In March 2018, when the Cambridge Analytica-Facebook data fiasco became common knowledge, it created ripples across the globe. Governments of several countries took notice of the public outcry and started laying the groundwork for the data & privacy protection of their citizens.

European Union (EU) lawmakers led the charge. Numerous laws and directives were created while some of the outdated laws were re-visited, imposing new obligations and responsibilities on the data controllers and processors. 

In this informative guide, we present our research about the European e-commerce regulations and laws which a business owner should be aware of before starting their e-commerce marketplace like Flubit, ASOS or Allegro. Let’s begin with the widely accepted and implemented; GDPR.

Table of Content

• The Basics of GDPR
• GDPR is important for the e-commerce industry. Here’s why!
• E-Commerce, VAT & Brexit, and their working harmony
• Payment Gateways and Online Payments
• Distance Selling Directive
• Payment Card Industry – Data Security Standard (PCI DSS) compliance
• European WEEE Directive
• Conclusion

The Basics of GDPR

General Data Protection Regulation (GDPR), which came into effect on 25th May 2018 is a regulation on data protection and privacy in the European Union (EU) and its economic area. It is to protect EU residents’ data.

Personal data refers to any information that can be traced to an identifiable person. It may include name, email address, IP address, etc. 

GDPR applies to any business or enterprise, irrespective of its location and/or the data subjects’ (individuals) citizenship or residence. If you are processing the personal information of individuals inside the European Economic Area (EEA) or if you have EU customers, you need to be aware of it. There are six lawful bases specified by the GDPR (consent, contract, public task, vital interest, legitimate interest or legal requirement).

Apart from the lawful basis, there are certain rights bestowed upon the data subjects’ of the EU under the new regulation, which are as follows: 

• Right to access means that the customers have the right to know how their data is used. Therefore, businesses need to appraise the individuals with this information.
• Right to transfer states that the customers or data subjects have the right to transfer their data from one company to another.
• Right to be forgotten implies that if a customer wants all its data to be erased, the companies must comply with the request. 
• Right to be informed enforces that customers need to be explicitly informed that their data is being collected and free consent must be attained. 
• Right to be corrected gives customers the right to get their data updated if it is out of date or incorrect. 
• Right to not process implies that a customer can choose to not get their data processed but their records can remain in the system. 
• Right to object means that a customer can choose to get their data not to be processed for Direct Marketing.

Furthermore, there are certain duties and rights that the businesses must adhere to as per the new GDPR guidelines: 

• In case of a data breach, a business must disclose and report it within 72 hours to the National Supervisory Authorities.
• All businesses must appoint a Data Protection Officer (DPO) in case of bulk data handling.
• To keep the data protected, businesses must take necessary actions. 
• Even if the businesses must collect data, it must be the bare minimum amount required. 
• Businesses/enterprises must take explicit consent before collecting personal data.  
• If the international or national businesses do not comply with data protection regulation, they can be fined up to €20 million or 4% of their annual worldwide turnover of the preceding financial year, whichever is greater. 

Due to the European Union’s reliance on GDPR, it has become a model for other countries and states to follow. Countries like Chile, Japan, Brazil, Kenya and the United States of America have many similarities with their regulations, making it a global rule for businesses and enterprises to follow and comply with. 

GDPR is important for the e-commerce industry. Here’s why!

GDPR has reshaped the ecommerce industry in Europe and other continents. Considering the businesses operating in the ecommerce domain have to deal with the personal data of the customers, and collect, store or otherwise use the data, they need to follow a plethora of regulations themselves because of the data handling of EU customers. 

• A business must disclose the contact details of its e-commerce store.
• Even if you don’t have a brick and mortar office in Europe but you have customers in the EU, you will have to comply with the GDPR.

Although a business doesn’t have to do anything out of the ordinary to ensure that their business is GDPR compliant, they still need to ensure that their T&C and Privacy Policy along with Cookie settings are up to date. 

Note: From 1 – 10,000 employees, GDPR applies to everyone but record-keeping is required only for companies that have 250+ employees.

There are certain aspects that you need to take into consideration to be GDPR compliant:

• Give the users choice and control over whether they give consent or not
• Ask users for opt-in’s means that pre-checked boxes do not count as consent therefore the user must ‘opt-in’ for themselves
• Explicitly highlight what the individual is consenting to
• Requests for consent should be separated from other terms of service
• Be specific; don’t use an umbrella way to catch all at once
• Be clear and concise: there’s no room for double negatives
• The third parties who will rely on the consent must be named
• Easy consent withdrawal, and how to do that is important
• Document and keep the evidence of the consent in terms of who consented, when, how and what they were the message communicated at that time
• Review the consent you have received, and update it if anything changes
• Avoid making consent a precondition of using your service

Cross-border payments and currency conversion risks:

Cross-border payment charges across Europe are interchangeable, regardless of its participation in the Euro area. Moreover, the domestic payments in the Euro are very costly, permitting the payment service providers (PSPs) to charge variably. 

To cater to this issue, the European Parliament updated its payment regulations. CBPR2 or Cross-border Regulation plans to introduce more transparency of currency conversion charges and set standards at POS (Point of Sale) and ATMs. 

PSPs must provide the following to the users who initiate a direct online credit card transfer:

• an estimated conversion charges
• an estimated total amount in the payer’s account currency
• an estimated total amount to be paid to the payment service user in the payer’s account currency 
• transaction fee, if any
• currency conversion fee, if any

CBPR2 further requires that before the initiation of any card-based transaction that involves a currency conversion at either an ATM or POS, the PSP’s must disclose the following information to the payment service user/payee: 

Declaration:

• Currency conversion charges as well as the exchange rates used.

Fiscal Compliance:

• The percentage mark-up over the most recent euro foreign exchange rate issued by the European Central Bank
• The total amount to be paid in the currency used by the payee and in the currency of the payer’s PSP’s account

Security fillings:

• The possibility of paying in the currency used by the payee and having the currency conversion subsequently performed by the payers’ PSP.
• The payee’s right to refuse the currency conversion service and pay in the currency used by the payee instead.

Originally shared here

E-Commerce law in Europe & currency conversions:

Due to currency conversion, several risks arise given the constant exchange of money. As per the new regulations, the currency rate that is used shall always be the rate at the time of transaction. Three kinds of currencies associated with an online store are:

• Store currency – It’s the currency that appears in the reports and is of the admin that is used to set prices for your products and its variants.
• Local Currency – It’s the currency that the customer uses to pay for their order at checkout and is also visible in your store. 
• Payout currency – It’s the currency used for depositing money in the bank account of a user which can be taken care of by the Admin or directly by the store owners. 

Risks: 

• In case of processing delays or refunds, there is a possibility that you might lose or gain money due to the continuous fluctuation of currency rates.
• If your store deals in multiple currencies, the prices are automatically converted and updated with the market rates (there’s a minor conversion fee involved as well).

E-Commerce, VAT & Brexit, and their working harmony

Great Britain consists of England, Wales and Scotland, and has new VAT rules for the goods imported from the U.K since new year’s day of 2021. Northern Ireland now has dual-status post-Brexit so they will be part of the UK’s customs territory but also a part of the EU single market for VAT purposes. 

Henceforth, e-commerce businesses need to take care of the certain technical aspects to ensure they don’t dangle feet in troubled waters: 

• First & foremost, apply for the UK VAT number in each country you’re selling into since the one-stop-shop rule has come into effect from 1st July 2021.
• Collect VAT on orders shipped to the UK which are below 135 pounds,
• In the case of an online marketplace, the liability shifts to the platform. 
• File & remit VAT to HMRC every quarter. 
• Apply for an Economic Registration and Identification (EORI) number; it is used on customs declarations, which helps in identifying the exporters in customs procedures and documentation. 
• Re-evaluate and update your tax settings; if you use Avalara, it will be done automatically. 
• Rules vary for B2B and B2C, and commodity codes are vital considering if you get the wrong codes, you may end up paying the wrong tariffs or have your goods blocked by Customs. 

Need for Local Fiscal Representative: 

Although it is yet to become official, it is believed that 19 out of the 27 countries in Europe are required to have a local VAT representative as per the new VAT & EU Regulation of e-commerce. Norway, Australia, Japan, or South Korea are already following this arrangement where the local Fiscal Representative is generally a lawyer or an accountant. 

Failing to appoint a Fiscal Representative may result in fines. Bearing in mind that these representatives will be held liable if your platform is not tax compliant, you may have to pay them a handsome amount of money or bank guarantee.

Payment Gateways and Online Payments

A Strong Customer Authentication (SCA) is made mandatory that helps in reducing customer fraud cases across Britain & Europe. As per Silicon Canals, a fintech company, e-commerce-based businesses are expected to grow up to $1 trillion by 2022 in Europe, and more than $1 billion is the expected fraud on the European cards as per ECB each year. 

SCA is required for most card payments. Failing to comply with the SCA could lead to failure in payments transactions, and other costly consequences. As per the new regulation, two-factor authentication is mandatory that will customers provide 2 out of 3 key information to prove their identity, which are as follows: 

• something they own (a mobile, token or smart card),
• something they know (PIN code or password),
• something they are (fingerprint or voice pattern).

The advent of 3rd party providers has further increased the competition and complexity. Since 2018, there are two types of open banking providers, both serving different purposes. 

• Payment Initiation Service Providers (PISP)
• Account Information Service Providers (AISP)

PISPs are authorized to initiate payments in & out of a user’s account while AISPs have the power to retrieve account information provided by the banks and institutions. 

These two handle customer consents required to access Open baking data. In simple terms, they explain to the customers what will be accessed, for how long and with whom it will be shared.

Things can be overwhelming for the businesses that haven’t had exposure to such a level of data before, however, understanding the nuances, and the concerned laws should be implemented by the organizations to safeguard their and their shareholders’ interests.

Benefits for the online merchants:

• Reduced fraud rates and increased trust in customers
• Two-factor authentication to make the process smoother. 
• More options for the ecommerce consumers

What can internet businesses do: 

Show the appropriate payment methods depending on the context, and make sure that your platform has a 3D secure 2-factor standard. 

Apart from the must do’s, there are a few exemptions as well to the Strong Customer Authentication regulations that has been explained by Stripe, which does a real-time analysis to determine whether to apply SCA to a transaction or not. 

Low-risk transactions:

Low-risk transactions are considered valid for SCA only if the payment provider deems it necessary, after analyzing it in real-time. However,, there are certain exemptions that are possible if the card payments of the payment provider’s or bank’s overall fraud rates do not exceed the following thresholds:

• 0.13% to exempt transactions below €100
• 0.06% to exempt transactions below €250
• 0.01% to exempt transactions below €500

Payments below 30 Euros:

Transactions below 30 euros are considered to be low value and therefore, may be exempted from SCA, however, if this scenario is repeated more than 5 times and the amount goes over 100 euros, banks will have to request authentication. Also, banks are required to keep a check on the number of transactions. 

Subscription of fixed-amount:

In this case, the customer’s first payment requires SCA, and the subsequent payment may however be exempt from it. 

Trusted beneficiaries: 

While completing authentication for a payment, customers have the option to add a business to the allow list which will further get added to the bank’s “trusted beneficiary” list. This will ensure that fewer authentication failures occur. 

Phone sales:

Customer’s card details collected over the phone are exempt from SCA and do not require authentication. 

Corporate payment:

Payments done by using virtual card numbers which are commonly used by the travel sector are also outside SCA. 

Merchant-initiated payments:

When a card is saved in the merchant’s system and payment is made using the saved cards, it is exempt from the authentication since technically, these payments are out of SCAs scope. 

Distance Selling Directive

Distance selling is, in simple terms, selling through any form of medium including digital, online, mail, among others. If your VAT-registered internet business sells to, say in Britain but you’re not registered there but in some other country in Europe then you’re Distance Selling. It’s not easy to understand but very important for the businesses who have their customers and potential customers in Europe. 

Before selling to a customer at distance, please ensure that the following information is included:

• Name, contact details and address of your business
• A detailed description of your business
• Total price inclusive of all taxes, and instructions on how to pay them. 
• Delivery payment, schedule and cost
• Billing period and the minimum contract duration
• Conditions of deposits, financial guarantees and ending contracts
• Order cancellation criteria alongside a form, any cancellation costs if any and a deadline till when they have the right to cancel

All this information has to be provided in an easy-to-understand format. 

Under this directive, e-commerce businesses must tell their customers that they can cancel their order within 14 days after it has been delivered, and no reason for cancellation is required. 

These e-commerce rules in the EU apply to the businesses that are selling online digital services and should be followed diligently. 

Payment Card Industry – Data Security Standard (PCI DSS) compliance 

If your e-commerce business accepts credit card payments, you need to be aware of how PCI DSS works, and more importantly, how it will impact your business.

While in many aspects, PCI and GDPR scope overlap each other, the difference however lies in their purpose. GDPR acts as a medium for the users to understand their rights and duties when an internet business collects their data, but it does not provide security. 

PCI, on the other hand, directly deals with the security & protection aspects of the cardholders data. Loss of data, breaches, identity theft, among others, come under PCI. Even though in this standard, customers don’t have much control over their data, PCI focuses on keeping the servers secure, limiting access, and focusing on mitigation and risk management. 

European WEEE Directive

This directive is especially important for businesses that deal in selling & buying electronic goods. Waste Electrical and Electronic Equipment directive (or WEEE) sets collection, recycling, and recovery targets for all types of electronic goods. 

As per the WEEE, all electrical equipment placed in the market should be registered in the respective country who are further given the instructions to maintain a directory of the same. 

All the member states are obliged to maintain annual reports of all the electrical equipment that are placed in the market, and all the registered equipment should be labelled accordingly. 

This becomes challenging for the sellers who want to sell their products in several EU countries since they will be required to be registered individually in each country to ensure that they are compliant with the local manufacturers’ obligations. If the organizations fail to comply with this directive, heavy fines may be imposed. 

Even though this directive has more work to do for the manufacturers, internet businesses still have to ensure that their products are under the given regulations.

Some common jargon used in Europe that you need to be aware of.

Let’s define some of the key terms you will see when researching for GDPR.

• Data Subject: The person whose private data is being stored, collected, shared or dumped.
• Private and Personal Data: Any information that directly or indirectly identifies a living person. For example, account information, health information, age, gender, email address, birth date, address, IP address, etc.
• Data Controller: It is a person or persons who determines how personal data is processed.
• Data Processor: It is a person or persons that process that data on behalf of the controller.
• Obligations of the processors – Processors must follow the data controller’s instructions and should be able to show GDPR compliance 
• Data Protection Officer – For overseeing GDPR, general privacy management compliance and data protection practices, businesses may need to appoint a staff member or a service provider for overseeing GDPR.
• Privacy Impact Assessments (PIA) – Privacy impact assessments must be conducted of large-scale data processing to minimize the risks and identify measures to mitigate them.
• Breach notification – Stakeholders must be notified by the Controller within 72 hours of becoming aware of a breach.

Information source

Other directives and regulations to consider:

European Copyright Directive (not a law but a framework to help the member states to write & draft their laws)

• Send a payment advisory to the customers once the payment is done. 
• Ensure that your business is registered with the Chamber of Commerce.

Give your users No pre-checked boxes

• Mandatory Payment Advisory
• Currency conversions
• Inventory management

Conclusion 

Given the scrutiny a business may face if they don’t follow the legal regulations for eCommerce in the European Economic Area (EEA), it is advisable to understand the laws concerning them. Besides, it is important for the new business owners to make sure that they are not neglecting their basic rights and duties as service providers and global citizens. Besides, the impact could be more severe on SMBs or startups than the bigger enterprises.