Legal aspects of the Digital Single Market

Transcription

1 Legal aspects of the Digital Single Market Current framework, barriers and developments Martine Wubben LLM MA Bart W. Schermer PhD LLM Deniece Teterissa

2 Legal aspects of the Digital Single Market Current framework, barriers and developments January 2012 is essay was commissioned by the Ministry of Economic Affairs, Agriculture and Innovation of the Netherlands. e essay does not, however, express the Ministry's official views. e views expressed and all conclusions drawn are those of the authors. Martine Wubben LLM MA Bart W. Schermer PhD LLM Deniece Teterissa Considerati Postbus KE Amsterdam the Netherlands 2

3 Management Summary ICT in general and the Internet in particular have opened new possibilities for cross-border commerce. While e- commerce has grown spectacularly over the past decades, Europe is still a patchwork of national online markets. As a result, the consumption of goods and services as well as commercial and cultural content, is in large parts still limited to national markets. In part, this can be attributed to legal barriers. is essay explores the current legal framework for e-commerce in Europe. Five topics that are of key importance for trust in cross-border e-commerce are discussed. ey are: 1) General e-commerce legislation 2) Online contracts and consumer law 3) (Online) dispute resolution 4) Personal data protection 5) Electronic signatures For each of these topics, existing legal barriers for consumers and retailers are identified. Finally, the latest legal developments are described. General e-commerce legislation e e-commerce Directive is the foundation of e-commerce legislation in Europe. While stakeholders recognise the importance of the Directive for e-commerce in Europe, they do signal issues when it comes the application of the Directive. In particular, the fragmentation resulting from diverging national implementations is troublesome. Furthermore, clarification of the rules on the liability of intermediary service providers in the light of new services and technologies seems necessary. Online contracts and consumer law In the area of contract law and consumer protection, legal barriers mainly flow forth from the fact that national law still pre-dominantly governs contract law, and that European harmonisation of consumer protection law is based on minimum harmonisation. In 2011, two Directives (97/7/EC and 85/577/EC) were updated and integrated into a single Consumer Rights Directive (2011/83/EU). Furthermore, a Proposal for a Regulation on Common European Sales Law was introduced. is is an optional instrument, however. e question remains whether the trader and the consumer will choose to apply the optional instrument. (Online) dispute resolution A lack of harmonisation of the current legal framework governing the out-ofcourt settlement of disputes has led to a fragmented ADR and ODR landscape. While more than 750 different ADR schemes currently operate in Europe, their success is mainly limited to a national context. Fragmentation has led to a lack of awareness and difficulties for consumers and businesses to choose the appropriate system for their cross-border disputes. While the harmonisation of rules for ADR via a new Directive and the creation of a new ODR system via a Regulation will strengthen the uptake out-of-court settlement of disputes, the fact that legislation governing contracts 3

4 and civil procedures still vary across Europe presents difficulties for further uptake of ADR and ODR. Personal data protection Trust in the fairness, legitimacy and security of data processing is of vital importance for the success of (crossborder) e-commerce. Although the introduction of a uniform, harmonised European system in 1995 has strengthened the internal market and provided higher levels of protection for European citizens, the Directive is not flawless. Differences between national implementations of the Data Protection Directive have led to r i s i n g c o m p l i a n c e c o s t s a n d administrative burdens for data controllers, hampering cross-border trade. is problem is magnified by different approaches to enforcement by national Data Protection Authorities. Furthermore, limited awareness about the rights and obligations under the Data Protection Directive undermines consumer trust. To truly harmonise data protection in Europe, a new proposal for a General Data Protection Regulation will be released. e draft of this proposal shows an ambitious framework for the future of data protection of Europe. However, given the far-reaching implications for data controllers, the draft was met with quite some criticism. Electronic signatures e uptake of electronic signatures as a means of trust in cross-border e-commerce has been limited. is is mainly due to the vagueness in the current legal framework, questions about liability, limited interoperability, complexity and costs associated with the use of electronic signatures. It is necessary that any new legislation remains technology neutral, strives to avoid acting as a barrier or a slowing factor in developing new or improving existing solutions and focuses on services that are likely to be used in cross-border scenarios where mutual legal recognition and clear legal effect presents a certain added value. Practical guidance based on good standards in addition to legislation is also necessary to ensure that the rules of the internal market can be applied correctly and homogeneously. Supervision and certification of certification service providers should be harmonised in the EU. In all the topics we see that the legal barriers identified primarily arise from the fact that the legal framework in Europe is still a patchwork of national laws and regulations. Divergences exist not only in areas which have not been regulated by EU law, but also in areas which have been partially harmonised at the EU level on the basis of minimum harmonisation. is has left room for different national approaches to legislation. Differing legal regimes and interpretations of supervisory bodies throughout Europe further raise the costs of compliance for retailers and undermine the trust of consumers in cross-border e- commerce. 4

5 Table of contents 1. Introduction Problem statement Research goal Methodology Overview General e-commerce legislation Current legal framework Barriers Developments Interim conclusions Online contracts and consumer protection Current legal framework Barriers Developments Interim conclusions (Online) dispute resolution Current legal framework Barriers Developments Interim conclusions Data protection Current legal framework Barriers Developments Interim conclusions Electronic signatures Current legal framework Barriers Developments Interim conclusions Conclusions

6 6

7 1 Introduction e EU Single Market, the common area of the 27 EU Member States where goods, services, capital and persons can move freely, forms the core of the European Union. Between 1992 and 2006 the Single Market generated 2.75 million jobs and 2.15% of extra growth for the European economy. 1 Currently, 21 million European companies cater to 175 million jobs and supply 500 million consumers in the Single Market. 2 As such, the Single Market is of great impor-tance for the future prosperity and welfare of all Europeans. ICT has facilitated the growth and integration of the Single Market. e ICT sector itself is directly responsible for 5% of European GDP, with a market value of 660 billion annually. Furthermore, it contributes significantly to overall productivity growth (20% directly from the ICT sector and 30% from ICT investments). 3 e Internet in particular has allowed businesses, governments and consumers to communicate and interact faster, cheaper and more efficient. e Internet has also allowed for new forms of e-business and e-commerce, enabling consumers to access goods and services from all over Europe. e Internet eco-nomy creates 2.6 jobs for every offline job lost and the gains brought by lower online prices and a wider choice of available products and services are estimated at EUR 11.7 billion, equivalent to 0.12 % of European GDP Problem statement While e-commerce has grown spectacularly over the past decades, Europe is still a patchwork of national online markets. As a result, the consumption of goods and services as well as commercial and cultural content is still predominantly limited to national markets. e volume of crossborder e-commerce transactions lags far 1 Barnier, M. (2006), A Single Act of Togetherness, in: Public Service Review European Union: issue 22, p European Commission, DG Internal Market and Services (2010), Your Digital Market? Single Market Act for a highly competitive social market economy, Luxembourg: Publications Office of the European Union, p Communication from the European Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Digital Agenda for Europe, Brussels, COM(2010) 245, 19 May 2010 (Digital Agenda for Europe), p Commission Staff Working Paper, Online services, including e-commerce, in the Single Market, Accompanying the document: Communication from the Commission to the European Parliament, the Council, e European Economic and Social Committee and the Committee of the Regions, A coherent framework to boost confidence in the Digital Single Market of e-commerce and other online services. 7

8 behind the e-commerce volumes within national markets. As part of the Digital Agenda, the European Commission aims to have 20% of European consumer buying online cross-border by Stimulating the growth of a Digital Single Market means removing the barriers that currently exist. ese barriers are technical, cultural, and legal in nature. In this essay we will focus on the legal barriers. An important barrier for the further development of cross-border e-commerce is a lack of harmonisation in the legal framework for e-commerce. 6 Divergences exist not only in areas which have not been regulated by EU law (e.g. general contract law), but also in areas which have been partially harmonised at Union level on the basis of minimum harmonisation (e.g. consumer protection law). 7 is has left room for different national approaches to consumer protection legislation. Differing legal regimes and interpretations of supervisory bodies throughout Europe raise the costs of compliance for retailers and undermine the trust of consumers in cross-border e-commerce. 8 Apart from an effective and efficient legal framework for current forms of crossborder e-commerce, we should also look towards the future and ensure that the legal framework also facilitates new market opportunities for new types of content. 9 e twofold problem statement for this essay is thus formulated as follows: What legal obstacles do retailers and consumers experience when it comes to cross-border e-commerce? How are these obstacles addressed in the current legal framework and/or proposals for changes to the legal framework for e-commerce? 1.2 Research goal e goal of this essay is to give an overview of the current legal framework for crossborder e-commerce in Europe, describe regulatory developments, and outline the legal obstacles retailers and consumers face when it comes to cross-border e-commerce. As such, this essay will fuel the discussion on what regulatory and legislative steps need to be taken to further stimulate the (Digital) Single Market in Europe and reach the ambitious goals set in the Digital Agenda. is essay focuses on business-to-consumer (B2C) cross-border commerce. To a lesser extent the consumer-to-consumer (C2C) market is taken into account. 1.3 Methodology is essay is descriptive in nature and gives a state of play based on desk research and 5 Commission Staff Working Paper, Digital Agenda Scoreboard SEC (2011) For instance: 31% of retailers think a more harmonised regulatory environment would boost their cross-border sales. 7 Green Paper from the Commission on policy options for progress towards a European Contract Law for consumers and businesses, Brussels, COM(2010) 348 final. 8 A small poll we did under Dutch online retailers as part of this essay showed that 14 out of 19 retailers (73%) felt that the fragmented legal framework in Europe dissuaded them from doing cross-border e-commerce. 9 Kroes, N. (2011), e Digital Agenda: Europe's key driver of growth and innovation, Speech/11/629. 8

9 interviews with relevant stakeholders. e stakeholders include Dutch representatives of consumers (Consumentenbond), retailers ( uiswinkel.org), the online market places (Overleg online handelsplaatsen), supervisory authorities (Consumentenautoriteit), and a public-private partnership aimed at stimulating e-commerce (ECP-EPN) Overview is essay explores the current legal framework for e-commerce in Europe. Five topics that are of key importance for trust in cross-border e-commerce will be discussed. ey are: 1) General e-commerce legislation 2) Online contracts and consumer law 3) (Online) dispute resolution 4) Personal data protection 5) Electronic signatures For each of these topics, an overview of the current legal framework and relevant regulatory developments is given. Subsequently, we explore the obstacles online retailers and consumers experience in relation to these topics. 10 e statements in this paper do not necessarily reflect the opinions of the individual stakeholders. 9

10 10

11 2 General e-commerce legislation Directive 2000/31/EU of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (the e-commerce Directive) is the foundation of the European legal framework for e-commerce. e internal market clause in particular, which states that the Member States may not restrict the freedom to provide information-society services from another Member State, is the cornerstone of the Digital Single Market. 11 In this chapter we address several of the key provisions of the e-commerce Directive. 2.1 Current legal framework e e-commerce Directive covers different legal aspects of the information society in general and e-commerce in particular. e Directive covers topics like applicable law, information requirements for information society services, online commercial commu-nication, (treatment of) online c o n t r a c t s, a n d t h e l i a b i l i t y o f intermediaries such as Internet service providers (ISPs). e e-commerce Directive determines that the applicable law for information society service providers is based on the country of origin. is principle, set forth in article 3 of the e-commerce Directive, stipulates that Member States must ensure that the (national) provisions of the Member State on which territory the service provider is established applies to the information society services it provides. Article 5 of the e-commerce Directive prescribes general information requirements for information society providers. It states that information society service providers have the duty to give clear and easily accessible information about their identify and contact details, including e- mail address, as well as information about trade registries. Article 6 and 7 deal with commercial communications, such as online marketing. Commercial communications should, on top of other EU information requirements, be clearly identifiable as such, as well as the identity of the sender. Article 7 addresses the issue of unsolicited commercial communication. Article 9 prohibits Member States to create obstacles for the use of electronic contracts and/or provisions in national law that result in contracts being deprived of legal effectiveness and validity on account of their having been made by electronic means. Member States must also takes measures to ensure that a service provider acknowledges the receipt of the recipient's order without undue delay and by electronic means in an accessible form, unless agreed otherwise by business parties (article 11). In addition to the aforementioned information obligations, article 10 of the e-commerce Directive establishes that, on top of other EU information requirements, certain information about the contract must be given by the 11 Commission communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A coherent framework for building trust in the Digital. Single Market for e- commerce and online services, p

12 information society service prior to the conclusion of the online order. Articles 12, 13 and 14 of the e-commerce Directive concern the conditions under which certain types of intermediary service providers are exempted from liability with regards to the information they transmit, cache or host upon the request of others. 2.2 Barriers Although stakeholders throughout Europe think the e-commerce Directive is an instrument that has promoted the development of information society services in the EU, they do identify several issues with the Directive. 12 Fragmentation Often mentioned as a specific obstacle to the development of e-commerce is the fragmentation of EU law. Many respondents considered the Internal Market clause (article 3) to be absolutely essential for the development of e-commerce within the EU, but note that there is divergence in the national implementation of the Directive that hampers harmonisation nonetheless. Some respondents called on the Commission to exercise more control over the application of the Internal Market clause. 13 Limitations of the scope Several barriers experienced by consumers concerning online trade fall outside the scope of the Directive, for example problems related to receiving and returning the goods. 14 In 2010, 16% of the EU consumers engaged in cross-border trade experienced a delay in the delivery of their order, and 5% said that their order had not been delivered at all. 15 Retailers also experience barriers when it comes to receiving and returning goods. Differences of postal systems between EU Member States cause a barrier for retailers to engage in crossborder commerce. ere is uncertainty about the costs, time, tracking possibilities and flexibility of delivering the goods. Furthermore, the core principle of the e- Commerce Directive is the country of origin principle. However, contractual obligations fall outside the scope of the country of origin principle. 16 In a study from 2006, 43% of the interviewed firms stated that cross-border sales would increase if the country of origin principle covered the contractual obligations. 17 Transparency obligations e e-commerce Directive requires online service providers to comply with several transparency obligations. From the pers- 12 Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC). 13 Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC). 14 Copenhagen Economics, Study on the Economic impact of the Electronic Commerce Directive, final report September 2007, page Flash Barometer 299, Consumer attitudes towards cross-border trade and consumer protection, Analytical report September 2010, p Article 3 (3) and Annex, Directive 2000/31/EU. 17 Flash Eurobarometer, Business Attitudes Towards Cross Border Sales,

13 pective of the retailer, these transparency obligations have mainly led to increased compliance costs, while they have provided only limited protection from the perspective of the consumer. It is suggested that the e-commerce's transparency obligations require further refinement, and may even have become superfluous. 18 ISP liability e diverging interpretations of the Articles 12, 13 and 14 by both the legislators and the courts at the national level, have led to a fragmented framework on ISP liability. is has mainly to do with the wording of the articles. First of all, it seems unclear what has to be classified as mere conduit, caching and hosting. Secondly, there are difficulties concerning the interpretation of actual knowledge in the exemption from liability of hosting service providers. 19 To assume actual knowledge some Member States require a formal procedure and official notification by authorities, while other Member States let the courts determine when an ISP has actual knowledge. 20 In part, this fragmentation of the regime for ISP liability is the result of new and changing business models. Although articles 12, 13, and 14 are considered technology neutral, they are obviuously fashioned around the classic models of ISPs. Uncertainty regarding the liability of new Internet services such as search engines, online marketplaces, social media and cloud computing services hampers the roll out of these services in Europe. 21 Finally, there is consensus in favour of harmonisation of notice-and-takedown procedures and clarity on the rules for filtering and blocking of Internet traffic. e absence of a pan-european notice-andtakedown regime leads to legal uncertainty for online intermediaries and practical difficulties for rights holders to take down illegal content. 22 e same goes for filtering and blocking. While there is no prior obligation for ISPs to monitor Internet traffic there is an increasing pressure on ISPs to take an active role in online enforcement. is has led to blockades of sites like the Pirate Bay in countries such as Italy and Finland, but a ban on blockades in for instance Germany. 2.3 Developments e Commission recognises that there are problems with the current e-commerce 18 DLA Piper, EU study on the legal analysis of a Single Market for the Information Society, New rules for a new age? November 2009, Executive summary, p Article 14 (1)(a), Directive 2000/31/EU. 20 Study on the liability of internet intermediaries, November 2007, p DLA Piper, EU study on the legal analysis of a Single Market for the Information Society, New rules for a new age?, November 2009, Executive summary, p DLA Piper, EU study on the legal analysis of a Single Market for the Information Society, New rules for a new age?, November 2009, Executive summary, p

14 Directive. erefore it has announced the evaluation of the impact of the e-commerce Directive as point nine in its planned actions for the Digital Single Market within the Digital Agenda for Europe. 23 Electronic commerce is also selected as the fifth most important action point in preparation of the EU Single Market Act. 24 e European Parliament, in reaction to the proposed e-commerce revisions announced in the Digital Agenda, calls for a study on harmonised rules within the EU to promote a common market in cloud com-puting and e-commerce. It takes the view that the Directives constituting the legal framework for the information society appear out of date due to the increased complexity of the online environment, the introduction of new technologies and the fact that EU citizens data are increasingly processed outside of the EU. 25 BEUC, the European Consumers' Organisation, is opposed to any revision of the e- Commerce Directive and, instead, calls for a clarification of some of its provisions with the aim of enhancing legal certainty. BEUC takes the view that the exception to the internal market clause regarding consumer contracts should be maintained. It finds that the rules on unsolicited commercial communications should be technology neutral and apply to all communication technologies. e provisions on ISPs liability provide a balanced framework that clarifies the obligations of service providers and protects the interests of rights holders and should therefore be maintained. However, new Internet services should be included in the scope of the liability provisions of the e-commerce Directive. On the other hand the application of technical measures, such as filtering, to prevent infringements on intellectual property rights should be rejected. 26 EMOTA, the European Mail Order and e- Commerce Trade Association, signals issues with the internal market clause of the Directive. EMOTA argues that there are still national protectionist tendencies that hamper the uptake of e-commerce. EMOTA specifically notes that the reserved area component of the European Postal Directive, VAT exemptions and prohibitive authorization and licensing procedures can distort the marketplace and discourage new players from entering a market. According 23 Planned actions for the Digital Single Market (pillar I) of the Digital Agenda for Europe, via ec.europa.eu/information_society/newsroom/cf/fiche-dae.cfm. 24 Commission Staff Working Paper, Overview of responses to the public consultation on the Communication Towards a Single Market Act, Accompanying document to the Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of e Regions, A Single Market Act: Twelve levers to boost growth and strengthen confidence "Working together to create new growth", {COM(2011) 206 final} Brussels, SEC(2011) 467 final. 25 A new Digital Agenda for Europe: 2015.eu, European Parliament resolution of 5 May 2010 on a new Digital Agenda for Europe: 2015.eu, P7_TA(2010)0133, May 2010, Public Consultation On e Future Of Electronic Commerce In e Internal Market And e Implementation Of e Directive On Electronic Commerce (2000/31/EC) BEUC Response. 14

15 to EMOTA different laws on credit makes and piracy (e.g. music file-sharing) are also legal barriers to the further uptake of online services. 27 With regard to commercial communications, respondents to the Commission consultation on the e-commerce Directive noted several problems. First, the lack of adequate enforcement of the rules on unsolicited commercial communications. Second, the divergence in the application of the EU legal framework in different Member States, such as different definitions of electronic mail. Mentioned as a third obstacle, is the lack of clarification about the application of EU rules to new technologies, for instance on Bluetooth marketing and in relation to social networks. 28 Based on the results of the consultation, the Commission adopted an e-commerce Communication in January of e Communication contains sixteen actions aimed at doubling the volume of e- commerce in Europe by e Commission s first action point is to ensure that the E-Commerce Directive is correctly applied by improving administrative cooperation with the Member States Interim conclusions e e-commerce Directive provides the foundation of e-commerce legislation in Europe. While stakeholders recognise the importance of the Directive for e- commerce in Europe, they do signal issues when it comes the application of the Directive. e fragmentation resulting from diverging national implementations is particularly troublesome. Furthermore, the rules on intermediary service provider liability need clarification. Although they do not need a complete overhaul, clarification in the light of new services and technologies does seem necessary. With regard to intermediary liability, the majority of respondents argued that a revision of the e-commerce Directive s liability regime is unnecessary. e existing rules, however, do require clarification. A vast majority is in favour of developing a harmonised EU notice-and- takedown procedure EMOTA Response to the public consultation on the future of electronic commerce in the internal market and the implementation of the Directive on Electronic Commerce (2000/31/EC). 28 Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC). 29 Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC). 30 European Commission, Commission Communication To e European Parliament, e Council, e Economic And Social Committee And e Committee Of e Regions, A coherent framework for building trust in the Digital Single Market for e-commerce and online services, {SEC(2011) 1640} {SEC(2011) 1641}, COM(2011)

16 16

17 3 Online contracts and consumer protection e 493 million consumers in the EU generate about half of the EU s wealth, and therefore are central to the success of the Single Market. 31 New technologies give consumers new options for purchasing goods and services without physical presence in a store. As more and more consumers are engaged in so-called distance sales the rules governing these contracts and the protection of consumer rights become increasingly important. 3.1 Current legal framework Consumer protection law and the rules for distance sales (e.g., mail order, e-commerce) are enshrined in national law. Furthermore, there are three different Directives that cover the relation between consumer protection and distance sales at the EU level. ey are: Directive 97/7/EC (Distance Selling Directive), Directive 93/13/EEC (Unfair Contract Terms Directive), and Directive 1999/44/EC (Sale of Consumer Goods and Guarantee Directive). 32 Together with a fourth Directive, the Doorstep Selling Directive (85/577/EC) these Directives provide the core of the legal framework for consumer protection in Europe ( the consumer acquis ). 33 Also relevant in this respect is the Unfair Commercial Practices Directive (2005/29/ EC). 34 e Distance Selling Directive lays down detailed provisions with respect to a distance contract between a supplier and a consumer. e Directive s main purpose is to provide protection to consumers entering into distance contracts. A distance contract is: any contract concerning goods or services concluded between a supplier and a consumer under an organized distance sales or serviceprovision scheme run by the supplier, who, for the purpose of the contract, makes exclusive use of one or more means of distance communi-cation up to and including the moment at which the contract is concluded. 35 One of the most important provisions for the consumer is the right to withdrawal Communication from the European Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, on the enforcement of the consumer acquis, Brussels, COM(2009) 330 final, p Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts; Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts; Directive 1999/44/EC of the European Parliament and of the Council of 25 May 1999 on certain aspects of the sale of consumer goods and associated guarantees. 33 Council Directive 85/577/EEC of 20 December 1985 to protect the consumer in respect of contracts negotiated away from business premises. We shall not discuss the Doorstep Selling Directive any further, as it is not relevant to the issue of cross-border e-commerce. 34 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council. 35 Article 2, paragraph 1, Directive 97/7/EC. 36 Article 6, Directive 97/7/EC. 17

18 is means the consumer has a period of at least seven working days in which it is allowed to withdraw from the contract without penalty and without giving any reason (cooling-off period). Furthermore, the Distance Selling Directive imposes rules on the distance seller, for instance the obligation to inform the consumer about certain conditions of the contract. e supplier must provide the consumer written information on the conditions and procedures for exercising the right of withdrawal in due time prior to the conclusion of any distance contract. In addition, the consumer shall be provided with information regarding the main characteristics of the goods or services and the arrangements for payment, delivery or performance of the contract. 37 e period for exercise of withdrawal starts when the consumer receives the ordered goods, or in case of a service agreement, with the conclusion of the contract. A contract generally includes the terms and conditions of the sale. In most cases the consumer cannot negotiate these terms and conditions. erefore, Directive 93/13/ EEC (the Unfair Contract Terms Directive) aims to protect the consumer against unfair terms, which might be included in the contract between the consumer and the supplier. With respect to this Directive, one of the most important provisions is the obligation that terms are drafted in plain and intelligible language. Where there is doubt about the meaning of a term, the interpretation most favourable to the consumer shall prevail (the contra proferentem rule). 38 Directive 99/44/EC (the Sale of Consumer Goods and Guarantees Directive) regards certain aspects of the sale of consumer goods and associated guarantees. e purpose of the Directive is to ensure a uniform minimum level of consumer protection in the context of the European internal market, by offering guarantees to consumers. An important provision is the obligation of the seller to deliver goods to the consumers, which are in conformity with the contract of the sale. e seller shall be held liable where the lack of conformity becomes apparent within two years as from delivery of the goods. 39 e consumer must inform the seller of the lack of conformity within a period of two months from the date on which he detected such lack of conformity. 40 Furthermore, any contrac-tual term or agreement concluded with the seller before the lack of conformity is brought to the seller's attention, which directly or indirectly waives or restricts the rights resulting from this Directive, shall not be binding on the consumer. 41 It is relevant to note is that all three Directives discussed above are based on minimum harmonisation, which means Member States can maintain more stringent provisions than mentioned in the Directives. In other words, the actual level of protection consumers enjoy may differ from Member State to Member State. Directive 2005/29/EC of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market 37 Article 4, Directive 97/7/EC. 38 Article 5, Directive 93/13/EEC. 39 Article 5, (1), Directive 99/44/EC. 40 Article 5, (2), Directive 99/44/EC. 41 Article 7, (1), Directive 99/44/EC. 18

19 (the Unfair Commercial Practices Directive) is based on maximum harmonisation and provides a general framework for protecting the economic interests of consumers who conclude commercial transactions with traders by defining the unfair commercial practices that are prohibited EU. Unfair commercial practices are those that do not comply with the principle of professional diligence or may influence consumers transactional decisions. Annex 1 to the Directive sets out a so-called blacklist of "commercial practices that are, in all circumstances, considered unfair". ese unfair commercial practices are divided into 'misleading commercial practices' and 'aggressive commercial practices. 3.2 Barriers In the area of consumer protection retailers and consumers experience the following legal barriers to cross-border e-commerce. Fragmentation e fact that the legal framework governing distance sales and consumer contracts is based on minimum harmonisation, has led to different implementations of the Directives and different levels of protection for the consumer within Europe in practice. For instance, the Directive prescribes a cooling-off period with a minimum of 7 working days. e Netherlands provides a 7 working days cooling-off period, while Germany has a 14 day cooling-off period. 42 erefore, it is often unclear to consumers what their right are, which is important for consumer confidence in the cross-border market. However, consumers are always entitled to the European minimum and in many cases the consumer rights of the consumer s country of origin apply. erefore, the newly adopted Directive on Consumer Rights fully harmonises parts of the consumer acquis. For distance selling contracts the cooling off period will become 14 days in all Member States. e legal status of digital goods Directive 99/44/EC (the Sale of Consumer Goods and Guarantees Directive) concerns tangible goods. 43 However, nowadays consumers also purchase intangible, digital products on Internet. In that case there are contracts with respect to the purchase digital content, which is content produced and supplied in digital form, such as computer programs, videos, music and applications. In order to apply this Directive and Directive 97/7/EC to the purchase of digital content, digital content has to fall within the scope of the definition of a good or service. Besides, the hybrid character of digital content seems to add to the uncertainty and difficulty on defining digital content. 44 e purchase of digital content can encompass both a physical copy of the software, an online update service, and a real-time (re-mote) software 42 Article 7:46d Dutch Civil Code; Article 355(1) Bürgerliches Gezetsbuch. 43 Article 2, (2), (b) Directive 99/44/EC. 44 Cseres, K. J., Guibault L., Helberger, N., Loos, M. B. M., Mak, C., Pessers, L., Van der Sloot, B., Tigner, R. (2011), Comparative analysis, Law & Economics analysis, assessment and development of recommendations for possible future rules on digital content contracts. 19

20 ser-vice. 45 erefore, digital content can be considered both a service and a good. us, what rules apply to the purchase of digital content is not clear yet. Enforcement and redress While EU consumer protection law provides a high level of protection, it must be enforced effectively to actually help consumers. In the area of enforcement there are significant challenges. First of all, effective enforcement by supervisory authorities is hampered by the fragmentation of consumer protection law. Crossborder enforcement calls for agreement on the principles determining the applicable law and the reconciliation of differing administrative capacities and enforcement traditions in Member States. 46 Secondly, there are jurisdictional boundaries that limit the effectiveness of the supervisory authorities. Apart from the enforcement of consumer protection law by supervisory authorities, consumers themselves can also seek redress. However, seeking redress through the courts is costly and difficult for consumers (see chapter 4). 3.3 Developments e differences in national legislation regarding contract law can lead to legal uncertainty for businesses and a lack of consumer confidence in the internal market. Surveys show the differences in contract law as one of the main obstacles in cross-border trade. 47 Already in 2001, the Commission launched her Communication on European Contract Law, which aims to address the issue of fragmentation of EU contract law. e Common European Sales Law e most recent development regarding European Contract Law is e Proposal for a Regulation on Common European Sales Law, launched by the European Parliament and Council on October 11, is Regulation is partly a reaction on the published Green paper on policy options for progress towards a European contract law for consumers and businesses of the Commission launched in e overall objective of the proposal is to improve the establishment and the functioning of the internal market by facilitating the expansion of cross-border trade for business and cross- border purchases for consumers. 50 us, the focus is on B-C transactions. 51 Furthermore, the purchase of digital content is completely implemented in the Regulation. e terms 'goods' and 'digital content' are often used simultaneously, so 45 Cseres, K. J., Guibault L., Helberger, N., Loos, M. B. M., Mak, C., Pessers, L., Van der Sloot, B., Tigner, R. (2011), Comparative analysis, Law & Economics analysis, assessment and development of recommendations for possible future rules on digital content contracts, p Communication from the European Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, on the enforcement of the consumer acquis, Brussels, COM(2009) 330 final, p Eurobarometer 321 of 2011, European Contract Law in consumer transactions, COM(2011) 635 final, Proposal for a Regulation on Common European Sales Law, 11 October COM(2010) 348 final, Green paper on policy options for progress towards a European contract law for consumers and businesses, Brussels July COM(2011) 635 final, p Recital 21, COM (2011)635 final. 20

21 most provisions apply to goods as well as to digital content. e purpose of the proposed Regulation is to introduce into the laws of the Member States an alternative sales law regime, which contracting parties can choose as the law governing their relationship. is means that the Common European Sales Law will exist alongside the existing national rules of the Member State regarding contract law. Also, the Common European Sales Law is only applicable law in those cases where parties explicitly agree on this, which means it is an optional instrument. Modernisation and harmonisation of the consumer acquis e Directives regarding the protection of the consumer with respect to contract law only entail minimum harmonisation. 52 Minimum harmonisation can lead to different implementations and thus to different national regulation on consumer protection. Directive 2011/83/EU (the Consumer Rights Directive) was adopted on October Member States have two years to implement the Directive from the date of publication. is Directive will replace Directive 85/577/EC (the Doorstep Selling Directive) and Directive 97/7/EC (the Distance Selling Directive). It is based on the principle of full harmonisation, meaning Member States must stay as close to the Directive as possible in their national implementation. 53 Full harmonisation will lead to more clarity and protection for the consumer. e Directive prescribes that Member States all have the same right of withdrawal term of 14 days, instead of the minimum of 7 working days as prescribed by the Distance Selling Directive. 54 Furthermore, the trader has to provide the consumer with more comprehensive and detailed infor-mation before the consumer is bound by distance and off-premises contracts. If the trader has not provided the consumer with the information on the right of withdrawal, the withdrawal period shall be extended to 12 months. 55 e Directive also provides a withdrawal form to give more clarity on how the right to withdraw can be exercised. Another important aspect in adopting the Directive was the protection of the consumer who purchases digital content. e Directive explicitly states contracts for the supply of digital content also fall within the scope of the Directive. Digital content is defined as data which are produced and supplied in digital form. 56 Furthermore, if digital content is supplied on a tangible medium, such as a CD or DVD, it should not be considered as digital content. 57 is means that in case a consumer purchases digital content, which is supplied on a 52 See for example: Directive 93/13/EC, Directive 85/577/EC, Directive 99/44/EEC, Directive 97/7/EC, Directive, Directive 90/314/EEC, Directive 94/47/EC and Directive 98/6/EC. 53 Article 4, Directive 2011/83/EU. 54 Article 9,(1), Directive 2011/83/EU; Article 6,(1), Directive 97/7/EU. 55 Article 10, (1), Directive 2011/83/EU. 56 Article 2, (11), Directive 2011/83/EU. 57 Recital 19, Directive 2011/83/EU. 21

22 tangible medium, he/she has the right of withdrawal, starting from the day of the conclusion of the contract. 58 Also, the trader has to provide the consumer with information before the conclusion of the contract, such as any relevant interoperability of digital content with hardware and software that the trader is aware of or can reasonably be expected to have been aware of Interim conclusions e Proposal for the Regulation on Common European Sales Law is an optional instrument. As this proposal has only been published a few months ago, there has not been much feedback on the proposal just yet. However, some critics say the optional instrument does not add enough value to the contract process for traders, to want to adopt it and use it as an alternative to the legal system that they know and trust. Furthermore, the consumer who does not understand the legal obligations is unlikely to elect to use it unless they feel it provides them with some additional benefit over and above existing law. 60 In addition, critics say that for the optional instrument to work effectively, it is necessary the trader and the consumer have the ability to compare their national law with the Common European Sales Law. 61 e question remains whether or not the trader and the consumer will choose for the optional instrument and the European internal market can actually be improved. Although the new Consumer Rights Directive provides harmonisation on consumer rights with respect to contract law, it does not impose any further set of rules relating to guarantees or unfair terms. 62 As such, fragmentation of national rules on consumer protection will likely remain to exist. 58 Article 9, (2) (c) Directive 2011/83/EU. 59 Article 6, (1) (s) Directive 2011/83/EU. 60 Euro Commerce (2011), EuroCommerce Response to the European Commission consultation on the Feasibility Study carried out by the Expert Group on European Contract Law for stakeholders and legal practitioners. 61 EMOTA (2011), EMOTA Response to the public consultation on the Green Paper on policy options for progress towards a European Contract Law for consumers and businesses COM (2010) 348 final, page SEC (2011) 1641, Commission staff working paper, Online services, including e-commerce, in the Single market. 22

23 23

24 4 (Online) dispute resolution In 2010, approximately 20% of European consumers encountered problems when buying goods and services in the internal market. It is estimated that about 56% of these complaints flow forth from e-commerce transactions. 63 e losses incurred by European consumers as a result of these problems are estimated at 0.4% of the EU GDP. 64 Despite a generally high level of consumer protection guaranteed by legislation, problems encountered by consumers are often left unresolved. e reason for this is that it is often difficult for consumers to exercise their rights. A lack of knowledge about their rights and a language barrier play an important role in this regard, but also the fact that legal proceedings are often expensive and/or time consuming play a prominent role. In many cases the costs and time involved in legal proceedings actually outweigh the loss a consumer incurs as a result of a problem with an online transaction. is undermines the trust in (cross-border) e-commerce, since consumers feel they do not have access to effective remedies. To mitigate this problem alternative forms of dispute resolution (ADR) have been developed. Forms of alternative dispute resolution (ADR) include: complaints assistance, non-binding evaluation, mock-trials, mediation and arbitration. 65 Apart from alternative dispute resolution the so-called small claims procedures are also relevant for the further development of cross-border dispute resolution. Small claims procedures are a middle ground between formal litigation and ADR procedures. While a form of formal litigation, the small claims process is cheaper, faster and less formal than traditional formal litigation and therefore more accessible. 4.1 Current legal framework e current legal framework for alternative dispute resolution (ADR) and online dispute resolution (ODR), is still primarily governed by the national law of member states. As such, there is no common legal framework for ADR and ODR in the EU, rather the efforts of the EU have focussed on promoting the use of ADR and ODR. 63 e European Consumer Centres Network (ECC-net) 2010 Annual Report. 64 Proposal for a Directive of the European Parliament and the Council, on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Directive on consumer ADR, COM/2011/0793 final /0373 (COD), Explanatory Memorandum. 65 Hörnle, J. (2002), Online Dispute Resolution in Business to Consumer E-commerce Transactions', in: e Journal of Information, Law and Technology (JILT) 2002(2). 24

25 Article 17 of the e-commerce Directive requires member states not to hamper outof-court settlement of disputes through national law, but does not provide a legal framework harmonising the use of ADR and ODR. e Commission has also adopted two Recommendations on ADR in 1998 and While these Recommendations do set out quality criteria for ADR entities, they have no binding legal force. Specifically to stimulate the use of mediation, a Directive on certain aspects of mediation in civil and commercial matters was adopted in e Directive establishes common rules in the Community on a number of key aspects of civil procedure and provides the necessary tools for the courts of the Member States to actively promote the use of mediation, without making mediation compulsory or subject to specific sanctions. 68 Apart from the legal framework for ADR and ODR there is also a framework for small claims procedures. e European small claims procedure applies in crossborder litigation to civil and commercial matters where the claim does not exceed 2,000 euro. 69 Finally, in the area of formal litigation the EU has also taken steps to improve access to the courts in cross-border disputes, for instance by adopting a Council Directive establishing minimum common rules relating to legal aid for cross border disputes Barriers Even though both retailers and consumers who have used ADR schemes are positive about the costs, speed, flexibility and userfriendliness, ADR is not yet used extensively in cross-border dispute resolution. Several legal barriers that hamper the further uptake can be identified. Awareness Although not a legal barrier per se, from the consumer perspective a lack of aware-ness on the existence of ADR and ODR mechanisms is perhaps the most important reason for not using them in cross-border disputes. In 2010, only 5% of European consumers took their case to an ADR entity and only 9% of businesses report ever having used ADR. 71 Because there is no common and harmonised legal framework for ADR and ODR, raising awareness on ADR schemes effectively has proven to be difficult. To raise awareness and facilitate the use of ADR and ODR schemes, the ECC-net was established. Although the ECC-Net plays an important role in helping consumers to find the relevant ADR entity, most con-sumers are unaware of its existence. 72 Moreover, the CPC Network (a network of national 66 Commission Recommendation 98/257/EC on the principles applicable to the bodies responsible for the outof-court settlement of consumer disputes, OJ 115, ; and Commission Recommendation 2001/310/EC on the principles for out-of-court bodies involved in the consensual resolution of consumer disputes, OJ 109, Directive 2008/52/EC Of e European Parliament And Of e Council of 21 May 2008 on certain aspects of mediation in civil and commercial matters. 68 Background Document Workshop On Alternative Dispute Resolution For Consumers In e European Union, Vienna - 23 February Regulation (EC) No 861/2007 of the European Parliament and of the Council of 11 July 2007 establishing a European small claims procedure. 70 Council Directive 2002/8/EC of 27 January 2003 to improve access to justice in cross-border disputes by establishing minimum common rules relating to legal aid for such disputes. 71 EuroBarometer 300, p

26 enforcement authorities) is also not used to its full potential. Fragmentation If and when consumers are aware of the existence of ADR and ODR as alternatives for traditional formal litigation, they are often unable to find or select the appropriate entity. Because there is no common, harmonised legal framework for ADR and ODR in Europe, the ADR and ODR landscape has become highly fragmented. Currently, there are over 750 ADR entities in Europe, all governed by different national legal regimes. Many of these ADR and ODR schemes are only competent in specific business sectors, only cover a specific territory and/or only apply to a specific group of goods or services. is fragmentation has generated complexity, which has had an adverse impact on the efficiency of ADR and dissuades consumers and businesses from using them. Trust Whereas the 1998 and 2001 Recommendations on ADR set out general criteria for ADR entities to meet, the lack of a harmonised, enforceable legislation on the requirements for ADR entities means that it is difficult for both consumers and retailers to establish whether an ADR entity is competent and whether it meets the standards of quality, impartiality and fairness. Any doubts about the quality criteria that ADR entities meet will undermine trust in ADR. Applicable law and harmonisation A prerequisite for the successful operation of a pan-european ADR system from the perspective of the retailers is that it must be clear which ADR entity is competent for a given case. Furthermore, if ADR is to be successful, cross-border differences in the levels of consumer protection from country to country (and thus from ADR entity to ADR entity) will mean legal uncertainty and rising costs of compliance for retailers. From the perspective of the consumer, one level of consumer protection within the EU is also preferable, as a uniform level of protection means there are no ADR entities that offer less protection than that of other ADR entities or the local court of the consumer. Enforceability e fact that many ADR and ODR schemes are not binding in nature is a barrier, particularly from the consumer perspective. When a retailer does not comply with the verdict of the ADR entity, the consumer still faces the prospect of litigation. is may lead to the idea that ADR/ODR is a waste of time and effort. erefore, to counterbalance the weaker position of the consumer, Consumer organisation BEUC argues that an ADR scheme should be voluntary for consumers, but binding for businesses. 73 Flexibility Flexibility, speed and efficiency are the greatest benefits of ADR. A possible barrier for the use of ADR and ODR systems is that they will become less flexible if there are too many legal requirements. It is therefore essential to find a balance between legal certainty and flexibility. In particular businesses argue that ADR/ODR systems should be as flexible as possible and not mandated through EU law Alternative Dispute Resolution, European Commission s Consultation, BEUC response, 15 March Alternative Dispute Resolution, European Commission s Consultation, EMOTA response, 15 March

27 4.3 Developments One of the actions under the Digital Agenda for Europe is the creation of an improved framework for ADR and ODR. Under its proposal for a consumer programme for the Commission aims to strengthen the use of ADR and ODR through amongst others, funding and awareness campaigns. 75 To strengthen and harmonise the legal framework for ADR and ODR, the Commission has proposed a Directive on ADR and a Regulation on ODR on 29 November e goal of the Commission is to tackle the issue of fragmentation and ensure that EU consumers can solve their problems without going to court, regardless of the kind of product or service that the contractual dispute is about and regardless of where they bought it in the Single Market. For consumers shopping online from another EU country, the Commission wants to create an EU-wide single online platform, which will allow to solve contractual disputes entirely online within 30 days. e ADR Directive aims to ensure that quality out-of-court entities exist to deal with any contractual dispute between a consumer and a business. Under the proposal, ADR entities will have to meet certain quality criteria (i.e., they have to be well-qualified, impartial, transparent, effective and fair), businesses will have to inform customers about the ADR entity which can deal with a potential contractual dispute with them, and ADR entities will resolve the disputes within 90 days. e Regulation on ODR will create a EUwide online platform providing consumers and businesses with a single point of entry for resolving on-line the disputes concerning purchases made online in another EUcountry. is single European point of entry will automatically send the consumer s complaint to the competent national ADR entity and facilitate the resolution of a dispute within 30 days. Both the Directive and the Regulation are set for adoption in late Member States will have 18 months to implement the ADR Directive. is means that ADR options should be available everywhere in the EU in the second half of e single EU-wide platform for online dispute resolution will become fully operational six months after that deadline (i.e., in early 2015), as its operation requires the setting up and upgrading of out-of-court entities where needed. 4.4 Interim conclusions A lack of harmonisation of the current legal framework governing the out-of-court settlement of disputes has led to a fragmented ADR and ODR landscape. Although more than 750 different ADR schemes currently operate in Europe, their success is mainly limited to a national context. Fragmentation has led to a lack of awareness and difficulties for consumers and businesses to choose the appropriate system for their cross-border disputes. Despite the harmonisation of rules for ADR via a new Directive and the creation of a new ODR system via a Regulation will strengthen the uptake out-of-court settlement of disputes, the fact that legislation governing contracts and civil procedure still diverge across Europe presents difficulties for further uptake of ADR and ODR. 75 Proposal for a Regulation of the European Parliament and the of the Council, on a consumer programme , Brussels, COM(2011) 707 final. 76 Proposal for a Directive of the European Parliament and the of the Council, on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Directive on consumer ADR); and a Proposal for a Regulation of the European Parliament and of the Council on online dispute resolution for consumer disputes (Regulation on consumer ODR). 27

28 28

29 5 Data protection e processing and the protection of personal data form a key aspect of the legal framework for cross border e-commerce. A legitimate, secure, safe and free flow of personal data in the private and public sector both within and between Member States increases trust in cross border e- commerce and stimulates economic activity on the Digital Internal Market. 5.1 Current legal framework e cornerstone of European data protection legislation is Directive 95/46/EC (Data Protection Directive). However, several provisions in other directives also deal with data protection and informational privacy. Relevant for the topic of cross-border e-commerce are direct marketing and data breaches. Personal data protection e Data Protection Directive applies to almost all forms of online retail in the EU, because of the nature of any online transaction: the retailer needs a certain amount of personal data to deliver the order, to send the invoice, to have contact with the consumer, to process the payment, or even before a transaction: so that visi-tor s to his web shop can register for a personal account. e Data Protection Directive determines that all data, directly or indirectly identifying a natural person, is personal data. e Directive establishes several obligations on the controller of personal data. A controller for instance has the duty to ensure that personal data is processed in a proper and careful manner (article 5) as well as fairly and lawfully (article 6a). In addition, personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (article 6b). e Directive also determines that personal data has to be adequate, relevant and not excessive in relation to the purposes for which they are collected or processed (article 6c), as well as accurate and kept up to date, erased or rectified where necessary (article 6d). All data should be kept in a form that permits identification of data subjects for no longer than necessary (article 6e). Furthermore, the Data Protection Directive demands that personal data may only be processed if the data subject has unambiguously given his consent or if data processing is necessary for a selected number of grounds (article 7). Besides principles safeguarding data quality and legitimate processing, the Data Protection Directive also requires the controller to inform the data subject about his identity, the way personal data is handled (article 10), for instance in a privacy policy and his rights to object to processing of his personal data (article 12). In addition, the controller is obliged to implement appropriate technical and organisational measures to protect personal data (article 13) and to notify the national supervisory authority about his data processing (article 18). Article 28 of the Data Protection Directive establishes that every Member State shall have at least one independent, national supervisory authority that is responsible for monitoring the application of the Directive. Article 29 of the Data Protection Directive sets up a Working Party (the so- 29

30 called article 29 WP). e Article 29 Working Party has an advisory status and acts independently and has the liberty to determine if draft Community codes and amendments or extensions to existing Community codes are in accordance with national provisions adopted pursuant to the Directive. Besides the Article 29 WP, the Commission has also established two other EU bodies. Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 establishes the European Data Protection Supervisor (EDPS). EDPS is an independent supervisory authority that monitors the application of the data protection principles following from the Data Protection Directive to all processing operations carried out by EU bodies and institutions. Direct marketing Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the e- Privacy Directive), together with Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services (e-commerce Directive ) and Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts (the Distance Selling Directive) regulates the use of personal data for direct marketing purposes. e Distance Selling Directive determines that techniques of distance communication may be used only where there is no clear objection from the consumer. 77 e e- Commerce Directive also contains a provision that regulates the use of personal data for direct marketing purposes: Member States must take measures to ensure that service providers undertaking unsolicited commercial communications by electronic mail consult regularly and respect the opt-out registers in which natural persons not wishing to receive such commercial communications can register themselves. 78 e most relevant provision for direct marketing, however, is found in the e- Privacy Directive s provision on unsolicited communications. It requires that the use of for direct marketing is only allowed when subscribers have given their prior consent (opt-in). 79 Also of importance is the addition in article 13.2 that determines, in short, that when a business has received the address of a customer in the context of the sale of a product or service, that business may (re)use this address for direct marketing of its own similar products or services, provided that customers are clearly and distinctly given the opportunity to object (opt-out). Data breach notification Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC, Directive 2002/58/EC and Regulation (EC) No 2006/2004 (Citizens Rights Directive) provides a structure for notifying the competent authorities and individuals concerned in case of a breach of security leading to the accidental or 77 Article 10, paragraph 2, Directive 97/7/EC. 78 Article 7, paragraph 2, Directive 2000/31/EC. 79 Article, paragraph 1, Directive 2002/58/EC. 30

31 unlawful processing of personal data (a personal data breach). 80 In short, the data breach notification ensures that providers of publicly available electronic commu-nications services shall, without undue delay, notify a personal data breach to its competent national authority. When the breach is likely to adversely affect the personal data or privacy of the subscriber or individual, the provider shall also notify the subscriber or individual without undue delay. 81 e Commission emphasises that, although the notification requirements are limited to security breaches that occur in the electronic communications sector, the interest of users in being notified is not limited to the electronic communications sector. erefore, explicit mandatory notification requirements should become applicable to all sectors at Community level as a matter of priority. 82 Profiling A topic that has gained significance over the past years is the issue of profiling. In particular the use of cookies for behavioural targeting has become a hot issue. Directive 2009/136/EC updates the rules on the use of cookies and other methods to track and monitor users for commercial purposes. Under the Directive, the use of cookies requires the consent of the user. 5.2 Barriers Although the Data Protection Directive was drawn up in a time when the use of personal data and the possibilities for automatic processing of personal data were far more limited than in today s Internet society, few Member States or interest groups explicitly advocate a fundamental change to the structure of the Directive. 83 Having said that, there are significant difficulties with the Data Protection Directive that in practice have led to barriers for both businesses and consumers. Member States like for instance Austria, Sweden, Finland and the UK have raised questions with regards to the provisions on applicable law, sensitive data, the right of access, notification and data transfers to third countries. 84 Furthermore, stakeholders from the private sector (retailers and consumers) have raised issues with Data protection legislation in Europe. Fragmentation When it comes to the cross-border flows of personal data, the main point of criticism is that due to differences between the implementation in different Member States, data protection legislation has become highly fragmented. 85 Particularly businesses complain that disparities prevent multinational organisations from developing pan-european policies on data protection. It is noted that divergences may also occur from correct implementation by 80 Article 2, paragraph 1, Directive 2009/136/EC. 81 Article 2, paragraph 4, Directive 2009/136/EC. 82 Recital 59, Directive 2009/136/EC. 83 EMOTA, EMOTA s Response to the European Commission s public consultation on the legal framework for the fundamental right to protection of personal data, December 2009; and First report on the implementation of the Data Protection Directive (COM (2003) 265). 84 First report on the implementation of the Data Protection Directive (COM (2003) 265). 85 EMOTA, EMOTA s Response to the European Commission s public consultation on the legal framework for the fundamental right to protection of personal data, December 2009; Report from the Commission of 15 May 2003 [COM(2003) 265 final, First report on the implementation of the Data Protection Directive (95/46/EC). 31

32 a Member State but result from a different choice of direction within the margin of appreciation allowed by the Directive. e national differences in the approach to data protection stand in the way of a flexible and simplified regulatory system and are therefore of concern (for example the differences in the notification requirements). Articles 10 and 11, on the provision of information to data subjects were found to show a number of divergences as a result of incorrect implementation. Enforcement Apart from differences in the actual implementation of the Directive in national law, differences in enforcement within the Member States are also an issue. Within the current legal framework, the national Data Protection authorities cooperate with each other and coordinate within the Article 29 Working Party, but still have a lot of room to interpret the (national implementations) of the Data Protection Directive. 86 In practice, this leads to diverging interpretations of the law and approaches to enforcement. ere is also criticism on the enforcement of the Data Protection Directive. Significant shortcomings in the application and the enforcement of existing rules at national level are noted. 87 Enforcement efforts are under-resourced and data protection authorities have a wide range of tasks of which enforcement actions had a rather low priority. Data Protection Authorities in many Member States report to be concerned about their lack of resources. ey also mention a low level of compliance by data controllers. ey argue that data controllers are reluctant to undertake changes to comply with complex and burdensome rules, when the risks of getting caught seem low. e apparently low level of knowledge with data subjects of their rights also does not help compliance. 88 Applicable law e most criticised provision is article 4 regarding the applicability of national law. Many stakeholders, particularly from the perspective of business argue for a country of origin rule. is would allow multinational organisations to operate with one set of rules across the EU. 89 While the article 29 Working Party has published an Opinion on Applicable law that provides guidance, in practice questions concerning applicable law still form a barrier to crossborder trade. Vagueness Because of the technology neutral approach of the Data Protection Directive, there is an inherent vagueness in the provisions of the Data Protection Directive. While this has allowed the Data Protection Directive to stand the test of time, it has also led to 86 Report from the Commission of 15 May 2003 [COM(2003) 265 final, First report on the implementation of the Data Protection Directive (95/46/EC). 87 EMOTA, EMOTA s Response to the European Commission s public consultation on the legal framework for the fundamental right to protection of personal data, December Report from the Commission of 15 May 2003 [COM(2003) 265 final, First report on the implementation of the Data Protection Directive (95/46/EC). 89 Report from the Commission of 15 May 2003 [COM(2003) 265 final, First report on the implementation of the Data Protection Directive (95/46/EC). 32

33 legal uncertainty, in particular for data control-lers. Examples include the interpretation of the notion of personal data and what constitutes consent, particularly in online scenarios. 90 Administrative burdens & compliance costs Since the Data Protection Directive sets forth rules on privacy for data controllers, there are compliance costs and administrative burdens involved. ese costs rise significantly when data controllers operate in different EU member States. 91 In particular requirements such as registering data processing activities in national registries place a burden on data controllers. Apart from the general rules on data protection, many online retailers also fear that with the introduction of stricter rules on the use of cookies, compliance costs will rise further. Awareness Albeit not so much a legal obstacle, it should be noted that, although the Data Protection Directive aims to deliver a high level of protection, most individuals actually consider the level of protection a minimum and a vast majority of individuals believe there is insufficient awareness on data protection. Even though confidence in organisations data privacy policies has increased, a majority of EU citizens are still very much concerned about data protection issues, particularly as to whether organi-sations that held their p e r s o n a l d a t a h a n d l e d t h i s d a t a appropriately. 92 Also, the vast majority of citizens have low levels of awareness on data protection, such as data subject rights, special legal protection for sensitive data and the existence of national data protection authorities. Many European Internet users feel uneasy about the use of their personal data on the Internet and are concerned about any provisions that would allow authorities to relax data protection laws. 93 Recent reports show that individuals still demand more and better personal data protection and continue to feel an increasing loss of control over their personal data Developments Privacy and data protection are the topic of a lively public debate within the EU. e European Parliament for instance, has repeatedly called for strengthening individuals rights, further advancing the internal market dimension and ensuring better enforcement of data protection rules and strengthening the global dimension of data protection Article 29 Working Party, Opinion 4/2007 on the concept of personal data (WP136); and Article 29 Working Party, Opinion 15/2011 on the definition of consent (WP187). 91 Rambøll Management (2005), Economic Evaluation of the Data Protection Directive 95/46/EC, Final Report, May 2005, p Data Protection in the European Union, Citizens perceptions, Analytical Report, the Gallup Organisation, Data Protection in the European Union, Citizens perceptions, Analytical Report, the Gallup Organisation, European Commission, Summary of replies to the public consultation about the future legal framework for protecting personal data, Brussels, 4 November Report on a comprehensive approach on personal data protection in the European Union (2011/2025(INI), Committee on Civil Liberties, Justice and Home Affairs, Rapporteur: Axel Voss, 22 June

34 General Data Protection Regulation e most recent development with regard to the legal framework for personal data protection is a new proposal for a General Data Protection Regulation. 96 e new regulation will be important for crossborder e-commerce, because it brings a new level of harmonisation into the legal framework for the processing of personal data, as well as a stronger focus and safeguards for the rights of data subjects. e proposal for a General Data Protection Regulation aims to strengthen the legal position of the consumer by broadening the scope for personal data and definition of the data controller and changing the way data subjects give consent. While the General Data Protection Regulation will retain the logic and structure of the Data Protection Directive it is nevertheless a significant overhaul of the current legal framework. It introduces, amongst other things: the notion of privacy by default, the requirement of prior consent for all direct marketing purposes, the so-called right to be forgotten and the right to data portability. Furthermore, the accountability of the data controller is significantly enhanced, and new and severe sanctions, remedies and liabilities are introduced. e structure for enforcement will also be changed. e Data Protection Regulation aims to strengthen the position of the national supervisory authority (the Data Protection Authority) and introduces a new entity: the EU Data Protection Board. One of the primary roles of the EU Data Protection Board is to harmonise enforcement efforts throughout the EU. Because of the major changes to the current legal framework, a draft version of the proposal was met with quite some criticism. 97 Data breach notification e Citizens Rights Directive introduced a data breach notification for providers of public communications network services. Although some Member States are still implementing the Citizens' Rights Directive s data breach notification into national law, there are examples of countries that have already implemented data breach notification systems into national law. For instance, Germany implemented an obligation to issue a data breach notification in the Federal Data Protection Act in September e law applies to bank and credit card data, telecommunications data and data collected online, data related to criminal offences and other particularly sensitive data. In Spain, data controllers have to draw up a security policy that amongst others contains a provision related to a procedure of notification and a register in case of incidents that effect personal data. e United Kingdom s Information Commissioners Office (ICO) has issued a guideline on notification of data security breaches. Although there is no general data breach notification obligation as of yet, the ICO does advise to report data breaches. e Irish DPA holds a Code Of Practice that includes provisions regarding the notifi- 96 Proposal for a Regulation of the European Parliament and of the Council, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11/4 Draft. 97 Out-Law (2012), EU data protection Regulation may not be finalised until March, January 13th 2012 (via: 34

35 cation of data subject in case of a breach. Finally, the Netherlands has a concept data breach bill under consultation. e bill would expand the scope of the data breach notification obligation to all data controllers. To create a uniform system for data breach notification, the draft General Data Protection Regulation also includes a data breach notification obligation for all data controllers. 5.4 Interim conclusions Personal data processing is an integral and essential part of (cross-border) e- commerce. erefore trust in the fairness, legitimacy and security of data processing is of vital importance for the success of (cross-border) e-commerce. While the introduc-tion of a uniform, harmonised European system in 1995 has strengthened the internal market and provided higher levels of protection for European citizens, the Directive it is not without its problems. Differences between national implementations of the Data Protection Directive lead to rising compliance costs and administrative burdens for data controllers, hampering cross-border trade. is problem is magnified by different approaches to enforcement by national Data Protection Authorities. Furthermore, limited awareness about the rights and obligations under the Data Protection Directive undermines consumer trust. To truly harmonise data protection in Europe, a new proposal for a General Data Protection Regulation has been released recently. is proposal shows an ambitious framework for the future of data protection of Europe. However given the far-reaching implications for data controllers, an earlier draft was met with quite some criticism. 35

36 36

37 6 Electronic signatures Secure, reliable, user friendly and interoperable electronic signatures and identification an authentication measures are necessary for the further development of cross-border e-commerce within the European Digital Single Market. Although e-identification and e-authentication mechanisms are already widely used in the governmental and banking sector (for instance, the use of tokens for online banking), their use in other economic sectors is still in its infancy. e electronic signature is hardly used in electronic commerce. 6.1 Current legal framework Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (the Electronic Signature Directive) establishes a (minimum) harmonised legal framework for the recognition of electronic signatures and for certain certification services. e Directive entered in to force on 19 January 2000 and its provisions had to be implemented into national law by Member States by January e Electronic Signature Directive aims to strike a balance between consumer and business needs. e Electronic Signature Directive defines three types of electronic signatures; the (basic) electronic signature, the advanced electronic signature and the advanced electronic signature based on a qualified certificate created by a secure-signaturecreation device (a so called qualified electronic signature ). It also defines the requirements for certification-service-providers issuing qualified certificates. e main provisions of the Directive are set out in article 5. Paragraph 1 under a stipulates that a qualified electronic signature satisfies the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data. Article 5 paragraphs 1 under b and 2 provide that electronic signatures are admissible as evidence in legal proceedings. Following the Electronic Signature Directive the European Commission has adopted several directives and decisions, such as Commission Decision 2000/709/EC that sets out the criteria that Member States should take into account when designating national bodies to evaluate the conformity of secure signature-creation devices. Commission Decision 2003/511/ EC provides the references of three generally recognised standards for electronic signature products that presume compliance with the qualified electronic signature. Directive 2006/123/ EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (the Services Directive, also known as the Bolkestein Directive) aims to establish a single market for services within EU. 37

38 Official European standardisation bodies such as the European Telecommunications Standards Institute (ETSI) and the European Committee for Standardisation (CEN) have adopted guidelines and standardisation documents (a CEN Work-shop Agreement is called a CWA), such as for signature creation, 98 verification of electronic signatures, 99 signature format 100 and signature policies Barriers Since the Electronic Signatures Directive entered into force, several aspects have been identified as problematic. Divergences and legal uncertainty Most problems can be attributed to (mis)interpretation of the Directive s wording, which in turn leads to divergences in national law and/or divergences in the practical application of the rules. Most of the barriers are related to areas in which the Directive has apparently left a margin of appreciation and where diverging implementations have caused market disruptions. 102 Also seen as significant obstacles are the heterogeneous approach to security requirements, the unclear terminology in the Electronic Signatures Directive and heterogeneous terminology in national legislations, insufficient harmonisation of profiles of qualified certificates and the lack of an EU list of signature equipment formally recognised as secure signature 98 CWA and CWA CWA and CWA ETSI TS , ETSI TS , ETSI TS and ETSI TS ETSI TS , ETSI TR , ETSI TS and ETSI TS Study for the European Commission, DG Information Society, e legal and market aspects of electronic signatures, Legal and market aspects of the application of Directive 1999/93/EC and practical applications of electronic signatures in the Member States, the EEA, the Candidate and the Accession countries, Final Report, September

39 creation devices. e divergent interpretations of what is meant by the sole control of the signatory (article 2.2) and the missing of legal provisions on signature verification and validation are also deemed problematic. 103 e technical demands that electronic signatures have to meet should be clear and the same in all Member States. Recognition, interoperability and standardisation e mutual recognition and cross-border interoperability of e-signatures are seen as obstacles. 104 Th e l a c k o f p recise requirements and standards within the Directive leads to different interpretations i n M e m b e r S t a t e s, r e s u l t i n g i n incompatible applications and interoperability problems. 105 Specific interoperability or security aspects should be taken into consideration to advance the usage of electronic signatures, identification and authentication through mobile devices. It is suggested that standardisation problems and legal barriers (including liability rules) are currently perceived as a larger interoperability challenge than technical and operational business issues. 106 e electronic signature is perceived as expensive and complex to use. Liability An issue that also has a significant impact on cross-border interoperability of electronic signatures is the undefined legal status of signature validation, the liabilities of validation service providers and heterogeneous financial liability for qualified certificate issuance. 107 is leads to legal uncertainty, especially in cases of transactions requiring the exchanges of documents and when claims need to be certified. 108 Supervision Some impact on the cross-border interoperability of electronic signatures is assigned to the heterogeneous status and roles of the national security certification bodies (art. 3.4), lack of a common approach to the supervision of providers issuing qualified certificates to the public (art. 3.2) and ambiguities between super- 103 European Commission, Information Society and Media Directorate-General, Public consultation on electronic identification, authentication and signatures in the European digital single market, Overview of responses, Brussels, Ares , Augsust 2011; Report from the Commission to the European Parliament and the Council - Report on the operation of Directive 1999/93/EC on a Community framework for electronic signatures, COM/2006/0120, final; Study on the standardisation aspects of esignature, A Study for the European Commission (DG Information Society and Media), by SEALED, DLA Piper and Across communications, Final Report, November 2011; Study on Cross-Border Interoperability of esignatures (CROBIES), Head Document, A report to the European Commission from SEALED, time.lex and Siemens, Final Report, July Report from the Commission to the European Parliament and the Council - Report on the operation of Directive 1999/93/EC on a Community framework for electronic signatures, COM/2006/0120, final. 105 Study on the standardisation aspects of esignature, A Study for the European Commission (DG Information Society and Media), by SEALED, DLA Piper and Across communications, Final Report, November European Commission, Information Society and Media Directorate-General, Public consultation on electronic identification, authentication and signatures in the European digital single market, Overview of responses, Brussels, Ares , Augsust 2011; Study on Cross-Border Interoperability of esignatures (CROBIES), Head Document, A report to the European Commission from SEALED, time.lex and Siemens, Final Report, July European Commission, Information Society and Media Directorate-General, Public consultation on electronic identification, authentication and signatures in the European digital single market, Overview of responses, Brussels, Ares , August A Pan-European framework for electronic identification, authentication and signature,

40 vision and accreditation (art. 3.2 and 2.13). 109 Costs and complexity While costs and complexity are not by definition a legal issue, the legal framework cannot solve this problem. In particular the costs and complexity associated with the use of qualified electronic signatures discourages retailers from using these mechanisms. Oftentimes, cheaper and easier methods for identification and authentication (for instance federated identification) suffice in the context of cross-border e-commerce. 6.3 Developments Since the introduction of the e-signatures Directive steps have been taken to better facilitate the uptake of electronic signatures in Europe. e Commission has adopted several Decisions to clarify or give more harmonisation to the legal framework regarding electronic signatures. Commission Decision 2009/767/EC concerns the use and acceptance of electronic signatures through the points of single contact under Article 8 of Directive 2006/123/EC and the establishment, maintenance and publiccation of trusted lists (containing the minimum information related to the certification service providers issuing qualified certificates) by Member States. With its Action Plan on e-signatures and e- identification of 2008, the Commission aimed to remove interoperability barriers by increasing trust and user friendliness of e-signatures and e-identification. Several of the Action Plan s points have currently been fulfilled. e Commission has created a central list of links to the national list, Decision 2009/767/EC was updated in 2010 to facilitate the automated use of trusted lists and to further enhance trust in them and ETSI has updated its standard on trusted lists (TS ) in A study into the mutual recognition of e-signatures for e-government applications in Europe has been concluded. Research into the feasibility of a European federated e- signature validation service has been carried out. e study finds that a European system may be difficult to implement and suggested that solving validation issues require a revision of the e- signature Direc-tive. Other Action Plan points are still being worked on. Decision 2003/511/EC, containing three generally recognised standards, is being updated by CEN. Also, the Commission has mandated CEN and ETSI in 2010 to rationalise e-signature standards (due 2014). e Commission has forward-ed the draft proposal for implementation guidelines for e-signatures t o t h e E u r o p e a n S t a n d a r d i s a t i o n Organisations for consider-ation. A Commission Decision on common signature formats that aims to ensure that Points of Single Contact will be able to handle incoming signatures from other Member States, is being negotiated. Finally, a federated approach to validation is currently being tested in the context of the PEPPOL project. 110 In the meantime the Commission published its Digital Agenda for Europe in Listed as the ninth action is the revision of the Electronic Signatures Directive. e Commission, recognising 109 European Commission, Information Society and Media Directorate-General, Public consultation on electronic identification, authentication and signatures in the European digital single market, Overview of responses, Brussels, Ares , August See: 40

41 that electronic identity technologies and authentication services are essential for all kinds of online transactions, aims to establish cooperation between EU Member States to create electronic identity systems that work at a European level. Commission Decision 2011/130/EU establishes minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC. Finally, in its recently released Communication on the Digital Single Market, the European Commission proposes new legislation to ensure the mutual recognition of electronic identification and authentication across Europe, as well a revision of the Electronic Signatures Directive Interim conclusions e success of electronic signatures as a means for trust in cross-border e- commerce has been limited. is is mainly due to the vagueness in the current legal framework, limited interoperability costs and complex-ity associated with the use of electronic signatures. It is found to be important that any new legislation remains technology neutral, strives to avoid acting as a barrier or a slowing factor in developing new or improving existing solutions, and focuses on services that are likely to be used in crossborder scenarios where mutual legal recognition and clear legal effect generate a certain added value. Practical guidance based on good standards in addition to legislation is also important to ensure that the rules of the internal market can be correctly and homogeneously applied Commission staff working paper, Online services, including e-commerce, in the Single Market, accompanying the document, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A coherent framework to boost confidence in the Digital Single Market of e-commerce and other online services, {COM(2011) 942} {SEC(2011) 1640}. 112 European Commission, Information Society and Media Directorate-General, Public consultation on electronic identification, authentication and signatures in the European digital single market, Overview of responses, Brussels, Ares , August

42 Conclusions Retailers and consumers experience legal difficulties when it comes to cross-border e-commerce in areas such as the rules for online contracting, consumer protection, dispute resolution, data protection and the use of e-signatures. Most of these issues arise from the fact that the legal frame-work in Europe is still a patchwork of national laws and regulations. Divergences exist not only in areas which have not been regulated by EU law (e.g. general contract law), but also in areas which have been partially harmonised at Union level on the basis of minimum harmonisation (e.g. consumer protection law). is has left room for different national approaches to legislation. Differing legal regimes and interpretations of supervisory bodies throughout Europe further raise the costs of compliance for retailers and undermine the trust of consumers in cross-border e- commerce. harmonisation or are drafted in the form of a Regulation. Further harmonisation will likely address many of the current issues that act as barriers to the further growth of cross-border e-commerce. ere are, however, drawbacks to further harmonisation. e fear, in particular from the perspective of the consumer, is that full harmonisation will trigger a race to the bottom, possibly lowering consumer protection standards in many countries to meet the consensus point. For SME s a lack of harmonisation usually means that they do not engage in crossborder e-commerce. Whereas large companies and multinationals do engage in cross-border e-commerce, the lack of har-monisation means high costs of compliance and administrative burdens. Oftentimes these multinationals start up localised operations, thereby avoiding the burdens and pitfalls of cross-border trade. To consumers, uncertainty about their rights usually means that they prefer not to buy goods or services across the border. To improve the current situation, there are different legislative proposals in the works. What many of these proposals share is that they aim for maximum 42

43 43