This article covers recent developments in the law on e-commerce in the UKand the EU.
UK Developments
Electronic trading (eg over the Internet) is currently valued at US $12billion per year worldwide. By 2002, it will be valued at US $350 billion peryear, according to the Under Secretary of State for Competition and ConsumerAffairs, Dr Kim Howells MP.
Laws that regulate e-commerce will affect almost every business. Manybusinesses have recently made decisions on the technology in which to invest tomake full use of the Internet and the opportunities that it offers. It appearsinevitable, in the light of proposals at national and international levels toupdate existing legislation and to introduce some form of regulation, that someof them will have to revisit their decisions. Prudent companies have, for sometime, been involved in the various e-commerce debates in order to influence thedesign and implementation of the eventual legislation.
The Current UK Position
On 5 March 1999, after considerable delay, the DTI and the Home Officepublished a consultation paper outlining proposals aimed at making the UK ‘theworld’s best place in which to trade electronically’. The Government hopesthat the proposals will build consumer and business trust in e-commerce servicesand ensure consumer protection.
The Government intends to update laws to afford legal recognition toelectronic instruments and, in particular, electronic signatures. It proposes toimpose, by legislation, equivalence between traditional and electronic means ofcommunications though not in one fell swoop. Part of the consultation processwas to obtain views on how best to achieve this objective. The Governmentproposes to create a rebuttable presumption that an electronic signaturemeeting certain conditions correctly identifies the signatory it purports toidentify and, where it purports to guarantee that the accompanying data has notbeen altered since signature, that it has not.
The Government also confirmed that it proposes to introduce, and OFTEL willadminister, a voluntary licensing regime for ‘Trust ServiceProviders’. The licensing regime would cover providers of encryption (orconfidentiality) services as well as Certification Authorities or CAs (ie theentities that issue the electronic certificates from which electronic signaturesare generated).
Prior to the consultation paper’s publication, industry and civil libertygroups had expressed fears that licensed bodies would be required to retaincopies of private keys and to provide access to them to law enforcement bodies.This would enable the law enforcement body to read all communications of theperson whose private key had been disclosed, perhaps even with that person notknowing this. The various groups had fiercely opposed the suggestion thatservice providers should be required to retain copies of customers’ privatekeys on the grounds that this would invade privacy and constrain the developmentof e-commerce in the UK. It would constrain the development of e-commerce because a system would need to be created to hold such private keys securely andbecause customers would not wish to use a service provider if it meantdepositing their private key.
Immediately prior to publication of the consultation paper, the PrimeMinister intervened and earlier proposals making key ‘escrow’ or key‘recovery’ mandatory for licensed service providers have been dropped (forthe moment at least). The Government confirmed that there will not be anobligation on users to store keys. Instead, industry has been left with thechallenge of suggesting alternative ways in which the legitimate concerns of lawenforcement agencies can be addressed. In the meantime, current legislationwhich permits law enforcement agencies to intercept communications and powers ofsearch and seizure will be reviewed to take into account electronic instrumentsand the use of encryption technology. Clearly legislation will be of littleeffect where keys are not available to service providers and the user cannot beapproached or refuses to disclose keys.
An area of particular concern to industry is the extent of potentialliabilities where they provide e-services. The Government states in theconsultation paper that its initial view is that a statutory limit on liability,that could not be decreased by contractual terms, would be imposed on licensedservice providers with different limits being set for different types ofservice. The existing law would apply to unlicensed service providers. TheGovernment is seeking views on a number of specific issues relating to theextent (if at all) to which liability should be prescribed by legislation.
The debate in the UK is only one of several debates that are currently takingplace, notably, at European Union level. The European Commission has adoptedproposals entitled ‘Proposal for a European Parliament and Council Directiveon certain legal aspects of electronic commerce in the Internal Market’. Theseare wider proposals but cover much of the same ground as the UK proposals. Inparticular, the Commission aims to clarify the existing legal framework (eg thelegal validity of e-contracts) so that obstacles to offering and usinge-commerce services throughout the EU are removed; to provide for legalrecognition of electronic signatures in e-contracts; to regulate the selling offinancial products by telephone or the Internet; and to address liability issuesof service providers such as CAs but in the context of a wider range of‘Information Society Services’ – eg for acting as a ‘mere conduit’ forinformation or for ‘hosting’ or ‘cashing’.
A Bill containing the UK proposals will probably be introduced into thissession of Parliament, that is to say, before the end of July. It is to receiveRoyal Assent during the 1999/2000 session of Parliament.
(The Consultation Paper Building Confidence in Electronic Commerce isavailable at http://www.dti.gov.uk/CII/elec/elec_com.html.Comments were due by 1 April 1999. This was extended but is now final. sec@ciid.dti.gov.uk.)
EU Developments
Background
On 18 November 1998, the European Commission announced ‘a proposal for aEuropean Parliament and Council Directive on certain legal aspects of electroniccommerce in the Internal Market’. The proposal was anticipated in aCommunication from the European Commission in April 1997 in relation toelectronic commerce, ‘A European Initiative on Electronic Commerce’(IP/97/313).
The proposed Directive would set harmonised rules only in those areas whereit is perceived as necessary to ensure that visitors and citizens cansupply and receive information society services throughout the European Union,irrespective of international frontiers. It describes itself as having a‘light, enabling and flexible approach’. It also says that it will‘interfere as little as possible’ with national legal rules. Industrypublicly supports a ‘light touch’ of government regulation.
What Services are Covered by the Proposal?
Article 1 of the draft Directive states the objective of the Directive whichis ‘to ensure the proper functioning of the internal market, particularly thefree movement of Information Society services between the Member States.’ TheDirective is intended to complement Community law applicable to InformationSociety services without prejudice to the existing level of protection forpublic health and consumer interests, as established by Community legislation,including those legislative acts adopted for the functioning of the internalmarket.
The proposal therefore covers all ‘Information Society services’, ie allservices normally provided for remuneration and at a distance by electronicmeans and on the request of an individual or service receiver – even thoseprovided free of charge to the recipient – for example, because they arefunded by advertising or sponsorship. It applies to both business-to-businessand business-to-consumer services. It will cover a number of sectors, includingonline databases, newspapers and magazines, online entertainment services suchas a video on demand (or near demand) and even online professional services(legal, accountancy, etc).
In debating the draft, a number of Member States, including the UK, havesought clarification of exactly what services are covered, as the definitionappears to be rather wide and capable of applying to a whole range of services.There are some specific exceptions in the draft Directive. For example, it doesnot apply to taxation, or to certain matters listed in Annex 1 of the document,such as the activities of notaries.
The Core Elements of the Proposal
The core elements of the proposal are:
1. The Place of Establishment/Supervision
There is a degree of legal uncertainty as to the applicable jurisdiction inrelation to such services.
If content is stored on a server in one country but accessed by a customer inanother country, whose laws apply? There are also, for example, differencesbetween the approach in civil-law and common-law countries.
The proposal will regard the place of establishment of the providers of suchservices as the place where that operator pursues an economic activity through afixed establishment, irrespective of where the Web sites or services aresituated or where the operator may have a mail box. That is the jurisdictionwith which the service provider must comply. Thus, the ability to access anInternet site in a Member State or the fact that a service provider establishedin one Member State offers services targeted at the territory of another MemberState would not amount to a place of establishment.
The proposal is concerned that this approach should be in keeping with theprinciples in the EU Treaty (Article 52, now renumbered as Article 43) and caselaw of the European Court of Justice.
2. Non-Discrimination/Service Providers to inform users about their Services
Article 3(2) of the draft Directive provides that Member States may not, forreasons falling within the Directive’s coordinated field, restrict the freedomto provide Information Society services from another Member State.
Article 4 of the draft Directive provides that Member States shall lay downin their legislation that access to the activity of Information Society serviceproviders may not be made subject to prior authorisation or any otherrequirement the effect of which is to make such access dependent on a decision,measure or particular act by an authority. The proposal would prevent MemberStates discriminating against those who provide Information Society services byrequiring that no special authorisation schemes should be applied to them whichare not applied to the same services provided by other, usually moretraditional, means.
The trade-off for this benefit and the clarification of the serviceproviders’ position would be that Member States would be required (by virtueof Article 5 of the Directive) to oblige service providers to make available tocustomers and competent authorities certain information about themselves such astheir name, address, professional authorisation, VAT number, trade registernumber, etc and clear pricing details. This information should be easilyaccessible while the service is being provided.
3. Exceptions to the Non-Discrimination Principle
Member States may, on a case-by-case basis, still impose restrictions onInformation Society services supplied from another Member State but onlyfor:
- the protection of the public interest on grounds of, for example, protection of minors or rules against racial, sexual or religious discrimination
- the protection of public health
- ‘public security’
- consumer protection rules.
This principle appears in Article 22 of the draft Directive. However, therestrictions would have to be proportionate to the objective and should beimposed (emergencies excepted) only after:
- the relevant Member State where the service provider is established has been asked to take measures appropriate to the case and has failed to do so; and
- the intention to impose restrictions has been notified in advance to the European Commission and to the Member State where the service provider is established.
Notification of measures taken in emergencies would have to be made as soonas possible to the Commission and the Member State, indicating the reasons forthe emergency. Article 22 also provides for the Commission to decide on thecompatibility with European Community law of any measures taken.
In addition, Annex II sets out derogations from the Article 3non-discrimination principle in various fields, including:
- copyright, industrial property rights and rights under the legal protection of the Databases Directive (Directive 96/9/EC)
- ‘contractual obligations concerning consumer contracts’
- unsolicited commercial communications by electronic mail or an equivalent individual communication.
The extent of some of these is unclear.
4. Online Contracts
Another uncertainty in electronic commerce is the issue of when and howcontracts are concluded online and what legal factors are holding back theprocedure of contracting online. Some laws in Member States still require paperand ‘traditional’ signatures and therefore the proposal (in Article 9)exhorts Member States to adjust their national regime to remove restrictions onthe use of electronic media to enter into contracts.
Article 9 of the draft Directive provides that Member States shall ensurethat their legislation allows contracts to be concluded electronically. Inparticular, they are required to ensure that the legal requirements applicableto the contractual process ‘neither prevent the effective use of electroniccontracts nor result in such contracts being deprived of legal effect andvalidity on account of their having been made electronically’.
At present, there could be different results, in the courts of differentjurisdictions, as to when (and where) contracts at a distance are formed, sosome level of consistency is clearly necessary.
This is not something which is currently being addressed in the UK in detailas part of the UK Government’s proposals for secure electronic commerce,published on 5 March 1999, ‘Building Confidence in Electronic Commerce – aConsultation Document’. That paper contains a section on ‘Legal Recognitionof Electronic Instruments’, looking at electronic signatures and electronicwriting. It does not really address contract issues, as such, but concentratesmore on the validity of digital signatures.
Article 9(2) permits Member States to lay down some fairly limited exceptionsto the general rule in relation to electronic contracts – for example,contracts requiring the involvement of a notary, contracts which in order to bevalid are required to be registered with a public authority, contracts governedby family law, and contracts governed by the law of succession. The UKconsultation paper of March mentions birth, marriage and death certificates asbeing an area where, perhaps, old-fashioned ‘paper’ should not be disturbedby a new regime.
Article 10, headed ‘information to be provided’, provides that MemberStates shall lay down in their legislation that, except when otherwise agreed byprofessional persons, the manner of the formation of a contract by electronicmeans should be explained by the service provider clearly and unequivocally and priorto the conclusion of the contract. The information to be provided must include:
- the different stages to follow to conclude the contract
- whether or not the concluded contract will be filed and whether it will be accessible
- the means for correcting handling errors.
Member States are required to provide in their legislation that the differentsteps to be followed for concluding a contract electronically shall be set outin such a way as to ensure that parties can ‘give their full and informedconsent’.
Article 11 requires Member States to lay down in their legislation that, savewhere otherwise agreed by professional persons, in cases where a recipient, inaccepting a service provider’s offer, is required to give his consent throughtechnological means, such as clicking on an icon, certain principles will applywhich provide for when the contract is concluded. Those principles are:
- the contract is concluded when the recipient of the service:
(i) has received from the service provider, electronically, an acknowledgement of receipt of the recipient’s acceptance; and
(ii) has confirmed receipt of the acknowledgement of receipt;
- acknowledgement of receipt is deemed to be received and conformation is deemed to have been given when the parties to whom they are addressed are able to access them;
- acknowledgement of receipt by the service provider and confirmation by the service recipient shall be sent as quickly as possible.
5. Liability of Intermediaries
‘Mere Conduit’ Another area which is inhibiting thegrowth of electronic commerce is the need for online service providers to havetheir legal status clarified, in terms of their responsibility to those for whomthey transmit and store information or give access (ie when they act as‘intermediaries’). The proposal seeks to set up an exemption forintermediaries where their role is essentially passive and where they are a‘mere conduit’ of information from and to third parties. The exception isnot available in the face of a ‘prohibitory injunction’.
The exclusion from liability applies only on condition that theprovider:
- does not initiate the transmission
- does not select the receiver of the transmission
- does not select or modify the information contained in the transmission.
The acts of transmission and of provision of access include the automatic,intermediate and transient storage of the information transmitted insofar asthis takes place for the sole purpose of carrying out the transmission in thecommunication network, and provided that the information is not stored for anyperiod longer than is reasonably necessary for the transmission.
