Overview (February 2001)

Introduction
Consumer Protection Act
Spamming
Digital Signatures Act
Comment

Introduction

On June 8 2000 the European Parliament and Council adopted Directive 2000/13/EC on certain aspects of information society services, in particular electronic commerce, which took effect on June 1 2000.

The directive includes rules on:

• information society services;

• unsolicited commercial communications;

• electronic contracts; and

• service providers' liability.

According to Article 22 of the directive member states must take the necessary steps to comply with the directive by January 17 2002. The Austrian Parliament has not yet passed any new laws, regulations or administrative provisions to implement the directive. However, certain pieces of legislation already provide a legal framework for e-commerce.

Consumer Protection Act

On June 1 2000 and January 1 2001 two amendments to the Consumer Protection Act came into force implementing the provisions of Directive 97/7/EC of the European Parliament and Council on the protection of consumers in respect of distance contracts. The Austrian legislator has incorporated the provisions of the directive into various existing acts, most importantly the Consumer Protection Act.

Section 5a of the Consumer Protection Act defines 'distance contracts' as "contracts under an organized distance sales or service-provision scheme with the exclusive use of one or more means of distance communication". This encompasses any means for the conclusion of a contract without the physical presence of the parties. Although internet shopping is not explicitly included, it is covered by Section 5a.

Spamming

On September 20 1999 two provisions prohibiting spamming entered into force under the Telecommunications Act. The provisions were adopted in the course of deliberations on the implementation of Directive 97/7/EC on the protection of consumers in respect of distance contracts. The Austrian legislator has taken a unique approach regarding the prohibition against spamming. To date, this has not been followed by any other member state of the European Union.

While Article 10 of the distance contracts Directive 97/7/EC and Article 7 of the e-commerce Directive 2000/31EC both contain provisions allowing distance communication and unsolicited commercial communication unless the recipient has clearly objected against the receiving of such communication (eg, by registering in an opt-out list), the Austrian legislator went one step further.

Now, the sending of electronic mail as mass e-mail or for the purposes of advertising is subject to the recipient's prior consent. The recipient may withdraw his or her consent at any time. The provisions distinguish between mass e-mails (which need not be connected to advertising) and e-mails for the purposes of advertising (which need not be in the form of mass e-mails). A single e-mail for advertising purposes falls within the scope of the spamming provision.

Violation of the prohibition is punishable by a fine of up to Sch500,000.

Shortcomings
There is no definition of what constitutes a mass e-mail. With regard to regular mail, the postal service can mail up to 400 letters for the purposes of direct advertising within one mailing. It is likely that the Austrian legislator had a similar figure in mind when regulating mass e-mails. However, the exact definition remains subject to clarification by the courts.

The scope of the term 'for the purposes of advertising' is also unclear. Unlike the e-commerce directive, the Telecommunications Act does not require that the communication be of a commercial nature. Also, a single e-mail for the purposes of advertising triggers the fine unless prior consent is given.

'Advertising' refers to the making of a representation in any form in connection with a trade, business, craft or profession in order to promote the supply of goods or services. There is no indication as to how the recipient's prior consent might be obtained.

Only offences committed within Austrian territory are punishable. The offence of sending a prohibited e-mail is committed by sending the message. Receipt of the message does not form part of the element of the offence. Consequently, some authors argue that the penalty does not apply to e-mails sent from foreign countries, although this could lead to misuse of the provision. It remains to be seen how the courts and administrative authorities will deal with the prohibition against spamming and its sanctions.

Digital Signatures Act

On January 1 2000 the Digital Signatures Act came into force, implementing Directive 1999/93/EC of the European Parliament and Council on a community framework for electronic signatures. The purpose of the act is to facilitate the use of electronic signatures and to contribute to their legal recognition. The act establishes a legal framework for electronic signatures and appropriate certification services.

Following the example of the directive, domestic law has a two-fold digital signatures system. Section 2 of the Digital Signatures Act distinguishes between 'electronic signatures' and 'secure electronic signatures' (the latter refers to advanced electronic signatures according to the EC directive). An electronic signature consists of data in electronic form which is attached to or associated with other electronic data and which serves as a method of authentication.

A secure electronic signature must be uniquely linked to the signatory, capable of identifying the signatory and created using means that the signatory can maintain under his sole control. It must be linked to the data to which it relates in such a manner that any subsequent change of the data is detectable, and it must be based on a qualified certificate and created by using secure technical methods.

The legal effects of electronic signatures and secure electronic signatures differ. Section 3 provides that an electronic signature cannot be denied legal effectiveness and admissibility in evidence solely on the grounds that:

• it is in electronic form;

• it is not based upon a qualified certificate;

• it is not based upon a qualified certificate issued by an accredited certification service provider; or

• it is not created by a signature creation device.

The legal effects of electronic signatures are somewhat more relaxed than those of secure electronic signatures. Section 4 provides that secure electronic signatures are equal to conventional handwritten signatures. Furthermore, they are admissible as evidence in legal proceedings.

Generally domestic law does not require a special form for the conclusion of a contract. Therefore contracts can also be concluded by way of electronic signature or secure electronic signature. However, there are certain categories of legal transaction that require a specific form and so cannot be concluded by way of a secure electronic signature. They are:

• legal transactions concerning family law and the law of succession;

• declarations of will or legal transactions that require a notarial deed or attestation by the court or a public notary for their validity;

• declarations of will or legal transactions that are necessary for registration in public books (such as the land register and the company register); and

• contracts of suretyship.

Secure electronic signatures require a qualified certificate. Certification service providers are entities that issue certificates or provide other services related to electronic signatures. The Digital Signatures Act has adopted a system of voluntary accreditation, allowing certification service providers that comply with certain obligations to apply for special permission.

According to Article 3 of the EC directive Austria is obliged not to make the provision of certification services subject to prior authorization. However, this rule does not apply to the provisions of trade law. Consequently, a certification service provider must comply with the Austrian Business and Trade Code.

The technology used to provide secure electronic signatures must be able to ensure that the person shown as the author has composed a message. With regard to confidentiality, there must be a way of ensuring that the message can only be read by the intended recipient. Therefore current technology provides for one set of keys, a private key (signature creation device) and a public key (signature verification device). Each person possesses only one set of keys. The private key may not be transferred to other persons and its owner must obtain a special password or code. To ensure authenticity and confidentiality, the public key can be obtained from trustworthy databases of signature verification authorities. The message will be encrypted by the sender with his private key and de-coded by the recipient with the public key. If the sender of the message wishes to ensure that only the intended recipient will be able to read it, he or she can encrypt the message by means of the public key. Then only the intended recipient can decode it.

Section 13 of the Digital Signatures Act foresees the implementation of a supervisory board that ensures compliance with the provisions of the act and controls the certification service providers. In Austria that role is attributed to the Telekom Control Kommission.

Comment

Clearly, the legal issues posed by modern technology, information services and e-commerce are complex. E-commerce encompasses a large number of areas and consequently no single piece of legislation can tackle the various issues. The situation is complicated by the fact that technology develops at a much faster speed than law, thus leaving the legislature a step behind. The existing domestic legal framework is mainly based on EU legislation and takes into account that a step-by-step approach is required in order to issue appropriate legislation.

For further information on this topic please contact Dieter Hauck or Barbara Kurz at Preslmayr & Partners by telephone (+431 533 16 95) or by fax (+431 535 56 86) or by e-mail ([email protected] or [email protected]).