The Law and Policy of Consumer Protection in Electronic
Commerce – The New EFT Code of Conduct
Chris Connolly
Introduction
This paper summarises the key developments in the law and
policy of consumer protection in electronic commerce. It is written from an
Australian consumer’s perspective.
The paper attempts to provide an update on the Australian
legal framework and a discussion of the key regulatory instruments - generally
codes of conduct – chiefly the Revised EFT Code of Conduct.
Consumers and Technology
There is something of a divergence between business views
on new technology and consumer views on new technology.
The business view concentrates on the benefits of new
technology - the convenience, the speed, the ability to manage customer
relationships in new ways, and of course the efficiency that new technology
will deliver to work processes, thus reducing costs and increasing profits.
The consumer view is often less swept up in the hype of new
technology, and includes concerns about privacy and security risks, whether or
not new technology will be affordable to all consumers, whether or not
traditional legal rights will be eroded, and the impact of new technology on
traditional services.
If there is room for agreement it usually centres around
the notion of trust and confidence. That is, consumers want to use technologies
that they can trust, and business wants consumers to have the confidence to try
new technology services and products.
How do we achieve trust and confidence in new technology
electronic commerce like smart cards, online broking and Internet shopping?
Trust and Confidence
It appears that trust and confidence can be won in a number
of ways. Some businesses simply offer money back guarantees for emerging
technology. This is quite common in Internet shopping and some online payment
systems in the United States.
For example, the Powells online bookstore provides the
following guarantee:
“We're confident that our security system is the best in the business, and you should be, too. That's why we guarantee that every transaction you make at Powells.com will be 100% safe. If unauthorized charges are made to your card as a result of shopping at Powells.com, you will pay nothing.”
American Express also guarantees all transactions made
online using an American Express credit card. However, they have recently
announced that they will no longer provide American Express merchant facilities
to online providers of adult content, as customers of those sites were
disputing too many charges to their accounts.
Other businesses have decided to win trust and confidence
by signing up to a ‘seal’ or ‘tick’ program. These seals appear on products or
websites and provide certain assurances that the seal can only be displayed by
organisations which adhere to strict privacy principles and security measures,
and perhaps are audited on a regular basis against privacy and security
criteria.
It is unclear how useful these seals and ticks are in
practice. There may be no redress for consumers who choose to use sites
carrying the seal but are later disappointed. The seals themselves are not
backed up by privacy or consumer protection laws, especially in the United
States. There is an argument that a failure to abide by the principles behind a
seal could lead to a claim that the organisation had engaged in misleading or
deceptive conduct, thereby breaching trade practices laws. However, this
argument is untested and will be an impractical solution for many consumers.[1]
Some seal programs also provide a dispute resolution
process, which is certainly preferable for consumers. However, the many
inconsistencies between the various seal programs operating today mean that
trust and confidence in electronic commerce as a whole has probably not been
greatly helped by seal programs alone.
An additional option for improving trust and confidence in
electronic commerce is to provide detailed information about the policies and
procedures behind a product or service.
This approach to delivering ‘transparency’ is most useful
when it is provided as a complement to some other form of guarantee or seal.
Again, American Express has backed up its ‘guarantee’ with detailed information
about its privacy policies, use of cookies, security arrangements and
information processes. See:
http://www.americanexpress.com/corp/consumerinfo/consumerfaqs.asp
For a good Australian example of a complicated electronic
commerce service which is trying to provide transparency to consumers, see the
privacy policy and other documents at:
http://ninemsn.com.au/support/privacy.asp
Of course, an alternative way to provide trust and
confidence in electronic commerce is to be able to point to a regulatory
structure that provides appropriate privacy and consumer protections. It is
this last option which is explored in this paper.
Case Study: Online Financial Services
It is useful at this point to consider one particular
aspect of electronic commerce - online financial services - and examine what
consumer issues arise and how they might be dealt with in law or self
regulation.
Some specific consumer issues that arise for online
financial services are:
Complexity of Products - Most online financial services are not as simple as checking the news or weather
online, or buying a book or CD online. The products themselves are extremely
complex - online mortgage applications, online banking, online broking,
electronic payment systems etc. The complexity of these products raises
consumer issues because the element of human interaction and explanation which
usually accompanies these products may be missing.
Online Calculators - Many
online financial services include access to online calculators. These tools are
used to predict repayments, compare competing products, or estimate the future
value of investments. Obviously these tools are extremely useful, but they lead
to opportunities for abuse. Some sites have taken the opportunity to ‘fiddle’
with the calculators so that the results are always skewed towards particular
products - those which will earn the promoters higher commissions. Other sites
always seem to be out of date when comparing competitors’ products, when it is
to the promoter’s advantage.
Independence - There
has been a trend to re-brand certain financial services and products for the
online marketplace, and an attempt to promote some online financial services as
independent - especially where sites provide comparative tables or broking
services. However, claims of independence can be misleading in many
circumstances, and it is important to know who owns or backs financial services
being offered online.
Disclosure - The jury
is still out on whether or not disclosure can be effectively performed via
electronic means. The key regulator - the Australian Securities and Investments
Commission - has taken the view that disclosure can be permitted online (rather
than requiring face to face disclosure or the provision of hard copy
documents), however it will keep a close watching brief on developments and
issue specific guidance for some products.[2]
Naturally, a range of generic consumer issues in electronic
commerce also apply to online financial services:
Identification - How
can consumers identify the business? Does the ACN/ABN appear on the website? Is
there a physical address? It is important for consumers to be confident that
online stores and service providers are not shams, and that any consumer
complaints can be followed up with a physical business. Consumers are also
advised to check ACNs of some companies, especially those selling investment
products.
Complaints - Does the
service have a dispute resolution mechanism and belong to an external dispute
resolution scheme? As we will see below, there is no generic dispute resolution
scheme for Australian companies trading online. However, many
telecommunications companies, Internet Service Providers and financial services
organisations will belong to established dispute resolution schemes.
Privacy - Does the
organisation provide protection of consumers’ personal information and have a
privacy policy? A recent survey of the 100 most popular websites visited by
Australian consumers found that although 72% of the sites collected personal
information, only 51% had a published privacy policy and only 28% of those
sites notified their users about the specific personal information being
collected.[3]
Access and cost - Can
all consumers gain affordable access to this service? What impact will the
provision of this service online have on traditional services? Many of these
issues have now been rolled up in a debate about what has become known as the
“digital divide”. A recent study by the National Centre for Social and Economic
Modelling and the Communications Law Centre found that the main barriers to
Internet access in Australia were education and income, and that geographical
location was less relevant than previously thought. So affordable access will
remain a key consumer issue in electronic commerce.[4]
Jurisdiction - What is
the applicable law of any transactions entered into with this service? Will
consumers be able to resolve a dispute with the service in their own
jurisdiction? This issue may act as a significant deterrent for some consumers
considering using electronic commerce involving a foreign party. It is
discussed in detail later in this article.
Terms and Conditions -
Are there plain language terms and conditions available and do they reduce or
enhance the rights of consumers? Is there fine print that consumers should be
concerned about?
The combination of these specific and generic issues shows
how quickly consumer confidence and trust in electronic commerce can be eroded.
Let’s now turn to the response to these issues in Australia.
Policy Framework
More by luck than planning, Australia has developed a
reasonably effective policy framework for dealing with consumer issues in
electronic commerce. Despite the lack of overall coordination, several
government agencies and regulators have developed (or are in the process of
developing) effective tools for protecting consumers online. In the future,
these activities may be better coordinated through the
reinvigoration of the National Office of the Information Economy, which has
recently been given a stronger role in this area.[5]
All electronic commerce can be broken down into three key
consumer issues - the formation of a contract, the payment for
goods or services, and the conduct of the organisation providing the
good or service (both before and after a sale). Each of these issues is
discussed below:
Contract
Any agreement to make an online purchase or use an
electronic commerce service requires the formation of a contract. Contract law
was initially developed around certain requirements for hard copy documents,
writing and in some cases witnessing. These concepts are not so useful when the
transaction is to take place via electronic communication between two parties
who may never share the same physical location. A reasonable compromise in
recent years has been for contracts to be entered into through the exchange of
hard copy documents, and many electronic commerce services still require some
element of hard copy documentation today.
However, for electronic commerce to take full advantage of
the speed and convenience delivered by new communication technology, full
electronic contract formation must be possible.
At the international level, UNCITRAL (The United Nations Commission on International Trade
Law) has developed model provisions for the formation of electronic
contracts and the recognition of digital signatures[6]. This development
is mirrored in Australia by the passage of the Commonwealth Electronic
Transactions Act 2000 and the proposed development of mirror legislation in
each state. These developments are not discussed in detail in this paper, but
form the first step in ensuring consumer confidence in electronic commerce.
Payment
The second vital step in ensuring consumer confidence in
electronic commerce is to deal with
consumer concerns arising from the use of electronic payments systems. This has
been one area in which there is a definite degree of consumer hesitancy. While
there is a proliferation of alternative online payment systems at the trial or
early roll out stage, the use of credit cards has remained dominant.
Developments in Australia regarding the regulation of
payment systems are discussed in detail in this paper, in the section below on
the revision of the EFT Code of Conduct.
Conduct
Once you have formed a contract and sorted out the payment,
the only outstanding issue is the conduct of the organisation providing the
good or service. Will the goods actually arrive? Will advertising be
misleading? What will happen to a consumer’s personal information?
In Australia, the issue of conduct is dealt with through
the development of industry codes of conduct, such as the Internet Industry
Association Code of Conduct[7]. There is an
additional layer of guidance provided by the Model Code[8]. These
developments are discussed in greater detail below.
Note that privacy is a specific consumer issue which arises
within each of the above fields - contract, payment and conduct. Privacy is not
discussed in detail in this paper.
With these three policy settings in place, consumers can be
reasonably confident in engaging in electronic commerce. However, as we will
see, the devil is in the detail. For payment systems and business conduct we
have to rely heavily on codes of conduct, many of which are unsatisfactory, and
some of which only exist in theory.
There are numerous codes of conduct which have some
relevance to consumer protection in electronic commerce. Many of the specific
industry codes, such as the Banking Code of Practice, will have electronic
commerce implications in that particular niche. However, there are several
codes of conduct which stand out as the most relevant:
• EFT Code of Conduct
• Smart Card Code of Conduct
• Telecommunications Codes
• Internet Industry Association Code of Conduct
• Australian Direct Marketing Association (ADMA) Industry Code of Practice
• The federal Government’s ‘Model Code’
The Electronic Funds Transfer Code of Conduct is the main
regulatory instrument in Australia for providing consumer protection in
electronic payment systems. However the existing Code is limited in scope
because it contains a technology specific definition of which transactions are
within the Code’s jurisdiction:
“Transactions intended to be initiated by an individual
through an electronic terminal by the combined use of an EFT card and a
personal identification number (PIN).”
The Code has therefore been the subject of a lengthy
review, chaired by the Australian Securities and Investments Commission. The
EFT Code review working group issued two discussion papers and a final version
of the revised Code was published on April 1, 2001. All are available at http://www.asic.gov.au
The revision of the Code was intended to ensure that an up
to date, technology neutral Code will be in place for all electronic transfers
of value. The review did not consider all of the issues faced in electronic
payment systems, and specifically “set aside” certain contentious issues for
separate discussion in order not to hold up the Code review further. The most
notable of these issues set aside was the requirement for the disclosure of the
costs of an electronic transaction at the point of sale.
The revised EFT Code covers any business to consumer
electronic transfer of value. Business to business electronic transfers of
value will be excluded where the product being used was intended primarily for
business use.
An ‘electronic transfer of value’ includes coverage of
credit cards in some circumstances, but not where a signature is obtained. It
certainly includes EFTPOS, ATM transactions, most Internet and telephone banking
transactions, direct debits and direct transfers.
Stored value products, such as electronic purses and stored
value smart cards, are now included in a new section of the Code - Part B.
Specific requirements of the Code include:
• Terms and conditions must be provided to consumers.
• Records of transactions must be available to consumers.
• Audit trails must be kept.
• Privacy provisions mirroring the new federal privacy legislation for the private sector must be complied with, plus some specific EFT industry privacy guidelines.
• Complaint investigation and resolution procedures must be in place.
Of course, the most important section of the existing EFT
Code was the section apportioning liability for unauthorised transactions. This
section has been completely updated and revised, and includes coverage of:
• access methods
• security and disguise of codes
• contribution to loss
• fraud and negligence
• lost and stolen cards or devices
• system or equipment malfunction
While the EFT Code has always been voluntary, it has in
the past been a very successful and popular code with both business and
consumers – and has achieved a very high rate of industry coverage. It will be
interesting to see what proportion of new economy businesses sign up to the
Code.
Despite the likely comprehensive coverage of electronic
payment systems by a revised EFT Code of Conduct, there is one other Code which
is relevant in this field. The Asia Pacific Smart Card Forum Code of Conduct
was first envisaged in 1995 and published in 1997. It remains the world’s only
comprehensive smart card code of conduct, and about 70 organisations have
signed.
The Code serves three functions. The first is to provide a
Code for members of the Smart Card Forum where no industry specific code is
developed. The second is to provide minimum standards which must be observed in
industry specific codes. The third is to provide the basis upon which Code
Subscribers can use a ‘compliance logo’.
The Code is voluntary and is administered by a small code
advisory committee and a sanctions committee. It contains:
• Privacy provisions
• Security provisions
• Access and correction rights
• Special requirements for terms and conditions
• Provisions for loss and misuse of cards
• Provisions regarding advertising
• Complaints procedure
The role of the smart card code in electronic payment
systems will be greatly reduced following the introduction of the revised EFT
Code, which contains a specific section (Part B) covering stored value
products, including stored value smart cards.
The Australian Communications Industry Forum is developing
codes of conduct under the Telecommunications Legislation which may have some
relevance for consumer protection in electronic commerce. The impact of
telecommunications codes on electronic commerce varies, as many are designed
only to cover the standard telephone service. In the future, telecommunications
codes are likely to play a greater role in the regulation of electronic
commerce services.
Some specific codes which already have an impact on
electronic commerce include:
• Protection of Personal Information of Customers of Telecommunications Providers
• Customer and Network Fault Management
• Customer Information on Prices, Terms and Conditions
More details of these Codes and the work of the Australian Communications Industry Forum can be found at:
http://www.acif.org.au
While there was initially great emphasis placed on the
development of a code of conduct by the Internet Industry Association (See
“Internet Code of Conduct Takes Shape” – ILB Vol 1 Issue 2), there is still no
code in place and interest in the development of a code beyond the issue of
content regulation has waned.
The original draft Code of Conduct was split into two parts
in response to the urgent need to register a code of conduct on content issues
with the Australian Broadcasting Association following the passage of the
Government’s amendments to the Broadcasting Services Act in 1999.
A code dealing with content issues was registered with the
ABA. The remaining parts of the draft Code, dealing with issues like
transactions, advertising, privacy and general complaints handling, remain on
the IIA web site but have not progressed to a formal adoption stage. No
infrastructure has been put in place to administer the Code or receive
complaints.
There may be some renewed interest in developing and
implementing the Code later in 2001 as a result of the passage of the Privacy
(Private Sector Amendments) Act 2000. This legislation provides an opportunity
to register a code of conduct with the Privacy Commissioner to ensure
compliance with the Act. It is unclear whether the IIA will again hive off part
of the Code and just register the privacy sections – but it would seem to make
more sense to implement a comprehensive Code, as the administration and
complaints requirements under the Privacy Act will be substantial.
For the moment, the IIA Code must simply be considered a
‘virtual code’ having no impact on consumers beyond the few content related
sections registered with the ABA. The Code is available at:
http://www.iia.net.au
The Australian Direct Marketing Association Industry Code
of Practice came into effect in early 2000. It contains a short section on
electronic commerce (section D) which repeats in general terms the text of the
OECD Guidelines (discussed below).
The 400 plus members of ADMA are therefore bound by these
Code requirements, and there is a full administration and sanctions procedure
in place to deal with complaints.
The most notable provision of the Code is that it allows
ADMA members to distribute unsolicited commercial email on an opt-out basis.
Both the IIA Code (above) and the Model Code (below) require organisations to
restrict the use of unsolicited commercial email to situations where the
consumer has opted in, or is an existing customer. However, both those codes
are ‘virtual codes’ with no enforcement mechanisms or administrative structure.
For consumers it is unfortunate that the one code which provides the most
structure and opportunity to have disputes resolved, provides the weakest
consumer protection provisions in relation to spam.
The Code is available at:
http://www.adma.com.au
The Model Code is actually a document titled “Building
Consumer Sovereignty in Electronic Commerce – A Best Practice Model for
Business”. Earlier versions of the document included the words “model code” in
the title, and that name has stuck. The Model Code is available at:
http://www.treasury.gov.au/ecommerce
The Model Code repeats (and in part develops) the text of
the OECD Guidelines on Consumer Protection in Electronic Commerce discussed
below.
It includes key provisions on:
Advertising – All
Internet advertising must be clearly identifiable as advertising. This is an
important development as it provides consumers with an opportunity to complain
about buttons, services and searches etc. which are really just paid
advertisements.
Spam – The Model Code
requires consumer “opt-in” before unsolicited commercial email can be used.
The Model Code has no enforcement provisions, complaints
process or administrative structure. It is yet to be adopted or implemented by
any industry body. In these circumstances it is best seen as another ‘virtual
code’ which gives some useful guidance to business, but to date provides no
consumer protection.
Although international regimes for consumer protection in
electronic commerce have been slow to develop, there are two documents which
have some impact today – the EU Directive and the OECD Guidelines.
The EU Directive is actually “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. Fortunately it is usually shortened to the EU Directive or the EU Privacy Directive.
The EU Directive sets out detailed privacy protections which must be implemented by European national governments. The Directive covers both the private sector and public organisations.
The Directive assumes wider international importance because of Article 25, which prohibits organisations from exporting personal information to jurisdictions without adequate privacy protection. This creates a ‘domino effect’ because attempts to protect the privacy of European citizens invariably lead to improved protections for other individuals. For example, attempts by the US to comply with the EU Directive have included provisions (for those organisations participating) that protect the privacy of all their employees and customers.
The strength of the EU Directive is the gradual rollout of strong privacy laws across the world in an effort to comply with the Directive, therefore ensuring uninterrupted trade in information with Europe. Its weakness is that it only covers privacy, and has little impact on other areas of consumer concern in electronic commerce such as advertising and transactions.
The full English
text of the EU Directive is available at:
http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
The OECD published Guidelines on Consumer Protection in
Electronic Commerce in early 2000. They have no direct enforcement powers but
may be implemented in various ways at the national or local level.
In Australia the supposed implementation takes the form of
the Model Code discussed above. This is an example of one of the main
weaknesses of the OECD Guidelines, in that they may mislead consumers into
believing that some form of consumer protection exists online, when actual
protection will only be provided by several more effective layers of
regulation.
The Guidelines are a comprehensive set of consumer
protection measures, with a strong emphasis on the provision of information to
the consumer. They also set out the minimum requirements for the formation of a
contract in electronic commerce.
One issue which was dealt with in earlier drafts of the
Guidelines, but has subsequently been dropped because of a lack of consensus,
is jurisdiction. The Guidelines now state that the jurisdiction will be decided
according to the normal principles of international law. This has been a missed
opportunity to settle the jurisdiction issue, and many OECD members had argued
that the jurisdiction should be confirmed as the residency of the customer.
The OECD Guidelines are available at:
http://www.oecd.org
There is no doubt that Australia has put in place the
correct general policy framework for protecting consumers who wish to
participate in electronic commerce. The electronic transactions legislation,
backed by the new EFT Code, added to a layer of industry codes covering the
conduct of businesses is the right formula to improve consumer confidence.
The electronic transactions legislation still requires a
concentrated effort by the states to ensure nationwide coverage, but is on the
right track.
The new EFT code will have far reaching consequences -
virtually all online services will be covered – and consumer protection in
electronic payment systems will be assured.
However, the conduct of a business before or after you have
paid for your goods has received plenty of attention, but is not the subject of
any effective codes of conduct or other regulations. The international
documents have a limited impact unless they are backed up by industry codes at
the national level. The federal Government’s Model Code initiative has been
very useful as an education tool, but lacks the necessary teeth and structure
to be considered a consumer protection instrument.
As we have seen, the missing piece in this puzzle is the development
of effective industry codes which flesh out the details of consumer protection,
and provide a mechanism for dealing with complaints. The Internet Industry
Association came closest to delivering this solution, but now appears to have
backed away from this goal. Other industry groups may have to step forward to
fill this gap.
[1] “From Privacy to Portals: Implications for Seals of Assurance”, Allan Asher Deputy Chairperson ACCC, 24 November 1999. http://www.accc.gov.au/speeches/fs-speeches.htm
[2] For example, guidance is available for the disclosure requirements if superannuation is to be sold online: http://www.asic.gov.au.
[3] Anderson Legal / Arthur Anderson Internet Privacy Survey 2000 http://www.andersonlegal.com
[4] http://www.natsem.canberra.edu.au
[5] http://www.noie.gov.au
[6] http://www.uncitral.org
[7] http://www.iia.net.au
[8] The Model Code is actually titled “Building Consumer Sovereignty in Electronic Commerce – A Best Practice Model for Business”. http://www.treasury.gov.au/ecommerce