Consumer Protection in E-Commerce

Author: Alfred Morton
UNIVERSITY OF CAPE TOWN Faculty of Law – School for Advanced Legal Studies

Consumer Protection in E-Commerce

An examination and comparison of the regulations in the European Union, Germany and South Africa that have to be met in order to run internet services and in particular online-shops.

Helge Huffmann

Supervisor: Professor Julien Hofman

Cape Town 2004

Research dissertation presented for the approval of Senate in fulfilment of part of the requirements for the degree of Master of Laws in approved courses and a minor dissertation. The other part of the requirement for this qualification was the completion of a programme of courses. I hereby declare that I have read and understood the regulations governing the submission of Master of Laws dissertations, including those relating to length and plagiarism, as contained in the rules of this University, and that this dissertation conforms to those regulations.


"Consumers, by definition, include us all, they are the largest economic group, affecting and affected by almost every public and private economic decision. Yet they are the only important group...whose views are not often heard." (President of the United States John F. Kennedy in his 15 March 1962 declaration to the US Congress.)

Table of Contents

I. INTRODUCTION
  1. What is E-Commerce?
  2. What is Consumer Protection?
  3. Consumer Protection in South Africa before ECT Act
  4. Why protect the Consumer?
  5. Facts and Statistics

II. GLOBAL INITIATIVES AND PROPOSALS FOR E-CONSUMER PROTECTION
  1. UNCITRAL
  2. ICC
  3. OECD

III. EUROPEAN APPROACH ON E-CONSUMER PROTECTION
  1. Directive 97/7/EC on Distant Selling Contracts
    a. Scope of the Directive
    b. Suppliers Obligation and Consumer Protection Rights
      (i) Prior Information (Article 4)
      (ii) Written Confirmation of Information (Article 5)
      (iii) Right of Withdrawal (Article 6)
    c. Performance and Binding Nature
    d. Exemptions from the Scope of the Directive
  2. Directive 2000/31/EC on E-Commerce
    a. Objective and Scope of the Directive
    b. Information Requirements
      (i) General Information (Article 5)
      (ii) Commercial Communications (Article 6 and 7)
      (iii) Online Contracts (Article 10)
  3. Directive 95/46/EC on Personal Data Protection
    a. Scope of the Directive
    b. Principles of the Directive relating to Data Quality
    c. Legitimate Data Processing
  4. Directive 2002/58/EC on Privacy and Electronic Communications
    a. Network security (Article 4)
    b. Confidentiality of Communication (Article 5)
    c. Traffic Data (Article 6)
    d. Location Data (Article 9)
    e. Unsolicited Communications (Article 13)

IV. E-COMMERCE AND RELATED LEGISLATION IN GERMANY
  1. Tele- and Mediaservices
    a. Information to be provided according to § 6 TDG
      (i) How to provide the Information
      (ii) What Information to provide
    b. Information to be provided according to § 10 MdStV
    c. Further Information
  2. Distance Selling Contracts (312b BGB)
    a. Information to be provided (§ 312c BGB)
    b. Right of Withdrawal (§ 312d BGB)
    c. Additional Information (§ 312e BGB)
    d. Contrary agreements
    e. Business Standard Terms and Conditions
  3. Data Protection
    a. Scope and regulation of the BDSG
    b. Scope and regulation of the TDDSG
    c. Web-Cookies
    d. Information to be provided
  4. Unsolicited Communication (‘Spam’)

V. SOUTH AFRICAN LEGISLATION – THE ECT ACT
  1. Chapter VII of the ECT Act – Consumer Protection
    a. Information to be provided (Section 43 ECT Act)
    b. Cooling-off Period (Section 44 ECT Act)
    c. Performance (Section 46 ECT Act)
    d. Unsolicited Goods, Services, or Communication (Section 45 ECT Act)
    e. Keep Records
  2. Chapter VIII of the ECT Act – Protection of personal Information
    a. Data Protection Principles (Section 51 ECT Act)
    b. Applicability of Data Protection Principles

VI. CONCLUSION

Table of Cases

South African Cases

Standard Credit Corporation Ltd. v Strydom 1991 (3) SA 644 (W) at 651.

European Cases

EuGH, Heininger ./. Bayerische Hypo- und Vereinsbank AG, Urteil vom 13.12.2001, Rs C-481/99, in: Neue Juristische Wochenschrift (NJW) 2002, p. 281.

German Cases

BGH, (Widerrufsrecht bei Fernabsatzvertrag) Urteil vom 19.03.2003 - III ZR 295/01, in: Neue Juristische Wochenschrift (NJW) 2003, p. 1665.

OLG München (Impressumspflicht), Urteil v. 11.9.2003 – 29 U 2681/03, in: Multi Media Recht (MMR) 2004, p. 36.

OLG Hamburg (Impressums- und Informationspflicht einer Homepage), Beschluß vom 20.11.2002, 5 W 80/02, in: Multi Media Recht (MMR) 2003, p. 105.

LG Wuppertal, Urteil vom 16.5.1990 – 8 S 21/90, in: Neue Juristische Wochenschrift – Rechtsprechung Report (NJW-RR) 1991, p. 1148.

LG Traunstein (Wettbewerbswidrigkeit von e-mail-Werbung), Beschluß vom 18.12.1997- 2 HKO 3755/97, available at http://www.jurpc.de/rechtspr/19980013.htm.

LG Münster (Internetauktionen), Urteil vom 21.1.2000 – 4 O 424/99, in: JurPC Web-Dok. 60/2000, Abs. 1 – 67, available at: http://www.jurpc.de/rechtspr/20000060.htm.

LG Kleve (Informationspflichten beim Fernabsatz), Urteil vom 22.11.2002, 5 S 90/02, in: Neue Juristische Wochenschrift – Rechtsprechung Report (NJW-RR) 2003, 196.

LG Freiburg, Urteil vom 7.4.1992 – 9 S 139/90, in: Neue Juristische Wochenschrift – Rechtsprechung Report (NJW-RR) 1992, p. 1018.

LG Essen (Vertragsschluß im Internet), Urteil vom 13.02.2003 - 16 O 416/02, in: Multi Media Recht (MMR) 2004, p. 49.

LG Ellwangen (Wettbewerbsrechtliche Unzulässigkeit von E-Mail-Werbung), Urteil vom 27.08.1999 – 2 KfH O 5/99, JurPC Web-Dok. 198/1999, Abs. 1 – 34, available at http://www.jurpc.de/rechtspr/19990198.htm.

LG Braunschweig, Urt. vom 11.08.1999 – 22 O 1638/99, in: Multi Media Recht (MMR) 2000, 50.

LG Berlin (E-Mail Werbung), Urteil vom 13.10.1998 -16 O 320/98, available at http://www.jurpc.de/rechtspr/19980187.htm.

LG Berlin (Anbieterkennzeichnung) Urteil vom 17.9.2002 – 103 O 102/02, in: Multi Media Recht (MMR) 2003, p. 202.

LG Aachen (Zur Einbeziehung von Allgemeinen Bedingungen bei Vertragsschluß mittels Bildschirmtext (Btx)), Urteil vom 24.1.1991 – 6 S 192/90, in: Neue Juristische Wochenschrift (NJW 1991), p. 2159.


Bibliography

Articles

Bafana Makhubo: “The right to have access to information and consumer rights”, 1999, Consumer Institute of South Africa, available at http://www.pmg.org.za/odb/consumer%20institute.htm

Bizer, Johann; Trosch, Daniel: “Die Anbieterkennzeichnung im Internet.”, in Datenschutz und Datensicherheit (DuD) 1999, 621.

Borges, Georg: “Internet-Shopping”, in Zeitschrift für Wirtschaftsrecht (ZIP) 1999, p. 130.

Brunst, Phillip W.: “Umsetzungsprobleme der Impressumspflicht bei Webangeboten”, in Multi Media Recht (MMR) 2004, 8.

Buckley, Patricia: “The emerging digital economy”, U.S. Department of Commerce, June 1999, available at: http://www.sipeb.aoyama.ac.jp/~ida/courses/emergdig-econ2-jun99.pdf.

Buys, Reinhardt: “How Will The Consumer Protection Provisions Of The New Ect Act Affect Your Web Site?”, available at: http://www.buys.co.za.

Cassim, N A: “Consumer protection and the Credit Agreements Act” in Tydskrif vir Hedendaagse Romeins-Hollandse Reg, 1984 (47).

Clarke, Roger: “Electronic Commerce Definitions”, revised Definitions of 3 February 1999, available at: http://www.anu.edu.au/people/Roger.Clarke/EC/ECDefns.html

Commission of the European Communities: “A European Initiative in Electronic Commerce”, 1997, available at http://www.cordis.lu/esprit/src/ecomcom.htm

Fringuelli, Pietro Graf; Wallhäuser, Matthias: “Formerfordernisse”, in Computer und Recht (CR) 1999, p. 93.

Gola, Peter; Klug, Christoph: “Die Entwicklung des Datenschutzrechts in den Jahren 2001/2002”, in Neue Juristische Wochenschrift (NJW) 2002, p. 2431.

Gola, Peter: “Die Entwicklung des Datenschutzrechts in den Jahren 1999/2000”, in Neue Juristische Wochenschrift (NJW) 2000, p. 3749.

Hoenike, Mark; Hülsdunk, Lutz: “Die Gestaltung von Fernabsatzangeboten im elektronischen Geschäftsverkehr nach neuem Recht - Gesetzesübergreifende Systematik und rechtliche Vorgaben vor Vertragsschluss”, in Multi Media Recht (MMR) 2002, 415.

Hoenike, Mark; Hülsdunk, Lutz: “Rechtliche Vorgaben für Fernabsatzangebote im elektronischen Geschäftsverkehr bei und nach Vertragsschluss - Ein Überblick über die gesetzlichen Anforderungen und die Rechtsfolgensystematik bei Verstößen”, in Multi Media Recht (MMR) 2002, p. 516.

Hoffmann, Helmut: “Die Entwicklung des Internet-Rechts von Anfang 2001 bis Mitte 2002”, in Neue Juristische Wochenschrift (NJW) 2002, p. 2602.

Horn, Christian: “Verbraucherschutz bei Internetgeschäften”, in Multi Media Recht (MMR) 2002, p. 209.

International Chamber of Commerce: “ICC Guidelines on Advertising and Marketing on the Internet”, Principles for Responsible Advertising and Marketing over the Internet, World Wide Web, Online Services and Electronic Networks, April 1998, available at http://www.iccwbo.org/home/statements_rules/rules/1998/internet_guidelines.asp

Lodder, A. R.: “Legal aspects of Electronic Commerce”, Vrije Universiteit Amsterdam, 2000, available at: http://www.rechten.vu.nl/~lodder/enlist/ec.pdf

Mehrings, Josef: “Verbraucherschutz im Cyberlaw – Zur Einbeziehung von AGB im Internet”, in Betriebs Berater (BB) 1998, p. 2373.

Ranke, Johannes: “M-Commerce - Einbeziehung von AGB und Erfüllung von Informationspflichten”, in Multi Media Recht (MMR) 2002, p. 509.

Schaar, Peter; Möller, Frank: “Orientierungshilfe Tele- und Mediendienste”, Der Hamburgische Datenschutzbeauftragte, 2002, available at: http://www.hamburg.datenschutz.de.

Schulz, Wolfgang: “Rechtsfragen des Datenschutzes bei Online – Kommunikation”, Expertise zum Datenschutz im Rahmen des Projektes InfoCity NRW, 1998, available at: http://www.rrz.uni-hamburg.de/hans-bredow-institut/ws-lehr/aktuelles/lfr-datenschutz.pdf

Sorkin, David E.: “Technical and Legal Approaches to Unsolicited Electronic Mail”, University of San Francisco, in Law Review, Vol 35, p. 325, 2001.

Weiler, Frank: “Spamming - Wandel des europäischen Rechtsrahmens”, in Multi Media Recht (MMR) 2003, p. 223.

Wichert, Michael: “Web-Cookies – Mythos und Wirklichkeit”, in Datenschutz und Datensicherheit (DuD) 1998, p. 273.

Woitke, Thomas: “Das „Wie“ der Anbieterkennzeichnung gemäß § 6 TDG”, in Neue Juristische Wochenschrift (NJW) 2003, 871.

Wolters, Sabine: “Einkauf via Internet: Verbraucherschutz durch Datenschutz”, in Datenschutz und Datensicherheit (DuD) 1999, p. 277.

Wright, Bianca: “Act on ECT”, available at: http://www.sacm.co.za/FeatureTitle.asp?NewsID=5683&Title=Act%20On%20ECT.

Zyl, M.M. van; Wyk, G.A. van: “Consumer protection in the South African Electronic Communications and Transactions (ECT) bill”, a commentary on Chapter VII (sections 43-50) of the ECT Bill, Polytechnic of Namibia, Windhoek, Namibia, 2002.

Books

Aronstam, Peter: “Consumer Protection, Freedom of Contract and the Law”, Juta & Co. Ltd., 1997.

Goldring, John; Maher, Lawrence W.; McKeough, Jill: “Consumer protection law in Australia”, 3rd Edition, Butterworths, 1987.

Hoeren, Thomas: “Internetrecht”, Skriptum, Institut für Informations-, Telekommunikations- und Medienrecht, University of Münster, February 2004, available at: http://www.uni-muenster.de/Jura.itm/hoeren/materialien.

Hornby, Albert Sydney; Ashby, Michael; Wehmeier, Sally: “Oxford advanced learner's dictionary of current English”, Cornelsen & Oxford, 2001.

Jauernig, Othmar: “Bürgerliches Gesetzbuch” (Commentary), 10th Edition, Munich, Beck, 2003.

McQuoid-Mason, David: “Consumer Law in South Africa”, Juta & Co. Ltd., 1997.

Michalson, Lance: “Spam”, available at: http://www.emessagex.com/systems/rsvp/s_summit/Spam_Article_SPAM_Summit-20.10.2003.doc.

Palandt, Otto: “Bürgerliches Gesetzbuch” (Commentary), 63rd Edition, Munich, Beck, 2004.

Pappi, Urban: “Teledienste, Mediendienste und Rundfunk”, 1st Edition, Baden Baden, Nomos, 2000.

Strömer, Tobias H.: “Online-Recht. Rechtsfragen im Internet”, 3rd Edition, dpunkt-Verlag, Heidelberg, 2002.

Table of Websites

www.anu.edu.au [accessed on 10/02/2004]
www.bfai.de [accessed on 10/02/2004]
www.buys.co.za [accessed on 18/02/2004]
www.consumer.gov.uk [accessed on 30/01/2004]
www.consumer.gov.uk [accessed on 26/01/2004]
www.cordis.lu [accessed on 28/01/2004]
www.dmmv.de [accessed on 13/02/2004]
www.emessagex.com [accessed on 19/02/2004]
www.export.gov [accessed on 05/02/2004]
www.export.gov [accessed on 05/02/2004]
www.gfk.de [accessed on 10/02/2004]
www.hamburg.datenschutz.de [accessed on 15/02/2004]
www.heise.de [accessed on 10/02/2004]
www.iccwbo.org [accessed on 23/01/2004]
www.iccwbo.org/ [accessed on 25/11/2003]
www.iuscomp.org [accessed on 12/02/2004]
www.jurpc.de [accessed on 15/02/2004]
www.michalson.com. [accessed on 19/02/2004]
www.nielsen.de [accessed on 10/02/2004]
www.oecd.org [accessed on 28/01/2004]
www.pmg.org.za [accessed on 08/11/2003]
www.polity.org.za [accessed on 08/11/2003]
www.polytechnic.edu.na [accessed on 07/11/2003]
www.rechten.vu.nl [accessed on 02/02/2004]
www.sacm.co.za [accessed on 19/02/2004]
www.sipeb.aoyama.ac.jp [accessed on 10/02/2004]
www.uncitral.org [accessed on 28/01/2004]
www.unece.org [accessed on 26/01/2004]
www.weforum.org [accessed on 10/02/2004]

I. Introduction

On 30th August 2002 the Electronic Communications and Transactions Act 25 of 2002 came into force.[1] The passing of this Act put an end to a four-year-long discussion about regulations for electronic business transactions in South Africa. The ECT Act is an advancement of the ‘Green Paper on electronic commerce’.[2] Most participants in the economy appreciated the ECT Act, because the main problems of e-commerce had finally been regulated by legislation. Before the ECT Act there was considerable legal uncertainty as far as business transactions were concerned, because the former legislation and the common law applied only partially. The question is whether the regulations of the ECT Act have resolved this uncertainty with regard to consumer protection.

The purpose of this paper is to analyse the new provisions in chapters VII and VIII of the ECT Act on consumer protection with regard to service providers and online-shops, and how they should be implemented in practice. It will be useful to look at the European approach and legislation on consumer protection in the form of directives. Furthermore, the examination will draw comparisons with German legislation. Germany has already implemented most of the European directives in this matter and has passed a variety of legislation in order to protect e-consumers. A number of authors have addressed these new regulations in Germany and there are already court decisions in this field of law. It will be helpful to take the authors’ and judges’ thoughts into consideration in order to find possible solutions for South African legislation. Advice and examples will also be provided on how to arrange websites, especially those that contain online-shops, according to the new consumer protection regulations.

[1] Act No. 25, 2002; Government Gazette No. 23708; further on cited as ‘ECT Act’.
[2] Available at http://www.polity.org.za/html/govdocs/green_papers/greenpaper/.

1. What is E-Commerce?

Electronic Commerce is often interpreted as being just Internet commerce. Take for example Patricia Buckley’s definition:[3]

• "(...) Electronic Commerce (i.e., business processes which shift transactions to the Internet or some other non-proprietary, Web-based system). Electronic Commerce is a means of conducting transactions that, prior to the evolution of the Internet as a business tool in 1995, would have been completed in more traditional ways--by telephone, mail, facsimile, proprietary electronic data interchange systems, or face-to-face contact."

Buckley's definition of Electronic Commerce is actually a definition of Internet Commerce. Most of the ‘traditional ways' that are mentioned refer to electronic means. So, commercial activities performed using these means belong to Electronic Commerce. Actually, a variant of EDI (‘proprietary electronic data interchange systems'), namely open EDI, is one of the early examples of Electronic Commerce (probably the main example before the rapid growth of the Internet as a place to conduct commercial activities in the mid 1990s).

A pure definition of Electronic Commerce is one by Roger Clarke,[4] who has been working on Electronic Commerce related topics since the late 1980s. He claims that Electronic Commerce is usefully defined as:

• "the conduct of commerce in goods and services, with the assistance of telecommunications and telecommunications-based tools."

A very useful definition is the one of A.R. Lodder.[5] He defines e-commerce as:

• “Commercial activities concerning goods and services as well as any business transaction, where participants are not necessarily at the same physical location and therefore do apply telecommunication means.”

[3] Patricia Buckley, U.S. Department of Commerce, “The emerging digital economy II”, p 1, available at http://www.sipeb.aoyama.ac.jp/~ida/courses/emerg-dig-econ2-jun99.pdf.
[4] Clarke, “Electronic Commerce Definitions”, available at http://www.anu.edu.au/people/Roger.Clarke/EC/ECDefns.html.
[5] Lodder, “Legal Aspects of Electronic Commerce”, p. 4, available at http://www.rechten.vu.nl/~lodder/enlist/ec.pdf.

2. What is Consumer Protection?

In 1973 Senator Murphy, the Australian attorney-general, introducing the Trade Practice Bill of the Commonwealth of Australia, justified consumer protection measures as follows:

“In consumer transactions unfair practices are widespread. The existing law is still founded on the principle known as caveat emptor – meaning ‘let the buyer beware’. That principle may have been appropriate for transactions conducted in village markets. It has ceased to be appropriate as a general rule. Now the marketing of goods and services is conducted on an organized basis and by trained business executives. The untrained consumer is no match for the businessman who attempts to persuade the consumer to buy goods or services on terms and conditions suitable to the vendor. The consumer needs protection by law...”[6]

The principal purpose of consumer law is to prevent the abuse of superior bargaining power by the sellers and suppliers of goods and services, and to regulate the inequality of bargaining power between them and the consumers.[7]

But who are the consumers? The Oxford Advanced Learner’s Dictionary defines a consumer as “a person who buys goods or uses services”. McQuoid-Mason[8] defines a consumer in a narrow sense as being “any person who buys or hires goods or services, or any person who uses such goods or services” and in a broad sense as “any person who is affected by the use of goods or services, whether or not he or she bought, hired or used them”. In the Consumer Affairs (Harmful Business Practices) Act, Act 71 of 1988 a “consumer” is defined as:

• "any natural person to whom any commodity is offered, supplied or made available;

• any natural person from whom any investment is solicited or who supplies or makes available any investment;

• any other person who the Minister with the concurrence of the committee declares to be a consumer by notice in the Gazette;

• any person who is a consumer for the purposes of this Act in terms of any other law,"

while the courts[9] have held that the word “consumer” should be restricted to transactions where credit receivers in terms of the Credit Agreements Act 75 of 1980 use the goods and do not sell or lease them, and suggested that the idea behind the Act was to protect the consumer and not the trader. However, McQuoid-Mason submits that in view of the large number of small businesses trading in the informal sector of South Africa’s economy, “the courts should not adopt a restrictive meaning when interpreting the word ‘consumer’ for the purpose of these sections.”[10]

The ECT Act defines a consumer as “any natural person who enters or intends entering into an electronic transaction with a supplier as the end user of the goods or services offered by that supplier”. The ECT Act omits to define the term “supplier”. The question arises whether this was done on purpose to keep it as wide as possible or whether the idea is that the current definitions in the Consumer Affairs (Harmful Business Practices) Act should serve as proper definitions in view of part (d) of the definition of “consumer” in the latter Act. However, it is clear that the ECT Act narrows the definition of a consumer down to buying for consumption and not for trade purposes. Therefore, it rather follows the above-mentioned court’s approach.

[6] Quoted in Goldring Maher McKeough, Consumer Protection Law in Australia [101], p. 2.
[7] Cassim, “Consumer protection and the Credit Agreements Act”, THRHR 1984 (47), p. 311.
[8] McQuoid-Mason, Consumer Law in South Africa, Chapter 1, p. 1.
[9] Standard Credit Corporation Ltd. v Strydom 1991 (3) SA 644 (W) at 651.
[10] McQuoid-Mason, Consumer Law in South Africa, Chapter 1, p. 5.

3. Consumer Protection in South Africa before ECT Act

There is no tradition of consumer protection in South Africa; hence it has not been a major concern in the past. Legal protection for consumers in South Africa is not adequately provided by the common law.[11] Certainly, one may say that the law of contract or freedom of contract gives consumers some protection. Nevertheless, the words “freedom of contract” referring to the relationship between suppliers of goods and services and consumers in the commercial world may be very misleading and untrue.[12] The classical theory of contract assumes that the parties are free to bargain about terms and conditions of an agreement from positions of equal strength.[13] This theory fails to take into account that true equality rarely exists.

Consumer protection is present in self-regulation. South Africa has an array of consumer protection bodies.[14] The most important of these bodies include the Business Practices Committee, the Provincial Governments Departments of Consumer Affairs, the South African Bureau of Standards, statutory professional regulatory bodies and 'industry-specific' self-regulatory bodies.

However, one should keep in mind that it is unlikely that businesses will introduce self-regulatory measures contrary to their interests. Business malpractices are the cause for the consumer’s concern; and this prompts the law to take sides in the economic interest of the community. In 1962 President John F. Kennedy[15] referred to a “consumers’ bill of rights” and suggested that it should include:

• the right to safety (protection against marketing of goods which are hazardous to health or life.);

• the right to be informed (protection against fraudulent, deceitful, or grossly misleading information, advertising, labelling or other practices, and to be given the facts to make an informed choice.);

• the right to choose (assurance of access to a variety of products and services, where possible, at competitive prices and assurance of satisfactory quality and services at fair prices.);

• the right to be heard (assurance that consumer interests will receive full and sympathetic consideration in the formulation of Government policy and fair, expeditious treatment in its administrative tribunals.).

[11] Cassim, “Consumer protection and the Credit Agreements Act”, THRHR 1984 (47), p. 312.
[12] Ibid.
[13] E von Hippel, quoted in Aronstam, Consumer Protection, Freedom of Contract and the Law, p. 13.
[14] Bafana Makhubo, “The right to have access to information and consumer rights“, available at http://www.pmg.org.za/odb/Consumer%20Institute.htm.
[15] McQuoid-Mason, Consumer Law in South Africa, Chapter 1, p. 13.

Consumers International (CI),[16] which South Africa is a member of, has adopted an expanded version of the list of consumer rights suggested by John F. Kennedy. It has recognized the following:

• the right to satisfaction of basic needs (having access to essential goods and services);

• the right to safety (see above);

• the right to be informed (see above);

• the right to choose (see above);

• the right to be heard (see above);

• the right to redress (reception of a fair settlement of just claims, including compensation of misrepresentation, shoddy goods or unsatisfactory services);

• the right to consumer education (acquirement of knowledge and skills needed to make informed, confident choices about goods and services, while being aware of basic consumer rights and responsibilities and how to act on them);

• the right to a healthy environment (life and work in an environment which is non-threatening to the well-being of present and future generations).

[16] A body originally formed by the American Consumers’ Union, the English Consumers’ Association, the Australian Consumers’ Association, the Dutch Consent and the Belgian Association Des Consommateurs.

The Constitution of the Republic of South Africa (Act 108 of 1996) protects such rights in Chapter 2.17 As seen above, there also exists other legislation on consumer protection in South Africa such as the Usury Act 73 of 1968, the Credit Agreements Act 75 of 1980, the Consumer Affairs (Unfair Business Practices) Act 71 of 1988. Section 2 of the Consumer Affairs (Unfair Business Practices) Act provides for the establishment of a Business Practices Committee to be known as the Consumer Affairs Committee18. This committee has the power to investigate business practices and to recommend that they be declared harmful. The committee then publishes a list of these deceptive practices.19 The Consumer Affairs Committee has furthermore designated certain acts as being unconscionable. In so doing, factors such as the following will be given consideration:

• consumer was subjected to undue pressure to enter into the consumer transaction;

• consumer was taken advantage of by reason of his inability or incapacity reasonably to protect his own interest due to his physical or mental infirmity, ignorance, illiteracy, age or inability to understand the character, nature or language of the consumer transaction, or any matter related to it;

• the terms and conditions entered into by the consumer were so harsh or adverse to the consumer as to be inequitable;

• at the time of the transaction, the other party to the transaction was or should have been aware that there was no reasonable probability of full payment of the price by the consumer.

However, consumer protection has never been recognized by legislation as extensive and far ranging as in the ECT Act. Thus, the ECT Act is the first legislation that provides “real” consumer protection, even though its scope is limited to electronic transactions. It is assumed that a consumer shall still enjoy all the protection provided by the common law (such as the risk doctrine, the guarantee against latent defects and the guarantee against eviction), although it has not been expressly stated.20 An attempt to this effect was made in section 91 of the ECT Act where it is stated that Chapter XIV does not affect criminal or civil liability in terms of the common law. It is submitted that the common law principles and protection should be retained and still applied to all the provisions in the Act.

17 Although these rights might not address consumers expressly they do apply to consumers; see further Bafana Makhubo, “The right to have access to information and consumer rights“, available at http://www.pmg.org.za/odb/Consumer%20Institute.htm.
18 As referred to in section 1 of the ECT Act.
19 McQuoid-Mason, Consumer Law in South Africa, Chapter 4, p. 123 – 126.

4. Why protect the Consumer?

It is evident that the problems facing consumers on-line are not much different from transactions concluded off-line, but it cannot be denied that online-consumers have special needs; e.g. the issue of privacy poses a greater risk in cyberspace. Unlike the off-line environment where consumers get an opportunity to inspect potential purchases and to judge for themselves the trustworthiness of a seller, in the online world, consumers are forced to proceed on faith, knowing very little about the seller to whom they are entrusting a variety of information, including credit card information. One of the objectives of the ECT Act is set out in section 2(1)(e), i.e. “to promote legal certainty and confidence in respect of electronic transactions”. Trust is essential in electronic commerce and the importance of trust for the success thereof is widely recognised. The Commission of the European Communities for example noted the following: “The first objective is to build trust and confidence. For e-commerce to develop, both consumers and businesses must be confident that their transaction will not be intercepted or modified, that the sellers and the buyers are who they say they are and that transaction mechanisms are available, legal and secure. Building such trust and confidence is the prerequisite to win over businesses and consumers to e-commerce”.21 According to the principles of John F. Kennedy introduced above, consumer sovereignty has four key elements, i.e. protection, information, choice and redress.
Consumers would like to be confident that the goods and services offered online are fairly represented, that the merchants with whom they are dealing will deliver goods on time, and that they are not engaged in illegal practices. Consumers should further be protected against unsolicited communication; illegal or harmful goods, services and content; insufficient information about goods or their suppliers; the accessibility of websites; invasion of privacy; lack of protection through unfamiliar, inadequate or conflicting laws of a foreign country being applicable to the contract and cyberfraud. As with any consumer market, things can go wrong in global commerce and consumers are usually confronted with the following consumer type protection issues:

• information deficiencies (inability of consumer to find out basic information about the trader, product or service, on which to make informed choices);

• after sales difficulties (such as failure to supply the goods or services after payment has been made, problems with the delivery of the goods, unsatisfactory goods or services, or goods or services that present health and safety risks);

• fraud and unethical conduct (such as identity deception, false advertising, receiving payment without intending to supply, and scams like pyramid selling schemes, and some work from home or investment schemes);

• problems with privacy issues (such as consumer data protection, privacy of the consumers’ communication);

• making payment over the Internet (such as loss, errors and unauthorised transactions as well as the security of payment details such as credit card numbers and bank account details).

20 “Consumer Protection In The South African Electronic Communications And Transactions (Ect) Bill”, a commentary on Chapter VII (sections 43-50) of the ECT Bill jointly prepared by M.M. van Zyl and G.A. Van Wyk, Polytechnic of Namibia, Windhoek, Namibia, available at http://www.polytechnic.edu.na/Legal/Elaw.htm#_ftnref4.
21 Commission of the European Communities, A European Initiative in Electronic Commerce, (COM (97) 157 final, Apr, 16, 1997) available at http://www.cordis.lu/esprit/src/ecomcom.htm

Furthermore, it has to be considered that e-commerce often crosses borders. All e-commerce is potentially international and not all countries subscribe to the same consumer protection standards. Legislation about consumer protection is the best way to harmonize standards.

5. Facts and Statistics

According to the “E-Commerce and Development Report 2003” of the United Nations Conference on Trade and Development (UNCTAD)22 enormous growth rates are expected in the field of e-commerce. The report also states that 95 % of this form of trade takes place in the industrial nations. Africa and Latin America together run less than 1 % of the e-commerce.

22 Available at: http://unctad/en/docs//ecdr2003_en.pdf.

The forecasts for the worldwide development of electronic trade lie between 1.4 and 3.8 trillion U.S. dollars (1.1 and 3.2 trillion euros) this year (2004). Increases of up to 12.8 trillion U.S. dollars are expected in 2006 as stated in the report. Nevertheless, 95 per cent of this is allotted to the so-called business to business trade (B2B). The private customers primarily consist of better earning people in the Scandinavian States, in Great Britain and in the USA. 38 % of these private customers actually purchased goods and services through the internet; in Mexico however, only some 0.6 % utilised electronic trade. These statistics refer to the years 2000 and 2001. About one third of the purchases (32 %) covered software, 17 % tickets and 12 % books. Journey or hotel and hire car bookings already made up about half of all bookings in the USA in April 2003. In the European Union electronic sales worth about 30 billion U.S. dollars took place in 2002. That corresponds to 1.6 % of the complete sales volume. The sceptical judgement of the safety of credit cards dampens the desire to buy products. Germany for instance has the largest e-commerce community in Europe with 18 million euros. But the sales figures of 2.2 billion euros around the Christmas time 2002 were lower than in Great Britain where 2.6 billion euros were spent. According to another survey23 in the Member States Belgium, Germany, France, Great Britain, the Netherlands and Spain, internet purchase has become more and more popular. This is equally regarded as far as the whole European market is concerned. Germany is clearly located at the lead, followed by Great Britain with 18.7 million e-consumers which spent 7.9 billion euros. Against this, Spaniards (5.6 million) and Frenchmen (3.2 million) hold back noticeably.
Already 90 % of the businesses in the European Union are connected to the internet, which is an important basis for the growth of electronic trade in Europe.24 In Europe, the number of the Internet users is already higher than in the USA. The broadband transmission booms and the entrance costs are sinking. Most of the internet users are using the internet solely for the information, but the number of the online buyers is increasing. In the year 2005 the share of the electronic trade in the complete retail sales will reach about 260 billion euros in Europe, which is 5.6 %25, according to forecasts.

23 Survey of the market-research institute GfK for the year 2002, available at: http://www.gfk.de.
24 “E-Commerce in der EU”, Bundesagentur für Außenwirtschaft (Agency of the Federal Ministry of economy and work), available at: http://www.bfai.de.
25 “Günstige Perspektiven für E-Commerce in Europa“, news at heise online, 10 April 2003, available at http://www.heise.de.

In Germany more than half of the citizens older than 14 years were connected to the internet in 200226, and 93 % of the businesses present themselves in the internet. According to a recent study by Nielsen-NetRatings27 approximately 94 % of the German households attached to the internet inform themselves via the internet before making a purchase decision. The price comparison is the most important to 81 % of the users, followed by the search for product information or test reports with 68 % and the search for the right dealer with 62 %. For further information it is useful to take a look at the "Global Information Technology Report" of the World Economic Forum in Geneva.28 The core of this report is the determination of the so-called “Networked Readiness Index”29. The Networked Readiness Index (NRI) is defined as “the degree of preparation of a nation or community to participate in and benefit from information and communication technology (ICT) developments.” According to this index the USA is in the lead followed by Singapore and Finland. Germany ranks in 15th place, the United Kingdom also 15th, while South Africa ranks 37th.

II. Global Initiatives and Proposals for e-Consumer Protection

E-Commerce is a global and transborder matter. Its successful development and acceptance will largely depend on international and transborder solutions. Those solutions have to be found in harmonized regulation and legislation based on policy coordination between the countries.30 Considering the international relevance of the topic, it is not surprising that international organisations are interested in contributing to regulate e-commerce. Therefore international organisations have released proposals for regulations in the area of electronic transactions and e-commerce. Most of these proposals dealt with electronic contracting, such as the Electronic Commerce Agreement of 200031 by the United Nations Economic Commission for Europe (UN/ECE), which is referred to as E-Agreement. The idea of this agreement is that despite all the efforts undertaken to regulate legal aspects of electronic commerce, still, several issues can better be addressed through a contractual process.

26 According to new statistics, 55 % of the German population went online either at home, at work or at internet cafes in 2003. The average usage per person was 11 hours a month.
27 Available at http://www.nielsen.de.
28 Available at http://www.weforum.org.
29 See chapter 1 of the report, “The Networked Readiness Index 2003-2004: Overview and Analysis Framework”. See table on p. 5.
30 Organisation for Economic Co-operation and Development (OECD), Electronic Commerce, About, available at http://www.oecd.org/about/0,2337,en_2649_37441_1_1_1_1_37441,00.html
31 Available at http://www.unece.org/trade/untdid/sessdocs/.

The intended scope of the E-Agreement is on business-to-business electronic commerce, since no provisions relating to consumer protection are incorporated. Indeed, consumer protection has not been a major concern. It was verbally recognized by the United Nations Commission on International Trade Law (UNCITRAL)32, the Organisation for Economic Co-operation and Development (OECD)33 and the International Chamber of Commerce (ICC) “Guidelines on Advertising and Marketing on the Internet”. Only the latter proposals, as shown further down, considered consumer protection in a fruitful manner, but it should be noted that none of the initiatives have binding force. However, on a global level they represent the basis for regulating e-commerce.

1. UNCITRAL

The UNCITRAL released the UNCITRAL Model Law on Electronic Commerce with Guide to enactment in 199634. Unfortunately, consumer protection was intentionally not recognized within these regulations. The UNCITRAL Model Law mainly deals with the legal recognition of data messages in general and electronic contracting. It is applicable to “any kind of information in the form of a data message used in the context of commercial activities”.35 The purpose of the Model Law is twofold: 1. to offer national legislators a set of international rules for creating a more secure legal environment for e-commerce in order to facilitate its use; and 2. to provide equal treatment “to users of paper-based documentation and to users of computer-based information”36, known as the functional-equivalent approach37. Unfortunately it was felt that an indication should be given that the Model Law had been drafted without special attention being given to issues that might arise in the context of consumer protection.
At the same time, it was felt that there was no reason why situations involving consumers should be excluded from the scope of the Model Law by way of a general provision, particularly since the provisions of the Model Law might be found appropriate for consumer protection, depending on legislation in each enacting State. The question of which individuals or corporate bodies would be regarded as "consumers" was left to applicable law outside the Model Law. Another aim was to recognize that consumer-protection or other national or international law of a mandatory nature (e.g., rules protecting weaker parties in the context of contracts of adhesion) should not be interfered with by the Model Law regulations.

32 The United Nations Commission on International Trade Law was established by General Assembly Resolution 2205 (XXI) of 17 December 1966, web site: www.uncitral.org
33 Web site: www.oecd.org.
34 Available at http://www.uncitral.org/en-index.htm.
35 See Article 1.
36 See “Guide to Enactment of the UNCITRAL Model Law on Electronic Commerce (1996)”, contained in Model Law (Objectives No. 5).
37 Article 5 of the Model Law states: “Information shall not be denied legal effect, validity or enforceability solely on the grounds that it is in the form of a data message.”

2. ICC

In the 90s, the ICC, as the world’s foremost developer of self-regulatory codes of ethical conduct for advertising and marketing practices, recognized that advertising and marketing in the interactive media were at an early stage of development and thus acknowledged that the relevant principles and guidelines had to change and evolve as we learn more about the new technologies and their specific uses. In 1996, the ICC released “Guidelines on Advertising and Marketing on the Internet”. These guidelines were meant to serve as a recommendation and, in light of experience acquired, the ICC presented hereafter an updated version of the 1996 Guidelines due to new developments in this area in 1998.38 Those guidelines apply to all marketing and advertising activities on the Internet for the promotion of any form of goods or services. They set standards of ethical conduct to be observed by all involved with advertising and marketing activities on the Internet. The ICC recommends the worldwide promulgation of the guidelines below, which intend to fulfil the following objectives:

• to enhance the confidence of the public at large in advertising and marketing provided over the new interactive systems;

• to safeguard an optimum of freedom of expression for advertisers and marketers;

• to minimize the need for governmental and/or inter-governmental legislation or regulations; and

• to meet reasonable consumer privacy expectations.

In particular, the guidelines consist of 7 Articles, which provide for basic principles such as legal and fair practice, and for different kinds of rules. Besides other issues, those Articles include:

• the disclosure of identity;

• complete disclosure of costs and responsibilities associated with electronic sales and marketing;

• user’s rights, especially personal data protection, such as data collection and data use, data privacy, disclosure of data, correction and blocking of data, private policy statements and unsolicited commercial messages.

38 Available at http://www.iccwbo.org/home/statements_rules/rules/1998/internet_guidelines.asp.

3. OECD

The OECD’s Committee on Consumer Policy represents the main forum for regulation of e-commerce at global level. It should be noted that electronic commerce is a central element in the OECD’s vision of the potential that our networked world holds for sustainable economic growth. The OECD produced important papers concerning e-commerce. The most significant are the “OECD Action Plan for Electronic Commerce”,39 which attaches particular importance to OECD work in the areas of privacy, authentication, consumer protection, taxation, and secondly the “Guidelines for Consumer Protection in the Context of Electronic Commerce”,40 which apply only to business-to-consumer electronic commerce, and not to business-to-business transactions. The guidelines are designed to help ensure that consumers are no less protected when shopping on line than when they buy from their local store or order from a catalogue. They are intended to help eliminate some of the uncertainties that both consumers and business encounter when buying and selling online. The Guidelines reflect existing legal protection available to consumers in more traditional forms of commerce. Indeed, consumer protection is probably the most important issue in the context of e-commerce. The inherently international nature of e-commerce and the global network environment (i.e. the Internet) challenge the abilities of each country or jurisdiction to adequately address consumer protection. Therefore international consultation and co-operation is necessary in order to address this issue more effectively and to avoid national policies impeding the growth of e-commerce.

39 The OECD Action Plan for Electronic Commerce was endorsed by Ministers at the OECD Ministerial Conference, “A Borderless World: Realising the Potential of Global Electronic Commerce”, held on 7-9 October 1998 in Ottawa, Canada; available at http://www.olis.oecd.org/olis/1998doc.nsf/linkto/sg-ec(98)9-final.
40 The Guidelines for Consumer Protection in the Context of Electronic Commerce, approved on 9 December 1999 by the OECD Council, available at www.oecd.org.

The OECD Guidelines are technology-neutral, encourage private sector initiatives, and emphasise the need for co-operation among governments, businesses and consumers. Their aim is to basically encourage:

• fair business;

• clear information about an online business’s identity;

• a transparent process for the confirmation of transactions;

• fair and affordable dispute resolution and redress;

• consumer and business education; and

• privacy protection.

III. European Approach on e-Consumer Protection

“Europe is well placed to capitalise on the global business opportunities now opening up. The completion of the Single Market, the development of Europe’s know-how and skills, and the introduction of the EURO create the strengths for the European economy and European Business to be at the forefront of the emerging global electronic marketplace. The challenge is to promote widespread adoption of electronic commerce as an integral part of the European way of doing business”.41 In order to improve and support the growth of the electronic market the European Union had to build trust and confidence among businesses on one hand, and most importantly among consumers on the other hand. This is not an easy task and can only be established by promoting a consistent harmonized legal framework that builds up security and certainty between business partners. In order to allow e-commerce participants to reap the full benefits of the digitalized market, it is essential to avoid regulatory inconsistencies and to ensure a coherent legal and regulatory framework for electronic commerce at European Union level. Only a uniform and harmonized legislation in Europe is able to support and foster the development of the electronic economy.

41 Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions COM(97)157, para. 3; available at http://www.cordis.lu/esprit/src/ecomcom0.htm.

Therefore, the European Union took the international proposals into consideration and enacted various directives. For the purpose of this paper, the most important legislative initiatives42 affecting e-commerce are the following:

• the “Distance Selling Directive”43;

• the “E-Commerce Directive”44;

• the Data Protection Directives.45

1. Directive 97/7/EC on Distance Selling Contracts

Not only chronologically but also as far as its significance is concerned it is reasonable to begin and outline the Directive 97/7/EC on ‘the protection of consumers in respect of distance contracts’. This Directive is one of the most important and severe European legal initiatives concerning consumer protection and it applies only to business to consumer (B2C) transactions. The initiative of the ‘Distance Selling Directive’ stems from a period in which the Internet already existed, but the first WWW-browser (Mosaic) had not appeared yet, let alone that there was any commerce on the Internet. However, during the drafting of this directive the WWW was launched, and even before the ‘Distance Selling Directive’ was published in its final form, the first commerce on the Internet had begun. It goes without saying that Internet commerce is an example of distance selling. Since this text focuses on business-consumer electronic commerce, and the ‘Distance Selling Directive’ deals with consumer protection, it needs to be discussed in some detail here. The definition of a consumer is rather wide and includes every natural person who is consuming or purchasing goods and services on a private basis for private use. According to Article 2(1) ‘consumer’ means

• any natural person who, in contracts covered by this Directive, is acting for purposes which are outside his trade, business or profession;

whereas the supplier is defined as

• “any natural or legal person who, in contracts covered by this Directive, is acting in his commercial or professional capacity.”

42 There are other initiatives at European level related to e-commerce, namely: the “E-Signature Directive” (Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic Signatures); the “EU Database Protection Directive” (Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases – see Official Journal of the EC of 27th March 1996, no. L77); “E money Directive” (Directive 2000/46/EC of the European Parliament of 18 September 2000 on the taking up, pursuit of and prudential supervision of the business of electronic money institutions), and the “Electronic Payments Recommendation”.
43 Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts.
44 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.
45 Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

According to Article 15 of the Directive, Member States have to implement this Directive “no later than three years after it enters into force.” As shown further down, Germany implemented this Directive in 2000 by enacting the “Fernabsatzgesetz”46 as well as by adding new provisions to the “Bürgerliches Gesetzbuch”47.

a. Scope of the Directive

The Directive obviously applies to the internet and has therefore particular relevance for e-commerce. Its object is “to approximate the laws, regulations and administrative provisions of the Member States concerning distance contracts between consumers and suppliers.”48 In order to protect consumers some Member States have already taken different (or diverging) measures with respect to distance selling and this diversion has had a detrimental effect on competition between businesses in the internal market; therefore, as underlined in recital 4 of the Directive, it is thought necessary to introduce at Community level a minimum set of common rules in this area. The Directive 97/7/EC applies to all forms of distance selling contracts between consumers and suppliers. According to Article 2(1) of the Directive ‘distance contract’ means

• “any contract concerning goods or services concluded between a supplier and a consumer under an organized distance sales or service-provision scheme run by the supplier, who, for the purpose of the contract, makes exclusive use of one or more means of distance communication up to and including the moment at which the contract is concluded”.

The Directive only applies to contracts that have been concluded in an organized manner.49 The regulations do not apply if a business does not normally sell to consumers via means of distance communication, for instance in response to letters, fax, phone calls, emails etc., and if the business does not operate an interactive shopping web site. In case a business sells goods to a consumer as an exemption on request via distance communication means but normally does not do so, it does not have to comply with the regulations. However, if the business regularly handles one-off requests and is organized to deal with these kinds of requests (i.e. by mail order facility), it has to make sure to fulfil the regulations of the Directive.50 The supplier has to make exclusive use of one or more means of distance communications. To comply with this prerequisite there must not be any face-to-face contact with a representative of the supplier or someone acting indirectly on the supplier’s behalf, such as in a showroom or a door-to-door salesman.51 More than one means may be used. ‘Means of distance communication’ means according to Article 2(1) of the Directive

• “any means which, without the simultaneous physical presence of the supplier and the consumer, may be used for the conclusion of a contract between those parties. An indicative list of the means covered by this Directive is contained in Annex I.”52

46 Distance Selling Act, that came into force on 30 June 2000.
47 German Civil Code, the new sections were §§ 13, 14, 361a, 361b BGB. Amongst other things the new sections legally define the terms "Consumer" and "Supplier" and regulate the consumer’s right to rescind from consumer contracts. Accordingly, the Act does not apply to contracts between professionals, even if they were concluded in distance business.
48 See Article 1.
49 See the definition of ‘distance contract’ in Article 2(1).

The introduction of new technologies increases the number of ways for consumers to obtain information about offers and to place orders anywhere in the Community. Therefore, the intention of this directive is to cover a wide scope of (distance) contracts, as stated in recital 9 of the directive “…the constant development of these means of communication does not allow an exhaustive list to be compiled but does require principles to be defined which are valid even for those which are not as yet in widespread use.”53

b. Suppliers Obligation and Consumer Protection Rights

The Directive introduces a variety of obligations the supplier has to meet in order to sell goods and services using distance selling contracts. Consequently, there are consumer rights manifested that emerge if the supplier fails to fulfil these obligations.

50 “Distance Selling Regulations (Summary)” available at http://www.consumer.gov.uk/ccp/topics1/guide/distsell.htm.
51 Ibid.
52 Annex I contains a list of means of communications covered by this definition such as: unaddressed printed matter, addressed printed matter, standard letter, press advertising with order form, catalogue, telephone with human intervention, telephone without human intervention (automatic calling machine, audiotext), radio, videophone (telephone with screen), videotext (microcomputer and television screen) with keyboard or touch screen, electronic mail, facsimile machine (fax), television (teleshopping).
53 Thus, the list stated in Annex I of the directive is not exhaustive.

(i) Prior Information (Article 4)

According to Article 4 of the Directive the supplier must provide the consumer clearly and comprehensibly with certain basic information before a distance contract is concluded. This information includes:

a) the supplier’s name and address;
b) the description of the significant characteristics and features of the goods and services the supplier is offering;
c) the price of the goods and services including all taxes;
d) the delivery costs, where they apply;
e) the arrangements for payment, delivery and performance;
f) the right of withdrawal according to Article 6 of the Directive;
g) the costs for means of communication if they are other than the basic rate;
h) how long the offer and the price remain valid; and
i) the minimum duration of the contract in the case of contracts for the supply of products or services to be performed permanently and recurrently.

(ii) Written Confirmation of Information (Article 5)

Article 5 of the Directive requires that the consumer receives written confirmation about the information a) – f) referred to above. Additionally and in any case the consumer must be provided with the following information:

• written information on the conditions and procedures for exercising the right of withdrawal, within the meaning of Article 6, including the cases referred to in the first indent of Article 6(3);

• the supplier’s address to which the consumer may address any complaints;

• information on after-sales services and guarantees which exist;

• when to cancel a contract of unspecified duration or a duration exceeding one year.

This confirmation of information may also be received by the consumer in another durable medium available and accessible to him other than written.54 The information can be provided before or after the purchase, but must be provided in good time during the performance of the contract and at the latest at the time of delivery.

(iii) Right of Withdrawal (Article 6)

One of the most important provisions given by the Directive is the right of withdrawal described in Article 6. Recital 14 of the Directive suggests that this is necessary as the consumer is unable to see the product or ascertain the nature of the service provided before concluding the contract. The consumer shall then have a period of at least seven working days in which he may cancel the contract without penalty and without giving any reason for the withdrawal. The only charge that may be made to the consumer is the direct cost of returning the goods. Since this seven working day period is a minimum, the Member States are allowed to extend this period in their legislation. In the case of purchasing goods the seven day period begins from the day the consumer receives the goods. In case of services the period begins the day the contract was concluded or, if the supplier’s obligations manifested in Article 5 of this Directive are fulfilled after the conclusion of the contract, the day these obligations are fulfilled. If the supplier fails to fulfil his obligations as laid down in Article 5 of this Directive at all, the period shall be three months; beginning the day the goods were received by the consumer or in the case of services, the day of contract conclusion. If the supplier fulfils these obligations within the three-month period, the seven working day period of withdrawal begins at the moment of fulfilment. In case the consumer exercises his right of withdrawal the supplier is obliged to reimburse the money paid by the consumer free of charge. The only charge that may be imposed to the consumer is the cost of returning the goods. In respect of the following contracts there shall be no right of withdrawal unless agrees otherwise between the supplier and the consumer:

54 Article 5 is, for the purposes of Electronic Commerce, a little ambiguous. First it states that the consumer must receive written confirmation or confirmation of the information described in Article 4(1) (a) to (f) in another durable medium, at the latest at the time of delivery of the good. So the demand for the information to be in writing is also met if this information is available and accessible to the consumer in any other durable medium (e.g. a Web-page). However, further on in this Article an alternative to written information is not mentioned where information about the right of withdrawal is concerned: "written information on the conditions and procedures for exercising the right of withdrawal". The German implementation of this Directive resolves this ambiguity, see footnote 134.

• “for the provision of services if performance has begun, with the consumer's agreement, before the end of the seven working day period referred to in paragraph (1);
• for the supply of goods or services the price of which is dependent on fluctuations in the financial market which cannot be controlled by the supplier;
• for the supply of goods made to the consumer's specifications or clearly personalized or which, by reason of their nature, cannot be returned or are liable to deteriorate or expire rapidly;
• for the supply of audio or video recordings or computer software which were unsealed by the consumer,
• for the supply of newspapers, periodicals and magazines,
• for gaming and lottery services.”55

c. Performance and Binding Nature

The time for the supplier to perform is rather long, namely 30 days (Article 7 of the Directive). However, this is a maximum, so here Member States are allowed to define a shorter period in their legislation.

Concerning both consumer protection and the law applicable to contractual obligations, Article 12 of the Directive has an important role to play. According to this Article the consumer may not waive the right conferred on him by the transposition of the Directive into national law. Furthermore, Member States shall take the measures needed to ensure that the consumer does not lose the protection granted by the Directive by virtue of the choice of law of a non-member country as the law applicable to the contract if the latter has a close connection with the territory of one or more Member States. The issue of “choice of law” is not settled by the Directive, but by the Rome Convention of 1980, setting the applicable law as that of the consumer’s habitual residence.

d. Exemptions from the Scope of the Directive

As a result of some lobby interests and due to the nature of some contracts, Article 3 provides exemptions from the scope of the Directive. The regulations of this Directive shall not apply to the following contracts:

55 See Article 6(3) of the Directive.

• contracts relating to financial services56;
• contracts concluded by means of automatic vending machines or automated commercial premises;
• contracts concluded with telecommunications operators through the use of public payphones;
• contracts concluded for the construction and sale of immovable property or relating to other immovable property rights, except for rental;
• contracts concluded at an auction.

Articles 4, 5, 6 and 7(1) of the Directive shall not apply:

• to contracts for the supply of foodstuffs, beverages or other goods intended for everyday consumption supplied to the home of the consumer, to his residence or to his workplace by regular roundsmen;
• to contracts for the provision of accommodation, transport, catering or leisure services, where the supplier undertakes, when the contract is concluded, to provide these services on a specific date or within a specific period; exceptionally, in the case of outdoor leisure events, the supplier can reserve the right not to apply Article 7(2) in specific circumstances.

56 There is a non-exhaustive list of certain financial services in Annex II of the Directive.

2. Directive 2000/31/EC on E-Commerce

On 18 November 1998, the Commission adopted a proposal for a European Parliament and Council Directive on certain legal aspects of electronic commerce in the Internal Market. The Parliament approved the proposal on 6 May 1999, subject to amendments. The Commission presented the amended proposal on 17 August 1999. Political agreement was reached in December 1999. The common position of the Council stems from February 28. Finally, the directive was completed on May 4 2000.

a. Objective and Scope of the Directive

The main purpose and goal of this Directive is to provide a legal infrastructure that supports the smooth functioning of the European internal market and to ensure that both businesses and consumers benefit from the fundamental EU principles of freedom of movement, freedom of establishment and freedom of services.57 The objective is also to ensure legal certainty and consumer confidence (recitals 11 and 55), which is of basic importance for the growth of e-commerce. The European Union tried to realize this in the Directive by regulating the following issues:

• establishment and information requirements;
• commercial communications;
• formation of online contracts;
• liability of intermediaries;
• codes of conduct;
• dispute resolution.

It may seem that the topics were randomly chosen, but they almost represent a life cycle of electronic commerce activities.58 First, a service provider establishes itself, then it will communicate commercially, and subsequently contracts will be concluded. While carrying out the contracts, liability of intermediaries may occur, and finally eventual disputes have to be resolved. Only the codes of conduct are not located in the right place in the Directive. A more logical place would have been before the commercial communications.

The scope of the ‘E-Commerce Directive’ is quite broad and it applies to service providers that run ‘Information Society Services’. The Directive covers all Information Society services, both business-to-business and business-to-consumer, and services provided free of charge to the recipient, e.g. funded by advertising or sponsorship revenue, and services allowing for on-line electronic transactions such as teleshopping of goods and services, and online shopping malls. The Directive only applies to service providers located inside the European Union. The crucial place of business is the place where a company providing an internet website pursues its economic activity, not the place at which the website supporting technology is located, nor the place at which the website is accessible.59 The criteria are worked out in Article 2(c) that defines the term ‘established service provider’ as

• “a service provider who effectively pursues an economic activity using a fixed establishment for an indefinite period. The presence and use of the technical means and technologies required to provide the service do not, in themselves, constitute an establishment of the provider."

57 Article 1(1) of the Directive states: “This Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.”
58 Lodder, “Legal Aspects of Electronic Commerce”, p. 20; available at http://www.rechten.vu.nl/~lodder/enlist/ec.pdf.
59 See recital 19 that states: "The place at which a service provider is established should be determined in conformity with the case-law of the Court of Justice according to which the concept of establishment involves the actual pursuit of an economic activity through a fixed establishment for an indefinite period; this requirement is also fulfilled where a company is constituted for a given period; the place of establishment of a company providing services via an Internet website is not the place at which the technology supporting its website is located or the place at which its website is accessible but the place where it pursues its economic activity (...)."

The Directive specifies that, in view of the global dimension of electronic commerce, it is appropriate to ensure that the Community rules are consistent with international rules. Therefore, the E-Commerce Directive is without prejudice to the result of discussions within international organisations (e.g. WTO, OECD and UNCITRAL).

The definition in Article 2(a) of "Information Society Services" (any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services) that was used in the original proposal was deleted in the amended proposal and replaced by a reference to the definition in Article 1(2) of the Directive 98/34/EC of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations as amended by Directive 98/48/EC of 20 July 1998. The other definitions in Article 2 of the Directive include

"service provider":

• “any natural or legal person providing an Information Society service”;

"recipient of the service":

• “any natural or legal person who, for professional ends or otherwise, uses an Information Society service, in particular for the purposes of seeking information or making it accessible”.

In the amended proposal the definition of consumer is the same as in Directive 97/7/EC:

• “any natural person who is acting for purposes which are outside his or her trade, business or profession.”

According to Article 4 Member States may not impose special authorization schemes for Information Society Services. An authorization is allowed only where it is also required for the same services provided by other means. For example, a license to sell alcohol is also required in an electronic environment.

b. Information Requirements

Notwithstanding information requirements established by other Community law60, this Directive establishes further information obligations. Unlike the ‘Distance Selling Directive’61, those obligations must be met not only by service providers who are selling goods and services (and therefore concluding contracts) but also by those service providers who simply supply recipients with information.

(i) General Information (Article 5)

Article 5(1) of the Directive requires service providers to provide recipients with the following information in an easily, directly and permanently accessible way:

• their name;
• geographic address of establishment;
• details of the provider including email address which allows recipients to contact the service provider rapidly and in an effective manner;
• trade register number;
• if appropriate, the relevant supervisory authority;
• if appropriate, the details of a regulated profession (registration with professional body or institution, title, applicable rules)62;
• if appropriate, VAT identification number.

According to Article 5(2) of the Directive service providers must also indicate prices “clearly and unambiguously and, in particular, [service providers] must indicate whether [the prices] are inclusive of tax and delivery costs”.

60 Such as the ‘Distance Selling Directive’ 97/7/EC.
61 97/7/EC.
62 In Germany, for instance, attorneys have to give the details of the ‘chamber of attorney’ and in which geographical district they are registered.

(ii) Commercial Communications (Article 6 and 7)

Commercial communications such as advertising and direct marketing are important for any company. In the off-line world it costs a lot of effort and money to advertise. In an electronic environment, on the other hand, commercial communications can be made almost for free and the group of possible customers that can be reached is almost infinite. If a consumer who wants to read his email also has to download a bulk of commercial communications, this costs him a lot of extra money for services he never asked for. In order to diminish this inconvenience for consumers, Article 6 of the Directive requires the service provider to clearly identify commercial communications that are part of, or constitute, their information society service (paragraph (a)), also to clearly identify on whose behalf the commercial communication is made (paragraph (b)) as well as promotional offers (paragraph (c)) and promotional competitions or games (paragraph (d)).

Article 7 deals with unsolicited communications by electronic mail (‘Spam’). These communications should be identifiable clearly and unambiguously as such (paragraph (1)). Paragraph (2) obliges service providers to regularly contact “opt-out registers in which natural persons not wishing to receive such commercial communications can register themselves.” A problem with opt-out registers is that if a company is not a member of the organization that manages the register, registering does not stop direct mails of these companies. Therefore the Directive leaves the possibility open for Member States to forbid unsolicited commercial communications. If Member States, however, allow unsolicited commercial communications, they should ensure that the service providers consult regularly and respect the opt-out registers.63 Because the state has supervision over such a register, in principle all companies should consult this register. Although an explicit duty to create such an opt-out register does not exist, the Member States have an indirect duty to create such a register.64

(iii) Online Contracts (Article 10)

Article 10(1) of the Directive lists the following information that the service provider must provide before a contract is concluded:

• the different technical steps to follow to conclude the contract;
• whether or not the concluded contract will be filed by the service provider and whether it will be accessible;
• the technical means for identifying and correcting input errors prior to the placing of the order;
• the languages offered for the conclusion of the contract.

63 See recital 31.
64 Lodder, Legal Aspects of Electronic Commerce, page 23; available at http://www.rechten.vu.nl/~lodder/enlist/ec.pdf.

At this moment not so many sites offer more than one language to conclude a contract. Maybe this will change in the course of time, especially if the translation into another language can be performed automatically by software. Article 10(2) of the Directive requires the service provider to indicate relevant codes of conduct to which he subscribes and to inform the consumer on how to access the code electronically. If a service provider uses terms and conditions he must provide them to the recipient according to Article 10(3) in a way the recipient can store and reproduce them. Article 10(4) indicates that paragraphs (1) and (2) do not apply to contracts that were concluded exclusively by exchange of electronic mail or by equivalent communications.65 An interesting question for the future will be whether an email offering a service or good, and containing a 'buy now' button, falls under the scope of Article 10(4) or not.

Article 11 lays down some principles related to the placing of an order.66 Article 11(1) states: "Member States shall ensure, except when otherwise agreed by parties who are not consumers, that in cases where the recipient of the service places his order through technological means, the following principles apply". The first principle (first indent) obliges the service provider to acknowledge the receipt of the recipient’s order without undue delay by electronic means. The second one is also contained in the UNCITRAL Model Law on e-commerce and determines that the order and the acknowledgement of receipt are deemed to be received when they are accessible by the parties. Article 11(2) is about technical means to identify and correct input errors. Since the moment the contract is concluded is no longer determined, it depends on the way in which the directive is implemented whether the objections expressed above about the concluding of unwanted contracts are still in place. The Member States can determine at what moment the contract is concluded. If they decide, for example, that like in the off-line world mere offer and acceptance suffice to conclude a contract, the opportunity to correct input errors is only of value if corrections within a reasonable period of time can lead to a change in the contract or annulling of the contract. Article 11(3) is about individual communications.67 “Paragraph 1, first indent, and paragraph 2 shall not apply to contracts concluded exclusively by exchange of electronic mail or by equivalent individual communications."

65 See Article 10(4).
66 See heading “Placing of the order”.

3. Directive 95/46/EC on Personal Data Protection

The main objective of the Directive 95/46/EC is to protect “the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”68 The Directive also acknowledges that data privacy and protection is an international matter. Any company that operates on an international level and engages in (international) e-commerce or receives personal data across borders should undertake a comprehensive review of applicable privacy regulations. Therefore the Directive requires the Member States to prohibit the transfer of personal data to non-Member States that do not meet the European Union standards for “adequate”69 privacy protection.70

a. Scope of the Directive

The Directive applies to the processing of personal data by automatic means, where ‘personal data’ means

• “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”

and where ‘processing of personal data (processing)’ means

• “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”71

67 Just like Article 10(4) of the Directive.
68 See Article 1.
69 See Article 25.
70 In order to prevent the stagnation of trans-Atlantic transfer of information the U.S. Department of Commerce negotiated the Safe Harbor agreement with the European Commission. Eligible U.S. companies may certify to the Department of Commerce that they are willing to comply with the Safe Harbor principles. EU Member States are precluded from cutting off personal data flows to those companies. For details, see: http://www.export.gov/safeharbor/SafeharborDocuments.htm.

b. Principles of the Directive relating to Data Quality

The Directive prescribes five principles relating to data quality. According to Article 6 Member States must ensure that personal data is:

a) processed fairly and lawfully;
b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; and
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

c. Legitimate Data Processing

Article 7 provides circumstances under which the processing of personal data is legitimate. According to this provision personal data may be processed only if

a) the data subject has unambiguously given his consent72; or
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
c) processing is necessary for compliance with a legal obligation to which the controller73 is subject; or
d) processing is necessary in order to protect the vital interests of the data subject; or
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party74 to whom the data are disclosed; or
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).

71 See Articles 2 and 3.
72 ‘The data subject's consent’ means any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed, Article 2.

4. Directive 2002/58/EC on Privacy and Electronic Communications

Directive 2002/58/EC basically harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data. Moreover the provisions of this Directive “particularise and complement Directive 95/46/EC, and they provide for protection of the legitimate interests of subscribers who are legal persons.”75 The Directive applies to the processing of personal data related to electronic communication services that are available in public communication networks (e.g. internet) in the Community.76 This Directive is very much connected with the Directive 95/46/EC on Data Protection and therefore its definitions also apply to Directive 2002/58/EC. The Directive provides a variety of obligations to be followed by the provider of a publicly available electronic communications service. The relevant obligations for the purpose of this paper are the following.

73 ‘Controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.
74 ‘Third party’ means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
75 See Article 1.
76 See Article 3.

a. Network security (Article 4)

Article 4 requires providers to guarantee the security of the networks and services they provide. The provider must take appropriate technical and organisational steps to safeguard his services. The level of security should be appropriate in view of the risks. If for some reason it is not possible for providers to guarantee the security of their network or service, they must inform the users of the risks they run and give them advice on measures they can take to secure their communications, for instance by using encryption.

b. Confidentiality of Communication (Article 5)

The secrecy of correspondence has protected the content of letters against prying eyes ever since the transportation of such letters was confided to public postal services. According to Article 5(1), the provider must ensure the confidentiality of communications and the related ‘traffic data’.77 His obligation is to prohibit “listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1).”

Personal computers and sophisticated mobile phones with extensive storage capacity and open software offer the users many new possibilities for communications over public networks. However, they also offer third parties many new possibilities to gain access to information stored on this terminal equipment or even to install or store their own information or programs on other people’s PCs (e.g. cookies). The purposes of such invisible forms of intrusion vary from intentional destruction of files and programs (e.g. viruses) to theft of information, verification of copyright infringements, profiling for marketing, checking of access permission for restricted services or recording user preferences. Some of these purposes are perfectly harmless or even useful for the user, while other objectives are very harmful and threatening. A major concern in all cases is that users are very often not aware of the fact that others can gain access to their PCs and store information or programs on them, so they have no means to control, let alone stop, such activities.

To remedy this problem, Article 5(3) requires that gaining access to or storing information on a user’s terminal equipment (a PC, mobile phone or other device) is only allowed if the user is given clear information about the purpose of any such invisible activities and is offered the right to refuse it. This will enable the user to decide which forms of access to his equipment are acceptable and which are not. The new provision will not only apply to so-called spyware (hidden espionage programs) and Trojan horses (programs hidden in messages or in other innocent looking programs) but also to ‘cookies’ (tracking devices which register users’ preferences as they visit websites).

77 ‘Traffic data’ means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof; see Article 2(b).

c. Traffic Data (Article 6)

Article 6 also refers to traffic data. As we make phone calls, send e-mails or SMS messages, data trails are generated within the public networks that we use for these communications. These data are necessary to ensure that our messages or calls reach their destination even across various networks. Traffic data may consist of data referring to routing, duration, volume or time of a communication, to the protocol used, to the location of the terminal equipment of the sender and the recipient, to the originating and terminating networks over which the communication travels, to the beginning, end or duration of a connection, of telephone numbers, e-mail addresses, and website addresses. While traffic data are necessary for the provision of communication services, they are also very sensitive data. They can give a complete picture of a person’s contacts, habits, interests, activities and whereabouts. In short, they can describe a large part of the life you lead and of the person you are, and all this would be done with increasing detail as more and more of our daily activities are conducted on-line. This kind of data must be erased or made anonymous when no longer needed for its purpose. The data for billing and interconnection payment may be processed but only “up to the end of the period during which the bill may lawfully be challenged or payment pursued.”78 Traffic data may be processed for marketing reasons with the consent of the user.79

d. Location Data (Article 9)

Article 9 refers to ‘location data’ other than ‘traffic data’.80 Data that indicate where the terminal equipment of a user is geographically located are called location data. They may be very broad, e.g. only indicating in which area the user is, or very precise, pinpointing the user’s whereabouts up to a few meters exactly. Some location data are a subset of traffic data, meaning that they are necessary for the transmission of a communication or for setting up a connection, and are also treated as traffic data under the Privacy and Electronic Communications Directive. Location data, especially if they are very precise, can be used for the provision of services such as route guidance, location of stolen or missing property, tourist information, etc. Precise location data can also be useful for emergency services to be able to send assistance or rescue teams to mobile users in distress who may not always be able to describe where they are exactly. This kind of data may only be processed with the consent of the user or if the data is made anonymous. In this case the provider must inform the subscriber.81

78 See Article 6(2).
79 ‘User’ means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; see Article 2(a).
80 ‘Location data’ means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service; see Article 2(c).

e. Unsolicited Communications (Article 13)

Article 13(1) of the Directive requires Member States to prohibit the sending of unsolicited commercial communications by fax or e-mail or other electronic messaging systems such as SMS and MMS unless the prior consent of the addressee has been obtained (opt-in system).82 The only exception to this rule is in cases where contact details for sending e-mail or SMS messages (but not faxes) have been obtained in the context of a sale. Within such an existing customer relationship the company who obtained the data may use them for the marketing of similar products or services as those it has already sold to the customer. Nevertheless, even then the company has to make clear from the first time of collecting the data that they may be used for direct marketing and should offer the right to object. Moreover, each subsequent marketing message should include an easy way for the customer to stop further messages (opt-out). The opt-in system is mandatory for any e-mail, SMS or fax addressed to natural persons for direct marketing. It is optional with regard to legal persons. For the latter category Member States may choose between an opt-in or an opt-out system. For all categories of addressees, legal and natural persons, Article 13(4) of the Directive prohibits direct marketing messages by e-mail or SMS which conceal or disguise the identity of the sender and which do not include a valid address to which recipients can send a request to cease such messages. For voice telephony marketing calls, other than by automated machines, Member States may also choose between an opt-in or an opt-out approach.

81 See Article 9.
82 This regulation seems to be contrary to Article 7(2) of Directive 2000/31/EC where an opt-out method is permitted. Recital 45 of Directive 2002/58/EC leaves the possibility of setting up opt-out registers to the Member States and refers to the applicability of Article 7 of Directive 2000/31/EC in such cases.

IV. E-Commerce and related Legislation in Germany

As shown in the introduction83, e-commerce in Germany is widespread and constantly growing and progressing. The necessary changes of the relevant national law to meet the European requirements as well as to fit the technical developments, have caused augmented activities of the German legislator during the last years. Germany has already implemented most of the above illustrated regulations into national legislation84 except for the regulations on unsolicited communication of the Directive 2002/58/EC on privacy and electronic communications85. Directive 2002/58/EC had to be implemented by the Member States by 31 October 2003. Germany intends to implement these regulations within the new amendment of the “Act against unfair Competition” (Gesetz gegen den unlauteren Wettbewerb (UWG)),86 which is expected to be passed within the first half of 2004. The present UWG does not contain the possibility of direct action of the consumer against ‘Spam’. Only competitors of the ‘spamming’ businesses, consumer protection agencies87 and competition head offices88 are able to take legal action. Last year’s new proposal of the UWG did not contain any changes concerning who is entitled to take legal action. This led to intense criticism of the new outline. The European Union already started a procedure for breach of contract according to the “Treaty establishing the European Community” against Germany.89 The regulation of teleservices and mediaservices in connection with data protection began even before the European Data Protection Directives were introduced, when the “Federal Act Establishing the General Conditions for Information and Communication Services - Information and Communication Services Act“ (Informations- und Kommunikationsdienste-Gesetz (IuKDG)) came into force on 1 August 1997. This package of legislation enacted among other legislation, the “Act on the Utilization of

83 See chapter I.5, “Facts and Statistics”, p. 8.
84 English versions of most of the following illustrated Acts and legislation are available at http://www.iuscomp.org/gla/statutes/statutes.htm.
85 Article 13 of Directive 2002/58/EC.
86 The translations of German legislation used in this paper are not official translations.
87 “Verbraucherschutzverbände” according to § 13 UWG.
88 “Wettbewerbszentralen” according to § 13 UWG.
89 As well as against Belgium, Greece, France, Luxemburg, the Netherlands, Portugal, Finland and Sweden.

Teleservices - Teleservices Act” (Teledienstegesetz (TDG))90 and the “Act on the Protection of Personal Data Used in Teleservices - Teleservices Data Protection Act” (Teledienstedatenschutzgesetz (TDDSG)).91 The design of a new regulatory framework for the Internet economy and e-commerce started with the "Act on Distance Selling" (Gesetz über Fernabsatzverträge und andere Fragen des Verbraucherrechts sowie zur Umstellung von Vorschriften auf den Euro (FernabsatzG)), which became effective on 30 June 2000 and implemented Directive 97/7/EC on Distance Selling Contracts92. The "Act to adapt the formal Requirements of Private Law and other Provisions to Modern Business Transactions" (Gesetz zur Anpassung der Formvorschriften des Privatrechts und anderer Vorschriften an den modernen Rechtsgeschäftsverkehr) passed the chambers of the parliament and became effective 1 August 2001. This ensured the legal recognition of data messages.93 Further on, another important piece of legislation was released containing the core provisions of the new framework. This was the "Act on Framework Conditions for Electronic Business" (Gesetz über rechtliche Rahmenbedingungen für den elektronischen Geschäftsverkehr - Elektronischer Geschäftsverkehr-Gesetz (EEG)), which implemented the E-Commerce Directive 2000/31/EC together with the revised “State Treaty on Media Services” (Mediendienstestaatsvertrag (MdStV)). The EEG came into force on 21 December 2001 and amended the TDG and the TDDSG as well as the German “Code of Civil Procedure” (Zivilprozessordnung (ZPO)). Finally, by releasing the “Act to Modernize the Law of Obligations” (Schuldrechtsmodernisierungsgesetz) the provisions of the FernabsatzG were incorporated into the German “Civil Code” (Bürgerliches Gesetzbuch (BGB)).94 The Schuldrechtsmodernisierungsgesetz entered into force on 1 January 2002.
In addition, the German legislator ‘outsourced’ information obligations by releasing the “Ordinance on Civil Code-Information Obligations” (BGB-Informationspflichten-Verordnung (BGBInfoV))95 where all the information to be provided relating to distance contracts is listed.

90 Entered into force on 22 July 1997.
91 Entered into force on 22 July 1997 and amended by the "Act on Framework Conditions for Electronic Business" (Gesetz über rechtliche Rahmenbedingungen für den elektronischen Geschäftsverkehr - Elektronischer Geschäftsverkehr-Gesetz (EEG)) in 2002.
92 New provisions were also implemented to the German Code Civil (Bürgerliches Gesetzbuch (BGB)) such as §§ 13, 14, 361a, 361b.
93 This Act implemented among other provisions the new sections §§ 126a, 126b to the Code Civil (“Bürgerliches Gesetzbuch” (BGB)).
94 Relevant in this context §§ 312b-d Code Civil (BGB) and also implemented Article 10(f) of the E-Commerce Directive 2000/31/EC by codifying a service provider’s obligations in § 312e Code Civil (BGB).
95 Relevant in this context §§ 1, 3 BGB-InfoV.

In the following it will be necessary to take a look at all these regulations. With a view to the relevant provisions of the ECT Act (Chapters VII and VIII), the focus will be put on regulations that are related to online-shops, that is, the selling of goods and services via the internet.

1. Tele- and Mediaservices

German legislation divides service providers into two categories. There are teleservices on one hand and mediaservices on the other. To the former services the TDG96 is applicable and the latter services fall under the scope of the MdStV.97 Both pieces of legislation contain provisions that oblige either teleservices or mediaservices to provide the user with certain identification information irrespective of whether they offer goods or services. The crucial provisions are found in § 6 TDG for teleservices and § 10 MdStV for mediaservices. The difference between such services is marginal and the legal distinction difficult for the appropriate classification of contents in the WWW. The evaluation of the scope of the TDG and MdStV is also very controversial in legal literature. Within this legislation, namely § 2 TDG, there are clues to the effect that teleservices rather serve the individual communication between supplier and user, and conversely, mediaservices are rather aimed at the general public.98 But if one looks at private homepages (e.g. self-portrayals of businesses), websites mostly seem to appear as mediaservices because they address an uncertain and indeterminable number of users and therefore the general public (except for intra- and extranets). Thus, a common way of distinguishing between tele- and mediaservices is to look at the appearance and the content of the website.99 If a service uses its websites more in a journalistic way, that is, to spread opinions and information, the service qualifies as a mediaservice. This is the case if services represent themselves as an electronic counterpart to conventional printed journals (e.g. electronic newspapers).100 The assessment is a matter of degree in each case and it is necessary to regard all circumstances.101 If the journalistic parts of a website dominate the service, the service falls under the scope of the MdStV and vice versa.

96 “Teleservice Act“.
97 “State Treaty on Media Services”.
98 Brunst, “Umsetzungsprobleme der Impressumspflicht bei Webangeboten”, MMR 2004, p. 8 (8).
99 Ibid.
100 Pappi, “Teledienste, Mediendienste und Rundfunk“, p. 161.
101 Brunst, MMR 2004, p. 8 (9).

Although it is insignificant for the qualification as a teleservice whether or not the service is run commercially or free of charge,102 § 2(2)(5) TDG states that services that are offering goods and services via the internet are teleservices and fall under the scope of the TDG. Since this paper is focussing on e-commerce and in particular online-shops, and since the information obligations within § 6 TDG and § 10 MdStV are nearly the same, the attention will be put on the former provision.

a. Information to be provided according to § 6 TDG

According to § 6 TDG providers of commercial teleservices must provide a variety of information concerning the provider’s identification in an easily recognizable, directly accessible, and constantly available way. Unlike the general qualification as a teleservice according to § 2 TDG, the applicability of the information obligation according to § 6 TDG requires a commercial teleservice. To interpret the feature ‘commercial’, the prevalent opinion falls back on the definition given in § 3(5) of the Telecommunication Act (Telekommunikationsgesetz (TKG)). There it is stated that commercial provision of telecommunications services

• means telecommunications offered on a sustained basis, including transmission line offers to third parties, with or without the intention to realise profits.

In many cases it might be difficult to draw the line between commercial websites and exclusively private websites. This is the reason why some authors approve a general information obligation for every website.103 Although such a demand supports legal certainty, it does however infringe the right of personality and privacy protection. A person must have the right to choose whether he wants his private data disclosed or not. Therefore the interpretation of § 6 TDG has to be restricted, which is appropriate when taking the consumer protective intention into account. Nevertheless when private homepages contain advertisements (e.g. commercial banners), these cases might be classified as being ‘commercial’ according to § 6 TDG.104

(i) How to provide the Information

The information must be provided to the consumer in an easily recognizable state. The evaluation of whether the information is easily recognizable, has to be made

102 Woitke, “Das „Wie“ der Anbieterkennzeichnung gemäß § 6 TDG“, NJW 2003, 871 (872).
103 Supra.
104 Brunst, MMR 2004, p. 8 (9).

from the perspective of an average service user without any special knowledge.105 The ‘surfer’ should literally be able to stumble over the provider’s identification. To comply with this obligation, the main navigation elements provided to the user are naturally of greatest relevance. A placing at the end of a page which allows scrolling is not easily recognizable and may not meet the obligation of § 6 TDG.106 According to a Higher Regional Court (Oberlandesgericht Hamburg) § 6 TDG even requires a screen resolution of 800x600 pixels.107 However, the court overlooks that the resolution does not depend on the screen or monitor but on the graphics card, which can be easily adapted in most cases.108 The details must be presented in an easily readable font size. The font colour must be of sufficient contrast to the background so as to stand out clearly. The choice of a standard font like Arial or Times New Roman guarantees easy readability. The usual name of the link under which the information is to be found is “Anbieterkennzeichnung” (meaning “identification of provider”) or “Impressum” (meaning “imprint”). Even the expression “Kontakt” (meaning “contact”) might be sufficient.109

The identification information must be directly accessible. This is not only the case in which all the information is recognizable at first sight on every webpage; a link suffices also. Consumer protection agencies110 initiated the “One and two click” requirement. According to this requirement one click to the identification information from the homepage (the starting or index page) is sufficient. From all other pages of a website the information must not be further away than two mouse clicks.111 Of course the identification information may not be hidden in general business terms and conditions or data protection explanations.112 However, this requirement is difficult to meet in cases of larger websites (e.g. websites of a university or larger enterprise with subdomains). Does the user suspect the home page merely under the main domain or also under the respective subdomains?

105 Bizer/Trosch, “Die Anbieterkennzeichnung im Internet.“, DuD 1999, 621 (624).
106 In this sense Strömer, “Online-Recht. Rechtsfragen im Internet“, chapter 5.1; these demands however, do not correspond with the modalities of the medium and are not technically realizable either: the html language underlying the website does not know any absolute dimensional size-information with respect to the screen mode, it is a page description language merely, see Brunst, MMR 2004, p. 8 (13).
107 OLG Hamburg, Beschluß vom 20.11.2002, 5 W 80/02, MMR 2003, p. 105.
108 The service provider could establish a pop up message, telling the user that the website is optimized for a higher resolution, which may cause a wrongful display of the website.
109 OLG München, Urteil v. 11.9.2003 – 29 U 2681/03, MMR 2004, p. 36; Brunst, MMR 2004, p. 8 (13).
110 “Convention about provider identification in the electronic commercial traffic with final consumers” (“Konvention zur Anbieterkennzeichnung im Elektronischen Geschäftsverkehr mit Endverbrauchern“), available at http://www.dmmv.de.
111 The Higher Regional Court in Munich also considered two clicks as sufficient, OLG München, Urteil v. 11.9.2003 – 29 U 2681/03, MMR 2004, p. 36.
112 District Court of Berlin, LG Berlin Urteil vom 17.9.2002 – 103 O 102/02, MMR 2003, p. 202; Woitke, NJW 2003, p. 871 (872).

A solution could be to put a link on every page that appears to the user as a portal or entry page, as well as on every initial, starting or index page of every head- and subdomain. This procedure is not only recommended from a legal point of view but also from practical considerations. If the user has only reached a fragment of a website (e.g. by using a search engine), he will delete the path behind the head- or subdomain in the browser line trying to reach the starting page.

Finally the identification information has to be constantly available. Generally, the information is constantly available if the “two-click”-requirement is met. Other techniques such as framing, graphics and flash applets must also be evaluated with regard to constant availability (e.g. sometimes it depends on the browser settings whether graphics can be illustrated or not). Therefore the information should be provided compatible to common browsers and their default settings.113 The safest way to provide the information is in ASCII-Text form.

(ii) What Information to provide

The following identification information has to be provided:

1. The name and address under which they are established; legal persons must identify their authorized representative.
   This information must contain the full address under which a consumer may take legal action against the provider in the event of a dispute. A P.O. box for instance is insufficient as an address. In case of doubt the provider must give the name and address of his head office or main place of business.114
2. Information that allows the user rapid and direct electronic contact.
   The provider must display his telephone and fax number as well as his email address.

The following information is self-explanatory:

3. the responsible supervisory agency where applicable;

113 Woitke, NJW 2003, p. 871 (873).
114 Hoenike/Hülsdunk, “Die Gestaltung von Fernabsatzangeboten im elektronischen Geschäftsverkehr nach neuem Recht - Gesetzesübergreifende Systematik und rechtliche Vorgaben vor Vertragsschluss“, MMR 2002, 415 (418).

4. the commercial register, register of associations, register of partnerships, or public register of cooperatives listing the provider, along with the corresponding registry number.
5. where applicable,115 information on
   a) the chamber to which the provider belongs;
   b) the legal designation of the profession and the country in which the occupational designation was issued;
   c) the designation of the professional regulations and how these may be accessed;
6. the turnover tax identification number under § 27a of the “Sales Tax Act” (Umsatzsteuergesetz (UStG)), if the provider has been assigned such a number.

b. Information to be provided according to § 10 MdStV

Mediaservices, commercial or not, have to provide the consumer with some of the information mentioned above, and with additional information according to § 10(3) MdStV. In particular, they always have to display the name and address under which they are established and if they are legal persons they must identify their authorized representative. In addition, they have to name a person (e.g. editor) who is responsible for the content of the journalistic service. There may just be one person responsible for the whole service, however, there may be different individuals accountable for the different columns of the service (e.g. sports, economy, politics). It is nonetheless important to name just one responsible person for each column with the individual’s corresponding address.116

115 To the extent that the teleservice, in the exercise of a profession as defined under Article 1 Letter d of Council Directive 89/48/EEC of December 21, 1988 on a General System for the Recognition of Higher-Education Diplomas Awarded on Completion of Professional Education and Training of at Least Three Years' Duration (Official Journal L 019, p. 16) or as defined in Article 1 Letter f of Council Directive 92/51/EEC of June 18, 1992 on a Second General System for the Recognition of Professional Education and Training to Supplement Directive 89/48/EEC (Official Journal L 209, p. 25) amended most recently by Commission Directive 97/38 EC of June 20, 1997 (Official Journal Nr. 184, p. 31), is offered or rendered.
116 Brunst, MMR 2004, p. 8 (8).

c. Further Information

According to § 6 TDG (and § 10(2) MdStV) further information obligations remain unaffected, especially those obligations that result from the “Act on Distance Selling”117.

2. Distance Selling Contracts (312b BGB)

§ 312b BGB (Civil Code) defines the scope of distance selling contracts. The provisions in § 312b (1), (2) and (3) BGB implement Article 2(1), (4) and (3) of the Directive 97/7/EC on Distance Selling Contracts. § 312b (1) BGB defines ‘distance contract’ and § 312b (2) BGB defines ‘means of distance communications’ similar to the Directive 97/7/EC on Distance Selling Contracts.118 § 312b (3) BGB lists the same exemptions from the scope of distance selling contracts as the Directive.119

a. Information to be provided (§ 312c BGB)

According to § 312c (1) BGB read together with § 1 BGB-InfoV120 the supplier has to provide the consumer with certain information in good time prior to the conclusion of a distance contract (pre-contractual information obligation). This information may be provided on a website.121 The information has to be given in any way appropriate to the means of distance communication used in a clear and comprehensible manner. This information must contain (§ 1 (1) BGB-InfoV):

1. the identity of the service provider;122
2. the provider’s address;123
3. main characteristics of goods or services as well as how and when the contract is concluded;
   This requires an extra description of the main characteristics of the performance; a description in standard terms and conditions is insufficient. The description must be detailed but clear to understand and concise.124 The supplier must also inform how

117 The Act on Distance Selling (Fernabsatzgesetz (FernabsatzG)) has been implemented to the German Civil Code (Bürgerliches Gesetzbuch (BGB)).
118 See chapter III.1.a, “Scope of the Directive”, p. 16.
119 See chapter III.1.d, “Exemptions from the Scope of the Directive”, p. 20.
120 “Ordinance of Civil Code-Information Obligations” (“BGB-Informationspflichten-Verordnung”).
121 Palandt, “Bürgerliches Gesetzbuch“, § 312c, no. 3.
122 See explanations about identification information (IV.1.a(ii) p. 38).
123 Supra.
124 Palandt, § 1 BGB-InfoV, no. 3.

and when the contract is concluded. This can be done by naming the action which leads from the supplier’s point of view to the conclusion of the contract (e.g. confirmation of the offer or delivery).125 If the contract is legally concluded earlier the objective legal position is decisive.126

4. minimum duration of the contract in the case of agreements for the supply of products or services to be performed on an ongoing basis or recurrently;
   This information must only be provided if the contract can only be ended by cancellation. In this case the period of notice has to be given as well.127
5. the reservation of providing a performance equal in quality and price (goods or service) and a reservation not to render the promised service in the case of its non-availability.128
6. the price of the goods or services including all taxes and other fees or costs;
7. the costs of transport if charged;
8. the details of payment, delivery and performance;
   The supplier must inform the consumer of the payment details, i.e. how and when, as well as when the delivery is taking place.
9. the existence of a right of withdrawal or return of goods;129
10. the costs for the consumer that arise by using means of telecommunication, should they exceed the expected common basis rates;130
11. the validity of temporary offers.

Further on, according to § 312c (2) BGB, the information under 1.- 9. has to be given to the consumer in ‘textual form’ within good time, at the latest by the completion of performance of the contract or, where goods are concerned, at the latest at the time of delivery to the consumer. The term ‘textual form’ is defined in § 126b BGB meaning a hard copy document or in any other manner that allows a durable reproduction of graphic characters. Therefore the display of this information on a website is usually

125 Supra.
126 Supra.
127 Palandt, § 1 BGB-InfoV, no. 4.
128 These reservations can only be part of the contract if they meet the provisions of §§ 307 – 309 BGB about the ‘Incorporation of standard business terms into the contract’, Palandt, ibid.
129 Details will be demonstrated later.
130 The term expected refers to the consumer. If the consumer is using the internet this could only occur if there is a dialer that charges extra fees.

not sufficient as it is not durable.131 A website can be changed by the supplier at any time and does not represent a reliable source of information for the consumer. The consumer must have the opportunity of saving or printing this information.132 This can be done by mail, fax, floppy discs, CD-Roms and email.133

According to § 312c (3) BGB the provider must provide the consumer with additional information. This subsection refers to subsection § 312c (2), meaning that this information has to be given in ‘textual form’ as well134 and it must contain according to § 1(3) BGB-InfoV:

1. information on the conditions, details and procedures for exercising the right of withdrawal, as well as its legal consequences and reasons for an exclusion of this right.
   This information must refer to the specific contract. The details of the right of withdrawal are illustrated in the next chapter. If the notice of withdrawal must be sent to a different address than the supplier’s address, this different address must be displayed.
2. The supplier’s address to which the consumer may address any complaints.
3. Information on after-sales services and guarantees which exist.
   The supplier must only provide detailed information on guarantees if they differ from the legal provisions.
4. When to cancel a contract of unspecified duration or a duration exceeding one year.
   The supplier must give the information under what circumstances a cancellation is valid and about the period of notice.

131 District Court of Kleve, LG Kleve, Urteil vom 22.11.2002, 5 S 90/02, NJW-RR 2003, 196.
132 Horn, “Verbraucherschutz bei Internetgeschäften”, MMR 2002, p. 209 (212); Hoenike/Hülsdunk, “Rechtliche Vorgaben für Fernabsatzangebote im elektronischen Geschäftsverkehr bei und nach Vertragsschluss - Ein Überblick über die gesetzlichen Anforderungen und die Rechtsfolgensystematik bei Verstößen“, MMR 2002, p. 516 (517).
133 Palandt, § 312c, no. 8, where the author suggests that the information on a website is only sufficient if it is actually downloaded by the consumer. The author might think about saving the website as html- or mht-files. It seems to be doubtful that the average consumer is aware of this possibility.
134 Here the German legislator has resolved the ambiguity of Article 5 of the Directive 97/7/EC, see footnote 54.

b. Right of Withdrawal (§ 312d BGB)

In the case of a distance contract the consumer has a right of withdrawal according to §§ 312d (1), 355 BGB. The right of withdrawal includes the right of the consumer to cancel the distance contract within a period of two weeks. The consumer must declare the withdrawal to the supplier in ‘textual form’,135 making the moment of dispatch of the declaration crucial. He does not have to name reasons for his withdrawal, § 355(1) BGB. According to § 356 BGB the supplier may also grant (in textual form) the consumer a right of returning the goods instead of the right of withdrawal, in the case of a contract of delivery of goods. Instead of a textual declaration the consumer just has to send back the goods, thus the moment of the dispatch of the goods is decisive.136 The beginning of the two-week period is regulated in § 312d (2) BGB. As far as a contract of the delivery of goods is concerned the two-week period begins when two conditions are met:

• the supplier must have informed the consumer according to § 312c (2) BGB;137 and
• the consumer must have received the goods, in case of an instalment contract the first instalment must have been received.

The two-week period does not begin before these conditions are met. In the case of a contract of services the latter condition is not relevant. Here, the two-week period does not start before the day the contract was concluded and the supplier has fulfilled his obligations according to § 312c (2) BGB.138 In conclusion, if the supplier does not fulfil139 his information obligations resulting from § 312c (2) BGB, the two-week period never starts and would consequently never end. In this case § 355(3) (sentence 1) BGB states that the right of withdrawal expires at the latest six months after the conclusion of the contract and the reception of the goods. Similarly in the case of a contract of service, the right of withdrawal expires at the latest six months after the conclusion of the contract or according to § 312d (3) BGB if the supplier begins to provide the service with the express consent of the consumer.

135 See footnote 131 about the meaning of ‘textual form’.
136 The rules of the right of withdrawal are similarly applicable to the right of returning the goods.
137 Meaning the information according to § 1 (2) and (3) BGB-InfoV.
138 Supra; if the supplier informs the consumer before the conclusion of the contract in the proper way, which he is allowed to, the day of the conclusion of the contract is crucial.
139 Meaning the supplier does not inform at all or informs wrongly.

Although the supplier must already inform the consumer according to § 312c (2) BGB read with § 1(3) BGB-InfoV, he must give the consumer according to § 355(2) BGB an instruction about the right of withdrawal in ‘textual form’ before the contract is concluded. The difference between these two obligations seems to be unclear.140 The instruction has to contain information about the right receiver of the withdrawal notice, about the two-week period and about the fact that the consumer does not have to give any reasons for his withdrawal. There is a precedent given by the legislator within § 14 BGB-InfoV. If the supplier uses this precedent he fulfils his obligations properly. The instruction according to § 355(2) BGB and the information according to § 312c (2) BGB can be combined and provided to the consumer together.141 If the supplier instructs the consumer after the conclusion of the contract about the right of withdrawal, the two-week period will extend to one month beginning from the day of instruction, § 355(2) BGB. If the supplier fails to instruct the consumer or instructs him in a wrong way the right of withdrawal never expires according to § 355(3) (sentence 3) BGB.142 Although this causes legal uncertainty for the supplier this is considered to be tolerable since the supplier may instruct the consumer any time after the conclusion of the contract, which leads to a one month period of the right of withdrawal.143 The same rules apply to a contract of services unless the supplier begins to provide the service with the express consent of the consumer. In this case the right of withdrawal expires according to § 312d (3) BGB.144

However, there are certain types of contracts where the consumer’s right of withdrawal is excluded. According to § 312d (4) BGB this is the case with distance contracts

• for the supply of goods made to the consumer's specifications or clearly personalized or which, by reason of their nature, cannot be returned or are liable to deteriorate or expire rapidly or where the recommended period for their consumption would be exceeded;

Recently the Federal Supreme Court (Bundesgerichtshof) ruled that a product is not made to the customer’s specification if it is composed of prefabricated standard

140 The instruction according to § 355(2) BGB seems to be more detailed, but in the German legal literature the authors are opposing each other and sometimes even themselves within one commentary.
141 Palandt, § 312d, no. 5.
142 This provision results from a decision of the European Supreme Court, EuGH, Urteil vom 13.12.2001, Rs C481/99 (Heininger ./. Bayerische Hypo- und Vereinsbank AG), NJW 2002, p. 281.
143 See Jauernig, “Bürgerliches Gesetzbuch“, § 355, no. 6.
144 Palandt, § 312d, no. 7.

components which can be separated with proportionally low effort without impairment of its substance or function ability.145

• for the supply of audio or video recordings or computer software which were unsealed by the consumer;
• for the supply of newspapers, periodicals and magazines;
• for gaming and lottery services; or
• concluded by way of auction.

If the consumer exercises his right of withdrawal, the supplier and the consumer must return the received performance. The consumer must send back the received goods and the supplier must pay back the received amount of money within 30 days after acknowledgement of the declaration of withdrawal. According to § 357(2) BGB the supplier must bear the regular return costs. He may impose this duty on the consumer up to an order-amount of 40 Euros, unless the delivered goods do not correspond with the ordered goods and unless the right of withdrawal has been exchanged for a right of returning the goods according to § 356 BGB.146 The supplier may impose the costs of return on the consumer by his standard business terms and conditions or within his information obligation, respectively within his instruction of the right of withdrawal to the consumer.

c. Additional Information (§ 312e BGB)

§§ 312e BGB, 3 BGB-InfoV147 contain additional obligations for suppliers who use a teleservice in order to conclude contracts. These provisions are applicable to internet- or online-shopping and must be recognised by online-sellers.148 The supplier has to:

1. provide the customer with appropriate, effective and accessible technical means allowing the customer to identify and correct input errors, prior to sending his order;149

145 BGH, Urteil vom 19.03.2003 - III ZR 295/01, NJW 2003, p. 1665. In this case the consumer ordered a notebook composed of certain components and configured in a certain way.
146 Jauernig, § 357, no. 5.
147 These sections implement the European Directive 2000/31/EC on E-Commerce.
148 § 312e BGB does not only apply to B2C contracts but also to B2B contracts.
149 The order means not only the offer or acceptance but also the invitation to make an offer, see Palandt, § 312e, no. 5.

46 2. communicate to the customer, in good time before the sending of his order, the following information clearly and comprehensibly:150 a. the different technical steps to follow to conclude the contract, b. whether or not the concluded contract will be filed by the service provider and whether it will be accessible, c. how to identify and correct input errors with the provided technical means prior to the placing of the order,151 d. the languages offered for the conclusion of the contract, e. any relevant codes of conduct to which he subscribes and information on how those codes can be consulted electronically; 3. acknowledge to the customer the receipt of his order without undue delay and by electronic means;152 and 4. enable the customer to retrieve and save in reproducible form the conditions of the contract including standard business terms incorporated in it upon conclusion of the contract. The two-week-period for exercising the right of withdrawal does not begin before the supplier has fulfilled this information obligation. d. Contrary agreements It is worth mentioning that according to § 312f BGB, no alteration of the provisions illustrated above may be made to the detriment of the consumer or customer unless provided otherwise by law. e. Business Standard Terms and Conditions There is no question that the supplier may, like for any other contracts, include his business standard terms and conditions into a distance contract. The question that arises is how the supplier would go about the inclusion of the standard terms and conditions into a distance contract concluded via internet, and how these terms and conditions must be designed. According to § 305(2) BGB the customer must have 150 151 152

150 This information is stated in § 3 BGB-InfoV.
151 See footnote 149.
152 See footnote 149.

the opportunity to acknowledge the standard terms and conditions in a reasonable manner during the conclusion of the contract. There is no legal doubt that the supplier has the possibility of including his standard terms and conditions by using a “Click-Wrap-Agreement”.153 In this case the customer is able to read the terms and conditions digitally via a hyperlink integrated in the order procedure and may accept them by clicking on the acceptance-checkbox. Some authors in legal literature hold the opinion that the principles of Btx-Commerce in the early 1990s must be applied with the consequence that standard terms and conditions must not be longer than one page (on the display).154 However, if standard terms and conditions are longer than one page there must be the option of printing out the page.155 On the other hand, this would assume the existence of a printer and lead to additional costs for the customer, which should not be the consumer’s responsibility.156 Another argument against the implementation of standard terms and conditions by displaying them on the website states that they may be changed to the disadvantage of the customer afterwards. This argumentation cannot be supported and stresses consumer protection too much. Especially in the WWW the customer is free to download standard terms and conditions and read them carefully offline.157 Additionally he may print out these terms and conditions and read them in written form.158 One has to keep in mind that the customer is using the internet to conclude a contract on a free basis and must accept the common means of this medium. Of course the supplier might change the terms and conditions afterwards to the disadvantage of the customer.
In this case he would commit fraud, a criminal offence, which is punishable.159 Therefore extensive standard business terms and conditions may also be used by the supplier as long as the customer has the opportunity to save and print them out in a simple way without any extra costs.160

153 District Court of Essen, LG Essen, Urteil vom 13.02.2003 – 16 O 416/02, MMR 2004, p. 49; Hoeren, “Internetrecht“, p. 252 at http://www.uni-muenster.de/Jura.itm/hoeren/materialien; Hoenike/Hülsdunk, MMR, 2002, 516 (516); Horn, MMR 2002, p. 209 (210).
154 District Court of Freiburg, LG Freiburg, Urteil vom 7.4.1992 – 9 S 139/90, NJW-RR 1992, p. 1018 (1018); District Court of Aachen, LG Aachen, Urteil vom 24.1.1991 – 6 S 192/90, NJW 1991, p. 2159 (2160); District Court of Wuppertal, LG Wuppertal, Urteil vom 16.5.1990 – 8 S 21/90, NJW-RR 1991, p. 1148 (1149); Mehrings, “Verbraucherschutz im Cyberlaw – Zur Einbeziehung von AGB im Internet“, BB 1998, p. 2373 (2380).
155 In this sense Borges, “Internet-Shopping“, ZIP 1999, p. 130 (135).
156 Ranke, “M-Commerce - Einbeziehung von AGB und Erfüllung von Informationspflichten“, MMR 2002, p. 509 (510); See Mehrings, BB 1998, p. 2373 (2378).
157 As mentioned earlier, the average customer may not know how to save webpages (.html- or .mht-files for instance). Therefore the supplier should prepare the download with the means of a hyperlink.
158 The supplier should design a webpage with a layout made for printing purposes.
159 Horn, MMR 2002, p. 209 (210).
160 District Court of Münster, LG Münster, Urteil vom 21.1.2000 – 4 O 424/99, JurPC Web-Dok. 60/2000, Abs. 1 – 67, available at: http://www.jurpc.de/rechtspr/20000060.htm; Hoenike/Hülsdunk, MMR 2002, p. 516 (516); Horn, MMR 2002, p. 209 (210); Fringuelli/Wallhäuser, “Formerfordernisse“, CR 1999, p. 93 (94).

The mere reference to the standard terms and conditions on a website is not sufficient. It is advisable to place the reference and the hyperlink on the order-form including the acceptance checkbox. Even clearer would be a pop-up window that closes by the consumer’s clicking. The acceptance by the consumer should be stored in a log-file for the purpose of proof.

3. Data Protection

As far as data protection is concerned, tele- and mediaservices are subject to the regulations of the “Federal Data Protection Act” (Bundesdatenschutzgesetz (BDSG)), the “Act on the Protection of Personal Data Used in Teleservices -Teleservices Data Protection Act” (Teledienstedatenschutzgesetz (TDDSG))161 as well as the “State Treaty on Media Services” (Mediendienstestaatsvertrag (MdStV)).162 Since the regulations on data protection are similar in the TDDSG and the MdStV and the service of an online-shop represents a teleservice163 the focus will be put on the former Act. It is important to distinguish between the applicability of the BDSG and the TDDSG. Within the use of an online-shop there are two kinds of personal data involved. The TDDSG is applicable to personal data that are used for the utilization of a teleservice.164 Thus, the mere offering of goods and services is a teleservice and the related data involved fall under the scope of the TDDSG. However, if the user enters his personal data in order to make an offer to conclude a contract, these data have a different character. They do not concern the utilization of the service but the information necessary for the contract. Such data must be collected and processed according to the provisions of the BDSG.

a. Scope and regulation of the BDSG

The BDSG is applicable to personal data of natural persons, § 3(1) BDSG. It contains some general principles that always have to be taken into account when processing personal data.
According to § 3a BDSG data processing systems have to be organised in a way that none or as little data as possible is collected and processed. Further on, data shall be made anonymous or held under a pseudonym. In general, the collection and processing of personal data is prohibited, unless it is permitted by law or the data subject gives his or her consent, § 4 BDSG.

161 See footnote 91; the TDDSG is applicable to teleservices.
162 The MdStV is applicable to mediaservices.
163 See chapter IV.1, “Tele- and Mediaservices” at p. 35.
164 Hoeren, “Internetrecht“, p. 294.

§ 28 BDSG permits the processing of personal data in the context of a contract. This is important as far as data of an online-shop customer is concerned. The data may be processed to an extent that is necessary for the performance of the contract. They must not be used for a different purpose. Once the purpose for processing the data is fulfilled, e.g. the performance of a contract is completed, the data must be erased immediately. If the supplier wants to use the data for a different purpose he needs the customer’s consent. Consent must be given according to § 4a BDSG. It is only valid if the data subject has been informed about the purpose, the extent of the processing and about the consequences of consent denial. Usually the consent has to be given in written form unless there are special circumstances that justify another form. The mere use of the internet is not an exception from this rule.165 Therefore it is only possible for the user to declare the consent by using a qualified electronic signature according to § 126a BGB. Nevertheless, in the case of an online-shop that represents a teleservice the legislator permits an electronic consent according to § 3(3) TDDSG. However, a simple mouse-click may not suffice. The user must take conscious and deliberate action, which must be recorded and saved in a protocol or log-file that the user may access at any time he wants, § 4(2) TDDSG. The user must, prior to his declaration of consent, also be informed about his right to withdraw his consent at any time, § 4(3) TDDSG.166

b. Scope and regulation of the TDDSG

The TDDSG regulates the protection of personal data that is collected and processed in relation to the utilization of teleservices, § 1(1) TDDSG. Like the BDSG (and the MdStV), the TDDSG applies the same principles mentioned above. The collection and processing of data must be avoided if possible or kept as little as possible, and the data may only be processed within the designated purpose.
According to § 3(1) and (2) TDDSG the collection and processing of personal data in the context of the internet is only allowed if permitted by law or if the data subject has given his consent, which may be given electronically, § 3(3) TDDSG. The service

165 Ibid, p. 303.
166 Possible example: “We would like to inform you that your data collected in the context of your order are used for the execution and carrying out of the order. Furthermore we would like to use your name, address and electronic mail address to inform you about similar interesting products. Therefore, we need your consent, which you can give by clicking the yes button. The consent isn't necessary for the execution of your order. You can decide freely whether you give us your consent for the sending of further information. Provided that you don't want to receive the information in future any more, we ask you to send a short e-mail to ____.”

provider must inform the data subject, prior to the beginning of the procedure, about the type, scope, and purpose of the collection, processing, and use of his personal data, as well as about the processing of his data in countries outside the European Union, § 4 TDDSG. The TDDSG distinguishes between contractual data (§ 5 TDDSG) and utilization data (§ 6 TDDSG). Contractual data means data that is necessary to conclude, determine the terms of, or modify the contractual relationship between the user and the service provider (e.g. the data entered by the user to register for a service). Utilization data means data required to facilitate and invoice the use of teleservices (e.g. IP-address, ID-data, browser version, etc.). Without the consent of the user these data may only be used to the extent for which they are needed. If they are no longer needed they must be erased. For instance, utilization data must be erased when the connection between the user and the service provider has been terminated, unless this data serves payment purposes, § 6(4) TDDSG. Contractual data must be erased if the user cancels the contract (e.g. the user signs out or deregisters). The processing of non-personal data, especially data related to server clients, does not fall under the scope of the TDDSG (or MdStV), as this often relates to the collection of utilization data in log-files (e.g. for compilation of user profiles or statistics).167 These non-personal utilization data (e.g. dynamic IP-addresses) may be logged if a reference to the user cannot be constructed.168 According to § 6(4) TDDSG the provider may compile pseudonym-based user profiles for purposes of advertising, market research and structuring the teleservice if the user does not object. Prior to the compilation of such profiles the provider must inform the user about this procedure and about the right of objection. To ensure the user’s anonymity these profiles must not be combined with data about the pseudonym bearer.

c. Web-Cookies

Since internet-cookies have become a main concern it is worth dedicating a separate chapter to this issue. A cookie is a data record produced by a web-server sent to a web-browser where it is stored on the user’s computer.169 Conversely, cookies that have been placed on the user’s computer are sent to the web-server. The user usually takes no notice of this procedure. Cookies generally serve the purpose to collect

167 See Wolters, “Einkauf via Internet: Verbraucherschutz durch Datenschutz“, DuD 1999, p. 277.
168 See Schulz, “Rechtsfragen des Datenschutzes bei Online –Kommunikation“, p. 40, available at http://www.rrz.uni-hamburg.de/hans-bredow-institut/ws-lehr/aktuelles/lfr-datenschutz.pdf.
169 Hoeren, “Internetrecht“, p. 324.

information about the user of a web-browser and to transmit this information to the web-server (e.g. to compile user profiles). The information stored in a cookie only contains data that were produced by the user himself during the communication with the web-server. Cookies cannot be used to spy out further data that is located on the user’s computer.170 Thus, in general cookies are harmless as far as personal data protection is concerned. Nevertheless, an evaluation of all the cookies that have been stored on the user’s computer by a web-server allows the compilation of a user specific profile, which may contain personal data if the user has registered by name or (email) address at least with one service.171 Besides that, a reference to the user can only be constructed through a static IP-address. Therefore, if cookies contain personal data providers may only use them, according to § 3(1) TDDSG, if this is permitted by law or if the user has given his consent. In addition, § 6(3) TDDSG states that the provider may only compile profiles under pseudonym and that those profiles must not be combined with the data of the pseudonym bearer. Hence, a combination of the data stored by the internet-provider (cookies) with the data of the service-provider, who holds the dynamic IP-address (pseudonym), is not allowed. However, if cookies only serve the purpose to facilitate the service or to make the use easier (e.g. shopping-basket)172 a combination of the data is only allowed for charging purposes, § 6(2) TDDSG. If the cookies contain utilization data, they must be erased immediately after the use of the service has ended.

d. Information to be provided

If a service provider collects and processes personal data he must inform the user about the identity of the processing authority, § 4(3) BDSG. The service provider may display this information within his identification information according to § 6 TDG.
Additionally, the service provider must inform the user comprehensively about the processing of his contractual and utilization data. This includes respectively the

170 Ibid.
171 See Wichert, “Web-Cookies – Mythos und Wirklichkeit”, DuD 1998, p. 273 (274).
172 The use of those cookies is permitted, see Gola/Klug, “Die Entwicklung des Datenschutzrechts in den Jahren 2001/2002“, NJW 2002, p. 2431 (2434). The service provider must inform the user at the beginning of the use of the service about the type, purpose and duration of the cookies as well as about the user’s right of objection.

user’s rights to object to certain use of his data (e.g. compilation of profiles, § 6(3) TDDSG) as well as his right to withdraw given consents.173 With respect to commercial communications teleservices have additional duties to inform users, § 7 TDDSG. Teleservices must fulfil the following conditions:
1. commercial communications shall be clearly recognizable as such;
2. the natural or legal person on whose behalf commercial communications are transmitted must be clearly identifiable (e.g. the person on whose behalf an advertisement banner is presented on a website);
3. promotional offers such as discounts, premiums, and gifts must be clearly identifiable as such and the terms of compliance must be easy to access and clearly and unambiguously outlined;
4. contests or sweepstakes of a promotional nature must be clearly recognizable as such and the terms of participation must be easy to access and clearly and unambiguously outlined.

It is recommended, not only for legal but also for business reasons, to integrate a data protection policy at the beginning of the use of the service. This policy should contain all information about the type, extent and purpose of the data collection and processing, including the use of cookies. This can be realised by a link on the starting or index page or on the main navigation. It can also be realised by a pop-up window that appears when the user enters any of the service’s web pages. It is not sufficient just to inform the user by means of or within the standard terms and conditions. Within the order procedure of an online-shop, additional information should be provided about the collection and processing of the contractual data. This can be done in the same way standard terms and conditions are integrated by a “Click-Wrap-Agreement”.174 The information provided to the user must be constantly available.
The user is also entitled to demand access to all his personal data that has been stored, and also to reverse all the consents he had given throughout the use of the service, § 4(7) TDDSG.

173 For realisation purposes see Schaar/Möller, “Orientierungshilfe Tele- und Mediendienste”, available at http://www.hamburg.datenschutz.de.
174 See chapter IV.2.e, “Business Standard Terms and Conditions”, p. 46.

The user must also be notified of any re-forwarding to another provider, § 4(5) TDDSG. This may also be done by a pop-up window or for instance by the appearance of a little info box next to the mouse-cursor.

4. Unsolicited Communication (‘Spam’)

As demonstrated above175, Article 13(1) of the Directive 2002/58/EC on Privacy and Electronic Communications requires Member States to prohibit the sending of unsolicited commercial communications by fax or e-mail or other electronic messaging systems such as SMS and MMS unless the prior consent of the addressee has been obtained (opt-in system). Germany has not yet implemented the regulations on unsolicited communication of the Directive 2002/58/EC on privacy and electronic communications but intends to implement these regulations within the new amendment of the “Act against unfair Competition” (Gesetz gegen den unlauteren Wettbewerb (UWG)), which is expected to be passed within the first half of 2004. In Germany ‘Spam’ is a matter of competition law and therefore ruled by the UWG. The current legal situation is based on case law of lower courts.176 Unfortunately a decision concerning unsolicited email marketing by the Federal Supreme Court (Bundesgerichtshof) does not exist. Although there is a great tendency among the courts to prohibit unsolicited email marketing177 the decisions are not uniform. There are decisions that deny the protection against such unsolicited communication under certain circumstances.178 As mentioned before179 the consumer himself may not take any direct action against the ‘Spammer’. Only competitors of the ‘spamming’ businesses, consumer protection agencies and competition head offices may take legal action. The new outline of the UWG does not provide for direct legal action of the consumer either. The consumer must consult consumer protection associations to defend himself against ‘Spam’.

175 See chapter III.4.e, “Unsolicited Communications (Article 13)”, p. 32.
176 See Weiler, “Spamming - Wandel des europäischen Rechtsrahmens“, MMR 2003, p. 223 (229); Hoffmann: “Die Entwicklung des Internet-Rechts von Anfang 2001 bis Mitte 2002“, NJW 2002, p. 2602 (2610); Gola, “Die Entwicklung des Datenschutzrechts in den Jahren 1999/2000“, NJW 2000, p. 3749 (3756).
177 See District Court of Ellwangen, LG Ellwangen, Urteil vom 27.08.1999 – 2 KfH O 5/99, JurPC Web-Dok. 198/1999, Abs. 1 – 34, available at http://www.jurpc.de/rechtspr/19990198.htm; District Court of Traunstein, LG Traunstein, Beschluß vom 18.12.1997- 2 HKO 3755/97, available at http://www.jurpc.de/rechtspr/19980013.htm; District Court of Berlin, LG Berlin, Urteil vom 13.10.1998 -16 O 320/98, available at http://www.jurpc.de/rechtspr/19980187.htm.
178 See District Court of Braunschweig, LG Braunschweig, Urt. vom 11.08.1999 – 22 O 1638/99, MMR 2000, 50.
179 See chapter IV, “E-Commerce and related Legislation in Germany”, p. 33.


V. South African Legislation – The ECT Act

The ECT Act is one of the most controversial pieces of legislation aimed at the business community. The Act calls for a number of changes in the ways in which organisations conduct business on and through the Internet and in the way companies store information. The goals of the Act include providing for the facilitation and regulation of electronic communications and transactions, the development of a national e-strategy for the Republic, promoting universal access to electronic communications and transactions and the use of electronic transactions by SMMEs180, preventing abuse of information systems, and encouraging the use of e-government services. This is a tall order for an act that many deem too vague and unclear really to do the job. The Act has its critics. Nevertheless, South African companies need to ensure that they are in compliance with the provisions of the ECT Act, which subsequently results in more work for the companies. Companies need to be clear not only about what the Act stipulates, but also as to what applies to them specifically. As far as consumer protection is concerned, the Act breaks new ground in the South African market. Although there are provisions in certain areas on consumer protection, as we have seen earlier181, the ECT Act contains comprehensive regulations aimed at a variety of transactions. These regulations are the first to be drawn up in the South African legislature. The ECT Act has also addressed consumer protection very specifically. This is good for the consumer but negative for online merchants, which will have to make changes to the way that they conduct business online. These stipulations only apply to consumer transactions and not to business-to-business transactions. The Act tackles the typical problems of consumer protection: data protection and privacy, trust, redress and jurisdiction. The European Directives 97/7/EC and 2000/31/EC served the legislator as models.
Some of the European provisions have been taken over nearly without any changes. Nevertheless, the ECT Act is applicable to electronic transactions only, section 42(1) ECT Act. Contrary to the European and German approach, transactions that have been concluded via conventional mail, catalogue, fax or telephone do not fall under the scope of the ECT Act. Very importantly, the mandatory consumer protection rights afforded to a user of a website cannot be varied or excluded by agreement between the contracting parties,

180 Small, Medium and Micro Enterprises.
181 See chapter I.3, “Consumer Protection in South Africa before ECT Act”, p. 4.

and therefore must be given special attention in assessing whether a website complies with the new legislation, or not.

1. Chapter VII of the ECT Act – Consumer Protection

Chapter VII of the ECT Act contains a number of mandatory consumer protection provisions which, if not complied with, may have devastating consequences for any transaction concluded on the website as well as, in certain cases, the incurring of criminal liability and penalties. In this regard there are five fundamental protections.

a. Information to be provided (Section 43 ECT Act)

There are 18 pieces of relevant information that must be made ‘available’ for the consumer on a website that offers goods and services. This information in section 43(1) (a) – (r) ECT Act is self-explanatory and can all be found, with slight differences, in the European Directives illustrated within the earlier chapters as well as in German legislation. In comparison to the European and German legislation, the more interesting questions are who falls under the scope of this section and how the information has to be provided, rather than what information has to be provided. Since the section uses the term ‘on the website’, it is indicated that it affects only suppliers that have an internet website. Further on, the term ‘offering’ has to be looked at closely, since there are also service providers that have designed their services without making ‘legal’ offers, but rather offer an invitation to the consumer to make a ‘legal’ offer. By looking at the purpose of the Act (consumer protection), it becomes evident that all service providers that sell goods and services via electronic transactions shall fall under the scope of this section. Thus, the term ‘offering’ does not have a technical or legal meaning but a meaning of common language. Article 5(1) of the E-Commerce Directive 2000/31/EC demands service providers to provide recipients with information in an easily, directly and permanently accessible way.
§ 6 TDG obliges the service provider to make the information easily recognizable, directly accessible and constantly available to the consumer. According to § 312c BGB the service provider must inform the consumer in any way appropriate to the means of distance communication used in a clear and comprehensible manner. The terms used in German legislation have tried to put the European terminology in more tangible terms, which are to a certain extent self-explanatory. Nevertheless,

these terms are open terms and they leave room for interpretation. If these terms are transferred to individual cases (e.g. websites) they require interpretation. Therefore, they must be flexible in order to enable them to adapt to each individual case. Eventually, it is up to the courts’ discretion as how to interpret these open terms. The same will happen within South African case law. Courts will have to interpret the term ‘making available’. Just by looking at the wording of the provision, one may assume that suppliers may provide the consumer with the necessary information in whatever way they like. This is a fallacy. Although the South African legislator did not use adverbs to describe the term ‘making available’, judges will sooner or later interpret this term and revise their own definitions on how to provide information to the consumer. In order to do so, they will probably be looking at European approaches. Thus, such open terms within legislation may prevent uncertainties. To a certain extent they are descriptive and will help the addressee (e.g. the service provider) to comply with the legal standards. If that fails, at least it will make him reflect on the issue. Section 43(1) ECT Act states that the information must be provided to the consumer ‘on the web site’. Compared to the European and German requirements this is a lower standard and easier for the service provider to comply with. In Germany, the service provider must inform the consumer at least once in ‘textual form’182, which cannot be done simply by displaying the information on a website because a website is not considered to be durable. Reinhardt Buys183 recommends including this information in the "terms of use" on the website. These "terms of use" should be available as a hyperlink from every page of the website. The safest option would be to allow a consumer to click on "I agree to the terms of use" before being allowed to finalise any transaction.
Buys’ recommendation clearly states how vital the acceptance of the terms by the consumer is prior to making the intended transaction (e.g. order goods and services). For reasons of clarity the hyperlink containing the necessary information should be included within the order procedure, e.g. on the page on which the consumer enters his personal data. For purposes of proof, the supplier should keep records or log-files on the consumer’s acknowledgment. Further on, it should be mentioned that the structure of section 43(1) ECT Act is much clearer compared to the provisions on information obligations of service providers in Germany. In the latter case the provisions must be found in a variety of Acts,

182 E.g. email, see chapter IV.2.a, “Information to be provided (§ 312c BGB)”, p. 40.
183 Buys, “How Will The Consumer Protection Provisions Of The New Ect Act Affect Your Web Site?”, available at http://www.buys.co.za.

in particular, within the TDG, the BGB and the BGB-InfoV. The BGB-InfoV must even be read into the provisions of the BGB. This makes it difficult and unclear for the reader to overview all the mandatory obligations, especially one without any legal background. According to section 43(2) ECT Act the consumer must have an opportunity to review the entire electronic transaction, to correct any mistakes and to withdraw from the transaction before finally placing an order. The supplier must design his order procedure appropriately, e.g. just before the consumer submits his order. Reinhardt Buys suggests that this opportunity should be allowed just before the consumer submits his credit card details.184 This bears the advantage of avoiding further effort and online time. If the supplier fails to comply with these obligations the consumer may cancel the transaction within 14 days after receiving the ordered goods or services, section 43(3) ECT Act. Section 43(4) ECT Act states that “if a transaction is cancelled in terms of subsection (3)—
a) the consumer must return the performance of the supplier or, where applicable, cease using the services performed; and
b) the supplier must refund all payments made by the consumer minus the direct cost of returning the goods.”

As far as subsection a) is concerned, German legislation has a different approach if the supplier has begun to provide his service. According to § 312d BGB the consumer’s right of withdrawal expires if the supplier has begun to provide the service with the express consent of the consumer. This approach seems to be more reasonable regarding the difficulties of liquidating a service.185 However, in such a case the South African legislator protects the consumer to a greater extent. According to subsection (b) the consumer must bear the costs of returning the goods. Lastly, the supplier has to provide a high standard payment system.
He is also liable to the consumer for any damages suffered due to his failure to comply with this requirement. This duty on the supplier should be read together with the King II Report

184 Supra.
185 What happens if the consumer has ordered German lessons and received the service for 10 days? How can he cease the service? He will have to pay the utilization according to common law and therefore the right of cancellation is obsolete.

on corporate governance. The Report places the liability of security failure on the shoulders of the supplier. The Act also states that the supplier shall be liable for any damages caused to the consumer if discovered that the website was not secure (e.g. disclosure of personal or credit card details). Although this stresses the supplier’s obligation incredibly, this obligation promotes a high security standard.

b. Cooling-off Period (Section 44 ECT Act)

Section 44 in chapter VII of the ECT Act contains the core provision of consumer protection rights in the buying procedure. According to this provision the consumer is entitled to cancel without reason and without penalty any (electronic) transaction
a) “of goods within seven days after the day of the receipt of the goods; or
b) of service within seven days after the date of the conclusion of the agreement.”

The difference to the European and German approach is the length of the cancellation period. The European legislator chose in Article 6 of the Directive 97/7/EC a cancellation period of seven working days, whereas the German legislator chose to extend the protection of the consumer by granting a two-week-period in § 355 BGB. This period even extends to one month, if the consumer was informed about his right to cancel after the conclusion of the contract. Once again, the ECT Act has no regulation for the case in which the supplier has already begun to provide his service. In this case the right to cancel seems to remain unreserved. Further on, the ECT Act, contrary to the German legislation, does not provide a right to just return the goods as it is regulated in § 356 BGB.186 Two things remain unresolved. Firstly, in the case of a supply of goods, it is unclear whether the consumer may exercise his right to withdraw according to the previous section 43(3) as well as according to the section 44(1) ECT Act before he receives the goods or services.
The provisions state ‘within 14 days of receiving the goods’ and ‘within seven days after the date of receipt of the goods’. This allows the interpretation that the consumer may not exercise his right to cancel before he receives the goods. The German approach is different. § 312d (1) BGB grants the consumer a general right to withdraw from the contract while the deadline period for the expiration of the right to cancel is regulated in §§ 312d (2), 355(1) and (2) BGB. This indicates (and this is how the provisions are understood) that the consumer may cancel the transaction at

See chapter IV.2.b, “Right of Withdrawal (§ 312d BGB)”, p. 43.

59 any time before the expiration period has run out. As shown earlier, in some cases, this leads to the result of the right of withdrawal never expiring.187 In this sense the South African provisions should be understood also. Otherwise if the supplier does not perform his contractual duties (delivery) the consumer must wait for the 30 day performing period of section 46(1) ECT Act and cancel according to section 46(2) ECT Act. Secondly, it is not mentioned within section 43 and 44 ECT Act how the consumer is supposed to cancel the transaction. In German legislation he must cancel by means of a notice in ‘textual form’ according to § 355(2) BGB. A clause is found in section 46(2) ECT Act where it is stated that the consumer has to cancel with ‘written notice’. Whether this is transferable to sections 43 and 44 ECT Act cannot be said. However, within electronic transactions it is not reasonable to impose the consumer with the obligation of a written cancellation notice, since the digital signature that maintains the written form is practically not in use yet. To avoid uncertainty, the supplier should detail within his information terms how the consumer must execute his right of withdrawal (e.g. email, similar to the textual form in German legislation). Additionally, there is no regulation about the crucial moment of cancelling, in particular, whether the time of dispatch or the time of reception of the cancellation notice is decisive to cancel in time.188 According to section 44(2) ECT Act the direct costs of returning the goods may be levied on the consumer. This section also leaves uncertainty relating to the question of what the rule is by law and what must be agreed on. In the case of section 43(4)(b) ECT Act, the supplier must refund all payments made by the consumer ‘minus the direct cost of returning the goods’. Here it is clear that it is the consumer’s burden to pay these costs. 
The term ‘may levy’ in section 44(2) ECT Act does not clarify whether in general the supplier must pay the costs of returning but may impose this obligation by agreement on the consumer, as is the case in German legislation, or whether the costs have to be borne by the consumer and it is at the discretion of the supplier to pay for them himself. In comparison § 357(2) BGB contains an unambiguous rule.189

Section 42(2) ECT Act provides a self-explanatory exemption list containing types of contracts to which section 44 ECT Act, the right of withdrawal, does not apply. The German counterpart is § 312d (3) BGB. The two lists are not identical, as the list in § 312d (3) BGB does not contain the contracts mentioned in section 42(1)(a), (c) and (j). These types of contracts are listed in § 312b (3) BGB with the consequence that they do not fall under the scope of the provisions on distance contracts at all. Therefore in German legislation, not only is the right of withdrawal excluded regarding these contracts, but the provisions on the information obligation referring to distance contracts are not applicable either. E.g. an online grocery store in South Africa that sells foodstuffs and other goods intended for everyday consumption must comply with the information obligations. The online grocery store in Germany must only observe the information obligations contained in the TDG but not those on distance contracts.

It is worth mentioning that section 42(2)(h) ECT Act excludes the right of withdrawal not only for the sale of newspapers, periodicals and magazines but also for books. The German counterpart, § 312d (4)(3.) BGB, does not exclude books from the right of withdrawal. This is a legislative decision that was criticised, because customers would be able to buy books online, read or copy them and return them afterwards. This section could make amazon.com a lending library.

187 See explanation to § 355(3)(sentence3) BGB in chapter IV.2.b, “Right of Withdrawal (§ 312d BGB)”, p. 43.
188 The European and German approach favour the time of dispatch.
189 See chapter IV.2.b, “Right of Withdrawal (§ 312d BGB)”, p. 43.

c. Performance (Section 46 ECT Act)

In accordance with the European Directive 97/7/EC on Distance Selling Contracts190, under section 46 ECT Act the supplier must execute the consumer’s order within 30 days unless, inter alia, agreed otherwise. A 30-day period seems a rather long time, but given that this regulation can be altered there should not be any reservations. Germany has not made any extra regulation on the performance within the provisions on distance contracts. Here the common civil law rules apply according to which the performance is due immediately.
Failure to comply within 30 days (or any period which has been varied by agreement) gives the consumer the right to cancel the contract on 7 days’ written notice and on the basis of a full refund of payments made to the consumer within 30 days after the date of notification, section 46(2) ECT Act. As mentioned before, the written form of the notice seems to burden the exercise of the consumer’s right to cancel the contract.

d. Unsolicited Goods, Services, or Communication (Section 45 ECT Act)191

“Unsolicited commercial communications, also known as “SPAM”, whether in the form of e-mail, SMSs or instant messages, have been described as being the mosquitoes of the Internet – numerous, annoying and often carrying objectionable content and nasty viruses.”192

50% of South African websites that collect personal information share this information with third parties without the person’s consent, and 83% send more communication without having obtained the person’s prior consent. This is according to a study of the top 100 websites in South Africa conducted by students at the University of Cape Town. Section 45 of the ECT Act requires the sender of an unsolicited commercial communication to observe 3 rules:

• to provide the consumer “with the option to cancel his or her subscription to the mailing list”, section 45(1)(a) ECT Act;

• to furnish the consumer “with the identifying particulars of the source from which that person obtained the consumer’s personal information, on request of the consumer”, section 45(1)(b) ECT Act;

• not to send a second unsolicited commercial communication to a person “who has advised the sender that such communications are unwelcome”, section 35(4) ECT Act.

190 See chapter III.1.c, “Performance and Binding Nature”, p. 20.
191 This is the official heading of section 45 ECT Act. The question remains unsolved why unsolicited goods are mentioned while the provisions only deal with communications.

Any person who contravenes the above may incur criminal liability and may be fined an unspecified amount or imprisoned for a period not exceeding 12 months.193 In contrast to the European and German approach, section 45 ECT Act applies only to natural persons.194 If ‘Spam’ is sent to legal persons, such as companies, the provisions of section 45 ECT Act do not apply.195 ‘Spam’ is not only a matter of consumer protection. The rights of legal persons can also be interfered with by ‘Spam’. Thus, the European approach seems to be more favourable.

South Africa has chosen the opt-out method. The sender is obliged to provide the ‘option to cancel’ (e.g. in the form of an email address or a hyperlink to be clicked on). The effectiveness of an “opt-out” request is questionable, as often all it serves to do is validate the existence of an e-mail address being spammed. The European Directive left the choice between an opt-out and an opt-in method up to the Member States. As demonstrated above196, Germany tends to forbid ‘Spam’ unless a person signs up or asks for information, a tendency that is appreciated by many “victims” of ‘Spam’. New legislation on this matter is expected within the UWG.

192 Michalson, “SPAM”, p. 1, available at http://www.emessagex.com/systems/rsvp/s_summit/Spam_Article_SPAM_Summit-20.10.2003.doc; see for further information www.michalson.com.
193 In terms of section 89(1) ECT Act.
194 See definition of ‘consumer’ in chapter I.2, “What is Consumer Protection?”, p. 2.
195 Michalson, “SPAM”, p. 3.

Another problem is to identify the sender. There is no legal obligation for the sender to provide accurate information about his identity. Section 45 ECT Act does not require the sender to provide his name or physical or electronic address. By contrast, Article 13(4) of Directive 2002/58/EC forbids this kind of communication without providing details by which to identify the sender. This seems to be the smarter solution.

The most severe problem with section 45 ECT Act seems to be the meaning of the term ‘unsolicited’. In general it could be said that a communication is unsolicited197

• if there is no prior relationship between the parties;

• the consumer has not expressly consented to receive that communication; and

• the consumer has previously sought to terminate the relationship, usually by instructing the sender not to send any more communication in the future.

A similar approach is contained in Article 13(2) of the Directive 2002/58/EC that allows mail that is sent ‘in the context of the sale of a product or a service’. It is often difficult to assess whether an e-mail communication is unsolicited. This is particularly so if the prior relationship comprised something other than a previous exchange of email messages. A broad interpretation of ‘unsolicited’ might include all contracts that are not part of a current transaction but eventually this open term in section 45 ECT Act will have to be interpreted by courts. Therefore suppliers must take very careful consideration when using the direct marketing means of ‘Spam’, especially regarding the criminal sanctions.

196 See chapter IV.4, “Unsolicited Communication (‘Spam’)”, p. 53.
197 Sorkin, “Technical and Legal Approaches to Unsolicited Electronic Mail”, University of San Francisco Law Review, Vol 35, p. 325, 2001.

e. Keep Records

For businesses that conduct commercial activities via the internet it is recommended to adequately protect themselves in terms of preserving and storing electronic documents and communications. Despite the fact that the ECT Act does not specifically require companies to do this, it is strongly advisable for South African companies to maintain a complete track record of their transactions, communications, and intentions, including all declarations consumers are transmitting to the companies, as long as data protection policies allow them to. In case of litigation the onus of proof for many of the facts stated in the provisions of chapter VII of the ECT Act (e.g. comprehensive information given, acceptance of user terms by the consumer, etc.) will be on the supplier.

2. Chapter VIII of the ECT Act – Protection of personal Information

In the area of data protection the ECT Act also breaks new ground. The Act provides a voluntary code which sets forth principles to be adhered to by the volunteer subscriber in respect of personal information obtained through electronic means. Any data controller who intends to subscribe to the voluntary code of principles must subscribe to all of them and not merely parts thereof. The principles only apply to personal data that has been obtained through electronic transactions.

a. Data Protection Principles (Section 51 ECT Act)

For the collection, collation, processing or disclosure (e.g. to a third party) of any personal information the data subject must give his express written permission, unless the data collector is permitted or required by law to do so. The data collector must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored. The personal data may be used only for this purpose unless the data subject has given his written consent to a different use. All personal data that have become obsolete must be erased. In case the data controller has (legally) submitted personal data to a third party he must keep the information about the date and the purpose of the submission as well as the identity of the receiver. This information has to be stored for a period of at least one year.
A data controller may use personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles cannot be linked to any specific data subject by a third party.

b. Applicability of Data Protection Principles

As indicated above, the principles of section 51 ECT Act are not mandatory for every data controller. Only those who subscribe to all the principles within an agreement with a data subject are bound by them. Chapter VIII does not contain any state assistance to enforce data privacy and there is no indication what authority will litigate an agreement between the data controller and the data subject. Hence, the ECT Act provides only for data protection on a voluntary basis, which does not seem to be enforceable.

Not only because chapter VIII contains data protection on a voluntary basis but also as far as the stated principles in section 51 ECT Act are concerned, the South African consumer is less protected compared to European standards. The European and German legislation on data protection is much more detailed in order to prevent data controllers from circumventing the regulations. In consequence South Africa cannot yet be considered a safe country for the export of personal data according to Articles 25 and 26 of the Directive 95/46/EC.

Nevertheless, the ECT Act might represent the beginning of comprehensive data protection in South Africa. The South African Law Commission is planning to produce a comprehensive draft of legislation relating to privacy and data protection soon. This will be a good chance to strengthen the protection of private and personal data.

However, the ECT Act should spur South African companies to do something to build up trust among internet users: draft and clearly display their privacy policy on their website. A privacy policy is important, especially for large companies that expect to do a lot of business online. That does not mean that they have to subscribe to the provisions of the ECT Act. They might also comply with other privacy benchmarks. However, complying with legislative rules seems to be reasonable for two reasons: firstly, consumers might trust regulations by law the most, and secondly, with respect to future legislation the companies will probably be stepping in the right direction. They should, however, ensure that they communicate their policy to consumers. Furthermore, the management should ensure that every employee is aware of the company’s policy and knows how to implement it.

A good privacy policy should spell out the exact identity of the service provider, and how information is collected and used. It should also give users the opportunity to opt out of receiving communications from the service provider if they have given their email addresses. Contact information should be clearly displayed so that users can contact the service provider if they have any queries or concerns about privacy issues. In addition, users should be kept up to date with any changes that are made to the privacy policy and given the choice to opt out of these changes.198

198 Bianca Wright, “Act on ECT”, available at http://www.sacm.co.za/FeatureTitle.asp?NewsID=5683&Title=Act%20On%20ECT.


VI. Conclusion

The Internet is highly important for economic growth. It is global and represents a unique market place in terms of market penetration. Any computer, anywhere in the world, connected to the internet can access a website and may carry out an electronic transaction. As e-commerce will grow rapidly and the number of both commercial (B2B transactions) and consumer contracts (B2C transactions) through the Internet will rise, the legal framework governing both the Internet and e-commerce is of particular importance.

The initiatives adopted both at global level (e.g. the OECD’s ‘Guidelines on e-commerce’) and at European level (e.g. the ‘E-commerce Directive’) seem to be heading in the right direction by seeking to create a more secure and uniform legal environment. This is of great importance for promoting confidence among consumers and also for giving businesses predictability as to which regulations they have to comply with. With regard to the harmonization of legislation within the Member States, the current European legal framework governing e-commerce is effective. As technical standards develop, it is necessary to notice the changes and revise regulations. Furthermore, it will be necessary to establish a binding legal framework all over the world in order to provide equal consumer protection standards worldwide as well as to keep competition balanced between service providers that have their places of business in different countries.

With the ECT Act the South African legislator has succeeded in taking a first and important step towards the legal regulation of the electronic age. Due to the lack of applicable legal regulations, considerable legal uncertainty prevailed before. Now, many areas of e-commerce are regulated. Especially in contrast to European and German legislation, it appears to be a great advantage to have one uniform and comprehensive regulation.
The South African legislator decided to regulate overlapping areas and different procedures within one piece of legislation instead of choosing a solution consisting of several laws. Unfortunately this uniform approach also bears the disadvantage that some areas are regulated insufficiently. In particular the provisions on data protection fall behind international standards.

Although some aspects might be negative, too vague, and excessive, the Act will be beneficial to e-commerce in South Africa. There will be a refining and redrafting of the Act in the future and issues will be settled by courts. The key for businesses is to familiarise themselves with the Act. It is recommended that owners of websites should immediately scrutinise the content of their sites in order to determine whether they are in compliance with the ECT Act's mandatory consumer protection provisions. To the extent that non-compliance is detected, the necessary changes should be made in order to avoid the sanctions contemplated in the ECT Act.

The ECT Act seems set to go a long way towards promoting e-commerce in South Africa, a goal that some hope will put South Africa on par with international counterparts. While it does place certain burdens on companies, those accepting the responsibilities and ensuring compliance eagerly will be leaders in the online arena. In the end, the ECT Act is a reality and companies must comply or face legal action.

The special significance of the ECT Act may be found in the fact that the South African legislator has recognized the economic significance of e-commerce as vital for South Africa and has therefore created the necessary legal framework for both the consumers and the providers of electronic services. Thereby the legislator sends out an important signal to the domestic economy and to foreign investors. A part of Africa has recognized the importance of e-commerce and its legal regulation.