Electronic Commerce Law: Privacy, Data Protection, and Cybersecurity

Electronic Commerce Law: Privacy, Data Protection, and Cybersecurity
Introduction
Most commercial activity is governed by state law, which makes it difficult and confusing for individuals to do business through electronic commerce (e-commerce) platforms. In essence, the legality of the transactions and the enforceability of contracts will be determined by law. For some businesses and individuals, engaging in contractual agreements through e-commerce may face such hurdles as verifying signatures and making online contracts legally binding and legally enforceable. For this reason, the development of e-commerce law can be seen as a mechanism to facilitate online transactions while, at the same time, protecting the users of such platforms. E-commerce law can be a broad subject due to the multiple aspects it covers. In this research, the focus will be on the legal issues surrounding data protection, privacy, and cybersecurity as they related to e-commerce.
To accomplish the purpose of this research, a brief overview of e-commerce is presented to lay the foundation for the research. secondly, a description of the legal issues in e-commerce helps paint a picture of why the various e-commerce laws are a necessity. Additionally, this section will reveal the progress in legislation regarding online commerce. The other three sections will cover privacy and data protection laws, and cybersecurity laws in terms of how they apply to e-commerce. In these sections, the evolution of the legal efforts and the efficacy of the laws, as well as the remaining gaps will be explored.
Overview of Electronic Commerce
The emergence and proliferation of the internet and digital devices have transformed modern society across all pillars of human life. Business activities have been affected tremendously, both in positive and negative ways. The positive implications have included the introduction of new platforms on which to conduct businesses – e-commerce. The term ‘e-commerce’ can be defined as the use of the internet and networks to sell, purchase, transport, or trade in services, goods, or data. However, this definition offers only a narrow perspective on the scope of activities that can be conducted on these platforms. As such, an alternative term with a broader perspective is e-business, which includes all the aforementioned e-commerce activities in addition to collaborating with business partners, servicing customers, e-learning, and e-transactions. Even though these two terms can be used interchangeably, it is important to emphasize that their usage refers to engagements across online platforms that have a commercial value. As a result, even such activities as customer data management, social media marketing, and online shopping are all included in the conceptualization of e-commerce.[Efraim Turban, et al. Introduction to Electronic Commerce and Social Commerce. Cham: Springer, 2017.]
E-commerce can take many forms and typologies depending on the extent of digitization of the business activities. As a result, there is pure e-commerce and partial e-commerce. Pure e-commerce entails where all aspects of the transition are digital: ordering, payments, delivery, and order fulfillment. Partial e-commerce comprises at least one digital aspect, for instance, ordering online but payments and pickups are done manually. An example of pure e-commerce is Amazon since all interactions between the buyers and the firm are digital. Consumers order and pay online, after which the company fulfills the orders and delivers them to the customers. In this case, Amazon can also be categorized as an e-commerce organization as opposed to the traditional brick-and-mortar firms with a physical presence. It is important to distinguish between e-commerce organizations and electronic markets and networks. The former simply refers to a singular entity with its own platforms. On the contrary, e-marketplaces and networks comprise buyers and sellers interconnected through the internet. In this case, several organizations can be part of a network where consumers conduct their shopping. Such social media sites as Facebook have marketplace applications, which simply entail a page where sellers and buyers come together to transact.[Ibid.]
A marketplace comprises several stakeholders with different relationships with one another. In the description given above, businesses and customers are regarded as the key players. These tend to form business-to-customer (B2C) relationships. This classification means that companies produce goods and/or services to be offered directly to the consumers. In many cases, B2C transactions are retail by nature, considering that retailers form the components of a value chain that is closest to the consumers. Amazon is an online retailer (e-tailer) operating a B2C e-commerce model. Businesses also have a relationship between themselves, especially within a supply where intermediate businesses purchase and sell to other businesses before the final product can be sold to the customer. In this case, a business-to-business (B2B) relationship is established, even in an e-commerce setting. The B2B e-commerce transactions are on the rise and have already surpassed the B2C transactions. Indeed, around 85% of e-commerce is B2B. customer-to-business (C2B) can be considered a reverse of B2C e-commerce. However, this arrangement involves individuals using the internet to sell services and products to individuals and organizations.
Overall, e-commerce presents a paradigm shift in business transactions from brick-and-mortar organizations to virtual firms that transact through digital mechanisms. Since its emergence, e-commerce has presented policy-makers with a puzzle that is increasingly difficult to solve, especially when implementing business laws regarding e-commerce. A key question that needs to be addressed is how business laws apply to online transactions and how enforceable they can be. Some of the legal and regulatory issues in e-commerce will be discussed in the section that follows.
Legal Challenges in E-commerce
All business activities and transactions are regulated by the government. The regulation of business is often intended to protect the consumers from such vices as exploitation and other forms of harm that companies can inflict on consumers. The development of e-commerce has subjected customers to greater risks, which include a weaker bargaining power regarding their rights. Legal protection and consumer security in e-commerce have been one of the major legal challenges faced by countries worldwide. Rogue businesses can adopt online platforms to sell faulty products or to defraud customers. In conventional business models, consumer protection has been made possible by the physical presence of a business, which means disputes are easier to resolve. In e-commerce, virtual firms with no physical presence make it difficult to reach out to the relevant individuals in the case of disputes.[Abdul Djumadi, ‘Does Self-Regulation Provide Legal Protection and Security to E-Commerce Consumers?’ (2018) 30 Electronic Commerce Research and Applications 94-101.]
Besides customer protection, business laws often seek to regulate such issues as taxation. In such countries as the United States, the courts and policymakers have often struggled with this aspect, which illustrates why it is difficult to use conventional business laws to govern e-commerce practices. One of the most landmark Supreme Court cases involved Quill Corp and North Dakota, where North Dakota’s tax commissions tried to force Quill Corp. to collect tax on behalf of the customer residing in North Dakota. The company argued that it did not have a physical presence in North Dakota, a position that was also upheld by the Supreme Court. A physical presence has often been the basis on which many business laws are enforced. However, e-commerce presents a scenario where businesses do not need a physical presence to operate, which means that enforcing certain laws becomes increasingly difficult. In a similar ruling involving National Bellas Hess and the Department of Revenue, the Supreme Court ruled that sellers whose only connection with consumers in the state is by common carrier lacked the required minimum contact with that state. As such, it is important to acknowledge the virtual nature of e-commerce businesses presents a major legal hurdle for governments.[Quill Corp. v. North Dakota [1992] 504 U.S. 298.] [National Bellas Hess, Inc. v. Department of Revenue of Ill. [1967] 386 U. S. 753.]
The issue of physical presence presents an even greater challenge when it comes to cross-border transactions, especially when addressing jurisdictional issues. International e-commerce has great strategic importance to global economic integration. However, countries have found it difficult to unify cross-border e-commerce laws. In many cases, developing domestic legislation regarding cross-border e-commerce needs to focus on three basic principles. First, the e-commerce laws should eliminate the barriers to the development of an e-commerce legal system. In other words, the laws should be adapted to the needs of e-commerce, especially the traditional rules that do not fit within the e-commerce context. To illustrate the need to adjust laws, a computer fraud case involving Van Buren ruled that with authorized access are necessarily prohibited from using information for improper purposes. Such is a legal loophole that does not offer adequate protection to users, especially from internal threats.[Min Wang, ‘Establishment of an International Legal Framework for Cross-Border Electronic Commerce Rules: Dilemmas and Solutions’ (2017) 11(2) World Customs Journal 61-75] [Van Buren v. United States [2021] 593 U.S.]
Second, coordination should be pursued between the various stakeholders in international e-commerce. International trade agreements and organizations offer a perfect platform on which to achieve coordinated e-commerce laws. Lastly, security protection is critical due to the insecurities that online platforms present to users. Van Buren v. United States [2021] 593 U.S. serves as an example of the extent to which the security legislation has to change to become effective.
Privacy and Data Protection
Privacy and data protection are terms that can be used synonymously or separately to mean two different things. Data privacy focuses on access to data, while data protection is more concerned with policies and tools restricting access to the data. Regardless of the usage, these terms are critical in e-commerce law because they present a legal challenge for both policymakers and businesses. In some cases, even the government finds challenges navigating through the privacy and data protection laws. For example, Carpenter v. the United States ruled that a government must obtain a warrant to access sensitive data on a person’s cellphone location data. Such regulation is based on the Fourth Amendment, which protects citizens from unreasonable searches and seizures. This means that surveillance by the government is unconstitutional, which also applies to any other entity seeking to access sensitive data about a user.[Carpenter v. United States [2018] 585 U.S.]
Conducting e-commerce means having to exchange data between users and entities. For example, registering an account with an e-commerce business may involve providing personal details, including contacts, identification, and home addresses. Emails and phone numbers can be considered sensitive data, but even more sensitive information may include social security or credit card numbers. The protection of digital data can be achieved through ensuring integrity and authenticity, which ensures that only accurate data is collected and stored. This also means that anyone accessing such data is guaranteed to have true information regarding users and could use the data for improper purposes. Integrity ensures that data is not tampered with while authentication involves verifying the data content. However, the most important requirement regarding this data is that it is kept confidential and non-repudiated. In other words, possessing user data does not grant the firm the liberty to disclose the data or share it with third parties. Even the use of the data is highly regulated to ensure that users of online platforms are effectively protected.[Omar Tayan, ‘Concepts and Tools for Protecting Sensitive Data in the IT Industry: A Review of Trends, Challenges and Mechanisms for Data-Protection’ (2017) 8(2) International Journal of Advanced Computer Science and Applications 46-52.]
Data protection is an issue that has had historical significance in such regions as the United States, Europe, and Australia. The current literature indicates that countries have been trying to deal with data protection legislation for almost three decades. For instance, the European Union (EU) formulated the 1995 Data Protection Directive to regulate how personal data is processed across Europe. For decades, data protection has been a basic right in the Eu, which has been separate from the right to privacy. Therefore, the EU provides one of the best frameworks for data protection since it is comprehensive and considers all aspects that require protection. In other words, it is not just sensitive and embarrassing information that has to be protected. On the contrary, the EU data protection laws extend its scope to employers’ storage of outdated files. The law also offers guidelines on how to balance the right to data protection when this right conflicts with other fundamental rights. Most importantly, the EU Court of Justice has made several rulings based on the 1995 Directive, including invalidating the Safe Harbor arrangement that sought to govern data transfers between the EU and the United States.[Directive 95/46/EC; Keller, Daphane. ‘The Right Tools: Europe's Intermediary Liability Laws and the EU 2016 General Data Protection Regulation’ (2018) 33 Berkeley Technology Law Journal 288-364.] [C-362/14 Maximillian Schrems v. Data Protection Commissioner]
The case for the United States is quite different in terms of how comprehensively the data protection laws are implemented. Indeed, some scholars observe that the United States does not have comprehensive policies for protecting consumer privacy and governing access to consumer data. As such, there is a sense of urgency in the government to develop such a policy framework. Without a comprehensive data protection law, the United States records some of the most serious data breaches in the world and other data governance challenges. For example, Equifax had to pay a settlement fee of $575 million (potentially rising to $700 million) for one of the largest data breaches that occurred in 2017. The frequency with which similar cases take place insinuates that data protection, meaning the tools and policies for regulating access to data, are lax in the country. An overhaul of the entire e-commerce system in the country could be deemed necessary if the country's e-commerce sector is to thrive without users fearing for the safety of their personal information.[Cory Robinson, ‘Disclosure of Personal Data in Ecommerce: A Cross-National Comparison of Estonia and the United States’ (2017) 34 Telematics and Informatics 569-582.] [See case Federal Trade Commission, Plaintiff, v. Equifax, Inc., Defendant [2019] 1:19-cv-03297-TWT] [A list of the most recent data breaches in the United States could be accessed through this link: /article/3410278/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html]
As mentioned earlier, e-commerce works mostly by exchanging goods, services, and data between firms and consumers. In this case, it can be argued that firms have different uses for the data they gather. Current literature on e-commerce establishes that consumers are always seeking and demanding personalized experiences from goods and service providers. As a result, the firms have undertaken all measures possible to understand their customer bases, which then helps marketers to design the desired personalized experiences. Understanding the customers often means gathering as much data about them as possible. Such data often include personal and sensitive information about an individual's behaviors, preferences, and even searches on the internet. If firms were to use the Eu 1995 directive, it could prove difficult to access this data since the firms that often store such information would be prohibited from sharing with other firms. However, businesses with online platforms have a mechanism for collecting their own consumer data, which includes addresses, contacts, and even current locations. Different algorithms have been developed for this purpose, which begs the question of the extent to which firms comply with data protection and privacy laws.[Marek Koniew, ‘Classification of the User's Intent Detection in Ecommerce systems – Survey and Recommendations' (2020) 6 Information Engineering and Electronic Business 1-12]
Literature on privacy has shown that many e-businesses tend to exploit user privacy to facilitate their growth. From a legal perspective, all privacy breaches should be subjected to claims for damages by the victims. However, many court cases or tribunals often involve the regulator as the plaintiff and the businesses as defendants, as illustrated in the earlier example of Equifax. As mentioned earlier, earlier, some of the data management practices in the United States would attract legal action in the EU due to the comprehensive 1995 directive. Amazon, one of the world’s largest e-tailers, faces legal action in the EU for violating the General Data Protection Regulation (GDPR) in its practices of processing users. Even though the company refutes that no personal data has been shown to third parties, the EU regulations cover a much wider scope. Such businesses as Amazon can benefit from accessing and analyzing the massive consumer data gathered to develop targeted marketing practices. While this may be a permissible practice in such countries as the United States, it presents a legal challenge since access to data is regulated but not used.[Asia Muneer, Samreen Razaaq and Zaineb Farooq. ‘Data Privacy Issues and Possible Solutions in E-commerce’ (2018) 7(3): Journal of Accounting & Marketing 1-3.]
So far, the EU has been used as the best-case scenario for privacy and data protection legislation. Besides Directive 1995, the EU has made several efforts to develop new laws to achieve even greater protection. These efforts are often guided by the observations that personal data breaches are on the rise, most of which have detrimental impacts on the lives of the victims. Additionally, most of the breaches observed involve online services and systems, which simply insinuate online businesses. The ePrivacy directive was developed in 2002 to obligate businesses to notify both the authorities and the affected individuals regarding data breaches. The GDPR offers an extension of this obligation from electronic communication providers to all data processors and controllers across all sectors. In as much as the EU is the best example of how to legislate for data protection and privacy, it can be argued that the fact that breaches still occur means that the laws have deficiencies.[See Directive 2002/58/EC]
Across many countries, it can be observed that the privacy and data protection laws governing brick-and-morta...