Legal Status of Qualified Electronic Signatures in Europe

Transcription

1 Legal Status of Qualified Electronic Signatures in Europe Jos Dumortier Professor of Law - K.U.Leuven Lawfort Of Counsel - Bar of Brussels jos.dumortier@lawfort.be Abstract It is a common misunderstanding that, in Europe, in order to have a legally valid electronic signature, you need a qualified electronic signature. The European Electronic Signatures Directive is very clear in this respect, though: it is forbidden to deny any legal effectiveness to an electronic signature solely on the ground that it is not qualified, for instance because not based on a qualified certificate or not created with a secure signature-creation device. The only consequence of using a qualified electronic signature is the automatic application of existing legal rules which are still referring to the handwritten signature. These rules are progressively disappearing because modern legislation no longer exclusively refers to information processing in paper format. The qualified electronic signature is therefore only a temporary concept, mainly useful for bridging a transition period. It can, on a longer term, be useful to have a standardized secure electronic signature for all kinds of applications, but such a standard should preferably not be dictated by the legal rules on the qualified electronic signature. 1 Looking Backwards: How Did It All Start? To understand the objectives of the European Electronic Signatures Directive and in particular the purpose of the concept of qualified electronic signatures, it is useful to recall the antecedents of the European regulatory framework. 1.1 First Digital Signature Laws in the US The first legislative texts regulating electronic signatures were issued at State level in the US between 1995 and The Utah Digital Signature Act, which was enacted in 1995 and amended twice in 1996, is often cited as the chronologically first example of this kind of legislation. The Utah Act was the first to authorize commercial use of digital signatures. It governed the use of public-private key pair encryption and certification authorities. Certification authorities had to be licensed by the Utah Department of Commerce. During the following years and particularly in , similar laws were issued in several other States in the US, for example in Washington, Missouri and Mississippi. Only in a second wave, new State laws on this subject adopted a more technology-neutral approach and did no longer refer to asymmetric encryption and certificates.

2 2 Legal Status of Qualified Electronic Signatures in Europe 1.2 The German 1997 Digital Signature Law The State legislation in the US inspired some of the national legislators in Europe, particularly in Germany and Italy. The German Parliament approved on 22 July 1997 a Digital Signature Law. This law stated in its first paragraph that it was its purpose to create general conditions under which digital signatures are deemed secure and forgeries of digital signatures or manipulation of signed data can be reliably ascertained. The law defined a digital signature as a seal affixed to digital data which is generated by a private signature key and establishes the owner of the signature key and the integrity of the data with the help of an associated public key provided with a signature key certificate of a certification authority. The German 1997 law established a very detailed framework, which was further developed in the Ordinance of 8 October Licenses were to be granted to certification authorities wishing to operate under the legal framework, after examination of their application file which had to include a security concept in accordance with the security requirements of the law and after a check of the implementation of that security concept by a body recognized by the supervisory authority. From a European perspective, the crucial provision of the German law was 15: Digital signatures capable of being verified by a public signature key certified in another Member State of the European Union or in another State party to the Agreement on the European Economic Area shall be deemed equivalent to digital signatures under this Act insofar as they show the same level of security. 1.3 The 1997 Digital Signature Legislation in Italy The German example was soon followed by the Italian government, in an implementation decree of the Law n 59 of 15 March It provided that anyone intending to use a system of asymmetric encryption keys for authenticating a legally valid electronic document must obtain an appropriate pair of keys and make one of these keys public by means of the certification procedure carried out by a certifying authority. This certifying authority needed an official accreditation prior to the commencement of its activities. The certification authorities had to be registered in an official public list kept by the public administration. Following art. 8 of the Italian decree, the certification procedures could also be carried out by a certifying authority operating under a license or authorization issued by another Member State of the European Union or the European Economic Area on the basis of equivalent requirements. 1.4 From Digital to Electronic Signatures Inspired by the State legislation in the US, the laws introduced in Germany and Italy focused exclusively on digital signatures in the technical sense. The Italian implementation decree of 1997, for example, defined a digital signature as the result of the computerized validation procedure based on a system of paired asymmetric keys, one public and one private, allowing the signatory, by means of the private key, and the recipient by means of the public key, to demonstrate and verify the origin and integrity of a computer document or of a set of computer documents. Later on, this terminology was changed in the European Directive, in order to adopt a more technology-neutral approach. The Directive introduced a very broad definition of the term electronic signatures, including not only signatures created on the basis of digital signature technology but all data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. The relationship be-

3 Legal Status of Qualified Electronic Signatures in Europe 3 tween digital signatures a specific technology based on asymmetric encryption aimed at securing the origin and the integrity of computer data and electronic signatures a legal concept referring to all kinds of data authentication is schematically represented in Figure 1. digital signatures (technology) electronic signatures (legal concept) electronic signatures created by using digital signature technology Fig. 1 Relationship between digital and electronic signatures The exclusive focus on one particular technology was, however, not the main reason why the European Commission reacted against the national legislation issued in Germany and Italy. It was primarily the requirement to submit certification services to national licensing schemes, which led to the European Commission s reaction. 1.5 No National Licensing Schemes, Please! The introduction of national licensing schemes for certification authorities in Germany and Italy was a thorn in the eye of the European Commission. The internal market had quickly to be restored. If every Member State were to submit the provision of certification services to a prior authorization by authorities of that Member State and adopt their own technical rules for electronic signature products, it would evidently be impossible - or at least very cumbersome - for a service provider to develop European-wide certification services or for vendors to sell their products throughout the European market. In a Communication to the Member States, published in 1997, the European Commission stated: Divergent legal and technical approaches would constitute a serious obstacle to the Internal Market and would hinder the development of new economic activities linked to electronic commerce. An EU policy framework for ensuring security and trust in electronic communication and safeguarding the functioning of the Internal Market is therefore urgently needed. The European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society.

4 4 Legal Status of Qualified Electronic Signatures in Europe The prohibition to submit certification services to prior authorization became therefore one of the core provisions of the European Directive. The access to this market should remain free and without any obstacle. This rule not only applies to certification authorities but to all categories of certification services, including time stamping services, trusted archival services, electronic notaries or even consultancy services in the area of electronic signatures. 2 Legal Recognition of Electronic Signatures In its reaction against the initiatives in some of the Member States, the European Commission evidently had to propose a positive alternative in this area. Instead of leaving the recognition of electronic signatures to the Member States, the European Directive introduced therefore a European-wide legal recognition for all kinds of electronic signatures. 2.1 What Does Legal Recognition Mean? Recital (21) of the Directive specifies that in order to contribute to the general acceptance of electronic authentication methods it has to be ensured that electronic signatures can be used as evidence in legal proceedings in all Member States. In the same Recital one can also read: National law governs the legal spheres in which electronic documents and electronic signatures may be used. In other words, Member States can freely decide for which circumstances electronic documents can be used, but once the use of electronic documents is accepted, the electronic signature should no longer be denied legal effectiveness. It has to be added that the freedom of the Member States to allow the use of electronic media has been considerably restricted in a later Directive of 2002 (the European Electronic Commerce Directive). This Directive requires the Member States to remove all legal obstacles for the conclusion of contracts in electronic form. 2.2 Qualified Electronic Signatures Article 5.1 states in its first paragraph that Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a securesignature-creation device satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data. An advanced electronic signature is an electronic signature meeting the following four requirements: 1) uniquely linked to the signatory; 2) capable of identifying the signatory; 3) created using means that the signatory can maintain under his sole control; and 4) linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. A qualified certificate is a certificate which is compliant with the format described in Annex 1 of the Directive and which has been issued by a provider who meets the requirements of Annex 2. A secure signature-creation device is a device which is fulfills the security requirements of Annex 3 of the Directive. 2.3 Equivalence with Penned Signatures The Directive attributes to qualified electronic signatures, in relation to electronic data, the same status as hand-written signatures have in relation to paper documents. It is nevertheless not contrary to Article 5.1 to replace current legislation requiring hand-written signatures by

5 Legal Status of Qualified Electronic Signatures in Europe 5 new legislation in which the use of electronic data is permitted without the use of qualified electronic signatures. It is also not the objective of the Directive to require the use of qualified electronic signatures in every situation in which, up to now, the use of hand-written signatures has been obligatory. On the contrary, such a requirement would often be an infringement of Article 5.2 of the Directive (see infra). On the other hand, Member States can introduce new legislation requiring additional security guarantees, above the level of qualified electronic signatures. In relation to paper documents, hand-written signatures aren t the exclusive security measure either. In all cases, however, where in relation to paper documents a hand-written signature is estimated to be sufficient, Member States have to give an equivalent status to qualified electronic signatures when they start to allow the use of electronic data processing as a substitute for the paper documents. The status of the hand-written signature in its relation to paper documents determines, in other words, the status of the qualified electronic signature in relation to electronic data. 2.4 Prohibition to discriminate Article 5.2 of the Directive states that electronic signatures may not be denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that the signature is not a qualified signature. The effect of Article 5.2 is that Member States may not draft or maintain regulation, or endorse or authorize private rules with a view to condemn the use of an electronic authentication tool solely by virtue of its electronic format or its non-qualified nature. This is, for example, relevant in a court proceeding: a judge could not refuse an electronic signature on the sole ground that it is not a qualified electronic signature. He is, however, not obliged to give that signature the same legal effect, as a hand-written signature would receive. Suffice it to say that the provision of Article 5.2 touches Member States legislators as well. Laws denying legal effectiveness of electronic signatures solely on the grounds that they are not qualified electronic signatures would not be in line with Article Why Do We Need Qualified e-signatures? The label of qualified electronic signature is only meant to be used for testing the equivalence of an electronic authentication method with the handwritten signature in the paperbased environment. Using the label for other purposes is in principle not allowed. For the European legislator, it was clear that national law lays down different requirements for the legal validity of handwritten signatures. The objective was clearly not to harmonize the requirements for the legal validity of electronic signatures but instead to establish in every Member State the equivalence between the legal status of handwritten signatures in the paperbased environment and the legal status of electronic signatures in the electronic environment. In other words, the European legislator tried to determine a type of electronic signature, which should consequently be considered by every Member State as the equivalent of a handwritten signature. It should be clear that, as a consequence of this choice, the legal status of qualified electronic signatures has not been harmonized between the Member States. The legal requirements for handwritten signatures differ from Member State to Member State. Qualified electronic signatures have the same status as handwritten signatures. Therefore the legal requirements for qualified electronic signatures are also different in each of the Member States.

6 6 Legal Status of Qualified Electronic Signatures in Europe 3 Problems Regarding Qualified e-signatures European legislation has opted for a solution in which the legal regime for qualified electronic signatures follows the national legal regime for handwritten signatures. If a Member State has, for example, very strict rules for the legal validity of a handwritten signature on a certain type of contract, this Member State will apply the same strict rules to qualified electronic signatures for this same type of contract. If another Member State has very flexible rules for handwritten signatures for that type of contract, the rules for the use of qualified electronic signatures on that same type of contract will also be very flexible. 3.1 Qualified e-signatures Refer to the Paper World The legal regime for handwritten signatures is, in other words, the reference point, the principle being to award qualified electronic signatures in the electronic environment the same legal status as handwritten signatures in a paper-based context. During the transposition of the Directive, some Member States, such as the UK, discovered that their legal system has no legal provisions for handwritten signatures. In the absence of national legislation for the use of handwritten signatures, it follows that there can be no legal status for the use of qualified electronic signatures either. If national law doesn t use the handwritten signature as a legal concept, it is impossible to use this concept as a reference point for electronic signatures. More and more, specific rules are being addressed to the electronic environment, without any reference to the paper-based context. It is not hard to imagine that, ten or twenty years from now, many applications will only use communications in an electronic form and that the rules applicable to those applications will no longer refer to handwritten signatures. In other words, the handwritten signature will, bit by bit, loose its value as a reference point. It is therefore doubtful whether the concept of the qualified electronic signature as an electronic equivalent to the handwritten signature will survive in the longer run. 3.2 Divergences Make Qualified e-signatures Useless For the time being, and for most of the Member States legal systems, linking the qualified electronic signature to a handwritten signature can perhaps be useful. Whether or not this will actually be the case, largely depends on how clear the concept of a qualified electronic signature actually is. It does not make much sense to require a Member State to award electronic signatures the same legal status as a handwritten signature on condition that it is a qualified electronic signature, if this concept is not uniformly understood. A Belgian citizen, for example, wishing to make an electronic commercial transaction with a Greek company by using qualified electronic signature should be certain that his/her signature will have, under Greek law, the same legal status as a handwritten signature. What I, as a Belgian, consider a qualified electronic signature should therefore be equally recognized as such by Greek authorities. The whole system adopted by European legislation is, in other words, only useful on condition that there is one common European concept of qualified electronic signature. Unfortunately there remain a large number of divergences between Member States about the requirements for qualified electronic signatures. The requirements have been listed in general terms in the annexes of the Directive and further specified in EESSI standardization deliverables. In practice however, these efforts did not lead to a unique, interoperable qualified electronic signature that can be used across the whole European Union.

7 Legal Status of Qualified Electronic Signatures in Europe Qualified e-signatures and Standards Legislation can contain rules but should preferably not describe how people have to implement these rules. The how is the object of standards, which have, by definition a voluntary character. As long as people comply with the rule, they should remain free to decide how they do this. It is true that, sometimes, legislation refers explicitly to standards, but only insofar that this is strictly necessary and the reference to a particular standard is mostly interpreted in a restrictive manner. These elementary principles should be borne in mind when interpreting the Directive and having regard to these principles, the reference to qualified electronic signature, should not be extended. Meeting the requirements of a qualified electronic signature merely results in equivalence with the handwritten signature. The non-discrimination rule in Art; 5.2 explicitly prohibits to go beyond this restriction and to use the concept for other purposes. One could call Article 5.2 for this reason a long-term provision. European legislation has not sought to use the concept of qualified electronic signature beyond the context of Article 5.1. As soon as it is no longer necessary to search an automatic electronic substitute for the handwritten signature, the concept should be abandoned. Every kind of electronic signature should, from that moment onwards, be judged only with regard to its objective adequacy in the specific context. 3.4 Why Supervise Qualified Certification Authorities? Various Member States have established supervision schemes for certification service providers which are very close to prior authorization. Article 3.1 is however very clear. Making the provision of certification services qualified, accredited, or other subject to prior authorization or taking other measures that have the same effect, are strictly prohibited by the Directive. Fortunately the supervision of certification services by the Member States authorities only affects providers established on their own national territory. One could have expected that Member States would keep the supervision regime for the providers established on their own territory as limited and as flexible as possible in order not to affect negatively the competitive position of their own service providers in comparison with providers established elsewhere. Nevertheless many European countries have followed a completely different strategy. Some of the national supervision schemes put heavy burdens on the local certification service providers before these can begin to provide qualified services. Apparently Member States are still convinced that most of the qualified certificates issued to the public on their own territory will be provided by providers established on that territory. Another reason could be that some Member States use the supervision schemes to raise the security level of the providers established on their territory in order to improve their quality and hence their competitiveness on the European and international market. In any case and as long as they avoid prior authorization, according to the Directive, Member States are largely free to organize the supervision of the certification service providers established on their territory themselves. Recital (13) states Member States may decide how they ensure the supervision of compliance with the provisions laid down in this Directive. It was clearly not the objective of the Directive to have similar or harmonized supervision schemes in every Member State.

8 8 Legal Status of Qualified Electronic Signatures in Europe On the other hand, however, the establishment of heavy, bureaucratic supervision schemes for qualified certification service providers doesn t seem very useful. A supervision scheme should rather be considered as an element of consumer protection. In this perspective, it doesn t seem very logical to restrict the protection to certification authorities which issue qualified certificates to the public. A light-weight supervision of all kinds of certification services, in order to protect consumers, would seem more appropriate. 3.5 What about Voluntary Accreditation? Recital (11) of the Directive states: Voluntary accreditation schemes aiming at an enhanced level of service provision may offer certification-service-providers the appropriate framework for developing further their services towards the levels of trust, security and quality demanded by the evolving market; such schemes should encourage the development of best practices among certification-service-providers; certification-service-providers should be free to adhere to and benefit from such accreditation schemes. Therefore Article 3.2 of the Directive stipulates that Member States can maintain or even introduce voluntary accreditation schemes aiming at enhanced levels of certification-service provision. The European legislator has estimated, very rightly, that voluntary accreditation schemes could be beneficial for the development of the market. It can give certification service providers operating in Europe the possibility of demonstrating their level of security and trustworthiness. Accreditation schemes could certify the adequacy of the security level of a particular certification service for being used in particular contexts or applications. For instance, specialized accreditation schemes could certify the adequacy of particular certification service for the health care sector. Recital (11) also refers to the evolving market in this area. When new solutions are discovered and introduced into the market, accreditation schemes can help providers gain user trust. The accreditation schemes should mainly be created or maintained for the benefit of the providers themselves. They should encourage the development of best practices and remain upto-date with state-of-the-art technology in the sector. They are a form of common quality control, organized at the level of a particular sector. Of course, setting up such accreditation schemes requires considerable resources, mainly in terms of expertise. Consequently the aim of the Directive has never been to have a national accreditation scheme in every Member State. It is also fully incorrect to consider voluntary accreditation schemes as a means to control whether or not a certification service provider operates in compliance with the provisions of the Directive. The provision concerning voluntary accreditation schemes was intended mainly to prevent Member States from misinterpreting the prohibition of prior authorization. This prohibition should not be understood as incompatible with existing or future voluntary accreditation schemes. On the contrary, the Directive encourages the creation of such schemes, as long as the conditions related to those schemes are objective, transparent, proportionate and non-discriminatory. Moreover, as is stated in Recital (12): Member States should not prohibit certification-service-providers from operating outside voluntary accreditation schemes; it should be ensured that such accreditation schemes do not reduce competition for certification services. 4 Conclusions The concept of the qualified electronic signature, referred to in Art. 5.1 of the European Directive, has been introduced in order to obtain more legal security on a short term. Our current

9 Legal Status of Qualified Electronic Signatures in Europe 9 laws have been conceived without taking into account digital information processing and electronic signatures. They have been drafted against the background of paper-based documents and handwritten signatures. It would have been very cumbersome to modify all these current laws at once and to adapt them to the electronic environment. Moreover, it would not suffice to modify only the text of the laws. Legal rules are only effective if they are embedded in common practices and if they are well understood by public administrators, judges and by the society as a whole. Art. 5.1 establishes therefore an equivalence between qualified electronic signatures and handwritten signatures. Whenever someone uses a qualified electronic signature in Europe, the same local rules will apply than those which apply to handwritten signatures. This creates some kind of European passport for online cross-border transactions: if a Belgian user orders a product on a website of a Greek vendor, he automatically knows that his (Belgian) qualified electronic signature will have the same legal status as a Greek handwritten signature. This mechanism is only useful as long as Greek laws continue to refer to handwritten signatures. Little by little, laws in all the Member States are modernized and contain security requirements that take into account the context of digital information processing. The legal concept of qualified electronic signatures, as a bridge to the laws of the paper world, will therefore not survive in the longer run. A completely different question is the one about the need for a standardized secure electronic signature that can be used for all kinds of transactions, preferably on a global scale. It is evident that such a standard would be highly beneficial for e-business. The discussions that have been conducted and the specifications that have been drafted around the concept of qualified electronic signatures can certainly be used as one element in this standardization process. But it is important to free the minds and no longer consider the legal requirements of the Directive as a dictate in this perspective. A standard for secure electronic signatures should be conceived by the important stakeholders on the market, on the basis of technical, organizational and economical considerations and not be the result of a political compromise between European Member States. Index European Directive Electronic Signature Qualified Certification Services Legal Aspects - Standardization