E-commerce is a new form of business which heavily incorporates technology, and lawmakers need to keep up by enacting laws which are able to adapt in order to curb arising legal concerns.
I. The Evolution of Electronic Commerce – A Brief Introduction
We live in an era where almost everything is available in digital form or is at least undergoing digitalisation. Digitalisation simply means that, while atoms construct almost everything in the physical world, from a human kidney to a high-speed train, bits are the fundamental building block of the digital world. The digitalisation revolution started in the early 1980s, triggered as computers started moving into homes from workplaces and research laboratories. The first conventional medium to adopt digitalisation was the music industry, on the business logic that information converted from atoms to bits is generally cheaper to store and encode, while significantly reducing distribution cost.
Technological advancement has grown, and continues to grow, on a rapid scale in recent years. This is directly linked to the survival of most businesses. The most recent example would be the fall of Nokia, which has been successfully acquired by Microsoft. The direct and most apparent contributor to the acquisition was said to be Nokia's failure to learn and keep abreast of technological changes, which led to its failure to survive.
The exponential growth of the internet and electronic technologies has driven many conventional businesses and traders to jump onto the bandwagon, creating electronic commerce, more commonly known as e-commerce. E-commerce can be defined as the trading or the facilitation of trading in products or services using computer networks, more often than not with the use of the internet. The Organisation for Economic Co-Operation and Development (OECD) defines an e-commerce transaction as “the sale or purchase of goods or services, conducted over computer networks by methods specifically designed for the purpose of receiving or placing of orders.” This new form of business provides greater opportunities for a greater audience and global reach.
Businesses that have adopted the e-commerce trend face the same legal issues faced by conventional brick-and-mortar companies. However, e-commerce businesses must understand and manage many other legal challenges that are unique and directly attached to the operations of an online business and transactions using an electronic medium, which, shall be discussed in this article. Neglecting the additional legal issues could be detrimental as it may lead to various problems, inter alia, regulatory penalties, financial instability, and not forgetting civil claims and criminal prosecution. Set forth below is a non-exhaustive list of potential legal issues in connection to e-commerce businesses.
II. Electronic Contract
The core purpose of a trade, whether conventional or e-commerce, is to extract revenue, and that is achieved by ensuring that there is a legally binding agreement or contract and a form of token of payment. Every day people enter into legally binding contracts, formally or informally. One may presume that there is no difference between an online contract and an offline contract on the basis that the internet is no more than a fundamental means of communication. It is true that all rules applicable to the contract law applies. However, there are some issues relating to online contracts that must be examined.
Informal contracts are deemed to have been formed when there is offer, acceptance and consideration. Although this may look relatively easy to establish, it is tricky to determine when consensus ad idem, if any, has occurred. In the early 1950s, in the United Kingdom, the case of Pharmaceutical Society of Great Britain v Boots Cash Chemist (Southern) Ltd raised an important question before the Court of Appeal. The Court had to determine whether the display of goods on a shelf was an offer to sell which was accepted by the customer upon placing the goods in the basket, or whether it was merely an invitation to treat, with an offer only being made by the customer at the till and acceptance being effected by the cashier. Birkett LJ opined that
“...it would be wrong to say that the shopkeeper is making an offer to sell every article in the shop to any person who might walk in and that person can insist on buying any article by saying ‘I accept your offer’”.
This decision was later upheld by the courts in the case of Fisher v Bell. However, the courts took a different approach when deciding on matters involving vending machines and ticketing machines as they were the first non-human actors to be involved in a formation of a contract. This was seen in the famous case of Thornton v Shoe Lane Parking Ltd where the court developed an approach for dealing with contract formation and non-human actors. As Lord Denning MR explained,
“the customer pays his money and gets a ticket. He cannot refuse it. He cannot get his money back. He may protest to the machine, even swear at it. But it will remain unmoved. He is committed beyond recall. He was committed at the very moment when he put his money into the machine. The contract was concluded at that time. It can be translated into offer acceptance in this way: the offer is made when the proprietor of the machine holds it out as being ready to receive the money. The acceptance takes place when the customer puts his money into the slot.”
In the early days, this approach laid down by Lord Denning MR seems to suggest that e-commerce sites such as Lazada and Amazon would be operating under this principle as there is use of non-human agents to conclude their contracts.
Due to the lack of clarity and wide speculation in Europe among academics and lawmakers, the Electronic Commerce Directive, in particular Articles 9-11, came into existence. Article 10 of the Directive was adopted and incorporated with full effect in the United Kingdom by regulation 9 of The Electronic Commerce (EC Directive) Regulations 2002. If one visits any well-established internet bookshop site in the United Kingdom, condition 14 of their conditions of use and sale expressly states,
“when you place an order to purchase a product [NAME], we will send you an email confirming receipt of your order and containing the details of your order. Your order represents an offer to us to purchase a product which is accepted by us when we send email confirmation to you that we’ve dispatched that product to you (Dispatch Confirmation Email). That acceptance will be complete at the time we send the Dispatch Confirmation Email to you. Any products on the same order which we have not confirmed in the Dispatch Confirmation Email to have been dispatched do not form part of the contract.”
Taking this into account, it is clear that an e-commerce webpage is to be treated as an invitation to treat in accordance with the principles laid down in the Boots Cash Chemist case. This is the most common position taken by e-commerce webpages. In the case of Argos TV in 2005, there had been a mistake where a television set worth £350 was advertised for 49p for thirty one hours leading to 10,000 orders, including one order for 80 sets. Argos simply referred to their terms and conditions and managed to set aside all orders and refunded all monies paid.
Next, the issue of acceptance has to be determined. As discussed above, acceptance will only be completed the moment the Dispatch Confirmation Email is sent. Article 11(1) of the Electronic Commerce Directive, incorporated by regulation 11(2)(a) of the Electronic Commerce (EC Directive) Regulations, expressly states that “...the order and the acknowledgement of receipt email will be deemed to be received when the parties to whom it is addressed to are able to access them...”. It is evident that the said regulation applies strictly to the offer and the acknowledgement of receipt of the offer, and hence does not apply to the acceptance, which occurs at a much later stage when the goods are dispatched. Since the regulation is silent as to when the acceptance is made, an inference can be drawn that the courts may be reluctant to extend the postal rule to this instance. In the United States, however, the Uniform Computer Information Transactions Act (UCITA) 1999 explicitly states that the general rule is to be applied when contracting via electronic means. Article 215 provides that electronic messages are effective at the time of receipt, regardless of whether the individual is aware of the receipt or not. In Malaysia, it can be said that the general rule of acceptance is applicable to electronic messages and therefore the postal rule will not be extended to this means of contracting.
There are also a number of contracts that are simply not accommodated to fit into the framework of an information society. These contracts are usually imposed with statutory requirements that require the contracts to be in writing and sometimes even imposing a requirement for signature. Due to the uncertainty in Europe as to whether an electronic document satisfies and meets the statutory definition of writing, the United Nations Commission on International Trade Law (UNCITRAL) adopted its model law on Electronic Commerce in 1996. The primary function and purpose of the model law was to ensure that all UNCITRAL Member States formally recognise electronic contracts. Article 6 of the model law states that “where the law requires information to be in writing, that requirement is met by a data message if the information contained therein is accessible so as to be usable for subsequent reference.”
A similar view was adopted in Malaysia when passing the e-commerce legislation in 2006. Section 8 of the Electronic Commerce Act 2006 states that, where any law requires information to be in writing, the requirement of the law is fulfilled if the information is contained in an electronic message that is accessible and intelligible so as to be usable for subsequent reference. The UNCITRAL Model Law was initially adopted and enacted by Singapore as one of the leading nations that addressed the issue relating to electronic contracts and electronic signatures by passing a legislation as early as 1998 which was the Electronic Transaction Act 1998; now replaced by the Electronic Transaction Act 2010. Thailand has also adopted the UNCITRAL Model Law by legislating the Electronic Transactions Act 2001 which formalises electronic contracts.
III. Electronic Signature
Further, Article 7 requires Member States to give recognition to electronic signatures. This led to the formation of the Electronic Communications Act 2000 in the United Kingdom to comply with the UNCITRAL Model Law. Electronic signatures shall be recognised as being equivalent to traditional signatures. However, this was initially found to be difficult to achieve, as a number of techniques were tried in the 1990s, which included digitally encoding a signature that was physically made with pen and paper. It soon became apparent that such systems were attempting to replicate physical signatures rather than seeking to fulfil the function of a signature. In order to enact Article 7 of the UNCITRAL Model Law, the European Union introduced two forms of electronic signatures under Article 2 of the Electronic Signatures Directive, namely, standard electronic signatures and advanced electronic signatures. The question then arose as to the differences between the two types of signatures. Standard electronic signatures were given lesser recognition, as Article 5(2) states that,
“Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is: in electronic form, or not based upon a qualified certificate, or not based upon a qualified certificate issued by an accredited certification service provider, or not created by a secure signature-creation device.”
On the contrary, Article 5(1) refers to advanced electronic signatures which states,
“Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device: satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data and are admissible as evidence in legal proceedings.”
The distinction between the two is narrow but crucially important. It is clear that only an advanced electronic signature is probative. A probative document automatically switches the burden from the party that intends to rely on it to the party that intends to depart from it. A standard electronic signature, by contrast, is merely admissible as evidence but does not possess probative value; in other words, the burden does not shift automatically.
The important question to be answered is what, in practice, is an advanced electronic signature? It is simply a form of electronic signature based on encryption technology. The most widely accepted system is known as public key encryption, or PKE signatures. PKE works by first creating two keys, one being a private key and the other a public key. The keys only work as a pair, which means that if a message is encrypted using one key it can only be decrypted using the other key. This is an extremely powerful encryption tool, as a decryption key never needs to be sent to the recipient, reducing the risk of interception by hackers or other third parties.
However, the use of PKE in itself is not flawless, as it does not prove identity but only possession of a key pair. An ideal solution for electronic signatures would be the issuance of a certificate of identity, i.e. a virtual ID card for key pairs. One must bear in mind that Article 5 of the Directive states that only electronic signatures based on a certificate are probative. Therefore, to create a certified signature, the user may create his or her own set of keys and send them to a certification agency with proof of identity. At a general level, personal certification criteria can be established and proven by providing a functioning email address, but for a high-level commercial signature a significant amount of personal information will be required in order to establish and satisfy identity.
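An added illustration of the two paragraphs above (not part of the original article): a toy textbook-RSA signature in Python showing that a valid signature proves only possession of a key pair, and that a certificate issued by a certification agency is what binds the key to a name. The party names, fixed primes and helper functions are constructed for the example, the scheme has no padding and is not secure, and the agency is assumed to receive only the public key.

```python
"""Toy textbook RSA: a key pair proves possession; a certificate binds it to a name.
Constructed example with fixed Mersenne primes and no padding. NOT secure."""
import hashlib

E = 65537  # public exponent shared by all toy keys


def make_keypair(p, q):
    """Return (private, public) for primes p, q: private = (n, d), public = n."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E mod phi(n)
    return (n, d), n


def _digest(message, n):
    """SHA-256 of the message as an integer reduced mod n (toy: no padding scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Transform the digest with the private key; only the key holder can do this."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public_n, message, signature):
    """Reverse the transform with the public key and compare with a fresh digest."""
    return pow(signature, E, public_n) == _digest(message, public_n)


def _binding(name, subject_n):
    """Bytes the certification agency signs: the name tied to one public key."""
    return f"{name}|{subject_n}".encode()


def issue_certificate(ca_private, name, subject_n):
    """Agency signs the (name, public key) binding after checking identity out of band."""
    return {"name": name, "n": subject_n,
            "ca_sig": sign(ca_private, _binding(name, subject_n))}


def verify_certified(ca_public, cert, claimed_name, message, signature):
    """Accept only if the agency vouches for this name/key AND that key signed the message."""
    if cert["name"] != claimed_name:
        return False
    if not verify(ca_public, _binding(cert["name"], cert["n"]), cert["ca_sig"]):
        return False
    return verify(cert["n"], message, signature)


def demo():
    # Constructed keys built from known Mersenne primes (hypothetical parties).
    ca_priv, ca_pub = make_keypair(2**521 - 1, 2**607 - 1)
    alice_priv, alice_pub = make_keypair(2**89 - 1, 2**107 - 1)
    impostor_priv, impostor_pub = make_keypair(2**61 - 1, 2**127 - 1)

    contract = b"I, Alice, agree to buy 80 television sets."  # constructed sample text
    alice_sig = sign(alice_priv, contract)
    impostor_sig = sign(impostor_priv, contract)  # same text, different key pair

    alice_cert = issue_certificate(ca_priv, "Alice", alice_pub)
    # A self-made "certificate" claiming Alice's name for the impostor's own key.
    forged_cert = {"name": "Alice", "n": impostor_pub,
                   "ca_sig": sign(impostor_priv, _binding("Alice", impostor_pub))}

    return {
        "alice_key_verifies": verify(alice_pub, contract, alice_sig),
        # Valid under its own key: the signature alone proves possession, not identity.
        "impostor_key_verifies_own_sig": verify(impostor_pub, contract, impostor_sig),
        "impostor_sig_under_alice_key": verify(alice_pub, contract, impostor_sig),
        "tampered_text": verify(alice_pub, contract.replace(b"80", b"800"), alice_sig),
        "certified_alice": verify_certified(ca_pub, alice_cert, "Alice", contract, alice_sig),
        "forged_certificate": verify_certified(ca_pub, forged_cert, "Alice", contract, impostor_sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
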
In Malaysia, the Digital Signature Act 1997 was enacted to handle issues linked to electronic signatures, mainly in the arena of e-commerce. Section 9(2) of the Electronic Commerce Act 2006, provides specifically for the application of the Digital Signature Act 1997 where it shall be applicable to any digital signature used as a medium for a commercial transaction. Section 9(1) provides that if the criteria laid down are met, the legal obligation of a digital signature is established. An inference can be drawn as both the European Directive and the Malaysian legislation have adopted a view and approach permitting the use of digital signatures and on a very similar application. Therefore, the notion that one has to physically use pen and paper to sign a contract/agreement is now a thing of the past. Despite sufficient similarities, the terminology adopted by the Malaysian Act, ‘digital’, indicates that it is technology specific in comparison to other legislation that adopted the term ‘electronic’. It seems to suggest that the Malaysian Digital Signature Act 1997 followed the approach of being technological specific as per the Utah Digital Signature Act 1995 by adopting and applying the term ‘digital’.
IV. Electronic Money
The growth in technology has led to the birth and development of a new form of payment instrument: electronic money. Electronic money is the digital equivalent of conventional money, usually stored remotely on a server or on a particular device. Electronic money was defined as “an electronic store of monetary value on a technical device that may be widely used for making payments to undertakings other than the issuer without necessarily involving bank accounts in the transaction, but acting as a prepaid bearer instrument.” The most common example of electronic money is the electronic purse. In Malaysia, we swipe our electronic money on a regular basis at shopping malls and LRT stations, much as the Oyster Card is used in London.
In Europe, the most recent Directive relating to electronic money was signed on 16th September 2009, and all Member States were to adopt it not later than 30th April 2011 in order to establish national legislation that complies with the intention and direction of the Directive. The Directive, amongst many things, stated that in order to be a licensed electronic money institution, an institution must fall within the ambit of a credit institution in accordance with the Banking Directive. This step was taken as a measure to curb third party businesses from becoming electronic money institutions, making the path clear for financial and credit institutions to monopolise the market. In order to further boost public confidence in entrusting electronic money in Europe, electronic money issuers were governed by strict financial requirements. Pursuant to Article 4(1) of the Directive, the electronic money issuer is required to hold initial capital funds of 350,000 Euros.
Electronic money in Malaysia is governed by the Financial Services Act 2013. The Act defines payment instrument as “any instrument, whether tangible or intangible, that enables a person to obtain money, goods or services to make any payment.” Prior to 2005, only banks were permitted to issue electronic money. Presently, the position has been reversed, allowing non-banks to be electronic money issuers. As Bank Negara Malaysia is empowered by the Financial Services Act 2013 to approve any application relating to electronic money licenses, there is still uncertainty on the decision making process despite having regulations and guidelines available for interested parties in the application process.
Electronic money brings both great benefits and great risks. The increased use of electronic money raises the risk of money laundering, as it provides transacting parties with an easier medium for transferring financial value. However, this risk is not completely alien to electronic commerce players. Electronic money issuers in Malaysia have to comply with the Anti-Money Laundering Act 2001 and Anti-Terrorism Financing Act 2001. Despite the risk, electronic money would, in the long run, significantly reduce the cost of labour and paper. Studies have also concluded that widespread usage of electronic money could directly contribute to a nation’s GDP.
V. E-commerce Tax
Another crucial aspect of e-commerce to be examined is taxation. The question to be answered is how to tax e-commerce online transactions. The large volume of cross-border transactions, virtual goods (e.g. MP3 files and movies) and online business services, usually in a form that is difficult to differentiate from non-commercial services, poses a significant risk of taxation revenue being lost. The OECD estimated the global e-commerce value to be worth in excess of $2 trillion as of 2010. Therefore, if schemes or procedures are not developed to ensure taxation is collected from e-commerce traders, it can be presumed that almost $200 billion is lost even when applying the most conservative tax scheme of 10%. In 2003, an E-commerce Directive on VAT came into effect. The said Directive made extensive changes and amendments to the Sixth VAT Directive in order to establish European Union VAT rules. With it in effect, digital goods are taxed in the state where the customer resides, making the location of the supplier irrelevant. This simply means that European Union suppliers and non-European Union suppliers are made to impose VAT payments on European Union customers, and European Union suppliers have no obligation to charge VAT on digital goods or services supplied to non-European Union customers. VAT, if applicable, shall be calculated based on the rate payable in the customer’s home country, subject to the exception that if the supplier is from the European Union then, under the single market principles, the supplier may charge their local VAT rate.
In Malaysia, the Goods and Services Tax Act 2014 (GST) came into effect on 1st April 2015. The Act adopted the same approach as the European Union Directive discussed above. This means that a Malaysian supplier and a non-Malaysian supplier are bound to impose GST on Malaysian customers. However, a Malaysian supplier is not subjected to impose GST rate on a customer residing in another country.
VI. Data Protection
The most recent and fastest developing area of law is privacy law, as protection from misuse of personal information is becoming increasingly important. Lord Hoffmann in R v Brown opined that vast amounts of information about individuals are kept in computers, capable of being transmitted anywhere in the world and easily accessible at the touch of a keyboard. The right entitling a person to keep oneself to oneself, and to tell other people that some information is none of their business, is under technological threat. Although data protection in itself is not something completely new, the digitalisation era has made protection of data more difficult.
In the United Kingdom, personal data is defined as “... data which relates to a living individual who can be identified from those data, or from those data or other information which is in the possession of, or is likely to come into the possession of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of any individual...” The Act laid down some important principles that must be complied with by the data controller when dealing with personal data, including sensitive personal data.
The first principle imposed on the data controller is that the personal data obtained shall be processed fairly and lawfully and shall not be processed unless one of the conditions in Schedule 2 of the Act is met and, in the case of sensitive data, one of the conditions listed in Schedule 3 is met. The most common conditions under Schedule 2 are in relation to consent by the data subject, or, that the processing is necessary for the performance of a contract to which the data subject is the party, or, for taking steps at the request of the data subject with a view of entering into a contract. As for sensitive data, the most common condition under Schedule 3 that usually has to be met is that the consent has to be explicit in order for the personal data to be processed by the data controller.
By now, we are all familiar with the opt-in and opt-out boxes that are frequently used by online data controllers at the point the data is collected. The question that should be addressed is this: is the provision of an opt-out box sufficient to satisfy the criteria of consent under Schedule 2 and explicit consent under Schedule 3 of the Data Protection Act 1998?
The first issue is that neither the term ‘consent’ nor the term ‘explicit’ was defined by the 1998 Act. Therefore, the Oxford English Dictionary's definition shall be adopted. Consent is defined as ‘to give permission, express willingness or agree’ while explicit is defined as ‘leaving nothing merely implied’. Applying this, it can be concluded that consent may be given by means of an opt-out box remaining unticked/unchecked. Explicit consent, however, requires a more positive indication of consent, allowing an inference to be drawn that opt-in boxes are acceptable to establish explicit consent but opt-out boxes do not meet the requirement to satisfy explicit consent.
Another important principle that is directly linked to e-commerce is that “personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
However, the new European Union Data Protection Regulation 2017 has a new set of rules that have to be adhered to by all Member States. Although this Regulation is not yet enforced, there are some crucial changes that have to be adopted by English law. The Regulation has rejected the current acceptable mechanism of consent, which would be completely replaced by explicit consent. There would also be a mandatory requirement for all data controllers to have a data breach officer in place. Another crucial change would be the implementation of the Right to be Forgotten. These are a few of the changes that would come into effect across all European Union Member States.
The Personal Data Protection Act 2010 was enforced on the 15th November 2015 in Malaysia. Malaysia adopted principles similar to the current United Kingdom legislation, the Data Protection Act 1998, by permitting implied consent to be given for personal data and requiring express consent to be given by a data subject to a data controller when dealing with sensitive data, in accordance with Section 6 and Section 40 respectively.
Personal data is a very big area by itself; therefore, it has not been discussed in depth.
E-commerce has the tendency to go beyond commonly accepted boundaries when it comes to the application of existing laws. Generally, law makers are catching up with the fast evolving trend and innovation. In this article, I have highlighted several major legal concerns in e-commerce predominantly using the existing European Union Directives and United Kingdom legislation, as well as applying the Malaysian legislation as far as possible.
This article was written by Premjit Singh Kolwant Singh, a postgraduate student at the Faculty of Law, University of Malaya. (Edited by Zafirah Jaya)
 See https://stats.oecd.org/glossary/detail.asp?ID=4721
  1 QB 401
 See footnote 1 above
  1 QB 394
  2 QB 163
See footnote 5 above
 Directive 2000/13/EC of the European Parliament
 SI 2002/2013
 Murray, A., Textbook on Information Technology Law (Law and Society), (Oxford: Oxford University Press, 2010).
 See footnote 2 above
 In 2002 Kodak had to fulfill orders for a digital camera sold for £100 rather than the intended price of £329. This is because the terms and conditions of Kodak at that given time stated that the contract would be concluded when the order confirmation email is sent, not at the later dispatch confirmation stage.
 Art 215 of the Uniform Computer Information Transactions Act (UCITA) 1999
 Sch. 1 of the Interpretation Act 1978
 The UNCITRAL Model Law on Electronic Commerce (1996)
Sec 8 of the Electronic Commerce Act 2006
 The UNCITRAL Model Law on Electronic Commerce (1996)
 Art 7 of the UNCITRAL Model Law on Electronic Commerce (1996)
 Art 7 states ‘Where the law requires a signature of a person, that requirement is met in relation to a data message if: (a) a method is used to identify that person and to indicate that person’s approval of the information contained in the data message; and (b) that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.’
 S7 of the Electronic Communications Act 2000.
 Directive 1999/93/EC
 Article 5(2) of the EU Electronic Signature Directive 1999/93/EC
 Article 5(1) of the EU Electronic Signature Directive 1999/93/EC
 Article 5(1) EU Electronic Signature directive 1999/93/EC
 S9(1) of the Electronic Commerce Act 2006
 European Central Bank Annual Report 2000 Glossary
 Directive 2009/110/EC of the European Parliament and of the Council on the taking up, pursuit and prudential supervision of the business of electronic money institutions
 Directive 2009/110/EC
 S2(1) of the Financial Services Act 2013
 Council Directive 2002/38/EC
  1All ER 545
 S1(1) of the Data Protection Act 1998
 Personal Data Protection Act 1998
 S6 and 40 of the Personal Data Protection Act 2010