Legal framework conditions for e-commerce: much ado about nothing? (17 May 2001)

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

  • Unclarified legal aspects such as liability, copyright, lack of verifiability of online transactions and insufficient data protection are frequently cited as causes behind the difficulties in exploiting the potential of e-commerce.
  • European legislators have responded to this need. The EU has issued three directives to create a standardised legal framework for the internal market so the providers of online services will enjoy equal conditions in all the member states. The German government intends to regulate the legal framework for electronic commerce before its summer break.
  • The three directives provide a very practicable legal framework for conducting e-commerce, with a strong accent on the introduction of consumer protection standards through better, more comprehensive information for customers and largely uniform rights of withdrawal from a contract. This approach is very sensible since this is a way to strengthen customer confidence.
  • However, the harmonisation of regulations in the internal market has only been a partial success since the member states have in some cases been granted unilateral manoeuvring room in the implementation of directives.
  • The Directive on Electronic Commerce institutes legal certainty with the introduction of the country of origin principle for providers of e-commerce transactions. Generally, this means that the law of the country applies in which a company is domiciled. Together with the Distance Selling Directive, it provides a framework for consumer protection. Customers of online services have to be given better information about product offer and provider.
  • Germany has plans to improve data protection for users of e-commerce. In future, the Teleservices Data Protection Act is to be brought up to date to make it easier for both providers and customers to determine what personal data may be collected and processed.
  • The Signature Directive introduces minimum standards for the use of electronic signatures in the EU member states. This is to raise legal certainty by a significant degree when contracts are concluded via the internet and to improve their verifiability in related court cases. Qualified electronic signatures are to become legally equivalent to hand-written signatures.

The enormous declines in technology stock prices make it evident that the expectations placed a year ago in the development of information and communications technology were in many cases exaggerated. Names such as eToys or Gigabell are only the most prominent victims of an increasing number of insolvencies among start-ups world-wide. Nevertheless, there is still a wide range of potential uses for the internet and e-commerce which are still in the initial stages. The focus is for the most part on electronic transactions between businesses and consumers (B2C) and between businesses only (B2B).

In light of the broad field of potential e-commerce applications, the question arises: what are the causes behind the obvious major difficulties in exploiting this potential commercially? When one inquires into the grounds for the current problems faced by online providers, people point above all to the lack of trust in concluding virtual transactions and to management errors. In addition to the problems associated with payment security, one crucial issue from the viewpoint of consumers is the unclarified legal aspects, such as liability, copyright, the lack of verifiability of online transactions and the lack of data protection.

An unlimited exchange of information is possible via the internet. Anybody can communicate with anybody else at any time and thus conclude agreements. This advantage, however, also causes a problem for e-commerce, given that it is possible with the corresponding knowledge, at least theoretically, to access, read and alter exchanged data in an unauthorised fashion. Declarations transported via the public network must be protected from access and falsification by third parties and must allow their originator to be unequivocally identified. Only in this way do such declarations generate the trust necessary on the part of the recipient to conclude transactions and the legal certainty necessary to enforce the legal transactions. Given that e-commerce is conducted internationally, the need is also increasing to standardise legal regulations as much as possible across national borders.

What special legal regulations exist in the e-commerce sector? Do they provide effective consumer protection? Or are European and national legislators doing their best to “regulate e-commerce to death” as some people maintain? These questions mark the range of contention in which the legal discussion on the issue of e-commerce is currently taking place. European legislators have taken the need to create a standardised legal framework for the Internal Market into account by issuing various legal directives. The Distance Selling Directive was adopted in 1997. In 2000, the Signature Directive and the Directive on Electronic Commerce took effect. The directives provide a framework for action which is to be implemented by the member states. The German federal government intends to regulate the legal framework for electronic commerce before its summer break.

The EU Directive on Electronic Commerce

The Directive on Electronic Commerce (“E-Commerce Directive”) constitutes the legal framework for offers of electronic commercial services within the EU in order to create equal conditions for online transactions in all member states. The directive is to warrant legal certainty for providers and effective protection for consumers. “Commercial services” include the online sale of goods and the provision of services, for example. The directive is also intended to warrant the free movement of “information society services” within the member states. The member states are therefore required to agree in accordance with their respective legal systems

  • to enable the conclusion of electronic contracts and
  • in principle not to subject service providers to any prior authorisation (freedom of establishment and exclusion from prior authorisation).

The directive does not contain any provisions regulating the origination of contracts by electronic means. The E-Commerce Directive nonetheless stipulates one principle in favour of consumers: if the customer orders a good (e.g., a book) electronically, the provider is obligated to confirm the receipt of the order immediately by electronic means.

What regulations apply to providers?

The differences between the legal systems of the EU member states, for instance, affect providers of online services particularly strongly, as they develop their activities multi-nationally through one and the same offer on the internet. This gives rise to the question of which regulations are to be observed by providers of network services. In order to clarify the issue of which national law is applicable to the initiation and exercise of offers, European legislators have introduced the so-called “country of origin principle”. In accordance with this principle, a provider must satisfy the legal provisions related to the initiation and exercise of activity at the place of establishment, even if the provider offers the services in other member states. It follows that the EU countries are obligated to mutually recognise the individual national provisions applicable to network services. The directive defines the place of establishment of a service provider as the place at which the provider actually pursues an economic activity using a fixed establishment for an indefinite period of time, irrespective of where websites, servers and mailboxes have been installed.

This provision is intended to prevent that the provider must deal, when obtaining permission to do business, with different legal systems, where procuring information can alone be a costly undertaking. However, a series of exemptions from the principle of the country of origin are provided. For example, the respective national principles of consumer law are preserved. This means that a foreign provider in transactions with German customers in Germany must allow the consumer protection provisions applicable in Germany, the Consumer Credit Act and the Act for the Regulation of General Terms and Conditions of Business of 1976, to be held against it even in electronic commercial transactions.5 The standardisation hoped for through the Europe-wide application of the country of origin principle is thereby only partially realised in electronic commerce.

Information Requirements for providers

In order to strengthen the trust in electronic commerce in general and to create greater transparency, the directive imposes general information requirements on providers of online services which they must meet in both the B2B and B2C areas.

  • Providers must, for example, make their name, address (including e-mail address) and, if relevant, any commercial register number easily, directly and permanently accessible.
  • Commercial communications must be clearly identifiable as such and it must be clear on whose behalf such communications are made. The information must therefore be presented clearly and unambiguously and be retrievable at all times without a lot of searching. This also applies to promotional offers, such as discounts. The directive prescribes information requirements for service providers which primarily serve the purpose of consumer protection. In accordance therewith, providers must comprehensibly and unambiguously inform users of:
  • the different technical steps to follow to conclude the contract;
  • whether or not the concluded contract will be stored by the service provider and whether it will be accessible;
  • the technical means for identifying and correcting input errors prior to the placing of the order and the languages offered for the conclusion of the contract.

The directive stipulates a further major provision in the area of e-mail advertising. The member states are to assure that service providers clearly and unambiguously identify unsolicited e-mail advertising as such. E-mail users also have the opportunity to register themselves in “Robinson lists” (e.g., the Robinson list of the German Direct Marketing Association) if they do not want to receive such advertising. To comply with this, service providers are required to regularly consult such lists. The regulation of e-mail advertising not only serves consumer protection but also warrants the smooth functioning of interactive networks.

The infringement of provisions must be effectively sanctioned

So that the requirements established for information service providers by way of the directive are actually complied with, suitable instruments are required for their supervision and enforcement. The text of the directive remains highly general in this regard, obligating member states merely to establish effective, proportionate and dissuasive sanctions to punish infringements. German legislators plan, for example, to punish intentional or negligent infringements of the information requirements by fines. Given the absence of experience in dealing with the legal structure of e-commerce matters, European legislators determined that the European Commission would report at certain intervals to the European Parliament on the application of the directive and submit proposals for improvement if relevant. It is to be reviewed in particular whether the consumer protection provisions are sufficient.

The directive is to be implemented into German law through the Act on the Legal Framework Conditions for Electronic Commerce and the Act for the Modernisation of the Law of Obligations. The implementation must be concluded prior to January 17, 2002 at the latest.

The EU Dis tance Selling Directive and the Distance Selling Act

Long before the issuance of the E-Commerce Directive, European legislators had developed standards for contracts in distance selling. Distance selling includes contracts concerning the supply of goods or the performance of services which are concluded between businesses and consumers through the exclusive use of means of distance communication. Distance selling signifies the conclusion of contracts not only via the internet, but also via phone, fax, teleshopping and conventional mail-order trade. Immovable property transactions, supply of foodstuffs and transactions involving household items intended for everyday consumption are not encompassed by the regulations. Likewise excluded are distance selling contracts concerning financial services, which are to form the subject of a special directive.

The E-Commerce and Distance Selling Directives overlap to a certain extent. They both regulate, for example, the information requirements imposed on providers. The E-Commerce Directive, however, has a variant scope of application, in particular it is not restricted to legal relations between businesses and consumers but is instead also and precisely applicable to relations between businesses. In contrast, the Distance Selling Directive concentrates on the harmonisation of consumer protection, i.e., it also has the B2C area in view.

As a result of the variant provisions in some member states in the distance selling sector, people feared negative effects on competition among businesses within the internal market if, for example, businesses must satisfy different standards in relation to consumer protection. By way of a modicum of legal provisions, consumers are to be protected from misleading and aggressive distance selling advertising methods. German legislators implemented the directive into German law through the passage of the Distance Selling Act in the summer of 2000.

Consumer protection written big

The decisive provisions of the Distance Selling Directive and the Distance Selling Act are the information requirements for suppliers and the withdrawal right of consumers. Suppliers must inform consumers in due time before concluding a distance selling contract in a clear and comprehensible manner about:

  • their identity and address;
  • the main characteristics of the goods or services;
  • the date of origination of the contract;
  • where appropriate, the minimum duration of the contract;
  • a right to provide goods or services of equivalent quality and price or a right not to provide the promised goods or services in the event of their non-availability.

Already in February 2000, the Working Group of Consumer Protection Associations presented a Convention on Provider Identification in Electronic Commerce. This convention too was based on the realisation that the identifiability of a provider is the basic condition for consumer trust in electronic shopping. The convention relies on self-regulation and provides clear provisions as to how one is to accommodate on a website a provider’s full identifying data with address, legal form and information on the persons authorised to represent the supplier. The internet pages are to be designed so that the users can find (previously often hidden) information quickly. It is recommended that users be able to retrieve the information through a maximum of two mouse clicks, irrespective of on which page of the internet offer a user currently is. The Convention has to date been signed, for example, by the German Federal Financial Services Association, the German Association of Travel Agencies and Organisers, the German Insurance Industry Federation and the German Multimedia Association.

The directive moreover opens the possibility for consumers to withdraw from any contract concluded in distance selling within at least seven working days without any penalty and without givin g any reason. The law applicable in Germany enables withdrawal within two weeks. This period does not commence before the above-mentioned information requirements have been fulfilled and, with respect to the supply of goods, not before the date of their receipt by the recipient.

Is the Distance Selling Act too “customer-friendly”?

On the internet, under the heading “Exchanging Goods Made Easy”, legal assistance is offered for customers regarding the exchange of goods which have been acquired by means of distance selling. Behind this website lies the assumption that, due to their complexity, providers only succeed in exceptional cases in adapting websites and catalogues to the information requirements imposed by the Distance Selling Act without the assistance of lawyers. The withdrawal period could thereby increase for customers to up to four months. This has more to do with advertising the relevant website than any criticism of any possible over-regulation of consumer protection, for the regulations are suited to a significant degree, thanks to their consumer-friendliness, to strengthening the trust of customers in e-commerce.

E-commerce and data protection

Many users say a lack of faith in electronic commerce on account of insufficient data security and confidentiality is a decisive obstacle to their participating in e-commerce. In fact, electronic commerce necessarily requires a large amount of personal data to be collected. Consumer interest groups object that many times beyond the necessary amount of data is collected. Users are also not made aware of hidden procedures to collect data, and data is often transferred unencrypted and can therefore be viewed by unauthorised parties. The state-of-the-art information technologies moreover enable the rapid, systematic collection, classification and use of data. Businesses can store the data which flows to them in these ways in databases and evaluate such along certain criteria in order to create customer profiles and to submit targeted, unsolicited offers or to pass this data on. Though automated processes (such as data warehousing and data mining) increase the possibilities for mass data collection and evaluation, they also simultaneously increase the risk of abuse.

The Teleservices Data Protection Act is brought up to date

The Teleservices Data Protection Act is intended to combat the scenario of the “the glass consumer”. It deals with the use and processing/storage of personal data through teleservice providers. Teleservices are offers e.g., in the private communications area (such as telebanking), concerning the use of the internet, telegames as well as goods and services in electronically retrievable databases with interactive access and the possibility of direct ordering. The act permits the use of personal data to perform teleservices only if the user consents or if a special law permits the use. By way of the current revision of the 1997 act, it is to be made clearer that this only concerns the protection of the personal data of natural persons who request teleservices as consumers. Naturally, teleservice providers may collect and process the data which they need in order to enable and settle the use of teleservices. The economic use of personal data beyond the data processing permitted by law is to be simplified through broader application of electronic authorisation.

Due to the increasing awareness of users with respect to data protection, infringements of data protection are certainly suited to hurt the images of businesses. Data protection thus becomes a competitively relevant topic to a certain degree. Hence, e-commerce providers also have an incentive to regulate themselves. The data protection officials of the German government and the Länder (federal states) have called upon the producers and users of data warehousing and data mining procedures to favour programs which avert the storage of personal data by using data-protection-friendly programs to render data anonymous and implement pseudonyms. Consumers have also been called upon to use their market power by informing themselves on the possibilities for effective self-protection of data and settling with businesses online transactions which fulfil the legal requirements.

EU Signature Directive and electronic signatures

Electronic declarations lack a hand-written signature. Electronic declarations are necessary, however, so that the content of the declaration of intent can be attributed to a particular person (namely the undersigned). How can the recipient of an electronic declaration of content identify its originator beyond doubt (identity problem)? The question also arises as to how to prevent electronic declarations from becoming modified on their trip through the internet in an imperceptible fashion to the recipient (integrity problem). These two questions can currently not be answered satisfactorily. By way of the Directive on a Community Framework for Electronic Signatures, which is to be implemented into national law prior to mid-2001, European legislators intend:

  • to introduce minimum standards for electronic signatures; and
  • to achieve the legal equivalence of electronic signatures and hand-written signatures.

German legislators are to implement this directive by way of the new Signature Act, which is to take effect in the near future, replacing the identically named Signature Act of 1997.

How do electronic signatures work?

Legislators have defined three types of electronic signatures which build on each other:

  • “Electronic signatures” are data in electronic form which are attached to or logically associated with other data and serve as a method of authentification.
  • “Advanced electronic signatures” are electronic signatures which are uniquely linked to a signatory. They enable identification of the signatory and are created by means which signatories can maintain under their general control. Advanced electronic signatures are linked to the data to which they relate in such a manner that any subsequent change of the data is detectable by the recipient. “Signatories” are natural persons who possess the signature key and to whom the signature verification key is allocated.

    A double key, consisting of private and public keys, is used to create the signature. The private key (signature key) is uniquely linked to a particular person (signatory) and serves to encrypt the data. With the public key (signature verification key), the recipient of the data can check whether the data has been subsequently changed. To create a secret signature, the sender uses his or her private key. The text to be signed is initially compressed in a “hash” process. The compressed data is then linked to the private key and the result is attached as an electronic signature to the letter (document) to be transmitted. The recipient then likewise compresses the text and compares the compressed data with the compressed data contained in the digital signature which results from decoding the signature with the public key. If the two correspond, then it is clear that the sent and received texts are identical. It is moreover clear that only the sender who is in possession of the secret key can have created the signature because the public key would otherwise not fit.

  • “Qualified electronic signatures” are progressive electronic signatures which are based on a valid qualified certificate at the time they are created. The certificate is an electronic attestation which links a signature verification key to a person and confirms the identity of that person. Private certification service providers issue these certificates. The operation of a certification service is not subject to any permission within the framework of the law. However, the certificates may only be issued by those providers who fulfil certain legal requirements, e.g., the reliability and knowledge nec essary for the operations. They are moreover obligated to take suitable precautions to cover any damage caused through the operation of a certification service. If a provider of certification services negligently violates the legal requirements or if such provider’s products fail, the provider is liable for the damage thereby arising to third parties.

    The Signature Directive moreover permits a voluntary accreditation system aimed at increasing the security level of the certification services rendered. The German Signature Act will pursue this: It is to be stipulated that certification services can be accredited by the competent agency (this will be the Regulatory Authority for Posts and Telecommunications in Bonn) upon application. They will receive a quality seal, provided they can prove that they meet the legal requirements. Proof of the tested technical and administrative security of the qualified electronic signatures based on their certificates will be expressed in this fashion. As a practical matter, however, two levels of qualified electronic signatures with different requirement profiles thus arise.

In June 1999, the four major German banks took shares in the security services provider “TC Trust Centre”. The basis for a joint certification provider for private banks has thus been created.

When does an electronic signature help?

In accordance with the provisions of the German Civil Code, most contracts concluded pursuant to German law do not require any particular form. They can be concluded verbally and thus also per phone, as well as per fax, e-mail or in another fashion on the internet. As in traditional commerce, it does not matter to providers in electronic commerce who actually buys their merchandise. What is important is that the (anonymous) buyer pays. This is often warranted in everyday internet transactions through the fact that the merchandise is only delivered upon payment. Insofar as this procedure is not used (payment per credit card), the need arises to be able to identify the contracting party. Electronic signatures can help here because the author of a declaration of intent can thereby be identified with certainty. Whether an electronic signature is used for contracts concluded in a formless fashion and, if so, what type of electronic signature is used is left up to the contracting parties themselves.

Why has the qualified electronic signature been introduced?

The German Civil Code requires that certain legal transactions (e.g., guaranties, receipts, notices of termination of lease agreements for residential space and termination notices for employment agreements) be made in writing. This signifies that these declarations of intent have to date not been able to be validly made by electronic means. This is not even possible if the signature is reproduced by fax, stamp or other mechanical means.

By way of the Act to Adapt Formal Provisions to Modern Legal Transactions, legislators have now stipulated that under certain conditions, instead of signing a declaration by hand, an electronic signature may be used as an alternative. In the future, in all cases where the written form is prescribed by law, electronic signatures will also be able to be used, e.g., when terminating a lease relation for residential space. It is necessary, however, that the parties desire this and that legislators have not provided for any exceptions. The use of qualified electronic signatures is mandatorily prescribed in such cases, however. Only qualified electronic signatures meet the quality features inherent to the written form, such as authenticity, verifiability and provability.

In certain cases, the use of electronic signatures will continue to be ruled out. This is particularly true for:

  • the issuance of a guaranty;
  • the issuance of an employment recommendation;
  • the issuance of an undertaking to perform an act;
  • the issuance of an acknowledgem ent;
  • the conclusion of a consumer credit agreement.

In all cases in which the notarisation of a contract is prescribed by law (e.g., real property purchase agreements), the notarial act cannot be replaced by an electronic signature, even through a qualified electronic signature.

More legal certainty through electronic signatures? 

The new regulations on electronic signatures and on the adaptation of formal provisions represent a major step in the right direction along the way to establishing legal certainty in e-commerce. Decisive in this regard is the basic legal equation of qualified electronic signatures and hand-written signatures. Contracts concluded by electronic means for which hand-written signatures have been prescribed to date will be able to be concluded via the internet. But the conclusion of formless contracts can be documented more effectively using qualified electronic signatures.


By way of the three directives, European legislators have created a thoroughly practicable legal framework for e-commerce participants in the internal market. A strong emphasis has thereby been placed on the introduction of consumer protection standards through improved and comprehensive information to customers and broad standard possibilities for withdrawing from contracts. This approach makes perfect sense, given that the trust of customers can thereby be strengthened. Hence, there can be no talk of “regulating e-commerce to death”. This also holds for the improvements which legislators are seeking with respect to data protection.

It must be noted, however, that the standardisation of the legal provisions within the internal market has only been partially successful, given that the member states have in part been granted unilateral manoeuvring room in the implementation of the directives. It is to be feared that providers will continue to migrate to those countries which offer businesses the most favourable legal conditions. German legislators have recognised this and reacted by dismantling the Price Discount Act and the Ordinance on Bonuses, for example. Wholly new in the medley of international rules is the introduction of electronic signatures as an equivalent to hand-written signatures. This represents a solid offer to participants in e-commerce in terms of legal certainty. It remains to be seen whether the offer will be accepted by market players.


For in-depth analysis, see the Deutsche Bank Research


Subscribe to our newsletters