
JILT 1998 (3) - Swindells & Henderson


Article Contents

Abstract
1. Introduction
2. Legal Regulation of E-Commerce
2.1 Formulation of Policy
2.2 Jurisdiction
2.3 Global Attempts at a Solution
2.4 The EU Perspective
3. Technical Solutions and Legislation
3.1 Digital Signatures
3.2 Certificate Authorities
3.3 Legal Position of Digital Signatures
3.4 Encryption
3.4.1 Clipper Chip
3.4.2 New Legislative Moves
4. Cryptography Regulation
4.1 Data Protection
4.2 Data Protection Legislation
4.3 European Directive on Data Privacy
4.4 Data Protection Act
5. Electronic Commerce and the Abuse of Data
5.1 New Measures to Protect Users
6. Taxation
6.1 Possible Solutions to Electronic Tax Issues
6.2 Taxing the Internet
6.3 Bit Tax
7. Conclusion
References


Legal Regulation of Electronic Commerce

Chris Swindells

Kay Henderson

 kay@dis.strath.ac.uk

University of Strathclyde

Abstract

Electronic commerce is a new technology which is growing rapidly. It has the ability to create a truly global digital economy, but current legislation does not encourage the uptake of this technology. The nature of the Internet and the globalisation of the world economy mean that developments in electronic commerce create legal problems concerning security of transactions and legal jurisdiction of transactions. The growth of electronic commerce has made current and future legal requirements difficult to assess. In order for electronic commerce to develop, these issues have to be addressed on an international level. This paper attempts to highlight the problems of legislating electronic commerce. The role of the United States, European Union and Organisation for Economic Co-operation and Development (OECD) in formulating legal policy is discussed. The legal position regarding digital signatures, certificate authorities and trusted third parties is addressed, as is the issue of data protection.

Keywords: Electronic commerce, legislation, encryption, digital signatures, certificate authorities, trusted third parties, OECD, USA, European Union.


This is a Refereed Article published on 30 October 1998.

Citation: Swindells C et al, 'Legal Regulation of Electronic Commerce', 1998 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/98-3/swindells.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1998_3/swindells/>



1. Introduction

The term 'electronic commerce' has been defined by Kalakota and Whinston (1997, p 3) as having many perspectives - communications, business, service and on-line. For the purpose of this paper electronic commerce is defined as any action undertaken by a business which requires a financial transaction to be carried out over a network such as the Internet. Electronic Data Interchange (EDI) is a form of electronic commerce concerned with the exchange of business documentation such as invoices and orders. Businesses have been slow to adopt EDI (Kalakota and Whinston: 1997, pp 379-380) due to high costs, limited consumer access to proprietary networks and the inability to automate only part of the transaction. Electronic commerce has the ability to eliminate the time span between ordering, delivery, invoicing and payment by using the World Wide Web. Electronic commerce transactions can be divided into two categories - business to business or business to individuals - and may involve the electronic supply of goods and services.

Electronic commerce offers benefits to both vendor and buyer. The vendor can create a global presence – thus generating more potential business, reducing costs, increasing competition, and allowing the ability to customise products. The buyer benefits through increased choice which encourages better standards of service, price reductions and a more tailored service.

At present only eighty-five per cent of companies are using the Internet (Feher and Towell: 1997, p3) and uptake of electronic commerce is small. However, the OECD estimates a two hundred per cent growth in electronic commerce transactions. (OECD: 1997a) This rapid increase inevitably leads to problems on a global scale with legislation and regulation.

This paper highlights some of the legal issues surrounding electronic commerce and the measures taken by international bodies and organisations to address these problems.

2. Legal Regulation of Electronic Commerce

Fraud, financial misdemeanours and tax avoidance are not found just in electronic commerce, but electronic commerce presents new ways to commit old crimes. Electronic commerce is difficult to regulate for two main reasons. Firstly, the scope of electronic commerce and the technology involved changes rapidly. Traditionally, the formulation of the law has been an evolutionary process, adapting to suit the needs of society. Where electronic commerce is concerned the pace of change is and has been too great for this process to take place. This results in a situation where there is a choice of either applying current legislation or enacting new legislation specifically formulated to meet the challenge of electronic commerce. Secondly, the very nature of the technology involved means that it is transnational. This leads to problems as to which legal system has jurisdiction over electronic commerce transactions.

2.1 Formulation of Policy

Even in this era of supra-national bodies and trade blocs, the nation-state is still responsible for almost all of the legislation that affects its citizens. To date, few have enacted laws to deal specifically with electronic commerce; that may reflect the speed of legal change in most countries rather than a desire to wait until international agreement has been reached. In fact, some countries (such as France and Germany) have already introduced legislation governing the use and legality of electronic signatures. [3.3]

The OECD is dedicated to promoting measures that will benefit both members and non-members and to the development of international trade. Naturally, this organisation has considered the impact of electronic commerce. The report Global Information Infrastructure - Global Information Society (OECD: 1997b), although addressed to governments, acknowledges the need for all social partners to become involved and places importance on allowing the private sector to take the lead in the economic and commercial development and implementation of GII – GIS. Government efforts should concentrate on breaking down barriers and creating opportunities for digital commerce, rather than increasing regulation. The OECD recognises that the different legal and political traditions among members mean that different solutions will be appropriate for each nation, but states that the global nature of the digital economy requires them to look at ways of ensuring access and enforcing certain safeguards. The report also points out the need for consensus on security and authentication measures that will make electronically transmitted documents legally binding. Policy should remain flexible and dialogue with the private sector continuous. In addition, the OECD has issued proposals of a more detailed nature on topics such as cryptography and digital signatures. (OECD: 1997c) [3.3]

Groups comprising business representatives fall into two categories: those who lobby governments for control and legislation and those who provide advice and guidance for businesses wishing to enter into electronic commerce. In the former category, groups such as the World Wide Web Consortium (W3C), the Electronic Commerce Association and the Internet Law and Policy Forum (IPLF) share information, encourage debate and engage in discussion with legislators to promote their cause. More often than not, the message they promote is the less regulation the better. It would be simplistic to say that they are in favour of no legislation at all, but they are of the opinion that they are in a better position than many to know what regulation is required. In addition, they argue that any regulation could not hope to be as reactive to changing circumstances and technology as they themselves could.

Thus far, the response to these claims has been receptive. Governments seem to appreciate the fact that it is not practical for them to regulate electronic commerce completely. This has led to a large degree of co-operation between the public and private sector. In June 1998 EC Commissioner Bangemann invited business leaders from throughout the world to participate in a discussion on ways to increase global co-operation in electronic commerce. (Bangemann: 1998)

The conference concluded that regulation should be kept to a minimum as the global nature of electronic commerce made government regulation impossible anyway: therefore industry self regulation was the way ahead. They also arranged mechanisms by which industry could continue to consult with each other and play a leading part in the formulation of policy. (Bangemann: 1998) The Global Standards Conference, hosted by the EU, came to similar conclusions regarding self regulation. (EU: 1997a)

The Interactive Media in Retail Group is an example of a business group less inclined to lobby, although the IMRG has developed a standard for web sites which indicates to users that they are using an approved and secure site. (IMRG: 1998)

2.2 Jurisdiction

Although consumers are prepared to conduct business by telephone and by fax, for some reason there appears to be a psychological barrier to transactions over the Internet. As the Internet has no regard for national boundaries the question of which legal system is responsible for cross-border transactions is central to the success of electronic commerce. Users are less likely to feel confident about making a transaction electronically if they are unsure of the legal protection they will be afforded. They may not be offered the same means of redress as in a purely domestic transaction. They may also be reluctant to transact with parties in a foreign or unknown jurisdiction due to lack of legal protection. This has implications for the development of global electronic commerce and raises several important issues.

Firstly, how is a vendor to be expected to comply with the law of all the countries in which their clients reside? This would place an unacceptable burden on the vendor - forcing them either to be aware of the legal situation throughout the world or to limit themselves to dealing with a few countries where they feel reassured by the law. The former is unfeasible and the latter is undesirable as it would be contrary to the spirit of electronic commerce which it is hoped will stimulate world-wide trade.

One solution would be to establish international agreements stating that any contract signed in cyberspace comes under the jurisdiction of the territory in which the vendor resides. This, of course, raises questions as to what constitutes a residence and the problem is compounded if a business has operations in several countries. There is also the question of server location. In the digital global economy it is quite feasible for an organisation to have a server, but nothing else, in one country. The 'virtual organisation' is therefore outwith the jurisdiction of any one country.

2.3 Global Attempts at a Solution

The USA has the highest instance of electronic commerce transactions, but the legal issues are far from being resolved. The recent 'Framework for Global Electronic Commerce' outlines the US Government's plans for assisting the growth of electronic commerce (Clinton and Gore: 1997). This document takes the popular view that government should avoid regulation where possible and allow the private sector to take the initiative.

The Report does, however, advocate the creation of a Commercial Code setting down basic rules for transactions over the Internet and possibly providing a means for governmental recognition of electronic contracts, mutual recognition of electronic signatures, dispute settlement etc. The USA has already begun adapting the Uniform Commercial Code, which governs US commercial law, for this purpose. Case law in the US appears to offer some sort of precedent in the area of jurisdictional liability. It appears that business sites can be categorised according to the level of interactivity involved. Thus, a web site that is purely informative is not likely to convey any liability outside the state of the publisher, whereas if the site allows, for example, online purchasing, the vendor will be liable in those states where the purchasing may take place.

The United Nations Commission on International Trade Law (UNCITRAL) has produced a model law for regulating electronic commerce, which appears to be similar to the US proposals for a Commercial Code. (UNCITRAL: 1996) Its effects are not binding and it is up to individual nations whether they introduce legislation based on the US model.

The OECD has also raised the issue of applicable law for the purposes of dispute resolution. (OECD: 1997c) It states that there is a need for mechanisms to resolve international disputes and suggests that existing international commercial bodies should be encouraged to take on this role.

The European Union has recently been formulating policy in a number of areas and is keen to ensure that regulation in Europe takes place in a unified way. Legislation on digital signatures, encryption and certificate authorities is imminent, and a Directive on data protection has been issued. (EU: 1995b) An outline of Commission policy can be found in 'A European Initiative in Electronic Commerce'. (EU: 1997c)

At present there are no effective means for solving cross border dispute resolution in the area of electronic commerce. The proposals suggested by the UN and US should go some way to addressing this problem, although individual countries must accept the proposals and adopt national legislation. It is to be hoped this is done as soon as is practicable, in order to reassure consumers and businesses that electronic commerce is a safe and reliable way to conduct their business. The proposed legislation is based on a model of electronic commerce that would not have evolved naturally, and thus will be constrictive by attempting to shape electronic commerce instead of letting the needs of electronic commerce shape the law.

2.4 The European Union Perspective

The EU is unique amongst international organisations in that it is able to make norms that are legally binding on its member states or which confer rights and obligations directly on the citizens of the EU. Harmonisation within the EU is a priority in order to ensure the single market is not distorted.

Europe, together with the US, is one of the key test-beds for electronic commerce. As the US and the EU are the largest trading blocs in the world, agreement between them would cover a large proportion of electronic commerce transactions. Agreement would also lead the way to a global legal environment, as other states dependent on trade with the US and the EU would be keen to enact similar legislation or enter into agreements which would make electronic commerce easier. Any kind of joint agreement must be swift, since it is inevitable that more and more nation-states will implement their own measures. It would be much more difficult to try to harmonise many individual laws than to encourage nations to follow a particular model from the beginning.

It appears that all parties are in agreement as to what is required – a flexible system led by the private sector allowing for the use of governmental rules in certain key areas. Example guidelines are already in place (UNCITRAL: 1996) and it seems likely that more will follow adhering to the same formula. If world-wide agreement is to be found, one system needs to be adopted by the EU and USA in the hope that their trading partners will follow suit.

In the absence of concrete international regulations the inevitable conclusion is for the buyer and seller to enter into a contract stating the conditions that have been agreed upon and the jurisdiction in which any dispute will be settled.

3. Technical Solutions and Legislation

Although the number of businesses on the Internet has grown, many of these organisations are simply maintaining a 'web presence' by providing information about themselves and their products and have not yet undertaken Internet-based transactions. This inertia is probably due to concern about security of transactions and user authorisation. Technologies concerned with authorisation include firewalls, password access, smart cards and biometric fingerprinting. However, in order to provide secure electronic transactions (SET), encryption technologies are used. Encryption technologies, which are supported by the appropriate legal mechanisms, have the potential to allow global electronic commerce to develop.

3.1 Digital Signatures

Digital signatures provide information regarding the sender of an electronic document. The technology has assumed huge importance recently with the realisation that it may be the remedy to one of the major barriers to growth of electronic commerce: fears of lack of security. Digital signatures provide data integrity, thereby allowing the data to remain in the same state in which it was transmitted. The identity of the sender can also be authenticated by third parties.

The most widely used type of cryptography is public key cryptography where the sender is assigned two keys – one public, one private. The original message is encrypted using the public key while the recipient of the message requires the private key to decrypt the message. The recipient can then determine whether the data has been altered. However, although this system guarantees the integrity of the message, it does not guarantee the identity of the sender (public key owner). In order to remedy this a Certificate Authority is required.

3.2 Certificate Authorities

Trusted Third Parties (TTP) provide a variety of cryptography services to their clients. Certificate Authorities (CAs) are TTPs who have been given licence to produce digital certificates authenticating digital signatures. In order for this system to work, the Licensed CA must be reliable and have the confidence of the public and business community. In addition, those who rely on the services of the Licensed CA must be able to hold them legally liable for any loss suffered as a result of their error. Licensed CAs promote the use of electronic commerce technology by reassuring the user that the authentication process is reliable, that is, the owner of the digital signature is who they say they are. This provides business with the reassurance that the electronic commerce transaction is secure.
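The following sketch is an added example, not part of the original article: it illustrates the point of sections 3.1 and 3.2 that a valid signature shows the data is unaltered, while only a CA-issued certificate ties the key to a named sender. It uses unpadded textbook RSA over small constructed primes (unsuitable for real use), and the names `vendor.example`, `impostor.example` and all helper functions are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys below


def make_keypair(p, q):
    """Textbook RSA keypair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def digest(data, n):
    """SHA-256 of the data as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """The signer applies the private key to the message digest."""
    n, d = private
    return pow(digest(data, n), d, n)


def verify(public, data, signature):
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)


def cert_body(subject, public):
    """The statement a CA signs: this name owns this public key."""
    return f"{subject}|{public[0]}|{public[1]}".encode()


def issue_certificate(issuer_private, subject, public):
    return {"subject": subject, "public": public,
            "ca_sig": sign(issuer_private, cert_body(subject, public))}


def check_message(ca_public, cert, claimed_sender, message, signature):
    """Recipient-side check: CA binding first, then the message signature."""
    body = cert_body(cert["subject"], cert["public"])
    if not verify(ca_public, body, cert["ca_sig"]):
        return "rejected: certificate not issued by the trusted CA"
    if cert["subject"] != claimed_sender:
        return "rejected: certificate names a different party"
    if not verify(cert["public"], message, signature):
        return "rejected: message altered or signed with another key"
    return "accepted"


# Constructed toy keys (Mersenne primes), one pair per party.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**127 - 1, 2**107 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**89 - 1, 2**61 - 1)

# Constructed sample messages.
ORDER = b"Order 1001: 20 units, pay GBP 450 to account 12345678"
FAKE_ORDER = b"Order 1001: 20 units, pay GBP 450 to account 99999999"


def run_scenarios():
    vendor_cert = issue_certificate(CA_PRIV, "vendor.example", VENDOR_PUB)
    impostor_cert = issue_certificate(CA_PRIV, "impostor.example", IMPOSTOR_PUB)
    # Self-issued: signed with the impostor's own key instead of the CA's.
    forged_cert = issue_certificate(IMPOSTOR_PRIV, "vendor.example", IMPOSTOR_PUB)

    good_sig = sign(VENDOR_PRIV, ORDER)
    fake_sig = sign(IMPOSTOR_PRIV, FAKE_ORDER)

    return {
        # Genuine order, genuine certificate.
        "genuine": check_message(CA_PUB, vendor_cert, "vendor.example",
                                 ORDER, good_sig),
        # Order changed in transit: the old signature no longer matches.
        "tampered": check_message(CA_PUB, vendor_cert, "vendor.example",
                                  FAKE_ORDER, good_sig),
        # No CA: the signature verifies against whatever key came with the
        # message, so integrity holds but the sender's identity is unproven.
        "bare_key_only": verify(IMPOSTOR_PUB, FAKE_ORDER, fake_sig),
        # With a CA, a self-issued certificate is refused ...
        "forged_cert": check_message(CA_PUB, forged_cert, "vendor.example",
                                     FAKE_ORDER, fake_sig),
        # ... and so is a real certificate issued under another name.
        "wrong_subject": check_message(CA_PUB, impostor_cert, "vendor.example",
                                       FAKE_ORDER, fake_sig),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14} {outcome}")
```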

3.3 Legal Position of Digital Signatures

Although digital signature technology has been available for some time, it has only recently become feasible to use digital signatures to authenticate a document. This breakthrough has made digital signatures one of the most important areas of development within electronic commerce. It is important because the technology, and the law governing it, must develop in a way that promotes, or at the very least does not inhibit, the growth of electronic commerce.

A substantial amount of legislation regulating the use of digital signatures and their legal status has been enacted. So far, this has been enacted on a state by state basis, resulting in those countries taking contrasting legal positions. Germany has recently introduced the Digital Signature Law (Federal Act: 1998). France has enacted a law introducing Trusted Third Parties (Law Decrees: 1998) and the United Kingdom has released a consultation paper. (DTI: 1997) Belgium, Italy and Sweden have also introduced legislation. Legislation on digital signatures has taken place on a state by state basis in the United States and so far nineteen states have legislated. (HR: 1996) International law on digital signatures has yet to be formulated.

As part of its plan to develop electronic commerce and create user confidence, the European Commission has unveiled a proposal for a directive on digital signatures. (EU: 1998d) The draft directive would lay down minimum requirements for electronic signature certificates and certification services and require legal recognition of electronic signatures to the same extent as written signatures, especially in cross border transactions (EU: 1998d). This is vital if electronic commerce is to become a viable alternative to traditional ways of conducting business. The proposal also envisages co-operation with third countries to enable recognition of digital signatures that have been certified by a CA in a third country, provided that CA meets the requirements of the directive or is situated in a country which has negotiated an agreement with the EU. (EU: 1998b) Negotiations with the US and Japan to this end have already begun. This is a very positive step as from its inception electronic commerce was intended to be global and this must be reflected in the law. Unfortunately, this concept does not fit well with legal tradition, and movement to create an international framework has not been swift. One important provision of the draft directive was that Certification Authorities should be allowed to operate without obtaining authorisation in advance, although stating that they may seek voluntary accreditation if they wished.

Developments are also taking place at a global level. Bodies such as the Internet Engineering Task Force (IETF), the International Organization for Standardisation (ISO) and W3C are currently working on standardisation of digital signatures. The OECD has issued 'Guidelines for Cryptology Policy' (OECD: 1997c) which includes a guide for states on the creation of legislation governing the use of digital signatures. UNCITRAL has also released draft legislation on electronic commerce, including guidelines for digital signatures. (UNCITRAL: 1998)

3.4 Encryption

The roles of encryption, CAs and digital signatures go hand in hand. Cryptography provides the technology used in digital signatures as well as for encryption. Encryption renders an electronic document unreadable, thereby providing another level of security and increasing the attractiveness of the Internet as a means of transferring confidential data of the type often used in electronic commerce. Encryption is either a powerful tool or a dangerous weapon. As a tool it is an important aid to the security of legitimate data transactions, but as a weapon it could be used for criminal means. The US government intends to use key recovery to counter this problem. Concerned about the possible uses of encryption software, it has also legislated to prohibit the export of such software (stronger than 56 bits) without prior authorisation.

3.4.1 Clipper Chip

Since 1993 the US Government has consistently attempted to introduce legislation on the Clipper Chip, or a similar alternative. The Clipper Chip is a device enabling the government to gain access to communications by obtaining a key held by two escrow agents. These agents are usually government bodies: in the case of the USA, NIST and the Department of the Treasury are the agents.

The outrage provoked by the initial proposal led to its abandonment and subsequent attempts to legislate in this area have featured watered down versions of the original idea, none of which have been particularly well received. The administration is persisting with attempts to introduce some sort of key recovery scheme (Abelson et al: 1998). In fact, according to the US Administration document A Framework for Electronic Commerce 'the US government will work internationally to promote development of market-driven key management infrastructure with key recovery.' (Clinton and Gore: 1997)

Many civil liberties groups have campaigned bitterly against these laws (ACLU, EFF, EPIC: 1998) and it is still unclear whether any kind of key recovery mechanism will become law in the USA.

3.4.2 New Legislative Moves

The E-Privacy Act (Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace) was brought before the US Senate in May 1998. The aim is to provide stronger privacy safeguards for those who use encryption, and the Act promises to lift the export ban on certain encryption software. (EPIC: 1998) The imposition of five- to ten-year prison sentences for those who use encryption to hide criminal acts has been proposed. Most of the proposals were well received by civil libertarians, but concern has been voiced over the criminalisation of the concealment of criminal activities using encryption. In its analysis of the Act the EPIC stated (1998):

'We believe it is a mistake to create criminal penalties for the use of a particular device or technique or device. Such a provision tends to draw attention away from the underlying criminal act and casts a shadow over a valuable technology that should not be criminalised'

Apart from the unnecessary stigmatisation of encryption the EPIC believes that these provisions will encourage enforcement agencies to investigate cases where the only evidence of criminal conduct is the use of encryption.

As yet, there is no UK legislation in place governing the use of cryptography. However, moves are now being made with the recent DTI consultation paper. (DTI: 1997) The paper proposes the creation of licensed Trusted Third Parties, which will have access to the private key of those communicating. Civil liberties groups have compared the proposal to the Clipper laws in the USA in 1993 and argued that Government should not have access to escrowed keys.

As in other areas of electronic commerce, the OECD has taken a lead in the establishment of a legal framework by publishing the Guidelines for Cryptography policy. (OECD: 1997c) This was the first such attempt at international level. Principles 2 and 5 of these guidelines are especially relevant to the subject of licensing of TTPs:

Principle 2: 'Users should have the right to choose any cryptographic method, subject to applicable law.'

Principle 5: 'Fundamental rights of individuals to privacy including secrecy of communications and protection of personal data, should be respected in national cryptographic policies.'

Some have voiced their concern that in the rush to act, many have neglected to look at the consequences of regulation.

For example, Akdeniz (1997) has argued:

1. Regulation is simply unnecessary, as the private sector is best placed to decide how it wants to operate security aspects of electronic commerce

2. Licensing TTPs, instead of increasing security, will in fact make electronic commerce less secure. This is because centralised authorities will become the targets of hackers, are susceptible to corruption and are reliant on the honesty of staff.

3. The whole notion that government agencies should have the ability to access the private keys of suspected criminals is misplaced. Criminals will not use TTPs – only law-abiding citizens will be affected.

Perhaps the solution might be to focus on traffic not protected by TTPs as this is likely to be where criminal activity will occur.

4. Cryptography Regulation

Security concerns may appear to justify strict regulation of cryptographic products. It can be argued that if one has nothing to hide one should have no hesitation in seeking authorisation for use of cryptography. However, the introduction of such legislation simply adds another layer of bureaucracy to the process of electronic commerce - possibly to the extent of discouraging its use. A cryptography law would be difficult to enforce, as cryptographic products are freely available over the Internet where national restrictions do not apply.

Moreover, fundamental human rights issues are raised here. Encryption technology allows the secure passing of information from one party to another, safe in the knowledge that the information cannot be intercepted and accessed by a third party. It allows the user to transmit confidential business documents, medical records, financial information and other personal details securely. Not to allow strong encryption in the first place is to deny people this security. To enforce key escrow is to restrict these rights. Many may then choose not to use cryptography at all rather than allow any government agency access to personal communications. The national proposals in place in both the US and UK appear to defer too significantly to law enforcement and offer fewer rights to the individual. Both seem at odds with international human rights treaties, which establish the existence of a right of privacy. OECD guidelines do follow the spirit of these treaties and could be used as a starting point for legislation resulting in more balanced laws on an international level.

Ultimately it is a question of balancing the need for millions of people to pass data securely with the need of security forces to access material that may be criminal or provide evidence of criminal activities. Almost any technology could be used for criminal purpose, so it is senseless to concentrate on encryption and it seems disproportionate to take measures that will severely affect everyone to achieve an unproved result. It is important to remember that non-encrypted paper documents containing personal information can be obtained quite easily. Here we have yet another example of the phobia surrounding electronic commerce and the invasion of privacy.

4.1 Data Protection

The rise in Internet based transactions over the last few years has resulted in a vast increase in the amount of personal and financial information being transmitted. Personal details are requested even if physical delivery is not required. This means that the vendor may be much more knowledgeable about the other party than a typical high street retailer. While such an instance does of course concern security of electronic transactions, the use made of the data is also important. Data protection legislation is therefore crucial.

4.2 Data Protection Legislation

The right of privacy is guaranteed by both the European Convention on Human Rights and the UN Universal Declaration of Human Rights. However, these are only frameworks or broad guidelines, the spirit of which should influence the domestic legislation of signatories. As with other international treaties, there is no way to ensure that other countries carry out their obligations. For many years the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data have provided a basis for national legislation in this area. (OECD: 1980) Although these guidelines were general in nature and not technology specific, it was thought beneficial to consider how they applied to the digital age. In 1997 the OECD issued Implementing the OECD Privacy Guidelines in the Electronic Environment: Focus on the Internet. (OECD: 1997) Although the guidelines were recommended, nothing was enforced, once again creating inconsistencies in the law.

4.3 European Directive on Data Privacy

The Bangemann Report, published in 1994, was the first real attempt to set a direction for EU policy on electronic commerce and it has influenced the formulation of the subsequent EU Directives. (EU: 1994) One of these was the Data Privacy Directive which sets common standards for the protection of data within the EU and states that data may not be transmitted out of the EU to a country which does not have equally stringent standards. (EU: 1995b)

4.4 Data Protection Act

EU Directives do not take effect automatically in the member states. Each state is left to implement the Directive in their domestic legislation in a manner in keeping with the text of the Directive. The Data Protection Directive required member states to pass national legislation by October 1998. (EU: 1995b)

To this end, the United Kingdom introduced the Data Protection Act 1998, (HMSO: 1998) which will repeal the Data Protection Act 1984. (HMSO: 1984) The new Act, like the 1984 Act before it, places obligations on those who hold information and bestows rights on the subjects of that information. Of particular interest to electronic commerce is the provision that:

'Personal Data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.' (HMSO: 1998)

There are practical difficulties in imposing such a restriction. Who decides what is adequate? How do you stop the data being transmitted? How do you prevent the data being transmitted to an intermediary country outside the EU with adequate protection and then onto another without? Information is often stored in a remote location after transmission, therefore who is responsible for any infringement? Questions such as these will only be answered over time when some sort of code of practice is established. It is, of course, preferable that the law should derive from a common EU standpoint, as has happened, rather than allowing disparate national policies to be enacted within the EU. However, these problems highlight the difficulty in legislating for one political area in something that is clearly of global concern.

5. Electronic Commerce and the Abuse of Data

So what threat, if any, does electronic commerce pose to the right of privacy? Personal databases of customer information allow businesses to tailor their marketing strategy to suit the individual and pinpoint the type of person they wish to target. Problems arise when that company chooses to share the data with someone to whom we have not chosen to give data or when details are taken without our knowledge.

Technologies such as data mining have made it possible to use information much more productively. Misuse of personal data is not something that is limited to electronic commerce; we provide a great deal of information to various organisations on a daily basis. Again, a phobia about electronic commerce makes an appearance. Many high street stores provide customer loyalty cards, with which our purchases can be monitored and we receive details of the latest offers which might interest us. Why should information taken from web sites regarding our buying preferences be treated so differently? The online equivalent of a store loyalty card is a cookie. The disturbing fact about cookies is that they have been designed to operate without the user knowing they are there and thus, according to the OECD, could be said to be an invasion of privacy.

Cookies are tiny pieces of data which are sent by web servers and which can be placed on the user's system for later retrieval. Cookies may be used perfectly innocuously, for example to find out if a visitor to a web site has been there before and thus show customised information. However, cookies placed on your computer may be combined with malicious Javascript or other code or may be designed in such a way as to reveal other sites your computer has visited, allowing marketers to attempt to create a picture of your interests and lifestyle. Cookies can be disabled, but this has implications for interaction with the web site as messages constantly appear asking the user to enable the cookie, thus wasting time and money.

'If consumers do not have control over the collection and use of their personal data, electronic commerce will facilitate the invasion of their privacy' (OECD: 1997e)

It has also been argued that the use of cookies contravenes the principles of the Data Protection Directive. For example, the fact that no consent is given violates Articles 10-12 of the Directive. (EU: 1995b)

Although several groups concerned with privacy have objected to the use of cookies there appears to be little chance of their use lessening in the immediate future. This may change when the Data Protection Directive becomes part of the national law of states around Europe, and challenges to the use of cookies are made either by individuals or groups under the new laws.

5.1 New Measures to Protect Users

On June 25 1998 the Director General for Financial Services and Internal Market of the European Commission met his American counterpart to discuss the issue of personal data protection in the electronic era. Such international co-operation is necessitated by the fact that the EU legislation affects transactions not only within the EU but also with third countries including the US. Until now measures to protect privacy in the US have largely taken the form of voluntary codes of conduct. The unanswered questions as to where liability lies for an infringement of the EU Directive and who could take action against such an infringement are detrimental to both parties as it has consequences for international trade. Discussions are continuing: the aim being to find some sort of solution before the Directive takes effect in October 1998.

There are competing forces at work here. To increase levels of confidence we require accurate and reliable information about the person with whom we are transacting, presumably the more details the better. Yet we also fear what the result of disclosing this information will be and perhaps desire a means of conducting transactions anonymously, as we might on the high street.

It is important that in all the discussions on data protection the consumer is adequately represented. It could be argued that this is not so at present. Businesses which use data are accustomed to being heard by government when legislation is in its formative stage. They can obtain expert advice and have the capability to form associations with like-minded organisations. To a certain extent this does not happen with consumers, leading to a danger that legislation is more suited to the users of data rather than the owners of it.

The EU Directive is among the first pieces of legislation to be introduced with the intention of controlling the use of data in the information age. The problem with such far-reaching legislation is that if everyone else must comply with it, the country (or group of countries) of origin may be seen as trying to impose its standards on others. However, this is preferable to no common standards at all, which would make it difficult for business to operate on the international stage. The EU Directive was influenced by the OECD guidelines, and it is realistic that those guidelines should, when updated, be the model for others, since most industrialised countries are members of the OECD and have agreed to the Guidelines. However, it remains the case that there will be many different interpretations of the guidelines. For that reason the EU, US, Japan and others need to devise a common regulatory framework that will prevent any restrictions on trade.

6. Taxation

Globalisation has some problematic consequences, one of which impacts on the collection of taxes. Electronic commerce itself poses a number of distinct problems for taxation authorities around the world.

Electronic commerce is borderless and promotes disintermediation, which makes tax collection complex. Where previously an undertaking from one state would export to an importer from another, which would then resell to local businesses, the local businesses are now faced with the opportunity to deal directly with the exporter. This results in a whole swathe of cross border transactions instead of only one. (OECD: 1997d)

'The communication revolution has opened up new possibilities for tax administrations to improve the efficiency of their operations. But these new technologies also open-up new probabilities for tax evasion and avoidance'. (OECD: 1997d)

One such technology that could make tax avoidance easier is electronic cash. This technology allows the instant transmission of cash from one account to another, with no record of the transaction. This leads to obvious difficulties for tax collection authorities.

Electronic cash combined with digital networks also makes it possible for individuals and businesses to open bank accounts abroad. This has very obvious tax implications as it could lead to the widespread opening of foreign accounts to benefit from lower tax rates, thus depriving some national governments of tax revenue.

It may be impossible to trace the operator of a web site that is the 'shop window' of a business thus preventing the collection of income tax on that business. Similarly the person who buys electronically may give no indication as to their place of residence, only an Internet address, thus making VAT difficult to collect. Encryption technology also makes it easier to disguise the nature of transactions and thus avoid paying tax on them.

Cordell states (1997)

'The growing use of information technology marks the change from an economy that produces and consumes hardware to an economy that produces and consumes software. We are moving from an economy of tangibles to one of intangibles'

Electronic Commerce is bringing about changes not only in the physical characteristics of products but also in the way in which they are delivered. A common example is software that is able to be downloaded over the Internet instead of being bought in a shop. This raises important questions as to the nature of the software. Few would argue that software bought in the shop is a product. The same software downloaded must also be a product. Not necessarily. This is more than simply some irrelevant debate over definitions. The classification of sales into goods and services is a vitally important part of VAT legislation in the EU and many other countries. For example, EU VAT legislation deems that the place of supply for services is different from the place of supply of goods. On 17 June 1998 the EC Commission issued a Policy Statement, which stated that digital products e.g. downloaded software, are to be taxed as services.

According to a report by the Committee on Fiscal Affairs, the OECD body concerned with taxation, the classification of a good or service should not depend on the means of distribution. (OECD: 1997d) This would mean that the software example must always be a good or always a service. The OECD report goes on to admit, 'it may well be that the growth of electronic commerce may lead to a re-evaluation of the way certain transactions are traditionally classified' (OECD: 1997d)

'Disparities in the level of protection of such privacy rules create the risk that national authorities might restrict free circulation of a wide range of new services between Member States in order to protect personal data.' (Bangemann: 1994)

6.1 Possible Solutions to Electronic Tax Issues

According to the Committee on Fiscal Affairs, new legislation should not be rushed. The committee recommends a period of appraisal, examining the extent to which electronic commerce could be governed by existing tax frameworks, domestic and international. This would have the additional benefits of not inhibiting the growth of electronic commerce through restrictive taxation, and allow the possibility of reaching international agreement as to how to proceed in a uniform manner. This report, as its name suggests, does little more than highlight the problems in this area and suggests mechanisms to find solutions, but stops short of making suggestions as to what those solutions may be.

If electronic commerce continues to expand, the sooner new tax laws are instituted the better as governments will begin to lose vast amounts of tax revenue. It has been argued by some that this is not the case. The Information Technology Association of America (ITAA) claims that what is lost in some taxes will be compensated for in other areas such as hardware and telecommunications. The ITAA also claim that as electronic commerce will boost jobs, governments face the pleasant prospect of increased income tax revenues and a reduced benefits bill. All of this has led the ITAA to claim that new taxes are not necessary to deal with the problem, as there is in fact no problem to deal with. Internet commerce should simply be left alone. (ITAA: 1998)

If, in the long term, it is decided that erosion of the tax base is taking place and current tax laws are inadequate to deal with the problem, something must be done to claw back the revenues that are slipping away from the state. The problem is that any taxes imposed will be far reaching in effect which could at best make them difficult to collect, and at worst discourage foreign businesses from dealing with the state which imposed the tax regime in question.

6.2 Taxing the Internet

On 23 June 1998 the US House of Representatives passed the Internet Tax Freedom Act which creates a body designed to consider possible changes in the law of taxation on the Internet. (HR: 1998) This is to report back in two years as to whether and how taxation should take place. The Act includes provisions for a ban on new local and state taxes which discriminate against electronic commerce. It also calls for the US Administration to put pressure on other countries to refrain from taxation of the Internet. This Act still requires approval by Senate before becoming law.

Most have welcomed this moratorium on Internet taxes. Not so the Center of Budget and Policy. The center claims that it is, in effect, giving a tax break to the wealthy who can afford to shop on-line, while leaving those who are not a part of the digital revolution to face higher taxes in shops. It also claims that there is no evidence that taxation would have a detrimental effect on Internet commerce and complains that the three year ban on taxes practically rules out any future taxes on electronic commerce as the principle of non-taxation will be accepted as normal after three years. (Mazerov: 1998)

On 15 May 1998 the US and Japan issued a joint statement on the taxation of electronic commerce. (ISPO: 1998) This stated their joint desire to avoid any kind of 'bit tax' and emphasised the need to develop a common international framework, suggesting the OECD as the appropriate mechanism for this. The EU and the US have been in close consultation over this issue in the hope that a coherent and co-ordinated approach can be reached internationally. This fits with the policy announced earlier this year by the EU that there would be no new taxes placed on electronic commerce; rather, attempts would be made to adapt existing taxes – this appears to have signalled the end of the possibility of a bit tax being implemented. (EU: 1997)

According to the Information Technology Association of America, there should be no discrimination between products on the basis of whether they were sold on-line or by conventional means. They single out the case of purchasing tangible goods over the Internet, which are later delivered. These, says the ITAA, should be treated in the same way as mail order purchases. This is the least difficult of the problems thrown up by electronic commerce as the legal and tax implications have already been established by its predecessor. In any event it is relatively straightforward, as there is a physical address to which the product is sent, thus the jurisdiction in which sales tax is to be applied is known.

6.3 Bit Tax

One possible solution to the question of taxation of Internet transactions is the bit tax. This is a tax on every bit of 'value added' data transmitted at a rate of around 0.000001c. It would be collected by telecommunications companies, satellite and cable networks and passed on to the relevant treasury. (Cordell: 1997)

Cordell (1997) is not of the opinion that the existing laws are adequate to deal with electronic commerce and considers this tax to be the only way governments can continue to raise taxes at the previous levels. He does not believe either that electronic commerce will stimulate the economy to such an extent that tax revenue will be generated from new sources. He admits that it has created a 'new wealth' but argues that it is also responsible for unemployment, a result of downsizing as well as tax avoidance. The only way, he claims, that governments can access this 'new wealth' is by way of a 'bit tax'.

There are, of course, problems with such a tax. It could discourage people from using the Internet. It would also be an unfair tax as it would not discriminate on the basis of the nature of the data transmitted or the status of the parties involved. Thus a child's video game would be subject to more tax than the transfer of valuable business information. It is also unclear which government would be entitled to the tax resulting from a cross border data flow.

It could be argued that these are not new problems at all but simply new manifestations of old ones. For example, ordering a tangible item over the Internet is, in fact, no different to ordering one from a mail order catalogue (which could equally be done across international borders). However this example is but one aspect of electronic commerce. Electronic commerce as a whole raises a whole host of problems that are truly new, such as the downloading of software, the use of electronic money, the potential for instantaneous transactions and global access. (OECD: 1997d)

The taxation problems raised by electronic commerce are very real, especially if growth is as rapid as some have predicted. There is the possibility that a large percentage of government revenue may be removed from the system. It is unlikely that any agreement on taxation is imminent as there seems to be a willingness to wait and see how electronic commerce develops, and a desire to make sure it is not inhibited.

If treated correctly, electronic commerce could be a major source of wealth creation, which has the potential to benefit everyone. The challenge is to ensure this happens. It must be given the opportunity to grow and create wealth, but that wealth must not be restricted to those who are able to take advantage of the technology to avoid their obligations.

7. Conclusion

Electronic commerce raises many new problems. It is not only the pace of its adoption that causes difficulty but the fact that it is an entirely new form of doing business which disregards national barriers and traditional means of forming contracts. The ease by which information may be transferred is partly responsible for the success of electronic commerce. It is also the cause of many of the problems, for example new mass marketing techniques have been made possible, thus raising privacy issues.

With the rapid uptake of electronic commerce, predictably, there has been a rush to enact laws. However, these laws suffer from two fundamental problems: The changing nature of the technology has the potential to render any legislation redundant within a short period of time. In addition, national laws are inadequate to govern what is truly a global issue. Regulation poses further threats in that it risks stifling electronic commerce if it is unduly burdensome.

The aim of any regulation of electronic commerce should therefore be to facilitate the adoption of electronic commerce, or at the very least to avoid distortion of the market through laws which are not appropriate or which create strong local differences. Although there is an argument that legislation is not necessary, that clearly is not the case. Existing laws are not capable of being adapted to this truly new sphere of business. However, because no clear picture exists of what electronic commerce encompasses, how widespread it has become, and how it is likely to evolve in the future, it is difficult to reach a consensus on suitable laws. To some extent, this has been achieved through the various international agreements that have been signed, although no one agreement takes precedence over another and none are strictly binding. Of more legal effect are interstate agreements such as have taken place between the EU, the US and Japan. If a model can be created between these countries it will serve to encourage others to adopt similar legislation, perhaps leading to the certainty that is craved by business.

References

Abelson H et al The Risks of Key Recovery, Key Escrow and Trusted Third Parties Center for Democracy and Technology <http://www.cdt.org>

Akdeniz et al Cryptography and liberty: can trusted third parties be trusted? A critique of the recent UK proposals <http://elj.warwick.ac.uk/jilt/cryptog/97_2akdz/default.htm>

Bangemann M (1998) Launching a global business dialogue: business round table on global communications <http://www.ispo.cec.be/Ecommerce/english.htm>

Commission of the European Communities (1995) Directive (95/5046/EC) OJ L281 23.11.95 p31

Commission of the European Communities (1997) COM (97) 157 OJ C 157/97 24.5.97

Cordell Arthur J (1997) Taxing the Internet: the proposal for a bit tax. Speech to the International Tax Program at Harvard Law School

DTI (1997) Licensing of Trusted Third Parties for the Provision of Encryption Services

EPIC (1998) Preliminary analysis of E-PRIVACY encryption bill <http://www.epic.org/crypto/legislation/epriv_analysis.html>

Feher A & Towell E (1997) 'Business use of the Internet' Internet Research 7 (3)

HMSO (1984) Data Protection Act, s1

HMSO (1998) Data Protection Act <http://www.hmso.gov.uk/acts/acts1998/19980029.htm>

'Information and Communication Services Act' Federal Law Gazette 1 1998 <http://www.urjura.uni-sb.de/BGBL/PEIL1/1997/19971870.1.html>

Information Society Project Office (1997) 'Building the Global Information Society for the 21st Century', New applications and business opportunities - coherent Standards and regulations, October 1997, <http://www.ispo.cec.be/standards/conf97>

Information Society Project Office (1997) A global market place for SMEs <http://www.ispo.cec.be/ecommerce/g7init.html>

Interactive media in retail <http://www.imrg.org>

ITAA <http://www.itaa.org>

J.O. Numero 48 du 26 Fevrier 1998 - Decret du 24 fevrier 1998 portant delegation de signature. J.O. Numero 47 du 25 Fevrier 1998 portant delegation de signature. <http://www.legifrance.gouv.fr/citoyen/index.cgi?heure=051723088541>

Joint Statement by American Civil Liberties Union, Electronic Frontier Foundation, Electronic Privacy Information Center (1998) Center for Democracy and Technology <http://www.cdt.org>

Kalakota R and Whinston A B (1997) Electronic Commerce: a managers guide (Mass: Addison Wesley)

Mazerov M (1998) The Internet Tax Freedom Act Advisory Commission on electronic commerce: preserving flexibility to consider all options Centre on Budget Priorities and Policies <http://www.cbpp.org/9-25-98tax.htm>

OECD (1980) Guidelines on the protection of privacy and transborder flows of personal data <http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM>

OECD (1997) Electronic commerce Policy Brief 1

OECD (1997a) Measuring electronic commerce, Working Paper 5

OECD (1997b) Global information infrastructure-Global information society, Working Paper 81

OECD (1997c) Cryptography Policy Guidelines and the Report on Background Issues of Cryptography Policy, OECD Privacy Guidelines in the Electronic Environment: Focus on the Internet <http://www.oecd.org/dsti/sti/it/secur/prod/GD97-204.htm>

OECD committee on Fiscal Affairs (1997) Electronic commerce: The challenges to tax authorities and taxpayers

Proposal for European Parliament and Council Directive on a Common Framework for Electronic Signatures Com (1998) 297 final.

Recommendations to the European Council (1994) – Europe and the Global Information Society.

UNCITRAL (1996) Model Law on Electronic Commerce with Guide to Enactment General Assembly Resolution 51/162

United States Department of Commerce - A framework for electronic commerce <http://www.iitf.nist.gov/eleccomm/execsu.htm>

US House of Representatives (1998) Internet Tax Freedom Act (HR4105)

Utah Digital Signatures Act 1996 <http://www.commerce.state.ut.us/web/commerce/digsig/act.htm>
