Imagine hypothetically that the stolen allowances were entered into circulation and were subject to the transactions for the sale (or other disposal) of allowances between the parties in different Member States.
Recent cases of allowances being stolen from accounts in the registries of some different Member States raise several legal questions.
The issue of the security standards of personal accounts in the registries is only the first but the most manifest one.
The Commission Regulation (EC) No 2216/2004 of 21 December 2004 for a standardised and secured system of registries pursuant to Directive 2003/87/EC of the European Parliament and of the Council and Decision No 280/2004/EC of the European Parliament and of the Council (OJ L 386, 29.12.2004, p. 1, as amended):
Access to registries
1. An authorised representative shall only have access to the accounts within a registry which he is authorised to access or be able to request the initiation of processes which he is authorised to request pursuant to Article 23. This access or these requests shall take place through a secure area of the website for that registry.
The registry administrator shall issue each authorised representative with a username and password to permit the level of access to accounts or processes to which he is authorised. Registry administrators may apply additional security requirements at their discretion if they are compatible with the provisions of this Regulation.
2. The registry administrator may assume that a user who has entered a matching username and password is the authorised representative registered under that username and password, until such point that the authorised representative informs the registry administrator that the security of his password has been compromised and requests a replacement. The registry administrator shall promptly issue such replacement passwords. ...”
The problem in this area is that many Member States registries are using only username and password to permit the access to accounts without engaging single, disposable passwords like tokens or etc. It is heard that the problem with the recent theft was caused by phishing and the effects of this could be probably smaller, if single, disposable passwords were more widely used as regards means of access to the registries.
As was said above, this is only one side of the coin. The other, much more complex issue relates to the legal procedures aiming at the recovery of the stolen allowances. Why is it complicated? The problem originates in the very idea of the European Trading Scheme for emission allowances – namely it’s pan-European nature and range. Imagine hypothetically that the stolen allowances were entered into circulation and were subject to the transactions for the sale (or other disposal) of allowances between the parties in different Member States.
Article 66(2) of the Registry Regulation (see box) brings about that in the case of phishing the registries administrators have rather clear situation meaning that the account holder is solely responsible for the safety of it’s logins and passwords and for the effects of loosing them.
But are the above mentioned transactions valid and binding? What about of the good faith of the acquirer? Does it have significance with respect to the first transaction in the chain of the subsequent ones? And the consecutive transactions – what with them? And – the last but not least – is the entry in the personal holding account of the registry the constituent element of the transaction (influencing it’s validity) or not? It appears that such a practical situation we probably have as regards the recent theft.
So, the core issues that need to be considered is the determination of the national legal order that will govern the legal effects in question. The national law of the Member State which governs the transaction in question may provide for the rules that where the person purporting to transfer the ownership (the transferor) has no right or authority to transfer ownership of the allowances, the transferee nevertheless acquires and the former owner loses ownership – under specified conditions (so called “good faith acquisition through a person without right or authority to transfer ownership”). The exact premises and conditions for applicability of the said clauses depend on the particular provisions of national laws of the Member States. It should be also recalled that the parties to the contract are allowed to choose the law that will govern the contract rights and obligations. It adds to the complexity of the case. It means that the recovery of the stolen allowance may not be so simple as it firstly appears. It seems that the specific circumstances of the case should be taken into account. Depending on the clear-cut legal national orders the premises that may have significant importance may be whether the transferee acquires the goods for value or for free.
The issue of the examining of the good faith of the transferee may concentrate on the demonstration that the transferee neither knew nor could reasonably be expected to know that the transferor had no right or authority to transfer ownership of the allowances at the time ownership would pass. The facts from which it follows that the transferee could not reasonably be expected to know of the transferor’s lack of right or authority have to generally be proved by the transferee.
Some national legal orders may also provide that good faith acquisition does not take place with regard to the stolen objects, unless the transferee acquired the allowances from a transferor acting in the ordinary course of business.
It follows from all the above that in the first turn the law applicable to the contracts in question must be determined and examined in detail.