REGULATING ELECTRONIC COMMERCE IN THE NETHERLANDS Corien Prins* VI 1 Intellectual property The Dutch legal system of intellectual property rights is highly determined by European legislative initiatives. Both the European Directive on software protection and the European Directive on Database protection have been implemented into Dutch law. This implied an amendment of the Copyright Law as well as the introduction of a sui generis law on the protection for those databases that do not meet the requirement of originality under the Dutch Copyright Law. Since the introduction of the new legislative measures, court rulings have been issued on several of their provisions. In particular the case law on database protection is of interest, since the legislative framework merely works with vague protection criteria such as ?substantial? investment and leaves their specific interpretation up to the courts. In general, it becomes clear that applying the criterion of ?substantial? is not a matter of simple reasoning. The court rulings show different interpretations, whereby the more recent rulings of the courts of appeal have shown to be more strict as regards the criterion thus requiring considerable effort from the relevant party to qualify for ?substantial investment?. At present, the Dutch legislature is preparing for yet another series of amendments to the Copyright Law. As known, on 21 May 1999, in response to the amendments submitted by the European Parliament, the European Commission issued a draft copyright directive. The final text of this directive was adopted in 2001. The Directive claims that it aims to adjust and complement the existing EU framework on copyright and related rights to respond to the new challenges of technology and the information society, to the benefit of both right holders and users. Furthermore, it envisages establishing a level playing field for copyright protection in the new environment, and in particular covering the reproduction right, the communication to the public right, the distribution right, and legal protection of anti-copying and rights management systems. In anticipation of the European Directive, the Dutch government opened in 2000 a virtual discussion on its site www.minjust.nl/auteursrecht. Here, companies, representative organisations, citizens and other interested parties could express their opinion on the position and future of copyright in an online environment. In providing for this online discussion, the Dutch legislature intended to start the implementation process of the Directive in an early phase and collect the different views on society on the European measures. In implementing the European rules, the Dutch legislature is advised by a special commission on copyright matters, Commissie Auteursrecht. Since its establishment, this commission has published several reports on among others the effects of the European copyright directive on the Dutch system. Both the commission as well as the Dutch government took a rather critical opinion on the European Directive, in particular the proposed articles 5 (provisions on exceptions to the exclusive rights of reproduction and communication to the public, including the ?right to make available?) and 6 (protection of technological measures against circumvention) of the Directive. In general, the Dutch government was not in favor of limiting several of the traditional exceptions to the exclusive rights of users. In December 2001, the Dutch cabinet approved a Bill that implements the European Copyright Directive. It was send to the Raad van State for comments, after which it is expected to be send to Parliament in 2002.Prior to the cabinet?s approval, the Minister of Justice send a letter to Parliament in which he took a position on an earlier advice of the Commissie Auteursrecht as well as a draft proposal for the implementation of the Directive. Dutch case law has not dealt extensively with the copyright status of hyperlinking. In the August 2000 ruling on the website Kranten.com, the court found that linking and deeplinking on a frequent basis does not constitute an infringement of copyright. However, a company that links to a website it knows to contain infringing copyright material, acts not in accordance with the law. Although not dealing with the status of hyperlinking, the November 2001 court decision in KaZaA against the Dutch copyright organisation Buma/Stemra is of interest, because it shows that the Amsterdam court ruled in line with the US Napster decision that new techniques for distributing music on the Internet infringe copyright law. At present, there is some debate in Dutch legal doctrine on the status of patent protection for e-commerce related inventions. As known, much of the technology underlying online commerce, whether in the form of equipment or computer software, is subject to patent protection. While the granting of patents for computer programs which produce a commercially useful outcome is no longer an overly contentious issue, attention has turned to the patentability of business methods implemented by means of digital technology. Also in the Netherlands, questions arise as to whether business methods should be granted patent protection. No case law is, however, available. Overall, the conclusion is justified that intellectual property rights in the technology which supports electronic commerce, the materials which are made available or transmitted online in digital form and the identifiers used by individuals and entities trading on the Internet have been an important focus of legal attention at the Dutch national level in recent years. Together with the issue of privacy (which is being dealt with underneath in this report) intellectual property rights is an issue of high importance on the Dutch policy agenda. 2 Internet governance Internet Governance is a topic that is often addressed in relation to domain names. From, this perspective the issue has not draw much attention at the Dutch policy level. Court proceedings are, however, countless. At various instances, the Dutch courts are issuing rulings on the status of domain names under the Dutch trademark law as well as the rules on unfair competition. In general, these rulings shows a very unfriendly attitude toward the so-called ?domain grabbers?. A well-known domain grabber in the Netherlands is Namespace, which was sued by various companies for violating their trademark and subsequently held to violate the rights of these companies. The Dutch State itself was also involved in court cases, trying to protect its ?right? to various government-related terms such as ?troonrede.nl?, ?prinsjesdag.nl?, ?regering.nl? en ?miljoenennota.nl?. The court of Amsterdam ruled in favor of the Dutch State. In comparison with other years, the 2001 number of court rulings on domain name grabbing was limited. In the Netherlands, the management of domain names is under the responsibility of the Stichting Internet Domeinnaamregistratie Nederland (SIDN). It is a private, non-governmental entity. Thusfar, the position of this organisation is undisputed. No such extensive debate as on the international forum regarding the constitutional and organisational status of ICANN is being held in the Netherlands with respect to SIDN. Also, only a handful of publications point to regulatory questions surrounding Internet domain name governance. Under the present registration procedure for the top level domain .nl, foreign companies and citizens cannot file for a domainname. In a report, published by SIDN in November 2001, it is proposed to extend the registration of .nl domains to foreigners. Another proposal is to introduce a dispute resolution system similar to the well known UDRP-procedure for the .nl domain names. At present, domain name conflicts can only be solved in The Netherland through an formal court procedure (kort geding). A more fundamental debate on Internet governance is that on the required regulatory framework for commercial and other activities on the Internet and the organizations, existing or yet to be formed, which are to develop, implement and enforce those principles. Should the Internet be treated as a separate jurisdiction, is a new international governance structure required and what kinds of models of governance should apply? The answer to these questions centers in the Netherlands around the question whether legislative projects should be based on the adage "what holds offline, should also hold online". On several occasions, the Dutch government has held that in discussions on how to regulate developments like electronic commerce, the Internet, and, more in general, the electronic highway, the leitmotiv should be: ?what holds offline, should in principle also hold online.? In the 1998 Memorandum on Legislation for the Electronic Highway, the cabinet puts it thus: ?In the first place, the council of ministers chooses as a starting point that the norms that hold for the electronic highway must be the same as the norms in the physical world.? In some situations, however, this starting point can not be met. For example, in situations in which the traditional legal provisions result in problems when applied to an electronic environment (e.g. in the areas of consumer protection or private international law), one will have to consider whether other rules have to apply. Besides, existing and future European and international agreements sometimes do not leave room for maintaining the adage. Thus, the desire to create an international approach to certain ICT-related problems will result in different rules applying to the offline and the online worlds. Thus, a more detailed look at the legislative developments in the Netherlands as well as abroad shows that it is getting increasingly problematic to uphold the adage consistently when dealing with the various specific problems. The adage appears to have to taste defeat when concrete topics are worked out, because ? given certain interests (such as consumer protection, legal certainty, promoting electronic commerce) ? specific rules for the online world are being introduced nonetheless. One can also perceive this tendency at an international level (in any case, in the European Union). Therefore, as is argued in Dutch legal doctrine, it is unwise, when thinking about regulation, to hold on to the concrete rules of the offline world as a starting point. The approach should not so much equate in principle the concrete rules of the online world with those of the offline world, but rather, the level of protection in both worlds should be the same. Thus, the government should pay much more attention to the interests and goals that (should) underpin the rules of the offline and online worlds respectively. The question one is to pose oneself is why certain rules prevail in the offline world and why these rules should be maintained in the online world. If the online world introduces specific differences with the offline world, one will have to analyse the effect of these differences on the existing rules, considering the rationale of these rules. Rather than automatically transposing the rules of the physical world to the online world, the legislator should be creative in finding solutions to the specific problems of the online world. It is this conclusion that was also drawn by the Dutch legislature in its May 2000 policy document on internationalisation and law. An interesting point that should be mentioned here is that the ?offline = online? approach can of course also work the other way around: ?what holds online, must also hold offline?. In short, the legislator will have to observe the interaction between the rules of the two worlds, and not merely argue from out of the framework of the offline-world rules. A point that should be mentioned here is that as regards the discussion whether a general Lex Internet, an overall Act that would regulate various issues related to the Internet, should be introduced, the Dutch government takes the position that a Lex Internet is not expedient for the moment, but that it is an interesting option in the longer run. Finally, it should be mentioned here that, based on the work of Lawrence Lessig, several Dutch publications have recently dealt with the issue that the technology and architecture which make up the internet can, in themselves, act as a regulator of activity on the internet. 3 The digital divide As regards the ?digital divide?, there is some discussion on the access of individuals to ICT and their use of the Internet. However, the prime focus of the discussions in the Netherlands is not so much on the infrastructure, but rather on the content. As regards the infrastructure, the Dutch Telecommunications Law provides for several mechanisms that ensure that Internet access is broadly available on an equitable and reasonable basis. Also, the Dutch government as well as the supervising authorities OPTA and NMa published documents dealing with Internet access. The documents and discussions resulted by the end of 2001 in a Bill on ensuring accessibility to and availability of Internet. The Bill was approved by the Dutch cabinet and send for consideration to the Raad van State. In the Netherlands, access to Internet and thus Internet content is considered essential for the sound development of the information society. Here, the Dutch government in particular focuses on access to public sector information. It is argued that without such access some citizens and consumers will not be able to reap the benefits of the information society. Also, access to public sector information, is regarded to be an important instrument in enhancing citizens? and consumers? rights in the information society. Under Dutch law rights citizens have been provided with access rights to information being held by the public sector. ICT allows public sector bodies to provide access to a massive amount of information, enabling citizens to exercise their legitimate (democratic) rights more effectively. Simultaneously, public sector bodies discover that the (large repositories of) information they hold, represent a vast economic value, tempting them to exploit their resources. These two developments can easily lead to tensions. Also, other interests such as intellectual property rights and privacy rights, may hinder the free availability of public sector information. In 2000, the Dutch government issued several policy documents on this matter. The documents have chosen an ambitious perspective: all government information must be easily and widely accessible and available. In particular the policy document ?Contract with the future? provides a clear analysis of the impact that ICT (in the long term) will have on the relationship between the government and the citizen. Also, the Commission on Constitutional Rights in the Digital Era proposed in its 2000 report to codify a new fundamental right on access to and openness as well as availability of government information. Finally, in August 2001, another government advisory commission (the Commission Wallage) stressed the importance of a transparent and accessible public sector. The publication of all public sector information on the Internet, could be an important instrument in establishing this transparency. 4 Validity and security of electronic (commercial) transactions Electronic commercial transactions are different from traditional commercial activities in that they no longer require the exchange of paper-based documents and written signatures. Electronic transactions are marked out by various unprecedented features, which companies, individuals and regulators to their fascination and dismay cannot tackle by means of the traditional paradigms. The well-known paradigms have all developed along the lines of physical and local bounds of space and time. These confines have, however, lost their meaning in a society that is characterised by timeless, borderless and virtual communication and interaction. Thus, legislative bodies at both an international and national level are working on a new regulatory framework to overcome the new problems and thus provide for trust and legal certainty with respect to electronic transactions. From this perspective, the European Union has adopted several Directives addressing e-commerce related problems, such as the formation of contracts that take place by means of digital communications. Also, a legal framework has been made towards the development of rules on the recognition of electronic signatures that meet certain criteria. All European measures are at present being implemented into Dutch law, meaning that either a bill is pending in Parliament, or a proposed text is being considered in governmental bodies. 4.1 Signatures On 17 May 2001, the Bill on the implementation of the European Electronic Signatures Directive was put forward to the Dutch Parliament. The Bill introduces a legal framework for electronic signatures that is to amend the Civil Code, the Telecommunications Law and the Law on Economic Crimes. In line with the European Directive, the provisions are designed to ensure that an electronic signature cannot be legally discriminated against solely on the grounds that it is in electronic form. Interestingly, the Dutch proposal includes a more broad and open provision concerning the legal recognition of electronic signatures compared to the European Directive. In defining electronic signatures the Dutch provision follows the example of the UNICTRAL Model Law on Electronic Commerce. Already in March 1998, a special working group of the Ministry of Justice had advised to introduce the so-called functionally equivalent approach taken by UNCITRAL in its Model Law. Key objective of this approach is that the electronic document and the electronic signature must be functionally equivalent or, in other words, fulfill the same relevant functions as a paper document and a manual signature. Amongst these functions are: the evidential function, the information and communication function and the protection of third parties. In the Netherlands, the establishment of a voluntary accreditation scheme for CA's is at present under consideration. CA's wishing users of their certificates to benefit from the legal recognition of electronic signatures based on their certificates would, however, have to meet the essential requirements (as stipulated in article 15a of the Bill). In order to establish such an accreditation scheme, a National Action Plan Trusted Third Parties (TTPs) has been set up. Also, a text concerning the Dutch Policy with respect to TTPs has been issued and a national TTP project group, under responsibility of the Ministry of Transport and Communications, has worked out preconditions for TTPs. In this project group both representatives of government and industry participate. The group performs several pilot projects. As regards the Dutch Policy on TTPs, a number of preconditions are proposed for those TTPs who want to be accredited. For TTPs offering confidentiality services, there is a precondition of ?legal access? (i.e. government access to encrypted data). To determine what criteria and instruments should apply such legal access, the Dutch government opted for a "partnership approach", meaning that government and industry work together in developing a set of instruments acceptable to all parties. This project, called ?Legal Access? (Rechtmatige toegang), now appears to propose that TTPs are free in choosing the mechanism that allows for legal access (a term, by the way, that is not clearly defined). It was decided in the summer of 2001 that the final outcome is dependent on an economic-effect analysis, so there is not yet a definitive recommendation. Earlier, in 1998, the Dutch government had stated that a future mechanism for legal access to data encrypted with the aid of confidentiality TTPs is to be supported by legislation: ?If industry does not participate sufficiently actively in developing said set of instruments, the government will emphatically consider to fulfil the need for legal access with further legislation.? Finally mention should be made of the plans of the Dutch government to introduce a national Public Key Infrastructures (PKI). This infrastructure is intended to be used for authentication of electronic communications by government bodies. No final decisions have been made as regards the broader application of the infrastructure as well as its role in limiting the liability of CA?s and providing legal advantage for electronic signatures issued under this PKI. 4.2 Implementation of the European E-Commerce Directive On 6 July 2001, the Dutch cabinet has approved the Bill for the implementation of the European E-Commerce Directive. The Bill was subsequently send for consultation to the Dutch governmental counsel (?Raad van State?). Although itwas expected to be sent to Parliament some time autumn 2001, the Bill was still not in Parliament by January 1, 2002. Hence, the Netherlands will surely not meet the implementation date of 17 January 2002. The Dutch Bill amends the Civil Code and follows in many provisions the wording of the European Directive. 4.3 Electronic government communications In April 2001 the Dutch government distributed for consultation a draft text to amend the Administrative Procedure Act. Once in force this text will adapt Dutch administrative law to the digital era and authorize and facilitate the use of electronic communications for the performance of administrative procedures. In december 2001, the Dutch cabinet formally approved a Bill that adopts most of the proposals presented in the text distributed in April. The Bill was send for consideration to the Raad van State. So far Dutch administrative law contains formal requirement, which seem increasingly anachronistic in an era where electronic commerce is booming and electronic government is high on the political agenda. From the present Dutch proposal for a Bill, it is clear that the legislature opts for a simple amendment of the general administrative procedure act (Awb). A limited set of provisions is proposed to be introduced at the general level, thus acknowledging the possibility to issue an electronic administrative communication (besluit). The specifics are left to more detailed guidelines (dealing among others with additional security measures) as well as the relevant statutes that cover specific topics (such as the environmental statutes, etc.). This means that all topic-specific statutes will in the future be amended when such specific regulations are deemed necessary. It should be noted at this point that the ICT-related legislative developments under civil law may also have an impact on administrative law. Characteristic for the Dutch legal system is that all civil law rules also apply to the public sector (art. 6:162 Civil Code). Hence, all public bodies have to act in accordance with both the rules of the Civil Code as well as specific rules in administrative law. This means that when administrative law gives no ruling on a specific topic or interpretation question, courts may interprete administrative law in light of the civil law rules. In other words, both systems are seen as complementary. This characteristic of Dutch law is important in situations where no rules are available under administrative law on electronic communication, whereas such rules have been provided for under civil law. It also means that amendments to the administrative procedure act do not always need to be highly detailed because they can be interpreted in light of the civil law rules and case law. 4.4. On-line Dispute Resolution In the Netherlands, efforts have also begun towards developing online alternative dispute mechanisms to offer fast, low cost and accessible redress for the large number of small claims arising from business to consumer online transactions. In July 2001, the Dutch cabinet decided to introduce specific measures that allow for the establishment of low-threshold (on-line) dispute resolution mechanisms. Within the framework of the Dutch Electronic Commerce Platform (ECP.NL), a project on on-line dispute resolution is initiated, titled ODR.NL. At the time this report was written, no clear indications were available as regards the future of on-line dispute resolution in the Netherlands. What is clear is that providers of alternative dispute resolution mechanisms have to get used to the idea that these mechanisms can also be delivered by using electronic facilities. 5 Jurisdiction The Netherlands is a member to the Brussels Convention and the Rome Convention. Both conventions hold special provisions on international consumer contracts in order to protect consumers when contracting with foreign professionals, offering them access to a nearby forum and familiar legal system. Clearly, the existing consumer rules in both conventions have been written for a paper world and provide legal uncertainty with respect to on-line consumer contracts. One of the principle problems resulted from the distinction between active and passive consumers. The general idea behind the distinction is to solely protect the consumer who is solicited by the foreign business and not the consumer that looks actively for the foreign merchant or service provider himself. However, the question arises how to qualify a consumer who is looking for the website at its own initiative? Can the website itself be considered an advertisement in the consumer?s country? Does the shopkeeper?s intention with respect to the range of the website (worldwide or limited to a certain number of countries) play a role? Can circumstances such as language, currency and choice-of-law or choice-of-forum clauses be of relevance? There is no unambiguous answer to any of these questions. When interpreting the rules strictly, the Internet-consumer, in many cases will, not be protected, whilst protection may especially be important exactly in on-line situations. Secondly, legal uncertainty is detrimental to the development of electronic commerce, which development may be to the benefit of businesses as well as consumers. In 2000 the European Commission adopted a Regulation on jurisdiction, recognition and enforcement of judgements in civil and commercial matters, which intends to replace and update the Brussels convention. The Netherlands will adhere to the provisions of this Regulation. In the Regulation, which will come into force at a later date, the European Commission remedies the inadequacies by including on-line consumer contracts in the special consumer protection rules on jurisdiction, expressly deciding in favour of the Internet-consumer. Clearly, this choice is not welcomed by industry, Dutch industry included. Industry, among them Dutch providers of Internet services, fears huge economic consequences as a result of this new legislation. Admittedly, the chance of being haled into third country courts can be an expensive risk for companies and may not be desirable economically. The European Commission is reportedly also preparing a draft regulation on applicable law to replace the Rome convention, article 5 of which provides special rules for consumer contracts. Having in mind the world-wide dimension of the jurisdiction problems as well as the restricted scope of both afore-mentioned Conventions, the Dutch government is very much in favor of amending the relevant rules under the Hague Conference on Private International Law. The prime reason is that the United States is also a party to this Conference. Discussions to address the problems are also held as part of the revision of The Hague Conference on Private International Law. Progress is however very slow and a June 2001 meeting showed that a revision in light of Internet-related problems is not expected to be agreed upon in the near future. At an earlier organised round table meeting of the Hague Conference, website certification was proposed as a way of addressing private international law problems with respect to consumer contracts. Under the system on-line businesses would receive a certificate when adhering to a certain minimum level of consumer protection and offering the possibility of (free) alternative dispute resolution. Certified websites would fall under the country-of-origin principle, since disputes would for the greater part be resolved through alternative dispute resolution. Non-certified websites would still be subject to the lex consumptoris rule. The system could actually work if countries and (international) organisations can agree upon a set of minimum standards for consumer protection, since it assumes a certain level of harmonisation. Within the European Union consumer rules are still fragmented, but minimum norms are nevertheless determined in many areas. Several consumer organisations have already established such website certification schemes (e.g. the Dutch version Webtrader), which are self regulatory ways of stimulating companies to adhere to basic principles for on-line shopping. As regards website certification schemes it is important though to monitor observance of the rules by companies, preventing the use of the certificate solely for marketing purposes. This will be taken into account in more detail in the domain consumer representation. 6 Internet crime As regards Internet crime, mention should first be made of the draft Computer Crime Act II, submitted to parliament in July 1999. This legislative proposal intends to amend both the Criminal Code as well as the Criminal Procedure Code in light of developments such as Internet. Among the proposals made is that the police can command the conversing parties to assist in decrypting a message when it encounters ciphertext of this message in a wiretap. Further a provision is proposed which would enable the police to "seize" data by making them inaccessible; one means of doing so would be for the police to encrypt the data on the computer of the holder. In May 2001, the Minister of Justice put forward a Bill to Parliament in which virtual child pornography is made a criminal offense. Mention should also be made of the 14 May 2001 report of the Mevis Committee on Investigatory Data Gathering in the Information Society. In its report the Committee proposed the introduction of various data-production orders. The Committee also argues that a new power to order decryption should be introduced: the prosecutor can command decryption or providing information to decrypt if data produced upon a production order turns out to be encrypted. The command can be given to those who can reasonably be supposed to have the required knowledge, but not to suspects, and persons with a right to non-disclosure can refrain from complying. It is not surprising that the Dutch Data Registrar has issued a highly critical reaction to the Mevis report. However, by the end of 2001, the Dutch cabinet nevertheless approved a legislative proposal that adopts most of the proposals presented by the Mevis report. The Bill was send for consideration to the Raad van State. 7 Regulation of on-line content and commercial activities As regards legislation aimed at limiting access to illegal and offensive content on the Internet either by all users or by specific classes of users, such as children, mention must be made of legislative proposal to regulate on-line gambling. No specific legislation is available for the sale of pharmaceuticals and the offering of children for adoption. As regards on-line gambling, the district court of The Hague ruled that under the Dutch law a permit is required for providing gambling facilities and since no such permit is granted (has thus far been granted) for virtual gambling, on-line gambling is forbidden. A few months earlier, a working group has advised the Dutch government to amend the relevant laws that deal with gambling and to provide for an online ?gambling plaza? in order to cluster the virtual gambling facilities. In its reaction to the report, the Dutch cabinet mentioned that those providers of gambling facilities that have a permit to deliver these services in the off-line world, should under certain conditions also be allowed to provide Internet-related gambling facilities. In contrast to some other countries, the Dutch legislature has taken no formal steps to restrict children?s access to pornographic or threatening material by requiring the use of blocking or filtering technologies which prevent such content being accessed on the Internet. As mentioned above, legislation is proposed on virtual child-pornography. 8 Role of industry self-regulation Self-regulation is a central theme in the Dutch policy documents. The government thus stimulates industry measures that aim at giving consumers and business trust and thus facilitate the growth of e-business. Summer 2001, the Dutch government adopted a programme to stimulate low-threshold dispute resolution mechanisms, by means of self-regulatory initiatives. In the earlier-mentioned 1998 Memorandum on Legislation for the Electronic Highway, the Dutch government shows itself a strong proponent of using self-regulatory mechanisms in solving legal uncertainty about the cross-border consequences of electronic communications. It is exactly by supporting the instrument of self-regulation that the government hoped to provide sufficient flexibility at a time when technological and societal turbulence prevail. An additional advantage is that self-regulation is, in principle, not bound by national frontiers, which is also an important advantage given the borderless character of the Internet. Apart from that, in the Dutch government?s view, the instrument of government regulation remains the starting point if fundamental norms and values of the rule of law are at stake. The cabinet mentions in this respect protecting the classic fundamental rights of citizens, preventing and investigating breaches of the rule of law, and state security. Later documents also mention, for example, the importance of consumer protection in relation to security and reliability (e.g., in electronic payments), privacy, and applicable law. The Memorandum does bestow upon the government the task of supervising the preconditions that apply to self-regulation. These preconditions are: target groups must be sufficiently organised, societal interests must be promoted equally, all parties must be sufficiently bound, and the enforcement of the agreements must be sufficiently guaranteed. The government?s task takes shape by: * promoting ? vulnerable ? interests that are insufficiently represented; * drafting supporting legislation; * threatening to make laws; * supervising; * cooperating in enforcement (such as through hotlines). In May 2000, the Dutch government published an update of the afore-mentioned Memorandum. In this policy document, which focused on Internationalisation and ICT-Law, the Dutch government no longer shows itself an explicit proponent of self-regulation. It recognizes that the government also has an important role in establishing a policy for ICT-related matters: regulation should be a joint enterprise of the government and the private sector. This theme of co-regulation appears, as has been shown in a 2000 study, a popular scheme in several other countries as well. 9 Privacy It has often been stated that privacy protection is a critical issue for the growth of electronic commerce. At present, consumers appear to highly fear for their online privacy, as indicated by the Dutch Data Registrar in a report on privacy and Internet Service Providers. The Data Registrar concludes in several reports that with online profiling techniques, in practice online consumers do not have the same degree of privacy protection as have offline consumers. As ever there are conflicting legal interests at work here. Identifying consumers on the Internet poses a significant threat to personal privacy. On the other hand, in many instances businesses and organisations on the Internet have a justified interest in authenticating the identity of their counterpart. For this reason, various Internet techniques convey the authority to require identification of consumers and for purposes of assuring the quality of those identities impose authentication requirements. A more controversial issue is to what extent businesses may for marketing purposes gather, use and sell data on consumers and their transactions. The key question is what privacy standard consumers may reasonably expect in a cross-border online environment? In establishing the indices, Dutch data protection practice closely follows the European Privacy Directive, article 8 of the European Convention on Human Rights, the Council of Europe Convention and the OECD-Guidelines. Also the Dutch Data Registrar underlines the importance of the 1999 OECD Guidelines for Consumer protection in the Context of Electronic Commerce. However, day-to-day practice shows that there is a considerable lack of transparency in who collects what personal data of consumers on the Internet. Whereas in the offline world, consumers are usually aware of the fact that their personal data are collected, in the online world invisible data processing applications such as automatic hyperlinks to third parties, cookies, electronic monitoring and scripting techniques, etc., leave so-called click-trails of which consumers are unaware. Especially children will not be aware of the 'sensitive' data they may provide in an Internet environment. Also they will be easier to persuade to give away certain data. Both directives do not deal specifically with the on-line collection and use of personal data from children. However, developments show that urgent action needs to be taken. In this respect the US has set an example with the Children?s On-line Privacy Protection Act and in Dutch legal literature the importance of this example has been stressed. The Dutch privacy law that implements the European Directives (the Wet bescherming persoonsgegevens) came into force on 1 September 2001. Hence, it took the Netherlands ? as several other European countries ? several years more to implement the Directive than the official implementation period. Even now that the new Dutch privacy law is in effect, various problems in light of Internet-related activities remain. For example, it is required in certain situations that a person has to unambiguously give his/her consent to on-line businesses in order to lawfully process the consumer?s personal data. The realities of Internet, however, cause that data are usually processed for the purpose of the technique itself which results in the problem of invisible and automatic processing of personal data on the Internet performed by hardware and software. Furthermore, the question arises whether the definitions in the new law suffice considering the realities of Internet. Especially the telecom-privacy rules (which are implemented in the Dutch Telecommunications Law) appear not to extend to new developments in electronic communication services and technology. The rules on traffic data, if interpreted strictly, only refer to traditional voice telephony, but not to use of the Internet. Finally, how do the provisions on applicable law work out in an electronic world without boundaries? Overlapping jurisdictions appear a serious problem, which leaves the consumer with uncertainty. Also, with what national authority do controllers of Internet-related data processing activities have to register these activities? What is more, with electronic commerce, data processing has become a global issue. Without a worldwide comprehensive approach on protection consumers? privacy rights, the privacy standard in Europe is easily compromised by businesses that circumvent Europe for their data processing activities. In the end it seems that the only adequate way to tackle the problems is that international solutions are sought. In Dutch legal literature it is therefore concluded that several of the provisions introduced in the new privacy law appear less effective in an Internet environment. In this light a discussion is also been conducted whether a (constitutional) right to anonimity should be introduced. It is further stressed in documents of the Dutch Data Registrar that safeguarding privacy rights in an electronic environment requires a combination of legal measures and technology. This could be achieved by means of Privacy Enhancing Technology (PET). The idea behind PET is to provide the consumer with a mechanism to control the flow of his personal information (e.g. through a browser works with a privacy profile or terminal equipment where the software itself complies with the privacy legislation). As regards the latter option, there is a long way to go since the majority of the software is developed in the United States. As known, the US does not, by its own configuration, fully comply with the European data protection legislation. In light of consumers? interests it would be necessary that legislatures, more importantly the European Commission, act in this matter. In its proposed new telecom-privacy directive, the Commission indeed suggests such action (explanatory memorandum, paragraph 4). 10 Liability issues The question of the liability of internet service providers (ISP) for material transmitted by their users is extensively debated in The Netherlands. As regards both legislation and case law, a distinction must be made between civil liability and criminal liability. The Dutch government argued that, seen from a purely national perspective, there is no reason to create separate regulation for civil ISP liability. Dutch tort law is sufficiently technology-neutral and the open structure of the tort norm leaves enough room for the courts to further develop the issue. Thus, the Netherlands prefer to leave the developments under civil law to the courts, basing their decision on the broad tort norm. That courts can work with the present formulation in the Civil Code was shown in a civil law suit involving the Scientology Church. Here the court ruled that in principle there is no responsibility for service providers if the provider is not aware of the information content. Thus, the mere facilitation of an unlawful communication is in itself not a wrongful act. However, from the moment the ISP has knowledge of the unlawful content, it can no longer sit back. It then must act and either remove the material or block it?s availablity. Under criminal law, the liability of ISP?s was dealt with in the Computer Crime II Bill. ISP?s were given immunity from prosecution provided certain conditions were met (dealing with providing, preserving and handing over certain data). ISP?s (the Bill used the term ?intermediaries?) would only have to act (remove or block data) after instruction by the Public Prosecutor ? mere knowledge did not oblige them to act. This part of the Computer Crime II Bill was withdrawn, however, in light of the rules adopted at a European level under the E-Commerce Directive. The proposed Bill was not in line with the European provision. No new proposal on ISP liability was presented at the time this report was finalised (January 2002). As regards the international perspective, the Dutch government supports the view of the European Commission that a set of common principles has to be established at an international level in order to create a level playing field. Hence it supported the European Union plans to include a provision of liability issues in the E-Commerce Directive. However, as regards the specifics of the European view, the Dutch government questioned the soundness of the distinction between different types of ISPs. Also it does not agree with the European position to exclude in advance certain categories of ISP?s (in particular, access providers) from liability, regardless of their knowledge of unlawful content. This position is also not in line with the civil liability system under Dutch civil law. Here knowledge plays a role, irrespective of the position of the parties. 11 Consumer protection It is clear that consumers have a profound role in unfolding electronic commerce, being one of the driving and catalysing elements therein. Simultaneously, however, enhanced possibilities to communicate and to do business give rise to legitimate concerns as to the protection of consumers (e.g. in the areas of new marketing techniques, privacy, payment, access to infrastructure, services and content). Obviously, it thus affects the traditional framework of European and national consumer law and the interests that underpin this body of law, for most consumer law was established at a time when the Information Society was an unknown phenomenon. The Dutch government as well as various organisations (such as the Consumer Association) have acknowledged this and taken a keen interest in assessing whether changes need to be made to safeguard the level of consumer protection in an on-line environment. When looking at the specific consumer-related measures in the Netherlands, one notes that they are very much in line with what is happening in other countries on this issue. The Consumer Association has established a website certification scheme (Webtrader), which is a self regulatory way of stimulating companies to adhere to basic principles for on-line shopping. The Consumer Association stopped the Webtrader initiative by January 2002, because ?the scheme had proven its effect?. As regards website certification schemes it has been stressed also in the Netherlands that it is important though to monitor observance of the rules by companies, preventing the use of the certificate solely for marketing purposes. A drawback of this self-regulatory mechanism is that in the meantime various organisations and have all developed their own certification schemes, all working with a variety of different provisions. This leaves consumers with puzzled with questions as regards the real value of the scheme. As regards the legislative framework on consumer protection, we note that under the Dutch Civil Code a rather strong protection mechanism for consumers exists. In amending the provisions in light of e-commerce related problems, the Dutch legislature acts very much in line with the rules which have been adopted on a European level under the relevant European Directive. Aside from the specific legislative issues surrounding consumer protection in an on-line world, mention must be made here of discussions, both in legal literature and government policy documents, on the position of the consumer in an electronic environment. As known, ICT challenges various traditional concepts and boundaries. Not only geographical borders are losing their significance but also traditional frontiers in the organisation of our economic and social relationships are under discussion. Rigid ?physical? organisations are giving way to dynamic ?virtual? organisations where ICT offers opportunities to create the right organisational mix for the situation which is relevant at that moment in time. Whereas previously, large and financially powerful companies were required for certain economic activities, these can now be realised by any individual with access to his or her own personal computer. This development appears to have important effects on the bargaining powers of market parties, among them consumers. Bargaining power becomes more dependent on one?s position in an economic chain and on the commercial aptitude to exploit this position, than on criteria of size and financial viability. The size of business and the role of the party in the economic chain (for example the role of consumer) is no longer that relevant in determining their influence on the market and market conditions. Small companies as well as consumers can be dominant because of their technical knowledge over other parties they deal with, whichever size and economic power. The phenomenon of changing bargaining powers is especially clear when it comes to consumers. The consumer?s position is traditionally seen as a key example of an economically weak party. Electronic commerce shows that technology offers consumers altogether amazing possibilities to enhance its bargaining position, but also involves new risks for consumers. On the one hand, Internet offers consumers new possibilities to strengthen their position. They are, for example, able to influence the purchase price by collectively buying a certain product on sites like LetsBuyIt.com. Dissatisfied consumers and patients or citizens who are concerned about something can use the Internet to let a world-wide public know about their grievances or other problems. Other examples also show that technology can play an important role in strengthening the consumers position: encryption techniques and anonymous remailer services are important tools in protecting the consumers privacy on the Internet. Peer-to-peer techniques, such as Napster and Gnutella, show the growing effect of systems that are in the hands of individuals. On the other hand, of course, various factors also enhance the need for protection of consumers in electronic markets. The specific characteristics of electronic communication raise issues of consumer confidence and trust in the reliability of the transactions he performs as well as the businesses he is in contact with. In addition, the globalisation of trade, the new characteristics of economic chains and the multiplication of intermediaries in the process of provision of electronic services cause important threats for consumers. In particular the cross-border nature of electronic communication and contracting raises issues which can be identified as problematic for a consumer. What is to be done against the risk that a consumer may not understand the language in which a contract has been drafted? What about the different liability rules that affect the legal classification whether the business can be accused of breach of a contract? In an electronic environment the consumer?s position is particularly weak when it concerns aspects of privacy, payment and transactions carried out under foreign law. Internet consumers are very often obliged to pay the full amount in advance even when this practice is in many legal systems explicitly prohibited (see Dutch Law Book 7 title 1 BW). Advance payment puts the consumer at a disadvantage when it comes to a refund if the goods delivered do not meet the desired standards or the ordered product is not delivered at all. Again the cross-border character of electronic trade has a major impact on the problem: what if a consumer is not satisfied with a product he bought through the US-based E-Bay auction, but already paid the full amount of the ? relatively small - price? Starting a court proceeding to get his money back will in most cases not be an realistic option. In other words, although the internationalisation of electronic transactions present important possibilities, it also aggravates the consumer?s unequal position on the electronic market. The described development raises the question as to whether the standard imbalance with the consumer being a weak party can be approached on the electronic market in the same way as it is at present in the traditional off-line market? Law and other regulatory schemes have traditionally played an important role in strengthening the position of socially and economically weak parties. As regards consumers, on a world-wide level various specific consumer protection regulations have been introduced over the past decades. The past few years have shown that when it comes to regulatory choices with respect to e-commerce, the orientations of a legal and regulatory system have a direct impact on the commercial choices of market players. The emergence of legal institutional arrangements aiming at strengthening the position of consumers will clearly influence the position of the consumer on the E-Commerce market. The question that arises, however, is to what extent these arrangements will influence the consumer?s position? The main characteristic of consumer protection rules is namely that many of these rules are repressive in nature, meaning that consumers can only take action after something has gone wrong. In contrast however, Internet offers a range of preventive possibilities where the consumer can considerably strengthen its weak position. Mention can for example be made of services such as the ones offered by LetsBuyIt.com and the increasing number of possibilities for privacy-conscientious Internet users to surf anonymously or to semi-anonymously make payments. The availability of such pro-active - self-help - protection mechanisms raises the question of what a regulatory framework should be in a society where consumers (can) depend on technology instead of the law. The effect of legal protection mechanisms is also undermined due to the global nature of electronic commerce in combination with the still highly different legal systems around the world. In short, technology challenges the role of the regulatory framework in establishing a balance between strong and weak parties on electronic markets. Thus, in Dutch legal literature the question is now being posed what role can and must law and other regulatory mechanisms play in the changing dichotomy between strong and weak parties on electronic markets? These are far more fundamental questions than the present amendments of the Civil Code in light of the European E-Commerce Directive. They are also questions that cannot be answered by a single amendment of the law, but need adequate consideration for they are of utmost importance in defining the position of consumers in an Information Society.