Legal Status of Qualified Electronic Signatures in Europe

Academic year: 2021


Jos Dumortier

Professor of Law - K.U.Leuven Lawfort – Of Counsel - Bar of Brussels

jos.dumortier@lawfort.be

Abstract

It is a common misunderstanding that, in Europe, in order to have a legally valid electronic signature, you need a “qualified” electronic signature. The European Electronic Signatures Directive is very clear in this respect, though: it is forbidden to deny any legal effectiveness to an electronic signature solely on the ground that it is not qualified, for instance because it is not based on a qualified certificate or not created with a secure signature-creation device. The only consequence of using a “qualified” electronic signature is the “automatic” application of existing legal rules which still refer to the handwritten signature. These rules are progressively disappearing because modern legislation no longer exclusively refers to information processing in paper format. The “qualified” electronic signature is therefore only a temporary concept, mainly useful for bridging a transition period. It can, in the longer term, be useful to have a standardized secure electronic signature for all kinds of applications, but such a standard should preferably not be dictated by the legal rules on the “qualified” electronic signature.

1 Looking Backwards: How Did It All Start?

To understand the objectives of the European Electronic Signatures Directive and in particular the purpose of the concept of “qualified electronic signatures”, it is useful to recall the antecedents of the European regulatory framework.

1.1 First Digital Signature Laws in the US

The first legislative texts regulating electronic signatures were issued at State level in the US between 1995 and 1997. The Utah Digital Signature Act, which was enacted in 1995 and amended twice in 1996, is often cited as the chronologically first example of this kind of legislation. The Utah Act was the first to authorize commercial use of digital signatures. It governed the use of public-private key pair encryption and certification authorities. Certification authorities had to be licensed by the Utah Department of Commerce. During the following years, and particularly in 1997-1998, similar laws were issued in several other States in the US, for example in Washington, Missouri and Mississippi. Only in a second wave did new State laws on this subject adopt a more technology-neutral approach and no longer refer to asymmetric encryption and certificates.

1.2 The German 1997 Digital Signature Law

The State legislation in the US inspired some of the national legislators in Europe, particularly in Germany and Italy. The German Parliament approved on 22 July 1997 a “Digital Signature Law”. This law stated in its first paragraph that it was its purpose to “create general conditions under which digital signatures are deemed secure and forgeries of digital signatures or manipulation of signed data can be reliably ascertained”. The law defined a “digital signature” as “a seal affixed to digital data which is generated by a private signature key and establishes the owner of the signature key and the integrity of the data with the help of an associated public key provided with a signature key certificate of a certification authority”. The German 1997 law established a very detailed framework, which was further developed in the Ordinance of 8 October 1997. Licenses were to be granted to certification authorities wishing to operate under the legal framework, after examination of their application file, which had to include a security concept in accordance with the security requirements of the law, and after a check of the implementation of that security concept by a body recognized by the supervisory authority. From a European perspective, the crucial provision of the German law was § 15:

“Digital signatures capable of being verified by a public signature key certified in another Member State of the European Union or in another State party to the Agreement on the European Economic Area shall be deemed equivalent to digital signatures under this Act insofar as they show the same level of security”.

1.3 The 1997 Digital Signature Legislation in Italy

The German example was soon followed by the Italian government, in an implementation decree of the Law n° 59 of 15 March 1997. It provided that anyone intending to use a system of asymmetric encryption keys for authenticating a legally valid electronic document must obtain an appropriate pair of keys and make one of these keys public by means of the certification procedure carried out by a certifying authority. This certifying authority needed an official accreditation prior to the commencement of its activities.

The certification authorities had to be registered in an official public list kept by the public administration. Following art. 8 of the Italian decree, the certification procedures could also be carried out “by a certifying authority operating under a license or authorization issued by another Member State of the European Union or the European Economic Area on the basis of equivalent requirements”.

1.4 From “Digital” to “Electronic” Signatures

Inspired by the State legislation in the US, the laws introduced in Germany and Italy focused exclusively on “digital signatures” in the technical sense. The Italian implementation decree of 1997, for example, defined a digital signature as “the result of the computerized validation procedure based on a system of paired asymmetric keys, one public and one private, allowing the signatory, by means of the private key, and the recipient by means of the public key, to demonstrate and verify the origin and integrity of a computer document or of a set of computer documents”.

Later on, this terminology was changed in the European Directive, in order to adopt a more “technology-neutral” approach. The Directive introduced a very broad definition of the term “electronic signatures”, including not only signatures created on the basis of “digital signature technology” but all “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication”. The relationship between digital signatures – a specific technology based on asymmetric encryption aimed at securing the origin and the integrity of computer data – and electronic signatures – a legal concept referring to all kinds of data authentication – is schematically represented in Figure 1.

Fig. 1 – Relationship between “digital” and “electronic” signatures: the set of digital signatures (technology) and the set of electronic signatures (legal concept) overlap in the electronic signatures created by using digital signature technology.

The exclusive focus on one particular technology was, however, not the main reason why the European Commission reacted against the national legislation issued in Germany and Italy.

It was primarily the requirement to submit certification services to national licensing schemes, which led to the European Commission’s reaction.

1.5 No National Licensing Schemes, Please!

The introduction of national licensing schemes for certification authorities in Germany and Italy was a thorn in the side of the European Commission. The internal market had to be restored quickly. If every Member State were to submit the provision of certification services to a prior authorization by authorities of that Member State and adopt its own technical rules for electronic signature products, it would evidently be impossible - or at least very cumbersome - for a service provider to develop Europe-wide certification services or for vendors to sell their products throughout the European market.

In a Communication to the Member States, published in 1997, the European Commission stated: “Divergent legal and technical approaches would constitute a serious obstacle to the Internal Market and would hinder the development of new economic activities linked to electronic commerce. An EU policy framework for ensuring security and trust in electronic communication and safeguarding the functioning of the Internal Market is therefore urgently needed. The European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society”.

The prohibition to submit certification services to prior authorization therefore became one of the core provisions of the European Directive. Access to this market should remain free and without any obstacle. This rule applies not only to certification authorities but to all categories of certification services, including time stamping services, trusted archival services, electronic notaries or even consultancy services in the area of electronic signatures.

2 Legal Recognition of Electronic Signatures

In its reaction against the initiatives in some of the Member States, the European Commission evidently had to propose a positive alternative in this area. Instead of leaving the recognition of electronic signatures to the Member States, the European Directive introduced therefore a European-wide legal recognition for all kinds of electronic signatures.

2.1 What Does “Legal Recognition” Mean?

Recital (21) of the Directive specifies that “in order to contribute to the general acceptance of electronic authentication methods it has to be ensured that electronic signatures can be used as evidence in legal proceedings in all Member States.”

In the same Recital one can also read: “National law governs the legal spheres in which electronic documents and electronic signatures may be used”. In other words, Member States can freely decide for which circumstances electronic documents can be used, but once the use of electronic documents is accepted, the electronic signature should no longer be denied legal effectiveness.

It has to be added that the freedom of the Member States to allow the use of electronic media has been considerably restricted in a later Directive of 2002 (the European Electronic Commerce Directive). This Directive requires the Member States to remove all legal obstacles for the conclusion of contracts in electronic form.

2.2 Qualified Electronic Signatures

Article 5.1 states in its first paragraph that “Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature-creation device” “satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data”.

An “advanced electronic signature” is an electronic signature meeting the following four requirements: 1) uniquely linked to the signatory; 2) capable of identifying the signatory; 3) created using means that the signatory can maintain under his sole control; and 4) linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. A qualified certificate is a certificate which is compliant with the format described in Annex 1 of the Directive and which has been issued by a provider who meets the requirements of Annex 2. A secure signature-creation device is a device which fulfils the security requirements of Annex 3 of the Directive.
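The technical definition of a digital signature quoted in section 1.4 (private key signs, public key verifies origin and integrity) and requirement 4 of an advanced electronic signature above (any subsequent change of the data is detectable) can be made concrete in a few lines of code. The following Go program is an added illustration, not code from the paper or from any of the laws it discusses; it uses the Ed25519 scheme from Go's standard library, the document layout, key generation and the sample contract text are all constructed for the example, and the Directive itself prescribes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument pairs data in electronic form with the signature value
// computed over it. The layout is a constructed illustration; the Directive
// defines requirements, not a format.
type SignedDocument struct {
	Data      []byte
	Signature []byte
}

// Sign produces a "digital signature" in the technical sense of section 1.4:
// a value generated over the data with the signatory's private key.
func Sign(priv ed25519.PrivateKey, data []byte) SignedDocument {
	return SignedDocument{Data: data, Signature: ed25519.Sign(priv, data)}
}

// Verify is the recipient's check with the public key. It reports false when
// the data or the signature differ from what the private key holder signed,
// which is how requirement 4 of an advanced electronic signature (any
// subsequent change of the data is detectable) is met at the technical level.
func Verify(pub ed25519.PublicKey, doc SignedDocument) bool {
	return ed25519.Verify(pub, doc.Data, doc.Signature)
}

// Outcome records the three checks a verifier cares about.
type Outcome struct {
	ValidAccepted    bool // the untouched document verifies under the signatory's public key
	TamperedRejected bool // a one-byte change to the data after signing is detected
	WrongKeyRejected bool // another party's public key does not validate the signature (origin)
}

// RunScenario generates two key pairs, signs constructed sample data and
// exercises the three checks.
func RunScenario() (Outcome, error) {
	signerPub, signerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample data standing in for a contract in electronic form.
	data := []byte("Buyer: example-buyer.example; Seller: example-vendor.example; Price: EUR 100")
	doc := Sign(signerPriv, data)

	// Copy the data and alter the price after signing (EUR 100 -> EUR 900).
	tampered := SignedDocument{
		Data:      append([]byte(nil), doc.Data...),
		Signature: doc.Signature,
	}
	tampered.Data[len(tampered.Data)-3] = '9'

	return Outcome{
		ValidAccepted:    Verify(signerPub, doc),
		TamperedRejected: !Verify(signerPub, tampered),
		WrongKeyRejected: !Verify(otherPub, doc),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid accepted: %v, tampered rejected: %v, wrong key rejected: %v\n",
		out.ValidAccepted, out.TamperedRejected, out.WrongKeyRejected)
}
```

Note what the algorithm does and does not deliver. It binds the signature to the data (requirement 4) and to one particular private key (requirement 1). It says nothing about who holds that key (requirement 2) or whether the holder alone controls it (requirement 3); those are exactly the gaps the Directive fills with the qualified certificate and the secure signature-creation device, which is why Fig. 1 places the legal concept around, not inside, the technology.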

2.3 Equivalence with Penned Signatures

The Directive attributes to qualified electronic signatures, in relation to electronic data, the same status as hand-written signatures have in relation to paper documents. It is nevertheless not contrary to Article 5.1 to replace current legislation requiring hand-written signatures by new legislation in which the use of electronic data is permitted without the use of qualified electronic signatures. It is also not the objective of the Directive to require the use of qualified electronic signatures in every situation in which, up to now, the use of hand-written signatures has been obligatory. On the contrary, such a requirement would often be an infringement of Article 5.2 of the Directive (see infra).

On the other hand, Member States can introduce new legislation requiring additional security guarantees, above the level of qualified electronic signatures. In relation to paper documents, hand-written signatures aren’t the exclusive security measure either. In all cases, however, where in relation to paper documents a hand-written signature is estimated to be sufficient, Member States have to give an equivalent status to qualified electronic signatures when they start to allow the use of electronic data processing as a substitute for the paper documents.

The status of the hand-written signature in its relation to paper documents determines, in other words, the status of the qualified electronic signature in relation to electronic data.

2.4 Prohibition to discriminate

Article 5.2 of the Directive states that electronic signatures may not be denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that the signature is not a qualified signature. The effect of Article 5.2 is that Member States may not draft or maintain regulation, or endorse or authorize private rules, with a view to condemning the use of an electronic authentication tool solely by virtue of its electronic format or its non-qualified nature.

This is, for example, relevant in a court proceeding: a judge could not refuse an electronic signature on the sole ground that it is not a “qualified electronic signature”. He is, however, not obliged to give that signature the same legal effect as a hand-written signature would receive.

Suffice it to say that the provision of Article 5.2 touches Member States’ legislators as well. Laws denying legal effectiveness of electronic signatures solely on the grounds that they are not “qualified electronic signatures” would not be in line with Article 5.2.

2.5 Why Do We Need Qualified e-Signatures?

The label of “qualified electronic signature” is only meant to be used for testing the equivalence of an electronic authentication method with the handwritten signature in the paper-based environment. Using the label for other purposes is in principle not allowed.

For the European legislator, it was clear that “national law lays down different requirements for the legal validity of handwritten signatures”. The objective was clearly not to harmonize the requirements for the legal validity of electronic signatures but instead to establish in every Member State the equivalence between the legal status of handwritten signatures in the paper-based environment and the legal status of electronic signatures in the electronic environment.

In other words, the European legislator tried to determine a type of electronic signature, which should consequently be considered by every Member State as the equivalent of a handwritten signature.

It should be clear that, as a consequence of this choice, the legal status of qualified electronic signatures has not been harmonized between the Member States. The legal requirements for handwritten signatures differ from Member State to Member State. Qualified electronic signatures have the same status as handwritten signatures. Therefore the legal requirements for qualified electronic signatures are also different in each of the Member States.

3 Problems Regarding Qualified e-Signatures

European legislation has opted for a solution in which the legal regime for qualified electronic signatures “follows” the national legal regime for handwritten signatures. If a Member State has, for example, very strict rules for the legal validity of a handwritten signature on a certain type of contract, this Member State will apply the same strict rules to qualified electronic signatures for this same type of contract. If another Member State has very flexible rules for handwritten signatures for that type of contract, the rules for the use of qualified electronic signatures on that same type of contract will also be very flexible.

3.1 Qualified e-Signatures Refer to the Paper World

The legal regime for handwritten signatures is, in other words, the reference point, the principle being to award qualified electronic signatures in the electronic environment the same legal status as handwritten signatures in a paper-based context.

During the transposition of the Directive, some Member States, such as the UK, discovered that their legal system has no legal provisions for handwritten signatures. In the absence of national legislation for the use of handwritten signatures, it follows that there can be no legal status for the use of qualified electronic signatures either. If national law doesn’t use the “handwritten signature” as a legal concept, it is impossible to use this concept as a reference point for electronic signatures.

More and more, specific rules are being addressed to the electronic environment, without any reference to the paper-based context. It is not hard to imagine that, ten or twenty years from now, many applications will only use communications in an electronic form and that the rules applicable to those applications will no longer refer to handwritten signatures. In other words, the handwritten signature will, bit by bit, lose its value as a reference point. It is therefore doubtful whether the concept of the qualified electronic signature as an “electronic equivalent” to the handwritten signature will survive in the longer run.

3.2 Divergences Make Qualified e-Signatures Useless

For the time being, and for most of the Member States’ legal systems, linking the qualified electronic signature to a handwritten signature can perhaps be useful. Whether or not this will actually be the case largely depends on how clear the concept of a “qualified electronic signature” actually is. It does not make much sense to require a Member State to award electronic signatures the same legal status as a handwritten signature on condition that it is a “qualified electronic signature”, if this concept is not uniformly understood. A Belgian citizen, for example, wishing to make an electronic commercial transaction with a Greek company by using a qualified electronic signature should be certain that his/her signature will have, under Greek law, the same legal status as a handwritten signature. What I, as a Belgian, consider a “qualified electronic signature” should therefore be equally recognized as such by Greek authorities. The whole system adopted by European legislation is, in other words, only useful on condition that there is one common European concept of “qualified electronic signature”.

Unfortunately there remain a large number of divergences between Member States about the requirements for qualified electronic signatures. The requirements have been listed in general terms in the annexes of the Directive and further specified in EESSI standardization deliverables. In practice, however, these efforts did not lead to a unique, interoperable qualified electronic signature that can be used across the whole European Union.

3.3 Qualified e-Signatures and Standards

Legislation can contain rules but should preferably not describe how people have to implement these rules. The “how” is the object of standards, which have, by definition, a voluntary character. As long as people comply with the rule, they should remain free to decide how they do this. It is true that, sometimes, legislation refers explicitly to standards, but only insofar as this is strictly necessary, and the reference to a particular standard is mostly interpreted in a restrictive manner.

These elementary principles should be borne in mind when interpreting the Directive and, having regard to these principles, the reference to “qualified electronic signature” should not be extended. Meeting the requirements of a qualified electronic signature merely results in equivalence with the handwritten signature. The non-discrimination rule in Art. 5.2 explicitly prohibits going beyond this restriction and using the concept for other purposes.

One could call Article 5.2 for this reason a “long-term” provision. European legislation has not sought to use the concept of “qualified electronic signature” beyond the context of Article 5.1. As soon as it is no longer necessary to seek an “automatic” electronic substitute for the handwritten signature, the concept should be abandoned. Every kind of electronic signature should, from that moment onwards, be judged only with regard to its objective adequacy in the specific context.

3.4 Why Supervise Qualified Certification Authorities?

Various Member States have established supervision schemes for certification service providers which are very close to prior authorization. Article 3.1 is however very clear. Making the provision of certification services – qualified, accredited, or other – subject to prior authorization, or taking other measures that have the same effect, is strictly prohibited by the Directive.

Fortunately the supervision of certification services by the Member States’ authorities only affects providers established on their own national territory. One could have expected that Member States would keep the supervision regime for the providers established on their own territory as limited and as flexible as possible in order not to affect negatively the competitive position of their “own” service providers in comparison with providers established elsewhere.

Nevertheless many European countries have followed a completely different strategy. Some of the national supervision schemes put heavy burdens on the local certification service providers before these can begin to provide qualified services. Apparently Member States are still convinced that most of the qualified certificates issued to the public on their own territory will be provided by providers established on that territory. Another reason could be that some Member States use the supervision schemes to raise the security level of the providers established on their territory in order to improve their quality and hence their competitiveness on the European and international market.

In any case, and as long as they avoid prior authorization, according to the Directive, Member States are largely free to organize the supervision of the certification service providers established on their territory themselves. Recital (13) states “Member States may decide how they ensure the supervision of compliance with the provisions laid down in this Directive”. It was clearly not the objective of the Directive to have similar or harmonized supervision schemes in every Member State.

On the other hand, however, the establishment of heavy, bureaucratic supervision schemes for qualified certification service providers doesn’t seem very useful. A supervision scheme should rather be considered as an element of consumer protection. In this perspective, it doesn’t seem very logical to restrict the protection to certification authorities which issue qualified certificates to the public. A light-weight supervision of all kinds of certification services, in order to protect consumers, would seem more appropriate.

3.5 What about Voluntary Accreditation?

Recital (11) of the Directive states: “Voluntary accreditation schemes aiming at an enhanced level of service provision may offer certification-service-providers the appropriate framework for developing further their services towards the levels of trust, security and quality demanded by the evolving market; such schemes should encourage the development of best practices among certification-service-providers; certification-service-providers should be free to adhere to and benefit from such accreditation schemes.” Therefore Article 3.2 of the Directive stipulates that Member States can maintain or even introduce voluntary accreditation schemes aiming at enhanced levels of certification-service provision.

The European legislator has estimated, very rightly, that voluntary accreditation schemes could be beneficial for the development of the market. They can give certification service providers operating in Europe the possibility of demonstrating their level of security and trustworthiness. Accreditation schemes could certify the adequacy of the security level of a particular certification service for being used in particular contexts or applications. For instance, specialized accreditation schemes could certify the adequacy of a particular certification service for the health care sector.

Recital (11) also refers to the evolving market in this area. When new solutions are discovered and introduced into the market, accreditation schemes can help providers gain user trust.

The accreditation schemes should mainly be created or maintained for the benefit of the providers themselves. They should encourage the development of best practices and remain up-to-date with state-of-the-art technology in the sector. They are a form of common quality control, organized at the level of a particular sector. Of course, setting up such accreditation schemes requires considerable resources, mainly in terms of expertise.

Consequently the aim of the Directive has never been to have a national accreditation scheme in every Member State. It is also fully incorrect to consider voluntary accreditation schemes as a means to control whether or not a certification service provider operates in compliance with the provisions of the Directive. The provision concerning voluntary accreditation schemes was intended mainly to prevent Member States from misinterpreting the prohibition of prior authorization. This prohibition should not be understood as incompatible with existing or future voluntary accreditation schemes. On the contrary, the Directive encourages the creation of such schemes, as long as the conditions related to those schemes are objective, transparent, proportionate and non-discriminatory. Moreover, as is stated in Recital (12):

“Member States should not prohibit certification-service-providers from operating outside voluntary accreditation schemes; it should be ensured that such accreditation schemes do not reduce competition for certification services”.

4 Conclusions

The concept of the “qualified electronic signature”, referred to in Art. 5.1 of the European Directive, has been introduced in order to obtain more legal security in the short term. Our current laws have been conceived without taking into account digital information processing and electronic signatures. They have been drafted against the background of paper-based documents and handwritten signatures.

It would have been very cumbersome to modify all these current laws at once and to adapt them to the electronic environment. Moreover, it would not suffice to modify only the text of the laws. Legal rules are only effective if they are embedded in common practices and if they are well understood by public administrators, judges and by the society as a whole.

Art. 5.1 therefore establishes an equivalence between “qualified electronic signatures” and handwritten signatures. Whenever someone uses a qualified electronic signature in Europe, the same local rules will apply as those which apply to handwritten signatures. This creates some kind of European “passport” for online cross-border transactions: if a Belgian user orders a product on a website of a Greek vendor, he automatically knows that his (Belgian) qualified electronic signature will have the same legal status as a Greek handwritten signature.

This mechanism is only useful as long as Greek laws continue to refer to handwritten signatures. Little by little, laws in all the Member States are modernized and contain security requirements that take into account the context of digital information processing. The legal concept of “qualified electronic signatures”, as a bridge to the laws of the “paper world”, will therefore not survive in the longer run.

A completely different question is the one about the need for a standardized secure electronic signature that can be used for all kinds of transactions, preferably on a global scale. It is evident that such a standard would be highly beneficial for e-business.

The discussions that have been conducted and the specifications that have been drafted around the concept of “qualified electronic signatures” can certainly be used as one element in this standardization process. But it is important to free the minds and no longer consider the legal requirements of the Directive as a dictate in this perspective. A standard for secure electronic signatures should be conceived by the important stakeholders on the market, on the basis of technical, organizational and economic considerations, and not be the result of a political compromise between European Member States.

Index

European Directive – Electronic Signature – Qualified Certification Services – Legal Aspects - Standardization
