Internet Newsletter for Lawyers
The aim of Governments and the EU is to protect consumers by establishing
a framework in which consumers and businesses can conduct e-commerce
confidently. 2002 will see the implementation of some major pieces of
legislation designed to regulate further the on-line world. So far we have seen
the implementation of the Electronic Signatures Regulations and the Brussels
Regulation in March 2002. We can also expect to see Regulations
implementing the E-money Directive by the end of April 2002 and the
Regulations transposing the E-commerce Directive into UK law by this summer.
This article gives some information about each of these developments.
For links to these regulations, see the notes provided by Kolvin at the end of this article.
The Brussels Regulation converts the 1968 Brussels Convention on the enforcement of judgments in civil and commercial matters between member states into a European Regulation. In order to take account of the Internet, the Regulation includes a new "country of destination" principle under which European consumers will be able to sue e-commerce suppliers for breach of contract in their (the consumers') home jurisdiction.
As well as this practical advantage, consumers will now have the benefit of national mandatory consumer protection laws regardless of the law governing the e-contract. For example, UK consumers will be able to rely on the Unfair Contract Terms Act 1977 where the consumer initiates proceedings in England and Wales. This may not have been the case where the consumer is forced to initiate proceedings in a supplier's jurisdiction which does not contain similar unfair terms regulation.
Not surprisingly, the changes have not been popular with e-commerce businesses who have complained that the new Regulations will result in web based suppliers having to become familiar with different mandatory consumer protection laws in various EU jurisdictions. They argue that the impact of the Regulations could be costly for business and could hinder rather than promote e-commerce.
The Electronic Signatures Regulations were made on 13 February 2002 and came into force on 8 March 2002. An electronic signature is the on-line equivalent of making your mark or signing your name. It could be anything: an email, clicking an "I accept" button on a web page, a fax. The area of law relating to signatures was rarely visited until e-commerce came along. It was thought to need attention in order to promote confidence in e-commerce and to harmonise the law internationally.
The Regulations link electronic signatures with the use of "certificates". A certificate can be thought of as an electronic identity card. Third parties (known as Certification Service Providers or CSPs) provide certificates in order to link an encrypted electronic signature with the holder of the certificate. In this way, use of a certificate with an electronic signature allows the parties to an e-commerce transaction to know who they are dealing with and also aids in the execution of online contracts. The nearest equivalent in the world of paper, ink and ribbon is the notary public.
The CSP is in a trusted position as it must verify the identity of the person applying for a certificate and issue a certificate to him/her. The CSP must also be in a position to "revoke" a certificate speedily if it is being used fraudulently, for example.
The two key issues regarding CSPs are:
Supervision of CSPs
The Directive allowed member states to decide the extent of the supervision to be applied to CSPs. The UK Government decided on a minimal, or "light touch", approach. The Secretary of State must establish and maintain a register of CSPs, which must be open to public inspection, and must publish details of unbefitting conduct of a CSP.
The Regulations must be viewed alongside the provisions of Part One of the Electronic Communications Act 2000. This established powers for a statutory voluntary approvals regime for CSPs. In fact, this has not yet been implemented and may not be if the Government continues to be happy with the non-statutory voluntary scheme being put in place by the Alliance for Electronic Business (a consortium of industry bodies involved in the promotion of electronic business) known as the tScheme.
Liability of CSPs
The typical e-commerce transaction involving use of a certificate is a tripartite relationship between the signatory, the CSP who issues the certificate and the party that relies on the certificate to verify the electronic signature (the relying party).
A contractual relationship exists between the signatory and the CSP, but no contractual relationship may exist between the CSP and the relying party. However, the liability of the CSP to the relying party is central to the legal security of the certificate. This liability is founded in tort, assuming that the CSP owes a duty of care to the relying party. Under common law it would seem hard to deny that such a duty exists and the Regulations support this explicitly.
Indeed, they go much further. In certain circumstances, the CSP may be deemed to be negligent and liable in damages to the relying party (notwithstanding that there is no proof that he was negligent) unless he can prove that he was not negligent. This is an extraordinary reversal of the usual burden of proof in tort. CSPs should manage their risk by clearly defining and narrowing the scope of their responsibility and limiting their liability (subject to the Unfair Contract Terms Act).
The Order implementing the E-money Directive should take effect on 26 April 2002. This will make the issue of e-money - an electronic surrogate for notes and coins - in the UK a regulated activity under the Financial Services and Markets Act. The Directive will be implemented into UK law by secondary legislation which will amend The Financial Services and Markets Act 2000 (Regulated Activities) Order 2001. The legislation will be accompanied by specialist rules and guidance.
The new regime creates a new category of credit institution called an "electronic money institution" (EMI). They will be regulated like banks, but subject to less stringent requirements. However, non-bank EMIs are restricted in some ways e.g. the granting of credit is prohibited and account limits are not to exceed £250.
E-money is defined as "monetary value as represented by a claim on the issuer which is stored on an electronic device and which is accepted as a means of payment by persons other than the issuer".
E-money may be used in the physical world by a smart card, wireless technology and over the Internet. The regime intends to be technology neutral. The new regime will set out the principles for authorisation, supervision and enforcement by the FSA. EMIs will also have to fulfil a number of prudential criteria that are similar to the requirements for banks. The criteria include:
* maintaining a minimum level of initial capital and ongoing own funds;
* having in place the appropriate corporate structures, management systems and internal accounting controls.
EMIs are also required to include certain obligations in contracts with consumers. For example, consumers should receive information on potential areas of risk, redemption rights and the date (if any) beyond which the e-money ceases to be valid. Consumers also need to be told about:
* their liabilities in the event of third party misuse, loss, malfunction, theft or damage to or of any electronic device on which e-money may be stored; and
* the fact that the Financial Services Compensation Scheme does not cover claims made in connection with e-money issues.
The 1993 Money Laundering Regulations and the FSA rules and guidance on money laundering apply to EMIs. EMIs will be required to appoint a money laundering reporting officer with appropriate seniority.
In March, the DTI released a draft of the Electronic Commerce Regulations which, if adopted, would implement the E-commerce Directive, albeit several months late. The draft Regulations closely follow the Directive. They are wide in scope and may apply to web sites that sell goods or services online; distribute on-line information and advertise online; provide search access and retrieval services; transmit information; provide access to communications networks; provide hosting services.
"Country of Origin" Principle
The draft Regulations establish a "country of origin" principle where the web site owner is only required to comply with the law of the Member State in which the owner is established. This principle applies notwithstanding the location of the recipient of the service and the fact that the national laws of the recipient might be stricter. At first glance, this principle looks revolutionary. However, after examining the exceptions relating to the "country of origin" principle, the principle is of limited use. The principle, amongst other things, does not apply to:
There are general information requirements - such as stating the identity of the person on whose behalf the communication is sent - that apply when sending "commercial communications". This is any communication, such as an email, that is designed to promote the goods or services of any person pursuing a commercial activity. The important part of this definition is "designed to promote".
There is a distinction between general communications - which may be sent for informational purposes - and those communications which are sent for the purpose of promoting the sender's business. The distinction may be difficult to recognise in practice and, as the information requirements are not too onerous, it may be simpler to configure email systems to comply with these requirements in every communication.
The draft Regulations make a distinction between commercial communications and unsolicited commercial communications. They set out specific requirements in relation to unsolicited commercial communications which will include "Spam". This is so that users or their ISPs can delete unsolicited communications (or use filtering software to block or delete them) without the need to read them.
As presently drafted, the Regulations do not fully implement the provisions relating to unsolicited commercial communications in the Directive. However, the Government may have adopted this approach as the treatment of unsolicited commercial communications by email is likely to be revisited after the adoption of a further piece of impending legislation - the draft Directive for the Protection of Privacy.
Liability of ISPs
The Regulations set out circumstances in which an internet service provider will not be liable for content posted on the internet, provided certain conditions are complied with:
* Mere conduit - where a service provider plays a passive role as a transmitter of information from third parties or stores information from third parties in order to enable it to be transmitted (for example, telecoms service provider, internet access provider) (includes transient storage).
* Caching - where copies of information are temporarily stored on local servers in order to speed up the onward transmission of the information (e.g. temporary storage by an ISP to make information more rapidly accessible).
* Hosting - where the ISP provides server storage space for third party web sites.
There are also provisions in the draft Regulations concerning the formation of contracts concluded by electronic means. These include information requirements, an obligation to acknowledge an order promptly and a right of cancellation.
Kolvin Stone is a solicitor specializing in IT and e-commerce at City law firm Fox Williams.
email Kstone@foxwilliams.com.
Note from Delia: Fox Williams produces an excellent free e-commerce email newsletter;
subscribe by emailing Kolvin Stone.
Notes on finding these regulations online - as of 3rd May 2002
The Brussels Regulation is available (with luck) here.
However, this is a temporary address and by the time you are reading this, it may no longer be valid. If not, go through the following set of actions:
The Electronic Signatures Regulation 2002 is available here.
The Consultation Paper for the Regulation of Electronic Money Issuers is available here (pdf). Note that, although the new regime is in place as of 26 April 2002, the FSA has not made any major changes to the framework on which it consulted. There have been some changes, for example, to the purse limits but as far as I can tell from the FSA web site, the FSA Consultation Paper has not been updated yet.
The Electronic Commerce (EC Directive) Regulations 2002 is available here (pdf).