IV THE EMERGING SOURCES OF LAW FOR OPEN ELECTRONIC

IV.5 Electronic signatures

IV.5.4 EC Directive on electronic signatures

It is easy to see that the emergence of dozens of national statutes regulating the same problems does not promote uniformity and may even hamper the development and marketing of new products, as confidence in the new systems cannot be built. As regards electronic signatures, the EU could act in a somewhat proactive role, although some Member States already had national legislation in force before the EC Directive. The German law on electronic signatures, the Signaturgesetz73, was passed by the German Parliament on 22 July 1997. Similarly, legislation on electronic signatures existed in Italy.74

68 Based on Smedinghoff, Thomas J. and Hill Bro, Ruth, Moving with Change: Electronic Signature Legislation as a Vehicle for Advancing E-commerce, The John Marshall Journal of Computer and Information Law, Vol. XVII, No. 3, Spring 1999, p. 723, reproduced partly at http://profs.lp.findlaw.com/index.html.

69 Information Security Committee, Electronic Commerce Division, Digital Signature Guidelines, Legal Infrastructure for Certification Authorities and Secure Electronic Commerce, 1996 A.B.A. SEC. SCI. & TECH.

70 The ABA Guidelines, pp. 21-22.

71 Only three states adopted a law based on public key cryptography. Others advanced in a more technology-neutral direction, admitting at the same time that some electronic signatures are more neutral than others. Gregory, p. 6.

72 See also Federal Certification Authority Liability and Policy. Law and Policy of Certificate-based Public Key and Digital Signatures, by Michael S. Baum. U.S. Department of Commerce, Gaithersburg, MD, June 1994. This very comprehensive report surveys political liabilities as well as liability and policy issues arising in the operation of a "Federal Certification Authority" infrastructure. A Federal Certification Authority was an illusory concept covering the various certification responsibilities that might be vested in the US Federal Government in the creation of a public key electronic signature infrastructure.

The aim of Directive 1999/93/EC on a Community framework for electronic signatures is to create recognition for and equivalence to electronic signatures within the European Union. The Directive aims at facilitating the use of electronic signatures as well as contributing to their legal recognition. It establishes a legal framework for electronic signatures and certain certification services in order to ensure the proper functioning of the Internal Market.

Member States of the Community shall not make the provision of certification services subject to prior authorisation.75 Member States may, nevertheless, introduce or maintain accreditation schemes aiming at enhanced levels of certification-service provision.76 They shall furthermore ensure the establishment of an appropriate system that allows for the supervision of certification-service-providers which are established on their territory and which issue qualified certificates to the public. The Directive also contains provisions aimed at facilitating cross-border certification services with third countries. This could be done by the involvement of a certification-service-provider meeting the Directive's requirements or through international standards and agreements applicable to certification services. Article 7 of the Directive gives the Commission the task of making proposals to reach such uniformity.

The Directive has a two-tier definition of electronic signature. As described earlier, an electronic signature can take many different forms, and many technologies can be used to produce it. In defining an electronic signature, the Directive is therefore based on the objectives and inherent reliability of the signature.

According to Article 2, an 'electronic signature' means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.77 An 'advanced electronic signature' means an electronic signature which meets a number of requirements. First, it is uniquely linked to the signatory78; secondly, it is capable of identifying the signatory; thirdly, it is created using means that the signatory can maintain under his sole control; and finally, it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

73 Bundesgesetzblatt, I, 1997, p. 1870.

74 Law 59 of 15 March 1997, Supplemento Ordinario alla Gazzetta Ufficiale della Repubblica Italiana n. 63 del 17 March 1997.

75 A 'certification-service-provider' is an entity, a legal or a natural person who issues certificates or provides other services related to electronic signatures. Recital 12 of the Directive explains that certification services can be offered either by a public entity or a legal or natural person, if established in accordance with national law.

76 Voluntary accreditation schemes (providing for accreditation similar to ISO quality standards) should not reduce competition for accreditation services and Member States should not prohibit certification-service-providers from operating outside voluntary accreditation schemes.

77 Thus the Directive deals with different kinds of electronic signatures and not only with digital signatures. The word 'authentication' is used without being defined. For definitions of 'authentication', see supra.

78 'Signatory' means a person who holds a signature-creation-device and acts either on his own behalf or on behalf of the natural or legal person he represents.

These two definitions have different legal effects. An advanced electronic signature shall satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data.79 Moreover, an advanced electronic signature shall be admissible as evidence in legal proceedings. In order to have these effects, an advanced electronic signature has to be based on a qualified certificate80 and has to be created by a secure-signature-creation device.

An electronic signature (which is not an advanced electronic signature) shall also be recognised to some extent, which may depend on the circumstances of the case. Specifically, Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that any of the requirements for an advanced electronic signature (being based upon a qualified certificate, being based upon a qualified certificate issued by an accredited certification-service-provider, or having been created by a secure signature-creation device) are not met. Recital 21 of the Directive states that the legal recognition of electronic signatures should be based upon objective criteria and not be linked to authorisation of the certification-service-provider involved.

The Directive does not interfere with the possibility of national law governing the legal spheres in which electronic documents and electronic signatures may be used. Neither does it affect national rules regarding the unfettered judicial consideration of evidence.81 As advanced electronic signatures shall be admitted as evidence in legal proceedings, it is the jurisdiction in question which shall determine what significance should be given to the advanced electronic signature.

Finnish procedural law applies the doctrine of free assessment of evidence.

The existence of a valid signature usually counts as evidence of the intention to be bound by the signed text, unless other circumstances such as coercion or forgery are involved. The Directive only requires in this context that an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device shall hold, in respect of electronic data, the same status as a hand-written signature in respect of a paper document.

79 Recital 17 adds however that the Directive shall not seek to harmonise national rules concerning contract law, particularly the formation and performance of contracts or other formalities of a non-contractual nature concerning signatures. For this reason the provisions concerning the legal effect of electronic signatures should be without prejudice to requirements regarding form laid down in national law with regard to the conclusion of contracts or the rules determining where a contract is concluded.

80 A 'certificate' means an electronic attestation which links signature-verification data to a person and confirms the identity of that person. A 'qualified certificate' then means a certificate which meets the requirements laid down in Annex I of the Directive and is provided by a certification-service-provider who fulfils the requirements laid down in Annex II.

81 Recital 21 of the Directive.

The Directive aims at meeting many objectives. It is designed to create full credibility and a framework82 for sophisticated products, recognising at the same time that less sophisticated methods need to be given certain significance so that the use of signatures is not hampered by a formal 'straitjacket'. Such a straitjacket may, however, be created by sectoral legislation using the Directive as reference.

Furthermore, the Directive gives a role to voluntary accreditation schemes in pursuit of quality, but emphasises that adherence to these schemes is voluntary for the certification-service-providers and tries to make sure that accreditation is not detrimental to competition.

This dualism extends to supervision and liability. There may exist, unless implemented differently by a Member State, different standards in relation to the supervision of certification-service-providers, as the obligation imposed on Member States in Article 3(3) of the Directive concerns only those certification-service-providers which issue qualified certificates to the public.

82 For repetition and elaboration, an advanced electronic signature is to be equated with a hand-written signature if

- it is based on a qualified certificate; this requires that the certificate meets the requirements of Annex I and is provided by a certification-service-provider who fulfils the requirements laid down in Annex II; and

- it is created by a secure-signature-creation device, which is a signature-creation device that meets the requirements laid down in Annex III.

The Directive contains in the Annexes detailed information about

- requirements for qualified certificates (Annex I), such as the names or identifications of the service provider and the signatory, the signature-verification data which correspond to signature-creation data under the control of the signatory, validity period, limitations on the scope of use or on the value of admitted transactions, as well as an indication that the certificate is issued as a qualified certificate;

- requirements for certification-service-providers issuing qualified certificates (Annex II), which lays down a detailed list of administrative, financial, technical and contractual measures to be complied with;

- requirements for secure signature-creation devices (Annex III), which are of a general nature and aim to protect the secrecy of the signature-creation-data: the data should not be easily derivable, should be protected against forgery, and should be protected by the legitimate signatory against use by others; and finally

- recommendations for secure signature verification (Annex IV), according to which it should be ensured with reasonable certainty, inter alia, that the signature is reliably verified, that the result of that verification is correctly displayed, and that the verifier can, as necessary, reliably establish the contents of the signed data.
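The four requirements of an advanced electronic signature set out in Article 2, the Annex I content of a qualified certificate and the Annex IV verification steps can be seen together in code. The following Go program is an added example, not part of this thesis and not prescribed by the Directive: it uses ECDSA keys and X.509 certificates as one common technical realisation (the Directive is technology-neutral and mandates neither), and the `QualifiedCertificate` type with its `ValueLimit` field, the `Setup`, `Sign` and `Verify` functions and every name and value in it are constructed for illustration. It shows a certification-service-provider (CSP) issuing a signatory's certificate, the signatory signing a transaction, and a relying party checking that the certificate was issued by the trusted CSP, was valid at signing time, covers the transaction value, and that the signed data has not been altered since signing (the fourth requirement in Article 2).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// QualifiedCertificate pairs an X.509 certificate (signatory identification,
// signature-verification data and validity period, the Annex I content) with a
// hypothetical ValueLimit for the "limitation on the value of admitted transactions".
type QualifiedCertificate struct {
	Cert       *x509.Certificate
	ValueLimit int64 // constructed: highest transaction value the certificate covers
}

var (
	ErrUntrustedCertificate = errors.New("certificate was not issued by the trusted CSP")
	ErrOutsideValidity      = errors.New("certificate not valid at the time of signing")
	ErrValueLimitExceeded   = errors.New("transaction value exceeds the certificate's limit")
	ErrBadSignature         = errors.New("signature does not verify: data altered or wrong key")
)

// issue has signerKey sign the template and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Setup constructs a CSP key and a signatory key and has the CSP issue the
// signatory's certificate. The signatory key is returned only so the example
// can sign; in practice it stays under the signatory's sole control (Annex III).
func Setup(now time.Time, valueLimit int64) (*x509.Certificate, QualifiedCertificate, *ecdsa.PrivateKey, error) {
	cspKey, errA := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sigKey, errB := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if errA != nil || errB != nil {
		return nil, QualifiedCertificate{}, nil, errors.New("key generation failed")
	}
	cspTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CSP (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cspCert, err := issue(cspTmpl, cspTmpl, &cspKey.PublicKey, cspKey) // self-signed CSP root
	if err != nil {
		return nil, QualifiedCertificate{}, nil, err
	}
	sigCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Signatory (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour), // one-year validity period
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, cspCert, &sigKey.PublicKey, cspKey)
	if err != nil {
		return nil, QualifiedCertificate{}, nil, err
	}
	return cspCert, QualifiedCertificate{Cert: sigCert, ValueLimit: valueLimit}, sigKey, nil
}

// Sign hashes the data and signs the digest with the signature-creation data (private key).
func Sign(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify runs the relying party's checks: certificate issued by the trusted CSP,
// valid at signing time, transaction within the value limit, and the signature
// verifying under the certificate's public key (any later change to the data fails here).
func Verify(qc QualifiedCertificate, cspCert *x509.Certificate, data, sig []byte, value int64, at time.Time) error {
	if err := qc.Cert.CheckSignatureFrom(cspCert); err != nil {
		return ErrUntrustedCertificate
	}
	if at.Before(qc.Cert.NotBefore) || at.After(qc.Cert.NotAfter) {
		return ErrOutsideValidity
	}
	if value > qc.ValueLimit {
		return ErrValueLimitExceeded
	}
	pub, ok := qc.Cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(data)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}
```

A relying party would in addition consult the CSP's revocation information before accepting a signature, which is the service the liability rule on failure to register a revocation (discussed below) presupposes; that check is deliberately left out of this example so that the four checks above stay in view.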

The Directive provides for the establishment of an 'Electronic-Signature Committee', the tasks of which include the clarification of the requirements laid down in the Annexes.

Since no prior authorisation is required, the supervision of certification-service-providers plays a more important role.

Each Member State shall ensure the establishment of an appropriate system that allows for supervision of certification-service-providers which are established on its territory (home Member State) and issue qualified certificates to the public. According to Recital 13, Member States may decide how they ensure the supervision of compliance with the provisions of the Directive. Supervision could be done by private-sector-based supervision systems. Moreover, certification-service-providers could apply to be supervised under any applicable accreditation scheme, but they are not obliged to do this.

Furthermore, Member States should designate a public or private body to verify the conformity of secure signature-creation devices with the requirements laid down in Annex III.

The Directive expressly83 presents as a minimum requirement for Member States that these shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate in respect of its contents84 unless the certification-service-provider proves that he has not acted negligently.

Similarly, there is a presumption that the certification-service-provider is liable for failure to register a revocation of a qualified certificate unless he proves that he has not acted negligently. As is the case with the contents of the certificate, the entity or natural or legal person sustaining damage must have relied on the certificate reasonably in order to be able to recover damages.

A certification-service-provider may limit the use of the certificate, provided that the limitations are recognisable to third parties. Moreover, with similar prerequisites, a limitation can be made on the value of transactions for which the certificate can be used. The Directive provides that the certification-service-provider is not liable outside the limits of use or in excess of the limitation value.

83 In the case of consumer protection legislation in particular, Member States are considered to have the right to go beyond the otherwise imperative minimum provisions of Community directives and impose more stringent requirements than those required by a directive. Sometimes this is expressly stated in the directive; in some cases derogations must be based on aims listed in Article 95(4) of the Treaty of Rome.

84 Article 6 of the Directive stipulates that the information concerning which the liability arises after an entity or legal or natural person has reasonably relied on it as contained in the certificate, is

- the accuracy at the time of issuance of all information contained in the qualified certificate and the fact that the certificate contains all the details prescribed for a qualified certificate;

- the assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature-creation data corresponding to the signature-verification data given or identified in the certificate; and

- the assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the certification-service-provider generates them both.

IV.5.5 UNCITRAL Model Law on Electronic