Zekos, 'EDI: Electronic Techniques of EDI, Legal Problems and European Union Law'
URL: http://www.bailii.org/uk/other/journals/WebJCLI/1999/issue2/zekos2.html
Cite as: Zekos, 'EDI: Electronic Techniques of EDI, Legal Problems and European Union Law'
Attorney at Law and Economist
Amvrosia-Komotini
Greece
http://www.diavlos.com/zekos
Copyright © 1999 Georgios I Zekos.
First Published in Web Journal of Current Legal Issues in association with
Blackstone Press Ltd.
The formulation of the law has been an evolutionary process, adapting to suit the needs of commerce and society, but the pace of change regarding electronic commerce is too great for this process to take place. The legal issues regarding electronic commerce transactions are far from being resolved. Existing laws are not capable of being adapted to the demands of electronic business. It could be argued that there is a need for the creation of a commercial code setting down basic rules for electronic transactions. The changing nature of the electronic technology and techniques of EDI renders any legislation obsolete within a short period of time. Hence, the rapid increase of electronic transactions and the plethora of technologies involved inevitably lead to problems on a global scale with legislation and regulation because the legislatures' machinery cannot keep pace with the changes.
Electronic commerce has the ability to eliminate the time span between ordering, delivery, invoicing and payment by using the World Wide Web. Electronic commerce has the ability to create a global digital economy, but at present legislation does not encourage the uptake of this technology. The growth of electronic commerce (Swindells, 1998) and technology has made current legal requirements difficult to assess. The rapid increase of electronic transactions and the plethora of technologies involved inevitably lead to problems on a global scale with legislation and regulation because the legislatures' machinery cannot keep pace with the changes. The very nature of the technology involved means that it is transnational, which leads to problems as to which legal system has jurisdiction over electronic transactions. It has to be taken into account that even in this era of supra-national bodies and trade blocs, the nation-state is responsible for almost all the legislation that affects all the transactions. The aim of this article is to analyse the new techniques of electronic transfer of data and the current approach of European Union law. The analysis will be limited to the investigation of some of the European Regulations or Directives in order to find out if there is currently specific and effective regulation of EDI.
EDI is the interchange of commercial data structured on the basis of approved standard messages between computer systems and effected by electronic means. Moreover, EDI facilitates international transactions irrespective of distance and time differences through the practically instantaneous transmission of data. Thus, EDI led the way in establishing the legal validity of transactions by developing trading partner agreements.
The term electronic signature is used generally to cover any signature in electronic form, including digital signatures. Written signatures are considered legally valid to demonstrate the signatory's identity and intention to be bound by the contents of a document. Hence, written documents and hand-written signatures play the role of securing the identity of the submitting party and the submitted information. Moreover, the signatory by himself or herself performs and materialises the action. With the advent of electronic communications, the manual signature is being displaced by an electronic version that is not widely accepted. Legislators now find themselves having to deal with the task of creating a trustworthy legal environment for the use of electronic signature methods without stifling technological development, whilst simultaneously promoting open electronic commerce. One of the obstacles is that an electronic signature considered valid in one jurisdiction may not be recognised in another.
Open networks offer new business opportunities by creating tools to strengthen productivity and reduce costs, as well as methods of reaching customers. Service users are the EDI users and service offerors are the network service providers. Network service providers are the facilitators of the interchange of information. Network service providers use standard communications protocols for the transmission of electronic data. The protocols contain such features as positive and negative delivery, notification, message tracing capability useful in audit trails, facilitation of encrypted and authenticated data, interconnectivity of the EDI system with the e-mail of the user. The most relevant protocols for EDI are the X.400 and the X.435. The X.400 standard has been authorised as an international standard by ISO. Network services can be either open or closed to use by third parties. For instance, SWIFT (Society for World-Wide Inter Bank Financial) is a typical closed network used for the exchange of information, such as money transfers between banks.
Cryptography constitutes a very good means to secure safe transmission on the Internet, thereby allowing full exploitation of its commercial potential. Encryption consists in any procedure to convert plain text into ciphertext, whereas decryption performs the opposite procedure. Contemporary cryptographic systems can be divided into two mathematical families: first the symmetric cryptographic systems (Secret Key) and second asymmetric cryptographic systems (Public Key). The practical weakness of symmetric cryptography consists in transferring the key securely and keeping the key secret since, for two people to communicate securely, they must both have a copy of the same key. Hence, the disadvantage of secret algorithms is that much of the system security measures depend on the issuer of the algorithm. The most well known symmetric algorithm is the Data Encryption Standard (DES). In asymmetric cryptography each person has two keys generated with special software at the same time. The asymmetric or public key algorithm can be used in combination with a public and a secret key. RSA (1) is the best known asymmetric algorithm. Asymmetric systems offer greater security since there is no need to exchange the secret key and the authentication of the digital signature becomes possible. The only security problem consists in the authenticity of the public key. This problem can be solved with the creation of a Certification Authority (CA). Hence, there is a need for an authority which guarantees third parties the public key's authenticity by issuing electronic authentication certificates. Ideally, however, governments should certify the authenticity of the CA's public key.
Closed EDI is used by trading partners who are already known to each other and have had previous business contact. Open EDI procedures are envisaged to be publicly available, remotely accessible and directly executable. Interconnectivity is a requirement for open EDI. Hence, closed EDI provides point to point electronic communications between trading partners. It is a technology that is used to replace the paper based pattern of existing trading relationships. By contrast, open EDI supports machine processable formats and the interchange of digital information.
In the end, the novelty of EDI is to transmit messages according to an agreed format. The EDI message has a standard form that allows the automatic process and execution of the order. Hence, once the information is keyed in it does not need to be re-keyed and it can be processed automatically. The advantages of using EDI in a company can result in the improvement of the competitive position of this company. Strategic advantages can include the following: an enhanced flow of business activities; the use of just in time (JIT) management can facilitate the delivery of goods; improvement in the time that documents need to be transmitted. (Zekos, 1998)
Some have suggested that the Internet is not regulated by any individual legal system or by International Treaties. In fact, many existing laws both at a national and international level do already apply to the Internet. There are concerns about cross border actions and the application of different legal systems to certain activities, such as hypertext links on the world wide web. The recognition of the validity of electronic messages and the conditions under which electronic messages can fulfil formal legal requirements should be considered by the national legal systems. Interruptions in the flow of data caused by formal or administrative requirements should be avoided. In England, Lord Wakeham, Chairman of the Press Complaints Commission(2) stated that "it would be impossible to produce any form of global legislation that would ever be able to regulate a global communications market".
Interchange agreements are a legal instrument that traces its origin from the transition period from a paper based system to an electronic one. Can a limited legislative approach for a number of issues address the legal problems that open EDI currently presents? Successful solutions in EDI should guarantee compatibility with international regulations. In a first movement, laws have been amended merely to recognise the legal validity of signatures in electronic form. Cryptography can provide the means to enforce different kinds of rights on the Internet, such as copyright or the right to privacy. There is an urgent need for international harmonisation since CAs are not subject to data protection regulations(3), leaving national efforts ineffective. The rights of individuals to privacy and protection of personal data should be regulated by legislation.(4) In the end, challenging economic and national security issues may need to be resolved before a meaningful resolution on mutual recognition and interoperability of encryption policies can be completed.
Through the centuries several forms of signature have been used. Signatures serve a particular legal function: a) Identification of the signatory, a person has performed an action; b) Proof of the declaration of will of the signatory. The signature demonstrates the internal will of the signatory to perform an action. It is the material expression of the animus signandi of the signatory. The same concepts of the signature should be performed by the electronic one and the only difference should be limited to the way in which the signature is materialised.
Digital signatures are created and verified by cryptography, the branch of applied mathematics that concerns itself with transforming messages into seemingly unintelligible forms and back again. Digital signatures use what is known as public key cryptography, which employs an algorithm using two different but mathematically related keys: one for creating a digital signature and another for verifying a digital signature. A variety of methods are available for securing the private key. Although many people may know the public key of a given signatory and use it to verify that signatory's signatures, they cannot discover that signatory's private key and use it to forge digital signatures. This is referred to as the principle of irreversibility. The process of creating and verifying a digital signature provides a high level of assurance that the digital signature is genuinely the signatory's. Digital signatures have been accepted in several national and international standards developed in co-operation with and accepted by many corporations, banks and governing agencies.
Verification of messages takes the form of a return message that acknowledges and verifies the receipt of the message sent. To verify a digital signature, the verifier must have access to the signatory's public key and have assurance that the public key corresponds to the signatory's private key. Verification of the authenticity and integrity of data does not necessarily prove the identity of the signatory who creates the electronic signatures. The solution to problems of verification is the creation of a "public key infrastructure" (PKI), which is a structure of entities providing the services necessary to allow users of public key technology to establish the authenticity of the public keys of the people with whom they are communicating and transacting. PKIs entail the establishment of one or more trusted third parties that serve the function of binding a particular person to a specific public key. That trusted third party is referred to as a "certification authority" (CA) in most technical standards. This body can be either public or private and must inspire reasonable trust. The certificate issued by CAs is a digitally signed statement that provides independent confirmation of an attribute claimed by a person proffering a digital signature. Legislation needs to cover the use of digital signatures in all fields of activities. There does not seem to be a need for discrimination between various ranges of activities. As for hand-written signatures, all types of activities should be embraced. The legal recognition of electronic signatures should be based upon objective, transparent and non-discriminatory criteria. Common liability rules should support the cross-border recognition of signatures and certificates.
A digital signature, whether created by a subscriber to authenticate a message or by a CA to authenticate its certificate, should be reliably time-stamped to allow the verifier to determine whether the digital signature was created during the operational period stated in the certificate, which is a condition upon verifiability of a digital signature. If the subscriber loses control of the private key, the CA may suspend or revoke the certificate. Since the mainstay of a PKI is the CA, the first significant document is the "certification practice statement" (CPS). CPS is a mechanism which a certification authority employs in issuing certificates. A CPS contains facts concerning a certification authority's systems, operations, methods of validating the identity of subscribers and other certification service details. First, a CA's CPS permits customers to determine its quality and the extent to which they are willing to trust the CA. Second, a CPS permits parties relying thereon to judge the quality of the CA that issued it. Third, a CPS has contractual significance. Where incorporated by reference in an agreement, a CPS and its provisions are intended to bind the party assenting to the agreement (Baum 1998). A CPS(5) should contain the policies of a CA and practices recognised by the industry. Liability and the rights and obligations of the parties should be articulated by the CPS as well. A CPS should address the conditions under which a certificate is issued as well as the legal position of the issuing CA and subscriber. Hence, CAs play an important role in electronic commerce by providing the means to deliver security and trust in a trading relationship. To fulfil this role CAs rely on services that are recognised as being practical, trustworthy, and legally binding. At present there is an absence of legislation on the provision of TTP services, which makes it necessary for CAs to explain the company policy in a comprehensive document.
One of the unanswered questions about the use of public key cryptography for digital signatures relates to the business model for CA services. An open PKI(6) model assumes that subscribers will obtain a digital certificate from a CA that will link their identity to their public key for all purposes. Hence, in an open PKI environment a person could obtain a digital certificate and then use it to order goods on-line from various merchants, sign legally binding agreements, or even file documents with a government entity. In a closed PKI model, users would obtain a different digital certificate for each community of interests with which they interact on-line. In an open PKI model, if the user's private key is compromised then the consequences are extremely severe. Besides, in a closed PKI model the risk to the user relying on an improperly signed document is more limited due to the system's narrowly defined scope. Open but bounded (OBB) PKI entails the creation of reliable and trustworthy mechanisms that parties to transactions may opt into. Consequently, OBB PKI would rest on an advance agreement by known parties. From a technical point of view, cross-certification is the process in which a CA certifies the certificate signing key of another CA, thereby extending its community of users to include those of the other CA. Interoperability and cross-certification are among the key issues facing PKI solution vendors today. Utah(7) was the first state to attempt to provide a regulatory framework for CAs. Clarification of the duties and liabilities of CAs in the absence of legislation should thus serve the interests of all parties to an electronic transaction in which a certificate plays a role. A CA should not be liable for the ways in which accurate certificates may be used by others. However, the existence of standards such as X.509 imposes significant constraints on CA behaviour. For instance, to comply with X.509 a CA must uniquely identify itself in a certificate.
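The checks a relying party makes under the scheme described above (CA-signed certificate, operational period, revocation, and a cross-certificate linking two CAs), as an added example that is not part of the original article. It uses textbook RSA over small fixed primes purely for illustration; the names, serial numbers, dates and order message are constructed, and the signing date is assumed to come from a reliable time stamp.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA from two primes; returns (public, private). Toy sizes only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    # SHA-256 of the data, reduced into the range of the modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    subject_key: tuple      # the public key the CA binds to `subject`
    issuer: str
    not_before: int         # operational period, as YYYYMMDD integers
    not_after: int
    ca_signature: int = 0

    def signed_fields(self):
        # Everything the CA vouches for; the CA signature covers these bytes.
        return repr((self.serial, self.subject, self.subject_key,
                     self.issuer, self.not_before, self.not_after)).encode()

def issue(ca_name, ca_private, serial, subject, subject_key, not_before, not_after):
    cert = Certificate(serial, subject, subject_key, ca_name, not_before, not_after)
    return replace(cert, ca_signature=sign(ca_private, cert.signed_fields()))

def check(message, signature, signed_on, chain, trusted_key, revoked):
    """Walk the chain from the verifier's trusted CA key down to the signatory.

    signed_on is assumed to come from a reliable time stamp; revoked maps
    certificate serial -> revocation date (assumption: signatures made before
    that date stay verifiable). Returns "valid" or the first failure found.
    """
    issuer_key = trusted_key
    for cert in chain:
        if not verify(issuer_key, cert.signed_fields(), cert.ca_signature):
            return f"{cert.subject}: certificate not signed by its issuer"
        if not cert.not_before <= signed_on <= cert.not_after:
            return f"{cert.subject}: outside operational period"
        if cert.serial in revoked and signed_on >= revoked[cert.serial]:
            return f"{cert.subject}: certificate revoked"
        issuer_key = cert.subject_key   # this key vouches for the next certificate
    if not verify(issuer_key, message, signature):
        return "signature does not match message"
    return "valid"

# Constructed sample data: Mersenne primes keep the toy keys short and reproducible.
CA_A_PUB, CA_A_PRIV = make_key(2**521 - 1, 2**607 - 1)   # CA the verifier trusts
CA_B_PUB, CA_B_PRIV = make_key(2**107 - 1, 2**127 - 1)   # CA the signatory uses
ALICE_PUB, ALICE_PRIV = make_key(2**61 - 1, 2**89 - 1)   # the signatory

# CA-A certifies CA-B's signing key (cross-certification); CA-B certifies Alice.
CROSS_CERT = issue("CA-A", CA_A_PRIV, 1, "CA-B", CA_B_PUB, 19990101, 20011231)
ALICE_CERT = issue("CA-B", CA_B_PRIV, 7, "Alice", ALICE_PUB, 19990101, 19991231)
ORDER = b"ORDER 4711: 200 units, delivery within 30 days"
ORDER_SIG = sign(ALICE_PRIV, ORDER)

if __name__ == "__main__":
    chain = [CROSS_CERT, ALICE_CERT]
    print(check(ORDER, ORDER_SIG, 19990615, chain, CA_A_PUB, {}))
    print(check(ORDER + b"0", ORDER_SIG, 19990615, chain, CA_A_PUB, {}))
    print(check(ORDER, ORDER_SIG, 20000101, chain, CA_A_PUB, {}))
    print(check(ORDER, ORDER_SIG, 19990615, chain, CA_A_PUB, {7: 19990601}))
    print(check(ORDER, ORDER_SIG, 19990615, [ALICE_CERT], CA_A_PUB, {}))
```

Without the cross-certificate the verifier, who trusts only CA-A, has no path to Alice's key and rejects an otherwise genuine signature.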
TTPs are intermediaries between users that offer services like user registration, mailbox services for messages, certification of digital signatures, key escrow etc. Hence, independent third parties can be entrusted with keeping the master key linking digital pseudonyms to the user's true identity. TTP services can be used in an exchange of negotiable instruments such as bills of exchange and bills of lading (Kiat, 1992) where trust between trading partners is necessary and missing.(8) TTPs should guarantee the integrity of the stored data and authenticate data concerning both parties. The legal recognition of the role of TTPs and a detailed description of the limits and the regulations of their use can further enhance their role in open EDI. TTPs would keep secret keys in custody for law-enforcement purposes.(9) Legislation would have the effect of engendering trust in licensed TTPs that offer cryptographic services. The "voluntary" use of licensed TTPs might be impaired by the need of licensed CAs.(10)
Biometrics is an alternative to digital signatures (Jueneman, 1998). The use of a light pen and the emulation of the physical action of signing manually should be the answer to the plethora of digital signature techniques. Biometric identification and authentication techniques provide a more direct means of identifying an individual, normally by means of some form of physical measurements or indicia that are uniquely associated with the individual. Hence, a biometric technology, such as signature dynamics, analyses some unique biological fact about or physical action undertaken by a person and then binds the record of that sophisticated reading to a message or document. Biometric measurements are always subject to some degree of imprecision. Its virtue is that biometrics, which are unique to a given human being, are not capable of being forged or stolen. It could be argued that written and biometric signatures have many common elements, regardless that the characteristics of a written signature are detected more easily than those of a biometric one. A biometric verification authority can be established to securely store standardised categories of biometric identifiers.
The only way to prove beyond doubt that a document was created before a certain time is to cause an event based on the document. A time stamp is a cryptographically unforgeable digital attestation that a document was in existence before it happened. In the end, international law on digital signatures has yet to be formulated regardless of the fact that a substantial amount of legislation regulating the use of digital signatures and their legal status has been enacted.
A crucial issue for businesses conducting electronic commerce is how they will enter into contracts in a way that is appropriate for the electronic environment. One contractual tool useful for the electronic environment is incorporation by reference. To make an incorporation by reference, contracting parties can set forth an agreement or other information on paper and use words in the document incorporating another document by reference.(11) In the electronic environment some of the new patterns of incorporation by reference still involve the use of express words of incorporation or language in the text of the incorporating document. Incorporation by reference of this variety resembles the paper-based analog in this respect. The differences are, first, that the web technology of hypertext linking permits a reference to another document without using words of incorporation and, second, the difficulty in using physical attachment. Physical attachment strengthens the claim that an incorporation is legally effective. In the electronic world, it is possible to append one electronic document to another and if electronic documents are not appended, parties cannot physically link one document to another. Incorporation by reference is important for electronic commerce because it permits parties to shorten contracts and other documents, while retaining comprehensive coverage of legal issues. The technical motivation for incorporation by reference is efficiency.
The current paper-based laws do not adequately account for the emerging patterns of incorporation by reference in the context of electronic commerce. The conditions set forth by national law for validating incorporation by reference may involve strict requirements. Besides, in common or civil law countries certain legal tests of incorporation by reference may inquire whether the incorporated terms are "clear" or whether they contain suitable words of reference evidencing an explicit intention to incorporate.(12) For instance, statutes and courts in the US permit incorporation by reference in contracts and impose specific standards.(13) It is essential to move the law beyond its paper-based roots to embrace electronic commerce and communications. Revised article 2 of UCC provides some support for electronic based incorporation by reference. It supports the use of hypertext links in web pages and electronic messaging coupled with clear words of incorporation.
There are a number of ways by which digital or electronic signatures and certificates from other jurisdictions may be accepted as legally valid.
The first category refers to those legislative texts that will consider valid only those digital signatures that are backed by a valid certificate issued by a locally licensed certification authority. In that case electronic signatures created in other jurisdictions would not be valid in the local jurisdiction. This would limit the flow of business, especially with respect to electronic commerce where contracts between buyers and sellers from different jurisdictions will be a commonplace occurrence.
The second category refers to those legislative texts that have given some public entity or authority the power to establish rules or regulations on the subject of digital or electronic signatures. For instance, the Malaysia Digital Bill 1997 provides an appropriate approach that allows regulators to be as specific as they deem necessary while maintaining the faster adaptability of regulations to new technology situations:(14)
The use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it embodies all the following characteristics: 1. it is unique to the person using it; 2. it is capable of verification; 3. it is under the sole control of the person using it; and 4. it is linked to data in such a manner that if the data are changed, the digital signature is invalidated.
The third category is not focused on any specific technology, type of entity, licensing regime, or rules or regulations to be adopted for the establishment of a valid electronic signature. Electronic signature means any identifier or authentication technique attached to or logically associated with an electronic record that is intended by the person using it to have the same force and effect as a manual signature. This allows for any electronic signature, regardless of its jurisdiction of origin, to be considered legally valid as long as it was intended to have the same force and effect as a manual signature. The parties should adjust their electronic signing methods accordingly by adopting appropriate security measures. Moreover, a certain legal and technological uniformity should be deployed.
The fourth category refers to the regional approach proposed by the European Union(15).
The fifth category is the use of international agreements for the recognition of foreign certification authority licensing regimes.
Jurisdictional questions occupy a major part of any discussion of the application of existing law to electronic commerce and other cyberspace transactions. Cross-jurisdictional uniformity is a basic principle that not only applies to electronic signatures but also to commercial law in general. It is necessary to establish principles on a regional and international basis in order to force national legislatures to adopt them. The cross-border nature of Internet commerce and the proper international legal regime required for the establishment of a predictable and supportive framework is the subject of continuing meetings of the UNCITRAL working group on electronic commerce. For example, the Electronic Commerce Enhancement Act of 1997 aims to compel federal agencies to engage in electronic-transactions(16). The creation of a trustworthy legal environment is accomplished not only by express acceptance of electronic signatures but also by technologies that offer appropriate degrees of reliability.
There is a debate within the cyber-legal community as to whether electronic authentication laws should be technology-specific or neutral. It could be argued that the complexity of present technologies requires technologically specific regulations. It must be observed that all proposals relating to electronic authentication are already technology-specific to some degree, since they address only a specified range of authentication technologies. For instance, laws that addressed the minimum requirements for establishing a CA, its duties, accreditation and licensing requirements, the warranties that accompanied its digital certificates, and its exposure to litigation by aggrieved third parties, should be technology-specific. A technology-specific proposal should be viewed as suspect when it confers an undeserved legal advantage upon a particular authentication technology and thereby provides it with an unfair competitive advantage in a rapidly evolving marketplace. The problems involved in enabling PKI interoperation are multifaceted, affecting technical, legal, economic, political, business and many other concerns. Legal scholars and law makers still face problems regarding information security technology and its practical application in the area of secure electronic commerce. In some legal circles there is considerable resistance to the enactment of PKI-specific legislation. The reasons are: first, lack of standardised CA quality metrics and second, difficulty in developing criteria for certification of CAs and standards for PKI accreditors.
Public key cryptography as a method for protecting the confidentiality, integrity, and authenticity of messages has significant advantages over the more familiar forms of security involving such symmetric single keys as passwords or personal identification numbers.
The use of PKI for digital negotiability is another major concern for law makers. For instance, digital signatures are regulated by article 3 of UCC (Uniform Commercial Code of US). However, articles 1 and 3 of the UCC do not yet recognise explicitly the effect of electronic documents and digital signatures made through the PKI process. The term digital signature is used to refer to signatures made through the use of a private key. By contrast an electronic signature is a much broader concept, including not only digital signatures but names or symbols typed into an e-mail message whether or not those have the security protections of signatures made with a private key. The use of public key technology to sign negotiable instruments would make these instruments less vulnerable to theft than their paper-based counterparts. Can the use of PKI reduce or eliminate the risk that a digital negotiable instrument could be cloned by a holder? Until the threat of cloning can be eliminated the electronic negotiable instruments will remain only a theoretical possibility or in other words a digital dream. Another matter which has to be solved is the possession problem connected with negotiable instruments.
Uniformity and harmonisation of legal rules governing PKI appear unlikely to result from the process of random state legislation. PKI interoperability refers to the capability and PKI interoperation refers to the effect of logically linking multiple PKIs to form a larger PKI supporting a wider community of users. Achieving interoperability and implementing interoperation are major challenges for the PKI industry.
In 1991, the International Chamber of Commerce (ICC) initiated the EDI terms project to develop new means for establishing legal relationships in electronic commerce. Moreover, the ICC(17) has issued very recently a document concerning general usage for international digitally ensured commerce with the objective of promoting the world business community's understanding of the issues relating to the use of techniques in electronic commerce. A goal of open electronic commerce that differentiates it from previous closed forms is the enabling of short term or ad hoc commercial transactions between organisations and individuals. Security procedures in open electronic commerce can ensure the confidentiality, integrity, and authenticity of electronic documents, maintain the evidential value of electronic messages, and provide proof to liability in disputes between electronic commerce users and network service providers. As mentioned above, a public-key infrastructure can provide the necessary support for conducting safe and secure trade. PKI is based upon Trusted Third Parties (TTPs) that verify that the signatory of a document is indeed who it claims to be. Verification takes place by means of certificates that are confirmations of identity as well as other attributes of the holder of the corresponding private key.
The existence of a uniform European approach to issues relating to the use of EDI will improve the position of undertakings within the member states in their negotiating power when trading via EDI. A better understanding between Europe and third countries regarding the legal implications of conducting transactions by the use of EDI is needed. So, the Commission issued the Recommendation 94/820/EC(18) relating to the legal aspects of electronic data interchange, where a European Model EDI Agreement is presented. The preparation of a draft of a European model EDI agreement has been initiated by Council Decision 87/499/EEC(19). This model agreement will contribute to the promotion of EDI by providing a flexible approach to the legal issues raised by the use of EDI. It would reduce the legal uncertainty. The model consists of legal provisions which need to be supplemented by technical specifications provided in a technical Annex in accordance with the user's needs.
The drafters of the model agreement made clear in the scope of the agreement that unless the parties agreed to the provisions of this model agreement they are not intended to govern the contractual obligations arising from any underlying transactions effected by the use of EDI. It seems that the applicability of the model agreement as mandatory law has been ruled out from its genesis. The main problem with EDI is the standardisation of their legal effects upon the traditional regulations. The aim should be to put electronic transactions at the same legal level of applicability and enforcement as traditional paper ones. This uniformity should have been transplanted to the national laws which means updating all the national legal systems.
EDI is defined as the electronic transfer of data from computer to computer relating to commercial and administrative matters using an agreed standard to structure an EDI message. Standardisation is left to the parties, and the agreement has not introduced a standard data format. Article 2 specifies the meaning of EDI message without prescribing a single format. The important definition is that of the acknowledgement of receipt, which requires the receiver to send a corresponding acknowledgement of receipt of the EDI message. The conclusion of the contract is achieved at the moment the EDI message constituting acceptance of an offer reaches the computer of the offeror. The parties, if and when they want to be bound by the agreement, have to expressly waive their right to contest the validity of a contract effected by the use of EDI. Furthermore, it is stated that the EDI message has to be in a form acceptable under the national law of the contracting party. In fact this legal provision does not define a format of an EDI message which will be endorsed by the national laws but merely advises the parties to form an EDI message in accordance with their national laws if and when there is national legislation about it. The agreement advises parties to agree to the admissibility in evidence of EDI messages to the extent permitted by any national law which may apply. Thus, it does not establish the admissibility of EDI messages. The provisions of the model agreement regulate the processing and acknowledgement of receipt of EDI messages where the acknowledgement is not requested, security of EDI messages, confidentiality and protection of personal data(20), recording and storage of EDI messages, and operational requirements for EDI. Specifically, the agreement states that EDI messages have to be transmitted in accordance with the UN/Edifact standards and the European standards(21).
Article 11 refers to the liability of parties using EDI in their contract and assumes that no party to this agreement will be liable for any damages caused by a failure to perform obligations of this agreement. On the other hand if one of the parties engages a third party to perform services in the process of EDI messages then that party should be liable for any damages caused by a failure in the provision of said services.
The model agreement clarifies the means of dispute settlement by providing, as a first alternative, arbitration where the parties agree the nomination and the rules of procedure and, as a second alternative, a jurisdiction clause where the parties specifically refer to the courts of a state of their choice which shall have sole jurisdiction. The parties have the right to choose the applicable law regarding recording and storage of EDI messages or confidentiality and protection of personal data, but without prejudice to any mandatory national law. So, national law is above this model law which is supposed to be a model for the harmonisation of national law in order to achieve uniformity. The Commission in Annex 2 brings out a commentary about the legal provisions of the European Model EDI Agreement where it is stated that it is merely a model, a kind of an interchange agreement which offers the possibility for adaptation where required, and there is mention of an inconsistency with a national law. Does Europe need merely a model rather than a specific regulation or, it could be said, a codification of contracting by the use of EDI messages or data? It is supposed that European undertakings and organisations need a solid, specific and mandatory law regulating the conclusion of the contract, the exchange of EDI data and messages, and the liabilities and duties arising out of such an electronic contract. The Commission states that the objective of the model agreement is to provide a contractual basis for the EDI users. Users need a mandatory legal basis regulating their obligations and duties arising from an EDI agreement.
What, then, has this model added to national laws? Parties can contract under the national laws of the member states without the model agreement, when in fact the model agreement itself refers to the national law. The model agreement does not give an answer to different legal issues which have been identified with the use of EDI for the purposes of commercial transactions or other purposes involving legal consequences, for example, as mentioned above, the case of networks of agreements. This legal uncertainty is not helped by the non mandatory legal framework when the parties have to rely on different and non harmonised national laws. Many national laws have no provisions about electronic contracting or are in the process of creating the principles to be applied. The Commission in its commentary states that the legal provisions of the model agreement merely indicate and provide for the legal matters which need to be addressed when using EDI, but there are no answers to these legal demands and specifically the parties have to determine even the technical specifications.
Of course the substance of transactions which will effectively be carried out by using EDI will be regulated by the applicable law decided by the contracting parties. According to its provisions, the parties should not challenge the validity of transactions effected by use of EDI, on the sole ground of that means. The determination of the moment and place where a contract is concluded or formed is important with regard to the legal consequences it involves. Rules have been defined regarding contracts concluded by mail or telephone but uncertainty exists on the kind of the rule which might be applicable to contracts concluded by EDI. The application of the "reception rule" which ensures that acceptance takes place at the place and at the time of receipt of such acceptance by the offeror should apply for the conclusion where the parties are not in the presence of each other. The Vienna Convention on the International Sale of Goods provides for this rule to be applicable to contracts concluded at a distance. The reception rule means that an EDI message is received at the time and the place where the message reaches the computer of the offeror. It is specified that in case the parties have not included a jurisdiction clause then the competent court shall be determined by reference to the Convention on Jurisdiction and Enforcement of Judgements in Civil and Commercial Matters(22). In case of absence of a choice of law then the agreement will be regulated by the provisions of the Convention on the Law applicable to Contractual Obligations(23).
EDI as an alternative to paper implies that the EDI messages will effectively replace the documents that were previously exchanged on paper. In most countries legal provisions regarding evidence of EDI documents are not mandatory, or regulation is lacking altogether. EDI messages should be admissible before the courts as evidence but the model law does not provide the mandatory regime to that extent. However, where a proposal aims to sanction the standing of electronic signatures as equivalent to the traditional written kind, technology neutrality is important to ensure that it does not skew marketplace developments through anti-competitive effects. Hence, if a law recognises only certain types of electronic technologies as providing valid signatures, then they will have a market advantage over alternative means of electronic authentication technologies that parties might otherwise have selected.
Moreover, the EU has recognised the importance of utilising the benefits of technology for promoting one of its principal objectives, the free movement of goods and services. The Distance Selling Directive (Directive 97/7/EC of 20 May 1997(24)) lays down provisions for the protection of consumers who are involved with distance selling, including electronic commerce utilising the Internet. The directive applies to a distance contract which is defined as being one for the supply of goods or services between companies and a consumer utilising the Internet. In June 1998, an EU conference concluded that regulation should be kept to a minimum and, therefore, industry self regulation was the way ahead.(25) On the one hand, the OECD recognises that the different legal and political systems and the global nature of digital commerce require certain safeguards concerning access and enforcement.(26) The Global Standards Conference, hosted by the EU, came to similar conclusions regarding self regulation.(27)
In conclusion, at present, there are no effective means for solving cross border disputes caused by electronic commerce. Several Member States of the EU have already started detailed legislative initiatives related to electronic signatures. The Commission(28) specifically indicated that Member States shall ensure compliance with directives 95/46/EC(29) and 97/66/EC(30) of the European Parliament and of the Council.
There is a disadvantage in the use of EDI because there is a dearth of information regarding the legal implications of EDI (UN,1993). The costs of negotiating an EDI trading agreement are perceived to be high. The formality of such a negotiation may be perceived to work against an existing and harmonious trading relationship. There are a number of legal systems which permit litigants to submit all relevant computer records as evidence, leaving to the discretion of the forum the weight to be attributed. So admissibility is decided by the judge. Many states have established an exhaustive list of acceptable evidence, other evidence such as computer records being excluded. In some common law jurisdictions statutory exceptions apply specifically to computer records and EDI messages. Commission Recommendation 87/598/EEC(31) recommends a European code of conduct relating to electronic payment. It deals with relations between financial institutions, traders and service establishments and consumers through voluntary compliance with a code of conduct. The free movement of goods and capital will be effective if it enjoys the technological support provided by the new means of payment. A code of conduct should be flexible so as to make it easier to adapt to changes in the new technology. It recommends that all economic partners concerned should comply with the provisions of the European code of conduct relating to electronic payment. In Part III, the general principles state that contracts concluded by issuers with traders should be in writing. Thus, the electronic transactions have to be based on written contracts, which diminishes the usefulness of the electronic bargain.
In December 1994(32) the Commission published a proposal for a European Parliament and Council Directive on cross-border credit transfers. The amended proposal (95/C199/07) concerning the same matter was submitted by the Commission pursuant to article 189a of the EC Treaty on 7 June 1995(33). In accordance with article 3b of the Treaty this directive lays down the minimum requirements needed to ensure an adequate level of customer information. A Commission notice(34) on the application of the EC competition rules to cross-border credit transfers supplements the proposal for a directive. This sets out the approach which the Commission intends to take when assessing the compatibility of cross-border credit transfer systems with articles 85 & 86 of the EC Treaty. The whole effort resulted in the introduction of Directive 97/5/EC(35) on cross-border credit transfers. The purpose of this directive is to improve cross-border credit transfer services and therefore to assist the European Monetary Institute (EMI) in its task of promoting the efficiency of cross-border payments.
The European Commission sponsored a project, entitled project Bolero (bills of lading in Europe), examining the feasibility of electronic bills of lading. The initial task of Bolero is to dematerialise those documents used in trade process including bills of lading (Sharona,1995).
The use of digital or biometric signatures for commercial purposes faces a number of existing legal impediments that derive from both common and civil law treatment of form requirements for many types of commercial transactions. The currently perceived function of formalities has an important effect on their adaptability to electronic commerce.
Legal solutions to problems by the use of IT are typically based on traditional legal instruments and concepts that are modified accordingly. Besides, the basic notions and norms of law, which have been created through and by the historical development of law and have been expressed by paper documents, cannot be changed. The introduction of electronic means of expression should only contribute to a simpler way of dealing and exchanging documents rather than eliminating the documentation or altering the basic concepts, norms and canons of law. Electronic means of documentation cannot alter the concept of justice. The introduction of new terminology can only serve the principles of law. For instance, can EDI change the way of concluding a contract, the concept of signature, the canons of jurisdiction or the understanding of negotiable instruments? The legal problems of open EDI can be addressed within a legal framework based upon the use of international law and supported by information technology. Open EDI creates an open global commercial environment. Successful solutions in EDI should guarantee compatibility with international regulations. Rapid change is the rule in IT and, therefore, the legal solutions that regulate technology should follow these changes closely. Hence, new technological developments require new legislative steps.
New legal concepts have to be introduced so that the law corresponds to the needs of technology. As mentioned above, the new legal concepts cannot contradict the old concepts of law because new electronic commerce terminology is introduced to serve the traditional concepts of law. Of course, the introduction of new concepts of law cannot be prohibited since new developments of life bring forward new notions or concepts.
Formation of a contract by electronic means should be investigated. Commercial practice has made paper a safe and reliable means of recording information. The functions of a traditional written document are: informative when information appears on it; probative or evidential when it provides proof of its contents; and symbolic when it incorporates facts with legal value. Therefore, formal requirements concerning the validity of paper based transactions inhibit the use of open EDI for electronic commerce. For instance, the existence of a paper document may be required for a contract concerning real estate. Consequently, there is a need for a reconsideration of the approach to fulfilling legal requirements. Current legal formalities exclude several kinds of transactions from the scope of EDI.
Documents can assume one of the following three forms: documents which have probative power (ad probationem); documents which confer rights (ad solemnitatem); and securities. National laws require that documents that fulfil formal obligations assume a written form and they are signed. A broad interpretation of the existing legal concepts in order to include electronic means should be the first step which can facilitate open EDI. Consequently, electronic transactions should be treated comparably to paper ones for contractual and other formal purposes. Identity must be judged on the quality of evidence provided by a particular technology as well as any associated procedures or records. Even when identity is clearly established by an electronic signature, it is not legally binding unless made with requisite intent. Consequently, no electronic technology can demonstrate intent on its own. Hence, technologies that are implemented passively and automatically cannot generate a valid signature. Intent has to be established through a procedure in which the signatory's active participation is shown to provide evidence of informed and voluntary subscription to a particular electronic transaction.
Another major issue is how standard terms and conditions may be incorporated into a contract over the Internet. The terms need to be brought to the consumer's notice prior to the conclusion of the contract.(36) There are different ways for a webseller to bring its standard terms and conditions to the consumer's notice. As mentioned above, he may attach a hypertext link to his page which reveals the terms, or he can point to terms and conditions contained in the seller's FAQ (frequently asked questions), or the supplier could alternatively refer to an e-mail address where the consumer can demand the terms.
The dematerialisation of commercial transactions raises the question of the admissibility of electronic documents as evidence. The admission of electronic documents must be based upon harmonised provisions with respect to form. The admissibility of a document as evidence should be independent of the format that a document takes and the medium that is used. Continental legal systems provide that all means of evidence can be admitted as evidence in court. In some countries civil procedure law sets out a list with the acceptable means of evidence. For instance, Greek law provides an exhaustive list for the acceptable means of evidence. Article 444 of the Code of Civil Procedure provides for the conditions under which a document can be admitted as evidence in a civil law trial. In article 448(2) it is provided that: "mechanical reproductions consist a full proof for the facts or things which are stated upon them, however, counter proof is permitted". Mechanical reproductions in the context of article 444(3) include "any video recording, facilitated by any means". On the one hand, there is no explicit reference to electronic means of evidence such as electronic documents that would facilitate the use of EDI generated documents. On the other hand, a broad interpretation might accommodate the admissibility of electronic documents.
A common risk in open EDI is that trading partners may not have enough information on the identity of their trading counterpart. Security measures are important to guarantee the reliability of information used in open networks. There are two kinds of remedies to the security in open EDI, technical and legal. Both remedies contribute to the security of the system and enhance the legal validity of it. Open EDI is necessary to achieve a high level of certainty with respect to the contents and the transmission of a message. Hence, it is important to draw the limits of liability of EDI users so that the necessary precautions can be taken. User liability issues in open EDI refer to the interchange of electronic messages and, therefore, interchange considerations do not interfere with the underlying commercial transaction.
The consumer is faced with three important problems in a dispute arising from a contract over the Internet. First, there is the question of jurisdiction. As the Internet has no regard for national boundaries, the question of which legal system is responsible for cross border transactions is fundamental to the success of electronic commerce. Users feel less confident about making a transaction electronically if they are unsure of their legal protection. They will be reluctant to transact with parties in an unknown jurisdiction due to lack of legal protection. The jurisdiction matters are governed by the Brussels Convention 1968 to which all EU Member States are party. A consumer can choose whether to sue in his domicile court or in a court of the country where the defendant is domiciled. The legal situation is more complicated concerning contracts where the purchaser acquires the right to download software. Is this a consumer contract? There is no clear case law on this point yet. Problems arise in regard to the definition of a consumer contract in article 5 of the Rome Convention. Secondly, there is the question of the applicable law. As far as the determination of the applicable law is concerned, one has to look at the 1980 Rome Convention.(37) The parties are free to choose a legal system that will govern their contract. If there is no choice of law then the contract is governed by the law of the country with which it is most closely connected. Thirdly, the consumer wants to know whether and how to enforce a judgment. The legal position is clear where the supplier is originally situated in the USA but has a branch in one of the EU Member States. In that case the Brussels Convention provides that the supplier is deemed to be domiciled in the State of his branch. Besides, there is no agreement between Europe and the US providing for common enforcement rules.
Several technical, legal, and political groups are energetically attempting to resolve interoperability issues. The law of signatures must be reformed in order to accommodate electronic commerce transactions. There is a need for equating electronic documents with "signed writings" under the statute of frauds. Special rules for proving the originator and content of electronic documents during employment of a security procedure must be established. Much reform legislation should give evidentiary weight to electronic documents. Moreover, there is a need to eliminate the following technical risks of electronic, digital and biometric signatures: 1) risk of an unexpected cryptanalytic breakthrough; 2) risk of cryptanalytic attack by increased computing power; 3) compromise of a digital signature through inadequate computer or cryptographic security; 4) compromise of digital signatures on uncontrolled platforms; 5) errors and omissions by the CA in binding the subject's identity to the key; and 6) misuse of a private key by an authorised user.(38) At present, a specific and effective legal framework for the governing of electronic commerce has not been established by EU law. As mentioned above, only some Member States of the EU have taken the initiative to deal with the use of digital signatures. The EU and US in a joint statement on electronic commerce encouraged an open dialogue between governments and the private sector world-wide in order to construct a predictable legal and commercial environment for the conduct of business on the Internet.(39) Section 3 specifies the guidelines for the development of a global marketplace where competition and consumer choice drive economic activity. This joint statement should be the initiative for a conclusive regulation of EDI by EU law.
On the one hand, there is a tendency, which is part of the characteristic way that the European Union regulates different subjects, to issue different Regulations or Directives for a matter, and in the end there is no connection between them. Therefore, it could be said that there exists an overproduction of Regulations without a coherent approach to the regulated subject. An instance is the regulation of competition in the different modes of transport (Zekos,1996). On the other hand, this approach is due to the characteristics of the legislative powers of the EU and the application of EU law upon the national laws of the Member States. Besides, a comprehensive way of regulating EDI (a kind of codification) will encourage a rapid development of electronic commerce, and the European Union should take the lead in this field. The establishment of legal concepts about the different terms used in electronic commerce and their legal force should be the legal framework upon which the regulation of all the matters concerned with electronic commerce and EDI in the EU will be based. The creation of this kind of legal framework should become a priority matter for the EU. Within the EU, the use of guidelines for the control of EDI in place of common regulation will delay the introduction of electronic commerce and the digital economy in Europe for some time.
Baum M, Ford W (1998) "Public Key Infrastructure Interoperation" Jurimetrics 359.
Jueneman R, Robertson R, Jr (1998) "Biometrics and Digital Signatures in Electronic Commerce" Jurimetrics 427.
Kiat T (1992) "Law of Telematic Data Interchange", Butterworths Asia.
Sharona T (1995) "Bolero trade steps" Vol. 145 Banker 72.
Swindells C, Henderson K (1998) "Legal Regulation of Electronic Commerce" JILT <http://www.law.warwick.ac.uk/jilt/98-3/swindells.html>.
United Nations Commission on International Trade Law (1993) "Model Law International Credit Transfers" ILM 587.
Zekos G (1996) "EU Competition Rules in maritime and Air Transport", Il Diritto Marittimo, 679, Italy.
Zekos G (1998) "The Use of Electronic Technology in Maritime Transport: the Economic Necessity and the Legal Framework in European Union Law" Web Journal CLI <http://webjcli.ncl.ac.uk/1998/issue3/zekos3.html>.
(1) RSA stands for Ron Rivest, Adi Shamir, Len Adleman, the three Professors who invented it
(2)The Independent 9 November 1998
(3) Digital Signature Ordinance, 1998, 37 ILM 579. Digital Signature Act of 22 July 1997. Federal Law Gazette IS. 1870, 1872
<http://www.iid.de/rahmen/iukdge.html#f>.
<http://www.urjura.uni-sb.de/BGBL/PEIL1/1997/19971870.1.html>.
<http://www.kuner.com>.
The draft Ordinance deals with technical requirements for the use of digital signatures, licensing procedures, cessation of operation etc. See US White paper <http://www.nlc-bnc.ca/ifla/documents/infopol/copyright/ipnii.txt>.
(4) OECD Guidelines for Cryptography Policy 27 March 1997 <http://www.oecd.org>. HMSO Data Protection Act <http://www.hmso.gov.uk/acts/acts1998/19980029.htm>.
Akdeniz Cryptography and Liberty
<http://elj.warwick.ac.uk/jilt/cryptog/97_2akdz/default.htm>.
(5) A Framework for Global Electronic Commerce <http://www.iitf.nist.gov/eleccomm/ecomm.htm>.
Digital Signature of California
<http://www.ss.ca.gov/digsig/digsig.htm>
(6) The PKI Evaluation Guidelines provide a process to assure trustworthy PKIs. See ABA Network <http://www.abanet.org>. See "ETERMS" ICC World Business Organisation <http://www.iccwbo.org>
(7) The Utah Digital Signature Act
<http://www.commerce.state.ut.us/web/commerce/digsig/act.htm>
See ABA Digital Signature Guidelines Draft <http://www.abanet.org/scitech/ec/isc/home.html>
(8) TEDIS 1996 Appendix I p. 15 "a world-wide bill of lading negotiation system requires a trusted third party which takes care of the organisational aspects of the system"
(9) S Baker "UK Plans for Trusted Third Parties
Encryption"
<http://www.us.net/~steptoe/ukcrypto.htm>,
DTI Paper on Licencing of Third Trusted Parties
<http://www.dti.gov.uk/pubs>.
C Lindsey "Critique of the DTI proposals for the Licencing of Trusted Third
Parties"<http://www.cs.man.ac.uk/~chl/dti.critique.html>
(10) The Electronic Data Security Act of 1997
<http://www.cdt.org/crypto/970312_admin.htm>
(11) Carnival Cruise Lines v Shute
499 US 585
(12) Giliberto v Kenny 48 ALR 620,
Smith v South Wales Switchgear Co [1978] 1 WLR 165
(13) Lamb v Embart Corp 47 F3d 551,
Town Center Assocs v Workman 487 SE2d 624, Hill v Gateway 2000
Inc 105 F3d 1147.
(14) Cyber Bills of Malaysia
(http://www.cert.org.my/bill.html)
(15) COM (97) 503.
http://www.ispo.ce.be/eif/policy/97503toc.html
(16)
ftp://ftp.loc.gov/pub/thomas/c105/h2991.ih.txt
(17) [1998] 37 ILM 714
(18) OJ L 338/98 1994
(19) OJ 1987 L 285/35
(20) See COM (92) 422 final on protection
of personal data.
(21) See UN/ Edifact Syntax Rules ISO 9735-EN
29735. UN/Edifact TDED ISO 7372-EN 27372.
(22) Convention 72/454/EEC OJ 1972 L
299/32
(23) Rome Convention 80/934/EEC OJ 1980
L 266/1
(24) OJ 1997 L144/19. See Council Directive
89/522/EC of 3 October 1989. It regulates the use of TV as a medium for the
advertisement of home shopping opportunities. The Television without frontiers
Directive intended to allow a consistent approach to home shopping and avoid
giving an unfair advantage to any Member State.
(25) EC Commissioner Bangemann
<http://www.ispo.cec.be/ecommerce/english.htm>
(26) OECD Working paper No 81
(27) OECD Working paper No 5
(28) COM(98) 297 final. see COM(97) 503
final
(29) OJ 1995 L281/31. See Decision No 2717/95/EC
on a set of guidelines for the development of the EURO-ISDN OJ 1995 L282/16.
Council Decision 96/715/EC on Edicom OJ 1996 L327/34.
(30) OJ 1998 L24/1. See Decision No 1336/97/EC on a series of guidelines for trans-European telecommunications networks. OJ 1997 L183/12.
(31) OJ 1987 L 365/72
(32) COM (94) 436, OJ 1994 C 360/13
(33) COM(95) 264, OJ 1995 C 199/16
(34) OJ 1995 C 251/3
(35) OJ 1997 L 043/25. See Commission
Recommendation 97/489/EC of 30 July 1997 concerning transactions by electronic
payment instruments OJ L 208/52 1997. It applies to transactions referred
to transfer of funds and cash withdrawals by means of an electronic payment
instrument. There is a need to sign a written contract prior to delivering
on electronic payment instrument. Obligations and liabilities of the parties
to a contract are specified in it.
(36) Thornton v Shoe Lane Parking Ltd
[1971] All ER 686
(37) OJ 1980 L266. Restatement of Law 2d, Conflict of Laws, Par 187. See Vita Food Products Inc v Unus Shipping Co Ltd [1939] AC 277. Finch v Hughes Aircraft Co 469 A2d 867. Burbank v Ford Motors Co 703 F2d 865.
(38) Internet Security OASIS
<http://www.tsin.com/>,
<http://www.tsin.com/docs.html>
(39) EU-US Joint Statement on Electronic
Commerce, 1998, 37 ILM 667. See UNCITRAL Draft Rules
<http://www.un.or.at/uncitral>