The European Commission has proposed an update to the e-Signatures Directive. It wants to replace it with a new Regulation on electronic identification and trust services for electronic transactions.
The e-Signatures Directive provides a framework for the conduct of electronic cross-border transactions within the EU. The proposed new Regulation aims to create a framework for mutual recognition and acceptance of e-identification and authentication relating to access to public services.
Why is the regime changing?
Legal certainty in cross-border electronic transactions requires more than just the regime for establishing the equivalency of electronic signatures to 'wet' pen-and-paper ones that the Directive set out.
Achieving an acceptable level of certainty in cross-border electronic transactions may depend on a number of issues, including:
- mutual recognition and acceptance of electronic identities given by member states to their citizens by other member states;
- time stamping rules;
- certainty as to the legal weight of electronic documents;
- certainty as to the legal implications of using electronic delivery services and
- rules authenticating who owns a website.
The European Commission intends for its proposed Regulation to remove uncertainties in relation to these issues.
The Regulation introduces a process for mutual recognition and acceptance of 'means of electronic identification' used to identify natural and legal persons of other member states. The aim is to encourage member states to notify the Commission of national electronic identification schemes and ensure that those schemes unambiguously link electronic identification data to natural and legal persons, and enable third parties to authenticate that link online and free of charge.
The proposed Regulation requires member states to accept liability both for the trustworthiness of the electronic identifications enabled by the member state scheme and the authentication mechanism.
The proposed Regulation requires national electronic identification and authentication schemes to meet a number of conditions. Once a scheme meets those conditions, other member states must recognise the legitimacy of an electronic identification provided under that scheme for the purposes of accessing public services online wherever a national or Union law allows for the use of electronic identifications.
The Regulation does not specifically apply to the conclusion and validity of contracts where there are requirements as regards form prescribed by national or Union law. This means that member states may continue to require that specific services or transactions, for example, those in respect of land, be taken outside the scope of the regime.
In establishing a regime for trustworthy e-identification procedures the proposed Regulation will promote greater legal certainty in cross-border ecommerce and online service transactions in general.
The Proposed Regulation introduces 'trust services' as a new concept in EU law. Trust services are defined to include the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication and electronic certificates.
Trust Service Providers are to be liable for direct damage where they fail to comply with specific security requirements set out in the Regulation or if they act negligently. The security requirements set out in the proposed Regulation require Trust Service Providers to notify supervisory bodies of security breaches within 24 hours of the occurrence of a breach and inform the public where disclosure of the breach is in the public interest.
The e-Signatures Directive draws a distinction between 'electronic signatures' and 'advanced electronic signatures'. While a person's email signature could qualify as an 'electronic signature', only data that is uniquely linked to a person could qualify as an 'advanced electronic signature'.
The planned Regulation introduces the concept of a 'qualified electronic signature', which is a signature which is backed by a certificate issued by a certification service provider. These providers would be regulated under the Regulation. The Regulation includes other conditions that must be met for a signature to be 'qualified'.
The Regulation also seeks to ensure that over time the validity of an electronic signature is not diminished due to technological changes by introducing the concept of a 'qualified electronic signature preservation service' which uses "procedures and technologies capable of extending the trustworthiness" of a qualified electronic signature.
The proposed Regulation says that electronic seals will ensure the origin and integrity of data to which they are linked. In an Impact Statement accompanying the proposed Regulation an example is used which contrasts the efficiencies of a company issuing millions of invoices in accordance with EU requirements that are confirmed by an e-Seal with the inefficiency of a person from that company signing each invoice separately. The Regulation's validation and preservation requirements for qualified electronic signatures also apply to qualified electronic seals.
Electronic Time Stamps
There can be many situations in which it is necessary to know the time at which a transaction has been completed or has come into existence, and for electronic transactions this can be done using an electronic time stamp. Member states have laws making reference to time stamps but there is no consistency in their use of the terms.
The proposed Regulation defines an electronic time stamp as "data in electronic form which binds other electronic data to a particular time establishing evidence that these data existed at that time". The proposed Regulation also sets out conditions for 'qualified electronic time stamps' which enjoy a legal presumption of ensuring the time it indicates and the integrity off the data to which the time is bound.
Under the proposed Regulation electronic documents are to be considered equivalent to paper documents so long as they do not contain any dynamic features capable of automatically changing the document. Where a public sector body requires an original document or a certified copy for the provision of an online service, electronic documents are to be accepted as substitutes without additional requirements if formed in accordance with the provisions of the Proposed Regulation.
Electronic delivery services
The proposed Regulation introduces the concept of a 'qualified electronic delivery service'. Data sent or received using a qualified electronic delivery service are to enjoy legal presumptions as to the integrity of the data sent or received by means of the service and the date and time of sending or receiving the data as recorded by the service. Qualified electronic delivery services must meet conditions set out in the proposed Regulation including a requirement that the transmission process must be secured "as to preclude the possibility of the data being changed undetecably".
The proposed Regulation seeks to provide a regime for authenticating website ownership. It would impose a legal obligation for websites to include verifiable ownership information that allows users to verify the authenticity of a website and the existence of the website's owner. The regime also requires member states to recognise and accept all qualified website authentication certificates which meet the requirements of the proposed Regulation so that users can have confidence in sites used throughout the EU.
The Proposed Regulation was adopted by the European Commission on 4 June 2012. It will now go through the ordinary legislative procedure for its adoption by co-decision of the European Parliament and the Council.