European Union (EU) - E-Commerce Directive
The European Union has adopted a directive requiring its member states to harmonize certain aspects of their laws relating to electronic commerce. The Directive was adopted on June 8, 2000 and went into immediate effect. The directive applies to "Information Society Services" which are defined as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".
The directive provides that member states must ensure that their legal systems "allow contracts to be concluded by electronic means". No particular type of electronic means is specified. Exceptions to this general rule are, however, permitted with respect to certain types of contracts, including those relating to the transfer of real property, certain contracts with public authorities, certain contracts relating to suretyship and contracts governed by family law or the law of succession.
Although contracting parties who are not consumers have the right to agree otherwise, in general, formation of contracts concluded by electronic means between a service provider and a recipient of the service requires that the service provider furnishes the following information: a) the different technical steps to follow to conclude the contract; b) whether or not the concluded contract will be filed by the service provider and whether it will be accessible; c) the technical means for identifying and correcting input errors prior to the placing of the order; d) the languages offered for the conclusion of the contract. These provisions do not, however, apply to contracts concluded exclusively by exchange of electronic mail or by equivalent individual communications.
The directive also requires that, although in general setting up as a provider of services of the type covered shall not require prior authorization by the state, member states that permit certain activities must impose certain restrictions on such activities. For example, countries that permit unsolicited e-mail must require that such commercial communication by a service provider established in their territory shall be identifiable clearly and unambiguously as such as soon as it is received by the recipient.
Additionally, commercial communications from a service provider covered by the directive must comply with at least the following requirements: a) the commercial communication shall be clearly identifiable as such; b) the natural or legal person on whose behalf the commercial communication is made shall be clearly identifiable; c) promotional offers, such as discounts, premiums and gifts, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions which are to be met to qualify for them shall be easily accessible and be presented clearly and unambiguously; d) promotional competitions or games, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions for participation shall be easily accessible and be presented clearly and unambiguously.
Finally, the directive provides for exclusion of liability for service providers in respect of information which they transmit where the service provider has acted as a mere conduit without initiating the communication, selecting the receiver of the information or modifying the information. Similar protection is provided for temporary caching of information in the course of carrying out the service providers' activities.
Additionally, those responsible for longer term storage of information by a host site are to be excluded from liability in respect of information which they store as long as: a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
An earlier EU directive on data privacy became the subject of an agreement between the United States and the EU which came into effect on November 1, 2000. The EU's data protection directive had caused concern in the United States as a result of its provisions that prohibit the transfer of personal data outside the EU to countries that do not provide "an adequate level of protection" for personal data. "Personal data" is defined broadly as: any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. The word "adequate" is defined to take account of the different circumstances that may surround particular data transfers.
However, within the EU, personal data may be subjected to automatic processing only if inter alia one of the following criteria is met: a) the data subject has unambiguously given his consent; or b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or c) processing is necessary for compliance with certain legal obligations; or d) processing is necessary in order to protect the vital interests of the data subject; or e) processing is necessary for the performance of certain tasks carried out in the public interest or in the exercise of official authority.
Additionally, within the EU it is in general, subject to a number of specific exceptions, unlawful to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life. There are also requirements relating to providing information to persons on whom data is being collected.
There was fear in the United States that these provisions could be used to prevent the transfer out of Europe of, for example, data legitimately used for marketing purposes. Hence an agreement has been reached whereby organizations in the United States which agree to abide by specific practices will be able to take advantage of a "safe harbor" by registering themselves with the Department of Commerce. Such registration will result in those who effect it being deemed to comply with EU requirements for adequate protection of personal data. To take advantage of the safe harbor provisions, U.S. organizations will have to accept the following obligations:
(1) to notify individuals about the purposes for which they collect and use information about them;
(2) to give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual;
(3) when disclosing information to a third party, to apply the notice and opt-out principles set out above;
(4) to give individuals access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated;
(5) to take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction;
(6) to confine personal information stored to that which is relevant for the purposes for which it is to be used and take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current; and
(7) in order to ensure compliance with the safe harbor principles, to provide (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.
Organizations may register with the Department of Commerce, self-certifying that they will accept these obligations.
The Commerce Department will issue a list of organizations that have registered themselves under the safe harbor provisions so that European organizations will know that such organizations are deemed to have adequate protection for personal data sent to them. Failure to abide by the obligations that have been undertaken could result in action by the FTC under its powers to deal with unfair and deceptive practices. The safe harbor provisions have been subject to some criticism in the United States as having the potential to damage the value of trade secrets, such as customer lists, by requiring outsiders to have access to data held in them.
© Copyright 2002 Ladas & Parry - Posted February 2002