Internet Newsletter for Lawyers |
|---|
The law in Ireland as it relates to e-commerce, the Internet and related sectors has developed significantly in the past couple of years mainly due to the legislative impetus created at an EU level. I propose, here, to outline some of the more topical pieces of new and pending legislation in this area. By and large the approach of the Irish legislature to date has been to transpose the relevant EU Directive by means of secondary legislation with one or two exceptions.
See also Recent E-Commerce Regulation in the UK by Kolvin Stone, May/June 2002
The Electronic Commerce Act 2000, which became law on the 20th September 2000 was the first important piece of Irish legislation in this area. This Act substantially implemented the Electronic Signatures Directive (1999/93/EC) and went some way towards implementing the Electronic Commerce Directive (2000/31/EC). The Act provides (with some exceptions) for the legal recognition of electronic signatures, electronic writing and electronic contracts and is drafted in a technologically neutral way. It authorises the use of encryption and unlike in the UK, does not require the mandatory disclosure of private keys. It is stated Irish Government policy that Irish law shall not provide for compulsory or forced disclosure of private encryption keys. The Act provides that Certification Service Providers (CSP's) do not need prior authorisation before setting up in business. However CSP's will be liable to pay compensation for damage caused to any person who relies on a certificate that has been negligently issued by a CSP. In simple terms the CSP must ensure that the information provided in the certificate is accurate at the time that it issues the certificate.
Draft Regulations to transpose the remaining portions of the Electronic Commerce Directive were submitted to the EU Commission and the member states on the 7th August 2002. If no comments arise within the three-month "stand still period" under the EU Notification Procedure then these Regulations should become law sometime after the 7th November 2002. To comply with the requirements of the Regulations, Irish businesses providing or advertising goods or services online will have to adapt the medium used by them to transact or advertise online. Non-compliance could lead to the imposition of fines of up to €3,000 or three month's imprisonment or both.
For online businesses, especially those dealing with consumers, data privacy is one of the most important legal issues that they have to deal with. The principal piece of Irish legislation governing data protection at present is the Data Protection Act 1988, which pre-dated the Data Protection Directive (1995/46/EC). The Act introduced a reasonably comprehensive set of data privacy rights and obligations and established the Office of the Data Protection Commissioner to oversee its implementation. Ireland has been slow to transpose the Data Protection Directive into Irish law although the pace has picked up in the last year or so. The European Communities (Data Protection) Regulations, 2001 (S.I. No. 626 of 2001) which partially transpose the Data Protection Directive became law on the 1st April 2002. These Regulations essentially deal with the requirements for the lawful transfer of personal data from Ireland to countries outside the European Economic Area.
In February 2002 the Data Protection (Amendment) Bill 2002 was published. This Bill provides for the transposition of the remaining sections of the Data Protection Directive and the consolidation of Irish law in this important area. Under its provisions the powers and functions of the Data Protection Commissioner will be significantly increased. These new powers will include the right to publish codes of practice, the power to conduct privacy audits and the power at the point of registration, to evaluate and to be satisfied that there is nothing objectionable in what is proposed by way of data processing. All data controllers (with some limited exceptions) and data processors operating in Ireland will have to register annually with the Data Protection Commissioner.
The Bill extends the fair processing principles set down in the 1988 Act. The rules governing how personal data may be collected, processed, stored and kept secure will be extended. Personal data may only be processed for the specific notified purpose for which it has been collected. Data subjects will have to be informed of the data controller's identity, why the data is being collected, by whom and for what purpose. The data subject will have the right to request the data controller for access to his or her personal data and if appropriate to have it corrected or deleted. Specific additional rules will govern the collection, processing and use of what is defined as "sensitive personal data", principally data relating to the racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, health, sexual life, or criminal offences whether alleged or otherwise of the data subject.
In addition to these rules if the data is to be used for direct marketing purposes the data subject must be informed at the time of collection of his or her right to object to such processing. Furthermore direct marketers will have to cease to use and will have to erase an individual's personal data within 40 days of being requested to do so by the individual concerned.
The rules governing the transfer of data to countries outside the European Economic Area are restated. Data controllers who retain the services of data processors will have to conclude a written contract containing certain essential terms including but not limited to the obligation on the part of the data processor to act only on the instructions of the data controller and to keep the personal data secure.
At an EU level the Privacy and Electronic Communications Directive (2002/58/EC) has officially come into force and member states are required to transpose the Directive into national law by 31st October 2003. This latest Directive has particular significance for businesses using electronic communications or indirect marketing as well as telecommunication service providers. It has implications for the use of cookies as well as mandating an "opt-in" regime for the use of "electronic mail". Other major changes include provisions mandating the retention of certain traffic and billing data by telecommunication service providers.
On the 15th May 2001 the European Communities (Protection of Consumers in respect of Contracts Made by Means of Distance Communication) Regulations, 2001 (S.I. No.207 of 2001) became law. These Regulations transposed the provisions of EU Directive 1997/7/EC on the protection of consumers in respect of distance contracts. The Regulations govern contracts concluded with consumers for the supply of goods or services (excluding financial services) exclusively by means of distance communication. Among the key requirements of the Regulations are those which deal with the information that must be given to the consumer before the contract is made, the requirement of providing subsequent written confirmation of that information to the consumer and a cooling off period within which the consumer may cancel the contract. Before the contract is made the information to be provided includes the supplier's identity and in certain instances its address, the main descriptors of the goods or services, the price inclusive of all taxes, any delivery charges, the arrangements for payment, delivery or performance, the right of cancellation, the cost of using the means of distance communication, the period for which the offer remains valid and where appropriate the minimum contract terms. A person found guilty of an offence under these Regulations shall be liable on conviction to a fine not exceeding €3,000.
On the 29th May 2002 the European Communities (Electronic Money) Regulations 2002 (S.I. No. 221 of 2002) was enacted governing the issue of electronic money in Ireland. These Regulations give effect to the provisions of Directive 2000/28/EC relating to the taking up and pursuit of the business of credit institutions as well as the provisions of the E-money Directive (2000/46/EC) and reflect one of the more important elements of the range of E-Commerce measures being implemented at an EU level. The Regulations define "e-money" (essentially an electronic medium which replaces bank notes and coins) as well as setting out the requirements in terms of capital adequacy and operations for the issuers of e-money. The electronic money institution may not issue e-money at a discount or on credit terms. The business activities that such institutions may engage in are limited and must be closely related to the administration of e-money. The Regulations state that e-money must be redeemed at par value on demand. To protect the consumer and to limit the opportunity for money laundering the Regulations limit the value of a single "e-purse" to €5,000. The Regulations provide that electronic money institutions from other member states can issue e-money in Ireland with mutual recognition of home state supervisory responsibility.
In December 2000 the European Council agreed a new Regulation on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters (the Brussels 1 Regulation) which effectively overhauled the way such judgements obtained in one EU member state are enforced in another. This Regulation came into effect on the 1st March 2002 and did not require implementing legislation in any EU member state. The European Communities (Civil and Commercial Judgements) Regulations 2002 (S.I. No. 52 of 2002) were implemented in Ireland on the 21st February 2002 to set out the procedures to be followed for the successful operation in Ireland of the Brussels 1 Regulation.
The pace at which legislation that is relevant to e-commerce and the online business community is being brought forward in Ireland as in other EU member states is largely driven by developments at an EU level and is certain to increase. So too will the challenges posed to all businesses that transact or advertise online to comply with an expanding body of law. To operate effectively online, businesses in Ireland need to keep up to date with relevant legal developments both at home and at an EU level just as much as they need to keep up to date with relevant technological and market developments. This is both a challenge and an opportunity for their legal advisors.
Patrick Ryan is a partner in the Dublin law firm of Kilroys Solicitors practising
primarily in the areas of E-Business and IT law. Kilroys Solicitors was
established in 1954 and since then has become one of Ireland's most
progressive corporate law firms representing a broad spectrum of Irish and
international clients. Their site is at www.kilroys.ie.
Email pryan@kilroys.ie.
Trying to find the most current Irish legislation on the Internet can sometimes prove to be a bit of a "mystery tour". Finding the legislation that I have referred to in this paper is no exception. The Office of the Attorney General at www.irlgov.ie/ag hosts "the Irish Statute Book" but at present the legislation that can be accessed only goes to 1998. The Data Protection legislation that I have referred can be accessed on the Data Protection Commissioner's site; www.dataprivacy.ie.
The text of the draft Electronic Commerce Regulations as notified can be found on the europa site at europa.eu.int but then does involve a further search.
For all other references I would recommend that you visit http://www.firstlaw.ie which is a very good site affording access to the most recently published legislation. It is a subscription service but if you are interested there is a free trial currently running.
Back to Contents.