Solicitor (England & Wales), Warsaw, Poland
The law on e-services of July 18, 2002 (the ‘‘law’’) (Dz.U of 2002, No.144, item 1204) came into force on March 10, 2003 after a vacatio legis of six months. This law implements the provisions of Directive 2000/31/ EC of the European Parliament and of the Council of June 8, 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (Directive on electronic commerce). But some matters contained in the Directive on electronic commerce, for example, the manner of concluding contracts with the aid of electronic means, are to be implemented through recent amendments to the Civil Code which will come into force on September 25, 2003.
Furthermore, the law in its chapter on the processing of personal data also implements Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). The law aims to bring a great degree of security for the consumer using e-services by ensuring that personal data thus provided is subject to clear rules of data protection. The law effectively bans the sending of commercial information through direct marketing efforts unless there has been prior consent by the recipient to receive such information. Otherwise, such ‘‘spamming’’ is deemed to be unfair competition, which is subject to a fine.
Definition of e-service
The basic concept of the law is ‘‘provision of service by electronic means’’ (e-service). This is defined as performance of a service which occurs on the individual order of the service recipient by means of the sending and receiving of data with the aid of electronic means, without the simultaneous presence of such parties and where the data transmitted is by means of public networks within the meaning of the telecommunications law. This concept is in line with the concept of ‘‘information society services’’ contained in the Directive on electronic commerce. This definition is incomplete as the law itself also extends to regulating those e-services which consist of data storage (hosting).
Thus, the law does not apply to e-services provided within non-public networks for exclusive use of its users (e.g. intranet) and the sending and receipt of emails between natural persons for private purposes which are not connected or incidental to the business activities of such persons. The distribution of television and radio programming containing text messages are outside the ambit of the law, but it does apply to e-services provided via integrated television and internet transmissions, as well as to mobile telephone operators delivering text messages (SMS) to their subscribers. Also excluded are ATM banking services, electronic ticket sales, parking metres, point-to-multipoint transmissions, inter-bank settlements, credit cards, and e-money. Specifically, credit card and e-money transactions are covered by the Law on Electronic Payments Instruments of September 12, 2002 and as to matters which are not covered by that law, e.g. personal data protection, then this law applies.
The law also does not cover off-line purchases of, for example, CD-ROMs containing databases of goods and services. Telecommunications services are also excluded where the services are either data or signals between end points of telecoms networks as long as the operator does not initiate the transmission, does not choose the recipient nor deletes or modifies the data. Mere technical modification is allowed. This area is subject to recent legislative work on amending the telecommunications law.
Duties of provider
The e-services provider is defined as either a legal person, natural person or an organisational entity without legal personality who in conducting, however incidentally, a business or professional activity performs e-services. While an e-services recipient is either a natural person, legal person or an organisational entity without legal personality who uses e-services.
A provider must disclose full information about itself to the recipient:
- electronic addresses; and
- name, place of residence, address or name of firm, its seat and address.
If the provider conducts a registered business activity, then it must also provide information as to its relevant permit if the provision of such service requires a permit. Where the provider is a natural person whose right to perform a given profession is dependent on fulfilling certain requirements specified in other laws, then the following must also be provided:
- in case a representative is appointed, the name and surname, place of residence and address or his firm name, seat and address;
- self-governing business association of which he is a member;
- professional title which he uses and the country where it was granted;
- public registration number where he is entered, together with the name of register and the organ maintaining such register; and
- information on the existence of professional ethics principles for the relevant profession and the manner in which these can be accessed. This last provision of the law will come into force on Poland’s European Union accession next year.
The law allows for fines in case a provider fails to provide required data to the recipent, or where such data is incomplete or erroneous.
The law uses the concept of ‘‘commercial information’’. This is defined as each piece of information whose purpose is directly or indirectly to promote goods, services or image of a business entity, or a person performing a profession whose right to perform such profession is dependent on fulfilling requirements specified in other laws. This definition excludes information which enables communication via electronic means with a specified person, and information on goods and services which are not aimed at achieving commercial effect for the entity which orders its distribution, particularly where there is no remuneration or other benefits from manufacturers, sellers and those providing services.
Consent of recipient
Unordered, i.e. unsolicited, commercial information is subject to a fine. Redress for this breach is on motion of the person thus wronged. Such consent cannot be implied or assumed to be given when declared in words that have another content. After consent has been given it can be withdrawn at any time. The provider should keep written consent thus received for evidentiary purposes. The consent requirement also applies to mobile telephone operators sending promotional text messages to their subscribers or when such messages are attached to SMSs sent by other persons.
The provider will be responsible for its contents and delivery on a general basis, but is excluded from any civil or criminal liability when its activity is limited to a simple transmission of data, and it is automatic and limited in time storage where this data is not under its control. The General Inspector of Personal Data Protection is given authority to control the personal data of persons using e-services and the manner in which such data is collected.
Additional duties of provider
The recipent should also be given access to information regarding the specific dangers connected with the e-service. He should also have access to information regarding the function and aims of computer programmes or data, which are used by the provider and which are not part of the contents of the e-service.
The provider is required to prepare terms and conditions of his service which must be made available at no cost to the recipient. Also, when the recipient so requests, it must be provided in such a form that allows it to be received, displayed and stored by such technical means that are used by the recipient, before the contract for such services is concluded. If this is not done, the recipient is not bound by the contents of the terms and conditions.
The terms and conditions refer specifically to the type and scope of the e-service, the conditions of such e-service including the recipient’s required technical parameters that are indispensable for making use of such service. These should also contain a prohibition against providing contents of an unlawful character, conditions for concluding and terminating e-service contract and the procedure for lodging complaints.
No liability for mere conduit
No liability is attached to a provider who sends data but is not its initiator, does not select recipients of the data and does not remove nor modify the data which is subject to the transmission. This also covers automatic and short dutation indirect storage of data (caching) if this activity has as its aim solely data storage, and the data is not stored for longer than is necessary for completing the transmission.
Also, liability is excluded where a provider ensures automatic and short indirect storage of data in order to speed up renewed access to these on demand of another entity. For this exclusion to apply, the provider cannot delete or modify the data and uses approved and ordinarily used technical means for this type of activity, which do not interfere in the collection and use of this type of data. A provider will also not be liable if in meeting these conditions he removes without delay or disables access to the stored data on receipt of a message that the data has been removed from the initial source of transmission or access to it has been disabled. There will be the same result if a court or another appropriate body orders the deletion of such data or disables access to it.
A provider who stores data with the aim of allowing access to it (hosting) is not liable for their storage if such entity had no knowledge that the contents of such data were of an unlawful character or was connected with unlawful activity. The provider will not be liable if, without delay, he disables access to such data on learning by official means or from reliable information that the data is of an unlawful nature. It will not be liable to the recipient for any damages resulting from being denied access to such data. If, however, he proceeds to deny access to the data on receipt of only reliable information, then it must first inform without delay the recipient that it intends to deny access to the data in order to escape liablity for damages caused to the recipient by such denial of access.
Rules of personal data protection
Unless the provisions of the law provide otherwise, the Law on Protection of Personal Data applies to the provision of e-services. Thus, the law’s provisions on data protection constitute lex specialis. Personal data protection of an e-services recipient is subject to the provisions of the law, regardless of whether or not such data processing is conducted in databases.
The law specifies the aim and scope of such personal data processing. The following personal data of the e-services recipient may be processed:
- name and surname;
- personal evidentiary number (PESEL);
- address of permanent residence;
- address for correspondence if it differs from permanent residence;
- data serving to verify electronic signature; and
- email address.
The provider may process other data if they are indispensable to the conclusion of the contract or other activity of a legal character for reasons of the type of service or the manner of its settlement. This indispensable data should be distinguished from the personal data listed above. Other data which is not indispensable may also be processed for aims allowed under the law if consent for such processing has been granted by the recipient.
The provider may process the following data on how the e-services recipient has used such services:
- personal data identification on the basis of personal data listed above;
- identification of end-use telecommunications network or computer system;
- information on the commencement, completion and scope of each use of the e-service; and
- information on the use of the e-service.
Renewed data processing
The provider cannot resume personal processing of the recipient on the termination of such service. However, it may process data which is indispensable for settlement of the service or for measures to insure settlement. Renewed processing is also allowed with the consent of the e-recipient where the data is indispensable for the purpose of advertising or market research, as well as establishing the behaviour profile and preferences of the recipient if such results are to be used in improving the quality of such service. Such data processing may also be conducted when it is indispensable for clarifying prohibited use of the e-service. This would be in a situation where the recipient had not adhered to the terms and conditions or existing provisions, and it is indispensable for establishing the recipient’s liability.
The results of this must be kept for evidential purposes.
Renewed processing is also permissible on the basis of other laws or contract. This general ban on renewed processing means that an email address and other contact details may not be used in further direct marketing campaigns unless express consent has been given. The Polish legislator has thus chosen an ‘‘in-opt’’ regulation to control spamming, unlike the Directive on privacy and electronic communications which allows an ‘‘opt-out’’ regulation, i.e. spamming is prohibited only if the provider has received an express objection from the recipient as to receiving such unsolicited information.
The law introduces e-services regulations which were not previously present in Polish legislation and which are in line with EU law developments in this area. However, as this area continues to develop at the EU level, it is likely that this law will soon need amending. Nevertheless, some aspects of this law have been criticised as perhaps unnecessarily hampering the potential of the internet to find new customers through inexpensve means, such as direct marketing. While everyone dislikes spam mail, the ambit of commercial information as defined in the law seems far too wide. Also, adopting the ‘‘opt-in’’ solution rather than a simple ‘‘opt-out’’ will definitely restrict advertising and direct marketing of goods and services which are tailor-made for e-service technology.
First published in European Newsletter, combining Eastern European Newsletter, Issue 4, May 2003, Sweet & Maxwell, UK.
The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.