The Law and Policy of Consumer Protection in Electronic Commerce – The New EFT Code of Conduct

 

Chris Connolly

 

 

Introduction

 

This paper summarises the key developments in the law and policy of consumer protection in electronic commerce. It is written from an Australian consumer’s perspective.

 

The paper attempts to provide an update on the Australian legal framework and a discussion of the key regulatory instruments - generally codes of conduct – chielfy the Revised EFT Code of Conduct.

 

Consumers and Technology

 

There is something of a divergence between business views on new technology and consumer views on new technology.

 

The business view concentrates on the benefits of new technology - the convenience, the speed, the ability to manage customer relationships in new ways, and of course the efficiency that new technology will deliver to work processes, thus reducing costs and increasing profits.

 

The consumer view is often less swept up in the hype of new technology, and includes concerns about privacy and security risks, whether or not new technology will be affordable to all consumers, whether or not traditional legal rights will be eroded, and the impact of new technology on traditional services.

 

If there is room for agreement it usually centres around the notion of trust and confidence. That is, consumers want to use technologies that they can trust, and business wants consumers to have the confidence to try new technology services and products.

 

How do we achieve trust and confidence in new technology electronic commerce like smart cards, online broking and Internet shopping?

 

Trust and Confidence

 

It appears that trust and confidence can be won in a number of ways. Some businesses simply offer money back guarantees for emerging technology. This is quite common in Internet shopping and some online payment systems in the United States.

 

For example, the Powells online bookstore provides the following guarantee:

 

“We're confident that our security system is the best in the business, and you should be, too. That's why we guarantee that every transaction you make at Powells.com will be 100% safe. If unauthorized charges are made to your card as a result of shopping at Powells.com, you will pay nothing.“

 

American Express also guarantees all transactions made online using an American Express credit card. However, they have recently announced that they will no longer provide American Express merchant facilities to online providers of adult content, as customers of those sites were disputing too many charges to their accounts.

 

Other businesses have decided to win trust and confidence by signing up to a ‘seal’ or ‘tick’ program. These seals appear on products or websites and provide certain assurances that the seal can only be displayed by organisations which adhere to strict privacy principles and security measures, and perhaps are audited on a regular basis against privacy and security criteria.

 

It is unclear how useful these seal and ticks are in practice. There may be no redress for consumers who choose to use sites carrying the seal but are later disappointed. The seals themselves are not backed up by privacy or consumer protection laws, especially in the United States. There is an argument that a failure to abide by the principles behind a seal could lead to a claim that the organisation had engaged in misleading or deceptive conduct, thereby breaching trade practices laws. However, this argument is untested and will be an impractical solution for many consumers.[1]

 

Some seal programs also provide a dispute resolution process, which is certainly preferable for consumers. However, the many inconsistencies between the various seal programs operating today mean that trust and confidence in electronic commerce as a whole has probably not been greatly helped by seal programs alone.

 

An additional option for improving trust and confidence in electronic commerce is to provide detailed information about the policies and procedures behind a product or service.

 

This approach to delivering ‘transparency’ is most useful when it is provided as a complement to some other form of guarantee or seal. Again, American Express has backed up its ‘guarantee’ with detailed information about its privacy policies, use of cookies, security arrangements and information processes. See:

http://www.americanexpress.com/corp/consumerinfo/consumerfaqs.asp

 

For a good Australian example of a complicated electronic commerce service which is trying to provide transparency to consumers, see the privacy policy and other documents at:

http://ninemsn.com.au/support/privacy.asp

 

Of course, an alternative way to provide trust and confidence in electronic commerce is to be able to point to a regulatory structure that provides appropriate privacy and consumer protections. It is this last option which is explored in this paper.

 

 

Case Study: Online Financial Services

 

It is useful at this point to consider one particular aspect of electronic commerce - online financial services - and examine what consumer issues arise and how they might be dealt with in law or self regulation.

 

Some specific consumer issues that arise for online financial services are:

 

Complexity of Products - Most online financial services are not as simple as checking the news or weather online, or buying a book or CD online. The products themselves are extremely complex - online mortgage applications, online banking, online broking, electronic payment systems etc. The complexity of these products raises consumer issues because the element of human interaction and explanation which usually accompanies these products may be missing.

 

Online Calculators - Many online financial services include access to online calculators. These tools are used to predict repayments, compare competing products, or estimate the future value of investments. Obviously these tools are extremely useful, but they lead to opportunities for abuse. Some sites have taken the opportunity to ‘fiddle’ with the calculators so that the results are always skewed towards particular products - those which will earn the promoters higher commissions. Other sites always seem to be out of date when comparing competitor’s products, when it is to the promoter’s advantage.

 

Independence - There has been a trend to re-brand certain financial services and products for the online marketplace, and an attempt to promote some online financial services as independent - especially where sites provide comparative tables or broking services. However, claims of independence can be misleading in many circumstances, and it is important to know who owns or backs financial services being offered online.

 

Disclosure - The jury is still out on whether or not disclosure can be effectively performed via electronic means. The key regulator - the Australian Securities and Investments Commission has taken the view that disclosure can be permitted online (rather than requiring face to face disclosure or the provision of hard copy documents), however it will keep a close watching brief on developments and issue specific guidance for some products.[2]

 

Naturally, a range of generic consumer issues in electronic commerce also apply to online financial services:

 

Identification - How can consumers identify the business? Does the ACN/ABN appear on the website? Is there a physical address? It is important for consumers to be confident that online stores and service providers are not shams, and that any consumer complaints can be followed up with a physical business. Consumers are also advised to check ACNs of some companies, especially those selling investment products.

 

Complaints - Does the service have a dispute resolution mechanism and belong to an external dispute resolution scheme? As we will see below, there is no generic dispute resolution scheme for Australian companies trading online. However, many telecommunications companies, Internet Service Providers and financial services organisations will belong to established dispute resolution schemes.

 

Privacy - Does the organisation provide protection of consumer’s personal information and have a privacy policy? A recent survey of the 100 most poplar websites visited by Australian consumers found that although 72% of the sites collected personal information, only 51% had a published privacy policy and only 28% of those sites notified their users about the specific personal information being collected.[3]

 

Access and cost - Can all consumers gain affordable access to this service? What impact will the provision of this service online have on traditional services? Many of these issues have now been rolled up in a debate about what has become known as the “digital divide”. A recent study by the National Centre for Social and Economic Modelling and the Communications Law Centre found that the main barriers to Internet access in Australia were education and income, and that geographical location was less relevant than previously thought. So affordable access will remain a key consumer issue in electronic commerce.[4]

 

Jurisdiction - What is the applicable law of any transactions entered into with this service? Will consumers be able to resolve a dispute with the service in their own jurisdiction? This issue may act as a significant deterrent for some consumers considering using electronic commerce involving a foreign party. It is discussed in detail later in this article.

 

Terms and Conditions - Are there plain language terms and conditions available and do they reduce or enhance the rights of consumers? Is there fine print that consumers should be concerned about?

 

The combination of these specific and generic issues shows how quickly consumer confidence and trust in electronic commerce can be eroded. Let’s now turn to the response to these issues in Australia.

 

Policy Framework

 

More by luck than planning Australia has developed a reasonably effective policy framework for dealing with consumer issues in electronic commerce. Despite the lack of overall coordination, several government agencies and regulators have developed (or are in the process of developing) effective tools for protecting consumers online. In the future, coordination of these activities may be better coordinated through the reinvigoration of the National Office of the Information Economy, which has recently been given a stronger role in this area.[5]

 

All electronic commerce can be broken down into three key consumer issues - the formation of a contract, the payment for goods or services, and the conduct of the organisation providing the good or service (both before and after a sale). Each of these issues are discussed below:

 

Contract

 

Any agreement to make an online purchase or use an electronic commerce service requires the formation of a contract. Contract law was initially developed around certain requirements for hard copy documents, writing and in some cases witnessing. These concepts are not so useful when the transaction is to take place via electronic communication between two parties who may never share the same physical location. A reasonable compromise in recent years has been for contracts to be entered into through the exchange of hard copy documents, and many electronic commerce services still require some element of hard copy documentation today.

 

However, for electronic commerce to take full advantage of the speed and convenience delivered by new communication technology, full electronic contract formation must be possible.

 

At the international level, UNCITRAL (The United Nations Commission on International Trade Law)  has developed model provisions for the formation of electronic contracts and the recognition of digital signatures[6]. This development is mirrored in Australia by the passage of the Commonwealth Electronic Transactions Act 2000 and the proposed development of mirror legislation in each state. These developments are not discussed in detail in this paper, but form the first step in ensuring consumer confidence in electronic commerce.

 

Payment

 

The second vital step in ensuring consumer confidence in electronic commerce is to  deal with consumer concerns arising from the use of electronic payments systems. This has been one area in which there is a definite degree of consumer hesitancy. While there are a proliferation of alternative online payment systems at the trial or early roll out stage, the use of credit cards has remained dominant.

 

Developments in Australia regarding the regulation of payment systems are discussed in detail in this paper, in the section below on the revision of the EFT Code of Conduct.

 

Conduct

 

Once you have formed a contract and sorted out the payment, the only outstanding issue is the conduct of the organisation providing the good or service. Will the goods actually arrive? Will advertising be misleading? What will happen to a consumers’ personal information?

 

In Australia, the issue of conduct is dealt with through the development of industry codes of conduct, such as the Internet Industry Association Code of Conduct[7]. There is an additional layer of guidance provided by the Model Code[8]. These developments are discussed in greater detail below.

 

Note that privacy is a specific consumer issue which arises within each of the above fields - contract, payment and conduct. Privacy is not discussed in detail in this paper.

 

With these three policy settings in place, consumers can be reasonable confident in engaging in electronic commerce. However, as we will see, the devil is in the detail. For payment systems and business conduct we have to rely heavily on codes of conduct, many of which are unsatisfactory, and some of which only exist in theory.

 

Australian Codes of Conduct

 

 

There are numerous codes of conduct which have some relevance to consumer protection in electronic commerce. Many of the specific industry codes, such as the Banking Code of Practice, will have electronic commerce implications in that particular niche. However, there are several codes of conduct which stand out as the most relevant:

 

¨      EFT Code of Conduct

¨      Smart Card Code of Conduct

¨      Telecommunications Codes

¨      Internet industry Association Code of Conduct

¨      Australian Direct Marketing Association (ADMA) Industry Code of Practice

¨      The federal Government’s ‘Model Code’

 

EFT Code of Conduct

 

The Electronic Funds Transfer Code of Conduct is the main regulatory instrument in Australia for providing consumer protection in electronic payment systems. However the existing Code is limited in scope because it contains a technology specific definition of which transactions are within the Code’s jurisdiction:

 

“Transactions intended to be initiated by an individual through an electronic terminal by the combined use of an EFT card and a personal identification number (PIN).”

 

The Code has therefore been the subject of a lengthy review, chaired by the Australian Securities and Investments Commission. The EFT Code review working group issued two discussion papers and a final version of the revised Code was published on April 1, 2001. All available at http://www.asic.gov.au

 

The revision of the Code was intended to ensure that an up to date, technology neutral Code will be in place for all electronic transfers of value. The review did not consider all of the issues faced in electronic payment systems, and specifically “set aside” certain contentious issues for separate discussion in order not to hold up the Code review further. The most notable of these issues set aside was the requirement for the disclosure of the costs of an electronic transaction at the point of sale.

 

The revised EFT Code covers any business to consumer electronic transfer of value. Business to business electronic transfers of value will be excluded where the product being used was intended primarily for business use.

 

An ‘electronic transfer of value’ includes coverage of credit cards in some circumstances, but not where a signature is obtained. It certainly include EFTPOS, ATM transactions, most Internet and telephone banking transactions, direct debits and direct transfers.

 

Stored value products, such as electronic purses and stored value smart cards, are now included in a new section of the Code - Part B.

 

Specific requirements of the Code include:

 

¨      Terms and conditions must be provided to consumers

¨      Records of transactions must be available to consumers.

¨      Audit trails must be kept.

¨      Privacy provisions mirroring the new federal privacy legislation for the private sector must be complied with, plus some specific EFT industry privacy guidelines.

¨      Complaint investigation and resolution procedures must be in place.

 

Of course, the most important section of the existing EFT Code was the section apportioning liability for unauthorised transactions. This section has been completely updated and revised, and includes coverage of:

 

¨      access methods

¨      security and disguise of codes

¨      contribution to loss

¨      fraud and negligence

¨      lost and stolen cards or devices

¨      system or equipment malfunction

 

While the EFT Code has always been voluntary, it has ain the past been a very successful and popular code with both business and consumers – and has achieved a very high rate of industry coverage. It will be interesting to see what proportion of new economy businesses sign up to the Code.

 

Smart Card Code

 

Despite the likely comprehensive coverage of electronic payment systems by a revised EFT Code of Conduct, there is one other Code which is relevant in this field. The Asia Pacific Smart Card Forum Code of Conduct was first envisaged in 1995 and published in 1997. It remains the world’s only comprehensive smart card code of conduct, and about 70 organisations have signed.

 

The Code serves three functions. The first is to provide a Code for members of the Smart Card Forum where no industry specific code is developed. The second is to provide minimum standards which must be observed in industry specific codes. The third is to provide the basis upon which Code Subscribers can use a ‘compliance logo’.

 

The Code is voluntary and is administered by a small code advisory committee

And a sanctions committee. It contains:

 

¨      Privacy provisions

¨      Security provisions

¨      Access and correction rights

¨      Special requirements for terms and conditions

¨      Provisions for loss and misuse of cards

¨      Provisions regarding advertising

¨      Complaints procedure

 

The role of the smart card code in electronic payment systems will be greatly reduced following the introduction of the revised EFT Code, which contains a specific section (Part B) covering stored value products, including stored value smart cards.

 

Telecommunications Codes

 

 

The Australian Communications Industry Forum is developing codes of conduct under the Telecommunications Legislation which may have some relevance for consumer protection in electronic commerce. The impact of telecommunications codes on electronic commerce varies, as many are designed only to cover the standard telephone service. In the future, telecommunications codes are likely to play a greater role in the regulation of electronic commerce services. 

 

Some specific codes which already have an impact on electronic commerce include:

¨      Protection of Personal Information of Customers of Telecommunications Providers

¨      Customer and Network Fault Management

¨      Customer Information on Prices, Terms and Conditions

 

More details of these Codes and the work of the Australian Communications Industry Forum can be found at:

http://www.acif.org.au

 

Internet industry Association Code of Conduct

 

While there was initially great emphasis placed on the development of a code of conduct by the Internet Industry Association (See “Internet Code of Conduct Takes Shape” – ILB Vol 1 Issue 2), there is still no code in place and interest in the development of a code beyond the issue of content regulation has waned.

 

The original draft Code of Conduct was split into two parts in response to the urgent need to register a code of conduct on content issues with the Australian Broadcasting Association following the passage of the Government’s amendments to the Broadcasting Services Act in 1999.

 

A code dealing with content issues was registered with the ABA. The remaining parts of the draft Code, dealing with issues like transactions, advertising, privacy and general complaints handling, remain on the IIA web site but have not progressed to a formal adoption stage. No infrastructure has been put in place to administer the Code or receive complaints.

 

There may be some renewed interest in developing and implementing the Code later in 2001 as a result of the passage of the Privacy (Private Sector Amendments) Act 2000. This legislation provides an opportunity to register a code orf conduct with the Privacy Commissioner to ensure compliance with the Act. It is unclear whether the IIA will again hive off part of the Code and just register the privacy sections – but it would seem to make more sense to implement a comprehensive Code, as the administration and complaints requirements under the Privacy Act will be substantial.

 

For the moment, the IIA Code must simply be considered a ‘virtual code’ having no impact on consumers beyond the few content related sections registered with the ABA. The Code is available at:

http://www.iia.net.au

 

Australian Direct Marketing Association (ADMA) Industry Code of Practice

 

The Australian Direct Marketing Association Industry Code of Practice came into effect in early 2000. It contains a short section on electronic commerce (section D) which repeats in general terms the text of the OECD Guidelines (discussed below).

 

The 400 plus members of ADMA are therefore bound by these Code requirements, and there is a full administration and sanctions procedure in place to deal with complaints.

 

The most notable provision of the Code is that it allows ADMA members to distribute unsolicited commercial email on an opt-out basis. Both the IIA Code (above) and the Model Code (below) require organisations to restrict the use of unsolicited commercial email to situations where the consumer has opted in, or is an existing customer. However, both those codes are ‘virtual codes’ with no enforcement mechanisms or administrative structure. For consumers it is unfortunate that the one code which provides the most structure and opportunity to have disputes resolved, provides the weakest consumer protection provisions in relation to spam.

 

The Code is available at:

http://www.adma.com.au

 

The Model Code

 

The Model Code is actually a document titled “Building Consumer Sovereignty in Electronic Commerce – A Best Practice Model for Business”. Earlier versions of the document included the words “model code” in the title, and that name has stuck. The Model Code is available at:

http://www.treasury.gov.au/ecommerce

 

The Model Code repeats (and in part develops) the text of the OECD Guidelines on Consumer Protection in Electronic Commerce discussed below.

 

It includes key provisions on:

 

Advertising – All Internet advertising must be clearly identifiable as advertising. This is an important development as it provides consumers with an opportunity to complain about buttons, services and searches etc. which are really just paid advertisements.

 

Spam – The Model Code requires consumer “opt-in” before unsolicited commercial email can be used.

 

The Model Code has no enforcement provisions, complaints process or administrative structure. It is yet to be adopted or implemented by any industry body. In these circumstances it is best seen as another ‘virtual code’ which gives some useful guidance to business, but to date provides no consumer protection.

 

International regimes

 

Although international regimes for consumer protection in electronic commerce have been slow to develop, there are two documents which have some impact today – the EU Directive and the OECD Guidelines.

 

EU Directive

 

The EU Directive is actually “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. Fortunately it is usually shortened to the EU Directive or the EU Privacy Directive.

 

The EU Directive sets out detailed privacy protections which must be implemented by European national governments. The Directive covers both the private sector and public organisations.

 

The Directive assumes wider international importance because of Article 25, which prohibits organisations from exporting personal information to jurisdictions without adequate privacy protection. This creates a ‘domino effect’ because attempts to protect the privacy of European citizens invariably lead to improved protections for other individuals. For example, attempts by the US to comply with the EU Directive have included provisions (for those organisations participating) that protect the privacy of all their employees and customers.

 

The strength of the EU Directive is the gradual rollout of strong privacy laws across the world in an effort to comply with the Directive, therefore ensuring uninterrupted trade in information with Europe. Its weakness is that it only covers privacy, and has little impact on other areas of consumer concern in electronic commerce such as advertising and transactions.

 

The full English text of the EU Directive is available at:

http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html

 

OECD Guidelines

 

The OECD published Guidelines on Consumer Protection in Electronic Commerce in early 2000. They have no direct enforcement powers but may be implemented in various ways at the national or local level.

 

In Australia the supposed implementation takes the form of the Model Code discussed above. This is an example of one of the main weaknesses of the OECD Guidelines, in that they may mislead consumers into believing that some form of consumer protection exists on line, when actual protection will only be provided by several more effective layers of regulation.

 

The Guidelines are a comprehensive set of consumer protection measures, with a strong emphasis on the provision of information to the consumer. They also set out the minimum requirements for the formation of a contract in electronic commerce.

 

One issue which was dealt with in earlier drafts of the Guidelines, but has subsequently been dropped because of a lack of consensus, is jurisdiction. The Guidelines now state that the jurisdiction will be decided according to the normal principles of international law. This has been a missed opportunity to settle the jurisdiction issue, and many OECD members had argued that the jurisdiction should be confirmed as the residency of the customer.

 

The OECD Guidelines are available at:

http://www.oecd.org

 

Conclusion

 

There is no doubt that Australia has put in place the correct general policy framework for protecting consumers who wish to participate in electronic commerce. The electronic transactions legislation, backed by the new EFT Code, added to a layer of industry codes covering the conduct of businesses is the right formula to improve consumer confidence.

 

The electronic transactions legislation still requires a concentrated effort by the states to ensure nationwide coverage, but is on the right track.

 

The new EFT code will have far reaching consequences - virtually all online services will be covered – and consumer protection in electronic payment systems will be assured.

 

However, the conduct of a business before or after you have paid for your goods has received plenty of attention, but is not the subject of any effective codes of conduct or other regulations. The international documents have a limited impact unless they are backed up by industry codes at the national level. The federal Government’s model Code initiative has been very useful as an education tool, but lacks the necessary teeth and structure to be considered a consumer protection instrument.

 

As we have seen, the missing piece in this puzzle is the development of effective industry codes which flesh out the details of consumer protection, and provide a mechanism for dealing with complaints. The Internet Industry Association came closest to delivering this solution, but now appears to have backed away from this goal. Other industry groups may have to step forward to fill this gap.