UK: IT and e commerce Briefing

Article by Mark Turner and Dominic Callaghan

In February we discussed the decision of the Australian High Court in Dow Jones v Gutnick. Gutnick, a businessman from Melbourne, Australia sued the US company Dow Jones over an allegedly defamatory magazine article. Dow Jones & Company publishes the Wall Street Journal and also operates www.wsj.com, a news website. The website allows subscribers and registered users to access a number of newspapers including the magazine where the article appeared. Gutnick successfully argued that the Australian Court has jurisdiction as he had suffered damage to his reputation in Australia. Gutnick also conducts business in the US and has contributed to charities in the US and Israel but the Court accepted that much of his business and social life was focused in Victoria, Australia.

In Harrods Limited v Dow Jones & Co Inc the UK High Court has reached the same conclusion in a case involving very similar facts. In the Harrods' case the defamatory article appeared in the US edition of the Wall Street Journal and on the US website www.wsj.com. The article did not appear in the European hard copy edition of the Wall Street Journal. Only 10 hard copies of the US edition were sent to subscribers in Europe out of a total US circulation of 1.8 million copies. There had only been a small number of hits on the website.

Justice Eady was asked to decide the preliminary issue of whether a UK court had jurisdiction. He acknowledged the limited amount of publication in England, but found that if a company or person has a reputation to protect in England, they have the right to seek to protect that reputation in England. He made it clear that UK law does not mirror the United States’ ‘single publication’ rule. That rule provides that a defendant should only be sued in the place of the first publication of the defamatory material. English law recognises that publication can occur in many places. Each publication will be sufficient to found a separate cause of action.

The decision is a timely reminder to website owners that publication on the web may require consideration of the law in multiple countries.

Please click here for a copy of the decision in Harrods Limited v Dow Jones & Co Inc

EU approves FEDMA Direct Marketing Code

The EU Data Privacy Directive provides for the EU to approve community level codes of conduct drawn up by trade associations and other bodies representing categories of data controllers. The Codes are aimed at ensuring compliance with the Directive.

The European Federation of Direct Marketing (FEDMA) represents the direct marketing sector at the European level. Its national members are the Direct Marketing Associations of 12 countries of the European Union (all except Belgium, Luxembourg and Denmark) and Switzerland, Norway, Hungary, Poland, the Czech and Slovak Republics. The FEDMA code is designed primarily as an instrument of best practice. All the national members of FEDMA, have agreed that their own national codes will maintain standards at least as high as those provided by the Code. In essence the Code applies the Directive to some of the specific situations that arise in Direct Marketing including:

• Processing for purposes other than originally intended;
• Host mailing (i.e. including material from other sources in your mailing);
• Disclosure of lists;
• Protection of children;
• Responsibilities of the Data controller; and
• Objections to processing

The EU has concluded that the FEDMA Code complies with the Directive but adds that it could be improved by the inclusion of an annex. The annex would detail some specific direct marketing data protection issues that arise in the online world and then suggest how those issues should be handled.

EU recognises that Argentina provides adequate protection for personal data

Article 25 of the Data Protection Directive prohibits the transfer of personal data from inside the European Economic Area (EEA) to third parties in countries that do not have "adequate levels of protection". Personal data is any information which by itself or together with other data held by the data controller can identify a person.

On 30 June 2003 the European Commission officially declared that the data protection laws in Argentina provide an adequate level of protection for personal data. Argentina now joins Switzerland and Hungary on the "approved list". Canada is also on the list but only in relation to certain classes of data export. Companies in the US can join the Safe Harbour scheme which has also been approved by the Commission.

The June 2003 approval now means that companies in the EEA can legally transfer personal data (e.g. for processing) to Argentina in the same way that they could previously transfer data within the EEA. Argentina is the first Latin American country to be added to the approved list of data export countries. The EU hopes the approval of Argentina will encourage other countries in the region to work towards improving data protection rights for individuals.

As well as the "approved list" the Data Protection Directive also provides a number of other exceptions to the prohibition on data transfers outside the EEA. The exceptions include the use of data export contracts using the EU approved "controller to controller" or "controller to processor" model clauses. Please click through for a copy of the Commission’s decision

As mentioned in Item 1.3 above, Article 25 of the Data Privacy Directive (95/46/EC) prohibits the transfer of personal data outside the EU unless it is to a country which provides "an adequate level of protection" or one of the other exceptions apply.

The EU Data Protection Working Party recently considered the problems that this prohibition causes multinational companies when transferring data internally to offices outside the EU. It concluded that one solution is for the multinational companies to adopt a global internal policy for international transfers of personal data within the corporate group. However the Working Party report makes it very clear that:

• The final decision on whether a particular multinational corporation’s internal policy will comply with the Directive lies with the national regulator;
• The approved Model contract clauses have not been superseded;
• Corporate internal policies must in any event still comply with all the Data Protection Principles and the relevant national legislation;
• Onward transfers of the personal data from an arm of the company based outside the EU should comply with the normal transfer requirements in the Directive. The Art 29 Paper suggests that this should be a condition in all corporate internal policies. This is to ensure that the Directive is not circumvented by using a non-EU office merely as an intermediary before sending it to the intended non-EU outside party; and
• The corporate internal policies must not only be binding in law but must also be binding in practice (e.g. internal corporate education, audits and sanctions). Data subjects must be able to enforce compliance.

The EU Working Party report is a step in the right direction for multinationals. However it stops short of providing a template internal policy that would guarantee compliance with the Directive. Herbert Smith has already provided advice to a number of well-known multinationals on global internal data protection policies.

Please click through for a copy of the EU Working Party Report

There are a number of EU Directives that impact on selling goods and services online. These include the eCommerce Directive, the Distance Selling Directive, the Data Protection Directive and the Distance Marketing of Consumer Financial Services Directive. As well as putting in place certain consumer safeguards and rights of redress, all of those Directives place obligations on sellers to provide consumers with specified information about the seller, the product/s and the consumer’s rights.

Despite the steady flow of eCommerce legislation from the EU, recent studies have shown that compliance with those Directives is poor. A study of websites from France, Germany, the Netherlands, Portugal, Spain, Switzerland and the United Kingdom revealed that more than half of the researched websites lack the mandatory information about the on-line buying procedure or consumer rights. In addition, almost half of the websites lacked a privacy policy.

It is not surprising therefore that National governments are beginning to take a close interest in websites and their compliance with eCommerce laws.

In April 2003, the OFT conducted a review of UK travel websites for breaches of a range of consumer protection legislation including the E-Commerce Regulations and the Distance Selling Regulations. This was the fifth time the OFT had participated in a 'global internet sweep'. The sweep was conducted under the auspices of the International Consumer Protection and Enforcement Network (ICPEN), a network of consumer protection authorities of 31 countries.

In May 2003, a well known website selling wine agreed at the request of the OFT to amend its terms and conditions. The OFT had concerns that certain terms did not comply with the Distance Selling Regulations including those that:

• allowed delivery to be delayed for certain products beyond the statutory 30 days or the date agreed without refund;
• prevented reimbursement of delivery charges when a consumer cancelled. The Regulations state that the full sum paid must be refunded;
• prevented re-imbursement following cancellation until certain conditions had been met. The Regulations give consumers an unconditional right to a refund following cancellation; and
• allowed cancellation to be made only by telephone or e-mail. The Regulations allow other methods too.

On 13 June 2003, the UK Office of Fair Trading (OFT) announced it had investigated a number of computer companies regarding the use of unfair terms and breaches of distance selling laws. The OFT is also currently looking at around ten other computer companies that may be breaching unfair contract or distance selling laws. In its report on Consumer IT Goods and Services in December 2002 the OFT said it would produce specific guidance to the IT sector on unfair contract terms and distance selling laws by September 2003.

The recent focus by the OFT on website compliance with consumer legislation is set to continue according to the 2003/2004 Action Plan for the OFT, released in June 2003. One of the goals of the OFT is to investigate between 1,500 and 2,000 cases under unfair contract terms, distance selling and misleading advertising law as well as the consumer parts of the Enterprise Act and to tackle breaches of the law in 250 to 300 of these cases. It also aims to lauch a campaign regarding distance selling information aimed at businesses.

The OFT is not the only UK government department that is taking a keen interest in compliance by UK websites with EU eCommerce legislation. In May 2002, the UK Office of the Information Commissioner (OIC) in conjunction with the University of Manchester Institute of Science and Technology released the findings of a study of website compliance with the Data Privacy Act 1998. The Study revealed the vast majority of websites were in breach of the Act. The new Information Commissioner, Richard Thomas, has also made it clear he is keen for the OIC to begin to engage in proactive enforcement of the Act rather than be mainly reactive as it has in the past.

On 17 June 2003, the European Commission adopted a proposal for a Directive on unfair business practices in sales to consumers. The proposed Directive forbids practices like pyramid and inertia selling. It also bans paid-for media coverage/advertorials unless it is made clear that the coverage is paid for.

The Directive lays down rules for determining whether a commercial practice is unfair. Its aim is to define a limited range of "sharp practices" which are prohibited EU-wide. The Directive prevents Member States from imposing additional requirements. The proposal provides a general test for unfair practices as well as defining two specific types of unfair commercial practice in more detail - "misleading" and "aggressive" practices.

Please click through for a copy of the proposed Directive

Business may to some extent have been lulled into a false sense of security by the failure of the UK government in the past to wield a big stick to enforce compliance with the range of eCommerce legislation. It appears that now the tide is turning. The UK government may still be a long way from imposing large fines or other sanctions on the private sector for non-compliance but some government departments are not hesitating to "name and shame" non-compliant websites. Credibility and trust are precious assets in the online business world. Adverse publicity arising from a "name and shame" exercise will be a lot more damaging to the bottom line than investing the time and effort to be compliant with eCommerce related legislation.

For more information on this or other Herbert Smith publications, please email us.