Important Issues
Regulating E-commerce

Domain Name Regulation
Electronic Signatures
Personal Data Protection
Information Society Service Providers

Important Issues

The most important issues with regard to the legal regime covering e-commerce include regulation, self-regulation, harmonization of laws with EU practices and responsibility.

Due to the fast development of the Internet, not in terms of only the number of users but also the number of business operations needing specific regulation (eg, online gambling and financial activities), a considerable amount of regulation is already in place.

Some critics believe that the Internet should only be self-regulated; but what about conflicts between domain names and trademarks or names of famous individuals (eg, the Julia Roberts Case)? Perhaps self-regulation is not the best solution. In Spain the Spanish Association for E-commerce favours a Code of Ethics for processing personal data. This code was drafted by the most important internet companies and associations, and has the approval of the Spanish Agency for the Protection of Personal Data.

Furthermore, in order to avoid fragmentary legislation on internet issues, there is a need for a legal framework that is in line with the legislative frameworks in other EU countries.

Lastly, the question of who is responsible for controlling the content of websites and trade on the Internet must be considered. Is it possible to control these areas effectively?

Regulating E-commerce

The most significant regulations include both EU legislation and domestic legislation:

  • Act 34/2002 which implements the E-Commerce Directive (2000/31/EC) and which came into force on July 11 2002;

  • the proposed Financial Services Directive;

  • the E-commerce Bill;

  • the Retail Commerce Act;

  • Spanish law on distance selling;

  • the Users and Consumers Act;

  • the General Conditions Act;

  • the Electronic Signature Directive;

  • an order dated February 21 2000 relating to certification of electronic signatures; and

  • an order dated March 21 2000 concerning the Spanish system for assigning domain names.

Domain Name Regulation

On March 21 2000 the Ministry of Public Works and Telecommunications approved an order to regulate the assignment of internet domain names under Spain's country code ('.es'). This order proposes to establish a legal framework to avoid conflicts between famous trademarks and domain names. It is widely known that in the past cybersquatters have tried to obtain money in exchange for the ownership or transfer of domain names which were identical to famous trade names or trademarks.

The Internet Corporation for Assigned Names and Numbers (ICANN) recently enacted a dispute resolution policy to enable the owners of famous trademarks to fight cybersquatting (see However, the disputes that ICANN has addressed are unlikely to occur in Spain because the March 21 order guarantees protection for trademark holders (and others) who have a legitimate interest in preserving an exclusive right or interest from being used in bad faith as a domain name.

Only the following can be assigned as a regular domain name:

  • the complete name of an organization as it appears on the deed or constitutional document;

  • an acronym that is easily associable with the official name of the organization;

  • one or various commercial denominations or trademarks legally registered with the Spanish Trademark and Patent Office; and

  • the names of individuals (this came into effect on August 1 2000).

The order provides that no organization is allowed (i) to use an acronym that does not correspond with the name of the organization, or (ii) to incorporate substitutes or additions (eg, 'net' or the prefix 'inter') which have no relation with the official name of the organization.

If these rules are not followed the application for domain name registration will be denied. This is the case even when the proposed domain name corresponds with the complete name of the requesting organization or with one of its registered trademarks. For example, if the requested domain name contains characters that are not permitted, these must be substituted with similar characters (eg, 'ñ' with 'n' or 'ny'). If the domain name turns out to be generic or toponymic it will need to be qualified with the legal denomination of the organization (eg, 'sa', 'sl', 'sc', 'fundación' or 'fund', 'asociación' or 'asoc'), or in the case of a trademark with the number/issue of the international nomenclature classification for the products or services.

Electronic Signatures

The General Conditions Act (7/1998), dated April 13 2000, regulates the contents of contracts and agreements. Article 5 specifically refers to agreements undertaken on the Internet. Electronic contracts are generally valid and enforceable under Spanish law except for agreements that must be notarized. Therefore, most agreements concluded through the Internet are not subject to formal requirements (eg, the need to be in writing and on paper).

Nevertheless, Act 34/2002 introduces a new regulation with respect to the way that electronic agreements are concluded.

The most important modification refers to the point at which the agreement is deemed to be concluded, when the parties do not conclude the agreement at the same place or at the same time. This matter has been the focus of much debate. Act 34/2002 clarifies the different issues involved in determining the moment of completion. As a result, both the Civil Code and the Commerce Code were modified to regulate the question of when these agreements are concluded.

Pursuant to these modifications, an agreement is concluded when the offeror is in receipt of the consumer's acceptance. The agreement is then presumed to have been executed in the place where the offer was made.

However, problems arise because Spanish law requires the consumer to receive a receipt in writing. Although this requirement is considered superfluous and somewhat onerous for the companies involved with electronic agreements, the legislation strictly interprets a 'receipt' as a paper document. However, it is argued that the receipt can be sent to the consumer by electronic means (eg, email), and this form of communication could also be considered to be 'in writing'. This argument is based on the use of electronic signatures, which grants full efficacy as evidence to digital documents that are electronically signed. Where an advanced electronic signature has been used, it has the same legal value as a handwritten signature.

Even though electronic signatures are legally recognized, the Spanish Justice Department continues to follow the narrowest interpretation of the law, pursuant to which the offeror must provide the consumer with a hard copy of the agreement.

The Electronic Signature Act
Under the Electronic Signature Act (14/1999), an electronic signature must meet two basic requirements to have complete validity as evidence in court. First, the signature must be based on a valid digital certificate. Second, it must have been produced by a secure device for signature creation (ie, the full validity of the electronic signature depends on the technical accuracy of the devices used to produce it). It will be assumed that an advanced electronic signature meets all the necessary conditions if an authorized service provider issues a certificate stating that the document has been signed in accordance with an advanced electronic signature system. However, according to the act the courts may consider evidence that does not satisfy the two abovementioned criteria.

Before the Electronic Signature Act was approved, a resolution of the CNMV (Comisión Nacional del Mercado de Valores, which is the entity in charge of supervising securities) recognized the advantages of using electronic signatures and transmissions. Since the early 1990s it has been possible to file documents by electronic means. However, the CNMV has proposed a resolution that will further the recognition of electronic documents. The resolution proposes the following:

  • A system, called CIFRADOC, should be established that will provide protection for the sender and recipient (eg, ensure that no other user can access messages). These requirements would be fulfilled by the use of private and public keys.

  • The CNMV should keep documentation for an adequate period of time and avoid any interference or manipulation.

  • Electronically sent documents that can be authenticated should be valid in the eyes of the law.

  • Messages may be sent via the Internet, the Computer Bulletin System and any other system specified by the CNMV.

  • Any company or individual intending to make use of an authorized network system must file an application with the CNMV.

Spanish case law confirmed the validity of electronically signed digital documents even before the Electronic Signature Act was enacted. Two decisions in the Spanish courts admitted the use of digital signatures as evidence of payment.

Service providers
The Ministry of Public Works and Telecommunications issued an Order on Electronic Signatures on February 21 2000. The order aims to provide a suitable degree of security with regard to electronic documents, and to protect consumers. It sets out rules for service providers. The order defines a service provider as either (i) an individual or legal entity that delivers information to the public, or (ii) an individual or legal entity that delivers information to the public, and provides other services involving electronic signatures.

Personal Data Protection

Act 15/1999 regulates personal data issues. The legislation follows the spirit of the former act and also updates Spanish legislation in certain fields; for example, prior authorization from the Spanish Agency for the Protection of Personal Data is no longer needed for international data transfers.

The act specifies the cases in which the person responsible for processing personal data may authorize access to third parties (without this being considered as disclosure), for example when a third party renders a service to the person responsible for data. This contract should specify that the third party must process the data pursuant to given instructions and only use the data as provided by the contract. Also, the agreement should make the service provider liable for disclosures to non-authorized third parties. In order to prevent the subsequent possibility of data disclosure, the third party must destroy or return the data as soon as the service has been rendered.

Act 15/1999 provides the following requirements when dealing with personal data:

  • the data must be adequate, pertinent, and not excessive to the purposes for which it was collected;

  • The data must be explicit and legitimate;

  • The data must be accurate and up to date;

  • The relevant authority may cancel the data if it does not correspond to the objective for which it was collected, unless the data has historical, statistic or scientific value;

  • The data subject must be allowed access to the stored data; and

  • The data subject must authorize the collection and processing of personal data. Consent must be clear and cannot be implicit.

In certain circumstances the prior consent of the data subject is not necessary, such as:

  • when the data is collected by public administrations in the course of their administrative functions;

  • when the data has been collected by parties linked by a contractual, administrative or business relationship;

  • when the purpose of processing and collection is the protection of the subject (eg, data related to medical diagnosis); and

  • when the data is collected from sources available to third parties (eg, professional colleges).

International transfers
International data transfers are forbidden if the countries to which they are directed have a lower protection level than the European Union. Personal data may be transferred, with the approval of the Spanish Authority for the Protection of Personal Data, when:

  • the data is transferred pursuant to international conventions or treaties;

  • the data is transferred in order to provide judicial assistance;

  • the transfer is necessary for medical purposes;

  • it is a monetary transfer (governed by separate regulations);

  • the transfer is unambiguously authorized by the data subject;

  • the transfer forms part of a contract between the data subject and the other party;

  • the transfer is necessary for the public interest (eg, customs administration);

  • the data is needed to exercise rights before courts;

  • the data is transferred through a public registry; or

  • the transfer is made to an EU member state or a country with adequate and similar protection.

Information Society Service Providers

Act 34/2002 applies to information society service providers. A service provider is domiciled in Spain if the place where its administrative activity and business management is undertaken is Spain.

Act 34/2002 will only apply to information society service providers domiciled outside both the European Union and the European Economic Area if such providers offer services or products through a permanent establishment located in Spain.

The act also applies to service providers domiciled in another EU member state or the European Economic Area if the recipient of the services is domiciled in Spain and the services relate to certain items specified in the act.

Service providers' liability
Act 34/2002 outlines the obligations and liabilities of service providers carrying out intermediary activities such as transmission, mirroring and hosting services, and data location.

Providers are subject to liability if (i) they were aware of the existence of an illegal activity, and (ii) they failed to take appropriate steps or measures to remove illegal content.

These criteria are identical to those of the Digital Millennium Copyright Act and the E-commerce Directive.

Act 34/2002 also regulates the sending of unsolicited commercial offers or advertisements, known as 'spamming'.

The act establishes that any commercial communication must be clearly identifiable, specifying the natural or legal person who is sending the communication.

If spamming takes place through email or similar means, commercial offers must include the word 'advertisement' in the message.

Likewise, sending any promotional communications or advertisements by email or any other similar means is prohibited unless they have been previously requested or authorized by the recipients.

For further information on this topic please contact Gonzalo de Ulloa at Gómez-Acebo & Pombo by telephone (+34 91 582 9100) or by fax (+34 91 582 92 82) or by email ([email protected]).