Πέμπτη, 10 Σεπτεμβρίου 2015

The Legal framework for E-Commerce in the EU


Ioannis Iglezakis
Associate Professor, Aristotle University, Faculty of law

Important Aspects of the EU acquis on E-Commerce
The E-Commerce Directive (Directive 2000/31/EC), adopted in 20001, sets up a legal framework for electronic commerce in the European Union, which aims at providing legal certainty for business and consumers. It establishes harmonized rules on issues such as the transparency and information requirements for online service providers, commercial communications, electronic contracts and limitations of liability of intermediary service providers.
This Directive applies to information society services, e.g., any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of a service. Examples of such services include online information services (such as online newspapers), online selling of products and services (books, e-books, financial services and travel services), online advertising, professional services (lawyers, doctors, estate agents), entertainment services and basic intermediary services (access to the Internet and transmission and hosting of information). These services include also services provided free of charge to the recipient and funded, for example, by advertising or sponsorship; this is the case of social networking sites, such as Facebook, as well as news sites, etc.
An important principle introduced in the Directive is the Internal Market clause (Article 3 (1)), which provides that information society services are subject to the law of the Member State in which the service provider is established. This is complemented by the non-discrimination principle (Article 3 (2)), according to which the Member State in which the information society service is received cannot restrict incoming services. In addition, the Directive enhances administrative cooperation between the Member States and the role of self-regulation.
The E-Commerce Directive is supplemented by the E-Signatures Directive (Directive 1999/93), which lays down the criteria that form the basis for legal recognition of electronic signatures by focusing on certification services.
These encompass the following:
 ·         common obligations for certification service providers in order to secure transborder recognition of signatures and certificates throughout the EU;
·         common rules on liability to help build confidence among users, who rely on the certificates, and among service providers;
·         cooperative mechanisms to facilitate transborder recognition of signatures and certificates with third countries.

This Directive was replaced with the Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) adopted on 23 July 2014. It shall apply from 1 July 2016, with the exception of certain provisions which will apply in different stages.
The eIDAS Regulation creates a European internal market for electronic identification and electronic trust services, which includes electronic signatures, electronic seals, time stamp, and electronic delivery service and website authentication.

Other EU legislation, which is relevant, is:

·         The E-Money Directive (2009/110/EC). The Directive focuses on modernizing EU rules on electronic money, especially bringing the regime for electronic money institutions, into line with the requirements for payment institutions in the Payment Services Directive.
·         Directive 2010/45/EU amending Directive 2006/112/EC on the common system of  value added tax as regards the rules on invoicing - This Directive sets out new VAT rules as regards e-invoicing and removes the obstacles to the uptake of e-invoicing by creating equal treatment between paper and e-invoices, while also ensuring that no additional requirements are imposed on paper invoices. According to the new Article 233 of the Directive, businesses will be free to send and receive e-invoices providing they maintain "business controls which create a reliable audit trail between an invoice and a supply of goods or services" in the same way as is currently  done for paper invoices.
·         The Information Society Directive (2001/29/EC on copyright in the information society) - This Directive aims at the harmonization of certain aspects of copyright and related rights in the information society, in order to adapt legislation on copyright and related rights to reflect technological developments in the era of Internet.
·         The E-Privacy Directive (2002/58 as amended by Directive 2009/136) regulating electronic communications - This Directive mainly concerns the processing of personal data relating to the delivery of communications services. It includes provisions on security of electronic services, confidentiality of communications, unsolicited communications (spamming), Cookies, etc.
·         The Consumer Rights Directive (Directive 2011/83) - This Directive aims at achieving a real business-to-consumer (B2C) internal market, striking the right balance between a high level of consumer protection and the competitiveness of enterprises. It includes, inter alia, provisions on distance contracts, which apply to e-commerce. The Directive lays down information requirements for distance contracts, including information about the functionality and interoperability of digital content. It regulates the right of withdrawal, including a standard withdrawal form that must be provided by traders and may be used by consumers to notify the withdrawal from the contract, etc.

It is also notable that in the Digital Single Market Strategy for Europe, presented by the European Commission in 6.5.20152, e-commerce is amongst the top priorities of the European Union. In the Communication it is mentioned that:

A Digital Single Market is one in which the free movement of goods, persons, services and capital is ensured and where individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence. Achieving a Digital Single Market will ensure that Europe maintains its position as a world leader in the digital economy, helping European companies to grow globally.”

The EU Commission issued its first report on the implementation of the Directive in 2003. In this report, several issues are addressed. These include the following:

1.      Internal Market
2.      Establishment and information requirements
3.      Commercial communications
4.      Regulated professions
5.      Electronic contracting
6.      Liability of internet intermediaries
7.      Notice and take down procedures
8.      Codes of conduct and out-of-court dispute settlement
9.      National e-commerce contact points
10.International issues

The Commission's report concludes that the Internal Market objectives of the Directive have been met and that it has provided a sound legal framework for information society services in the Internal Market. The Directive has also led to modernization of existing national legislation, for example in contract law, to ensure the full validity of online transactions. In the press release for this report it is mentioned that a revision of the Directive would be premature. Instead, it is stated that the Commission will focus on ensuring that the Directive is correctly applied and on collecting feedback and practical experience from business and consumers alike.
The EU has commissioned two studies regarding the application of the E-Commerce Directive, one on the economic impact of this Directive3 and another on the liability of Internet intermediaries in 20074.
The first study provides some estimates of the effect of the Electronic Commerce Directive. Three provisions are highlighted as being particularly important.
First, it is found that the harmonized provisions on limited liability have significantly improved the framework conditions for intermediary service providers. This in turn has reduced their risks and costs of conducting business. The limited liability provisions state that the primary suppliers and not the intermediary providers acting as mere conduits, caches, or hosts of information are liable for online content. Neither can a conduit of information be automatically held liable for linking to a website providing information of an illegal nature.
Second, the harmonized provision allowing for concluding contracts electronically has reduced firm costs. Prior to the Directive it was uncertain in most Member States whether or not a contract concluded by electronic means, an e-contract, carried the same legal status as an off-line contract. After transposition of the Directive, firms have certainty that an e-contract carries the same legal status as an off-line contract. E-contracts have not only reduced firm costs because they are more efficiently handled than offline contracts. For many information society service providers business processes are carried out online, which means that an offline contract is a particular imposition on their very business model reducing firm productivity beyond what may be the case for more traditional firms.
Third, it is stressed out that the country of origin principle has reduced legal heterogeneity across Member States in the areas covered by the Directive. This has reduced search costs for firms as the need for keeping up to date with foreign legislation has been reduced.
The second study attaches great importance to notice and take-down procedures. The e-commerce Directive provides in Art. 14 for an exemption of liability in case the service provider does not have actual knowledge of illegal activity or information; however, there is a diverging practice concerning the implementation of this requirement in national laws of EU member states as regards the assessment of actual knowledge. While some member states require a formal procedure and an official notification by authorities or a court decision, others rely on a ‘notice and take down’ procedures or a common notification.
The study sees the ‘notice and take down’ procedures as a potential solution in this regard. In particular, to balance the competing interests, two extremes should be excluded: mere reliance upon official notification by authorities on the one hand and assuming actual simple notification on the other. A focus on official notification may easily lead to a de facto exemption from liability of providers even if they are aware of illicit activities going on. Simple notification, on the other hand, would invite anyone to inform providers of content or activities, regardless of the reliability, of the quality and of the correctness of the notification. Thus, there is a high risk of abuse. It is, therefore, suggested that a potential solution could be the adoption of a modified notice and take-down-procedure combined with a counter-notice and put-back option.
Under such a system, it would be up to the right holder to notify the provider about the infringement. Having received the notification, the provider would be required to act expeditiously in provisionally withdrawing the content and informing the customer about the notification. In order, however, to avoid any liability these procedures should be supported by legal provisions to ensure that the provider does not incur any liability or responsibility as a result of sending a notification to its customers. The customer should make the choice whether he should send the provider a counter-notice. After receiving a counter-notice, the provider would be obliged to put the content again online. If the provider does not receive an answer from the right holder indicating that he will file an action against the client, the provider is obliged to put the content again online. If, on the other hand, the right holder files an action against the client, the provider is obliged to take down the content until the final decision of the court. To avoid any abuse of this procedure, it is suggested that rapid preliminary review proceedings are introduced.
Furthermore, the notification could follow certain rules, e.g., require the name the other details of the person tendering a notice and identifying specifically the incriminating content. Providers could be obliged to publish corresponding templates on their websites. An exception to such schemes should be applied where the public interest is concerned, i.e., where the illegality of some activities or content is easily assessed.


Establishment of Internet Service Providers (ISPs)

Article 4(1) of the E-Commerce Directive prohibits EU Member States from making the taking up and pursuit of the activity of an information society service provider subject to prior authorization (or any other requirement having equivalent effect). As a result, no authorization scheme has been introduced in the EU Member States with the exception of general authorization, e.g. for pharmacies, etc.
The Implementation Report of 2003 indicates that those EU Member States which had considered introducing such schemes in relation to all or some information society services refrained from doing so and in some cases abolished existing authorization requirements. This has ensured that establishing as an information society service provider in a Member State is easy and not subject to bureaucratic hurdles.
In the absence of controls by state authorities, transparency and information requirements are laid down in Article 5 of the E-Commerce. It is notable that these provisions are complemented by the provisions of the Consumer Rights Directive (2011/83/EU), which provides extensive information requirements in Article 6 and in other provisions.

Monitoring of ISPs

Furthermore, the supervision of providers of e-commerce services can be seen as a restriction of freedom of entrepreneurship that can be justified by general, non-economic considerations, such as public security, public policy, etc. In the EU, this is recognized in the Article 36 TFEU, which allows Member States to take measures having an effect equivalent to quantitative restrictions when these are justified by general, non-economic considerations (e.g. public morality, public policy or public security). However, such exceptions to the general principle must be interpreted strictly, and national measures cannot constitute a means of arbitrary discrimination or disguised restriction on trade between Member States. And also, the measures must have a direct effect on the public interest to be protected, and must not go beyond the necessary level, that is, they should respect the principle of proportionality.
One such measure could be the registration of companies which use the Internet to sell goods and/or services, with state authorities. In Greece, for example, the Law on consumer protection (law No 2251/1994) included previously a provision on the obligation of suppliers which conclude distance contracts to register in a special register of the Ministry of Development. This registration was a necessary prerequisite for the authorization of the required tax books and records by the competent public financial authority and was proved with a certification issued by the competent department of the Ministry of Development. The Minister of Development had the power to refuse registration, due to significant reasons, or proceed, apart from imposing penalties, to the temporary or permanent erasure of the supplier from the register, if the stipulations of this law have been violated by the supplier.
Nevertheless, this provision was amended with Law No 4242 of 2014, which abolished such obligation and introduced the sole obligation of suppliers of goods and services that conclude distance contracts to register with the General Electronic Commercial Registry (G.E.MI.).5 Due to the fact that all commercial entities (natural and legal persons, alike) are required to register with GEMI, any commercial entity selling goods or services at a distance are under such obligation, anyway. So, this is not specific for e-commerce agents.
Thus, if there is a general system of registration of commercial entities, there is no need to introduce a specific system for the registration of those who engage in sales over the Internet.
As regards the protection of the online consumers, far more important than an authorization regime for ISPs is to allow consumer to report complaints about online transactions, and seek relief. To make complaint handling more efficient, online platforms are being built. On international level, one could mention www.econsumer.gov, a portal to report complaints, which is an initiative of the International Consumer Protection and Enforcement Network (ICPEN). In the EU, the Regulation No 524/2013 on online dispute resolution (ODR) provides for a European ODR platform for the out-of-court resolution of disputes between consumers and traders online. The regulation applies only to contractual obligations stemming from online sales or service contracts between a consumer resident in the Union and a trader established in the Union. The Regulation shall apply from 9 January 2016; thus, the online platform is not yet operational.
Another system of registration exists with regard to personal data. Article 18 of the Data Protection Directive (Directive 95/46/EC) provides for the obligation to notify the data supervisory authority. This is deemed as a bureaucratic requirement, which will have to be abolished in the EU, once the Draft Regulation on Data Protection is enacted6. In more particular, Article 28 of the Draft Regulation introduces the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the supervisory authority required by Articles 18(1) and 19 of the Data Protection Directive. The reason for this amendment of the EU law is that the obligation of notification produces administrative and financial burdens, whereas it did not in all cases contribute to improving the protection of personal data. According to the preamble of the Draft regulation, such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes.7
The E-Commerce Directive provides in Article 19 for the cooperation between Member States and the appointment of national contact points. The aim of establishing these contact points is to ensure that consumers and business have access to general information on e-commerce issues relevant to the application of the Directive and details of authorities and other bodies providing further information and assistance. A list of these contact points and contact details are available on the e-commerce website of the Internal Market Directorate General.8 Administrative cooperation between Member States can also be facilitated through the use of the Internet Market Information System (IMI system)9, which is planned to extend its ambit to e-commerce; an extension is also planned as regards the Consumer Protection Cooperation network (CPC)10.11
The CPC network annually identifies common enforcement priorities and carries out specific activities, for example, Sweeps, i.e. systematic checks carried out simultaneously in different Member States to investigate breaches of consumer protection law in the particular on-line sector. The 2013 sweeps targeted websites offering travel services. In 2013-2014 the CPC network, launched a new coordinated enforcement activity resulting in a common enforcement approach on the issue of in-app purchases.12 It is notable that the Member States together with the CPC reached a common position as regards online games.13


   Dealing with Illegal content on the Internet 
The E-Commerce Directive establish the principle that Internet intermediary service providers should not be liable for the content that they transmit, store or host, as long as they act in a strictly passive manner. However, when illegal content is found, so e.g., terrorism/child pornography or content violating copyright, intermediaries should take action to remove it, once they are notified of its existence. This entails certain problems, since the disabling of access and the removal of illegal content can be slow and complicate, whereas it is also possible that content which is legal is taken down erroneously.
It should be noted that it is not easy to define the limits on what Internet intermediaries can do with the content they transmit, store or host in order not to lose the exemption from liability established in the E-Commerce Directive.
An enhancement of Internet providers’ liability for hosting information is signaled by the decisions of the European Court of Human Rights (ECHR) in the Delfi AS decision (no.64569/09). In this case, the Estonian courts had found that Delfi AS, a news portal in Estonia, should have prevented defamatory comments from being published in the portal’s comments section, even though it had taken down the offensive comments as soon as it had been notified about them. Delfi AS appealed before the ECHR, but the Court with two decisions held that the national courts’ findings were a justified and proportionate restriction on Delfi’s right to freedom of expression. This would mean that web editors could be forced to remove defamatory comments as soon as they appear, rather than wait for 'take-down' requests as they do now. In the author’s view, this ruling only affects the legal regime of online editors and cannot be applied to other categories of online providers.
To deal with the issue of battling against illegal content on the Internet, it seems necessary to introduce rules that will provide for procedures for removing illegal content while avoiding legal content to be deleted, in order to respect the right to freedom of expression and information, as well as the economic freedom and entrepreneurial activity. Such rules are characterized as ‘notice-and-take-down’ procedures, which were discussed above.

     Cooperation with state authorities 
ISPs and in particular, access and host providers may need to cooperate with state authorities and provide information regarding users of their services and/or block Internet content. Such measures, however, may infringe upon fundamental rights and in particular, the right to freedom of information, the right to economic freedom and the right to data protection as regards personal data of users of ISPs’ services.
The European Court of Justice (ECJ) dealt already with such issues. In particular, in the case C-275/06 (Promusicae) it considered the relationship between the protection of intellectual property rights and data protection. In that case, Promusicae, a non-profit-making organisation of producers and publishers of musical and audiovisual recordings, brought an action against Telefónica, which operates inter alia in the field of the provision of Internet access services. The purpose of the action was to obtain the disclosure of personal data relating to use of the internet by means of connections provided by Telefónica with a view to bringing civil judicial proceedings against users who, via the KaZaA file exchange programme, were allegedly improperly accessing phonograms in which members of Promusicae hold the exploitation rights. The Spanish court referred to the ECJ a question on the compatibility between the various EU provisions applicable and the Spanish law on, inter alia, information society services which provided that the personal data of internet users must be retained for twelve months and should be used, if necessary, solely in the context of criminal judicial proceedings.
The ECJ held that it is necessary to reconcile the requirements of the protection of different fundamental rights in the case, namely the right to respect for private life on the one hand and the right to the protection of personal data and an effective remedy on the other hand. The Court gave the referring court the task of weighing up the rights in this specific case and reconciling those conflicting rights, on the basis of the provisions contained in Directive 2002/58/EC, as well as in Directives 2000/31/EC, 2001/29/EC and 2004/48/EC, which concern information society services, the harmonisation of copyright and the enforcement of intellectual property rights respectively.
The ruling of the European Court in the case of Promusicae v. Telefonica stated that EU Member States are not under an obligation to impose an obligation on ISPs to disclose their subscribers’ personal data in civil copyright cases under their national law, but they are not precluded from so doing. If they choose to include such an obligation in national law, this law should be proportionate and find a fair balance between the right to respect for privacy and the right to property. The need to protect the privacy of users of electronic communication services is thereby expressly recognized. Thus, a Member State may introduce procedures that provide for effective enforcement of copyright, but these provisions must respect the data protection rights of individuals.
Similarly, in the case C-557/07 (LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH LSG), the Court of Justice held that EU law does not preclude Member States from imposing an obligation to disclose personal data relating to Internet traffic to private third parties, to enable them to bring civil proceedings for copyright infringements, and also that access providers are ‘intermediaries’ within the meaning of Articles 5(1)(a) and 8(3) of Directive 2001/29.
Furthermore, in the case C-314/12 (UPC Telekabel), the ECJ found that an ISP may be ordered to block its customers’ access to a copyright-infringing website, after an injunction is filed by a right-holder. However, such an injunction and its enforcement must ensure a fair balance between the fundamental rights concerned. In particular, the Court held that, copyrights and related rights primarily enter into conflict with the freedom to conduct a business, which economic agents enjoy, and with the freedom of information of internet users. Where several fundamental rights are at issue, Member States must ensure that they rely on an interpretation of EU law and their national law which allows a fair balance to be struck between those fundamental rights. With regard, more specifically, to the ISP’s freedom to conduct a business, the Court considered that an injunction does not seem to infringe the very substance of that right, given that, first, it leaves its addressee to determine the specific measures to be taken in order to achieve the result sought, with the result that he can choose to put in place measures which are best adapted to the resources and abilities available to him and which are compatible with the other obligations and challenges which he will encounter in the exercise of his activity, and that, secondly, it allows him to avoid liability by proving that he has taken all reasonable measures.
Consequently, the Court held that the fundamental rights concerned do not preclude such an injunction, on two conditions: (i) that the measures taken by the ISP do not unnecessarily deprive users of the possibility of lawfully accessing the information available and (ii) that those measures have the effect of preventing unauthorized access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging users from accessing the subject-matter that has been made available to them in breach of the intellectual property right. The Court stated that Internet users and also, indeed, the ISP must be able to assert their rights before the court. It is a matter for the national authorities and courts to check whether those conditions are satisfied.
The jurisprudence of the ECJ in the above cases should be taken into account also where the actions of state authorities conflict with fundamental rights.

VAT on e-commerce services 
In the EU of the 28 Member states, having to deal with many different national systems represents a real obstacle for companies trying to trade cross-border both on and offline. Since 1 January 2015, the "place of supply" rules have entered into force, i.e. Regulation No 1042/2013 amending Regulation No 282/2011 as regards the place of supply of services14. Accordingly, VAT on all telecommunications, broadcasting and electronic services, is levied where the customer is based, rather than where the supplier is located. In parallel, an electronic registration and payment system has been implemented in the EU to reduce the costs and administrative burdens for businesses concerned, which should be extended to tangible goods ordered online both within and outside the EU. Instead of having to declare and pay VAT to each individual Member State where their customers are based, businesses would be able to make a single declaration and payment in their own Member State.
Regarding the online ordering of goods from a third country, there is a small consignment import exemption allowing shipment free of VAT to EU private customers, which is beneficial to suppliers, as it gives them a competitive advantage over EU suppliers and market distortions have already been signalled in various Member States. According to the EU Communication on the Digital Single Market Strategy, such an exception would no longer be needed if VAT were to be collected through a single and simplified electronic registration and payment mechanism.

         FOOTNOTES:
2 OJ L 178, 17/7/2000, pp. 1-16, online available at: http://ec.europa.eu/priorities/digital-single-market/docs/dsm-communication_en.pdf
3 EU Commission, Study on the Economic Impact of the Electronic Commerce Directive, 7 September 2007, http://ec.europa.eu/internal_market/e-commerce/docs/study/ecd/%20final%20report_070907.pdf
4 Study on the Liability of Internet Intermediaries, November 12th, 2007,http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf
7 See Draft Regulation, nr. 70.
11 See Communication of 11.1.2012, pp. 5, 7.



Δεν υπάρχουν σχόλια:

Δημοσίευση σχολίου