CASE LAW ON ECOMMERCE FROM OTHER JURISDICTIONS APART FROM KENYA


CASE LAW ON ECOMMERCE FROM OTHER JURISDICTIONS APART FROM KENYA, I.E. USA, EU & UK (GDPR), SOUTH AFRICA. HOW TO STRENGTHEN OUR LAWS.

Kinuthia and Akinnusi (2013) found that legal and regulatory challenges were some of the most
formidable barriers faced by e-commerce firms in Kenya. These barriers are compounded by the apparent
lack of political will and initiative on the part of Government and legislators. In particular, Kenya lacks
robust legislation and a regulatory regime relating to e-commerce. This has impeded the adoption of
e-commerce in the country.

One of the challenges faced by e-commerce firms and consumers in Kenya is protection for transactions
involving parties from foreign jurisdictions. Typically, electronic transactions involve trade in goods and
services by entities in different locations. The seller then engages a third party to deliver the goods to the
buyer’s location. The challenge is that the buyer does not get to examine the quality and quantity of the
goods or test their compatibility with his/her needs. In essence, the seller may have provided misleading
information about his ability to deliver a particular good or service.

In Macquarie Bank Ltd v Berg,¹ Macquarie Bank challenged the decision of an aggrieved former
employee to defame the Bank on a website based in the US. The Court in Australia was at a loss about
how to determine the case, given that two jurisdictions applied to it and cooperation from US
authorities could not be guaranteed. Similarly, cases such as Cybersell Inc. v Cybersell Inc.² and
CompuServe, Inc. v Patterson³ in the US demonstrate the challenge posed by transactions involving
different jurisdictions, as both involved one of the parties to the case using servers that were based in
foreign jurisdictions. The challenge for transacting parties is whether they may obtain protection in the
local or foreign jurisdiction, with the implication that transacting parties may only seek redress in
jurisdictions that provide such protection. Inevitably, the transacting parties are exposed if the foreign
jurisdiction does not provide protection.

The cases also demonstrate consumer vulnerability for transactions involving foreign entities as even
seeking legal redress may not work due to jurisdictional barriers.

E-commerce transactions are conducted in a way that makes it hard for consumers to inspect goods before
making purchase decisions. The matter is then complicated by the use of third parties who are often
independent contractors to deliver the goods. For instance, in Kenya, e-commerce consumers buy goods
on platforms such as Jumia and have them delivered by couriers in an arrangement that does not afford
the consumer enough time to inspect the goods. The consumer is further disadvantaged by internal
policies of e-commerce companies that do not allow for inspection before payment.

¹ [1999] NSWSC 526
² [1997] 130 F.3d 414
³ [1996] 89 F.3d 1257

Consumer Federation of Kenya v Fone Express⁴ illustrates this situation. In this case a
customer had purchased a phone and computers from Fone Express that turned out to be
defective and sought the help of COFEK in getting legal redress as the internal policies at the
phone company do not address consumer interests sufficiently.
The case is interesting from a legal perspective as laws on sales of goods require buyers to be
granted reasonable opportunity to inspect the goods before making payment. The issue raised by
the case is what comprises a reasonable opportunity as the very nature of some goods may
necessitate consumers to first test them before making payment in order to ascertain their quality.
This is true especially for electronic devices such as phones as the customer may have to test the
phone for a few hours to determine if the phone battery is of the desired quality.

Data protection

The Kenya Constitution emphasizes the right of citizens to privacy and requires legislative
agencies to create laws that safeguard citizen privacy including e-commerce consumers.
However, Kenya has not enacted laws to safeguard citizen privacy as the Data Protection Bill of
2013 that was meant to activate Article 31(c) and (d) of the 2010 Constitution is yet to be
debated in Parliament. The Bill introduces provisions to regulate the collection, processing,
storage and use of personal data collected by entities operating in the digital environment. This
implies that Kenyan citizens who are now transacting online have no legal protections for
violations of their right to privacy unless they are protected in the foreign jurisdiction.

Experts note that the Kenya Government does not appreciate the fact that e-commerce thrives on
consumer data and that personal data is a valuable asset in the digital economy. Indeed, some of
the largest internet corporations offer their services for free with the implicit concession by the
consumer that the firm collects and uses the personal data collected for marketing purposes.
Currently, Kenyan consumer laws do not have a provision to control the use of personal data or
even obligate firms in possession of such data to give consumers the right to select the type of
personal data to be used for marketing purposes.

⁴ [2014 unreported]

Schrems II Case:⁵
On July 16, 2020 the Court of Justice of the European Union (CJEU), also informally known as
the European Court of Justice or the supreme court of the European Union, rendered a judgment
of gargantuan proportions in the Schrems II Case concerning the transfer of personal data by the
ubiquitous behemoth called Facebook Inc.

The significance of the case filed by one Mr. Maximillian Schrems, an Austrian national, is
immediately discernible from the glitzy constellation of the parties, namely, the Governments of
the United States, UK, Germany, Ireland, Belgium, The Netherlands, France, Austria, Poland,
Portugal, Czech Republic, as well as the European Parliament, European Commission, European
Data Protection Commissioner, among others.

Mr. Schrems, a user of the Facebook social network since 2008, filed a complaint with the CJEU
requesting, in essence, that Facebook Ireland Limited be prohibited from transferring his
personal data to its US parent company, Facebook Inc. on grounds that the law and practices in
the US did not ensure adequate protection of his personal data against the surveillance activities
of governmental security agencies.

Mr. Schrems claimed that under US law, Facebook Inc. was required to make available the
personal data transferred to it by Facebook Ireland to the National Security Agency (NSA) and
Federal Bureau of Investigations (FBI). He, therefore, sought orders to prohibit Facebook Ireland
from transferring his personal information to the US.

The evidence before the court showed that US law allows NSA to intercept data in transit to the
US by accessing underwater cables on the floor of the Atlantic Ocean and to process such data
before its arrival in the US. It also requires operators of the internet backbone to allow NSA to
copy and filter internet traffic flows in order to acquire communication from, to or about non-US
nationals.

⁵ Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

In its defence, the US Government argued that there exists a data transfer mechanism between
the EU and the US known as the EU-US Privacy Shield Framework which ensures an adequate
level of protection of personal data transferred from the EU to organisations in the US. The
court, however, found that the principles of the Framework were limited and US authorities
could indeed derogate from them and proceed to access personal information on grounds of
national security, public interest or domestic legislation.

The US Government also admitted that it did not grant data subjects actionable or enforceable
rights against US authorities through US courts.

The evidence also showed that US law did not afford EU citizens a level of protection equivalent to
that guaranteed by European law. Complaints by data subjects could only be referred to the
Privacy Shield Ombudsperson, who, although described as ‘independent’ was found to be an
officer in the US State Department appointed by the Secretary of State and to whom he reported.
He was, therefore, not a judicial officer capable of issuing binding orders against government
intelligence authorities.

Guided by the provisions of the General Data Protection Regulation (GDPR), the CJEU ruled in
favour of Mr. Schrems and held that where personal data of EU residents is to be transferred
outside the EU, the destination country must have appropriate safeguards, enforceable rights and
effective legal remedies which are equivalent to those guaranteed by the GDPR within the EU.

Where it is proved that contractual clauses are not respected or cannot be complied with in the
destination country, the national data protection regulator should prohibit the transfer since such
clauses are not binding on governmental authorities.

Where the data controller or processor is unable to take adequate additional measures to
guarantee protection of the personal data, the regulator is required to suspend or prohibit the
transfer of the data to the country concerned.

Where personal data has already been transferred to a country that does not provide equivalent
protection to those guaranteed within the EU, the regulator should order such information and all
copies of it to be returned and destroyed in their entirety.

Finally, the court held that the data subject must have the possibility of bringing legal action
before an independent and impartial court in the destination country for redress of their grievance
concerning access, rectification or erasure of their personal information. Therefore, where, like in
the US, legislation does not provide for the possibility for an individual to pursue legal remedies
for breach of his personal information through an independent and impartial court, transfer of
data to such country should be prohibited.

BREACHES INVOLVING MINORS BY AMAZON.

In a complaint filed in the U.S. District Court for the Western District of Washington, the
government alleged that, since at least May 2018, Amazon violated the Federal Trade
Commission Act and the Children’s Online Privacy Protection Rule (COPPA Rule) with respect to Alexa
and Alexa’s child-directed offerings. The complaint alleged that Amazon retained children’s
voice recordings indefinitely by default, in violation of COPPA’s requirement that these
recordings be retained only as long as reasonably necessary to fulfill the purposes for which they
were collected. Other alleged violations include making deceptive representations that Alexa app
users could delete their or their children’s voice recordings, including audio files and transcripts
and their geolocation information, when in fact Amazon on some occasions failed to delete all
such information at users’ request. The complaint also alleges that Amazon engaged in unfair
privacy practices with respect to Alexa users’ geolocation information and voice recordings,
including (in some instances) by failing to honor users’ deletion requests and failing to notify
consumers that it had not done so.

Amazon.com Inc. and its wholly-owned subsidiary Amazon.com Services LLC (collectively
Amazon), agreed to a permanent injunction and a $25 million civil penalty as part of a settlement
to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the
Children’s Online Privacy Protection Rule (COPPA Rule) and the Federal Trade Commission
Act (FTC Act) relating to Amazon’s voice assistant service Alexa.

Alexa is a proprietary voice-activated service that Amazon provides through its Echo smart
speakers, its “Alexa App” mobile application, and other devices and applications. Since May
2018, Amazon’s Alexa-related offerings have included voice-activated products and services
directed toward children under 13 years of age. When a user makes a verbal request of an Alexa-
enabled device, Amazon saves the voice recording of the request and creates a written transcript
of it. The breach of the children’s privacy rights caused Amazon to pay $25 million in civil
penalties. The order imposed injunctive relief that requires Amazon to identify and delete
inactive child profiles (profiles that have not been used for 18 months) unless a parent requests
that they be retained.

Amazon was also required to notify parents whose children have accounts of this change to its
policies. The order further prohibited Amazon from making misrepresentations about Amazon’s
retention, access to or deletion of geolocation information or voice information, including
children’s voice information, and mandated deletion of geolocation information, voice
information, and children’s personal information upon the request of the user or parent,
respectively. Finally, the order required Amazon to make disclosures to consumers relating to its
retention and deletion practices regarding Alexa App geolocation information and voice
information.

This measure is geared towards ensuring that companies do not misrepresent to parents how
children’s personal information is handled, retained, or deleted, and do not retain that
information for longer than reasonably necessary. Amazon’s history of misleading
parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests
violated COPPA and sacrificed privacy for profits.

CASE LAW ON OBTAINING CONSENT TO TARGET ADVERTS.

Commission Nationale pour la Protection des Données (“CNPD”) v Amazon

In 2018 a complaint was made to CNIL by the French privacy rights group La Quadrature du Net, an
advocacy group that promotes digital rights and freedoms of citizens. The digital rights group,
through a class action suit of over 10, complains, contended that Amazon had failed to obtain
consent to target adverts and was processing user data for its targeted adverts unlawfully.
The Commission opened an investigation into how Amazon processes personal data of its
customers and found infringements regarding Amazon’s advertising targeting system that was
carried out without proper consent. There are certain requirements for compliant consent that
need to be met in order to stay in line with the GDPR, like using clear, plain language and
explaining how data is going to be used, why and by whom. In its decision, the Commission fined
Amazon 746 million euros, a decision which is currently before an appellate court on the grounds,
advanced by Amazon, that CNPD’s decision was unfounded, that there was no data breach, and that no
customer data had been exposed to any third party.

This highlights the GDPR’s focus not only on data security but also on the data privacy aspect:
how companies use personal data, whether the company is transparent, and whether the processing is
lawful. With the €746 million fine, Amazon has drawn scrutiny over the years for the vast trove of
data it has amassed on a range of customers and partners, including independent merchants who
sell on its retail marketplace, users of its Alexa digital assistant, and shoppers whose browsing
and purchase history inform what Amazon shows them on its website.

ANALYSIS OF THE CASES:

Since most data protection laws, including the Kenyan Data Protection Act, are modeled on the
GDPR principles, the CJEU’s interpretation is likely to be adopted by data protection regulators
around the world. This will make it harder for personal information to be transferred outside the
country, especially to the US, due to the gaps in the protection mechanisms that have been
identified by the court in this case. The decision deals a heavy blow to providers of cloud data
storage services which are borderless. Since the US is unlikely to relax its security laws in
response to CJEU’s decision, US-based cloud service providers may have to re-locate their
servers to Europe which, thanks to the GDPR, has the most developed data legislation in the
world. The case also lays bare the ineffectiveness of standard contractual clauses which purport
to give data subjects a false sense of protection while, unbeknown to them, the data is made
available to third parties including governmental agencies. Facebook Ireland had unsuccessfully
argued that there was no breach since its parent company was bound by contractual clauses to
safeguard the personal information of their clients. The court, however, found that snooping
intelligence authorities were not bound by such clauses since they were not party to the contract
between the two companies. The judgment will have a significant negative impact on e-
commerce which, by definition, is borderless. Since data has become the new oil, its free
movement across different geographies is essential for the advancement of economic and social
life. When a large market like the US is blacklisted by a court of CJEU’s stature, the implications
cannot be over-emphasized.

From the case above

In the Data Protection (General) Regulations 2021,⁶ the Data Protection Commissioner provides clarity
on hosting in Kenya as mandatory for those providing a “Public Good”, which is defined and includes
“managing any electronic payments systems licensed under the National Payment Systems Act 2011”.
The provision of banking and financial services, payment and settlements systems and instruments are
defined as part of protected computer systems in terms of section 20 of the Computer Misuse and
Cybercrime Act, 2018 and therefore subject to hosting in Kenya.

With EU court cases now challenging the use of data centers in the US, early clarification by the Data
Protection Commissioner on whether an equivalent Schrems II case would be seen as valid in Kenya or
not will assist all parties in making a clear risk assessment on their current approach to hosting. If
countries with sufficient data protection adequacy, such as Europe, were also clearly “identified”, then
data controllers could ensure their focus was on the technical and operational processes.

The 2010 Constitution puts in place the use of international conventions as part of Kenyan law; therefore,
in filling the gaps left by the lack of proper legislation, the following cases will handle that part.

In Entores v Miles Far East Corp.,⁷ the Court determined that acceptance prevails over the long-standing
rule of mail delivery. The displays appearing on websites are invitations to buy rather than offers. The
acceptance rule is the most preferred approach to assessing contractual validity of transactions conducted
in an electronic environment. The rule is that consensus is reached when the trader gets the customer’s
acceptance. The precedent for the terms and conditions of the contract, as set by Gary Patchett v.
Swimming Pool and Allied Trades Association Ltd (SPATA),⁸ is that it is the obligation of the customer
to read the entirety of the terms and conditions documents before signing the contract. One challenge
electronic consumers endure is the fact that customers may make a mistake on the basis of an erroneous
representation on a website only for the website to correct the error after the transaction, with the effect
that the customer may not prove that the information on the website at the time was misleading, as the
website owners have full control of the content on the website.

⁶ https://www.odpc.go.ke/wp-content/uploads/2021/04/Data-Protection-General-regulations.pdf
⁷ [1955] 2 QB 327
⁸ [2009] EWCA Civ 717

Article 14 of the UN Convention on Electronic Contracts requires the offeror to notify the offeree of the
error if he has not benefited from the misrepresentation of facts. Article 14(1) further provides that the
website owner should create a backstop logic system that flags errors before accepting the customer’s
offer. Article 6 of the Convention provides guidelines for determining the locations of the parties to a
contract. Further, Article 15 of the model law of electronic commerce provides that the location of the
parties to a transaction is the place that has the closest relationship to the contract. Further, Article 10(3)
of the UN Convention provides the means of determining the place of dispatch of contractual obligations
and the place of receipt of the electronic communications.
