The Electronic Commerce (EC Directive) Regulations 2002 (the “Regulations”) are the vehicle for the general UK implementation of the Electronic Commerce Directive (2000/31/EC of 8 June 2000).
The Directive and Regulations address three main areas:
- liberalising the European Economic Area internal market in ecommerce services;
- requiring providers of e-commerce services to incorporate certain features in their online ordering process and to provide particular information to users; and
- defining the liability of online intermediaries such as Internet service providers.
Separate regulations apply the Directive to the financial services regulatory regime. Although the Directive was due to be implemented before 17 January 2002 the UK, like several other EU Member States, implemented late. The Regulations came into force on 21 August 2002.
In addition to the Regulations, compliance with other legislation such as the Consumer Protection (Distance Selling) Regulations 2000, the Data Protection Act 1998 and the Disability Discrimination Act 1995 has also to be considered for any e-commerce service.
The Directive applies to the provision of “information society services” (“ISSs”), in summary: “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of the service”.
Some illustrations of ISSs include:
- selling goods online;
- online information services; online commercial communications;
- online search, data access and retrieval tools;
- transmission of information via a communication network; providing access to a communication network;
- hosting information provided by a recipient of the ISS; video-on-demand (but not broadcasting, since it is not provided at individual request);
- provision of commercial communications by electronic mail.
Voice telephony is not an ISS (although commercial text messages and voicemail can be). The position of fax is unclear.
The requirement for remuneration does not restrict ISSs to services giving rise to online contracting, but extends to services not remunerated by those receiving them in so far as they represent economic activity.
ISSs do not include delivery of goods as such, or provision of services off-line. So a website selling print books would be covered, but the delivery of a book ordered from the website would not. If the book were downloaded in electronic form, that would be covered.
Recital 58 of the Directive states that it should not apply to services supplied by service providers established in a third country (ie outside the European Economic Area).
The following are excluded from the scope of the Regulations:
- anything within the Data Protection Directive, the Telecommunications Data Protection Directive and the Directive on privacy and electronic communications;
- questions relating to agreements or practices governed by cartel law (as defined in the Regulations);
- the activities of a public notary or equivalent professions;
- the representation of a client and defence of his interests before the courts; and
- betting, gaming or lotteries which involve wagering a stake with monetary value.
The Regulations do not apply to any Act or other legislation passed on or after the date of the Regulations. That creates the potential for direct conflicts between future legislation and the terms of the Directive, particularly the internal market and liability of intermediaries provisions.
The internal market provisions of the Directive seek to encourage the free flow of ISSs within the EEA by reducing the extent to which ISS providers (“ISSPs”) are exposed to the laws of EEA countries other than that in which the service provider is established. How far the Directive achieves this has been hotly debated, resulting in differences in implementation across Europe.
In addition to the general exclusions from the scope of the Regulations noted above, the internal market provisions do not apply to the following:
- most intellectual property rights;
- the freedom of the parties to a contract to choose the applicable law;
- contractual obligations concerning consumer contracts; formalities relating to the transfer of land; and
- the permissibility of unsolicited commercial communications by electronic mail.
For outgoing ISSs Reg 4 provides that any “requirement” which falls within the “co-ordinated field” shall apply to the provision of an ISS by an ISSP established in the United Kingdom irrespective of whether that ISS is provided in the UK or another Member State. So any previous UK legislation that restricts such a requirements to ISSs provided within the UK is broadened. To the extent that any new criminal offence is thereby created, the penalties are restricted by Reg 4(6).
The Directive and Regulations are silent as to what constitutes a "requirement". Some light is shed by the definition of the co-ordinated field:
“requirements applicable to [ISSPs] or [ISSs], regardless of whether they are of a general nature or specifically designed for them, and covers requirements with which the service provider has to comply in respect of-the taking up of the activity of an [ISS], such as requirements concerning qualifications, authorisation or notification, and the pursuit of the activity of an [ISS], such as requirements concerning the behaviour of the [ISSP], requirements regarding the quality or content of the service including those applicable to advertising and contracts, or requirements concerning the liability of the [ISSP], but does not cover requirements such as those applicable to goods as such, to the delivery of goods or to services not provided by electronic means."
From this definition it seems that "requirements" are broader than mere licensing or regulatory requirements and can extend to, for instance, some aspects of liability.
For ISSs incoming from an ISSP established in another Member State the Regulations lay down the general principle that any requirement shall not be applied to the provision of that ISS for reasons which fall within the co-ordinated field where its application would restrict the freedom to provide ISSs to a person in the UK from that Member State-This does not apply to a requirement maintaining the level of protection for public health and consumer interests established by a Community act.
To be disapplied to an incoming ISS, a UK law must amount to a "requirement" and its application must restrict the freedom to provide the incoming ISS.
Whether a requirement constitutes a restriction should be considered in the light of ECJ case law. A domestic law may amount to a restriction not only if on its face it discriminates against imports from other Member States, but also if in fact it does so.
In limited circumstances an enforcement authority (or, in the absence of an enforcement authority, a court) may take measures amounting to a restriction against a given incoming ISS. The measure must be necessary for reasons of public policy, the protection of public health, public security or the protection of consumers, including investors. A measure must be proportionate to those objectives and is subject to a number of procedural preconditions.
Electronic contracting requirements Except where a contract has been concluded exclusively by an exchange of emails or (in a B2B context) where the parties have opted out, the Regulations impose certain rules where an order
clicking on an “Order Now” button). An ISSP must allow the party placing the order to identify and correct errors prior to placing the order and must acknowledge receipt of the order by electronic means and without delay. This does not affect applicable rules as to when the contract is formed. The order and its acknowledgement are deemed received when the addressee is able to access them (except that the acknowledgement may take the form of the provision of the ordered services, if they are online services). Although error identification and correction must be permitted until the time the contractual offer is made, in all other cases “order” may (but need not) be a contractual offer as such.
If an ISSP fails to provide this error identification and correction facility, the other party may rescind the contract unless a court orders otherwise. This rescission right is not time-limited. The Regulations provide no guidance as to when a court might deny rescission.
Information provision requirements
The Regulations identify four circumstances in which particular information must be provided, primarily to the recipient of the service but also (in the case of the first type) to any relevant enforcement authority.
Information Society Services
Regardless of whether it is dealing with a business or a consumer, an ISSP must provide:
- its name, the address where it is established (according to the Regulations) and appropriate contact details (including an email address) allowing rapid, direct and effective communication with the ISSP-no guidance is given whether email alone is sufficient;
- details of the ISSP’s entry on any trade register;
- details of any supervisory or authorisation regime applicable to the ISSP;
- details of the ISSP's registration with any relevant regulatory body;
- the ISSP's VAT details; and
- clearly and unambiguously displayed price information (with details of applicable VAT and postage costs).
This information must be provided in a way that is easily, directly and permanently accessible. In respect of this and commercial communications, the DTI has suggested that the means of provision of information and of the ISS do not have to be the same. So an ISSP providing SMS services could display the information on its website. However, no guidance is given about the meaning of "permanent".
These include all communications in any form which are designed to promote goods or services and which form part of an ISS. This may include websites themselves (even if merely passive). However, they do not include communications consisting only of information allowing direct access to the sender's activity (eg its address), or prepared independently of and without payment by the person to whose activity it relates. A commercial communication must be clearly identified as such and must set out clearly and unambiguously on whose behalf it is sent, any promotional offer and its terms and any promotional competition or game and its terms.
Unsolicited commercial communications
If a person sends unsolicited commercial communications by email, these must be clearly and unambiguously identified as such as soon as they are received. This is an interim position prior to the implementation of Directive 2002/58/EC which will subject to limited exceptions, prohibit the sending of such communications unless with the recipient's express prior consent.
Contracts concluded by electronic means
Where a contract is to be concluded by electronic means, the ISSP must make the applicable term: and conditions available in such a way that the other party can store or reproduce them. It is not cleat whether there is any distinction between this and the obligation to make the general information above “permanently accessible”. The Regulations do state that failure to provide the terms and conditions as required will entitle the other party to seek a court order for their provision. In addition to the terms and conditions, and except where the contract has been concluded exclusively by an exchange of emails or (in a B2B context) where the parties have opted out, the ISSP must make the following available to the other party clearly, comprehensively and unambiguously:
- details of the technical steps to follow to con elude the contract;
- whether the contract will be filed by the ISSI and, if so, whether it will be accessible;
- the technical means for identification and correction of errors prior to placing of order: (which in this context means the contractual offer);
- the languages offered for conclusion of the contract; and
- any relevant codes of conduct and how the; may be obtained electronically.
Except in respect of the obligations covered by the two specific remedies described above, the Regulations provide that a failure to comply with these requirements to provide information will entitle the other party to seek damages against the ISSI for breach of statutory duty.
Implementing the E-Commerce Directive
In addition to this damages remedy, and where the failure to provide information or comply with the electronic contracting requirements harms the collective interests of consumers, the DGFT or others may, from 23 October 2002, seek a “Stop Now” order from a UK court to compel the ISSP in question to cease its infringing behaviour. The "others" who may seek an order are currently the DGFT's counterparts from other EEA countries acting on behalf of the consumers in those countries, but may in future include other consumer bodies both within and outside the UK.
The remainder of the Regulations concern the situations in which (unless otherwise agreed by contract) an intermediary may avoid criminal or civil liability (other than for an injunction) when acting as a "mere conduit" or when caching or hosting certain information. In determining whether an intermediary has "actual knowledge" in relation to the caching and hosting provisions, courts are required to take account of "all the relevant circumstances" including whether the intermediary has received notice by way of the contact details it is required to provide under the Regulations and the extent to which that notice gives sufficient details of its sender, the location of the information and the infringement in question.
An intermediary who transmits information provided by a recipient of the ISS or who provides access to a communications network will not be liable as a result of that transmission if it did not initiate the transmission, select the receiver of the transmission and did not select or modify the information in the transmission. For these purposes, transmission includes the automatic, intermediate or transient storage of information if this is done solely in order to carry out the transmission and for no longer than is reasonably necessary for the transmission.
An intermediary will not be liable for caching (automatic, intermediate and temporary storage) if its sole purpose is to provide more efficient access to the information in question for subsequent users and if it does not modify the information. To benefit from this exemption, an intermediary must:
- comply with conditions on access to the information and industry standards on updating; and
- act expeditiously to remove or disable access to the information on actual knowledge that the information has been removed from the network, that access to it has been disabled, or that a court or other authority has ordered such removal or disablement.
An intermediary will not be liable for hosting information at the request of a recipient of an ISS if the intermediary has no actual knowledge of unlawful activity or information or (in the case of a claim for damages) of facts from which such unlawfulness would have been apparent, and if (on obtaining such knowledge) it acts expeditiously to remove or disable access to the information. The Regulations make clear that this exemption is not available if the recipient of the ISS was acting under the authority or control of the ISSP. However they do not explain how, for instance, the exemption would apply where the person responsible for a website chatroom is not the same as the person who hosts the website (as in the common case of outsourced hosting).
Written by Graham Smith and Alex Hand. First published on 25 October 2002 in the New Law Journal (Information Technology Supplement)
Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.