6 November By to: Dear Sirs, Consultation on Legal Problems in E-Business

Transcription

1 6 November 2003 European Commission Enterprise Directorate-General Unit D4: E-business, ICT industries and services SC 15 (1/12) B-1049 Brussels (BELGIUM) By to: Dear Sirs, Consultation on Legal Problems in E-Business In accordance with the aspect of your consultation whereby associations, enterprise support organisations and public authorities are invited to send their general comments in relation to continuing legal barriers to e-commerce, we are pleased to offer our comments as follows. The Institute of Chartered Accountants in England & Wales is the largest professional accountancy body in Europe. The Institute s Faculty of Information Technology Faculty helps chartered accountants to make best use of IT, represents their interests and expertise and contributes to public affairs. The Information Systems Audit and Control Association (ISACA) is a global organisation for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners world-wide and its research pinpoints professional issues challenging its constituents. Barriers to e-commerce Legal barriers are not necessarily the greatest barriers to the evolution of e-commerce. Commercial difficulties and user resistance probably offer an equal, if not greater, barrier to its widespread use at present. In fact, it is fair to say that some legal barriers are desirable for the protection of the public interest, including the prevention and detection of crime. In our experience, legal problems are sometimes put forward as barriers, but in actual fact prove of small practical hindrance to the successful use of e-commerce. On the

2 other hand, we believe that there is a tendency to over-regulate electronic business communications a disincentive to legitimate businesses without doing much to stop spam from other sources. In addition, there are legal issues of significance (e.g. the extent of regulation of system software providers that might be desirable) which, while not actually constituting a barrier to today s e-commerce, are worth further study because they might have repercussions at a later stage. For example, the Trusted Computing Group (TCG) is an open, industry standards organisation formed to develop, define, and promote open standards for hardwareenabled trusted computing and security technologies. Microsoft s Next-Generation Secure Computing Base for Windows ( Palladium ) is an example of technology that falls into this category. TCG claims that its specifications will enable more secure computing environments without compromising functional integrity, privacy, or individual rights. The final part of this claim is not always accepted by independent commentators. Similar considerations apply to commercial spyware (also called adware ), which gathers information about a user through their internet connection, without the user s knowledge. In respect of existing legal barriers, we have placed emphasis on the international aspects of the problems because: our organisations and many of their members believe that the UK s economic interests are best served by reference to a global perspective e-commerce within this country is already governed to a great extent by the provisions of European Directives e-commerce offered via the medium of the World Wide Web is by definition global. Our comments on specific legal barriers are as follows: EU Data Protection Directive (95/46/EC) (enacted in the UK as the Data Protection Act 1998) We have no problems with the principles and objectives driving this Directive, but it imposes an obstacle that organisations in most countries outside the EU and Pacific Rim (in particular USA) do not have to negotiate. This not only makes e-commerce with people and organisations in such countries more difficult than is normally justified by any corresponding benefits, but also renders some of the e-commerce solutions developed overseas unusable in the EU. In addition, there are inconsistent interpretations of the requirements of the European Directive when incorporated into national laws of Member States. Indeed, the Directive itself allows for considerable flexibility of interpretation to accommodate the particular positions of individual Members States. There are also difficulties in relating the requirements of Directive 95/46/EC to those of Directive 2002/58/EC (the Directive on privacy and electronic communications).

3 The sooner equivalent legislation is in place globally, the better. The Report on Compliance with, and Enforcement of, Privacy Protection Online, by the OECD s Directorate for Science, Technology and Industry s Committee for Information, Computer and Communications Policy, provides a sound basis for seeking this elusive objective. Legislation on Countering Money Laundering Money laundering is a global problem. Part of the solution at present is to enforce manual intervention in certain categories of electronic transaction in order to verify identities and other details. Most of this enforcement is by rule of law, rather than codes of conduct, etc., and therefore presents a legal barrier to the take-up or efficiency of certain types of e-commerce. Because of the importance of countering money laundering, however, together with the absence at present of any universally acceptable electronic alternative to the manual verification of identity, it is difficult to see how this barrier can in the short term be overcome. Geographic or procedural variations in cross-border treatment of VAT and consumption taxes generally The essential issue is that taxes can only be imposed without extensive legal challenge on products and services the nature of which can be easily defined. In other words, not the products and services that can be made available by the imaginative exploitation of emerging technologies in new and unforeseen ways. As stated in the OECD s recent report on Implementation Issues for Taxation of Electronic Commerce unless a particular international service is mentioned specifically, European courts will classify it as taxed where the supplier is established, regardless of how it would be considered by other jurisdictions. From July 2003 e-commerce falls into this exception category in the European Union and it follows, therefore, that this approach essentially calls for carving out a separate tax category for e-commerce supplies. In theory, this might be a fairly straightforward exercise; legislators could add another tax category to cover electronically supplied services. However, in practice this is more difficult and made more so by the changing technology and new business models it facilitates (our italics). The problem with carving out a separate category for electronically supplied services, or, indeed, services generally, is that it may lead to conflicts. If these services are not clearly defined and if all countries do not apply the same rules to determine the place of consumption then double or unintentional non-taxation becomes more likely. The OECD report also refers to the corresponding difficulties in the approaches to taxation of e-commerce followed by countries, such as Australia, that do not follow the European model. One of these difficulties is that of businesses being unable readily to confirm or verify a customer's jurisdiction of residence. This difficulty also applies to businesses within Europe.

4 Again, continuing commitment to the deliberations of international forums on this topic is essential if these issues are to be fully resolved on a global basis. Copyright Many of the most obvious opportunities for e-commerce are those where the product can be downloaded with no further physical delivery involved (e.g. music, video, software, etc.). Whilst copyright law has been updated in many countries, the vendors are still at risk of illegal copying for sale in others. Copyright is a legal issue that could inhibit the use of e-commerce both from the vendor and the purchaser viewpoint. Illegal copying and sale would be a threat to the vendor, whilst the complex technical solutions available to address that risk at present are intrusive to the well-intentioned purchaser. It seems likely that the long-term solutions to this issue will be technical rather than legal, but, as noted above, the means of implementation and use of the technical solutions may themselves be in need of legal restriction in due course. Export Restrictions The unwillingness of some legislative regimes to allow the export of cryptographic technology and software is a legal barrier to the secure processing of e-commerce on a global basis. Lack of criminal sanctions against hackers, virus writers and other e-troublemakers Criminal law lags behind the types of crimes that interfere with legitimate e-business. So do the knowledge and resources of law enforcement in many countries. The threat may be one of lost revenues (which may be siphoned off or lost because of non-availability) or one of high costs of resolving problems and implementing adequate security. Or both. There is also a lack of control over use of web sites imitating and holding themselves out as if they were the sites of other businesses. While it is unlikely that this inhibits e-commerce to any great extent, it may have this effect at the margins if consumers are deluded and as a result lose money, are plagued by unwanted spam or confronted by undesirable images or links. Lack of case law Even where legislation exists, interpretation may be open to doubt where there is little experience of applying the law in court.

5 Shortcomings in weight of electronic evidence PD 0008: A code of practice for Legal Admissibility and Evidential Weight of Information Stored Electronically (and PD 0009 Compliance Workbook) it is sometimes claimed for these codes that they deal with the vulnerability of electronic information to the risk of: 1. Possible problems of legal inadmissibility of electronic evidence 2. Shortcomings in weight of electronic evidence We do not believe that legal inadmissibility is a big issue, in the UK at least, since the Electronic Communications Act 2000, but mention it as a possibility. We believe that it is more likely that the question of possible shortcomings in evidential weight of electronic communications not subject to a digital certificate might be worth further consideration in the light of emerging case law. Geographic or procedural variations in cross-border recognition of Electronic/Digital Signatures There are particular problems, however, in connection with the admissibility of electronic and digital signatures. Some countries recognise only electronic signatures (subject to any form of electronic verification), some only digital signatures (subject to verification by public key cryptography only). In some places, electronic or digital signatures are admissible as evidence, in some not. In some countries, foreign certification service providers also have to be licensed locally, some countries accept the foreign licence, some require the foreign licence to be vetted by a local licenser, etc. Such complications inevitably inhibit cross-border e-commerce. For further details see Electronic and Digital Signatures: A Global Status Report, published by the ISACF and available from bookstore. ISBN Yours faithfully J M Court Head of Faculty of Information Technology The Institute of Chartered Accountants in England & Wales Chartered Accountants Hall P O Box 433 Moorgate Place London EC2P 2BJ Direct line: john.court@icaew.co.uk