Out-Law / Your Daily Need-To-Know

Out-Law News 1 min. read

Electronic Signature Regulations now in force in UK


On 8th March 2002, new laws came into force in the UK implementing an EU Directive on electronic signatures which should have been incorporated in full into the laws of all Member States by July 2001.

The Electronic Signature Regulations have been made under the Electronic Communications Act of 2000 which implemented only part of the EU Directive before the deadline. The Regulations are now in force following a short consultation period on a draft version of them which ended on 12th February.

The Electronic Communications Act was passed in June 2000 and parts of it came into force the following month. The Act deals with the legal recognition of electronic signatures and the process under which they are verified, generated or communicated, and the removal of obstacles in other legislation to the use of electronic communication and storage in place of paper.

The Regulations are limited in scope, addressing only the supervision and liability of Certification Service Providers (CSPs) and certain issues of data protection.

CSPs are businesses that issue certificates in support of electronic signatures. The certificate links signature verification data to a person and confirms the identity of that person. Under the regulations, the Secretary of State is given the duty of reviewing CSP activities and setting up a register of those CSPs that issue qualified certificates (a certificate meeting certain criteria) to the public.

The Regulations also impose liability on CSPs to the extent that they either issue or guarantee qualified certificates to the public. In such circumstances, a CSP is liable to anybody relying on the certificate for, among other things, the accuracy of the information contained within the certificate at the time of issue.

CSPs established in the UK are now bound by a data protection rule which provides that personal data (such as an e-mail address) may only be obtained directly from the data subject for the purpose of issuing or maintaining the certificate or, if obtained indirectly, only with the explicit consent of the data subject. The personal data must only be processed insofar as it is absolutely necessary for the issuing and maintaining of the certificate or if the data subject has explicitly agreed other purposes than the purpose for which consent has been given.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.