ADM blue paper: The conflict between theory and reality. Legal aspects of e-commerce

Transcription

1 ADM blue paper: The conflict between theory and reality Legal aspects of e-commerce

2 Contents Legal aspects of e-commerce... 3 e-commerce Presentation by Patrick Van Eecke - DLA Piper... 4 e-privacy Presentation by David Lenaerts Deloitte... 5 e-signature Presentation by Georgia Skouma Deloitte... 6 e-money Presentation by Maarten Truyens DLA Piper... 7 e-invoicing Presentation by Lieven Woets KPMG Tax Advisers... 8 e-archiving Presentation by Patrick Van Eecke - DLA Piper

3 Legal aspects of e-commerce Gradually, more and more organizations are making use of the opportunities offered by e-commerce. However, it will still be a while before everything operates digitally both on the business side and the customer side. Moreover, the legislation on e-commerce cannot always keep up with the ever-changing reality. For companies that want to digitize their business, it is sometimes unclear what the legal obligations and potential risks are exactly. This is the reason for putting together this summary of the current position. The info session on Legal aspects of e-commerce, held on 28 September 2010, presented a concise overview of the current opportunities, legal guidelines and potential pitfalls of e-commerce. This session was also the last in a series of five sessions organized by the Legal Counsel working group in 2009 and During these meetings the members of the working group (lawyers) were informed about different technological innovations and they discussed the legal aspects of these. In this summary, there is a list of the main points of interest for each of the subjects dealt with: e-commerce Presentation by Patrick Van Eecke - DLA Piper e-privacy Presentation by David Lenaerts Deloitte e-signature Presentation by Georgia Skouma Deloitte e-money Presentation by Maarten Truyens DLA Piper e-invoicing Presentation by Lieven Woets KPMG Tax Advisers e-archiving Presentation by Patrick Van Eecke - DLA Piper The presentations themselves can be found on the ADM extranet. 3

4 e-commerce Presentation by Patrick Van Eecke - DLA Piper Starting around the year 2000 there has been more and more legislation on e-commerce. Many new rules were established at the European level. At the national level too including in our country a parallel legal framework was created, which covered the protection of personal privacy, electronic signatures and the claiming of domain names. However, many companies are unclear about which rules they have to comply with in order to do e-commerce legally. What are your rights and obligations for online business? In any event, there are some rules of thumb: Information on the website (such as contact details and price information) must be simple, direct and accessible at all times. Digital contracts must be available in the same language as the website. The visitor must always be able to go back a step when entering into a contract. The customer must receive a confirmation of his or her order. If there is a problem, the onus of proof lies with the e-shop, not with the customer. A new law since September 2010: the customer has 14 days (instead of the earlier period, one week) in which to cancel his or her purchase. The copyright on original and personal creations lasts for 70 years after the death of the author. Copyright does not just apply to images and texts, but also to audiovisual files, music, software, multimedia, databases, etc. Be careful about freeware and the layout designs of websites these may also be copyrighted. When posting a picture online, take into account the copyright and also the portrait rights of the persons in the picture. Copyright can also apply to famous buildings or objects (e.g. the Atomium, the Barcelona chair). Sending advertising by is permitted only with the explicit permission of the contact persons. You are allowed to send advertising by to existing customers to offer similar products and services. Sending commercial messages by to the general addresses of companies and organizations (e.g. an info@... address) is also permitted. The recipients of advertising sent by must have the option of unsubscribing to the mailing list. Advertising to mobiles devices is still fairly limited due to the restricted length with advertising through sms, the customer must again be comprehensively informed. Advertising through sms is permitted only with the explicit permission of the customer. 4

5 e-privacy Presentation by David Lenaerts Deloitte One big advantage of e-commerce is the opportunity to collect information about customers and prospects. In this context, it is important to collect and store personal data in a legal way. E-privacy is very important for the reputation of your company. The Privacy Commission will increase checks on e-privacy. This is already the case in other EU countries. The public is increasingly aware of the fact that their personal data can be used by companies. By paying attention to e-privacy, you give consumers more confidence. Privacy tools can improve data management. In this way, efficiency increases and costs decrease. Personal data: any information relating to an identified or identifiable natural person. Details such as race or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, sex life, health records or litigations submitted to courts. or criminal record, are considered sensitive information and should not, in principle, be used for e- commerce. Personal data may be used only with the permission of the customer or as far as is necessary to comply with a contract, e.g. to deliver a package. The data may not be stored for longer than is necessary for the purpose for which they were collected. Access to personal data should be restricted to your own staff, according to the position that they have in the organization. Take sufficient measures, both at the organizational and technical level (e.g. using a firewall), for preventing the loss, alteration or misuse of personal data. The new European e-privacy guidelines must be incorporated into Belgian law by May This will mean that not only must a visitor to a website be informed about the use of cookies, but the visitor must also give permission for their use. How the guidelines will be practically implemented in Belgium is not yet clear. The customer has the right to correct, block or delete his or her stored personal data. Provide a clear point of contact for this. Personal data may be circulated within the EU and other countries that have an adequate level of protection of personal data without additional conditions. Transfers to other countries are only possible if one respects additional legal protection measures, such as concluding an EU model contract, US Safe Harbor, Binding Corporate Rules or other conditions provided by the Privacy Law. It is important to think about e-privacy at the start of e-commerce activities: privacy by design. It may become compulsory to inform people and/or the Privacy Commission in the case of illegal access to or the loss of personal data ( data breach notification ). 5

6 e-signature Presentation by Georgia Skouma Deloitte An electronic document has the same legal validity as a paper document if you can prove that the file has not been changed and that it is the original version. The digital signature also plays an important role here. A digital signature has legal validity under the same conditions as a signature on paper. These parameters are the date of the signature (which is important in employment contracts, for example), the identity and the commitment of the signatory. Because of these parameters, not all forms of digital signature are equally valid. Only the Qualified Electronic Signature (QES) is considered to be the equivalent of the handwritten signature, but even then its validity is debatable. For the other categories of electronic signatures, the equivalence must be explicitly proved with the help of specific tools, such as certificates. Some digital signatures are legally recognized: the signature with an eid, an signature combined with other proof, the signature of a company so not a natural person Ask yourself a number of crucial questions before you, as an organization, begin to use digital signatures: Is there a legal reason for the implementation of a digital signature? Is there a business reason for the implementation of a digital signature? Do the mandatory obligations allow digital signatures? Should the digital signature take into account specific requirements in the business context? Is the preferred type of digital signature generally accepted for the specific types of transactions for which they will be used? Is the creation of a digital signature a component of a broader context of signing? Can the digital signature provide a better solution than other forms of authentication? How much will it cost? 6

7 e-money Presentation by Maarten Truyens DLA Piper In the future, digital business will undoubtedly become simpler. Through more unambiguous legislation, through partners and customers changing over to digital communication, and also through new possibilities for paying online. e-money also offers many opportunities for simplifying e- commerce. In the standard scenario, the trader has to conclude a contract with a payment processor, such as Ogone or Atos, and with a banking institution. There are no specific rules for the usual credit card transactions. But there are new rules for payment options. Moreover, since May 2010 it is no longer prohibited to ask consumers to pay in advance for an online transaction. The problem is: the usual online payment with a credit card is intrinsically an unsafe method of payment. That s why there are more and more opportunities for paying with digital money (e-money). Here the money is kept in a so-called digital wallet. Of course, the user has to make sure that there is actually enough money available by filling the wallet through a bank transfer. People are trying to stimulate initiatives on e-money both at the European and at the national level. This is can be done by imposing less stringent requirements for the establishment of an e-money bank'. On the other hand, the potential activities and investments of these initiatives are also more limited than those of real banks. So far there have been few players in this e-money market. Currently the only big European success story is PayPal, and in the meantime this has become a fully fledged bank. At the national level, there have been a couple of successful initiatives, including Proton and ChipKnip (in the Netherlands). Meanwhile, a couple of stumbling blocks have been removed, amongst others by a broader definition of e-money and the possibility of developing business activities. Still, there remain a number of obstacles, such as too great a difference in the legislation on waivers in the different countries. But in any case, the market for e-money is in flux. So there are already many new trends: App shops: Apple itunes, Google Android Market, BlackBerry App World, Nokia Ovi store, Java shop, Platform credits: Nintendo Wii, Sony PlayStation, Microsoft Xbox, Facebook Credits. P2P payments. Payments through a mobile device. 7

8 e-invoicing Presentation by Lieven Woets KPMG Tax Advisers The VAT legislation on electronic invoicing has changed recently. However, the new legislation has not removed all the stumbling blocks. Potential problems and ambiguities relating to electronic invoicing: Currently a digital invoice does not automatically have the same legal validity as a paper invoice. The method used for e-invoicing must always prove the authenticity and the integrity of the invoice. There are no guidelines for what is and what is not acceptable, so that both suppliers and customers are unclear about whether they are complying with the legal requirements. The recipient of the digital invoice must agree to e-invoicing. In practice, implicit agreement is probably accepted by the tax authorities, e.g. by informing the consumer of the general conditions beforehand. For transactions that fall under the VAT rules of another EU country, Belgian companies must apply the rules of that country. However, this is not always possible (in an efficient way). Specific obligations relating to the archiving of digital invoices: The authenticity and integrity must be guaranteed during the entire storage period. Digital invoices must also be stored electronically (so not printed and stored in a paper archive). The data that guarantee the authenticity and integrity must also be archived. The new guideline that comes into force on 1 January 2013 should remove a number of the stumbling blocks cited above by equalizing the requirements for digital and paper invoices. However, this will not happen by placing less stringent requirements on digital invoices, but by strengthening the rules for paper invoices. These will be subject to the same requirements for proving the authenticity of the origin and the integrity of the content. Companies will be free to choose the way in which they do this. They can themselves build in the necessary business controls to create a secure audit trail between the invoicing and the delivery or receipt of goods or services. Guarantee authenticity and integrity. The recipient of the digital invoice still has to agree to e-invoicing. The stringent conditions relating to archiving remain in place. 8

9 e-archiving Presentation by Patrick Van Eecke - DLA Piper The legislation on electronic archiving shows little consistency and is a complex mishmash of legal requirements. In any case, long-term storage is a technological challenge because of the constantly changing file formats and the validity of electronic signatures. An electronic document that is secured or signed in a legal way today may not be that in five years time because the technology that was used is no longer watertight. The legislation did not take this risk into account. Another problem is the lack of a homogeneous European legal framework. This means that it is very difficult for multinationals in particular to comply simultaneously with all the various national laws. What is crucial for businesses is the minimum and maximum storage period of digital documents. In principle, files that contain personal data (and these can also be s and contracts) must be removed if they are no longer necessary for the purpose for which they were originally created. However, it is not always clear was necessary means exactly. Selective removal (e.g. within large archives) can be achieved, for instance, with the help of metadata. In addition, there are other factors that make e-archiving complex: Storage outside the EU is not always permitted. Now that we are working more and more with the Cloud, this is not always realistic. What do you do with data that are stored on servers in Singapore? Documents of the same type can still have different storage time limits. The legal requirements relating to security are not clear. The access rights to stored information. Moreover, legal claims based on digital documents must be submitted within a certain period. The period is then again dependent on the type of document. For instance, employees contracts can be challenged up to a year after the end of the agreement. Documents for the support of claims relating to property may be used for 30 years after their creation. The period relating to the possible submission of claims obviously means an equally long period for the storage of the documents involved. s and information from traffic may only be stored to prove a commercial transaction or a business communication. Moreover, the parties involved must be informed of the registration, the purpose and the duration of the archiving. The data must be deleted if no more claims can be submitted in relation to the transaction or communication. Telecommunications: the data from telephony, mobile and Internet traffic must be deleted as quickly as possible. The only exception is information relating to invoicing, your own direct marketing and data that are necessary for fraud investigations. 9

10 New legislation on the way A new bill on e-archiving has already been drawn up but due to the fall of the Belgian government in summer 2010 it had still not been passed at the time of writing. When the bill gets the green light, everyone will be free to offer e-archiving services, provided this happens in a secure way. If companies ensure that they comply with the legislation, then they will be able to offer digital archiving services to other organizations. 10

11 This paper came into being thanks to the cooperation of DLA Piper, Deloitte, KPMG and the members of the ADM Legal Counsel working group. Special thanks also to the coordinators of this working group: Patrick Van Eecke, Partner DLA Piper and David Lenaerts, Sr. Consultant Deloitte.. ADM