Be careful how you structure email domains to ensure compliance with the Electronic Transactions Act, says a lawyer who has been conducting seminars on the new law. You could be accepting a transaction that never makes it to your email inbox.
The act includes guidelines on when emails are judged to have been sent or received. It defines receipt, by default as the arrival of a message within a computer system designated by the recipient.
Businesses should be careful not to define that system too broadly, says Graeme Crombie of Minter, Ellison, Rudd Watts. Crombie was speaking at seminars on the act in Wellington and Auckland last week.
If the recipient tells the sender: “email this to me at my business”, he or she may have unintentionally “designated” the whole internet domain of the business as the requisite system. This means once an email imposing statutory obligations has passed the company’s main firewall, it could be judged to have arrived, even though the individual recipient may, through some internal accident, never see it in his or her inbox.
It might be best for a business to define a specific email address as the receipt point for all mails with statutory implications, Crombie says.
But on this point, as with others in his address, he emphasises that what is in the act is only the default assumption. It is always open to a business to define proof of sending and receipt according to its own criteria, by agreement with the other parties.
The act applies a lot less broadly than many people think, says Ministry of Economic Development policy analyst Andrew McCallum, who played a dominant role in shepherding the legislation into being over four years. It pertains only to statutory requirements in laws and regulations imposed by government agencies.
Communications concerning private arrangements between businesses are still a matter for common law, which the act does not change. Likewise, the requirement for parties to give consent to receiving documents in electronic form only applies to statutory matters.
In private dealings, parties may assume that electronic communications will be valid unless another party to the deal specifically says they are not.
Despite this restricted ambit, it is incumbent on businesses to consider the ways in which the ETA may affect their dealings, Crombie says.
“Start thinking now of the laws and regulations that apply to your business, check what the ETA requirements are [in respect of those statutes]; decide how you’re going to meet those requirements, then proceed to implementation.”
Businesses should also start thinking now of replacing paper transactions and documents with their electronic equivalent where it can be to their advantage, he says. But their obligations to customers and partners must be carefully thought out in that context.
Legally binding transactions executed on a website now have equivalent-to-paper status, Crombie notes. “Click-to-accept agreements are valid” and consent to forming such agreements can be judged to have been given merely “by conduct”. In other words, if you use a website containing such an agreement, you are judged to have consented to electronic dealing.
Nevertheless, businesses should take care over properly exposing the inquirer to any terms and conditions applying to such an agreement, he says. Depending on the significance of the agreement, a simple “click here to say you have read our terms” may not be enough; to be legally safe, a business may have to put the terms in front of the inquirer and require them to check a box on that page to testify that they have actually read the terms.
This is really no different from accepted practice in paper transactions, he notes. Pieces of legally binding paper often refer to other pieces of paper, and sensible safeguards are applied to ensure fully informed consent. The aim of the law is simply to make electronic transactions “functionally equivalent” to accepted paper procedures.
In this light, both speakers defend the lack of specificity in the act’s definition of an “electronic signature”.
A signature is simply “a method used to identify a person and to indicate that person’s approval of a document or transaction,” Combie says. Similarly McCallum: “As in the paper environment, anything intended to be a signature is a signature. We wanted the provision to be that broad-ranging.
“[Many people and businesses] are locked into the concept of a signature as something handwritten at the bottom of a document, and that has to change,” he says.
Answering a point raised in the wake of the act’s passage by Ron Segal of now-defunct certification authority Baycorp ID Services (see Industry bearish on ETA), McCallum confirms that under the right circumstances, most crucially sufficient protection against records being altered, a simple user-identifier and password could be considered a “digital signature” for the purposes of the act. Entry of such a pair of identifiers could well be judged to authorise all legally binding actions taken by the person within that computer system.
After all, he points out, entry of a four-digit PIN into an ATM is acknowledged, in the absence of strong evidence to the contrary, as indicating that the legitimate owner of that PIN authorised the transaction.
Application of the same principle to legally binding agreements on the strength of an identifier as weak as a four-digit number is doubtful, he says; but case law may establish that such a transaction is binding.