Singapore Companies in the US and the EU - Designing Successful E-Commerce Strategies

Richard Harris looks into the regulatory framework pertaining to electronic commerce in the United States and the European Union and considers the implications for Singapore-based companies having business relations with these places.

SingCo, a hypothetical Singapore-based supplier of electrical components, has recently decided to add an electronic commerce ('e-commerce') business to its retail operation. The e-commerce business will be operated as a separate unit, with a US division headquartered in California, a European division headquartered in London and an Asian division headquartered in Singapore. Each division office will comprise a storage facility, a distribution facility and a data room which will house the PC-based servers used in that division's online business. Each office will collect identification information and medical data from its employees. The company plans to share the identification information among and between its divisions and to donate the medical data to a biomedical research company located in Singapore.

Which jurisdiction's laws will govern SingCo's contractual relationships? Will SingCo's Asian division be subject to US laws if the company sells to US consumers? Will the US division be subject to EU legislation if that division sells to European customers? Must the US, European and Asian divisions abide by different data protection and privacy requirements? Can SingCo develop a standard electronic contracting methodology that can be consistently applied in each of the jurisdictions where it intends to act?

Introduction

The United States ('US') and the European Union ('EU') are two of the world's largest markets for technology-related products and services. The explosive growth of the internet has fostered the corresponding growth of e-commerce as a preferred means of distributing these products and services. The resulting laws relating to e-commerce have important implications for Singapore-based companies.

Although US and EU regulatory philosophies differ, policies in both jurisdictions reflect concerns with the enforceability of contracts, the security of transactions and the protection of consumer privacy. Companies operating in the US and/or the EU should be familiar with the legal systems of those jurisdictions and should understand the respective laws pertaining to electronic contracting, electronic signatures and data protection.

The US and EU Legal Systems

In the US, e-commerce may be affected by federal law and/or by state law. Federal law often provides baseline requirements which must be observed by the individual states in fashioning state laws. As federal law is the 'national' law of the US, it will generally pre-empt conflicting state law. SingCo's US division must observe the federal laws relevant to e-commerce. As the US division is headquartered in California, this division must also comply with applicable California state law where there is no conflicting, pre-emptive federal law.

The goal of the European Commission is to establish a single market in the European Community. Consistent with this goal, the European Commission proposes legislation ('Directives') intended to harmonise e-commerce laws among and between the EU member states. Each member state is obliged to implement the EU's Directives by passing national legislation. Therefore, before SingCo's London-based European division acts in any EU member state, it should consult the provisions of the relevant implementing legislation to determine the precise obligations imposed by that member state's national law.

Electronic Contracting

The US has enacted laws to establish a framework for electronic contracting among and between the fifty states. Likewise, the European Commission has enacted legislation to harmonise electronic contracting rules among the EU member states.

US electronic contracting legislation

The Electronic Signatures in Global and National Commerce Act ('ESIGN') was enacted in June 2000 and became effective in October 2000. ESIGN establishes the legality of electronic contracts and electronic signatures in the US. The law ensures that a contract may not be denied legal effect, validity or enforcement solely because it is in electronic form. ESIGN further provides that an electronic record may be sufficient to satisfy a 'written record' requirement if prior consent is obtained. Before consent may be obtained, the consumer must be informed of the scope of the consent, the right to withdraw consent and the procedures by which a paper copy of the transaction may be obtained in spite of the consent. Consistent with the general rule that new-economy contract law is based on traditional contract law, ESIGN expressly does not alter existing contract law.

Several states in the US have also adopted legislation related to electronic contracting. The Uniform Computer Information Transactions Act ('UCITA') and the Uniform Electronic Transactions Act ('UETA') are proposed uniform state laws which have been the subject of extensive debate in various state legislatures. UCITA addresses contract formation, contract performance, and remedies for breach, but does not directly address electronic signatures. To date, UCITA has been enacted in only two of the fifty US states (Virginia and Maryland). UETA addresses contract formation and performance and, consistent with ESIGN, also gives legal effect to both electronic records and electronic signatures. To date, UETA has been enacted in 22 US states.

SingCo's US division must comply with both the federal laws and state laws pertaining to electronic contracting. As ESIGN is a federal law, it will pre-empt the conflicting provisions of any state statute unless that statute either constitutes an enactment of UETA (by express provision of ESIGN) or includes alternative requirements for electronic contracting which are consistent with those of ESIGN. As previously noted, SingCo's US headquarters is located in California. As California is one of the 22 US states which have enacted UETA, SingCo's US division must observe the provisions of both ESIGN and UETA.

EU electronic contracting legislation

The Electronic Commerce Directive ('E-Commerce Directive') was adopted on 17 July 2000; EU member states must implement its requirements in their national legal systems by 17 July 2001. The E-Commerce Directive attempts to harmonise the law relating to electronic contracting in the EU. Pursuant to this goal, the E-Commerce Directive sets forth rules which ensure the legality, validity and enforceability of electronic contracts. The E-Commerce Directive expressly allows parties in business-to-business relationships to contract around the provisions specifying the information to be provided and the rules governing placement of orders.

The E-Commerce Directive applies to Information Society Services ('ISS'), which span a wide range of economic activities, including online sales of goods and services, online information services, online advertising, provision of network access and hosting of information. ISS providers offer services through electronic means, at a distance, for remuneration, at the request of the recipient of the services. Importantly, the E-Commerce Directive only applies to the activities of ISS providers 'established' within the EU. Under the provisions of the E-Commerce Directive, the place of establishment of a company is the place where the company actually pursues an economic activity through a fixed location, regardless of where web-sites, servers or other 'technical means' are situated.

SingCo's European division will qualify as an ISS provider because it provides goods by electronic means, at a distance, for remuneration (the European division will be 'established' in the EU because it pursues an economic activity through a fixed location in the EU). As SingCo is engaged in business-to-business transactions, SingCo may negotiate preferred terms pertaining to the information to be provided to conclude an electronic contract and the specific means of placing an order. If the company does not negotiate contract terms, it will be subject to the provisions of the E-Commerce Directive relating to these matters. As the E-Commerce Directive does not apply to e-commerce supplied by service providers established outside the EU, the US and Asian divisions of SingCo will not be subject to the provisions of the E-Commerce Directive.

Electronic Signatures

The success of electronic commerce depends on the ability to form binding contracts through paperless transactions. Electronic signature legislation addresses the methods of achieving the secure and authenticated communications which promote consumer confidence in such transactions.

US electronic signature legislation

As previously noted, ESIGN established the legality of electronic signatures in the US. Under ESIGN, an electronic signature is 'an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record' (ESIGN, section 106).

EU electronic signature legislation

The Electronic Signatures Directive was adopted in December 1999 and must be transposed into the national law of all EU member states by mid-July 2001 (to date, Austria, France, Germany, Ireland, Italy, Spain, and the UK have enacted implementing legislation). The Directive provides that all electronic signatures will have legal effect and be enforceable. It further provides that a properly certified electronic signature will be admissible as evidence in legal proceedings and will be deemed the electronic equivalent of a handwritten signature. (The Directive also provides for free circulation of products and services related to electronic signatures and, in recognition of global concerns, includes mechanisms for ensuring co-operation with non-EU countries.)

Implications for SingCo

Both ESIGN and the Electronic Signatures Directive provide a technology-neutral definition of electronic signatures. This ensures that electronic contracts in both jurisdictions may be executed either with simple, non-secure electronic signature methods or with secure digital signatures (a digital signature is a mathematical algorithm which can be used in conjunction with a software-based algorithm to encrypt a message for purposes of security and authentication). If SingCo chooses to use secure digital signatures in either jurisdiction, it may enlist the services of trusted third parties to ensure that its customers are properly identified and that electronic communications are secure and authenticated (consumer protection issues and industry security concerns may eventually make digital signatures the de facto standard form of electronic signatures).

Data Protection

In both the EU and the US, data protection policies make clear the difficulty of addressing consumer protection interests while simultaneously attempting to protect and promote commercial interests.

The EU Data Protection Act

The Data Protection Act 1998 (the 'Act') requires member states to ensure that personal data collected in the EU is not transferred outside the EU, unless the country receiving the data has provided adequate data protection regulations (the Act does not extend to personal data that is collected by organisations outside the EU). The principles of the Act are designed to ensure that consumers know the type of personal data that is collected, the purpose for which the data is intended and the methods of storage and disclosure of the data. The Act allows that adequate protection of personal data is not required where the data subject has given clear and unambiguous consent to the transfer of data outside the EU.

SingCo's European division will be obliged to adhere to the EU data protection policies. Accordingly, the European division cannot transfer data to a non-EU division of SingCo, unless either

  1. the country in which the non-EU division is located meets the requirements of the Act, or
  2. the non-EU division has appropriate means of establishing and demonstrating provisions for data safety.

The Safe Harbour

The US was deemed to be an inadequate data protection regime under the principles of the Data Protection Act. To avoid a trade war over personal data, the US and the EU negotiated a Safe Harbour Agreement which became effective in November 2000. The Agreement establishes criteria under which personal data may be transferred from the EU to US organisations which certify adherence to data privacy practices.

The Safe Harbour is a voluntary, self-regulatory mechanism. To date, the effectiveness of the Safe Harbour has not been determined because few companies have joined and the Federal Trade Commission (the US agency which administers the Safe Harbour) has not yet enforced the regulations against a non-complying company. Additionally, despite the Safe Harbour, US consumer privacy advocates continue to lobby for data privacy legislation (this year, the US Congress and several state legislatures are expected to introduce online privacy legislation that could affect e-commerce activities). Although the scope and breadth of that legislation are yet to be determined, it is clear that the goal will be to set baseline data protection standards for companies doing business online, without unnecessarily inhibiting the growth of e-commerce. Until specific legislation is enacted, SingCo may consult the provisions of the Safe Harbour to determine the bounds of the self-regulatory data protection scheme in the US.

Conclusion

The internet provides easy access to the US and EU markets. Singapore-based companies that intend to operate in these markets should make use of the regulations and policies of each jurisdiction to design successful e-commerce strategies.


Richard Harris
Weil, Gotshal & Manges