Australian Society of Archivists
Electronic Records Special Interest Group
Managing Websites Seminar: Gearing up for the
e-commerce era:
Regulatory, Recordkeeping and Legal Issues
associated with Managing Websites
Livia Iacovino, School of Information Management and
Systems, Monash University
"It has been the increasing use of web-based internet
technologies for business and social purposes, including ‘electronic
commerce’, that is highlighting recordkeeping issues. The
business focus is on the need to maintain evidence of contract
formation, sender/recipient authentication, and message integrity in
order to ensure the legality of the transactions. These areas
intersect with major recordkeeping concerns: reliability,
authenticity, evidence, trusted systems and communities, and the
responsibilities of recordkeeping agents/actors in the recordkeeping
processes.
As recordkeeping professionals we will need to ask:
- How can we create and reconstruct transactional records on the
Web?
- Who owns the records and has control over them?
- Do the records provide evidence of a contractual or other legal
relationship?
- Who are the entities transacting via the Web? How do we capture
information about them?
- Are we revisiting the problems of electronic information systems
without recordkeeping functionality in the Web environment?
- Can intranet systems linked to the Web retrieve transactions with
all their contextual attributes?
- Are government studies addressing the issue of retaining records
as records in time and over any length of time on the Web?
Current web context
- Characterised by rapid changes
- Increasing use for more than presenting general information
- Integrated into business activities
- ‘One-stop shop’ link with other web sites (e.g. portals)
- Client-centred thus legal liability aspects emerging
- Electronic service delivery on line, e.g. government business to
business. See ‘Moving to an Electronic Marketplace’,
Office of Government Online, Discussion Paper August 1999.
ftp://ftp.dcita.gov.au/pub/reports/emarketplace2.rtf
- Increasing requirement to identify web site owners and consumers
for business transactions
An organisation’s web site is more than a dissemination tool
for its information resources. Every time someone accesses the site a
transaction occurs. It is not easy to separate out legal or
recordkeeping issues that are relevant purely to the web’s ‘publishing’
activities from its use for other business activities. The ‘one-stop
shop’ means that all kinds of activities are being conducted
via the web, so we have to decide which of these need to have records
sitting behind them and which do not. We have to make appraisal
decisions from the outset.
Recordkeeping context
- What is the purpose of the web page?
- What is it used for?
- Is it a publication? (legal deposit requirements?)
- Is it a record?
- Are these divisions useful for recordkeeping purposes?
Business context
- Web development is part of business risk
- The recordkeeping risk is assessed within the context of a
business risk management analysis
- Recordkeeping risk: to make and keep a record
Manage as a business process?
- Link to business process. Do you need to make and keep records?
- Should all iterations/versions of web sites be maintained?
- How do you capture a view anyway?
- Aggregations of web pages or a snapshot?
- Do we need to be sure of what each end user sees? Lack of
conformity in what is seen depending on browser.
We may need to capture the transactions occurring via the web page.
When there is an interaction, some of these interactions may need to
be captured. Services are being delivered across structural boundaries,
but the need for evidence has to link back to a responsible person;
this is an accountability issue. The client has to know who
he/she is dealing with and who to complain to.
Basic recordkeeping questions remain, such as which records am I to
make and keep and for how long?
Current recordkeeping practice is focused on transactions and
business processes. This translates into the Web environment which is
process-driven. Records creation and capture at the transactional
stage are essential.
Specifically:
- Outline the sequence of transactions
- Identify outcome of processes
- Identify external requirements to keep records
- Retain the procedures and mandates you followed at the time you
provided a service on the web. The procedures and mandates may be
dynamic on the web but they have to be captured and linked to the
transaction.
Metadata and web records
Domain registration does not always uniquely identify an
organisation or person; domains can be registered overseas.
- Capture the context/metadata in web records
- Use metadata for identification and evidential purposes not just
as retrieval/discovery tools
- Make the metadata links and keep them.
- Maintain objects that move into other environments.
There are choices for metadata standards, e.g. AGLS plus recordkeeping
additions; SPIRT recordkeeping metadata; NAA’s standard (government
wide); Keyword AAA; AGIFT etc.
The preservation of web records and metadata, including control
information (e.g. mandates, procedures), is essential.
Regulatory context
This section covers the regulatory framework for electronic commerce
and other legal aspects of managing a website, and how these impact on
strategies for recordkeeping. The players are Government (several
bodies, including AG’s and NOIE) as well as industry groups, who are
setting standards.
Regulatory issues:
- E-commerce legislation
- Contracts online
- Consumer protection
- Authentication
- Privacy
One cannot understand the regulatory environment without the policy
framework. There are many recordkeeping issues that are not being
articulated in relation to e-commerce and encryption policies. They
are particularly relevant to evidential aspects of recordkeeping on
the Web.
The regulatory framework has been characterised by the government’s
‘hands-off’ approach. Business is taking the lead but is
still wanting some security.
- Who and what needs to be regulated in e-commerce?
- How much to regulate? Government is pushing a light-handed
regulatory approach
- How much to leave to codes and good business practice?
- Privacy and security on the Internet (personal and business):
cryptography; privacy regulation; what is it and how to comply?
- Global phenomenon: which rules apply, what are the problems, what
are the answers? E.g. role of international public and private law:
choice of forum and choice of law; special ‘cyberlaw’
(e.g. Lex Mercatoria model); international agreements.
It is important to remember that existing law applies to the Web so
do not only focus on special legislation like the Electronic
Transactions Bill. E.g. Evidence Law still operates on a state by
state basis.
Light-handed regulation is a feature of the e-commerce approach in
Australia. Laws are still Australian jurisdiction-based. The legal
community’s concern with the legal authenticity of records in
e-commerce applications is to ensure security of contract formation
and other business purposes without having to go to the courts to
determine whether the document expresses the deal or the contract.
Note: Victorian legislation on e-commerce in abeyance.
The Commonwealth Electronic Transactions Bill is based on two
principles: functional equivalence (also known as media neutrality) and
technology neutrality (US statutes have been more
technology-specific).
The Attorney-General, the Hon. Daryl Williams AM QC MP, introduced
the Electronic Transactions Bill into Parliament on 30 June 1999.
‘The Electronic Transactions Bill creates a light handed
regulatory regime for the use of electronic communications in
transactions. The Bill facilitates the development of electronic
commerce in Australia by broadly removing existing legal impediments
that may prevent a person using electronic communications to satisfy
obligations under Commonwealth law. The Bill generally gives business
and the community the option of using electronic communications when
dealing with Government agencies’. (From Explanatory
Memorandum)
The Bill is based on the recommendations of the Electronic Commerce
Expert Group, which reported to the Attorney-General in March 1998.
Electronic Commerce: Building the Legal Framework, March 1998, Report
of the Electronic Commerce Expert Group to the Attorney General,
http://www.law.gov.au/aghome/advisory/eceg/ecegreport.html
The Expert Group was established by the Attorney-General to consider
the legal issues raised by electronic commerce and the appropriate
form of regulation, consistent with international developments, to
deal with those issues. The Expert Group recommended that the
Commonwealth should enact legislation based on the United Nations
Commission on International Trade Law (UNCITRAL) Model Law on
Electronic Commerce of 1996, with some modifications. Australia was
closely involved in the development of the Model Law. Relative
uniformity is achieved by sovereign states conforming broadly to the
Model Law.
‘All State and Territory governments have given in-principle
support to legislation based on the Electronic Transactions Bill.
However, while it is part of a national uniform scheme, the
Commonwealth’s Bill will operate independently of any legislation
in other jurisdictions and will take effect immediately from its
commencement.’ (From Explanatory Memorandum)
It should provide more confidence in using the web for business
activities within Australia. The Bill has had a second reading but has
not yet been passed.
A number of provisions in the Bill support recordkeeping processes
and actions. (Note: Bold italicised sections refer to my personal
interpretation.)
‘The Bill establishes the basic rule that a transaction is not
invalid because it took place by means of an electronic communication.
It contains specific provisions which state that a requirement or
permission under a law of the Commonwealth for a person
(immediately requires agents to a transaction to be identified)
- to provide information in writing (relates to script,
language, content, layout; i.e. how we communicate)
- to sign a document (agent and authentication link)
- to produce a document (needs to be created and captured in
the first place)
- or to retain information or a document (a system for record
capture)
can be satisfied by an electronic communication, subject to certain
minimum criteria being satisfied.
- in the absence of any contrary agreement, to determine the time
and place of dispatch and receipt of electronic communications
and the attribution of electronic communications. (recordkeeping
metadata on time and place of receipt of transaction)
The sole purpose of the Bill is to enable people to use electronic
communications in the course of satisfying their legal obligations’.
(From the Explanatory Memorandum of the Bill, January 1999.)
Look at the definitions:
“Electronic communication” is defined as a communication
of information by means of guided and/or unguided electromagnetic
energy. The term “communication” should also be interpreted
broadly. Information that is recorded, stored or retained in an
electronic form but is not transmitted immediately after being created
is intended to fall within the scope of an “electronic
communication”.
“Transaction” is defined to include transactions of a
non-commercial nature. (The term “transaction” is defined in
clause 5. Is it too broad?)
It identifies and defines:
- Useability
- Accessibility
- Reliability
- Integrity
- Authenticity
For example, legal changes supporting retention of transactions on
the web in Commonwealth law include:
Clause 9 Writing: ‘Subclauses (1) and (2) allow a person to
satisfy a requirement or permission to give information in writing
under a law of the Commonwealth by providing that information by means
of an electronic communication, subject to the general condition that,
at the time the information was given, it was reasonable to expect
that the information in the form of an electronic communication would
be readily accessible so as to be useable for subsequent
reference.’
‘It is not intended that any information technology
requirements or verification requirements must be promulgated by way
of an instrument or regulation, nor is it envisaged that they should
be personally provided to every person with which the Commonwealth
entity may deal. However, a Commonwealth entity must provide adequate
notice and publicity of any requirements they make under these
provisions. For example, if a Commonwealth entity has an interactive
Internet web page that enables individuals to deal electronically with
the agency, then the web page should contain explicit information
about the format of communications. This information could include,
for example, a requirement for communications to be compatible with
either a particular software package or specified open standards for
electronic communications and that a person must also request a ‘return
receipt’ when the information is transmitted.’ (From Explanatory
Memorandum)
(This means that other legal, business and societal requirements
continue to operate for ascertaining how long to keep the
communication. However, it does at least provide a minimum retention
requirement in electronic form. Specific technology is not mandated,
but the idea of a format which is compatible is the intention.)
Contracts online
The Electronic Transactions Bill is centred on ensuring that
electronic communications have legal validity, in particular, but not
exclusively, in contractual circumstances. The Bill does not however
cover specifics of contract formation, such as terms and conditions.
It provides coverage for identities of parties, which are essential
for contract formation. In contract law, when a contract was accepted
(or when it was reasonable to believe it was accepted) is important.
A contract is formed when one party offers to do or supply something
on terms which are accepted finally and unequivocally by the other
party, and that acceptance is communicated to the person making the
offer. Something of value in legal terms must be given to the person
making the offer, usually a payment.
- Terms of contract: what the parties agreed to. Where the
contract is placed on the Net, to ensure the buyer reads the
conditions; variations in laws in different jurisdictions.
- Parties to the contract. Parties may never meet. Is there
sufficient identification of the buyer to ensure a valid contract?
Signatures to a contract: a formality for certain contracts;
the signature identifies the parties to the act; digital signatures
and the integrity of the sender: recourse to certifying authorities.
Non-repudiation link.
- Is the communication on its own sufficient to prove that a
contract took place? E.g. A web page offer becomes a binding
contract on receipt of a user response requesting to purchase a
product, unless it is made clear that it is merely an ‘invitation
to treat’.
- When was the contract made? Is the order the offer and thus the
time of the contract? Is a clear acceptance needed?
- Where was the contract made? Place of contract: relevant
where parties have not agreed which jurisdiction governs, or where
there are no applicable international conventions.
- International dimension: applicability of law of country
of posting of transmission (this affects data protection laws) or is
it the country of access? Law of applicability and law of court
jurisdiction.
Legal obligations where a web site is used for promoting
products/services as opposed to actually providing them online; what
are the implications of these different uses?
Legal obligations arise whether or not we are using the web for
transactions or merely to disseminate information about ourselves.
Consumer protection
Promoting a product or service is pre-contractual,
regardless of whether you are actually selling or providing it online.
You need to consider:
- Liability for advertising on the Net: ‘misleading and
deceptive conduct’ (trade practices)
- Check if you are subject to the Act; i.e. are you a ‘business’
or exempt
- Product liability
- Whole Trade practices area; defences ‘due diligence’
etc.
If you are selling:
- The legal implications of selling goods and services via the
Internet include issues of consumer protection laws (including the
law of passing off), trade marks and domain names, and contracting
and transacting on the Internet.
Trade Practices and consumer confidence issues are being managed by
the Australian Competition and Consumer Commission. The Trade
Practices Act 1974 (Cth) is relevant for electronic transactions. See
Part 5, which contains a range of provisions for protecting consumers
and corporations as consumers, including s 52, which deals with
misleading and deceptive conduct: it prohibits conduct which is
misleading or deceptive, or which is likely to mislead or deceive.
Sellers are required to tell the truth or to refrain from giving an
untruthful impression, including disclosure of relevant information.
Section 53 prohibits false claims about sponsorship, approval,
performance characteristics, accessories, uses or benefits of goods
and services.
These restrictions will apply to electronic transactions and
electronically supplied information as well as to physical goods and
services.
There are a number of Directives to protect consumers:
Consumer Protection in Electronic Commerce Draft Principles and Key
Issues, October 1997, Prepared by The National Advisory Council on
Consumer Affairs
http://www.dist.gov.au/consumer/eleccomm/draft/index.html
Takes into account the United Nations Guidelines for Consumer
Protection. Establishes equivalence of consumer rights online with
those that apply to existing forms of commerce, i.e. Trade Practices
law.
A Policy Framework for Consumer Protection in Electronic Commerce
was released for comment in May 1999. See Building Consumer Confidence
in Electronic Commerce: A Best Practice Model for Industry, Exposure
draft, October 1999
http://www.ecommerce.treasury.gov.au/
The Treasury report lacks a recordkeeping perspective. Similar to
1997 report above.
- Trader to consumer
- Based on trade practices principles
- Industry-based
- Individual bodies set up by each industry to administer code.
Note: Electronic Transactions Bill provides some legislative
certainty for consumers also, i.e. identity of seller; location.
Authentication and the Web
Authentication and certification methods, as articulated in the IT
environment, are concerned with ensuring that the identity of a person
or entity is what it claims to be, and contribute to the
trustworthiness of the transaction players.
The government’s role is as an enabler: legal/regulatory and
policy framework. The general view is that the private sector should
be the main player. The market is pushing for reliability, trust and
non-repudiation of e-commerce. These are issues that recordkeeping has
considered for millennia.
The National Public Key Infrastructure Working Party was established
in late 1997 by NOIE to oversee
the development of a national framework for the authentication of
users of online communications services to provide:
- A trusted system for the generation of digital signatures to give
corresponding parties certainty in each other’s identities;
- Assurance of the integrity of electronic data used; and
- A means of ensuring non-repudiation of electronic transactions.
The report recognised the legal significance of electronic
authentication in respect of evidence and contract; liability, privacy
and consumer protection, and sovereignty and international trade.
The National Office for the Information Economy, Establishment
of a National Authentication Authority, A Discussion Paper, 19
August 1998 http://www.noie.gov.au/
The Report did not endorse all the National Public Key Infrastructure
(NPKI) Working Group’s recommendations. It proposed a much more
general government role.
The present authentication frameworks are focused on the
identity of the sender, a narrower focus than the evidential
requirements for recordkeeping. Another issue is that of encryption to
ensure that transactions are trustworthy and have not been tampered
with.
For e-commerce, authentication is important to prevent repudiation
and fraud by the buyer and seller. Thus the emphasis has been on
electronic signatures for identifying the author of an offer and
acceptance for a product. Again there have been numerous reports:
international and others. A new body has recently been established to
advise on policy issues: the National Electronic Authentication Council.
The development of frameworks and standards has been outsourced to
Standards Australia, to develop a framework of technical standards and
codes of business practice.
Remember that reliability and authenticity of transactions are areas
that recordkeeping professionals are meant to be experts in. We
should be much more involved in the development of standards in this
area.
Privacy issues
The OECD conference in Ottawa on e-commerce last year highlighted
privacy as a fundamental requirement to give people confidence in the
digital marketplace. See Ministerial Declaration on the Protection of
Privacy on Global Networks, OECD Conference A Borderless World:
Realising the Potential of Global Electronic Commerce, Ottawa, 7-9
October 1998.
Federal privacy legislation in Australia has been around since 1988,
but the present government initially resolved to extend the privacy
net beyond government in 1998 by adopting the National Principles for
the Fair Handling of Personal Information, based on the development of
industry and business codes of practice.
Part of the impetus: Oct 1998 EU Directive restricting personal
information from member countries to other countries unless adequate
privacy safeguards are in place. Codes may be insufficient. The
Europeans have not rejected this out of hand, but they still seem to
prefer regulation with some legal force.
To strengthen the industry codes, new national legislation is
expected to be introduced by the end of 1999. It aims to strengthen
the self-regulatory privacy protection introduced in 1998. This is an
approach which has continued to generate substantial criticism from
significant authorities such as the NSW Privacy Commissioner who
argues that such approaches are in the interests of business.
The Commonwealth’s proposed system of self-regulation in the private
sector has many flaws. It does not have strong teeth; a breach has to
be noted by the person concerned. Complaint handling is stacked against
the complainant. Without the Privacy Commissioner monitoring
compliance and only reacting to complaints it will be hard to detect
breaches of privacy on the Net. It may lead to powerful industries
dominated by large companies setting up codes to their advantage, as
well as a plethora of different codes which will not have the benefit
of statutory interpretation and case law. The proposed Victorian
Legislation had more sanctions.
Web privacy issues
If we need to know who we are dealing with to maintain trust, how do
we restrict information from third parties? (we also need to keep this
information for evidential purposes)
Personal information is at risk when it is transmitted either in the
form of:
- Identification of parties to the transaction
- Record/data subject information
- Third parties holding information about the above: e.g. ISPs and
authentication certificate providers will hold personal data about
the entities they are certifying
The identity of parties to the transaction (buyer and seller) or the
ability to infer the identity and data subject identity would
constitute personal data and be subject to privacy legislation
depending on the jurisdiction and ambit of the legislation.
Use of a unique identifier (e.g. Australian business numbers) to
link data across networks.
Proposed legislation in Australia re private sector: principles of
added relevance to ecommerce:
- Option to remain anonymous when entering transactions (NPP 8)
- Transfers of personal information out of Australia (NPP 9).
Ensure you have a privacy policy posted on your site.
Summary
Challenges:
- Web technologies, like information and document management
systems before them, are not providing recordkeeping systems
- Understanding that web transactions are business transactions and
fall under the same set of recordkeeping business and policy rules
- Keeping up to date with regulatory changes."
© Copyright Livia Iacovino 1999.