Ioannis Iglezakis
Associate Professor, Aristotle University, Faculty of law
Important Aspects of the EU acquis on E-Commerce
The E-Commerce
Directive (Directive 2000/31/EC), adopted in 20001,
sets up a legal framework for electronic commerce in the European Union, which
aims at providing legal certainty for business and consumers. It establishes
harmonized rules on issues such as the transparency and information
requirements for online service providers, commercial communications, electronic
contracts and limitations of liability of intermediary service providers.
This Directive applies to information
society services, e.g., any
service normally provided for remuneration, at a distance, by electronic means
and at the individual request of a recipient of a service. Examples of such
services include online information services (such as online newspapers),
online selling of products and services (books, e-books, financial services and
travel services), online advertising, professional services (lawyers, doctors,
estate agents), entertainment services and basic intermediary services (access
to the Internet and transmission and hosting of information). These services
include also services provided free of charge to the recipient and funded, for
example, by advertising or sponsorship; this is the case of social networking
sites, such as Facebook, as well as news sites, etc.
An important principle introduced in the
Directive is the Internal Market
clause (Article 3 (1)), which
provides that information society services are subject to the law of the Member
State in which the service provider is established. This is complemented by the
non-discrimination principle (Article 3 (2)), according to which the Member
State in which the information society service is received cannot restrict
incoming services. In addition, the Directive enhances administrative
cooperation between the Member States and the role of self-regulation.
The E-Commerce Directive is supplemented by the
E-Signatures Directive (Directive
1999/93), which lays down the criteria that form the basis for legal
recognition of electronic signatures by focusing on certification services.
These encompass the following:
· common
obligations for certification service providers in order to secure transborder
recognition of signatures and certificates throughout the EU;
· common rules on
liability to help build confidence among users, who rely on the certificates,
and among service providers;
· cooperative
mechanisms to facilitate transborder recognition of signatures and certificates
with third countries.
This Directive was replaced with the Regulation 910/2014 on electronic
identification and trust services for electronic transactions in the internal
market (eIDAS Regulation) adopted
on 23 July 2014. It shall apply from 1 July 2016, with the exception of certain
provisions which will apply in different stages.
The eIDAS Regulation creates a European
internal market for electronic identification and electronic trust services,
which includes electronic signatures, electronic seals, time stamp, and
electronic delivery service and website authentication.
Other EU legislation, which is relevant, is:
· The E-Money Directive (2009/110/EC). The
Directive focuses on modernizing EU rules on electronic money, especially
bringing the regime for electronic money institutions, into line with the
requirements for payment institutions in the Payment Services Directive.
· Directive
2010/45/EU amending Directive 2006/112/EC on the common system of value added tax as regards the
rules on invoicing - This
Directive sets out new VAT rules as regards e-invoicing and removes the
obstacles to the uptake of e-invoicing by creating equal treatment between
paper and e-invoices, while also ensuring that no additional requirements are
imposed on paper invoices. According to the new Article 233 of the Directive,
businesses will be free to send and receive e-invoices providing they maintain
"business controls which create a reliable audit trail between an invoice
and a supply of goods or services" in the same way as is currently done for paper invoices.
· The Information
Society Directive (2001/29/EC on copyright in the information society) - This Directive aims at the
harmonization of certain aspects of copyright and related rights in the
information society, in order to adapt legislation on copyright and related
rights to reflect technological developments in the era of Internet.
· The E-Privacy
Directive (2002/58 as amended by Directive 2009/136) regulating electronic
communications - This Directive
mainly concerns the processing of personal data relating to the delivery of
communications services. It includes provisions on security of electronic
services, confidentiality of communications, unsolicited communications
(spamming), Cookies, etc.
· The Consumer Rights Directive (Directive
2011/83) - This Directive aims at
achieving a real business-to-consumer (B2C) internal market, striking the right
balance between a high level of consumer protection and
the competitiveness of enterprises. It includes, inter alia, provisions on
distance contracts, which apply to e-commerce. The Directive lays down information requirements for
distance contracts, including information about the functionality and
interoperability of digital content. It regulates the right of withdrawal,
including a standard withdrawal form that must be provided by traders and may
be used by consumers to notify the withdrawal from the contract, etc.
It is also notable that in the Digital Single Market Strategy for
Europe, presented by the European Commission in 6.5.20152,
e-commerce is amongst the top priorities of the European Union. In the
Communication it is mentioned that:
“A Digital Single
Market is one in which the free movement of goods, persons, services and
capital is ensured and where individuals and businesses can seamlessly access
and exercise online activities under conditions of fair competition, and a high
level of consumer and personal data protection, irrespective of their
nationality or place of residence. Achieving a Digital Single Market will
ensure that Europe maintains its position as a world leader in the digital
economy, helping European companies to grow globally.”
The EU Commission issued its first report on the
implementation of the Directive in 2003. In this report, several issues are
addressed. These include the following:
1. Internal Market
2. Establishment and
information requirements
3. Commercial
communications
4. Regulated
professions
5. Electronic
contracting
6. Liability of
internet intermediaries
7. Notice and take
down procedures
8. Codes of conduct
and out-of-court dispute settlement
9. National
e-commerce contact points
10.International issues
The Commission's report concludes that the Internal
Market objectives of the Directive have been met and that it has provided a
sound legal framework for information society services in the Internal Market.
The Directive has also led to modernization of existing national legislation,
for example in contract law, to ensure the full validity of online
transactions. In the press release for this report it is mentioned that a
revision of the Directive would be premature. Instead, it is stated that the
Commission will focus on ensuring that the Directive is correctly applied and
on collecting feedback and practical experience from business and consumers
alike.
The EU has commissioned two studies
regarding the application of the E-Commerce Directive, one on the economic
impact of this Directive3 and another on the liability of
Internet intermediaries in 20074.
The first study provides some estimates of the effect
of the Electronic Commerce Directive. Three provisions are highlighted as being
particularly important.
First, it is found
that the harmonized provisions on limited liability have significantly improved
the framework conditions for intermediary service providers. This in turn has
reduced their risks and costs of conducting business. The limited liability
provisions state that the primary suppliers and not the intermediary providers
acting as mere conduits, caches, or hosts of information are liable for online
content. Neither can a conduit of information be automatically held liable for
linking to a website providing information of an illegal nature.
Second, the harmonized
provision allowing for concluding contracts electronically has reduced firm
costs. Prior to the Directive it was uncertain in most Member States whether or
not a contract concluded by electronic means, an e-contract, carried the same
legal status as an off-line contract. After transposition of the Directive,
firms have certainty that an e-contract carries the same legal status as an
off-line contract. E-contracts have not only reduced firm costs because they
are more efficiently handled than offline contracts. For many information
society service providers business processes are carried out online, which
means that an offline contract is a particular imposition on their very
business model reducing firm productivity beyond what may be the case for more
traditional firms.
Third, it is stressed
out that the country of origin principle has reduced legal heterogeneity across
Member States in the areas covered by the Directive. This has reduced search
costs for firms as the need for keeping up to date with foreign legislation has
been reduced.
The second study attaches great importance to notice and take-down procedures.
The e-commerce Directive provides in Art. 14 for an exemption of liability in
case the service provider does not have actual knowledge of illegal activity or
information; however, there is a diverging practice concerning the
implementation of this requirement in national laws of EU member states as
regards the assessment of actual knowledge. While some member states require a
formal procedure and an official notification by authorities or a court
decision, others rely on a ‘notice and take down’ procedures or a common
notification.
The study sees the ‘notice and take
down’ procedures as a potential solution in this regard. In particular, to
balance the competing interests, two extremes should be excluded: mere reliance
upon official notification by authorities on the one hand and assuming actual
simple notification on the other. A focus on official notification may easily
lead to a de facto exemption from liability of providers
even if they are aware of illicit activities going on. Simple notification, on
the other hand, would invite anyone to inform providers of content or
activities, regardless of the reliability, of the quality and of the
correctness of the notification. Thus, there is a high risk of abuse. It is,
therefore, suggested that a potential solution could be the adoption of a
modified notice and take-down-procedure combined with a counter-notice and
put-back option.
Under such a system, it would be up to the
right holder to notify the provider about the infringement. Having received the
notification, the provider would be required to act expeditiously in
provisionally withdrawing the content and informing the customer about the
notification. In order, however, to avoid any liability these procedures should
be supported by legal provisions to ensure that the provider does not incur any
liability or responsibility as a result of sending a notification to its
customers. The customer should make the choice whether he should send the
provider a counter-notice. After receiving a counter-notice, the provider would
be obliged to put the content again online. If the provider does not receive an
answer from the right holder indicating that he will file an action against the
client, the provider is obliged to put the content again online. If, on the
other hand, the right holder files an action against the client, the provider
is obliged to take down the content until the final decision of the court. To
avoid any abuse of this procedure, it is suggested that rapid preliminary
review proceedings are introduced.
Furthermore, the notification could follow
certain rules, e.g., require the name the other details of the person tendering
a notice and identifying specifically the incriminating content. Providers
could be obliged to publish corresponding templates on their websites. An
exception to such schemes should be applied where the public interest is
concerned, i.e., where the illegality of some activities or content is easily
assessed.
Establishment of Internet Service
Providers (ISPs)
Article 4(1) of the E-Commerce Directive prohibits EU
Member States from making the taking up and pursuit of the activity of an
information society service provider subject to prior authorization (or any
other requirement having equivalent effect). As a result, no authorization
scheme has been introduced in the EU Member States with the exception of
general authorization, e.g. for pharmacies, etc.
The Implementation Report of 2003
indicates that those EU Member States which had considered introducing such
schemes in relation to all or some information society services refrained from
doing so and in some cases abolished existing authorization requirements. This
has ensured that establishing as an information society service provider in a
Member State is easy and not subject to bureaucratic
hurdles.
In the absence of controls by state
authorities, transparency and information requirements are laid down in Article
5 of the E-Commerce. It is notable that these provisions are complemented by
the provisions of the Consumer Rights Directive (2011/83/EU), which provides
extensive information requirements in Article 6 and in other provisions.
Monitoring of ISPs
Furthermore, the supervision of providers of
e-commerce services can be seen as a restriction of freedom of entrepreneurship
that can be justified by general, non-economic considerations, such as public
security, public policy, etc. In the EU, this is recognized in the Article 36
TFEU, which allows Member States to take measures having an effect equivalent
to quantitative restrictions when these are justified by general, non-economic
considerations (e.g. public morality, public policy or public security).
However, such exceptions to the general principle must be interpreted strictly,
and national measures cannot constitute a means of arbitrary discrimination or
disguised restriction on trade between Member States. And also, the measures
must have a direct effect on the public interest to be protected, and must not
go beyond the necessary level, that is, they should respect the principle of
proportionality.
One such measure could be the registration
of companies which use the Internet to sell goods and/or services, with state
authorities. In Greece, for example, the Law on consumer protection (law No
2251/1994) included previously a provision on the obligation of suppliers which
conclude distance contracts to register in a special register of the Ministry of Development. This
registration was a necessary prerequisite for the authorization of the required
tax books and records by the competent public financial authority and was
proved with a certification issued by the competent department of the Ministry
of Development. The Minister of Development had the power to refuse
registration, due to significant reasons, or proceed, apart from imposing
penalties, to the temporary or permanent erasure of the supplier from the
register, if the stipulations of this law have been violated by the supplier.
Nevertheless, this provision was amended
with Law No 4242 of 2014, which abolished such obligation and introduced the
sole obligation of suppliers of goods and services that conclude distance
contracts to register with the General Electronic Commercial Registry
(G.E.MI.).5 Due to the fact
that all commercial entities (natural and legal persons, alike) are required to
register with GEMI, any commercial entity selling goods or services at a
distance are under such obligation, anyway. So, this is not specific for
e-commerce agents.
Thus, if there is a general system of
registration of commercial entities, there is no need to introduce a specific
system for the registration of those who engage in sales over the Internet.
As regards the protection of the online
consumers, far more important than an authorization regime for ISPs is to allow
consumer to report complaints about online transactions, and seek relief. To
make complaint handling more efficient, online platforms are being built. On
international level, one could mention www.econsumer.gov, a
portal to report complaints, which is an initiative of the International
Consumer Protection and Enforcement Network (ICPEN). In the EU, the Regulation
No 524/2013 on online dispute resolution (ODR) provides for a European ODR
platform for the out-of-court resolution of disputes between consumers and
traders online. The regulation applies only to contractual obligations stemming
from online sales or service contracts between a consumer resident in the Union
and a trader established in the Union. The Regulation shall apply from 9
January 2016; thus, the online platform is not yet operational.
Another system of registration exists with
regard to personal data. Article 18 of the Data Protection Directive (Directive
95/46/EC) provides for the obligation to notify the data supervisory authority.
This is deemed as a bureaucratic requirement, which will have to be abolished
in the EU, once the Draft Regulation on Data Protection is enacted6.
In more particular, Article 28 of the Draft Regulation introduces the
obligation for controllers and processors to maintain documentation of the
processing operations under their responsibility, instead of a general
notification to the supervisory authority required by Articles 18(1) and 19 of
the Data Protection Directive. The reason for this amendment of the EU law is
that the obligation of notification produces administrative and financial
burdens, whereas it did not in all cases contribute to improving the protection
of personal data. According to the preamble of the Draft regulation, such
indiscriminate general notification obligation should be abolished, and
replaced by effective procedures and mechanism which focus instead on those
processing operations which are likely to present specific risks to the rights
and freedoms of data subjects by virtue of their nature, their scope or their
purposes.7
The E-Commerce Directive provides in
Article 19 for the cooperation between Member States and the appointment of
national contact points. The aim of establishing these contact points is to
ensure that consumers and business have access to general information on e-commerce
issues relevant to the application of the Directive and details of authorities
and other bodies providing further information and assistance. A list of these
contact points and contact details are available on the e-commerce website of
the Internal Market Directorate General.8 Administrative cooperation between
Member States can also be facilitated through the use of the Internet Market
Information System (IMI system)9,
which is planned to extend its ambit to e-commerce; an extension is also
planned as regards the Consumer Protection Cooperation network (CPC)10.11
The CPC network annually identifies common
enforcement priorities and carries out specific activities, for example, Sweeps,
i.e. systematic checks carried out simultaneously in different Member
States to investigate breaches of consumer protection law in
the particular on-line sector. The 2013 sweeps targeted websites offering
travel services. In 2013-2014 the
CPC network, launched a new coordinated enforcement activity resulting in a
common enforcement approach on the issue of in-app purchases.12 It is notable that the Member States
together with the CPC reached a common position as regards online games.13
Dealing with Illegal content on the
Internet
The E-Commerce Directive establish the principle that
Internet intermediary service providers should not be liable for the content
that they transmit, store or host, as long as they act in a strictly passive manner.
However, when illegal content is found, so e.g., terrorism/child pornography or
content violating copyright, intermediaries should take action to remove it,
once they are notified of its existence. This entails certain problems, since
the disabling of access and the removal of illegal content can be slow and
complicate, whereas it is also possible that content which is legal is taken
down erroneously.
It should be noted that it is not easy to
define the limits on what Internet intermediaries can do with the content they
transmit, store or host in order not to lose the exemption from liability
established in the E-Commerce Directive.
An enhancement of Internet providers’
liability for hosting information is signaled by the decisions of the European Court of Human Rights (ECHR)
in the Delfi AS decision (no.64569/09). In this case,
the Estonian courts had found that Delfi AS, a news portal in Estonia, should
have prevented defamatory comments from being published in the portal’s
comments section, even though it had taken down the offensive comments as soon
as it had been notified about them. Delfi AS appealed before the ECHR, but the
Court with two decisions held that the national courts’ findings were a
justified and proportionate restriction on Delfi’s right to freedom of
expression. This would mean that web editors could be forced to remove
defamatory comments as soon as they appear, rather than wait for 'take-down'
requests as they do now. In the author’s view, this ruling only affects the
legal regime of online editors and cannot be applied to other categories of
online providers.
To deal with the issue of battling against
illegal content on the Internet, it seems necessary to introduce rules that
will provide for procedures for removing illegal content while avoiding legal
content to be deleted, in order to respect the right to freedom of expression
and information, as well as the economic freedom and entrepreneurial activity.
Such rules are characterized as ‘notice-and-take-down’ procedures, which were
discussed above.
Cooperation with state authorities
ISPs and in particular, access and host providers may
need to cooperate with state authorities and provide information regarding
users of their services and/or block Internet content. Such measures, however,
may infringe upon fundamental rights and in particular, the right to freedom of
information, the right to economic freedom and the right to data protection as
regards personal data of users of ISPs’ services.
The European Court of Justice (ECJ) dealt already with such issues. In
particular, in the case C-275/06
(Promusicae) it considered the
relationship between the protection of intellectual property rights and data
protection. In that case, Promusicae, a non-profit-making organisation of
producers and publishers of musical and audiovisual recordings, brought an
action against Telefónica, which operates inter alia in the field of the
provision of Internet access services. The purpose of the action was to obtain
the disclosure of personal data relating to use of the internet by means of
connections provided by Telefónica with a view to bringing civil judicial
proceedings against users who, via the KaZaA file exchange programme, were
allegedly improperly accessing phonograms in which members of Promusicae hold
the exploitation rights. The Spanish court referred to the ECJ a question on
the compatibility between the various EU provisions applicable and the Spanish
law on, inter alia, information society services which provided that the
personal data of internet users must be retained for twelve months and should
be used, if necessary, solely in the context of criminal judicial proceedings.
The ECJ held that it is necessary to
reconcile the requirements of the protection of different fundamental rights in
the case, namely the right to respect for private life on the one hand and the
right to the protection of personal data and an effective remedy on the other
hand. The Court gave the referring court the task of weighing up the rights in
this specific case and reconciling those conflicting rights, on the basis of
the provisions contained in Directive 2002/58/EC, as well as in Directives
2000/31/EC, 2001/29/EC and 2004/48/EC, which concern information society
services, the harmonisation of copyright and the enforcement of intellectual
property rights respectively.
The ruling of the European Court in the
case of Promusicae v. Telefonica stated that EU Member States are not under an
obligation to impose an obligation on ISPs to disclose their subscribers’
personal data in civil copyright cases under their national law, but they are
not precluded from so doing. If they choose to include such an obligation in
national law, this law should be proportionate and find a fair balance between
the right to respect for privacy and the right to property. The need to protect
the privacy of users of electronic communication services is thereby expressly
recognized. Thus, a Member State may introduce procedures that provide for
effective enforcement of copyright, but these provisions must respect the data
protection rights of individuals.
Similarly, in the case C-557/07 (LSG-Gesellschaft zur Wahrnehmung von
Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH LSG), the
Court of Justice held that EU law does not preclude Member States from imposing
an obligation to disclose personal data relating to Internet traffic to private
third parties, to enable them to bring civil proceedings for copyright
infringements, and also that access providers are ‘intermediaries’ within the
meaning of Articles 5(1)(a) and 8(3) of Directive 2001/29.
Furthermore, in the case C-314/12 (UPC Telekabel), the ECJ
found that an ISP may be ordered to block its customers’ access to a
copyright-infringing website, after an injunction is filed by a right-holder.
However, such an injunction and its enforcement must ensure a fair balance
between the fundamental rights concerned. In particular, the Court held that,
copyrights and related rights primarily enter into conflict with the freedom to
conduct a business, which economic agents enjoy, and with the freedom of
information of internet users. Where several fundamental rights are at issue,
Member States must ensure that they rely on an interpretation of EU law and
their national law which allows a fair balance to be struck between those
fundamental rights. With regard, more specifically, to the ISP’s freedom to
conduct a business, the Court considered that an injunction does not seem to
infringe the very substance of that right, given that, first, it leaves its
addressee to determine the specific measures to be taken in order to achieve the
result sought, with the result that he can choose to put in place measures
which are best adapted to the resources and abilities available to him and
which are compatible with the other obligations and challenges which he will
encounter in the exercise of his activity, and that, secondly, it allows him to
avoid liability by proving that he has taken all reasonable measures.
Consequently, the Court held that the
fundamental rights concerned do not preclude such an injunction, on two
conditions: (i) that the measures taken by the ISP do not unnecessarily deprive
users of the possibility of lawfully accessing the information available and
(ii) that those measures have the effect of preventing unauthorized access to
the protected subject-matter or, at least, of making it difficult to achieve
and of seriously discouraging users from accessing the subject-matter that has
been made available to them in breach of the intellectual property right. The
Court stated that Internet users and also, indeed, the ISP must be able to
assert their rights before the court. It is a matter for the national
authorities and courts to check whether those conditions are satisfied.
The jurisprudence of the ECJ in the above
cases should be taken into account also where the actions of state authorities
conflict with fundamental rights.
VAT on e-commerce services
In the EU of the 28 Member states, having to deal with
many different national systems represents a real obstacle for companies trying
to trade cross-border both on and offline. Since 1 January 2015, the
"place of supply" rules have entered into force, i.e. Regulation No
1042/2013 amending Regulation No 282/2011 as regards the place of supply of
services14.
Accordingly, VAT on all telecommunications, broadcasting and electronic
services, is levied where the customer is based, rather than where the supplier
is located. In parallel, an electronic registration and payment system has been
implemented in the EU to reduce the costs and administrative burdens for
businesses concerned, which should be extended to tangible goods ordered online
both within and outside the EU. Instead of having to declare and pay VAT to
each individual Member State where their customers are based, businesses would
be able to make a single declaration and payment in their own Member State.
Regarding the online ordering of goods
from a third country, there is a small consignment import exemption allowing
shipment free of VAT to EU private customers, which is beneficial to suppliers,
as it gives them a competitive advantage over EU suppliers and market
distortions have already been signalled in various Member States. According to
the EU Communication on the Digital Single Market Strategy, such an exception
would no longer be needed if VAT were to be collected through a single and
simplified electronic registration and payment mechanism.
FOOTNOTES:
7 See Draft
Regulation, nr. 70.
11 See Communication
of 11.1.2012, pp. 5, 7.
Δεν υπάρχουν σχόλια:
Δημοσίευση σχολίου