The Electronic Commerce (EC Directive) Regulations 2002 (the “Regulations”) are the vehicle for the general UK imple­mentation of the Electronic Com­merce Directive (2000/31/EC of 8 June 2000).

The Directive and Regulations ad­dress three main areas:

  • liberalising the European Eco­nomic Area internal market in e­commerce services;
  • requiring providers of e-com­merce services to incorporate certain features in their online ordering process and to provide particular information to users; and
  • defining the liability of online in­termediaries such as Internet ser­vice providers.

Separate regulations apply the Di­rective to the financial services regu­latory regime. Although the Directive was due to be implemented before 17 January 2002 the UK, like several other EU Member States, imple­mented late. The Regulations came into force on 21 August 2002.

In addition to the Regulations, compliance with other legislation such as the Consumer Protection (Dis­tance Selling) Regulations 2000, the Data Protection Act 1998 and the Disability Discrimination Act 1995 has also to be considered for any e-com­merce service.


The Directive applies to the provision of “information society services” (“ISSs”), in summary: “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (in­cluding digital compression) and stor­age of data, and at the individual request of a recipient of the service”.

Some illustrations of ISSs include:

  • selling goods online;
  • online information services; online commercial communica­tions;
  • online search, data access and re­trieval tools;
  • transmission of information via a communication network; providing access to a communi­cation network;
  • hosting information provided by a recipient of the ISS; video-on-demand (but not broad­casting, since it is not provided at individual request);
  • provision of commercial commu­nications by electronic mail.

Voice telephony is not an ISS (al­though commercial text messages and voicemail can be). The position of fax is unclear.

The requirement for remunera­tion does not restrict ISSs to services giving rise to online contracting, but extends to services not remunerated by those receiving them in so far as they represent economic activity.

ISSs do not include delivery of goods as such, or provision of ser­vices off-line. So a website selling print books would be covered, but the de­livery of a book ordered from the website would not. If the book were downloaded in electronic form, that would be covered.

Recital 58 of the Directive states that it should not apply to services supplied by service providers estab­lished in a third country (ie outside the European Economic Area).

The following are excluded from the scope of the Regulations:

  • taxation;
  • anything within the Data Protec­tion Directive, the Telecommuni­cations Data Protection Directive and the Directive on privacy and electronic communications;
  • questions relating to agreements or practices governed by cartel law (as defined in the Regulations);
  • the activities of a public notary or equivalent professions;
  • the representation of a client and defence of his interests before the courts; and
  • betting, gaming or lotteries which involve wagering a stake with monetary value.

The Regulations do not apply to any Act or other legislation passed on or after the date of the Regulations. That creates the potential for direct conflicts between future legislation and the terms of the Directive, par­ticularly the internal market and lia­bility of intermediaries provisions.

Internal market

The internal market provisions of the Directive seek to encourage the free flow of ISSs within the EEA by reducing the extent to which ISS providers (“ISSPs”) are exposed to the laws of EEA countries other than that in which the service provider is established. How far the Directive achieves this has been hotly debated, resulting in differ­ences in implementation across Europe.

In addition to the general exclu­sions from the scope of the Regula­tions noted above, the internal market provisions do not apply to the following:

  • most intellectual property rights;
  • the freedom of the parties to a contract to choose the applicable law;
  • contractual obligations concern­ing consumer contracts; formalities relating to the trans­fer of land; and
  • the permissibility of unsolicited commercial communications by electronic mail.

For outgoing ISSs Reg 4 provides that any “requirement” which falls within the “co-ordinated field” shall apply to the provision of an ISS by an ISSP established in the United King­dom irrespective of whether that ISS is provided in the UK or another Member State. So any previous UK legislation that restricts such a re­quirements to ISSs provided within the UK is broadened. To the extent that any new crim­inal offence is thereby created, the penalties are re­stricted by Reg 4(6).

The Directive and Regulations are silent as to what constitutes a "requirement". Some light is shed by the definition of the co-ordinated field:

“requirements applicable to [ISSPs] or [ISSs], re­gardless of whether they are of a general nature or specifically designed for them, and covers require­ments with which the service provider has to com­ply in respect of-the taking up of the activity of an [ISS], such as requirements concerning qualifications, authorisation or notification, and the pursuit of the activity of an [ISS], such as requirements concern­ing the behaviour of the [ISSP], requirements re­garding the quality or content of the service including those applicable to advertising and contracts, or re­quirements concerning the liability of the [ISSP], but does not cover requirements such as those appli­cable to goods as such, to the delivery of goods or to services not provided by electronic means."

From this definition it seems that "requirements" are broader than mere licensing or regulatory re­quirements and can extend to, for instance, some aspects of liability.

For ISSs incoming from an ISSP established in another Member State the Regulations lay down the general principle that any requirement shall not be applied to the provision of that ISS for reasons which fall within the co-ordinated field where its ap­plication would restrict the freedom to provide ISSs to a person in the UK from that Member State-This does not apply to a requirement maintaining the level of protection for public health and consumer interests established by a Community act.

To be disapplied to an incoming ISS, a UK law must amount to a "requirement" and its application must restrict the freedom to provide the incoming ISS.

Whether a requirement constitutes a restric­tion should be considered in the light of ECJ case law. A domestic law may amount to a restriction not only if on its face it discriminates against imports from other Member States, but also if in fact it does so.

In limited circumstances an enforcement au­thority (or, in the absence of an enforcement au­thority, a court) may take measures amounting to a restriction against a given incoming ISS. The mea­sure must be necessary for reasons of public pol­icy, the protection of public health, public security or the protection of consumers, including investors. A measure must be proportionate to those objec­tives and is subject to a number of procedural pre­conditions.

Electronic contracting requirements Except where a contract has been concluded ex­clusively by an exchange of emails or (in a B2B con­text) where the parties have opted out, the Regulations impose certain rules where an order

clicking on an “Order Now” button). An ISSP must allow the party placing the order to identify and correct errors prior to placing the order and must acknowledge receipt of the order by electronic means and without delay. This does not affect ap­plicable rules as to when the contract is formed. The order and its acknowledgement are deemed received when the addressee is able to access them (except that the acknowledgement may take the form of the provision of the ordered services, if they are online services). Although error identifi­cation and correction must be permitted until the time the contractual offer is made, in all other cases “order” may (but need not) be a contractual offer as such.

If an ISSP fails to provide this error identifica­tion and correction facility, the other party may rescind the contract unless a court orders other­wise. This rescission right is not time-limited. The Regulations provide no guidance as to when a court might deny rescission.

Information provision requirements

The Regulations identify four circumstances in which particular information must be provided, pri­marily to the recipient of the service but also (in the case of the first type) to any relevant enforce­ment authority.

Information Society Services

Regardless of whether it is dealing with a business or a consumer, an ISSP must provide:

  • its name, the address where it is established (according to the Regulations) and appropriate contact details (including an email address) al­lowing rapid, direct and effective communica­tion with the ISSP-no guidance is given whether email alone is sufficient;
  • details of the ISSP’s entry on any trade regis­ter;
  • details of any supervisory or authorisation regime applicable to the ISSP;
  • details of the ISSP's registration with any relevant regulatory body;
  • the ISSP's VAT details; and
  • clearly and unambiguously displayed price information (with details of applicable VAT and postage costs).

This information must be provided in a way that is easily, directly and permanently accessible. In re­spect of this and commercial communications, the DTI has suggested that the means of provision of information and of the ISS do not have to be the same. So an ISSP providing SMS services could dis­play the information on its website. However, no guidance is given about the meaning of "perma­nent".

Commercial communications

These include all communications in any form which are designed to promote goods or services and which form part of an ISS. This may include websites themselves (even if merely passive). How­ever, they do not include communications con­sisting only of information allowing direct access to the sender's activity (eg its address), or prepared independently of and without payment by the per­son to whose activity it relates. A commercial com­munication must be clearly identified as such and must set out clearly and unambiguously on whose behalf it is sent, any promotional offer and its terms and any promotional competition or game and its terms.

Unsolicited commercial communications

If a person sends unsolicited commercial commu­nications by email, these must be clearly and un­ambiguously identified as such as soon as they are received. This is an interim position prior to the implementation of Directive 2002/58/EC which will subject to limited exceptions, prohibit the sending of such communications unless with the recipient's express prior consent.

Contracts concluded by electronic means

Where a contract is to be concluded by electronic means, the ISSP must make the applicable term: and conditions available in such a way that the other party can store or reproduce them. It is not cleat whether there is any distinction between this and the obligation to make the general information above “permanently accessible”. The Regulations do state that failure to provide the terms and conditions as required will entitle the other party to seek a court order for their provision. In addition to the terms and conditions, and except where the contract has been concluded exclusively by an exchange of emails or (in a B2B context) where the parties have opted out, the ISSP must make the following available to the other party clearly, comprehensively and unambiguously:

  • details of the technical steps to follow to con elude the contract;
  • whether the contract will be filed by the ISSI and, if so, whether it will be accessible;
  • the technical means for identification and correction of errors prior to placing of order: (which in this context means the contractual offer);
  • the languages offered for conclusion of the contract; and
  • any relevant codes of conduct and how the; may be obtained electronically.


Except in respect of the obligations covered by the two specific remedies described above, the Regulations provide that a failure to comply with these requirements to provide information will entitle the other party to seek damages against the ISSI for breach of statutory duty.

Implementing the E-Commerce Directive

In addition to this damages remedy, and where the failure to provide in­formation or comply with the electronic contracting requirements harms the collective interests of consumers, the DGFT or others may, from 23 Octo­ber 2002, seek a “Stop Now” order from a UK court to compel the ISSP in question to cease its infringing behaviour. The "others" who may seek an order are currently the DGFT's counterparts from other EEA countries act­ing on behalf of the consumers in those countries, but may in future include other consumer bodies both within and outside the UK.

Intermediary liability

The remainder of the Regulations concern the situations in which (unless otherwise agreed by contract) an intermediary may avoid criminal or civil liability (other than for an injunction) when acting as a "mere conduit" or when caching or hosting certain information. In determining whether an intermediary has "actual knowledge" in relation to the caching and hosting provisions, courts are required to take account of "all the relevant circumstances" including whether the intermediary has received notice by way of the contact details it is required to provide under the Regulations and the extent to which that no­tice gives sufficient details of its sender, the location of the information and the infringement in question.

Mere conduit

An intermediary who transmits information provided by a recipient of the ISS or who provides access to a communications network will not be liable as a result of that transmission if it did not initiate the transmission, select the re­ceiver of the transmission and did not select or modify the information in the transmission. For these purposes, transmission includes the automatic, inter­mediate or transient storage of information if this is done solely in order to carry out the transmission and for no longer than is reasonably necessary for the transmission.


An intermediary will not be liable for caching (automatic, intermediate and temporary storage) if its sole purpose is to provide more efficient access to the information in question for subsequent users and if it does not modify the information. To benefit from this exemption, an intermediary must:

  • comply with conditions on access to the information and industry standards on updating; and
  • act expeditiously to remove or disable access to the information on actual knowledge that the information has been removed from the network, that access to it has been disabled, or that a court or other authority has ordered such removal or disablement.


An intermediary will not be liable for hosting information at the request of a recipient of an ISS if the intermediary has no actual knowledge of unlawful ac­tivity or information or (in the case of a claim for damages) of facts from which such unlawfulness would have been apparent, and if (on obtaining such knowledge) it acts expeditiously to remove or disable access to the information. The Regulations make clear that this exemption is not available if the recipient of the ISS was acting under the authority or control of the ISSP. However they do not explain how, for instance, the exemption would apply where the person responsible for a website chatroom is not the same as the person who hosts the website (as in the common case of outsourced hosting).

Written by Graham Smith and Alex Hand. First published on 25 October 2002 in the New Law Journal (Information Technology Supplement)

Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.