Πέμπτη 24 Σεπτεμβρίου 2015

Transfer of the data of European Facebook subscribers to servers located in the United States

The EU legal framework on electronic signatures

 

Electronic signatures and related services that allow data authentication can play an important role in ensuring security and trust in electronic transactions. Certainly, in open networks such as the Internet, security issues are emerging, which hinder the development of electronic services. In particular, concerns are raised on the confidentiality and security of electronic communications, which hold back the exploitation of the Internet as a platform for e-commerce.

To deal with the issues of security and trust in electronic transactions, the EU adopted in 1999 the eSignature Directive. This Directive (Directive 1999/93/EC) establishes the legal framework at EU level for electronic signatures and certification services. The aim is to make electronic signatures easier to use and help them become legally recognised within the Member States. The Directive does not favour any specific technology.
The Directive lays down the rule of legal recognition of electronic signatures;[1] it establishes a legal framework for electronic signatures and certification services and defines two levels of security that organizations may apply to e-signatures depending on the sensitivity of the transaction, that is: (a) simple e-signatures, which provide a minimum level of security and (b) advanced electronic signatures, which provide a higher level of security and can be used as a substitute for a handwritten signature.

In order for a signature to be qualified as an advanced signature, certain requirements have to be fulfilled (Article 5(1) of the Directive). These requirements concern the technical function of the signature software and the existence of a qualified certificate, which is provided by a certification service provider which meets certain criteria. As is obvious, apart from the regulation of the legal effect of electronic signatures, the legal regulations concerning the certification of e-signatures and the accreditation of service providers are also of great importance.

As already mentioned, the Directive adopts a technology neutral approach regarding the recognition of electronic signatures. It defines electronic signatures in an abstract manner, so that different technologies can be used to fulfil the legal requirements in order to be qualified as electronic signatures. However, advanced electronic signatures correspond essentially to digital signatures, since the requirements laid down are only met by public key crypto systems.

Regarding the legal effect of e-signatures, a two-tier system is created, in accordance with Article 5 of the directive. Firstly, advanced electronic signatures, which are based on a qualified certificate and are created by a secure signature creation device, are equal in their effect, that is legal validity and probative effect, to handwritten signatures in paper documents. Secondly, the rule of non-discrimination of e-signatures is laid down. Accordingly, EU Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:
— in electronic form, or
— not based upon a qualified certificate, or
— not based upon a qualified certificate issued by an accredited certification-service-provider, or
— not created by a secure signature-creation device.

Furthermore, the |Directive includes rules on market access (Article 3) and establishment of providers of e-signatures services (Article 4), which are in line with EU principles. The liability of certification service providers is regulated in Article 6, which provides for a strict liability regime; accordingly, as a minimum, by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification service provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate.

The recognition of certificates issued by providers established in third countries is regulated in Article 7. Certification service providers are further under the obligation to comply with data protection requirements, laid down in directive 95/46 and more specifically, to collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.

On the basis of this Directive, Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products was issued. The Annex of this legal act includes a list of standards in compliance with the requirements in Annex I f of the Directive, i.e., CWA 14167-1 (March 2003): security requirements for trustworthy systems managing certificates for electronic signatures - Part 1: System Security Requirements and CWA 14167-2 (March 2002): security requirements for trustworthy systems managing certificates for electronic signatures - Part 2: cryptographic module for CSP signing operations - Protection Profile (MCSO-PP) and a list of standards in compliance with the requirements in Annex III, i.e., CWA 14169 (March 2002): secure signature-creation devices.

Furthermore, the Commission Decision 2000/709 was issued, which lays down the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC, that is, when a national body is designated as responsible for the conformity assessment of signature-creation-devices.

A report on the operation of the Directive 1999/93 was issued in 2006.[2] The conclusions of this report concentrated on the legal aspect and the market effect of the Directive. Regarding the former, it is acknowledged that the directive introduced legal certainty with respect to the general admissibility of electronic signatures: the need for the legal recognition of electronic signatures has been met by the transposition of the EU-Directive into the legislation of the EU-Member States. As far as the market effect of e-signatures is concerned, this has been relatively low. In particular, it was found that the use of qualified electronic signatures had been much less than expected and the market was not very well developed. The main reason for the slow take-off of the market is that service providers had little incentive to develop multi-application electronic signature and preferred to offer solutions for their own services. The banking sector and e-government were the sectors where e-signatures were mostly used.

Consequently, extensive consultations on a review of the e-signatures directive took place, and also, on the initiative of the EU Commission, a number of studies were conducted in relation to electronic identification, authentication, signature and related trust services (eIAS). It was made clear that a large majority of stakeholders agreed on the need to review the current framework to fill the gaps left by the directive. It was concluded that this would better respond to challenges posed by the rapid development of new technologies (particularly online and mobile access) and by increased globalisation, while maintaining the technological neutrality of the legal framework.

Critics also highlight the fact that the e-Signatures Directive mistakenly combines identification and authentication with signing, while those should be treated separately.[3]  And also, the combining of PKI technology and the legal status of signatures seems frustrating. 

As a result, the e-Signatures Directive was replaced with the Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), adopted on 23 July 2014. The eIDAS Regulation shall apply from 1 July 2016, with the exception of certain provisions which will apply in different stages.

The eIDAS Regulation creates a European internal market for electronic identification and electronic trust services, including:
· electronic signatures; the rules related to the legal effect of e-signatures are provided for, as well as the requirements for qualified signature certificates, for qualified e-signature creation devices etc.
· Time stamping, i.e. the date and time on an electronic document which proves that the document existed at a point-in-time and that it has not changed since then;
· Electronic seal, i.e. the electronic equivalent of a seal or stamp which is applied on a document to guarantee its origin and integrity;
· Electronic delivery, i.e. a service that, to a certain extent, is the equivalent in the digital world of registered mail in the physical world;
· Legal admissibility of electronic documents to ensure their authenticity and integrity;
· Website authentication, i.e. trusted information on a website (e.g. a certificate) which allows users to verify the authenticity of the website and its link to the entity/person owning the website.

The Regulation obliges public bodies to accept cross-border identification/authentication services that are provided under a scheme that has been properly notified to the European Commission. Thus, it ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in the EU countries where eIDs are available.

It also creates a European internal market for electronic trust services in that it guarantees that they will operate across borders and have the same legal status as traditional paper based processes.

EU Member States should establish supervisory bodies that will supervise certification service providers, but also trust service and qualified trust service providers. The conditions for the supervision of those providers are laid down in the provisions of the Regulation.

The EU adopt measures for the implementation of the Regulation:

Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 


Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 


Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 

Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 

Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services (Text with EEA relevance) 

Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market Text with EEA relevance




[3]  See M. Voulon, “European Union introduces new legal framework for identity management”, online available at: http://www.idnext.eu/en/home/european-union-introduces-new-legal-framework-for-identity-management/

Τρίτη 22 Σεπτεμβρίου 2015

Το δικαίωμα της διανομής στο κοινό περιλαμβάνει και την προσφορά προστατευόμενων έργων, ακόμα και όταν δεν καταλήγει σε πώληση


Μια ενδιαφέρουσα απόφαση εξέδωσε το ΔικΕΕ στην υπόθεση C‑516/13, Dimensione Direct Sales Srl, Michele Labianca κατά Knoll International SpA, στις 13-5-2015 που αφορούσε το ζήτημα αν η διαφήμιση προστατευόμενων έργων εμπίπτει στο δικαίωμα της διανομής στο κοινό, υπό την έννοια του άρθρου 4 της οδηγίας 2001/29

Τα πραγματικά περιστατικά της υπόθεσης αυτής είχαν ως εξής:

Η Knoll ανήκει στον όμιλο Knoll του οποίου η μητρική εταιρία, η Knoll Inc., έχει έδρα στην Πενσυλβανία (Ηνωμένες Πολιτείες). Ο όμιλος αυτός κατασκευάζει και πωλεί σε ολόκληρο τον κόσμο έπιπλα αξίας. Η Dimensione είναι εταιρία περιορισμένης ευθύνης διαχειριστής της οποίας είναι ο M. Labianca. Διανέμει στην Ευρώπη με απευθείας πώληση έπιπλα σχεδιασμένα από δημιουργούς και προτείνει προς πώληση έπιπλα στον διαδικτυακό της τόπο. Κατά τα έτη 2005 και 2006, η Dimensione διαφήμισε την πώληση επίπλων που αντιστοιχούν σε προστατευόμενες δημιουργίες στον διαδικτυακό της τόπο, ο οποίος είναι διαθέσιμος στη γερμανική γλώσσα, σε διάφορες γερμανικές εφημερίδες και περιοδικά καθώς και σε διαφημιστικό φυλλάδιο το οποίο ανέφερε: «Αγοράστε τα έπιπλά σας στην Ιταλία και πληρώστε μόνο κατά την ανάληψη ή κατά την παράδοση από εξουσιοδοτημένο για την είσπραξη μεταφορέα (υπηρεσία παρεχόμενη κατόπιν αιτήσεώς σας)».  Εκτιμώντας ότι τα προτεινόμενα από την Dimensione προς πώληση έπιπλα ήσαν απομιμήσεις ή παρομοιώσεις προστατευόμενων δημιουργιών, η Knoll ενήγαγε την Dimensione και τον M. Labianca ενώπιον του Landgericht Hamburg (περιφερειακού δικαστηρίου του Αμβούργου) ζητώντας να τους απαγορευθεί να προσφέρουν προς πώληση τα έπιπλα αυτά στη Γερμανία. Προς στήριξη της αγωγής της, η Knoll ισχυρίστηκε ότι τα εν λόγω έπιπλα προστατεύονται από το δικαίωμα του δημιουργού ως έργα εφαρμοσμένης τέχνης. Το γερμανικό Ακυρωτικό (Bundesgerichtshof) επισήμανε ότι η ευδοκίμηση του εν λόγω ενδίκου μέσου εξαρτάται από την ερμηνεία του άρθρου 4, παράγραφος 1, της οδηγίας 2001/29 και ιδίως από το αν το δικαίωμα διανομής που προβλέπει η διάταξη αυτή περιλαμβάνει το δικαίωμα προσφοράς προς πώληση στο κοινό του πρωτοτύπου ή αντιγράφου ενός προστατευόμενου έργου.  

Συνακόλουθα, το Γερμανικό Ακυρωτικό υπέβαλε στο Δικαστήριο τα ακόλουθα ερωτήματα:
1) Περιλαμβάνει το δικαίωμα διανομής, κατά το άρθρο 4, παράγραφος 1, της οδηγίας 2001/29, το δικαίωμα προσφοράς, προς πώληση στο κοινό, του πρωτοτύπου ή αντιγράφου ενός έργου; 
Σε περίπτωση καταφατικής απαντήσεως στο πρώτο ερώτημα: 
2) Περιλαμβάνει το δικαίωμα προσφοράς, προς πώληση στο κοινό, του πρωτοτύπου ή αντιγράφου ενός έργου μόνο προτάσεις για τη σύναψη συμβάσεως ή και διαφημιστικές πράξεις;
3) Υπάρχει προσβολή του δικαιώματος διανομής αν η προσφορά δεν κατέληξε στην απόκτηση του πρωτοτύπου ή αντιγράφου ενός έργου;»

Το Δικαστήριο απάντησε θετικά σε όλα τα ερωτήματα. Ειδικότερα, δέχθηκε ότι μπορεί να συντρέχει προσβολή του αποκλειστικού δικαιώματος διανομής, προβλεπόμενου στο άρθρο 4, παράγραφος 1, της οδηγίας 2001/29, όταν έμπορος, ο οποίος δεν είναι κάτοχος δικαιώματος του δημιουργού, πωλεί προστατευόμενα έργα ή αντίγραφά τους, μέσω του διαδικτυακού του τόπου, με ταχυδρομικές διαφημίσεις ή με δημοσιεύσεις στον Τύπο, σε καταναλωτές εγκατεστημένους στο έδαφος κράτους μέλους εντός του οποίου τα εν λόγω έργα προστατεύονται για να τους παροτρύνει να τα αποκτήσουν (σκέψη αρ. 31). Από το συμπέρασμα αυτό προκύπτει ότι, για να διαπιστωθεί προσβολή του δικαιώματος διανομής, δεν ασκεί επιρροή το γεγονός ότι τη διαφήμιση αυτή δεν επακολούθησε μεταβίβαση της κυριότητας του προστατευόμενου έργου ή αντιγράφου του στον αποκτώντα (σκ. αρ. 32).

Το Δικαστήριο απέκλινε από την προηγούμενη νομολογία του και συγκεκριμένα, έκρινε διαφορετικά από ό,τι στην απόφαση Peek & Cloppenburg (C‑456/06, EU:C:2008:232, σκέψεις 33, 36 και 41), η οποία αφορούσε τη δυνατότητα χρήσεως των αντιγράφων προστατευόμενου έργου, ότι η έννοια της διανομής στο κοινό προστατευόμενου έργου ή αντιγράφου του, κατά το άρθρο 4 παρ. 1 της οδηγίας 2001/29, συνεπάγεται μεταβίβαση της κυριότητας του αντικειμένου αυτού, μπορεί εντούτοις να διαπιστωθεί προσβολή του δικαιώματος διανομής εφόσον προσφέρεται, μέσω στοχευμένης διαφημίσεως, σε καταναλωτές εγκατεστημένους στο έδαφος κράτους μέλους εντός του οποίου το έργο αυτό προστατεύεται, η απόκτηση της κυριότητας του πρωτοτύπου ή αντιγράφου του. Σϋμφωνα με το Δικαστήριο, η ερμηνεία αυτή είναι σύμφωνη με τους σκοπούς της εν λόγω οδηγίας, κατά τις οποίες η εναρμόνιση του δικαιώματος του δημιουργού πρέπει να βασίζεται σ’ ένα υψηλό επίπεδο προστασίας, οι δημιουργοί πρέπει να λαμβάνουν εύλογη αμοιβή για τη χρήση των έργων τους και το σύστημα προστασίας του δικαιώματος του δημιουργού πρέπει να είναι αποτελεσματικό και αυστηρό (βλ. απόφαση Peek & Cloppenburg, C‑456/06, EU:C:2008:232, σκέψη 37).

Κατ' ακολουθία, το ΔικΕΕ έκρινε ότι το άρθρο 4 παρ. 1 της οδηγίας 2001/29 έχει την έννοια ότι παρέχει σε κάτοχο αποκλειστικού δικαιώματος διανομής προστατευόμενου έργου τη δυνατότητα να απαγορεύει την προσφορά πωλήσεως ή στοχευμένη διαφήμιση αφορώσα το πρωτότυπο ή αντίγραφο του έργου αυτού, ακόμα και όταν δεν αποδεικνύεται ότι η εν λόγω διαφήμιση κατέληξε στην απόκτηση του προστατευόμενου έργου από αγοραστή της Ένωσης, καθόσον η διαφήμιση αυτή παροτρύνει τους καταναλωτές κράτους μέλους, εντός του οποίου το έργο αυτό προστατεύεται από το δικαίωμα του δημιουργού, να το αποκτήσουν.

Το συμπέρασμα από την απόφαση αυτή του ΔικΕΕ είναι τα όρια του δικαιώματος διανομής είναι ευρεία και φτάνουν να εκτείνονται και σε πράξεις που καλύπτονταν μέχρι πρότινος από το δικαίωμα επιγραμμικής διάθεσης (άρθρο 3 της οδηγίας 2001/29).







Πέμπτη 10 Σεπτεμβρίου 2015

The Legal framework for E-Commerce in the EU


Ioannis Iglezakis
Associate Professor, Aristotle University, Faculty of law

Important Aspects of the EU acquis on E-Commerce
The E-Commerce Directive (Directive 2000/31/EC), adopted in 20001, sets up a legal framework for electronic commerce in the European Union, which aims at providing legal certainty for business and consumers. It establishes harmonized rules on issues such as the transparency and information requirements for online service providers, commercial communications, electronic contracts and limitations of liability of intermediary service providers.
This Directive applies to information society services, e.g., any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of a service. Examples of such services include online information services (such as online newspapers), online selling of products and services (books, e-books, financial services and travel services), online advertising, professional services (lawyers, doctors, estate agents), entertainment services and basic intermediary services (access to the Internet and transmission and hosting of information). These services include also services provided free of charge to the recipient and funded, for example, by advertising or sponsorship; this is the case of social networking sites, such as Facebook, as well as news sites, etc.
An important principle introduced in the Directive is the Internal Market clause (Article 3 (1)), which provides that information society services are subject to the law of the Member State in which the service provider is established. This is complemented by the non-discrimination principle (Article 3 (2)), according to which the Member State in which the information society service is received cannot restrict incoming services. In addition, the Directive enhances administrative cooperation between the Member States and the role of self-regulation.
The E-Commerce Directive is supplemented by the E-Signatures Directive (Directive 1999/93), which lays down the criteria that form the basis for legal recognition of electronic signatures by focusing on certification services.
These encompass the following:
 ·         common obligations for certification service providers in order to secure transborder recognition of signatures and certificates throughout the EU;
·         common rules on liability to help build confidence among users, who rely on the certificates, and among service providers;
·         cooperative mechanisms to facilitate transborder recognition of signatures and certificates with third countries.

This Directive was replaced with the Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) adopted on 23 July 2014. It shall apply from 1 July 2016, with the exception of certain provisions which will apply in different stages.
The eIDAS Regulation creates a European internal market for electronic identification and electronic trust services, which includes electronic signatures, electronic seals, time stamp, and electronic delivery service and website authentication.

Other EU legislation, which is relevant, is:

·         The E-Money Directive (2009/110/EC). The Directive focuses on modernizing EU rules on electronic money, especially bringing the regime for electronic money institutions, into line with the requirements for payment institutions in the Payment Services Directive.
·         Directive 2010/45/EU amending Directive 2006/112/EC on the common system of  value added tax as regards the rules on invoicing - This Directive sets out new VAT rules as regards e-invoicing and removes the obstacles to the uptake of e-invoicing by creating equal treatment between paper and e-invoices, while also ensuring that no additional requirements are imposed on paper invoices. According to the new Article 233 of the Directive, businesses will be free to send and receive e-invoices providing they maintain "business controls which create a reliable audit trail between an invoice and a supply of goods or services" in the same way as is currently  done for paper invoices.
·         The Information Society Directive (2001/29/EC on copyright in the information society) - This Directive aims at the harmonization of certain aspects of copyright and related rights in the information society, in order to adapt legislation on copyright and related rights to reflect technological developments in the era of Internet.
·         The E-Privacy Directive (2002/58 as amended by Directive 2009/136) regulating electronic communications - This Directive mainly concerns the processing of personal data relating to the delivery of communications services. It includes provisions on security of electronic services, confidentiality of communications, unsolicited communications (spamming), Cookies, etc.
·         The Consumer Rights Directive (Directive 2011/83) - This Directive aims at achieving a real business-to-consumer (B2C) internal market, striking the right balance between a high level of consumer protection and the competitiveness of enterprises. It includes, inter alia, provisions on distance contracts, which apply to e-commerce. The Directive lays down information requirements for distance contracts, including information about the functionality and interoperability of digital content. It regulates the right of withdrawal, including a standard withdrawal form that must be provided by traders and may be used by consumers to notify the withdrawal from the contract, etc.

It is also notable that in the Digital Single Market Strategy for Europe, presented by the European Commission in 6.5.20152, e-commerce is amongst the top priorities of the European Union. In the Communication it is mentioned that:

A Digital Single Market is one in which the free movement of goods, persons, services and capital is ensured and where individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence. Achieving a Digital Single Market will ensure that Europe maintains its position as a world leader in the digital economy, helping European companies to grow globally.”

The EU Commission issued its first report on the implementation of the Directive in 2003. In this report, several issues are addressed. These include the following:

1.      Internal Market
2.      Establishment and information requirements
3.      Commercial communications
4.      Regulated professions
5.      Electronic contracting
6.      Liability of internet intermediaries
7.      Notice and take down procedures
8.      Codes of conduct and out-of-court dispute settlement
9.      National e-commerce contact points
10.International issues

The Commission's report concludes that the Internal Market objectives of the Directive have been met and that it has provided a sound legal framework for information society services in the Internal Market. The Directive has also led to modernization of existing national legislation, for example in contract law, to ensure the full validity of online transactions. In the press release for this report it is mentioned that a revision of the Directive would be premature. Instead, it is stated that the Commission will focus on ensuring that the Directive is correctly applied and on collecting feedback and practical experience from business and consumers alike.
The EU has commissioned two studies regarding the application of the E-Commerce Directive, one on the economic impact of this Directive3 and another on the liability of Internet intermediaries in 20074.
The first study provides some estimates of the effect of the Electronic Commerce Directive. Three provisions are highlighted as being particularly important.
First, it is found that the harmonized provisions on limited liability have significantly improved the framework conditions for intermediary service providers. This in turn has reduced their risks and costs of conducting business. The limited liability provisions state that the primary suppliers and not the intermediary providers acting as mere conduits, caches, or hosts of information are liable for online content. Neither can a conduit of information be automatically held liable for linking to a website providing information of an illegal nature.
Second, the harmonized provision allowing for concluding contracts electronically has reduced firm costs. Prior to the Directive it was uncertain in most Member States whether or not a contract concluded by electronic means, an e-contract, carried the same legal status as an off-line contract. After transposition of the Directive, firms have certainty that an e-contract carries the same legal status as an off-line contract. E-contracts have not only reduced firm costs because they are more efficiently handled than offline contracts. For many information society service providers business processes are carried out online, which means that an offline contract is a particular imposition on their very business model reducing firm productivity beyond what may be the case for more traditional firms.
Third, it is stressed out that the country of origin principle has reduced legal heterogeneity across Member States in the areas covered by the Directive. This has reduced search costs for firms as the need for keeping up to date with foreign legislation has been reduced.
The second study attaches great importance to notice and take-down procedures. The e-commerce Directive provides in Art. 14 for an exemption of liability in case the service provider does not have actual knowledge of illegal activity or information; however, there is a diverging practice concerning the implementation of this requirement in national laws of EU member states as regards the assessment of actual knowledge. While some member states require a formal procedure and an official notification by authorities or a court decision, others rely on a ‘notice and take down’ procedures or a common notification.
The study sees the ‘notice and take down’ procedures as a potential solution in this regard. In particular, to balance the competing interests, two extremes should be excluded: mere reliance upon official notification by authorities on the one hand and assuming actual simple notification on the other. A focus on official notification may easily lead to a de facto exemption from liability of providers even if they are aware of illicit activities going on. Simple notification, on the other hand, would invite anyone to inform providers of content or activities, regardless of the reliability, of the quality and of the correctness of the notification. Thus, there is a high risk of abuse. It is, therefore, suggested that a potential solution could be the adoption of a modified notice and take-down-procedure combined with a counter-notice and put-back option.
Under such a system, it would be up to the right holder to notify the provider about the infringement. Having received the notification, the provider would be required to act expeditiously in provisionally withdrawing the content and informing the customer about the notification. In order, however, to avoid any liability these procedures should be supported by legal provisions to ensure that the provider does not incur any liability or responsibility as a result of sending a notification to its customers. The customer should make the choice whether he should send the provider a counter-notice. After receiving a counter-notice, the provider would be obliged to put the content again online. If the provider does not receive an answer from the right holder indicating that he will file an action against the client, the provider is obliged to put the content again online. If, on the other hand, the right holder files an action against the client, the provider is obliged to take down the content until the final decision of the court. To avoid any abuse of this procedure, it is suggested that rapid preliminary review proceedings are introduced.
Furthermore, the notification could follow certain rules, e.g., require the name the other details of the person tendering a notice and identifying specifically the incriminating content. Providers could be obliged to publish corresponding templates on their websites. An exception to such schemes should be applied where the public interest is concerned, i.e., where the illegality of some activities or content is easily assessed.


Establishment of Internet Service Providers (ISPs)

Article 4(1) of the E-Commerce Directive prohibits EU Member States from making the taking up and pursuit of the activity of an information society service provider subject to prior authorization (or any other requirement having equivalent effect). As a result, no authorization scheme has been introduced in the EU Member States with the exception of general authorization, e.g. for pharmacies, etc.
The Implementation Report of 2003 indicates that those EU Member States which had considered introducing such schemes in relation to all or some information society services refrained from doing so and in some cases abolished existing authorization requirements. This has ensured that establishing as an information society service provider in a Member State is easy and not subject to bureaucratic hurdles.
In the absence of controls by state authorities, transparency and information requirements are laid down in Article 5 of the E-Commerce. It is notable that these provisions are complemented by the provisions of the Consumer Rights Directive (2011/83/EU), which provides extensive information requirements in Article 6 and in other provisions.

Monitoring of ISPs

Furthermore, the supervision of providers of e-commerce services can be seen as a restriction of freedom of entrepreneurship that can be justified by general, non-economic considerations, such as public security, public policy, etc. In the EU, this is recognized in the Article 36 TFEU, which allows Member States to take measures having an effect equivalent to quantitative restrictions when these are justified by general, non-economic considerations (e.g. public morality, public policy or public security). However, such exceptions to the general principle must be interpreted strictly, and national measures cannot constitute a means of arbitrary discrimination or disguised restriction on trade between Member States. And also, the measures must have a direct effect on the public interest to be protected, and must not go beyond the necessary level, that is, they should respect the principle of proportionality.
One such measure could be the registration of companies which use the Internet to sell goods and/or services, with state authorities. In Greece, for example, the Law on consumer protection (law No 2251/1994) included previously a provision on the obligation of suppliers which conclude distance contracts to register in a special register of the Ministry of Development. This registration was a necessary prerequisite for the authorization of the required tax books and records by the competent public financial authority and was proved with a certification issued by the competent department of the Ministry of Development. The Minister of Development had the power to refuse registration, due to significant reasons, or proceed, apart from imposing penalties, to the temporary or permanent erasure of the supplier from the register, if the stipulations of this law have been violated by the supplier.
Nevertheless, this provision was amended with Law No 4242 of 2014, which abolished such obligation and introduced the sole obligation of suppliers of goods and services that conclude distance contracts to register with the General Electronic Commercial Registry (G.E.MI.).5 Due to the fact that all commercial entities (natural and legal persons, alike) are required to register with GEMI, any commercial entity selling goods or services at a distance are under such obligation, anyway. So, this is not specific for e-commerce agents.
Thus, if there is a general system of registration of commercial entities, there is no need to introduce a specific system for the registration of those who engage in sales over the Internet.
As regards the protection of the online consumers, far more important than an authorization regime for ISPs is to allow consumer to report complaints about online transactions, and seek relief. To make complaint handling more efficient, online platforms are being built. On international level, one could mention www.econsumer.gov, a portal to report complaints, which is an initiative of the International Consumer Protection and Enforcement Network (ICPEN). In the EU, the Regulation No 524/2013 on online dispute resolution (ODR) provides for a European ODR platform for the out-of-court resolution of disputes between consumers and traders online. The regulation applies only to contractual obligations stemming from online sales or service contracts between a consumer resident in the Union and a trader established in the Union. The Regulation shall apply from 9 January 2016; thus, the online platform is not yet operational.
Another system of registration exists with regard to personal data. Article 18 of the Data Protection Directive (Directive 95/46/EC) provides for the obligation to notify the data supervisory authority. This is deemed as a bureaucratic requirement, which will have to be abolished in the EU, once the Draft Regulation on Data Protection is enacted6. In more particular, Article 28 of the Draft Regulation introduces the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the supervisory authority required by Articles 18(1) and 19 of the Data Protection Directive. The reason for this amendment of the EU law is that the obligation of notification produces administrative and financial burdens, whereas it did not in all cases contribute to improving the protection of personal data. According to the preamble of the Draft regulation, such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes.7
The E-Commerce Directive provides in Article 19 for the cooperation between Member States and the appointment of national contact points. The aim of establishing these contact points is to ensure that consumers and business have access to general information on e-commerce issues relevant to the application of the Directive and details of authorities and other bodies providing further information and assistance. A list of these contact points and contact details are available on the e-commerce website of the Internal Market Directorate General.8 Administrative cooperation between Member States can also be facilitated through the use of the Internet Market Information System (IMI system)9, which is planned to extend its ambit to e-commerce; an extension is also planned as regards the Consumer Protection Cooperation network (CPC)10.11
The CPC network annually identifies common enforcement priorities and carries out specific activities, for example, Sweeps, i.e. systematic checks carried out simultaneously in different Member States to investigate breaches of consumer protection law in the particular on-line sector. The 2013 sweeps targeted websites offering travel services. In 2013-2014 the CPC network, launched a new coordinated enforcement activity resulting in a common enforcement approach on the issue of in-app purchases.12 It is notable that the Member States together with the CPC reached a common position as regards online games.13


   Dealing with Illegal content on the Internet 
The E-Commerce Directive establish the principle that Internet intermediary service providers should not be liable for the content that they transmit, store or host, as long as they act in a strictly passive manner. However, when illegal content is found, so e.g., terrorism/child pornography or content violating copyright, intermediaries should take action to remove it, once they are notified of its existence. This entails certain problems, since the disabling of access and the removal of illegal content can be slow and complicate, whereas it is also possible that content which is legal is taken down erroneously.
It should be noted that it is not easy to define the limits on what Internet intermediaries can do with the content they transmit, store or host in order not to lose the exemption from liability established in the E-Commerce Directive.
An enhancement of Internet providers’ liability for hosting information is signaled by the decisions of the European Court of Human Rights (ECHR) in the Delfi AS decision (no.64569/09). In this case, the Estonian courts had found that Delfi AS, a news portal in Estonia, should have prevented defamatory comments from being published in the portal’s comments section, even though it had taken down the offensive comments as soon as it had been notified about them. Delfi AS appealed before the ECHR, but the Court with two decisions held that the national courts’ findings were a justified and proportionate restriction on Delfi’s right to freedom of expression. This would mean that web editors could be forced to remove defamatory comments as soon as they appear, rather than wait for 'take-down' requests as they do now. In the author’s view, this ruling only affects the legal regime of online editors and cannot be applied to other categories of online providers.
To deal with the issue of battling against illegal content on the Internet, it seems necessary to introduce rules that will provide for procedures for removing illegal content while avoiding legal content to be deleted, in order to respect the right to freedom of expression and information, as well as the economic freedom and entrepreneurial activity. Such rules are characterized as ‘notice-and-take-down’ procedures, which were discussed above.

     Cooperation with state authorities 
ISPs and in particular, access and host providers may need to cooperate with state authorities and provide information regarding users of their services and/or block Internet content. Such measures, however, may infringe upon fundamental rights and in particular, the right to freedom of information, the right to economic freedom and the right to data protection as regards personal data of users of ISPs’ services.
The European Court of Justice (ECJ) dealt already with such issues. In particular, in the case C-275/06 (Promusicae) it considered the relationship between the protection of intellectual property rights and data protection. In that case, Promusicae, a non-profit-making organisation of producers and publishers of musical and audiovisual recordings, brought an action against Telefónica, which operates inter alia in the field of the provision of Internet access services. The purpose of the action was to obtain the disclosure of personal data relating to use of the internet by means of connections provided by Telefónica with a view to bringing civil judicial proceedings against users who, via the KaZaA file exchange programme, were allegedly improperly accessing phonograms in which members of Promusicae hold the exploitation rights. The Spanish court referred to the ECJ a question on the compatibility between the various EU provisions applicable and the Spanish law on, inter alia, information society services which provided that the personal data of internet users must be retained for twelve months and should be used, if necessary, solely in the context of criminal judicial proceedings.
The ECJ held that it is necessary to reconcile the requirements of the protection of different fundamental rights in the case, namely the right to respect for private life on the one hand and the right to the protection of personal data and an effective remedy on the other hand. The Court gave the referring court the task of weighing up the rights in this specific case and reconciling those conflicting rights, on the basis of the provisions contained in Directive 2002/58/EC, as well as in Directives 2000/31/EC, 2001/29/EC and 2004/48/EC, which concern information society services, the harmonisation of copyright and the enforcement of intellectual property rights respectively.
The ruling of the European Court in the case of Promusicae v. Telefonica stated that EU Member States are not under an obligation to impose an obligation on ISPs to disclose their subscribers’ personal data in civil copyright cases under their national law, but they are not precluded from so doing. If they choose to include such an obligation in national law, this law should be proportionate and find a fair balance between the right to respect for privacy and the right to property. The need to protect the privacy of users of electronic communication services is thereby expressly recognized. Thus, a Member State may introduce procedures that provide for effective enforcement of copyright, but these provisions must respect the data protection rights of individuals.
Similarly, in the case C-557/07 (LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH LSG), the Court of Justice held that EU law does not preclude Member States from imposing an obligation to disclose personal data relating to Internet traffic to private third parties, to enable them to bring civil proceedings for copyright infringements, and also that access providers are ‘intermediaries’ within the meaning of Articles 5(1)(a) and 8(3) of Directive 2001/29.
Furthermore, in the case C-314/12 (UPC Telekabel), the ECJ found that an ISP may be ordered to block its customers’ access to a copyright-infringing website, after an injunction is filed by a right-holder. However, such an injunction and its enforcement must ensure a fair balance between the fundamental rights concerned. In particular, the Court held that, copyrights and related rights primarily enter into conflict with the freedom to conduct a business, which economic agents enjoy, and with the freedom of information of internet users. Where several fundamental rights are at issue, Member States must ensure that they rely on an interpretation of EU law and their national law which allows a fair balance to be struck between those fundamental rights. With regard, more specifically, to the ISP’s freedom to conduct a business, the Court considered that an injunction does not seem to infringe the very substance of that right, given that, first, it leaves its addressee to determine the specific measures to be taken in order to achieve the result sought, with the result that he can choose to put in place measures which are best adapted to the resources and abilities available to him and which are compatible with the other obligations and challenges which he will encounter in the exercise of his activity, and that, secondly, it allows him to avoid liability by proving that he has taken all reasonable measures.
Consequently, the Court held that the fundamental rights concerned do not preclude such an injunction, on two conditions: (i) that the measures taken by the ISP do not unnecessarily deprive users of the possibility of lawfully accessing the information available and (ii) that those measures have the effect of preventing unauthorized access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging users from accessing the subject-matter that has been made available to them in breach of the intellectual property right. The Court stated that Internet users and also, indeed, the ISP must be able to assert their rights before the court. It is a matter for the national authorities and courts to check whether those conditions are satisfied.
The jurisprudence of the ECJ in the above cases should be taken into account also where the actions of state authorities conflict with fundamental rights.

VAT on e-commerce services 
In the EU of the 28 Member states, having to deal with many different national systems represents a real obstacle for companies trying to trade cross-border both on and offline. Since 1 January 2015, the "place of supply" rules have entered into force, i.e. Regulation No 1042/2013 amending Regulation No 282/2011 as regards the place of supply of services14. Accordingly, VAT on all telecommunications, broadcasting and electronic services, is levied where the customer is based, rather than where the supplier is located. In parallel, an electronic registration and payment system has been implemented in the EU to reduce the costs and administrative burdens for businesses concerned, which should be extended to tangible goods ordered online both within and outside the EU. Instead of having to declare and pay VAT to each individual Member State where their customers are based, businesses would be able to make a single declaration and payment in their own Member State.
Regarding the online ordering of goods from a third country, there is a small consignment import exemption allowing shipment free of VAT to EU private customers, which is beneficial to suppliers, as it gives them a competitive advantage over EU suppliers and market distortions have already been signalled in various Member States. According to the EU Communication on the Digital Single Market Strategy, such an exception would no longer be needed if VAT were to be collected through a single and simplified electronic registration and payment mechanism.

         FOOTNOTES:
2 OJ L 178, 17/7/2000, pp. 1-16, online available at: http://ec.europa.eu/priorities/digital-single-market/docs/dsm-communication_en.pdf
3 EU Commission, Study on the Economic Impact of the Electronic Commerce Directive, 7 September 2007, http://ec.europa.eu/internal_market/e-commerce/docs/study/ecd/%20final%20report_070907.pdf
4 Study on the Liability of Internet Intermediaries, November 12th, 2007,http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf
7 See Draft Regulation, nr. 70.
11 See Communication of 11.1.2012, pp. 5, 7.