The end of the EU eCommerce Directive in the UK: Impact on cloud service providers

Written By

roger bickerstaff module
Roger Bickerstaff

Partner
UK

With over 25 years' experience as a leading technology lawyer and now based in both our London and San Francisco offices, I have extensive experience advising on tech infrastructure and outsourcing projects.

This article explores two important but overlooked aspects of the impact on cloud service providers of the UK's departure from the EU resulting from the eCommerce Directive ceasing to apply in the UK from the end of the EU transition period. The UK government has made clear that at the end of the Brexit transition period, the eCommerce Directive will no longer apply to the UK. 

Article 3 of the eCommerce Directive provides protection for cloud service providers (as online service providers) by allowing them to operate in any EEA country while only following relevant rules in the country in which they are established. Article 4 of the eCommerce Directive has the effect that cloud service providers that provide services in a regulated field, such as financial services, only need to obtain prior authorisation to do business in the country where they are established. As the eCommerce Directive will not apply in the UK after the end of the EU transition period these protections will no longer be available.

The loss of these protections will mean that cloud service providers based in the UK and providing services to customers across the EEA will need to consider and take steps to comply with the national rules applicable to their cloud services in each EEA country where their services are available.  Similarly, EEA cloud services providers doing business in the UK will need to consider and take steps to comply with the UK law applicable to their cloud services.

Scope of the eCommerce Directive

Article 3 of the eCommerce Directive allows EEA online service providers to operate in any EEA country, while only following relevant rules in the country in which they are established. This rule will no longer apply to UK providers after the end of the EU transition period.

The eCommerce Directive applies to ‘information society services’. These are defined in the Directive as any service that is normally provided:

  • for payment, including indirect payment such as advertising revenue;
  • ‘at a distance’ (where customers can use the service without the provider being present);
  • by electronic means; and
  • at the individual request of a recipient of the service.

As well as the vast majority of online service providers, for example online retailers and internet service providers, this definition covers most cloud service provision arrangements, including SaaS, IaaS and PaaS solutions.

The Directive refers to the ‘place of establishment’ of the service provider. This is the fixed establishment where the entity carries out its economic activities over an indefinite period. The Directive clarifies that for a company providing services via the Internet the place of establishment is not the place at which the technology supporting its website is located (i.e. the data centre location) or the place at which its website is accessible but the place where it pursues its "economic activities".  Where a services provider has several places of establishment the relevant place of establishment for the service concerned is the place where the provider has the centre of its activities relating to this particular service.

The Article 3 protection provided by the eCommerce Directive applies to rules that fall within its ‘coordinated field’. This covers rules relating to online information, online advertising, online shopping and online contracting. The Article 3 principle does not apply to:

  • public policy issues, such in particular the prevention, investigation, detection and prosecution of crime, including hate crimes, and violations of human dignity,
  • the protection of public health,
  • public security, including the safeguarding of national security and defence, and
  • the protection of consumers, including investors

Information services do not obtain the benefit of the Article 3 protection in respect of these excluded areas.  They need to ensure that their services are compliant with local law requirements for these issues.


Impact on UK Service Providers Providing Services in EEA Countries

After the end of the EU transition period, service providers with a place of establishment within the UK will lose the Article 3 protection and will need to comply with the relevant legal requirements within the "coordinated fields" of the Directive in each EEA country that they operate in. Also, UK online service providers may also become subject to ‘prior authorisation’ schemes, such as licensing requirements, in EEA countries where they operate.  This is currently prohibited under Article 4 of the Directive but UK providers will lose this protection from the end of the EU transition period.

For UK-based cloud services providers the impact of the loss of Article 3 protection may be relatively limited as the differences in legal requirements across the EEA in the "coordinated fields" of the Directive which relate to cloud service provision are, in general terms, not significant, but there are some subtle differences on a country-by-country basis.  Diligent UK-based service providers will review the legal environment in each of the coordinated fields of the Directive in each EEA country in which they operate in order to be sure that they are legally compliant.  Of course, it is open to UK-based cloud service providers to retain the benefit of the Article 3 protection by moving their place of establishment to an EEA country.   

For cloud service providers the "coordinated fields" of the Directive that are applicable are the rules relating online information, online advertising and online contracting.  Online shopping is unlikely to be relevant for cloud service providers as most business focussed cloud services do not facilitate online shopping arrangements.

In order to exemplify the extent of the variations in these areas of law across the EEA the next section reviews the relevant legal framework in each area in Germany, France and Denmark.  These examples indicate that whilst the legal framework in the coordinated fields of the eCommerce Directive across EAA countries is reasonably harmonised there are differences which cloud service providers based in the UK will need to take into account for their pan-European business from the end of the EU transition period, which is due to end on 31 December 2020. 

Legal Framework in the Relevant Coordinated Fields in Denmark, France and Germany

(a)       Online Information Requirements

There should be a good degree of commonality across EEA countries in online information requirements as the eCommerce Directive (Article 5) establishes the basis for the information which is required to be provided by information society service providers.  However, there are some differences in the way that the Directive has been implemented on a country-by-country basis.

As an example, Article 5(c) relating to the details of the service provider that must be disclosed has been implemented somewhat differently on a country-by-country basis. In France there is a requirement for the publication of the name of the publishing director of the website (which must be a natural person, not a company) and for the telephone number to be provided of the website host. In Germany, the requirement is implemented on the basis that the legal form is identified (in the case of a legal person) and its authorised representative and, to the extent that details are provided of the equity of the company, the share and nominal capital must also be provided.  In Denmark, information requirements are more basic – there is no requirement for either natural person identities or for share capital must to be provided.

(b)       Online Contracts

The formation of online contracts has not been harmonised at an EU level to the same extent as the online information requirements.  The EU has not attempted to harmonise the contract formation rules of the EU member states but the eCommerce Directive includes some baseline requirements relating to on-line contracting, such as the requirement for member states to allow contracts to be concluded by electronic means (Article 9(1)), the information to be provided when contracts are concluded (Article 10) and some specific requirements relating to placing orders through technological means (Article 11).

As a result, there is less specificity around variations in online contract formation requirements on a country by country basis.  In England, the common law requirements of offer, acceptance, consideration and incorporation of terms apply equally to online contracts. The terms of the contract must be sufficiently brought to the attention of the customer prior to the contract being completed, although the English courts have not given definitive guidance as to how online terms and conditions must be incorporated.  "Click-wrap", "browse-wrap" and "shrink-wrap" contracts are all generally regarded as binding on the recipient.

In Germany the formation of contracts electronically is subject to general contract formation rules including those in the German Civil Code, such as those relating to the conclusion of contracts, the capacity of the parties and the validity of the parties’ consent. Offer and acceptance as well as incorporation of terms are of particular importance when contracting online.  If contracts are in English language, rather than German, there can be an impact on the incorporation of the contract terms. Although there are no explicit language requirements for websites targeting Germany under the German Civil Code, general terms and conditions must be transparent to become effective. German courts have generally deemed English language terms and conditions targeting consumers as void because they have not been translated into the German language. This is not likely to be the case for business transactions.

In France, electronic contracts are subject to general contract formation rules including those in the Civil Code. The Civil Code includes provisions concerning the capacity of the parties, the validity of the parties’ consent, and the content of the contract (including the consideration). The Civil Code includes additional requirements for electronic contracts, based on the requirements of the eCommerce Directive, although in a business-to-business context, the parties can agree to deviate from these requirements.  Under the French Language Act any information directed to French consumers must be translated into French. 

In a business-to-consumer situation, consumers must receive the mandatory information on a durable medium. Therefore, making contract terms available to consumers only via a hyperlink on a website is not adequate. However, in a business-to-business environment, click-wrapped contracts are regarded as constituting a communication by electronic means which provides a durable record of the agreement.

In addition, a Regulation on online platforms’ transparency obligations was introduced in 2018 relating to certain online platforms and marketplaces and websites referencing customers’ reviews.   Under this Regulation, online platforms must include details of their relationship with sellers or companies referenced on their platform or marketplace and also the criteria for ranking their offers for the sake of fairness towards consumers.

The Danish Contracts Act provides a general legal framework for entering into contracts in Denmark.  The rules are technology neutral and apply to both businesses and consumers. The Act provides that unreasonable or dishonest contracts or clauses can be declared null and void. In practice, the general clause is primarily used to declare a contract or a specific provision null and void in exceptional cases, where retention of the contract or provision is unreasonable. The Act also provides mandatory protections in favour of consumers, including in relation to entering into and the validity of consumer contracts.

(c)       Online Advertising

At an EU level, the Unfair Commercial Practices Directive (2005/29/EC) regulates unfair business practices across the EEA as a component of EU consumer law. The Directive focuses primarily on the standards of behaviour required of businesses, with greater flexibility afforded to member states on the choice of enforcement procedures and penalties for non-compliance.

In Germany the Unfair Trade Practices Act does not specifically relate to online advertising and applies generally to businesses that advertise goods and services. As well as codifying aspects of the Unfair Commercial Practices Directive, the Act codifies and clarifies aspects of the previous German case law in this area. Under this law, an unfair trade practice is generally a practice contrary to the requirements of professional diligence that materially distorts the economic behaviour of the average consumer. The Act specifies prohibited behaviour for businesses and covers misleading, aggressive and pestering commercial practices.

In France the main legal provisions relating to advertising in France are the provisions of the Consumers Code on Misleading and Aggressive Commercial Practices.  The Code implements the Unfair Commercial Practices Directive into French law with very few variations from the underlying Directive.

The Marketing Practices Act in Denmark relates to marketing activities. The Act applies to online advertising online or via social media, as well as offline advertising. Under section 3 of the Marketing Practices Act businesses must exercise good marketing practice towards consumers, other businesses and public interests. Accordingly, an action which is not necessarily contrary to any of the more specific provisions of the Act, for example provisions on misleading and improper marketing, comparative advertising and marketing directed at children and young people, may be contrary to the provisions of good marketing practice.

Impact on EEA Service Providers Providing Services in the UK

The government intends to fully remove the eCommerce Directive’s country of origin principle from UK legislation, to bring EEA online service providers in scope of UK laws, which they were previously exempt from. The principle is expressed currently in a number of pieces of UK legislation. For example, in the financial services sector, the relevant provisions are:

  • Article 72A of the Financial Services and Markets Act (Regulated Activity) Order 2001;
  • Article 20B of the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005; and
  • and some elements of the Electronic Commerce Directive (Financial Services and Markets) Regulations 2002.

Following the end of the Brexit transition period, EEA-based cloud service providers will no longer be able to take advantage of the Article 3 protection of the eCommerce Directive in order to provide services in the UK.  Instead, they will need to comply with the UK legal requirements in the field in which they operate in respect of the "coordinated fields" of the eCommerce Directive.

EEA-based cloud service providers should take steps to understand whether they are affected by this change. If they are, they should address any impacts to their business models and their approach to marketing before the end of the Brexit transition period.

In addition, cloud service providers in regulated fields, such as financial services, should check to see if they require authorisation from a regulator.  As well as the Article 3 protection, Article 4 of the eCommerce Directive gives protection from authorisation requirements such as licensing requirements, in EEA countries where they operate (other than their place of establishment).  This protection will end in the UK from the end of the EU transition period.

Actions for Cloud Service Providers

Cloud service providers based in the UK and providing services to customers across the EEA need to consider and take steps to comply from the end of the Brexit transition period with the national rules applicable to their cloud services in each EEA country where their services are available.  EEA cloud services providers doing business in the UK will need to consider and take steps to comply from the end of the Brexit transition period with the UK law applicable to their cloud services.

The variations identified in the Danish, French and German examples as set out above are indicative of the variations that may exist across the EEA.  Diligent cloud service providers based in the UK should check the legal framework for each country that they provide services to across the EEA to make sure that they remain fully legally compliant.  Changes to business practices and information provided on-line may be needed in order to remain fully legally compliant.