The Belgian authorities have enacted a legal framework regulating certain trusted third party services. Whilst this Act does not apply only to services provided remotely or by electronic means, in practice most of the affected services will be delivered in that way. The third party services affected are archiving, time registering, registered mailing and the temporary blocking of monetary funds. The Act imposes obligations on the trusted third parties (TTPs) in relation to impartiality, security, employee duties, insurance and the provision of mandatory information to its customers.
Trusted services are usually offered on a commercial basis by TTPs at the individual request of the recipients. These TTP services help to foster trust and security between commercial partners and consumers. The role of TTPs in the development of trade via electronic networks where most transactions are effected without direct physical interaction, is growing continuously worldwide. However, until now, almost no country has adopted a legal framework that harmonizes the minimal quality requirements and imposes any governmental supervision. The Belgian government took the viewpoint that the pre-existing legal framework, which was principally based on the law of contract and torts, unfair trade practices and information society services, did not fully ensure the required trust and security for all parties concerned.
The Act came into force on 17 July 2007. It was adopted independently of any duty or guideline derived from pre-existing EU legislation, but it supplements the EU Directive 2000/31 of 8 June 2000 (‘the E-Commerce Directive’) as implemented in Belgium on 11 March 2003 (‘the E-Commerce Act’).
The Act’s provisions will only apply to certain TTPs who are established in the Belgian territory. In accordance with the position of the EU Commission on article 49 of the EU Treaty (free movement of services), the Act does not apply to any foreign TTPs established abroad who would offer services to Belgian service recipients. The Act is technology neutral and it does not in itself require that the TTP services are performed remotely or via electronic means, however these circumstances will mostly in practice occur.
The Act only relates to four well defined TTP service activities, namely those contracts entered into between a supplier and a private individual or professional service recipient (B2C and B2B), relating to archiving, time registering, registered mailing and temporary blocking of monetary funds services, whereby these services constitute an essential element of the total offered service. Other similar services, such as source code and key escrow, are not subject to this regulation. The electronic archiving of authentic deeds and documents of fiscal, judicial or social nature are equally – but most probably only temporarily – excluded from the scope of this Act.
Pursuant to the Act, TTP service providers have to be impartial towards the service recipients and any other third parties. Irrespective of the applicable obligations under the Belgian Data Protection Act of 1992, TTPs are not entitled to consult or store transmitted data for any purpose whatsoever, except insofar as this is necessary for the performance of their service. They have to deploy all reasonable means in light of the current state of the technology in order to secure the data that they receive and to prevent it being modified, damaged or made accessible to unauthorized third parties. Moreover, TTPs may only employ staff members who have all the required specific characteristics necessary for the performance of the services and these members will be each individually bound by a non disclosure obligation. Finally, TTP service providers must have sufficient financial means in order to comply with all the operational and legal duties imposed by the Act, including the obligation to conclude an insurance contract and compensate for any damages for which they are held liable.
The Act also supplements the information and transparency provisions of the Belgian E-Commerce Act, which already established information rules for information society services. The Act provides for the recipient’s right to certain information before the conclusion of the contract with a TTP service provider. The recipient has to be informed, amongst other things, about the precise means and conditions of the use of the relevant TTP services; the operation and accessibility of their services; the security measures in place; the applicable notification proceedings for incidents, complaints and disputes; the possible warranties; the extent of their liability and insurance cover; and the reference number of the voluntary accreditation. Such mandatory information has to be easily and directly accessible in an unambiguous, transparent and comprehensive fashion in a way adapted to the chosen communication technique.Finally, the Act introduces a supervision procedure that applies when certain provisions of the Act are infringed upon. The Act stipulates that
in cases of infringement the inspectors of the Ministry of Economic Affairs may send a warning to first-time offenders, to cease the infringing acts or negligence. Persisting infringements relating to breach of confidentiality or of transparency may lead to criminal fines of up to 100.000 EUR, confiscation of assets of the provider and publication of the sanction on their websites. All other provisions under the Act are subject to general civil liability principles.
It is predicted that the Act will be complemented by secondary royal decrees providing for more specific conditions for the four specific categories of TTP services. These royal decrees will also clarify the legal value of electronic registered mails, the voluntary accreditation procedure and the rules regarding liability, supervision and sanctioning of TTP service providers in general. It is expected that these decrees will be issued by the end of 2007.
As a general conclusion, the Belgian government hopes that the Act will ensure a higher level of protection for both private and professional recipients of TTP services and provide TTP service suppliers with a more clearly defined legal framework. It remains to be seen however whether or not other European countries will follow the same regulatory example.