Web Design Agreements
Data Protection Issues
Ireland, a small open economy with an English-speaking, highly skilled and technologically proficient workforce, has historically been disadvantaged in international trade due to its physical location. E-commerce is seen as an ideal means of overcoming the inherent problems associated with being physically located on the periphery of Europe and of allowing the Irish economy to maximize the potential afforded by its strengths.
Ireland is thus seeking to position itself as a global telecommunications hub and centre for e-commerce. Key measures in realizing this ambition are the implementation of an impressive new telecommunications infrastructure, of which the Global Crossings Project, a massive new interconnectivity initiative, is perhaps the single most outstanding item. While this hard infrastructure will ensure that business will have the capability to conduct international business from Ireland, legal infrastructure is also being updated to address areas of uncertainty and to facilitate such business. The Electronic Commerce Act 2000 is the primary example of this but further legislation, both primary and secondary, is being prepared by the government.
This Overview seeks to highlight areas of legal concern for those engaging in e-commerce in Ireland and to give a summary of some of the applicable law.
As a company's web site may be its primary source of customer interface, the design and structuring of web sites has assumed increasing importance. With continuing development in the level of sophistication and technological innovation used on sites, firms are increasingly turning to third-party site designers to whom they outsource the design function.
Under the terms of Irish copyright legislation, where the design of a web page, or any material thereon (including logos, articles or other intellectual property) is produced by a third party, then that person retains ownership of the copyright in such items unless there is a written agreement specifically assigning copyright from the third party to the site operator.
Therefore, it is essential that the terms of any agreement to design, write or provide material for a web page expressly convey copyright from the author or designer to the company which has contracted for these services.
Under the terms of the New Copyright Act 2000, the concept of moral rights has been introduced into Irish law for the first time. Hence, in addition to assigning the ownership of any copyright, it is also now important for firms to get designers and authors to waive such rights.
The international nature of e-commerce, and the practical manner in which it differs from traditional business practices, inevitably means that core clauses such as choice of law and jurisdiction assume greater prominence in this context than might usually be the case for similarly sized transactions. It also means that basic contractual issues need to be re-examined in this context, to ensure that required formalities are observed and that the steps taken are actually effective to create valid legal contracts. This section seeks to examine these issues under Irish law.
In this jurisdiction the formation of a valid contract requires two parties with adequate capacity who intend to create legal relations, one of whom makes an offer which the other accepts, and a consideration to be paid.
In addition there are certain formalities which are required to be completed in some circumstances for the creation of an enforceable contract, for example that the contract be 'in writing' and/or signed by one or both parties. These rules equally apply to online contracts. To ensure that none of these rules might invalidate the formation of online contracts in or from this jurisdiction, the legislature has passed the Electronic Commerce Act 2000. This expressly provides that where information is required to be given in writing, the electronic form will equally meet this requirement. Further, where a signature is required an electronic signature may be used and will be recognized as being equally valid as a traditional signature. Contracts relating to certain areas, such as wills, are not affected by this act, but the general position is only subject to a small number of such exceptions.
Irish law recognizes that acceptance of a contract can be given by conduct, and therefore requiring third parties to click on an 'I accept' icon or button as a means of completing a contract can be valid.
Under the provisions of Irish contract law, the terms of a contract may be contained on a separate document. Hence there would generally not appear to be any problem in including applicable terms and conditions on a separate web page, accessible by a hypertext link (ie, so-called 'click wrap' agreements). However, any unusual or onerous obligations must be drawn to the attention of the offeree prior to completion of the contract to be enforceable. This is particularly relevant in relation to clauses seeking to exclude liability and any exclusion clauses should be brought to the actual notice of the other party to ensure enforceability. Similar provisions may apply in relation to clauses seeking to impose a foreign law or jurisdiction clause.
A reasonable attempt must thus have been made to bring such clauses to the attention of the other party prior to completion, for example by displaying the terms in a position that gives the offeree a reasonable opportunity to desist from entering into a contract. It is therefore advisable for offerors to try and ensure that offerees do consult the terms. This could be achieved by requiring that a customer must click on a button, acknowledging that he has read the terms, which can be reached only by scrolling through the terms, especially in cases where a contract contains such unusual or onerous clauses.
Ireland ratified the Brussels Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters of September 27 1968 by means of the Jurisdiction of Courts and Enforcement of Judgments (European Communities) Act 1988. The act and the convention entered into force in Ireland on June 1 1988. Further acts have subsequently been passed to give effect to the accession conventions. These are (i) the Jurisdiction of Courts and Enforcement of Judgments Act 1993, which ratified the amendments made to the Brussels Convention by the 1989 San Sebastian Convention on the accession of Spain and Portugal to the Brussels Convention, and also ratified the 1988 Lugano 'parallel' judgments Convention between the EU member states and the European Free Trade Area member states, and (ii) the Jurisdiction of Courts and Enforcement of Judgments Act 1998, which consolidated the earlier acts and gave effect to the 1996 Accession Convention.
Under the terms of this legislative regime, contracting parties may agree to submit to this jurisdiction and the courts will give effect to such an agreement, subject to a number of exceptions, such as in relation to contracts regarding ownership rights in immovable property. Consumer contracts are also one of the areas subject to separate terms.
In cases where the Brussels Convention is not applicable (ie, where the parties are not domiciled in a state which is a party to this agreement), relevant factors in deciding on the applicable jurisdiction in actions relating to contracts will include the place in which the contract was formed or is implicitly (or explicitly) to be governed by, or the location of agents through whom the contract was arranged.
Hence, Irish courts will generally respect choice of jurisdiction clauses agreed by a customer clicking on an icon marked 'I accept', subject to a number of exceptions.
Similarly, in relation to arbitration agreements, it would appear that the Irish courts would accept an agreement to arbitrate contained in an online contract as valid and effective. This arises as the Arbitration Act 1980 provides for recognition of all written arbitration agreements by the Irish courts and the Electronic Commerce Act 2000 expressly brings online agreements within the terms of the Irish statutory definition of the word 'written'.
Ireland is a signatory to the Rome Convention on the Law Applicable to Contractual Obligations 1980 and has adopted this into domestic law by means of the Contractual Obligations (Terms Applicable) Act 1991. Irish courts will respect choice of law clauses where the choice is expressed or demonstrated with reasonable certainty, and Irish law will accept that acceptance of a contract has been given by conduct.
Therefore, it seems that the Irish courts will respect a choice of law clause agreed by a customer clicking on an icon marked 'I accept' where the choice has been expressed or demonstrated with reasonable certainty in the terms of the contract, subject to a number of exceptions, some of which are outlined below.
Irish law respects choice of law clauses, and holds that the existence and validity of a contract, or of any term of the contract, shall be determined by the law which would govern it under the contract if the term was in fact valid. Nevertheless, it seeks to protect contractees by holding that a party may rely upon the law of the country in which he has his habitual residence to establish that he did not consent if it appears, from the circumstances, that it would not be reasonable to determine the effect of his conduct in accordance with the law specified.
Contracts will not be enforced where they are contrary to Irish public policy, for example contracts to carry out criminal activities.
Even where Irish law is recognized as governing a contract, the general rule is subject to a number of provisos and other legal provisions may be applicable. For example, the convention provides that a choice of law made by the parties shall not have the result of depriving a consumer of the protection afforded to him by the mandatory rules of the law of the country in which he has his habitual residence. This is the case if in that country the conclusion of the contract was preceded by a specific invitation addressed to him or by advertising, and he had taken in that country all the steps necessary on his part for the conclusion of the contract.
The practical effect of this is that where a consumer enters into a contract via an Irish web site, whose terms and conditions state that Irish law will apply to any contract entered into thereon, this contract will be subject to mandatory rules applicable in the consumer's home country (ie, foreign laws) under the provisions of Irish law.
Conversely, stating that the applicable law of a contract is that of another jurisdiction will not have the effect of avoiding the effectiveness of Irish mandatory rules in certain circumstances, for example where an Irish consumer is contracting with an overseas web site. The Irish mandatory rules which are applicable include both statutory provisions and general public policy considerations. Specific statutory provisions which may be relevant include the European Communities (Unfair Terms in Consumer Contracts) Regulations 1995, the Sale of Goods and Supply of Services Act 1980, the Competition Acts 1991-1996 and the Consumer Credit Act 1995.
Material on a web site established by a person located outside this jurisdiction could give rise to criminal liability under the laws of this jurisdiction if it is accessible here. For example, it is an offence under the Companies Act 1963 to issue a form for application for shares in or debentures of a company to the public unless the form is issued in accordance with Irish statutory requirements. Further, under the Investment Intermediaries Act 1995 it is an offence for a person without proper authorization to supply or to advertise the supply of investment advice. Therefore, firms operating outside this jurisdiction offering investment advice to Irish residents without the appropriate authorization may be guilty of an offence.
Links and frames
No firm rule has yet been established by the Irish courts on the legality of linking or framing third-party sites. Site owners who wish to prevent unauthorized linkage may be able to rely on breach of contract, infringement of trademarks or copyright protection under Irish law to prevent third parties from establishing links to their site. However, as there is currently no case law on this area in Ireland these potential causes of action remain to be tested.
Providing a hyperlink to another site, either outside or inside this jurisdiction, may expose the linker to both criminal and civil liability under Irish law in certain circumstances.
Civil liability could arise where the first site operator is viewed as being the agent of the second site, where representations were made, implicitly or explicitly, about the other site or where the first site operator is viewed as a concurrent wrongdoer under the terms of the Civil Liability Act 1967. Under Irish legislation a person may become a concurrent wrongdoer as a result of vicarious liability of one for another, breach of joint duty, conspiracy, concerted action to a common end or independent acts causing the same damage. For example, where a web site has a link, either authorized or unauthorized, to another site and that web site contains material which infringes copyright, then the linker may be liable in tort as a concurrent wrongdoer for breach of copyright.
Providing a hyperlink to another site either outside or inside this jurisdiction may also expose the linker to criminal liability, either for breach of specific legislation, such as causing an advertisement which is in breach of statutory regulations to appear, or for 'aiding and abetting' a third party, where the content of the material on the third party's site is illegal in this jurisdiction.
However, this is still something of a grey area under Irish law as the courts have yet to address these specific issues in this context.
The Irish Data Protection Act 1988 regulates the collection, processing, keeping, use and disclosure of personal data in this jurisdiction. This act gives effect to the 1981 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The existing legislative regime in this area is due to be revised in the near future to implement the terms of the European Data Protection Directive, but no specific date has been set.
The existing legislation grants data subjects certain rights and creates a data commissioner with certain powers to ensure compliance. 'Personal data' is defined by the act as data "relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller". There are separate regulations applicable to personal data on certain sensitive information, such as racial origin, political opinions, religion, physical or mental health, sexual orientation and criminal convictions. Such data must be described in an entry registered with the state-appointed data commissioner's register.
Data controllers who are obliged to register personal data but fail to do so are guilty of an offence. Certain types of body are specifically regulated when acting as data controllers. These include public bodies, financial institutions, insurance companies, debt collecting agencies and data controllers who keep sensitive personal data. Internet service providers and other telecommunications companies have recently been added to this list. Data processors whose business consists solely or partly of processing personal data on behalf of data controllers are also subject to regulation.
Data collected on web sites will come within the scope of this legislation, although the existing Irish legislation does not apply in respect of data kept and processed outside the state where it is not intended to be used within the state. Data controllers are obliged by Irish law to obtain and process personal data fairly, and not to use or disclose it in any manner inconsistent with such purposes. Therefore, data subjects will be required to be informed of the intention to disclose personal data to third parties prior to the data controller obtaining it. Consent to disclosure or transfer of personal information by the data collector will only be formed if there is a valid acceptance of this by the data subject. Acceptance, which is the final and unequivocal expression of agreement to the terms of an offer, may be indicated by conduct, such as clicking on an icon.
Therefore, in relation to web sites, valid consent may be obtained from data subjects by providing them with a list of the proposed purposes for which the personal data will be used and then requesting that they indicate acceptance by clicking on an 'I accept' icon. Data subjects could give consent in such a way which permits widespread use of their data - for example, to its export outside the European Union - if the consent form disclosed this as the use to which the data would be put and the data subject consented to this.
Data subjects in this jurisdiction have both statutory and common law rights under Irish law. These include the right to:
- establish the existence of data files relating to them, including a description of the data and the purposes for which it is kept;
- access such records and copy any such files;
- rectify or erase data, where there has been a contravention by the data controller of the statutory terms relating to collecting, keeping, use or disclosure of personal data; and
- require that the data controller cease to use the data for the purposes of direct marketing.
Data subjects may complain to the data protection commissioner if they feel that their rights in relation to personal data are being infringed. The commissioner may hear complaints and investigate possible breaches of the act. He may then issue an enforcement notice to an infringer requiring amendment or erasure of the offending data if he is of the opinion that a provision of the act has been contravened. Failure to comply with such an enforcement notice constitutes an offence.
If an offence is committed under the Data Protection Act then the guilty party is liable on summary conviction to a fine not exceeding £1000 or, on conviction on indictment, to a fine not exceeding £50,000. Further, the court may order that any data connected to the offence becomes forfeited and must be destroyed. Officers of a company, including the directors, can be found guilty of offences under the act if an offence was committed "with the consent or connivance of", or can be "attributable to any neglect on the part of", the officer. Offences committable under the Irish legislation include failure to register sensitive personal data with the data commissioner, failure to comply with an order of the data commissioner, attempting to mislead the data commissioner, and obtaining unauthorized access to personal data and disclosing it.
Data controllers owe an express statutory duty of care to data subjects regarding the accuracy of the personal data collected. Therefore, where a data subject believes that he or she has suffered damage due to a breach of this duty, he or she may be able to sue for damages through the courts.
Where representations are made in relation to the uses to which personal data supplied by the data subject will be used, then there will also be an implicit (or possibly even explicit) contract that the personal data will only be used in accordance with the terms of such an agreement. If these terms are not observed by the data controller, the data subject may also sue for breach of contract. The use of personal data without authorization may also breach the common law duty of confidentiality. A breach of this duty which is found to exist in the particular circumstances of the case will give rise to a cause of action.
The Irish top level domain is indicated by the suffix '.ie'. This is currently administered by the IE Domain Registry Limited as a public service on behalf of domain name users.
Acquisition of a .ie domain name is subject to meeting relatively onerous criteria. For example, applicants must be able to prove a "real and substantive" connection with Ireland. This must be proven by a natural person applicant producing their valid Irish passport, or an Irish birth certificate. In the case of a body corporate, it must be proven by either incorporation within Ireland or, in the case of incorporation outside Ireland, where it has established a "place of business" within Ireland which it has registered under Part XI of the Companies Act 1963, or has established a "branch" in Ireland which it has registered pursuant to the European Communities (Branch Disclosures) Regulations 1993.
On a practical level this has meant that overseas companies wishing to buy a .ie domain will normally have to set up an Irish subsidiary to do so, although the registry may, at its sole discretion, accept other documentary evidence that an entity has a real and substantive connection with Ireland. The naming authority may refuse to register a name where the proposed name is, in its opinion, likely to lead to confusion.
Other restrictions on the registration of .ie domain names apply to words that are offensive or contrary to public policy or generally accepted principles of morality. They also apply to generic names, words or descriptions, or a combination of such, followed by .ie, which in the registry's view would be likely to be misleading if registered in the name of the applicant. Finally, certain restrictions apply to geographical names, words and descriptions.
The Electronic Commerce Act 2000 provides a statutory basis under which the relevant minister may proceed to regulate the area directly. However, as yet no such regulations have been issued under this act and it is believed that the existing position will be allowed to continue.
The Irish courts have indicated a willingness to consider granting injunctions for infringement of Irish trademarks where third parties appear to infringe an Irish trademark by registering domain names in the .com higher level domain. However, since the specific case in question was settled before the actual grant of an injunction, it remains to be seen whether they will grant such a remedy.
For further information on this topic please contact David Sanfey at A & L Goodbody by telephone (+353 1 649 2000) or by fax (+353 1 649 2649) or by e-mail ([email protected]).
The materials contained on this web site are for general information purposes only and are subject to the disclaimer.