platforms. For instance, digital (i.e., non-brick and mortar stores) flash sales have been restricted even though the term ‘flash sale’ itself has not been clearly defined by the act, casting doubt and uncertainty about what breaks the rules or not.

If notified, the amendments stand to hamper the fledgling super app ecosystem in India. The Indian market continues to be a lucrative region for tech platforms, considering the sheer population size and the growing userbase of smartphone users; the amendments need to balance both user privacy concerns and regulatory compliance issues to allow the super app ecosystem space to breathe and develop across the region.

Conclusion – Super Apps Legal Challenges

Super apps are here to stay, and this will undoubtedly cause regulatory challenges – however, regulations should not be restrictive enough to hamper their growth in the digital consumer space.   


  • [1] https://yourstory.com/2021/03/india-becoming-land-rising-super-apps/amp
  • [2]https://www.timesnownews.com/business-economy/companies/article/ahead-of-super-app-launch-tata-digital-seeks-consumer-consent-to-meet-data-privacy-norms/830250
  • [3] https://www.echr.coe.int/documents/handbook_data_protection_eng.pdf
  • [4] https://www.rediff.com/business/special/tech-who-will-win-the-super-app-race-in-india/20211010.htm
  • [5] https://www.pymnts.com/authentication/2021/transunion-behavioral-analytics-2/
  • [6] https://www.mondaq.com/india/data-protection/626190/information-technology-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011
  • [7]https://consumeraffairs.nic.in/sites/default/files/file-uploads/latestnews/Comments_eCommerce_Rules2020.pdf
  • [8]https://economictimes.indiatimes.com/industry/services/retail/draft-rules-possibly-ruins-super-app-plans-for-tatas-and-adanis/articleshow/85508642.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
  • [9] https://theoutreach.in/proposed-e-commerce-rules-could-dampen-super-app-plans-of-many-indian-players/
  • [10]https://www.livemint.com/industry/retail/ecommerce-companies-to-write-to-govt-against-draft-rules-11624910348605.html
  • [11] https://theoutreach.in/proposed-e-commerce-rules-could-dampen-super-app-plans-of-many-indian-players/
  • [12] https://www.indiaglobalbusiness.com/analyses/in-focus/tata-walmart-super-app-sets-the-stage-for-3-way-fight-in-indian-market

Contributed by Abhilasha SG, Associate