Electronic Signature Regulation
Cathrine Ripley explores some of the issues to consider around the regulation governing electronic signatures.
The EU Regulation on Electronic Identification and Trust Services in the Internal Market (910/2014 EU) (the Regulation) came into force on 1 July 2016. Whilst there was little fanfare, likely because its timing coincided with the Brexit referendum, its effect should not be overlooked. It aims to ensure that electronic signatures have the same legal status across EU Member States and to help businesses and consumers carry out convenient and secure electronic transactions.
The Regulation defines three types of electronic signature, summarised in brief below:
- Standard Electronic Signature (SES)
An SES is defined as any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. Put simply, this is the electronic equivalent of a handwritten signature. It usually allows the signatory to sign a document using a mouse or stylus and does not require third party verification. SES examples range from a typed name in an email to biometric data such as a retina scan.
- Advanced Electronic Signature (AES)
An AES is a more secure form of SES that is created with public key cryptography (a mathematically based encryption scheme) and embedded in the code of the electronic document.
The requirements for an AES are defined in the Regulation as a signature that is:
– uniquely linked to the signatory
– capable of identifying the signatory
– created using electronic signature creation data that the signatory can, with confidence, use under their control
– linked to the data signed in a way that a subsequent change to the data is detectable.
- Qualified Electronic Signature (QES)
This is a digital signature created by a qualified electronic signature creation device. It must be supported by a certificate issued by a qualified trust service provider whose credentials have been recorded in a list published by a Member State. It has the equivalent legal effect to a handwritten signature and is compulsory for certain transactions in some countries.
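To show how public key cryptography delivers the AES requirements listed above (a signature uniquely linked to and under the control of the signatory, and one that reveals any later change to the signed data), here is an added example that is not part of the original article. It uses Go's standard-library Ed25519 signatures; the contract text and key pair are constructed for illustration, and in a real AES or QES deployment the public key would be bound to the signatory by a certificate rather than carried loose as it is here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument pairs the signed content with the signature and the signer's
// public key. In practice the public key is delivered inside a certificate
// that identifies the signatory (the "capable of identifying" requirement).
type SignedDocument struct {
	Content   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// SignDocument creates the signature with the signatory's private key. Only
// the holder of that key can produce a valid signature, which is what makes
// it "uniquely linked to the signatory" and "under their control".
func SignDocument(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   content,
		Signature: ed25519.Sign(priv, content),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyDocument checks the signature against the content it claims to cover.
// Any change to the content after signing makes this return false, which is
// the "subsequent change to the data is detectable" requirement.
func VerifyDocument(doc SignedDocument) bool {
	return ed25519.Verify(doc.PublicKey, doc.Content, doc.Signature)
}

// Tamper returns a copy of the document whose content was altered after
// signing, as an attacker or a careless edit might do.
func Tamper(doc SignedDocument, altered []byte) SignedDocument {
	doc.Content = altered
	return doc
}

func main() {
	// Constructed sample: the signatory's key pair and the agreed contract text.
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := SignDocument(priv, []byte("Seller agrees to deliver 100 units at GBP 10 each."))
	fmt.Println("original verifies:", VerifyDocument(doc))
	altered := Tamper(doc, []byte("Seller agrees to deliver 100 units at GBP 1 each."))
	fmt.Println("altered verifies:", VerifyDocument(altered))
}
```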
Whilst all three types of electronic signature are admissible as evidence before a court in an EU Member State, it is national law that still determines their legal effect. UK businesses should therefore be prepared to evaluate their use on a transaction-by-transaction and country-by-country basis. In particular, whilst most UK businesses favour using an SES for contracts governed by English law, there are circumstances when exceptions apply, such as when dealing with HM Land Registry.
Businesses that want to appoint a signature platform provider (such as Adobe Sign or DocuSign) will usually enter into a contract for services with them. In doing so, a number of issues will need to be considered, including the method of authenticating the signatories, the warranties given by the platform provider and any service levels to be agreed. If in doubt, it is worth consulting a legal practitioner to discuss these and other legal issues surrounding the use of a platform provider.
With the General Data Protection Regulation coming into force in May 2018, platform providers will need to address the new data obligations placed upon them as data processors. While many are considering how to deal with this issue, in the interim the data protection burden is placed solely on the customer as the data controller.
As the new Regulation seeks to build business confidence in using electronic signatures, organisations should stay up to date with the laws governing them, as their use is only likely to increase in the coming months.