legal challenges in e-commerce

LEGAL CHALLENGES IN E-COMMERCE

UBA HELEN DORATHYCHENG KIE HONG

LOCK JUN QI

Outline

• Introduction • Unfair Terms in E-Commerce • Cybercrime as a Challenge to E-Commerce• Jurisdictional Issues in E-commerce

Introduction • What is e-commerce?

– The sale of physical or digital goods or services via a digital channel• Interesting Fact:

– 11th November 2016, The Star Online reported that Chinese e-commerce giant Alibaba Group Holding Ltd said it racked up more than US$5bil in transactions in the first hour of its annual 'Singles' Day' sales blitz

– In Malaysia, revenue in the e-commerce market amounting to USD 1,199.8 million in 2016

• The high volume of e-commerce transactions creates multiple challenges to all parties

Challenges

• consumer protection issues/unfair terms in e-commerce;

• data and network security issues;• Intellectual Property rights issues; • Privacy issues; • jurisdiction/choice of law issues; • admissibility/evidence issues;• Cybercrime to e-payment & etc.

The Main Legislation

• Electronic Commerce Act 2006– “electronic” means the technology of utilizing electrical, optical,

magnetic, electromagnetic, biometric, photonic or other similar technology

– “commercial transaction” means single communication or multiple communications of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance

• UNCITRAL Model Law on Electronic Commerce– Part I which covers e-commerce in general– Part II which covers E-commerce in specific areas such as carriage of

goods

UNFAIR TERMS IN E-COMMERCE

• E-commerce transactions are categorised in four ways being;– (a) consumer to consumer transactions;– (b) business to consumer transactions;– (c) business to business transactions; and– (d) many to many transactions (e-marketsor exchanges).

• The Star Online reported that:

– ‘Between 80% and 85% of e-commerce is the business-to-business (B2B) market. The business-to-consumer (B2C) market takes up only a small portion.’

Challenge

• Standard form contract • A common contract where unfair contract

terms can be expected to be found.• Consumer Protection Act only governs

consumer contracts– Not specifically on e-commerce – Not the business-to business market

Unfair Terms in Malaysian Law• Consumer Protection Act

– Section 24A defines “unfair term” as a term in a consumer contract which, with regard to all the circumstances, causes a significant imbalance in the rights and obligations of the parties arising under the contract to the detriment of the consumer

– Procedural Unfairness (knowledge and understanding, bargaining strength, reasonably practicable for the consumer to negotiate for the alternation, independent legal or other expert evidence, accurately explained) – These are not suitable for e-commerce, click-wrap agreement? Air Asia auto-added system?

– Substantive Unfairness (unreasonably difficult to comply with, not reasonably necessary for the protection of the legitimate interests of the supplier) – No list of example of substantive unfair terms, e-commerce will not know which term is allowed and which term is not allowed.

– A breach of any circumstances is a not breach of the law, it is not a mandatory requirement, merely a list of circumstances for a court or the Tribunal to take in account.

Business-to-business market (business contracts) • Contract Law

– a contract caused by coercion, undue influence, misrepresentation and fraud all of which are concerned with the procedural aspects of contractual fairness

– Consider the burden of proof – Consider the substantive unfairness

• Common Law – Doctrine of Unconscionability– The applicability of the doctrine of inequality of bargaining power or

unconscionable contract under the common law of Malaysia is still doubted.

– Malaysian courts have yet to deal with the issue of unconscionability and unequal bargaining power in e-commerce transactions.

A regional movement• European Union Council Directive 93/13/ECC on Unfair Terms in

Consumer Contracts• UK enacted the Consumer Rights Act 2015 (CRA) in order to give

effect to the Directive– ‘Contract and Notices’ vs ‘A Contract or a Term of the Contract’

• A notice that relates to rights and obligations between a trader and a consumer or a notice which appears to exclude or restrict a trader’s liability to a consumer

• Contractual or non-contractual consumer notices • Notices can be found on an e-commerce website (e.g incorrect price, incorrectly

states the offer's end date, late delivery, etc)– The Fairness Requirement

• A term or a notice is unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations under the contract to the detriment of the consumer.

– The Transparency Requirement• A term which is ambiguous will be interpreted in the meaning that is most

favorable to the consumer• The transparency requirement may be enforced by public bodies

Conclusion on Unfair Terms in E-Commerce

• No Model Law, Convention or Treaty • No specific provision• No regulation on business contracts• No mandatory requirement on transparency• The current law is inadequate for dealing with unfair

terms in e-commerce

Recommendations

• Insert the provisions on unfair terms in Electronic Commerce Act 2005—applicable to business contracts and consumer contracts

• Set up a commission or regulator to govern the unfair terms in e-commerce

• Insert a transparency requirement • Importance: to foster a more conducive environment

for e-commerce activities

Wednesday 3 May 2023

Cybercrime: a Challenge to E-Commerce

CYBER CRIME !!The term ‘Crime’ is defined as “an intentional act in violation of the criminal law (statutory and case law), committed without defence or excuse, and penalized by the state as a felony or misdemeanour. Cybercrime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity. It include everything from electronic cracking to denial of service attacks.

It is also used to include traditional crimes in which computers or networks are used to enable the illegal activity.


Categories of Cybercrime

Cybercrime can generally be divided into two categories;• Crimes that target computer networks or devises directly,

example; Malware and malicious code, denial of service attacks, computer viruses, industrial espionage, software piracy and hacking.

• Crimes facilitated by computer networks or devices, example; cyber stalking, fraud and identity theft, phishing scams and information warfare.


Norton Report 2013


Is Cybercrime a challenge?Silly question I suppose


Challenges cont.…..


International efforts to combat Cybercrime• International Criminal Police Organization (Interpol)

– As an international law-enforcement organization with 184 members, Interpol started to tackle computer crime very early, by coordinating law-enforcement agencies and legislations, in regard to which Interpol made efforts to improve counter-cybercrime capacity at the international level

– Interpol has provided a technical guidance in cybercrime detection, investigation and evidence collection. The Interpol Information Technology Crime Investigation Manual was compiled by the European Working Party on Information Technology Crime.

– Compared with the substantive and procedural law harmonization of today's Convention on Cybercrime, the Manual developed a technological law-enforcement model to improve the efficiency of combating cybercrime


Regional efforts to combat Cybercrime;• The Asia-Pacific Economic Cooperation (APEC)

• In 2005, The sixth APEC Ministerial Meeting on the Telecommunications and Information Industry passed the Lima Declaration,

• "encouraging all economies to study the Convention on Cybercrime (2001) and to endeavour to enact a comprehensive set of laws relating to cyber security and cybercrime that are consistent with international legal instruments, including UN General Assembly Resolution 55/63 (2000) and the Convention on Cybercrime (2001)."

• Nevertheless, due to the great difference between member economies within the APEC, the development toward unified legal instruments has not been too satisfactory.


Regional efforts to combat Cybercrime cont.….

• COUNCIL OF EUROPE

• In 1981, the Council of Europe implemented “the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data”,

• The Convention recognized the desirability – "to extend the safeguards for everyone's rights and fundamental

freedoms, and in particular the right to the respect for privacy, taking account of the increasing flow across frontiers of personal data undergoing automatic processing," and the necessity "to reconcile the fundamental values of the respect to privacy and the free flow of information between peoples" (Preamble).

• The Convention covers the protection of personal data in both the public and private sectors.


COUNCIL OF EUROPE cont.…

• In 1997, the Council of Europe began drafting the Convention on Cybercrime, which was open for signature in 2001 and took effect in 2004.

• In 2003, the Additional Protocol to the Convention on Cybercrime Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed Through Computer System (ETS NO. 189) was implemented.

• The Convention is a historic landmark in the combat against cybercrime.

• The Council of Europe in 2006 launched a Project against Cybercrime, envisioned to assist the development of national legislation in line with the provision of the Convention, training of judges, prosecutors and law-enforcement officers, and training of criminal justice officials and 24/5 contact points in international cooperation.

The European Union

• In 1995, the European Parliament and the Council (EPC) endorsed Directive 95/46/EC of 24 October 1995 on the protection of Individuals with regard to the Processing of Personal Data and on the Movement of Such Data.

• In 1997, the EPC endorsed Directive 97/66/EC of 15 December 1997 concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector.

• In April 2002, the Commission of the European Communities presented a proposal for a Council Framework Decision on Attacks against information systems, and this proposal constitutes the case of the Decision of 24 February 2005.

• The Framework Decision only dealt with attacks through unauthorized access to or interference with information systems or data. It does not specify penalties for illegal access to information systems and instigation, aiding and abetting and attempting of these offences, but requires member states to take the necessary measures to ensure that they are punishable by effective, proportional and dissuasive criminal penalties.

• It is worth noting that the matters mentioned in the Framework Decision can also be found in the Convention on Cybercrime.

http://www.webology.org/2007/v4n3/a45.html#5



Multi-national Organizations;

• The Common Wealth Nations

• The Commonwealth of Nations’ Secretariat prepared the "Model Law on Computer and Computer Related Crime" in October 2002

• The Model Law expanded criminal liability - so as to include reckless liability- for the offences of interfering with data, interfering with computer systems, and using illegal devices.

• The Model Law also covered the problem of dual criminality by stating that the act applied to an act done or an omission made by a national of a state outside its territory, if the person's conduct would also constitute an offence under a law of the country where the offence was committed. This may lead to prosecution or extradition based on dual criminality.

• Another focus of the Commonwealth is on mutual assistance in law enforcement between Commonwealth member states and non-commonwealth States.

• In the 2005 Meeting of Commonwealth Law Ministers and Senior Officials, the Expert Working Group proposed 10 recommendations for member states to adopt suitable measures for improving domestic law enforcement and trans-national assistance.

• It also encouraged member states to sign, ratify, accede to and implement the Convention on Cybercrime as a basis for mutual legal assistance between Commonwealth member states and Non-commonwealth States.

The Group of Ei ght (G8 )

• In 1995 at the Halifax Summit, the Group of Seven recognized

– "that ultimate success requires all governments to provide for effective measures to prevent the laundering of proceeds from serious crimes, and to implement commitments in the fight against trans-national organized crime."

• The group released 40-point set of "recommendations to combat Trans-national Organized Crime efficiently" at the G7/P8 Lyon Summit. The recommendations urged the states to increase the level of criminalization, prosecution, investigation, and international cooperation, while acknowledging in their entirety human-rights protection.

• The Group of Eight Meeting of the Justice and Interior Ministers indicated, in a Statement of Principles Concerning Electronic Crime, that,

– ‘although criminal legislation was a national responsibility, the character of the information networks obstructed countries from operating traditional power over this problem. National legislations have to be supplemented by international cooperation to criminalize the exploitation of the networks and harmonize the investigative action.’

• The Group of Eight agreed on principles and approaches for the protection of privacy, the free flow of information, and the security of transactions.

The Organization for Economic Corporation and Development (OECD)

• In 1983, an expert committee was appointed by the OECD to discuss computer crime phenomena and criminal-law reform.

• In December 1999, the OECD officially approved the Guidelines for Consumer Protection in the Context of Electronic Commerce,

• In 2002 the OECD adopted Guidelines for the Security of Information Systems and Networks, calling on member governments to– "establish a heightened priority for security planning and

management", and to "promote a culture of security among all participants as a means of protecting information systems and networks"

• The guidelines established nine principles, including awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and re-assessment.


Major themes of the Organizations

The promotion of security awareness at both the international and national levels,

Global harmonization of laws and procedure, Coordination and Cooperation in law

enforcement, and Direct anti-cybercrime actions.


Efforts to combat cybercrime in Malaysia

• Numerous legislations have been enacted in 1997 to 1998. They are: - – 1. Multimedia and Communications Act 1998 – 2. Multimedia Commission Act 1998– 3. Digital Signature Act 1997 – 4. Computer Crimes Act 1997– 5. Telemedicine Act 1997– 6. Copyright (Amendment) Act 1997


Malaysia cont.…. • Computer Crimes Act 1997 is the main Act use to combat cybercrime

in Malaysia.• However, the offences are only described in sections 3, 4, 5, 6, 7 and

8 in Part II of the Act.• The Computer Crimes Act 1997 does not cover many areas of

computer-related activities.• The criminal laws of Malaysia, in particular the Penal Code, do not

specifically provide for any computer-related crimes. • The legal standing of these cybercrime protections must be

determined in the context of the existing laws. • The existing laws were not drafted with computer technology in mind

and in most cases, is not sufficiently broad enough to encompass the various types of computer-related activities.

• Consequently, no matter how repulsive or evil such activities may be in the perception of the policymakers and the public, they may not constitute unlawful or prohibited behaviour.


Cybercrime’s definition; no comprehensive definition of the term “cybercrime” yet. Cybercrime covers diverse types of offences which includes; offences against the confidentiality, integrity and availability of data and information systems. There is need for a harmonized definition of the term cybercrime in an international instruments either binding or non-binding.

ICT is complex and often unfamiliar to the traditional criminal justice world. It requires well-trained personnel to deal with crimes involving these devices throughout the investigation phase, during prosecution, and in courts. States need to invest in constant training and education of its operators

Crimes occur in a fraction of a second and evidence of cybercrime frequently consists of digital information, which is momentary by nature and can be altered or deleted. Law enforcement agencies must therefore take rapid action and be able to collect and preserve digital evidence for use in criminal proceedings


How to Tackle Such Activities?

An important question that arises is how can these crimes be prevented. A number of techniques and solutions have been presented but the problems still exists and are increasing day by day.

Antivirus And Anti Spyware Software:Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Anti spy wares are used to restrict backdoor program, trojans and other spy wares to be installed on the computer.

Firewalls:A firewall protects a computer network from unauthorized access. Network firewalls may be hardware devices, software programs, or a combination of the two. A network firewall typically guards an internal computer network against malicious access from outside the network.

Cryptography:Cryptography is the science of encrypting and decrypting information. Encryption is like sending a postal mail to another party with a lock code on the envelope which is known only to the sender and the recipient. A number of cryptographic methods have been developed and some of them are still not cracked.

Cyber Ethics and Laws:Cyber ethics and cyber laws are also being formulated to stop cyber crimes. It is a responsibility of every individual to follow cyber ethics and cyber laws so that the increasing cyber crimes shall reduce. Security Software like Anti Viruses and Anti Spy Wares should be installed on all computers, in order to remain secure from Cyber Crimes. Internet Service Providers should also provide high level of security at their servers in order to keep their clients secure from all types of viruses and malicious programs.

The Future of Cyber-Crimes in Malaysia

• Continued Website Hacks and Defacements

• Data and Information theft

• Increasing phishing attacks on Ecommerce and Financial Websites

• Cybercriminals targeting Social and Professional Networks

• Threats directed at the Mobile Platform: Smartphones and Tablets

Conclusion…

"As internet technology advances so does the threat of cyber crime. In times like these we must protect ourselves from cyber crime. Anti-virus software, firewalls and security patches are just the beginning. Never open suspicious e-mails and only navigate to trusted sites.”

36

JURISDICTIONAL ISSUES IN E - COMMERCE INTRODUCTION• “As long as different countries have different laws and cultures,

there are no good principles for jurisdiction….Every nation wants unity, but no nation wants to give up any of its traditions.”

• When something goes wrong with contracts between parties in different countries, there is often confusion as to where a court action should be brought.

Should it be in the country of the purchaser? Or that of the seller or service provider? And how can you enforce a court ruling when each party is in a

different country? Internet Contracts are based largely on the terms and conditions contained on the web site in question

37

Introduction cont.……• The terms and conditions often contain a 'choice of law'

clause, which indicates the country in which a dispute will be decided.

• But most times not brought to the attention of the customer. • These problems may be solved and/or reduced by an

international treaty• Unfortunately, there are no specific rules in the model laws

and conventions dealing with Internet jurisdiction yet

• Common law courts around the world have applied different criteria to determine whether they have jurisdiction over Internet disputes.

• While some courts have simply applied existent traditional rules, others have tried to develop new criteria to accommodate the uniqueness of the electronic commerce.

CASE STUDY; BANYAN TREE HOLDING (P) LIMITED VS. A. MURALI KRISHNA REDDY & ANR.

• The case came up at Delhi India Court• The Plaintiff’s registered office is at Singapore • The Defendants 1 and 2 are at Hyderabad. None of the parties is located within the

territorial jurisdiction of the Court.

Brief facts of the case.

• The Plaintiff, since 1994 adopted and used the word mark “Banyan Tree” and also the banyan tree device.

• Due to long usage the Plaintiff claimed that the said mark have come to be associated with it and its sister concerns.

• The Plaintiff maintains the websites www.banyantree.com and www.banayantreespa.com since 1996.

• The said websites are accessible in India. • In October 2007, the Plaintiff learnt that the Defendants had initiated work on a project

under the name “Banyan Tree Retreat”. • The Plaintiff contend that the word mark and the device adopted by the Defendants in

relation to their retreat is deceptively similar to that of the Plaintiff.

38

Case study cont.…

The Plaintiff contends that the use of the said mark and device by the Defendants was calculated to cause confusion and deception among the public by passing off the services of the Defendants as that of the Plaintiff.

The Plaintiff filed for an injunction to restrain the Defendants from the use of the said mark and device.

One of the issues before the court for determination is,

– whether for the purposes of a passing off action, or an infringement action where the Plaintiff is not carrying on business within the jurisdiction of a court, in what circumstances can it be said that the hosting of a universally accessible website by the Defendants lends jurisdiction to such Court where such suit is filed ("the forum court")?

39

40

USA Approach• In the United States, the rules on applicable law and jurisdiction are based on

notions of “reasonableness” and “fundamental fairness” to both plaintiffs and defendants.

• Case to case basis 1. Purposeful availment test;- the Plaintiff to prove;o That the defendant has sufficient "minimum contacts" in the forum state. In

other words, the defendant must have purposefully directed its activities towards the forum state or otherwise "purposefully availed" of the privilege of conducting activities in the forum state.

o The forum court had to be satisfied that exercising jurisdiction would comport with the traditional notions of fair play and substantial justice (International Shoe Co. v. Washington)

2. The “Zippo” sliding scale test:- the plaintiff to prove: o the defendant must have sufficient "minimum contacts" with the forum state,

(2) the claim asserted against the defendant must arise out of those contacts, and (3) the exercise of jurisdiction must be reasonable."

o The court in Zippo classified websites as (i) passive, (ii) interactive and (iii) integral to the defendant’s business. (Zippo Mfg. Co. v. Zippo Dot Com, Inc.)

41

USA Approach3. Effects test:-o The courts moved from a “subjective territoriality” test to an

“objective territoriality” or “effects” test in which the forum court will exercise jurisdiction if it is shown that effects of the Defendant’s website are felt in the forum state. (Calder v. Jones)

4. Targeting Approach:-o Currently evolving in the USA courts, a targeting analysis requires

that a defendant specifically aim its online activities at a forum to come under the jurisdiction of that state.

In addition, US courts have generally held that consumer protection authorities can assert jurisdiction over foreign businesses harming American consumers.

42

EUROPEAN UNION APROACH• Europe has specific rules relating to jurisdictional issues relating to e-

commerce activity. The Brussels Convention on Jurisdiction and Recognition of Enforcement of

Judgments in Civil and Commercial Matters (known as “the Brussels Convention”) govern the issue of jurisdiction; and

The EC Convention on the Law Applicable to Contractual Obligations (known as “the Rome Convention”) govern the issue of applicable law for consumer contracts concluded over the Internet.

• Under these conventions, jurisdiction and applicable law for consumer contracts are based on whether consumer is “active” or “passive”. – Passive;- the consumer is not the initiator of the international contract(has no

intention to enter international market) such contract was preceded by a specific invitation or by advertising.

– Active:- takes the initiative to enter international market• The conventions focus more on passive consumer than active consumers• This protection is not affected by a choice of forum or law clause. • Art. 17.1( c) Brussels Reg. requires only that the commercial activity was

directed towards the consumer’s state and the specific contract should fall within the scope of the business area

• It does not provide any basis for a causation requirement

BANYAN TREE HOLDING (P) LIMITED CONT….

• The Delhi High Court after thorough examination of different commonwealth cases and principles of law, applying USA targeting approach held that; “………For it to exercise jurisdiction there should be a

prima facie evidence to shown that the nature of the activity indulged in by the Defendant by the use of the website was with an intention to conclude a commercial transaction with the website user and that the specific targeting of the forum state by the Defendant resulted in an injury or harm to the Plaintiff within the forum state”.

APPROACH IN MALAYSIA

There is no Malaysian decision on the jurisdiction of a commercial website yet.

• Should a case arise, we assume, the basic law regarding Court’s jurisdiction would apply i.e.;-

• Thus Malaysian Courts would have jurisdiction only when;

– The cause of action arose in Malaysia; or– The defendant resides or is domiciled in Malaysia; or– The defendant has a business or carrying on a business in Malaysia

It is suggested that the approach taken by the U.S.A. courts would be the best way forward, that is the targeting

FINDINGS AND RECOMMENDATIONS

The presence of multiple parties in various parts of the world who have a virtual connection with each other.

Difficulties in determining the appropriate forum court in times of dispute due to borderless nature of internet.

We recommend that in this kind of situations the court should apply the USA targeting approach theory.

The challenge of conflict of laws among nations may also arise. For instance, some websites may be offensive in Malaysia but legal in Canada.

These issues are of serious concern especially with respect to enforcement of foreign judgment.

We suggest that there is urgent need for strong and pervasive laws at the international level to deal with forum jurisdiction in e-commerce disputes and the recognition and compulsory enforcement of such forum decisions in other territorial jurisdiction.


Conclusion

• As the number of internet users increases globally and consumers and vendors gain more familiarity and comfort in doing business online, internet markets will play an even more significant role in the economies of nations worldwide.

• Therefore, the subject of jurisdiction in e-commerce consumer contracts is of great importance in the lives of online vendors, consumers, policy makers and governments.