The Role of Self-Regulation in Electronic Commerce

EURIM Briefing No. 25

March 1999

The Parliament/Industry group

concerned with the politics

of the Information Society.

The Role of Self-Regulation in Electronic Commerce

Introduction

The draft directive on "certain legal aspects of electronic commerce in the internal market" calls for a system of self-regulation as the most effective way to achieve a suitably controlled environment within which electronic commerce can thrive in the Single Market. This Briefing examines the issues of "governance" and their implications for the Internet - the principal vehicle today for consumer electronic shopping. Some of the issues are equally important for corporate intranets, which carry much of the business-to-business electronic commerce traffic.

In view of the relative immaturity of the 'Internet industry' it is unlikely that legislation is appropriate at the present time except where there is a pressing need for consumer protection or protection of rights (such as intellectual property) and personal data.

Some form of control is desirable to secure user confidence and safeguard consumers. Broadly based legislation is, however, too cumbersome and inflexible to meet the needs of a multi-faceted, but still immature, global industry, whose underlying technology will be subject to rapid change.

EURIM believes that self-regulation, despite some disadvantages, is the most appropriate form of governance for electronic commerce at the present time. It can apply to a global community in a way that is not possible for any national legislation. While primarily based on compliance with guidelines or formal Codes of Conduct, self-regulation may also be used within statutory frameworks which set out principles and establish penalties for non-compliance with approved codes.

There appears to be wide support for self-regulation, not just within the European Union: At the Ottawa Conference on Electronic Commerce in October 1998, the OECD declared a "need to create and implement trustworthy technologies and policies ... to develop underlying regulations for electronic commerce, and to develop codes of practices, standards, and technology tools necessary for 'self-regulation' and effective user protection. Government intervention, when required, should be proportionate, transparent, consistent and predictable, as well as technologically neutral."

The Financial Times on 1st December 1998, ("Electronic Commerce: White House backs Self-Regulation) quoted President Clinton thus: "The Internet should be a free trade zone with incentives for competition, protection for consumers and children, supervised not by governments, but by people who use the Internet every day,"

Recommendations

At both European and Member State level, governments and officials should give ideological and practical support to initiatives designed to develop effective self-regulatory regimes for electronic commerce.

This support (including financial aid in some cases) should be directed towards the creation of guidelines and codes of conduct, with co-operation and standardisation across industry, user community and state boundaries where appropriate and practical.

Processes are required to ensure that self-regulatory structures are: publicly accountable; compliant with competition law; fit for purpose (including enforcement procedures); and that there is a strong incentive for all providers of relevant services to participate.

Regulation by legislation should be a last resort and only where there are clear and pressing needs (for example to protect consumers or prevent content piracy) that cannot be achieved through self-regulation alone. Any such legislation should be equivalent to "off-line" law in that area.

Why Regulate?

Existing regulatory requirements do not meet current needs. The successful evolution of the public Internet as a communications medium so far has largely been due to an original culture of common consent (i.e. commonly accepted set of rules and behaviour). However, the Internet has grown beyond its original close-knit community. Demands are being made for stronger measures to be taken to prevent, as far as possible, harmful exploitation. More formal methods are required, but a balance needs to be achieved between over-constraint (in the form of legislation) which would seriously affect one of its main advantages (fast, easy, global communication), and the original 'no restraint' position.

Regulation must take account of rapid, dynamic technological change, the difficulty of achieving technological neutrality and the practical realities of global networks carrying material created under different jurisdictions to those in which it may be accessed or through which it may be routed and/or stored.

The slowness of legislative processes is compounded by the need for global agreement and subsequent national implementation. The global Internet is complex and interdependent and by its nature is said to make physical territorial boundaries meaningless.

Apart from the difficulty of achievement, a single Law is unlikely to be appropriate to all the different sectors involved in the many aspects of electronic commerce, nor to the requirements of all the differing cultures represented.

In the exceptional areas where legislation is considered essential, care should be taken to see that, as far as is possible, "on-line" regulations are equivalent to those "off-line"

Self-regulation has a number of potential advantages. In particular:

it is dynamic, being able to evolve according to need;

it is adaptive, being less tightly constrained than is legislation;

it is faster to implement than legislation;

it can be made sector-specific based on common underlying principles;

it can apply to a global community across national jurisdictions;

it is easier to enforce within the 'club’;

industry involvement may make self-regulation more relevant;

it can respond to market forces;

the burden of cost falls on those with commercial interest and saves government funds.

There are also, inevitably, potential disadvantages, amongst which are:

the problem of enforcement, if no statutory backing exists;

unless participation is obligatory, regulatory measures affect only those disinclined to flout the rules;

the "self" being regulated may not be accountable to any independent body;

procedures can fall short of standards that would be set by Courts (eg for civil liberties);

the burden of cost of regulation may discourage participants and/or fall on the consumer;

inconsistencies between groups are possible;

levels of intent may vary;

failure to secure acceptance through inadequate consumer involvement;

the procedures can be used to harm competitors and create barriers to entry.

Achieving Self-Regulation

Traditional methods of self regulation are:

common consent (an implicitly understood, and unwritten, set of rules agreed between parties)

guidelines

codes of conduct/practice/charters (written statements)

self-regulation within a statutory framework

contract terms (e.g. Internet service providers' contracts)

Guidelines are recommendations made by specific organisations for self-regulatory rules. They are not obligatory but may be a condition for regulatory recognition of a self-regulatory regime, thereby giving authority and credence to the regime. For example, "It is intended that compliance with the ICC recommended contract conditions (guidelines) should be accepted by the Data Protection Registrar as evidence of satisfactory control over the export of personal data to countries whose data protection regime is not considered adequate."

Codes of Conduct are written statements which announce the position of a particular organisation (or professional body) and have two objectives. The first establishes a set of rules for the members of the organisation (what is expected of them), and the second establishes a standard against which outside parties can assess the organisation concerned (what others can expect of them).

Self-regulation within a statutory framework

establishes a legal framework whereby individuals and organisations engaging in defined activities are required to conform to a 'recognised' code of conduct. The framework establishes guidelines and procedures for obtaining recognition.

Issues Raised by Self-Regulation
Infrastructure

Three US players "carry" over 50% of Internet traffic (however measured) world-wide and "control" over 90% of the desktop access market. The corporate intranet market is similarly dominated by only six groups of players. Over 80% of the traffic which requires switching between ISPs is routed through only five "peering points" (within USA), the balance is switched direct between a small number of ISPs (US owned). Over 80% of Intra-EU Internet traffic is switched between ISPs in the US (intra-EU cross-border leased lines are commonly more expensive than transatlantic leased lines and EU peering points also lack most of the necessary transfer facilities).

Self-regulation in markets dominated by a handful of players needs to be closely monitored by vigorous competition and consumer protection authorities. As said by the UK Foresight panel, "Regulatory focus should be directed at the understanding of the dynamics of the businesses and the implementation of any necessary measure to avoid the abuse of a dominant position.".

Privacy and Data Management

The First Report of the US Government Working Group on Electronic Commerce quotes an opinion poll showing that "81 per cent of American Internet users have significant concerns about threats to their personal privacy while on-line. Of computer users who say they are not likely to access the Internet in the next year, greater privacy protection is the factor that would most likely convince them to do so"

The US has proposed a voluntary privacy regime, but the EU requires its member states to permit transfers of personal data only to countries that have adequate legal protection. A Financial Times report of 1 December 1998 warned that: "This approach is quite different from the US self-regulatory approach and could disrupt personal information flows between the US and EU member countries," This shows the problems of adopting one extreme or the other.

The availability of the Internet, combined with the explosive growth of computing power, enables massive volumes of information to be assembled and processed. This has a great potential benefit for citizens and consumers, but carries with it an increased threat that personal information will be abused. This is an area where self regulation needs to be strengthened by statutory backing, to ensure that corporate multi-national systems operate to an adequate standard in every country in which they are accessed.

Security (data, financial exchange)

The principal components of security that affect the self-regulatory regimes are those of Confidentiality, Integrity and Authentication. All these components may be achieved by the use of encryption techniques, and each can be achieved independently of the others. There is great debate over the degree to which a licensing authority for a self-regulatory regime needs oversight of a) the mechanisms in use; b) compliance with stated and/or good practice and c) access to content for law enforcement or crime prevention.

There seems widespread agreement that authentication by means of electronic signatures can stand alone from other mechanisms. It must, however, be subject to scrutiny for compliance with standards and adoption of good practice. There are issues of legal status and mutual recognition (between systems as well as across jurisdictional boundaries). Similar remarks apply to integrity mechanisms.

The extent to which Confidentiality mechanisms (content encryption) need to be accessible via legal warrant is, however, the subject of fierce debate in many States.

Intellectual Property Rights (copyright)

The EC has already produced a proposed draft directive on the protection of copyright and related rights in the information society, which attempted EU harmonisation of these rights. It is unclear, however, how this directive and the existing copyright laws of Members States will offer protectection against the wholesale pirating of copyright material over networks in general and the Internet in particular.

Therefore, until such time as there are enforceable, legal measures to protect copyright material, and thus a rightholder’s/ author’s right of remuneration, self-regulation (eg by ISPs’ Codes of Practice) and, indeed, self-protection (eg by encryption, scrambling, tattooing, watermarking of copyright material) appear the only realistic means of protection at present.

Illegal/harmful content

At the level of the individual user, self-regulation is often discussed in the context of harmful content on the Internet (usually with reference to pornography, but also to racial incitement). Definitions of what is harmful vary between cultures and nations. EURIM Briefing 19 (July 97) The Regulation of Content on the Internet, concluded that self-regulation was currently the best way forward. The Foresight Information Technology, Electronics & Communications Panel (August 1998, Dept. of Trade and Industry) came to the same conclusion.

Making Self-Regulation Effective

To be effective self-regulation needs to address the disadvantages mentioned above, so that:

groups are given incentives to set up procedures to meet agreed needs and these are implemented and monitored;

there is co-operation and shared processes across groups serving those with overlapping interests;

there are strong incentives for all relevant players to participate;

enforcement procedures are put in place ;

user interests are properly represented.

Organisations providing self-regulation should be publicly accountable, so some form of external monitoring will be needed. This should check that they operate to appropriate standards and that suitable procedures exist for complaints and redress, with a requirement to take evidence from outside the self-regulating organisation. Monitoring should also watch out for attempts to use self- regulation as a weapon against existing competitors not included in the "club" or to prevent newcomers entering the market sector.

Competition between self-regulators would, however, have the benefit of forcing improvements in the process of self-regulation.

The use of technology as a means of enforcement is advocated by the European Commission and most western governments. In particular, PICS (Platform for Internet Content Selection), which is a rating software that facilitates filtering or blocking by appropriate software, can be used by groups or individuals to apply standards to web pages

An important development is the potential use of Internet addressing protocols to identify the location of the sender or control the routing/destination of Internet messages. It is therefore possible to screen enquiries received at web-sites to ensure that the responses are compliant with enquirers’ local regulations. This could, however, incur significant additional costs for site authors and operators.

The requirements for effective self-regulation can be met with support (both ideological and practical) from government and authoritative bodies (e.g. EU) in the form of: guidelines; standards; support to regulatory bodies (e.g. IWF) - possibly giving legal status; financial help and incentives, including set-up costs and on-going financial assistance.

For self-regulation to be successful, however, that support must be robust and include attention to the co-ordination of enforcement procedures across regulatory boundaries.

Copyright EURIM 1999. All Rights Reserved. For written permission to reproduce any part of this publication please contact the Administrative Secretary, EURIM, 5 Kingfisher House, New Mill Road, Orpington, Kent BR5 3QG. This will normally be given provided EURIM is fully credited. Whilst EURIM has tried to ensure the accuracy of this publication, it cannot accept responsibility for any errors, omissions, mis-statements or mistakes.

EURIM Home Page

Publications Index Page