Seán Mac Cann looks at how EU legislators are ensuring that transactions based on our common currency will be under-pinned by a common regulatory treatment of online contracts.

A variant of this article was originally published in the May 2001 edition of The Law Society Gazette, the official journal of the Law Society of Ireland.

The European Council held in Lisbon on 23/24 March 2000 set an ambitious objective - namely, that Europe should become the most competitive and dynamic economy in the world. These lofty objectives needed to be founded on, among other things, EU-wide legal consistency in the key area of providing a consistent regulatory framework for online contracts. Legally, the scale of this undertaking was complicated from the outset by much residual commercial and consumer mistrust of the very concepts of (1) online contracts and (2) electronic signatures. Whilst the EU's legislators have addressed such text-book legal issues as a fundamental necessity, they are further working to ensure that a shared regulatory context for online contracts will deal comprehensively with practical legal issues such as (3) on-line consumer protection and (4) on-line fiscal policy. This article summarises some key legal developments in each of the foregoing areas.

1. Legal Status Of On-Line Contracts

Apart from some classes of contracts falling under residual aspects of the Statute of Frauds (or equivalent) in various jurisdictions; e.g. in Ireland, in England & Wales and in the US; and apart from other isolated instances where paper may still be mandatory (e.g., wills, codicils, other testamentary instruments, trusts and powers of attorney); it is trite law that a contract may be validly formed online. Nonetheless, Article 9 (1) of Directive 2000/31/EC (the "E-Commerce" Directive) is explicitly worded:

"…Member States shall ensure that their legal system allows contracts to be concluded by electronic means. Member States shall in particular ensure that the legal requirements applicable to the contractual process neither create obstacles for the use of electronic contracts nor result in such contracts being deprived of legal effectiveness and validity on account of their having been made by electronic means."

This un-exceptional iteration of an existing principle is nonetheless welcome - in the wider commercial arena, it is likely to neutralise some of the alarmist debate that might otherwise have been permitted to cloud this issue.

All of the E-Commerce Directive's provisions are to be implemented into domestic laws before 17 January 2002.

2. Legal Status Of Electronic Signatures

Article 2 of Directive 1999/93/EC (the "Electronic Signatures" Directive) defines an "electronic signature" as "… data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication …".

In keeping with the Directive's principle of technical-neutrality, this is a generic definition. Logically, it could encompass signing methods as diverse as a typed name at the end of an e-mail, a biometric method (such as iris or voice recognition), a personal identification number ("PIN"), a full digital signature (see post), or a smart card etc. Ironically, certain of those methods might need to be supported by "low-tech" extrinsic corroborative evidence (such as paper-based evidence) of a signatory's identity and intent.

That is why the Electronic Signatures Directive makes additional provision for "advanced electronic signatures" that are "… uniquely linked to the signatory … [and] … capable of identifying the signatory …". These are more widely known as "digital signatures". Their raison d'être is nothing less than the holy grail of e-commerce - intrinsic authentication and verification of an online signatory's identity and intent, respectively - without any need for supporting extrinsic evidence.

Article 5 of the Electronic Signatures Directive directs Member States to ensure that digital signatures shall "… satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and are admissible as evidence in legal proceedings…"; and that "… an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form …".

All of the Electronic Signatures Directive's provisions are to be implemented into domestic laws before 19 July 2001. (Ireland's Electronic Commerce Act, 2000 has implemented the provisions of the Electronic Signatures Directive.)

2.1. How Do Digital Signatures Work?

A digital signature uses large numbers called "keys". Typically, a sender (the signatory) and a recipient at either end of a communication channel will each have both a "public" and a "private" key. The sender signs (encrypts) a message / contract with the sender's private key; and the recipient decrypts the message / contract, using the sender's publicly-available key. Since, in IT terms, it is "computationally infeasible" to derive someone's private key from knowledge of that person's public key, it follows that the recipient cannot "forge" the sender's digital signature.

2.2. Final Judgment On Digital Signatures?

As noted, the Electronic Signatures Directive is scrupulous about maintaining parity of legal validity between "advanced" digital signing and generic electronic signing / authentication mechanisms. However, the un-avoidable downside to this principle of technical neutrality is that the Electronic Signatures Directive primarily gives but negative clearance to new technologies - each particular technology will still have to prove its worth - to businesses and to the courts. At the time of writing, there has been no such authoritative judicial imprimatur on digital signatures. However, since legal validity is a question of technical fact, it is possible to predict the court's attitude by looking at the technical facts of how a digital signature can be said to be "… uniquely linked to the signatory …" in the manner prescribed by the Electronic Signatures Directive. A digital signature's legal worth turns on whether or not - as a matter of technical fact - the signatory's digital signature (private key) is in fact "uniquely linked" to him / her. Is it so linked?

Bruce Schneier, a well-respected U.S. computer security expert, argues that it isn't. He explained why in a recent edition of his e-zine, Crypto-Gram:

Today … digital signatures are a fundamental component of business in cyberspace. And numerous laws … have codified digital signatures into law. These laws are a mistake. Digital signatures are not signatures, and they can’t fulfil their promise … [the] problem is that while a digital signature authenticates the document up to the point of the signing computer, it doesn't authenticate the link between that computer and … [the purported signatory].

Schneier's point is that "proof" that a signature is "genuine" in an online environment only amounts to proof that the public and private keys match - this does not prove who in fact used the private key in the first place.
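The sign-and-verify exchange described in section 2.1, together with Schneier's point just made, as an added worked example that is not part of the original article. It uses Go's standard-library Ed25519 signature scheme, which has distinct signing and verification operations rather than the encrypt/decrypt description used above; the party names, the contract text and the "copied key" scenario are all constructed for illustration. The code shows the three things verification can establish (the text is unaltered, the signature matches this public key, a different key does not verify) and the one thing it cannot: a copy of the private key, however it left the signatory's computer, produces a signature that is byte-for-byte identical to the genuine one, so the recipient can prove only that the keys match, not who operated the key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is a contracting party holding a key pair. The private key stays
// inside the struct; the public key is what counterparties are given.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair for the named party.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over the contract text with the
// signatory's private key (the "signing" step of section 2.1).
func (p *Party) Sign(contract []byte) []byte {
	return ed25519.Sign(p.priv, contract)
}

// ExportPrivateKey returns a copy of the raw private key. It exists only to
// model a key that has been copied off the signatory's computer; a real
// deployment would keep the key on a smart card or in a custody service.
func (p *Party) ExportPrivateKey() ed25519.PrivateKey {
	return append(ed25519.PrivateKey(nil), p.priv...)
}

// FromPrivateKey builds a Party from raw key bytes: whoever holds the bytes
// can sign exactly as the original signatory.
func FromPrivateKey(name string, priv ed25519.PrivateKey) *Party {
	return &Party{Name: name, Pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

// Verify is everything a recipient can do: check that the signature over
// this exact text matches this public key. It says nothing about who
// operated the private key.
func Verify(pub ed25519.PublicKey, contract, sig []byte) bool {
	return ed25519.Verify(pub, contract, sig)
}

// SameSignature reports whether two signatures are byte-identical. Ed25519
// signing is deterministic, so a copied key yields an indistinguishable
// signature.
func SameSignature(a, b []byte) bool {
	return bytes.Equal(a, b)
}

func main() {
	alice, err := NewParty("Alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewParty("Bob")
	if err != nil {
		panic(err)
	}

	// Constructed sample contract text.
	contract := []byte("Constructed sample: Alice agrees to supply 100 widgets to Bob for EUR 5,000.")
	sig := alice.Sign(contract)
	fmt.Println("genuine signature verifies:      ", Verify(alice.Pub, contract, sig))

	// Any change to the text, however small, breaks verification.
	altered := []byte("Constructed sample: Alice agrees to supply 100 widgets to Bob for EUR 500.")
	fmt.Println("altered contract verifies:       ", Verify(alice.Pub, altered, sig))

	// Bob's public key does not verify Alice's signature.
	fmt.Println("verifies under Bob's key:        ", Verify(bob.Pub, contract, sig))

	// Schneier's point: the recipient cannot tell Alice's own signature from
	// one made by anyone else holding a copy of her private key.
	holder := FromPrivateKey("unknown holder of Alice's key", alice.ExportPrivateKey())
	sig2 := holder.Sign(contract)
	fmt.Println("signature by key copy verifies:  ", Verify(alice.Pub, contract, sig2))
	fmt.Println("indistinguishable from Alice's:  ", SameSignature(sig, sig2))
}
```

Run with `go run .`; the first and last two lines print `true`, the middle two `false`. The design keeps `priv` unexported and routes every use of it through `Sign`, so the only way to sign as a party is to hold that party's key bytes, which is precisely why the later paragraphs turn to smart cards and custody services for the key.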

Does this mean, then, that the Electronic Signatures Directive is mistaken by opting to expressly recognise digital signatures?

Probably not. It is unduly alarmist to contend that digital signatures do not work and that the laws are a mistake. The bottom line is that, so long as you follow best practice in restricting access to your private key, it is safe to sign online.

The nub of the issue, as Schneier correctly notes, is that a digital signature does not authenticate the link between a computer and a purported signatory. However, the vulnerability of that person-to-PC link can be remedied by ancillary methods. An obvious method is to remove the private key from the computer and store it on a smart card. The smart card should itself be secured by a PIN and / or a biometric device. Equally, the private key can be taken off the computer and stored in a physically-secured proxy service where responsibility for safe storage of the private key passes to a reputable third-party organisation.

Admittedly, such methods (there are others) do not entirely eliminate the vulnerability of that person-to-PC link. But this does not mean that the laws are mistaken. The real-world issue is whether that link, when secured by such an ancillary method - a smart card or a proxy service - would persuade a court that it was secure enough to be a valid digital signature. Commercial law is, after all, informed by reasonableness and practicability - courts understand that there is no technological "silver bullet". Schneier himself readily accepts that "security is a process, not a product".

To further the point, compare a digital signature with the working realities of the paper world. In classical legal theory, contractual signatories in the paper world should all sign one original document in the presence of all the signatories.

In the writer's experience, this rarely happens. Instead, one party will sign, and the paper document will be passed to the remaining signatory or signatories (who may be in separate locations or countries). Whilst all signatories will eventually receive a counterpart copy, the working reality is that ink signatures are accepted without active verification.

The fact that paper documents and signatures are at least as susceptible to fraudulent manipulation as their online equivalents has never been a bar to their acceptance in business as being legally-binding.

To put it another way, no one blindly accepts any document simply because it is signed in ink. Instead, the decision to accept a paper document is always taken in a wider business context. Equally, in the online world, the onus will still be on users to manage their authentication and security solutions.

3. On-Line Consumer Protection

3.1. Web-Based Retail Contracts

The E-Commerce Directive makes explicit provision for web-based retail contracts. Article 10 of that Directive requires that, before any order is placed, a web-based retailer must "… clearly, comprehensibly and unambiguously …" provide the following information:

  • the different technical steps to follow to conclude the contract;
  • whether or not the concluded contract will be filed by the service provider and whether it will be accessible;
  • the technical means for identifying and correcting input errors prior to the placing of the order;
  • the languages offered for the conclusion of the contract;

and must further ensure that the contract terms and general conditions provided to the recipient will be made available in a way that allows the recipient to store and reproduce them.

Article 11 of the E-Commerce Directive further provides that:

  • the service provider has to acknowledge the receipt of the recipient's order without undue delay and by electronic means;
  • the order and the acknowledgement of receipt are deemed to be received when the parties to whom they are addressed are able to access them; and
  • the service provider must make available "appropriate, effective and accessible" technical means sufficient to allow the recipient of the service to identify and correct input errors, prior to the placing of any order.

The E-Commerce Directive notes that many of these stipulations would not be applicable to contracts " … concluded exclusively by exchange of electronic mail…"; and also provides for derogation rights therefrom when this is "… agreed by parties who are not consumers …".

3.2. Practical Legal Points For Web-Retailers

Various common-sense legal points, whilst not always explicit in the Directive, flow from the foregoing stipulations. Some obvious points:

  • Do not place terms and conditions in pages using technology (such as Java) that may be disabled in the user's browser - pages containing standard terms and conditions should be written in HTML.
  • Design your site so that the terms and conditions page cannot be bypassed - either from the home page (as a result of sloppy navigation design); or by hyper-text linking; or by book-marking.
  • The terms and conditions should appear in the "order" page - not in the "confirmation" page.
  • One term should state that goods / services are being advertised - not offered - to prospective purchasers. This ensures that the seller retains the discretion to accept or reject the order. Otherwise, a goods / services provider may find itself inadvertently bound into contracts that it may not either be able to, or wish to, carry out.
  • A scroll-down presentation of terms and conditions is acceptable; subject always to compliance with the "Red Hand" rule (see below).
  • The Red Hand rule - few people bother to read online terms and conditions. At best, such terms and conditions receive a cursory once-over. Since most online terms seem to have been plagiarised from a common source(!), contracting parties do not expect to encounter any unusually onerous terms. The so-called Red Hand rule stipulates that unusual or unusually onerous clauses should be sufficiently detached from the bulk of the terms and conditions to make them noticeable. Some jurisdictions require that such clauses be separately signed by the party who is intended to bear the burden of the obligations therein.

Best practice dictates that all such clauses should have a specific "accept" button; and, ideally, a facility (such as appears on Napster's site) whereby one cannot proceed until one has at least scrolled through all the clauses.

3.3. Choice Of Jurisdiction And Law In On-Line Consumer Contracts

Existing choice of jurisdiction and choice of law legislation (primarily contained in various multi-lateral treaties) is unaffected by the E-Commerce Directive. Whilst there is room for debate about the extent to which existing geographically-derived criteria can or ought to be applied on-line, it is arguable that any term purporting to deprive consumers of the right to seek the protection of their own courts would be struck out as being unfair under Directive 93/13/EEC on Unfair Terms in Consumer Contracts.

However, such theoretical assurances notwithstanding, the EU and the US Federal Trade Commission have, in late December 2000, issued a joint statement endorsing dispute resolution as a practical and first-preference method of resolving on-line consumer contractual disputes.

3.4. Distance Selling

Directive 97/7/EC for the protection of consumers in respect of distance contracts (the "Distance Selling" Directive) should have been implemented by all member states by 4 June 2000. The Distance Selling Directive applies only in a retail context and focuses on: (1) sales effected when seller and buyer do not meet face to face; and (2) unsolicited direct marketing by post or email. This Directive obliges long-distance sellers to provide prescribed information and a cancellation right. In the related area of un-solicited direct e-mail marketing, or "spam", the Distance Selling Directive gives member states a choice - they can either forbid their retailers to send such un-solicited mails unless consumers had indicated in advance that they wished to receive it (opt-in) or allow it unless consumers made it clear they did not wish to receive it (opt-out).

However laudable such Directives may be, there is emerging evidence that stipulations contained therein or derived therefrom are simply not being adhered to - in March 2001, the UK's Office of Fair Trading launched a "Consumer and Business Awareness" campaign in the wake of a survey that revealed that most of over 600 UK retail web-sites surveyed failed to comply with essential articles of the Distance Selling Directive.

4. On-Line Fiscal Policy

On June 7, 2000, the European Commission launched a proposal to change the EU Value Added Tax ("VAT") regime for e-commerce operators. The Commission had previously stated, in a working paper of June 1999, that a new VAT regime for direct e-commerce should be clear and consistent (providing legal certainty), simple (keeping the burdens of compliance to a minimum), neutral and non-discriminatory. International cooperation would be necessary to prevent distortions in competition between e-commerce companies inside and outside the EU.

The proposal made an important distinction between direct and indirect electronic commerce. Indirect electronic commerce concerns electronic ordering and the subsequent physical delivery of goods (e.g. ordering CDs over the Internet that are subsequently physically supplied). Direct electronic commerce concerns electronic ordering and the subsequent electronic delivery of the ordered product or service. Since the EU VAT regime follows the actual flow of goods, indirect electronic commerce that still involves physical delivery of goods would not have raised any substantive new issues. Accordingly, the proposal focussed on the supply of direct, or "digital" electronic goods and services.

The proposed legislation would have required non-EU sellers to collect VAT on sales of digital products and services to consumers in Europe. However, this proposal has seemingly been abandoned in the face of widespread opposition from both within and outside the EU. US businesses expressed concerns about the practicability of requiring US companies with no physical European presence to act as tax-collectors within the EU. Equally, many European commentators felt that the proposal to require non-EU companies to register for VAT in only one EU country was un-workable - given that internal EU VAT rates varied by as much as 10%, the non-EU company would inevitably register in the lower-rate country. Far from being "non-discriminatory", this could only tend to exacerbate inequalities.

The European Commission is currently re-working the proposals.

5. Conclusion

Given the high-tech and supra-national nature of the subject, it is perhaps understandable that the resulting body of EU legislation is long on statements of principle - and somewhat shorter on detailed implementation guidelines (as in VAT or digital signatures), or on practical enforcement guidelines (as in the patchy adherence to the provisions of the Distance Selling Directive). Paradoxically however, the strength of the various EC Directives lies in their lack of grainy detail - in an evolving market-place, an excess of premature detail is the stuff of policy and technical dead-ends; and there is arguably sufficient common political will throughout the EU to ensure that any such currently-outstanding details will be agreed upon and implemented in the near future.

Seán Mac Cann is Legal & Operations Manager at Vordel Limited in Dublin. Vordel specialises in XML-based cohesion technologies for eBusiness.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.