“Know Your Business Customer” – New Duties of Care for Digital Service Providers?
The legal framework for digital services is facing the most extensive reform on the European level in recent years. The horizontal key provisions set by the E-Commerce-Directive (Directive 2000/31/EC, “ECD”) date back to 2000 and have not been substantially modernized ever since, whereas the digital world did not stop evolving and creating new ways of communication and new online services. However, the digital world of today has also facilitated infringements of intellectual property rights on a large scale, as well as exposing users of digital services to a wide range of illegal goods, activities or content. One of the key factors behind this development is the simple fact that operators of illegal services are easily able to remain anonymous online. At the same time, intermediary service providers, such as hosting providers, commercially benefit from the relationship with their rights infringing customers, while enjoying the liability privileges under Articles 12–14 ECD. In addition, the transparency rules stipulated in Article 5 ECD have turned out to be ineffective in practice, as particularly operators of structurally-infringing websites simply ignore their transparency obligations, whereas there are no effective means for consumers and rights holders to enforce their rights.
To tackle these issues, among others, and to modernize the current legal framework for digital services, the European Commission has announced the Digital Services Act package (“DSA”). The DSA package is expected to be presented on 2 December 2020. As part of the potential DSA package, on 28 September 2020 the European Parliament’s Internal Market and Consumer Protection Committee (“IMCO”) approved its legislative initiative report “Digital Services Act – Improving the functioning of the Single Market” (IMCO Report 2020/2018 (INL)), which was recently approved by the European Parliament on 20 October 2020 (see https://www.europarl.europa.eu/doceo/document/TA-9-2020-0272_EN.html). The IMCO report expressly requests the Commission to introduce a new “Know Your Business Customer” (“KYBC”) principle, requiring platforms to check and stop fraudulent companies using their services to sell their illegal and unsafe products and content. The approved IMCO report suggests that
“the “Know Your Business Customer” principle, limited to the direct commercial relationships of the hosting provider, should be introduced for business users; hosting providers should compare the identification data provided by their business users against the EU VAT and Economic Operator Identification and Registration (“EORI”) databases, where a VAT or EORI number exists; where a business is exempt from VAT or EORI registration, proof of identification should be provided; when a business user is acting as an agent for other businesses, it should declare themselves as such; hosting providers should ask their business users to ensure that all information provided is accurate and up-to-date, subject to any change, and hosting providers should not be allowed to provide services to business users when that information is incomplete or when the hosting provider has been informed by the competent authorities that the identity of their business user is false, misleading or otherwise invalid;”
In the following, we will briefly outline the basics of KYBC principles and how these might help in the digital sector to effectively pull operators of illegal online businesses out of their anonymity, whereas at the same time imposing low burdens on legitimate businesses.
Know Your Customer Principles
The general principle of “Know Your Customer” (“KYC”) comprises duties of care of businesses to identify its clients and to verify the identity data obtained within the KYC process. Such KYC procedures are applied in various sectors of the economy, whereby the most prominent KYC duties on the European level are implemented in the financial sector, stipulated in the Anti-Money-Laundering Directive (currently 5th AML Directive of May 30, 2018, 2018/843/EU). According to the AML Directive, banks or other financial institutions are obliged to request and obtain information on their costumers’ identity and to verify the obtained data at the beginning of the business relationship. With respect to legal persons/companies, the identity information to be collected comprise, i.a., the company name, legal status, registration number of respective company registers and the business address. The identity information needs to be verified on the basis of documents or information obtained from independent sources, such as official company registers or by the company´s founding documents if submitted. Any changes of the customers identity information must be immediately reported to the bank or financial institution in the course of the business relationship.
“Know Your Business Customer” as proposed by IMCO
The “Know Your Business Customer” principle as proposed by IMCO has a narrower scope and is not as strict as the KYC duties being applied in the financial sector. The envisaged identification and verification duties are limited to business customers (therefore “KYBC”). Furthermore, KYBC duties are only aimed at hosting providers, thus specifically including online platforms and online service providers offering webspace and online infrastructure for website operators. The obtained identity information would particularly include VAT or EORI numbers, which have to be checked by the host provider against the EU VAT and EORI databases. In the course of the ongoing contractual relationship with business customers, host providers shall request their business users to ensure that the information provided is accurate and up to date, and that any changes should be immediately reported to the host provider. Most importantly, host providers should not be allowed to provide services to business users when the identity information is incomplete or turns out to be false, misleading or otherwise invalid.
The latter aspect might form the biggest difference and improvement compared to the transparency rules pursuant to Article 5 ECD, and significantly enhance the rights enforcement against online operators with illegal business models. Article 5 ECD only provides transparency obligations to the internet service provider itself, while there are no obligations or remedies in place towards the host provider, ultimately enabling the operator to run its illegal online business. This would change under the proposed KYBC duties, as host providers would at least have to block their services towards the respective business customer, if not shutting down its website completely.
The KYBC principle as proposed by IMCO already indicates how the final KYBC duties, if adopted, might look like. However, there are still many open questions which need to be further discussed and elaborated in the evolvement of the DSA package once introduced.
As an example, it should be defined which persons or entities fall under the scope of “business costumers”. Generally, this should include persons or entities acting in a commercial or professional capacity, rather than for private purposes. The line between business and private customers should be drawn by both quantitative and qualitative factors. Whereas the financial extent of the contractual relationship and webspace acquired by the customer from its host provider can be taken into account, there are illegal online services requiring little webspace, e.g. mere linking sites. Operators of such online businesses should in any event fall under the scope of the envisaged KYBC duties.
As another example, the proposed KYBC principle shall only apply to hosting providers. These indeed play a very important role in terms of intellectual property infringements on the internet, as their services are the basis of almost all online activities of operators with illegal business models, and should be subject to KYBC duties in any event. In addition, further categories of service providers could be considered subject to KYBC duties, which are also regularly involved in or benefiting from rights infringements on the internet such as domain name service or advertising service providers.
Finally, the legal framework for remedies and penalties relating to KYBC duties must be further discussed and elaborated. This relates both to host providers not complying with their KYBC duties, and customers submitting incorrect information on their identity. For example, it must be clarified at which stage host providers are obliged to terminate their services offered to the respective customer (e.g. after re-verification measures), and if third parties (particularly rights holders) should be entitled to directly request host providers to fulfil its obligations under KYBC, thus refraining from offering their services to their unidentifiable business customers.
Without question, the proposed KYBC duties are a big step towards a stronger and more effective enforcement against illegal business models on the internet, as hosting providers would not be allowed to provide their services to unidentifiable (regularly illegal acting) business customers. Such KYBC duties, in addition only impose low burdens on legitimate businesses, as these have no interest in hiding their identity towards their respective host providers. However, as briefly outlined above, there are still open questions and regulatory issues that need to be clarified and further in the evolvement of the DSA package. In any event, implementing KYBC duties at least for hosting providers are a step in the right direction.