Legal and Intellectual Property Concerns of E-Businesses Managing
Ying DONG1 and Meizhang CHEN2
1Institute of Software, Chinese Academy of Sciences
2 Peking University, China
The Internet is transforming the way businesses work. Emerging technologies are
consolidating global markets and opening doors of opportunity to all, regardless of size.
However, running an e-business involves legal risks. Increasingly, disputes regarding
copyrights, trademarks, patented technology and domain names are appearing in courts
and gathering media attention, especially those disputes involving e-businesses. With the
treat in mind, the legal risks must be in the top priority to be considered when managing
e-business. In this chapter, we address seven legal and intellectual property concerns for
e-business including: (1) protection of name, reputation; (2) protection of important
technologies, business models; (3) protection of new types of information assets &
content control; (4) privacy issues; (5) security issues; (6) assure that transactions are
enforceable; and (7) global legal environment for e-business.
e-business, intellectual property, domain name, trademark, cyber-squatting,
software patent, business method patent, copyright, privacy, spam e-mail, security,
1. Protection of Name and Reputation
In e-business, organizations that establish a strong reputation and brand loyalty in the
marketplace can create values. A famous brand results in fewer competitive entrants, less
price sensitivity, and increased customer loyalty. Businesses with a famous brand attract
high values while retaining high value customers and opportunities to cross-sell
additional products and services to them. Organizations must protect their names on the
Internet, because the good reputation is particularly fragile. The style of names and
reputations on the Internet for a company include its domain name, trademarks or service
Law & Policy
Internet Corporation for Assigned Names and Numbers (ICANN) is the non-profit
corporation that manages the domain name system world-wide. Its Rules for Uniform
Domain Name Dispute Resolution (UDRP) has been approved by ICANN on October 24,
1999. The new dispute-resolution process now requires in every domain name
registration contract. Under the policy, most types of trademark-based domain-name
disputes must be resolved by agreement, court action, or arbitration before a registrar will
cancel, suspend, or transfer a domain name.
US: The Anti-Cyber Squatting Consumer Protection Act (ACPA) was signed into law
by the President on November 29, 1999. It applies to situations in which a person has a
bad faith intent to profit from a mark: (1) In the case of a mark that is distinctive, at the
time of registration of the domain name it is identical or confusingly similar to that mark;
(2) In the case of a famous mark that is famous at the time of registration of the domain
name, it is identical or confusingly similar or delusive of that mark; or (3) It is s protected
under special statutory sections.
Canada: Cyber squatting activities in Canada or by Canadian parties has to date in
Canadian courts been dealt with on a case-by-case basis. The court decisions illustrate the
present state of the law in Canada with respect to cyber squatting. The Canadian Internet
Registration Authority (CIRA) is a not for profit Canadian corporation that is responsible
for operating the dot-ca Internet country code Top Level Domain for all Canadians in an
efficient and professional manner. Decisions available are basically resolutions based on
CIRA Registration Rules and the CIRA Dispute Resolution Policy.
Europe: The European Council have called upon the Commission to take the
necessary measures to introduce a new Internet Top Level Domain (TLD) for Europe -
".eu". The European Commission will now take steps to select a private non-profit
organization to manage the .eu TLD and to define rules to safeguard certain public policy
issues. The Regulation provides safeguards to prevent cyber-squatting and to ensure an
effective extra-judicial procedure for the settlement of disputes about domain names.
There are several stages in this process. Firstly, the European Parliament and the Council
have adopted a regulation (EC No.733/2002), which provides the legal basis for the
creation of the .eu registry. Now that the Regulation has been adopted, the procedure for
the implementation of the Regulation can be initiated, including the selection and
designation of the .eu Registry operator, as well as the definition of applicable public
Japan: As to Japan, Japan Network Information Center (JPNIC) is the organization
to resolve domain name disputes, which is responsible for the top level domain .jp.
Decisions available are basically resolutions based on JP Domain Name Dispute
Resolution Policy. JPNIC had no policy with respect to dealing with domain names
substantially similar to known and popular trademarks, instead the Trademark Law
governs the issue.
China: There are no laws in China currently governing the act of cyber-squatting.
The General Regulations on Registration of Domain Names in China, issued by the China
Internet Network Information Center (CNNIC), is responsible for administering domain
name registration Moreover, PRC Government has determined to establish a centralized
Chinese character domain name registration system. CNNIC opened its Chinese-language
domain name registration service on Nov 7, 2000.
It was the first cyber-squatting case under the World Intellectual Property
Organization process (WIPO, 2000, January 14). The US-based World Wrestling
Federation (WWF) had brought the suit against a California resident, who had registered
the domain name www.worldwrestlingfederation.com and offered to sell it back, at
significant profit, to the WWF. The WWF filed the case with the WIPO Arbitration and
Mediation Center under the new Uniform Dispute Resolution Policy. The Center’s
decision concludes as follows: " the Panel decides that the domain name registered by
respondent is identical or confusingly similar to the trademark and service mark in which
the complainant has rights, and that the respondent has no rights or legitimate interests
in respect of the domain name, and that the respondent domain name has been registered
and is being used in bad faith. Accordingly, pursuant to paragraph 4, i of the Policy, the
Panel requires that the registration of the domain name
be transferred to the complainant." It was the first case of an abusive registration of a
domain name on the Internet was decided with the Administrative Panel ordering the
registrant to hand over the domain name to the complainant.
We advise that any e-business registers its company name as a trademark and all
permutations (.net/.org/.com etc) of domain names. At the same time, it is recommended
obtaining trademark registration for URLs or domain names that are addresses on the
Internet. The steps to get domain name protection include: (1) Search national and
international domains; (2) Search for trademarks; (3) Register the domain name; and (4)
Get protection on the domain name from requirements on entry, release, deletion, damage
claims and claims to cease and desist before courts, domain registration offices and
arbitration courts. The steps to get trademark protection include: (1) Searches of domestic,
community and foreign trademarks; (2) Register the trademark; and (3) Get protection on
the trademark from requirements on entry, objection, deletion, damage claims and claims
to cease and desist before courts and trademark offices.
There have been numerous cases where registration of another’s trade name as a
domain name has come before the courts; often the registrant attempted to charge large
sums for selling the domain name to the trade name user.
The WIPO Arbitration and Mediation Center has developed a set of dispute
avoidance and resolution best practices for application service providers. The dispute
resolution methods include litigation and alternatives to litigation: (1) Litigation is the
formal, public process for resolving disputes before national courts. While litigation may
be the most appropriate, or only available, method of dispute resolution in certain
circumstances, it is generally accepted to be a slow, disruptive, resource-draining,
expensive and time-consuming way of resolving conflicts. (2) Alternative dispute
resolution (ADR) encompasses a range of different and distinct techniques, including:
negotiation, mediation, arbitration, etc. The main advantages of ADR procedures include
speed, substantial cost savings, privacy and confidentiality, and jurisdictional issues.
Because ADR is a private process, based on party agreement.
If a company is subject to cyber-squatting, dispute resolution should be considered as
a cheap and fast way to achieve resolution. To invoke the "UDRP" policy, a trademark
owner should either (1) file a complaint in a court of proper jurisdiction against the
domain-name holder, or (2) submit a complaint to an approved dispute-resolution service
provider in cases of abusive registration.
Each provider follows the "UDRP" policy as well as its own supplemental rules.
Approved providers for UDRP include: (1) Asian Domain Name Dispute Resolution
Center and its two offices in Beijing and Hong Kong; (2) the CPR Institute for Dispute
Resolution; (3) eResolution at the University of Massachusetts Center for Information
Technology and Dispute Resolution; (4) the National Arbitration Forum; and (5) World
Intellectual Property Organization (WIPO) Domain Name Arbitration.
Once a request for resolution of domain name dispute is filed with the disputeresolution
service provider, normally a decision is made considering the following three
elements: (1) Whether the domain name is identical or confusingly similar to a trademark
or other indication in which the complainant has rights or legitimate interests; (2)
Whether the registrant has no right or legitimate interest in the domain name; and (3)
Whether the domain name has been registered and is being used in bad faith.
After the decision is made, the complainant or the registrant may take the following
(1) When there are no legitimate grounds for relief (when the complainant loses), the
complainant may: a) Request an injunction to prevent the registrant from using the
domain name based on breach of Trademark Law or Unfair Competition Prevention
Law; or b) File a lawsuit against the registry to request that the registrant be
prohibited from using the domain name.
(2) Decision to cancel or transfer (when the registrant loses), the registrant may: a) File a
lawsuit against the complainant to confirm that an injunction prohibiting the use of a
domain name based on the breach of Trademark Law or Unfair Convention
Prevention Law cannot be issued; or b) File a lawsuit against the registry to confirm
that there is no basis for rescission of contract or file a lawsuit to confirm that the
domain name does not fall under the resolution policy and that the use or registration
of the domain name is possible.
The use and registration of trademarks and the use and registration of domains
supplement each other. An entered trademark can be a prerequisite for registration or
claim for release of the domain name or at least facilitate the release of the domain name.
On the other hand the use of a domain name in practice may lead to a famous trademark
granting protection even before registration of the trademark. Therefore, the early coordination
of the use of enterprise and product names and trademark and domain
registration is advisable.
2. Protection of Important Technologies and Business Models
The recent explosion in e-commerce has prompted many businesses to seek patents
for the methods they use to do business on the Internet. Most of the complaints
surrounding this new genre of patents deal with the eligibility of e-commerce business
methods carried out by computer software.
Law & Policy
Patent law provides the right to the holders having exclusive use of patented
inventions, for a limited period. Legislation and patent office policies from around the
world regarding software and business method patents are summarized below.
US: The United States Patent and Trademark Office (USPTO) is the authority for
patent in the states. The US patent legislation include: (1) US Patent Act; (2) USPTO
Public Hearings on Software Patents in 1999, allowing software patent afterwards; and (3)
USPTO Business Method Patent Improvements Act of 2000, allowing business method
Canada: According to the patent rules for Canada, computer software-related
inventions are patentable if the inventive discovery would be patentable whether or not it
was incorporated into software. Note that this is precisely the opposite of the rule in the
United States, which only grants patents only if the business process is implemented with
Europe: As for EU, in reality many thousands of patents are in fact granted by the
European Patent Office for software inventions, and patents can also be granted for
business-related inventions. The present position governing the patenting of software is
governed by Article 52 of the European Patent Convention. Article 52 excludes computer
program from being patentable, and business methods. However, European Commission
has put forward proposals for patent protection of computer-implemented inventions,
based on the draft directive published on 20 February 2002.
Japan: The Japan Patent Office (JPO) released "Examination Guidelines for
Computer Software-related Inventions in 2000. The parts of the said Examination
Guidelines regarding the "computer program claim(s)" are applied to the applications
filed on or after January 10, 2001. Consequently, software is generally patentable in
Japan only if it involves the application of a scientific principle, it has industrial
application, and it involves an inventive step. Considering of business methods, JPO has
been making use of various opportunities in the effort to disseminate information about
the criteria under which "business method patents" can be approved as part of software
China: Software is not patentable as a statutory subject matter. Computer software is
protected in China under 3 laws: the "Copyright Law", "Regulations for the Protection of
Computer Software", and "Measures for Computer Software Copyright Registration".
According to the "Copyright Law", computer software is included in the works that are
protected under "Copyright Law". The State Intellectual Property Office of PRC (SIPO)
publishes its examination guidelines related with computer programs. The patentable
inventions with involving computer programs may address measurement, automation,
Chinese character coding method, or external data processing.
It was the case of State Street Bank & Trust Co. v. Signature Financial Group, 149
F.3d 1368 (Fed. Cir. Jul. 23, 1998). In the case, Signature is the assignee of US Patent No.
5,193,056 (the '056 patent), entitled "Data Processing System for Hub and Spoke
Financial Services Configuration." The '056 patent is generally directed to a data
processing system for implementing an investment structure which was developed for use
in Signature's business as an administrator and accounting agent for mutual funds. The
data processing system facilitates a structure wherein mutual funds pool their assets into
an investment portfolio organized as a partnership. The case has impacted patent practice
significantly, because State Street Bank's business methods were implemented using
computer software. The case eliminated the business methods exception to statutory
Trademarks, patents, copyright, and various kinds of contractual arrangements all
serve to protect IP. IP rights include two categories: those that occur automatically upon
creation of the IP asset, for example, copyright, database rights, design rights; and those
that occur only upon registration, for example, patent rights and registered trade mark
rights. The most common form of protection for an invention is a patent. However, patent
can be a double-edged sword, bringing wealth to those who carefully mine the
intellectual property within their companies while visiting disaster upon those who
blithely infringe upon the work of others.
The IP management plan considers of the licensing strategy. A non-exclusively
license plan will differ significantly from a plan to exclusively license IP to a start-up
company. In any event, the IP management plan will normally include sections on the
objectives, markets, IP protection, valuation, marketing, partners, grant applications, and
model agreements to be used.
Large corporations use patents to battle each other today. They staff large research
departments that patent as much new technology as possible to lock it up. Often,
corporations cross-license their patents: two corporations that each hold important patents
offer each other use of their patent portfolios in a sort of "trade", circumventing the
business of charging each other royalties. However, patent can be an effective and
powerful weapon for small and medium enterprises (SME) to fight against large
companies if the invention is at a critical place.
Since patent can be a double-edged sword, the protection considering patent issues
are also addressed in two ways. On one hand, protecting your website from copyright and
patent infringement, and carrying process analysis to identify business methods or
practices that could be patented. And on the other hand: ensuring that your website does
not breach the copyright and patents of others. A survey is necessary for the software and
business methods patents similar to the technology and model of the own e-business.
To file a software patent, in most cases the application can be supported by a flow
diagram functionally representing the operation of the software together with definitions
for the significant data together with the inputs and outputs for the system. An application
typically includes representative examples for the operation of the software in addition to
functional and structural description.
As for business method patent filing, USPTO announced a plan to improve the
quality of the examination process in technologies related to electronic commerce and
business methods on March 29, 2000. USPTO address the business method-related patent
issues including: prior art in the field of business method patents; how to successfully
prepare and prosecute a business method patent application; the rejection examples for
business method inventions; and the famous cases such as the one for State Street Bank.
However when a new area of patentability is opened up as for the software patent,
the documentation for what constitutes prior art is generally not well developed. So
patent examiners generally do not have access to previously existing products, or to
information that has not been published and properly catalogued in the field of software.
Thus, there may be patents issued, which later prove to be invalid. However, the time and
expense for litigation to invalidate a patent is substantial and the outcome can never be
predicted with certainty.
In the case of reexamination, interference, opposition or other legal challenge
including civil litigation to a patent (or an application for a patent) on software or
business method invention, the party producing evidence of invalidity or ineligibility of
the patent, has the burden of making their showing by a preponderance of the evidence.
A defensive strategy may include the points as:
(1) Preparedness: If a company is engaged in a relatively narrow sector of the market, it
should collect and maintain a library of relevant technical information going back as
far as possible;
(2) Not to assume a too broad claim: If the patent seems unfairly broad, there is likely to
be some important prior art that was not considered when examining the application;
(3) Focus its strategy on the technology: The defendant must be perceived by the judge
or jury as addressing the technical issues straightforwardly, in contrast to the patentee
who usually emphasizes similarity of appearance or structure.
A trend is that, patent authorities around the world have become increasingly
receptive to claims for computer program-related inventions, including algorithms.
However, copyright protection is still the basic method to protect software, since it
automatically exists in software and patents always cost much more to procure and
perfect. Nevertheless, many computer software industry leaders commonly agree that
patents will play a major role in the future of most software companies.
3. Protection of New Types of Information Assets & Content Control
Are you exposed to liability for the content on your website? If an organization
wishes to attract visitors (and thus customers) to its own website, it must be able to break
out to attract as much attention as possible. Internet brings a continuing expansion of
intellectual property rights, even for digitized texts, pictures, movies, and data in
databases. These liability risks become more difficult to manage where the content is
brought in from outside the organization. The organization needs to understand these
risks and implement procedures to control them, particularly as liability rules differ
substantially on a global scale.
Law & Policy
The enterprise needs to be aware that different standards of assessment apply in
different countries and must take these into account in its content control activities.
US: Despite of Copyright Act of 1976, US has passed the Digital Millennium
Copyright Act as a revision to US copyright laws especially for e-business. US ISPs
would be liable under the Digital Millennium Copyright Act if they failed to remove
infringing material posted by their subscribers, once informed by the copyright owner of
its existence on the site. Since US is the country where e-business is the most popular,
more legislations are undergoing for e-business copyright, including Music Online
Competition Act of 2001, Amendment to limit the liability of copyright owners for
protecting their works on peer-to-peer networks, Digital Media Consumer's Right Act of
Canada: The Copyright Act of 1985 already applies to Internet transactions. As for
liability of Internet Service Providers (ISPs), the Copyright Board has released decisions
related with copyright tariff for e-business. On Oct. 27, 1999, the Copyright Board
released its decision that it would proceed with the certification of proposed Tariff 22 (the
so-called Internet tariff).
Europe: EU copyright legislation has evolved during the past decade with the
objectives of enhancing the functioning of the single market and of harmonizing rules to
insure uniform protection in the new technological environment. EU has formulated an
action plan and has adopted legislation on the legal protection of computer programs and
databases, satellite broadcasting and cable transmission, etc. The Copyright Directive
(2001/29/EC) was adopted by the EU's Council of Ministers on April 9, 2001.The goal of
this directive is to adapt legislation on copyright and related rights to reflect technological
developments—in particular, the “information society”—and to transpose into EU law
the main international obligations arising from the two treaties on copyright and related
rights adopted within the framework of the WIPO. These two treaties are the Copyright
Treaty and the Performances and Phonograms Treaty of 1996.
Japan: The Copy Right Law of Japan was revised in 1986 so as to comply with the
WIPO Copyright Treaty and to make some other changes especially for e-business. The
changes include: (1) With effect from October 1, 1999, unauthorized removal of
copyright protection means or rights management information (including electronic
watermarks and signatures) became criminal offenses as did unauthorized modification of
rights management information. Additionally removal or modification of rights
management information now gives rise to the possibility of a civil action; and (2) Clarify
that it protects databases through defining "databases."
China: China's Copyright Law was issued on June 1, 1991. The 24th session of the
Standing Committee of the 9th National People's Congress approved the amendments to
the law on Oct. 27, 2001. The amended copyright law guarantees equal protection to
foreign and Chinese copyright holders and is expected to promote the development of
patented products in international and Chinese markets. The amendments extend the
scope of the law to involve more subjects, including acrobatic performances, architectural
designs and literary and artistic works published via the Internet.
It was the famous case on intellectual property right problems over peer-to-peer
networks, A&M Records, Inc. v. Napster, 114 F. Supp. 2d 896 (N.D. Calif. 2000), 192
F.3d, 239 F.3d 1004 (9th Cir. 2001). Napster is a file sharing program that allows users,
via the Internet, to search for and obtain music in the form of MP3 files. Napster, Inc.
(“Napster”) runs servers that control the distribution and cataloguing of this music. On
December 6, 1999 the various record companies including Sony Music Entertainment
Inc., Polygram Records Inc., Virgin Records America Inc., etc., represented by the
Recording Industry Association of America (RIAA) have sued Napster in Federal District
Court alleging Contributory and Vicarious Copyright Infringement. On Feb. 12, 2001, US
Court of Appeals for the Ninth Circuit affirmed a District Court ruling that Napster had
encouraged and assisted widespread copyright infringement of music recordings. In its
decision, the appeals court directed the trial court to fashion an injunction that requires
Napster to stop the exchange of copyrighted works but respects the technological
limitations of Napster's system to police activity on its site.
Much of the value of an e-business enterprise will consist of confidential knowledge
and proprietary information which is known only to it, and whose value depends upon
retaining such information within the business. Customer information, know-how about
methods of conducting e-business, and relationships with providers of information
products and e-business services, all have real value and need to be protected from
competitors. To copyright a web page and its content, simply including a line of text such
as "Copyright © 2003 Your Company, Inc." is sufficient. You can, if you like, include
more extended language in your copyright notice, specifying which rights you actually
want to retain. On the contrary, you have to request for the permission if you want to use
other people’s pages. Getting permission and clearly spelling out terms as well as who
has which rights is the key. Sometimes the owner of the work will want you to sign a
licensing agreement and pay fees for its use. You can often negotiate mutually agreeable
terms, but if you are simply denied permission, respect that decision. Fighting a lawsuit
for infringement can be both time consuming and expensive.
When creating web pages one must keep in mind that the copyright laws that govern
print material also govern web pages distributed over the Internet. Publishing a web site
and including materials that were created by someone else involves the distribution of
these copyrighted materials, a right that belongs exclusively to the copyright holder and
which means infringement on copyright law.
To protect own copyright, it is recommended to display of the copyright sign . It
is not enough to only mention the name of the author. Moreover, it is better addressed
that reprinting, distribution, sale or performance is not allowed without the copyright
owner's permission. Most Internet hosting sites have rules concerning privacy in relation
the steps are recommended to follow: (1) Determine whether permission is needed; (2)
Identify the copyright owner; (3) Identify the rights needed; (4) Permissions should be
sought before publication; and (5) Get written permission agreements.
When linking to another web site's homepage there is no need to ask for permission.
However, even if the link appears perfectly legal, it is considered good netiquette to
obtain consent for all links. Deep linking - bypassing the homepage - is a practice that is
rather disliked by web owners. When linking to other web sites it is advisable to include a
disclaimer that would minimize liability for any activities that might occur when the
visitor is taken to the linked web site.
Some web sites use framing to connect to other web sites. Framing is a lot like
linking, but instead of taking the reader to the other web site, the information from that
web site page is imported in the original page and displayed in a special frame. Web sites
who do framing are generally seen as stealing content from other Web sites.
Fair use – for purposes such as criticism, comment, news reporting, teaching
(including multiple copies for classroom use), scholarship, or research, is not an
infringement of copyright. It is a permission to make digital or hard copies of all or part
of this work for personal or educational use is granted without fee provided that copies
are not made or distributed for profit or commercial advantage and that copies bear this
notice and the full citation on the first page.
If the worst happens, and a complaint is made that the website content infringes
someone’s rights, we advise on immediate steps to be taken to reduce the liability claim.
These include removing the offending material or blocking access to it, posting a
correction or apology, and helping the aggrieved party to track down the person
Selling content over the Internet not only reduces physical costs, but also provides
new opportunities to improve customer experience and gain incremental revenues.
Publishers need to develop clear guidelines for the appropriateness of content digitally
distributed and the rights they associate with that content. In the future, two versions
(print and digital) will be common for every type of “works” in the Copyright Law,
whatever the works is literary works, visual arts, music, etc. So either the publisher or the
composer of the works has to be aware of the two types of copyright, traditional
copyright and digital copyright, at the same time for e-business.
4. Privacy Issues
The concept of privacy is at the heart of e-business. In the Internet age, privacy means
the claim of individuals, groups, or institutions to determine for themselves when, how,
and to what extent information about them is communicated to others. When a site owner
accepts orders using its website, it will have to collect information from customers. The
aggregate data is a valuable business resource to be bought and sold, so that it leads to
abusing of customer records or spam e-mails. The failure to respond effectively to
privacy issues can result in adverse consequences that range from outright market
rejection, through regulatory enforcement action, to loss of data flow or to costly
Law & Policy
US: The US currently has no legislation specific to consumer data privacy protection,
as it prefers to rely upon the industry self-regulation approach to the guidelines of
Organization for Economic Co-operation and Development. In the US, the idea of selfregulation
on privacy seems to reign. Self-regulatory instruments for data protection do
exist within the US, including: (1) Platform for Privacy Preferences developed by the
World Wide Web Consortium; (2) the Online Privacy Alliance (OPA) set of guidelines
by an alliance of 60 global companies, such as Microsoft, Netscape, AT&T, Oracle, AOL,
Cisco, and Yahoo; and (3) the Direct Marketing Association. Moreover, there is the
Electronic Communications Privacy Act (ECPA) of 1986, which assigns fines and prison
sentences for anyone convicted of unauthorized interception and disclosure of electronic
communications such as phone calls through landlines or mobile systems and e-mail.
Canada: The country has a full range of legislation concerning the privacy problems,
include: (1) Privacy Act of 1985; (2) Privacy Impact Assessment Policy of 2002; and (3)
Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks.
Europe: On Oct. 25, 1998, the European Union's Consumer Data Directive came into
effect The Data Directive of the European Parliament and of the Council (95/46/EC) on
the protection of individuals with regard to the processing of personal data and on the
free movement of such data, is the basis for current data privacy principles in the EU. The
Data Directive was intended to harmonize the laws with respect to the transfer of data
between Member States and to determine the circumstances under which it is appropriate
or permissible to transfer data relating to EU citizens to other countries. The Data
Directive protects the privacy of all persons in the "processing" of their "personal data" in
instances where the processing is done within a Member State or is transmitted from a
Member State to a non-EU country. Before launching into the particular requirements of
the Data Directive, an understanding of certain terms used therein is essential.
Japan: Japan government has tended to favor self-regulation over legislation, and
throughout the 1990s government departments and self-regulation organizations also
released a range of privacy guidelines for both the private and public sectors: (1) In 1989,
the Ministry of International Trade and Industry released the “Guidelines Concerning the
Protection of Computer Processed Personal Data in the Private Sector”; (2) In 1991 the
Ministry of Posts and Telecommunications released its “Guidelines on the Protection of
Personal Data in Telecommunications”. (3) Japanese Direct Marketing Association's
released “Guidelines for Electronic Direct Marketing”; and (4) New Media Development
Association released “Guideline For Protecting Personal Data" in electronic network
China: There is no general data protection law in China. The provisions in some
related laws taken together provide a minimum legal protection of the privacy of the
citizen. The related laws include Civil Law and Criminal Law.
It was the case of America Online, Inc. v. Cyber Promotions, Inc., No. 96-462 (E.D.
Va. complaint filed Apr. 8, 1996). American Online, Inc. ("AOL"), its mail servers
swamped by undeliverable junk e-mail, received numerous complaints from its members
about unsolicited advertisements from Cyber Promotions, Inc. ("Cyber"). The cases have
their genesis in a letter dated Jan. 26, 1996, in which AOL advised Cyber that AOL was
upset with Cyber's dissemination of unsolicited e-mail to AOL members over the Internet.
In response, AOL blocked e-mail coming in from Cyber Promotions. Cyber then began to
file against AOL in response to AOL's "e-mail bombing" of Cyber's ISPs in US district
court in Pennsylvania. The case presents the novel issue of whether, one private company
has the unfettered right to send unsolicited e-mail advertisements to subscribers of
another private online company over the Internet and whether the private online company
has the right to block the e-mail advertisements from reaching its members.
Unresolved privacy concerns will leave the e-commerce at a cross-road. So we
suggest any business storing or processing personal data better comply with the principles:
(1) fairly and lawfully processing; (2) processing for limited purposes and not in any
manner incompatible with those purposes; (3) not keeping for longer than is necessary; (4)processing in line with the data subject's rights; and (5) not transferring to countries
without adequate protection.
Since in the US, data protection is largely based on self-regulatory initiatives, it is
recommended enforcing own e-business rules that clearly violate their guidelines. So,
firstly please have a Privacy Statement on your website, bearing:
(1) Notice: companies should provide clear and conspicuous notice about what
information will be collected, how that information may be used and to whom they
will sell or disclose the information.
(2) Consent: consumers can “opt in” before their personally identifiable information is
collected, used or disclosed. Consumers must be able to “opt out” when nonpersonally
identifiable information is collected.
(3) Access: upon request by a user, companies should provide reasonable access to
personally identifiable data and an opportunity to correct it.
(4) Security: companies should protect the security and confidentiality of information.
Notice of breaches in security should also be provided.
Secondly, when processing any personal data you should ensure that at least one of
the following criteria applies: (1) The individual has given consent; and (2) The
processing needs to be done for the individual to enter into a contract, or to have a
contract set up, or is necessary to comply with any legal obligation other than that
imposed by contract.
Finally, companies must take measures to secure personal data. It is required that
data controllers take appropriate technical or organizational measures to prevent the
unauthorized or unlawful processing, or disclosure, of data. The responsibility for data
security is not the sole ownership of the IT department. So, please have the employees
and company departments understand what they can and cannot do with personal data.
Where there is a complaint that you have processed others’ data as an infringement
by your e-business, the following points can be considered when defending:
(1) Processing is necessary to protect the vital interests of the data subject or another
person where consent cannot be given by the data subject;
(2) Processing is carried out for legitimate activities by any body which is not conducted
for profit or exists for political, religious or trade union purposes, and carries out
appropriate safeguards, relates only to members or regular contacts, and does not
involve disclosure without the consent of the data subject;
(3) The information has been made public as a result of steps deliberately taken by the
(4) Processing is carried out in the course of its legitimate activities by any body or
association which is not established or conducted for profit, and exists for political,
philosophical, religious or trade-union purposes;
(5) Processing is carried out with appropriate safeguards for the rights and freedoms of
(6) Processing relates only to individuals who either are members of the body or
association or have regular contact with it in connection with its purposes, and
(7) Processing does not involve disclosure of the personal data to a third party without
the consent of the data subject.
Limited, inconsistent industry self-regulation has failed to significantly advance
consumer confidence in online privacy. Increasing public concern and a trend toward
government regulation demonstrate why companies involved in e-commerce need to
consider self-regulation in addressing privacy issues. Self-regulation is important because
of the image of the e-commerce industry.
5. Security Issues
Technology and the Internet, however, have enabled hackers and virus to operate
faster and more efficiently. Being sued due to a major security flaw could seriously limit
or end an enterprise. The issues of security include: Secrecy, Authentication, and Message
Integrity. Secrecy means only sender and intended receiver should “understand” message
contents; Authentication means sender and receiver want to confirm identity of each other;
and Message Integrity means sender and receiver want to ensure message not altered
without detection. A tailored security policy should be formulated to ensure the success
Law & Policy
While the technology and the Internet is developing fast, current legislation fighting
against offensive technologies are still insufficient.
US: Both the federal and state governments have passed laws and policies in an
attempt to regulate crime, specifically hacking, on the Internet. Federal legislation include:
(1) the Computer Fraud and Abuse Act of 1986; (2) the Computer Security Act of 1987;
(3) the approval of Article 4A of the Uniform Commercial Code in 1989 by providing
that a bank could rely on security procedures as a substitute for the traditional time-tested
requirement of a signature; (3) Computer Security Enhancement Act of 1997; and (4) The
Electronic Signatures in Global and National Commerce Act of 2000.
Canada: Canada is working to establish a legal framework that will give Canadians
security and confidence to use the Internet as a place to communicate and to do business.
The legislation include: (1) The Personal Information Protection and Electronic
Documents Act of 2000; (2) The Uniform Electronic Commerce Act (UECA) of 1999;
and (3) The Uniform Law Conference of Canada, which it allows the use of electronic
signatures in communications with the government, and defines the equivalence between
traditional and electronic signatures.
Europe: Considering e-business security issues, EU has EC Directives on: (1)
Distance Selling (97/7/EC); (2) Data Protection (95/46/EC); (3) Electronic Signatures
(1999/93/EC); and (4) Electronic Commerce (2000/31/EC).
Japan: The Ministry of International Trade and Industry and the Ministry of Posts
and Telecommunications, joined by the Ministry of Justice, released a legislative
framework for electronic authentication. On 1 Apr. 2001 the Law Concerning Electronic
Signatures and Certification Services was enforced. The contents include mainly: (1)
presumption of the authenticity genuine establishment of electromagnet magnetic records;
and (2) provisions for accreditation of designated certification services.
China: China is also making progress in e-business as well as in the legislation
governing it. The Decision of the Standing Committee of the National People’s Congress
Concerning Maintaining Internet Security was adopted on Dec. 28, 2000. It lists
numerous acts that may be committed involving computer systems and the Internet and
provides that if such acts “constitute a crime” criminal liability will be investigated and
dealt with in accordance with the relevant provisions in the Criminal Law.
It was the case of US v. David Smith, Case Number 2:99-CR-730-01 (US District
Court of New Jersey, 1999). In Mar. of 1999, David Smith created a "computer virus",
known as the "Melissa" virus, designed to evade anti-virus software and to infect
computers that used certain word processing computer software programs (hereinafter
"word processing programs"). On March 26, 1999, after accessing an Internet account
that he was not authorized to use, he posted on the newsgroup "Alt.Sex" a message with
an attachment infected with the "Melissa" virus. David Smith was arrested on 1 Apr.
1999. He was accused of unleashing the "Melissa" computer virus pleaded guilty to both
state and federal charges, and sentenced to 20 months in federal prison. The Judge also
ordered that, upon release, Smith can not be involved with computer-related jobs.
Implementing a comprehensive and properly managed security policy can
substantially reduce the risks, which come from both internal and external sources. A
combination of software and hardware security solutions, together with a security aware
culture at all levels within the company is an essential. It is imperative that a security
policy must be robust enough to protect the business, but flexible enough to be workable.
Management should employ the tools, mechanisms, and supervision necessary to ensure
that they can:
(1) Verify a digital signature;
(2) Authenticate the identity of all parties to the application or communication;
(3) Protect the traffic from modification, destruction, interference, or inappropriate or
(4) Ensure that the business can continue to operate in the case of technology failures;
(5) Recognize variances from the intended use, operation, or behavior of systems and
take timely and effective corrective action.
Insecure passwords, disgruntled employees, viruses, inappropriate use of e-mail and
even casual mistakes, are all common internal security problems, whilst external threats
are often introduced by the Web or e-mail. Identifying the company’s key assets will
reveal all associated risks and this is the first step to deciding on the most effective
security design tailored to an individual business’ needs.
There are a number of security procedures that can be used to assist in establishing
trust for electronic communications. These include: (1) a digital signature; (2) replies and
acknowledgments; (3) repeat-back acknowledgments; (4) date/time stamping; (5) the
use of trusted third parties; and (6) encryption.
However, to protect from external security threats, preparations in technologies and
management are also have to be made beforehand: (1) setting up a proper network
structure; (2) keep watching on hackers by intrusion detection; (3) keep watching on
virus; (4) adopting advanced security technologies; (5) e-mail and web usage; and (6)
considering of wireless security issues if the e-business will go to mobile.
Finally, educating users about the value of security and supplying appropriate
training is also an essential. And to ensure these policies are taken up, senior management
should be involved.
To defend cases arising from e-business security disputes, there are two concerns
mainly: One is authenticity, which concerns the source or origin of a communication. A
party entering into an online transaction in reliance on an electronic message must be
confident of the source of that message. When a dispute arise, the party better retained
records of all relevant communications pertaining to the transaction and keep those
records in such a way that it can show that the records are authentic. The other is integrity,
which concerns the accuracy and completeness of the communication. For example,
consider the case of a building contractor who wants to solicit bids from subcontractors
and submit its proposal to the government online. The building contractor must be able to
verify that the messages containing the bids upon which it will rely in formulating its
proposal have not been altered.
The terrorist attacks of September 11th transformed security into a front-burner issue.
But defensive measures to protect business systems and information from external attacks
and internal compromise are only one aspect of security. In essence, a technical problem
has become a legal issue. Recent case law brings even greater security and encryption
challenges. In the future, since we will see an increase in e-Banking and more financial
transactions on Internet, legal entities have to learn more on security technology trend.
6. Assure that Transactions Are Enforceable
For every e-business transaction, we must address the basic question of whether this
particular transaction will be legally valid and enforceable if done in electronic form. A
contract is a legally enforceable promise. Because an e-business transaction does not bind
parties in the same manner as a physical-world transaction, it is important to ensure
enforceability wherever and whenever disputes arise. Considering of future disputes or
legal problems, this question is certainly an important issue when running the e-business.
To answer this question, we must focus on the requirements for enforceability that arise
solely because of the electronic nature of the transaction.
Law & Policy
US: In the US, the enforceability of electronic transactions is primarily governed by:
(1) The Electronic Signatures in Global and National Commerce Act (E-SIGN), which
was enacted by Congress in 2000 and largely preempts inconsistent state law; and (2) The
Uniform Electronic Transactions Act (UETA), which was finalized by the National
Conference of Commissioners on Uniform State Laws in 1999.
Canada: In 1999, Uniform Law Conference of Canada approved the Uniform
Electronic Commerce Act (UECA), which was created as a model electronic transactions
law. At present, all provinces and territories in Canada, except for Quebec, have either
proposed or passed an electronic transactions law based on the UECA. In 2001, the
province of Quebec enacted e-commerce legislation that differs from the UECA in certain
respects. These efforts have established a stable legal framework for electronic commerce
in Canada. The UECA model law addresses many key issues, including the functional
equivalence of electronic documents, electronic signatures and online contracting.
Europe: EU adopted the Electronic Commerce Directive (2000/31/EC) on 17 Jul.
2000. EU member states must implement its requirements in their national legal systems
by 17 Jul. 2001. The E-Commerce Directive attempts to harmonize the law relating to
electronic contracting in the EU. Pursuant to this goal, the E-Commerce Directive sets
forth rules which ensure the legality, validity and enforceability of electronic contracts.
Moreover, in the EU Directive on Digital Signature (1999/93/EC), the electronic
signature must possess certain attributes or meet certain requirements before they will be
Japan: The general rule under Japanese law is that a contract becomes effective
when the acceptance is dispatched unconditionally by the “offeree” (the person offers) to
the “offeror” (the person takes the offer). Japanese law generally does not require any
formalities for offers or acceptances to be valid as such. If there is enough evidence
establishing that the offeree agreed to the terms offered, an offeror may rely on it. In most
simple sales contracts for consumer goods, for example, it would be easy to prove that
the customer agreed to pay for the product. The seller's electronic records showing that
the customer clicked on the icon to buy the product should be enough in this context.
China: Under the new PRC Contract Law that took effect on October 1, 1999,
contracts can be validly formed through the exchange of “data messages,” including
telegrams, telexes, facsimiles, electronic data interchanges (EDI), and e-mails. Where
contracts are required to be made in writing under PRC law, contracts formed through the
exchange of data messages are deemed to be written contracts. While the PRC Contract
Law has provided a legal foundation for electronic contracting, there is currently no legal
framework for the use of digital signatures in online contracts.
It was the case of Parma Tile Mosaic & Marble Co. v. Estate of Short, 663 N.E.2d
633 (N.Y. 1996). Parma Tile contacted general contractor MRLS Construction at the
suggestion of subcontractor Sime Construction. Parma Tile hesitated to enter a contract
with Sime absent a guaranty. MRLS faxed a document which Parma Tile contended was
a valid guaranty. Parma then delivered ceramic tile to Sime Construction. The death of
Sime's principal led Parma Tile to demand MRLS satisfy Sime's unpaid invoices. MRLS
refused to pay and claimed the faxed document was not a valid guaranty. Parma instituted
a lawsuit against MRLS to recover the amount Sime owed Parma on the contract. Parma
contended that the faxed document MRLS sent was properly subscribed because MRLS
Construction's fax machine was programmed to automatically-imprint the company name,
company telephone number, time, and date. This imprint appeared on the receiver's copy
only. MRLS contended that the automatic imprint did not meet the New York Statute of
Frauds' subscription requirement asserting that the fax was merely a proposal for a
guaranty. The case suggests writings transmitted through e-mail, bearing no
authenticating symbol other than an automatically-generated identification, do not satisfy
the subscription requirement.
Most laws contain requirements that transactions be documented in "writing" and be
"signed", raising concerns that this requires ink on paper and, thus, that electronic
communications do not meet appropriate legal requirements for writing and signature and
will not be enforceable. Moreover, non-negotiated contract terms establishing a clear
imbalance between the rights and obligations of contracting parties in consumer
transactions should be non-enforceable by business parties.
Generally, under the common law, the courts look more favorably on agreements
between parties regarding evidentiary matters that are entered after litigation has
commenced than on pre-litigation contracts. However, courts do uphold many prelitigation
contract provisions that affect later litigation matters.
Based on the current legislation being proposed and enacted in the US and
internationally relating to electronic transactions, the question of enforceability requires
that the parties focus on the following questions:
(1) Authorization: Does the law allow this type of transaction to be conducted in
(2) Consent: Statutory provisions requiring consent of all the parties to doing the
transaction in electronic form before electronic transactions will be considered
(3) Signature: A signature can be used to ensure document integrity.
(4) Record keeping: It requires the documents be communicated in a form that can be
retained and accurately reproduced by the receiving party.
(5) The site owner needs to prescribe the terms upon which its site can be used.
When defending on whether it is enforceable, the e-business owner can stand on the
(1) Ensure there is legal recognition of its trade before it commences a transaction;
(2) Identification is crucial, since a transaction is only enforceable against the person
who entered into it;
(3) Avoiding the problem with including links to the sites of others is that a site owner
may be taken to have endorsed the statements or products in that other site.
The legislation developments reveal a piece of good news for electronic contracts.
While the legislative trend is to enforce such contracts, care must be taken in drafting and
implementing electronic contracts to ensure that assent is clear and that the terms are
reasonable. There is a current trend toward implementing, by a click agreement, the use
of the site approach. In a click agreement, strict contractual prohibitions on the use of
information contained in a web site are common even when the subject information
would not be protected under copyright, trademark or unfair competition laws. The
danger of such contracts is that all information would become proprietary, when the
clickwrap contracts are enforceable.
7. Global Legal Environment For e-Business
Many businesses only have experience of operating within a single jurisdiction, under
a uniform legal system. Since e-business is global, its activities must be conducted
against a wide variety of legal backgrounds. Jurisdiction is a legal term for the limitation
on the ability of a court to determine disputes. There are a number of jurisdictional
difficulties in selling goods and services over the Internet, because different laws may
produce unexpected effects. The result can be that the transaction is unenforceable, or
customers are entitled to refunds.
Law & Policy
This field is the most confusing topic when we discuss the "legal and IP concerns of
e-business management." Because the previous legislation problem can be discussed only
in the range of one-country, however this issue has to be addressed between countries,
and different legal systems.
US: Differing standards may also exist between apparently similar jurisdictions. This
problem of variable standards also applies in varying degrees to other types of activity, in
particular to regulated advertising such as that used in the financial services,
pharmaceuticals, and arms industries. As a general matter, choice of law would be upheld
in consumer contracts for US law.
Europe: In EU Electronic Commerce Directive (2000/31/EC), it sets that company’s
principal place of business decides which government may regulate contract. Some
jurisdictional rules as established in the recently adopted Council Regulation on
Jurisdiction and the Recognition and Enforcement of Judgements in Civil and
Commercial Matters (hereinafter the Brussels I regulation), due to enter into force on 1
March 2002 between all Member States of the EU with the exception of Denmark. The
basic principle is that jurisdiction is exercised by the Member State in which the
defendant is domiciled, regardless of his or her nationality. As a result, one could
reasonably expect that, as long as a consumer has his or her permanent domicile on the
territory of a Contracting state, the e-commerce contract can be concluded not only from
this domicile in one of the Union states, but also while the person is on a business trip to
another non-EU country.
US~EU: US and EU have difference systems in e-business legislation, so the
relationship between the two systems is discussed here. The European Commission’s
Directive on Data Protection went into effect in Oct. 1998, and would prohibit the
transfer of personal data to non-European Union nations that do not meet the European
“adequacy” standard for privacy protection. However the United States uses an approach
that relies on a mix of legislation, regulation, and self-regulation. In order to bridge these
different privacy approaches and provide a streamlined means for US organizations to
comply with the Directive, the US Department of Commerce in consultation with the
European Commission developed a "safe harbor" framework. The Safe Harbor -
approved by the EU in July of 2000 - is an important way for US companies to avoid
experiencing interruptions in their business dealings with the EU or facing prosecution by
European authorities under European privacy laws. Certifying to the safe harbor will
assure that EU organizations know that your company provides “adequate” privacy
protection, as defined by the Directive.
Japan: Under Japanese conflict of laws rules, whether displaying products in a
virtual mall or clicking on an Accept-to-Buy icon constitutes an offer or acceptance,
whether a contract is formed by such acts, and the law applicable to these issues, are all
determined by the parties’ choice of governing law. In the absence of a choice by the
parties, the applicable law would be the laws of the place of the conduct. Thus,
determination of the place of the conduct is an important issue in Japanese conflict of
China: Since China's currency, the Renminbi, is not yet freely convertible, and
conversions between it and foreign currency and remittances of foreign currency into and
out of China are transactions subject to regulatory scrutiny. At a minimum, the parties
may need to enter into a supplementary written contract for currency remittance purposes.
Upon China’s accession into the WTO, it is developing the telecommunications and
computing infrastructure necessary to compete in this marketplace, as well as legislation
for e-business cross-border.
Universal City Studios v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000) (Universal
City Studios v. Reimerdes Case, 2001, November 28): The case involved a dispute over
technology known as "DeCSS", which was designed to circumvent CSS, an encryption
device that protected movies stored on Digital Video Disks (DVD). DVDs are 5-inchwide
discs that hold full-length motion pictures, which is the most current technological
advancement for private home viewing of motion pictures. The defendant in the case
initially posted the DeCSS on his website; when a lawsuit was filed, he removed the
DeCSS code and posted links to "mirror sites" where users could access the code. The
plaintiffs, members of the motion picture industry, sought an injunction against both the
postings and the links.
The court's analysis offers worthwhile insights. Judge Kaplan adopted explicitly the
reasoning that defendants should not be able to circumvent an order against their posting
of unlawful materials by removing the posting and offering a link. In the case, this court
has personal jurisdiction over the Defendants in that each Defendant either resides or has
his principal place of business in the State of New York.
Doing business on the global market, however, should overcome many new kinds of
legal obstacles. Activities that are lawful in the home country may be unlawful elsewhere.
It is necessary to identify two categories of electronic commerce: On one hand there is
the trade with physical goods and services and, on the other hand, the trade with
electronic materials. This basic distinction leads to a further division of e-commerce
contracts: In the former case, the Internet is being used as the medium to communicate
and sometimes to even conclude a contract, while in the latter event the Internet
represents the place where the performance takes place.
One possible way to avoid the jurisdiction problems would be the inclusion of a
forum choice clause in the initial contract. While being able to apt for the jurisdiction of a
certain court, the parties may at the same time choose to solve their future dispute before
an out-of-court panel. It is reasonable to evaluate the costs of compliance with
contradictory requirements of national laws whether or not economic, as in the case of
multiple registration and regulation of financial services.
Generally speaking, the best method to meet the multi-jurisdiction system problem is
to investigate and assessing the impact of foreign laws, and assisting in devising a
strategy for global compliance.
Firstly, it is not enough, however, to display the standard terms of trade on the
website because online contracting raises new issues about the enforceability of contracts.
The content of terms and conditions needs to be assessed for global effectiveness. New
issues, such as when electronic messages become legally effective or when payment can
be deducted, must be addressed with care.
Secondly, cross-border data flows have become problematic, especially since the EU
directive on data protection came into force. Technology only partially assists in
preventing a site from being available in a particular jurisdiction: orders can be rejected
by vetting software but it is not possible to prevent access to a site from users physically
located in a particular geographical area. This is because users’ own electronic
communications can mask their origin. The only way to avoid such a situation is to
clearly state that the products are not intended for a certain market.
Thirdly, comply to “Safe Harbor” principles when doing e-business with EUcountries.
In the United States, determining whether personal jurisdiction exists is a two-step
process. First, the court must assess the particular facts and circumstances of your
situation. Then, it must decide whether the exercise of control over the case by that
particular court would comply with the “Due Process Clause” of the United States
(1) Facts and Circumstances: In examining the unique facts and circumstances of each
case, a court will examine whether or not it has one of two types of jurisdiction:
“general“ or “specific”: a) General Jurisdiction, which means a court may exercise
general jurisdiction you when you are physically present in a court's forum; or b)
Specific Jurisdiction, which might include transacting business, committing a tort, or
committing a tort outside of a court's forum, which results in injuries within a court's
(2) Due Process: Generally, due process is satisfied where you have enough minimum
contacts with a forum so that requiring you to defend your interests
Personal Jurisdiction is a problem on the Internet. Just because you have a website
does not mean that you can expect to have to defend myself anywhere where the website
can be accessed. So, the domicile of party, the location of the website host, the resource
and target of electronic messages are to be concerned.
We can see across the threshold to the rapidly expanding territory of e-commerce.
Keeping aim at the target of a legally uniform e-commerce world, international
differences regarding the legal environment for e-business must be resolved if the dream
of a dynamic global marketplace is to be fully realized. However, jurisdiction on the
World-Wide Web has earned its name and will present many interesting questions in the
America Online, Inc. v. Cyber Promotions, Inc., No. 96-462 (E.D. Va. complaint filed
Apr. 8, 1996).
A&M Records, Inc. v. Napster, 114 F. Supp. 2d 896 (N.D. Calif. 2000), 192 F.3d, 239
F.3d 1004 (9th Cir. 2001).
Parma Tile Mosaic & Marble Co. v. Estate of Short, 663 N.E.2d 633 (N.Y. 1996).
State Street Bank & Trust Co. v. Signature Financial Group, 149 F.3d 1368 (Fed. Cir. Jul.
Universal City Studios v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000).
US v. David Smith, Case Number 2:99-CR-730-01 (US District Court of New Jersey,
1999). Retrieved from http://www.usdoj.gov/criminal/cybercrime/meliinfo.htm.
WIPO (2000, January 14). First Cyber-squatting Case under WIPO Process Just
Concluded. Press Release PR/2000/204. Geneva, January 14, 2000. Retrieved from