Examination of Witness (Questions 1080
WEDNESDAY 7 JUNE 2000
1080. Are you aware of that? I am sure you are.
(Mr Wilderspin) We are pretty well aware of it.
1081. You said there was another point you wanted
(Mr Wilderspin) Yes, there was just one point which
I did not perhaps make. Another of the arguments which was put
forward by industry was this question of possibly harming competitivity
in relation to the United States. We have made a study of the
rules in the United States. The intellectual process is somewhat
different. The rule which is contained in this new Article 15
corresponds very much to the approach in the United States. The
basic approach of the Brussels Convention in our regulation is
that a defendant is sued in the country where they are resident,
subject to certain exceptions, including protective heads of jurisdictions
for consumers. Whereas in America the basic approach is that all
states are free to define their own jurisdictional rules subject
to the due process clause in the Constitution which requires what
are called "minimum contacts". So the jurisprudence
in the United States suggests that doing business via a website
which is accessible and available for making contracts in another
state can found jurisdiction in that state where the consumer,
or business for that matter, is resident. So the long and short
of it is that Article 15 does correspond pretty much to what is
called the Zippo Continuum test. There should not be any harming
(Mr Wilderspin) I am Michael Wilderspin and I work
in Justice and Home Affairs also.
1082. If I can come to the question of abuse
on the internet. It is coming in all sorts of forms, hacking of
websites and servers, distribution of things, look at the damage
caused by the Love Bug, each of these activities has a potential
to reduce the confidence of the consumer of e-commerce. How will
the EU address these concerns? Is it a criminal offence in all
EU States to spread viruses? Are the penalties in all EU States
sufficient to deter this?
(Ms Rouchaud) I think in your question there are two
aspects, one which is the more general one and one which is more
focused on criminal law. Your question could be addressed via
this civil aspect of justice. I think that the Brussels Regulation
to a certain extent can help in giving some jurisdictional rules
for damages so we have an article which deals with that. Even
the question of applicable law can be useful for dealing with
this question and maybe Michael Wilderspin can say a word about
this question of applicable law to e-commerce delict because he
is working especially on this issue. Maybe Mr Jones can answer
more on the criminal side. Michael, do you want to say something
about applicable law?
(Mr Wilderspin) Yes. As my colleague has said, the
Brussels Convention at present and the Regulation in future does
have a specific head of jurisdiction which allows actions to be
brought in the place where damage is suffered in the case of a
cross-border delict or tort. If there is transmission say of defamatory
material in one country and it is received or broadcast in another
country this comes under jurisdiction in the country where the
material is received. This can provide some form of deterrent.
As a complement to the Brussels Regulation work is going on at
present on an instrument on applicable law, that is to say the
law which will be applied by the court which has international
jurisdiction in the case of cross border delicts and torts. Obviously
this has received a certain amount of topicality in the context
of electronic commerce and modern means of communication. It is
extremely important to get a balance between providing sufficient
safeguards in case of abuse and infringement of protected interests
but, on the other hand, not discouraging use of electronic commerce
by stigmatising in one country actions which may be perfectly
lawful in the country where they are actually committed. The Commission
at present is planning to bring out a Green Paper, which I hope
will be adopted fairly shortly, the purpose of which will actually
be to consult with interested parties. It will pose a number of
questionssome general and some specifically related to
the question of e-commercein which this particular problem
will obviously feature fairly heavily. Things are at a fairly
embryonic stage at present. A certain amount of discussion did
go on on this initiative, which is called Rome II in fact, amongst
the Member States but now it is a first pillar matter the Commission
is taking over and starting from scratch again, partly to avoid
any criticism that there has not been proper consultation there.
1083. I do not know if you are conversant with
what is happening with the Regulation of Investigatory Powers
Bill in the United Kingdom?
(Mr Jones) Reasonably well. Shall I deal with this?
1084. It is all within the same parameter here.
We saw the Minister, at least I was part of the group which saw
the Minister two days ago, and he was being closely questioned
from a whole variety of standpoints. At the one end we have people
representing, for example, the interests of the RSPCC that represents
children saying it is not tough enough but conceivably you could
have paedophiles who under this new law, if it becomes law, could
be sentenced for up to two years, whereas if separately they have
been identified as a paedophile breaking other criminal acts they
could be imprisoned for much longer periods. They are saying that
the law is not tough enough. On the other hand, we have a great
outcry both from the industry about the imposition that it may
put on business, extra burdens on them that may discourage the
growth of e-commerce business in the United Kingdom and so on,
and they want it watering down. For all the reasons that you will
understand relating to terrorism and all the rest of it the Government
are maintaining that they need to have access. What happens in
the rest of Europe if people have regulations as tough as this?
The view that is being put around is that except for Russia nobody
has anything quite so tough as what they are proposing to put
in place. They emphatically deny that is not the case but they
say that a lot of people still have open minds in Europe on what
they want to do and it is quite conceivable that what happens
in the United Kingdom may be seen as a bit of a leader for other
countries to go down similar routes. Could you comment on that?
Do you think that is the case?
(Mr Jones) Can I just clarify exactly where your concerns
lie because the Bill covers both interception and encryption.
You are talking about the power to require someone to give up
their encryption key, is that correct?
1085. That is it, yes. I was linking it with
the Green Paper to see whether you are starting to move into this
area and whether you are starting to touch it.
(Mr Wilderspin) I will come back to this.
(Mr Jones) As far as the position in other Member
States is concerned, I think in law enforcement communities in
other Member States there is a lot of concern about encryption.
I think it is fair to say that quite a few Member States still
have yet to decide what they are going to do about the problem
of encryption. The Bill, as I understand it, does not impose a
key escrow requirement, which was the big issue that used to mean
that you had law enforcement on one side and industry on the other.
That seems to have settled down now in Europe and most people
tend to recognise that the key escrow requirement is no longer
an appropriate way to solve this problem. In terms of the Commission's
position, it is fair to say that we have yet to consider in detail
whether there is a need for the criminal law provisions that the
United Kingdom has introduced on encryption specifically. More
generally, if I could just go back to the previous question, question
five, there you are talking about criminal offences in Member
States to spread viruses. The Communication will look at this
issue and I think it is fair to say that there are quite wide
differences between Member States in the way in which they have
criminalised offences such as hacking and sending viruses. The
penalties do differ quite considerably. We are looking at this
issue at the moment and the Cybercrime Convention in the Council
of Europe will address this issue partly, but I think the Commission
believes that within the EU we can go a bit deeper in approximating
laws in this area and that is something we will be considering
over the next few months. Going back to your question about encryption,
you asked whether these powers conflict with the Telecommunications
Data Protection Directive, is that 97/66?
(Mr Jones) I am not sure how a power to require someone
to give up a key would conflict with that because the Directive
is obviously on First Pillar matters and does contain fairly broad
exemptions for public security, investigation of crime, etc. Obviously
there is a need when Member States are introducing legislation
such as this for there to be proportionality. I think the Commission
would be concerned if there were going to be substantive burdens
on industry as a result of this. I am not aware of any representations
the Commission has on this particular issue from industry although
I should say that it is DG INFSO that would have the main interest
in looking at that.
(Mr Jones) DG INFSO, the Information Society Directorate-General,
would have the main interest on looking at the impact of this
type of legislation. It will be interesting to see what the outcome
is of the UK Bill. I think in the US they are just about to introduce
legislation which will tackle cybercrime, and perhaps the encryption
issue to a certain extent as well. I am not aware of any other
Member States that have introduced specific legislation on encryption.
1088. Their approach is quite a different approach.
They are saying "no way do you get into this but the FBI
can do what they want. Here is the money, you can do what you
want but we do not know publicly what you are doing". At
least the British Government is arguing. I have to be careful
because there are a lot of contrary views on this side about it.
At least they are arguing and there is a degree of openness about
(Mr Jones) Yes.
1089. It is transparency.
(Mr Jones) Is industry concerned that they are going
to have to store these keys or simply that they are going to be
burdened with requests?
1090. There is a whole range of concerns. One
was that technologically there would be a burden on them. The
Government is now meeting that, they are involved in discussions
with major providers about footing some of the costs. I think
the other side of it is they feel there could be an exodus of
the people who say "we do not want to be troubled with this,
we will go and operate our businesses overseas, find ourselves
a nice Caribbean island or something like that where we will not
be similarly constrained". There are also some fine points
about tipping off, that you are not allowed to tip off an enquiry
being initiated and people could find themselves being liable
to prosecution by clients where either directly or indirectly
they have given leads that have led to enquiries. There could
be claims made against them for having information from clients
which has been released to agencies. There is a whole range of
(Mr Jones) My understanding is one of the main concerns
was actually the requirement for internet service providers to
have an interception capability. That was where industry was particularly
concerned about the burden put on them. Is it now true that the
Government is going to bear most of those costs.
1091. They were assuring us a couple of days
ago that it is all still for negotiation and that the major providers,
as we understood it, were now feeling much happier about it, although
publicly they would not be prepared to say that. What smaller
ISPs, who perhaps may not be so involved in this, or not involved
at all with negotiations, will feel about it, the new entrepreneurs,
may be quite different.
(Mr Jones) That is why I think the Commission will
watch what happens with interest. Obviously if representations
are made from industry it will probably be the DG Information
Society that will take the lead in considering whether there is
a single market dimension to it.
1092. You going to pick this up as well, Mr
Wilderspin. I am sorry this is a bit wide ranging.
(Mr Wilderspin) Not at all. I think what would be
dealt with in the Green Paper is only really peripherally relevant
to this particular question. What is envisaged in the Green Paper
is not to harmonise the Member States' substantive law but simply
to clarify which national law should be applied in the case of
a cross-border civil dispute. It is certainly not e-commerce specific.
The growth of e-commerce is obviously adding a practical interest.
These technical questions which are dealt with in this particular
UK Act are not relevant to this particular question. I do not
know if you want me to go into any further detail. It would perhaps
be unduly burdensome given the peripheral interest, but I am quite
happy to if you would like me to.
Chairman: I think we have got some more questions
yet but maybe if we have some time left at the end.
Lord Faulkner of Worcester
1093. It is related to this. Who is responsible
for material on the ISPs? The States are saying that the ISPs
are not liable for the material they carry, the messages which
they pass on. The United Kingdom courts have ruled in one case,
that of Demon, that that ISP is responsible. I think a French
court has ruled that Yahoo should censor material before it is
made available in France. It seems there will be a variety of
practices followed which will be a bit confusing and which could
lead to everybody flocking to the United States where there are
no restrictions. Could you comment and say if anything can be
done about it?
(Ms Rouchaud) My colleagues may have something to
say. The Directive on Electronic Commerce is ready to be adopted
and Article 14 is dealing with this question. It is providing
that the providers are not liable for the information, they are
just transferring from the origin to the final addressee under
certain conditions. If you look at Article 14, it is clear that
a provider who has not been aware of the illicit aspect of the
activity of the information, they cannot be made liable for the
quality of the information he just transfers because he cannot
control all the information which is going through his computers.
So I think that when the Directive is in force and has been transposed
into the Member States, the situation in the EU with Demon and
Yahoo should not occur any more except if Yahoo or Demon know
that information is illicit and so on and so forth. The basic
rule, the absence of liability on Internet Service Provider, I
think my colleagues from DG MARKT know much more about that and
I think you are going to meet them this afternoon. As far as we
know Article 14 is making the situation in Europe the same as
it is in the US according to your evidence. The risk you have
been quoting of having most internal transactions by US service
providers is maybe not such a big risk.
(Mr Wilderspin) Yes, that is certainly my understanding.
1094. If I may just bring up the question of
Article 15, Recital 13.
(Ms Rouchaud) Yes.
1095. Which is the question of an activity directed
to that State. This is causing considerable concern because companies
feel that by simply exposing themselves on the Web they are exposing
themselves to multiple liability. How do you see this being addressed,
by a definition of direction?
(Ms Rouchaud) First, to be sued in a court by a consumer
means that there was a contract. Having contracted with a consumer
located in State A, a provider in State B has exposed himself
to be sued in State A. Secondly, we know that this idea of activity
"directed to" the state of domicile of the consumer
has been a little bit controversial and has raised some problems.
That is why Commissioner Vitorino has said at the DG JHA Council
in March that we are ready to reconsider not the substance as
such but the drafting of Article 15 to make it clear that if you
have a website which is available in State A and a consumer living
in State A goes and makes a contract in State B during his holidays
or whenever and comes back to State A and sues the firm in his
domicile, Article 15 will not be applicable. To sum up, what is
not coveredin the Commission's viewis the case where
a consumer is going abroad, buys goods and comes back home and
wants to sue at home. In that case Article 15 will not apply.
That is something which is clear. If you have a website which
is available in all Member States, and if you accept to make a
contract with a consumer in State B, C or D, you expose yourself
to be sued in the State of domicile of the consumer.
1098. Would the destination of the delivery
have any bearing at all? If you were on holiday somewhere else
and you ordered it on the website but you order it to be deliveredand
they agree to deliver itto either your home country or
your next destination, would that have any effect?
(Mr Wilderspin) It is not relevant as regards the
application of Article 15 which has focused really purely on the
notion of directing activity and where the contract is made.
1099. And when the communication took place.
(Mr Wilderspin) Yes. But it can be relevant with regard
to another special head of jurisdiction which is Article 5(1),
which is of general application and not restricted to consumers,
which allows the plaintiff the option of suing in the country
where goods were delivered, or should have been delivered, in
the case where there was a breach of contract. There, in that
particular case, the focus is on where the goods were delivered
or should have been delivered according to the contract. This
is across the board, it is not just available for consumers, it
is also available in business to business contracts.
3 QQ 1096 and 1097 contain answers given in confidence
and have been deleted. Back