Electronic signatures in Denmark: free for all citizens



Similar documents
Executive Order No. 67 of 25. January 2012 on online casinos 1

The Danish Act on the Central Business Register

Terms and conditions of business for a NemID administrator of commercial NemID

Qualified Electronic Signatures Act (SFS 2000:832)

ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION

Guidelines for the use of electronic signature

The Geological Survey of Denmark and Greenland Act

Order on maritime security training on board ships

Ericsson Group Certificate Value Statement

UNCITRAL United Nations Commission on International Trade Law Introduction to the law of electronic signatures

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Executive Order on Access to and Conditions for Travelling in Certain Parts of Greenland

ELECTRONIC TRANSACTIONS LAW N0 (85) OF Article (1)

The Marketing Practices Consolidation Act 1)

Executive Order on Residence in Denmark for Aliens Falling within the Rules of the European Union (the EU Residence Order) 1

Decree No. 18/2009 (VIII. 6.) MNB of the Governor of the National Bank of Hungary. on Payment Services Activities CHAPTER I GENERAL PROVISIONS.

Federal Law No. (1) of 2006 On Electronic Commerce and Transactions

on Electronic Signature and change to some other laws (Electronic Signature Act) The Parliament has hereby agreed on this Act of the Czech Republic:

1 L.R.O Electronic Transactions CAP. 308B ELECTRONIC TRANSACTIONS

Executive Order on Insurance Intermediaries Indemnity Insurance, Guarantees and Treatment of Entrusted Funds

ABA Section of International Law 2006 Spring Meeting 5 8 April 2006, New York

Statoil Policy Disclosure Statement

A7-0365/133

Law Governing Framework Conditions for Electronic Signatures and Amending Other Regulations

The Auditor General's Act

A Revised EMC Directive from Europe

HKUST CA. Certification Practice Statement

AGREEMENT WITH A SELF-EMPLOYED CONTRACTOR FOR CONSULTANCY SERVICES

Amendments Guide for FP7 Grant Agreements

DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Danish Act on Approved Auditors and Audit Firms (Lov om godkendte revisorer og revisionsvirksomheder) 1

Specifikationsdokument for OCES II

Supported by. World Trademark Review. Anti-counterfeiting. Poland. Contributing firm Patpol Patent & Trademark Attorneys.

PART I GENERAL. Chapter 1. General provisions. Section 1. General scope of application of the Act

Spillemyndigheden s change management programme. Version of 1 July 2012

COMMISSION DELEGATED REGULATION (EU) /... of

Consolidation Act no. 224 of 16 March Act on Energinet.dk

AdvantageCard Rewards Program. Terms & Conditions - Business

Ministerial Order on the PhD Programme at the Universities and Certain Higher Artistic Educational Institutions (PhD Order)

Informationsteknologi Serviceledelse Del 3: Vejledning i definition af emne og brug af ISO/IEC

Den Gode Webservice - Security Analysis

Electronic Commerce ELECTRONIC COMMERCE ACT Act. No Commencement LN. 2001/ Assent

DECISIONS ADOPTED JOINTLY BY THE EUROPEAN PARLIAMENT AND THE COUNCIL

GUARANTEE OF LOANS (COMPANIES) ACT

Merchants and Trade - Act No 28/2001 on electronic signatures

Implementing Regulations under the Benelux Convention on Intellectual Property (Trademarks and Designs) *

1.3 The Terms are accepted by the Customer upon registration or ordering of the Products or renewal of any such subscription.

ELECTRONIC TRANSACTIONS ACT

COMMISSION DECISION C(2013)343. of 22 January 2013

Terms and Concepts in NemID

COUNCIL OF THE EUROPEAN UNION. Brussels, 23 June 2010 (OR. en) 10858/10 Interinstitutional File: 2009/0009 (CNS) FISC 60

EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE. on a common framework for electronic signatures

Softwareudvikling Retningslinjer for anvendelse af ISO 9001:2008 til computersoftware

Act 7 Electronic Signatures Act 2011

Consolidation Act No. 68 of 21 January The Employers' and Salaried Employees' (Legal Relationship) (Consolidation) Act 1

Electronic Signature Law,

Guidance on vessel traffic services (VTS) in Danish waters

REPUBLIC OF LITHUANIA. LAW ON ELECTRONIC SIGNATURE

JUDGMENT OF THE COURT 28 September 2015

Number 35 of 2007 PERSONAL INJURIES ASSESSMENT BOARD (AMENDMENT) ACT 2007 ARRANGEMENT OF SECTIONS

LAWS OF MALAYSIA. Act 680 ELECTRONIC GOVERNMENT ACTIVITIES ACT 2007 ARRANGEMENT OF SECTIONS PART I PRELIMINARY PART II

Skovbrugsmaskiner Sikkerhedskrav til og prøvning af motordrevne stangsave til beskæring Del 2: Maskiner med rygbåret energikilde

DIRECTIVE 2006/95/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 12 December 2006

Act LXXXV of on the Pursuit of the Business of Payment Services

Spillemyndigheden s Certification Programme Change Management Programme

In case of any discrepancy between the original Danish text and the English translation of this Act, the Danish text shall prevail.

31977L0092. mhtml:file://c:\documents and Settings\evtimova_r\Local Settings\Temporary Inter...

ELECTRONIC SIGNATURE LAW

Concept of Electronic Approvals

Certificate Policy for OCES Employee Certificates (Public Certificates for Electronic Services) Version 5

Certificate Policy for OCES personal certificates (Public Certificates for Electronic Services)

PAYMENT TRANSACTIONS ACT (PTA)

ELECTRONIC TRANSACTIONS ACT 1999 BERMUDA 1999 : 26 ELECTRONIC TRANSACTIONS ACT 1999

Informationsteknologi Serviceledelse Del 4: Procesreferencemodel

You can also find the conditions at

COMMISSION OF THE EUROPEAN COMMUNITIES REPORT FROM THE COMMISSION ON MONITORING THE APPLICATION OF COMMUNITY LAW (2003) OVERALL POSITION

Executive Order on Articles of Association for ATP (Arbejdsmarkedets Tillægspension)

Limited Liability Companies Act Finland

BANK LINK USE AGREEMENT NO. Representative:

Content Clause Contents Clause

Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts

2002 No. 318 ELECTRONIC COMMUNICATIONS. The Electronic Signatures Regulations 2002

Certificate Policy for OCES company certificates (Public Certificates for Electronic Services)

COMMISSION OF THE EUROPEAN COMMUNITIES

In force as of 15 March 2005 based on decision by the President of NIB ARBITRATION REGULATIONS

ACT. of 15 March 2002

ELECTRONIC SIGNATURE LAW. (Published in the Official Journal No 25355, ) CHAPTER ONE Purpose, Scope and Definitions

THE DUALIST SYSTEM FOR THE ADMINISTRATION OF JOINT STOCK COMPANIES

Transcription:

Article Electronic in Denmark: free for all citizens JAN HVARRE Both the Directive and the Danish Act establish general principles for the approval of electronic Historical background Early Danish start In the late eighties and the early nineties, the general view in Denmark was that the establishment of a public key infrastructure (PKI) was an important condition for the popularisation of electronic. In 1996, the first draft for a Danish law on electronic was prepared, to be followed by a revised version in 1998. The ambition of the draft bill was not only to lay down requirements for electronic and certificate issuing key centres ( Certification Authority ), but also to govern how electronic meet requirements in Danish law where an agreement or exchange of messages must be in writing and signed. Thus, the idea was that such requirements could be fulfilled by the exchange of electronic messages applied with an electronic signature. The implementation of the draft bill implied a review of the requirements as to formality in the entire Danish legislation, which was assumed to include more than 10,000 rules and regulations with formal requirements for a written signature, which would be influenced by the legislation. It was discussed whether to pass a decision on every single rule and regulation where an electronic signature was to be accepted ( opt in model), or generally to consider electronic as fulfilling the formal requirements of the rules and regulations unless otherwise decided concerning the rule in question ( opt out model). The review was, however, somewhat timeconsuming and thus the draft bill was overtaken by the Directive from the European Parliament on electronic and was therefore never implemented. The EU Directive on electronic On 13 December 1999, the EU issued Directive no 99/93 on a Community framework for electronic. 1 A EU Directive does not impose direct obligations on the citizens in a member state. The member states are, however, obliged to implement the regulation of the Directive into national law within a given time limit. Dependent on the form of the Directive, member states are left with more or less free hands as to the actual drafting of the national legislation. According to the European Commission, all countries have implemented the Directive, and thus it may be expected that all member states have rules on electronic generally corresponding to the Danish regulation. In Denmark, the Directive has been implemented by means of Lov om elektroniske signaturer, the Danish Act on Electronic Signatures, nr. 417 of 31 May 2000 ( The Danish Act ). Both the Directive and the Danish Act establish general principles for the approval of electronic. Certain advanced based on qualified certificates are granted special advantages. The Directive and the Danish Act concentrate on the role of the centres issuing electronic keys ( Key Centres ). Moreover, article 5 of the Directive establishes general requirements that advanced electronic based on a qualified certificate and created by a secure signature creation device shall be deemed to: comply with the legal requirements of a signature in relation to data in electronic form to the same extent that a handwritten signature meets these requirements in relation to data in paper form, and be admissible evidence in legal actions. Moreover, article 5 (2) also provides that member states must ensure that advanced electronic are not deemed legally invalid and inadmissible evidence in legal actions only because they 1 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic (OJ 19.1.2000 L13/12). 14 DIGITAL EVIDENCE AND ELECTRONIC SIGNATURE LAW REVIEW www.deaeslr.org

are electronic; are not based on a qualified certificate; are not based on a qualified certificate issued by an accredited key centre; or are not created by a secure signature creation device. Finally, the Directive prohibits, as part of the general efforts to secure free movement of goods and services between member states, that a country requires that the Key Centres must obtain prior certification. Danish law on electronic Scope and definitions Efforts have been made to keep both the Directive and the Danish Act technology neutral. This appears from the definition of an electronic signature in the Danish Act, section 3(1): Data i elektronisk form, der knyttes til andre elektroniske data ved hjælp af et signaturgenereringssystem, og som anvendes til at kontrollere, at disse data stammer fra den person, der er angivet som underskriver, og at de ikke er blevet ændret. Electronic data attached to other electronic data by a signature creation device and which are used for verifying that these originated from the person indicated as signatory, and that they have not been amended. Thus, it is required that a device is used for creating the electronic signature. Stating your name at the end of an e-mail will not meet this requirement. It is, however, in principle not necessary to involve a Key Centre to meet the requirements of the definition. However, most of the provisions in the Danish Act provide for procedures that indicate the use of a key centre in a Public Key Infrastructure (PKI) is presumed to be the most common procedure. A further requirement is that a natural person must always issue the electronic signature. An electronic signature issued by a machine will therefore not qualify as an electronic signature under the Danish Act. Variation of electronic In principle, all electronic are subject to the Danish Act. However, a distinction is made between different types of with different effects, depending on whether the signature is regarded (1) advanced, (2) is issued based on a qualified certificate and (3) is created by a secure signature creation device. Advanced electronic An advanced electronic signature is a signature fulfilling the following four requirements, see the Danish Act, section 3(2): It must be uniquely linked to the signatory. It makes it possible to identify the signatory. It is created using means under the exclusive control of the signatory. It is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. Requirements 1, 2 and 4 would be met by the use of an ordinary electronic signature based on the use of the signatory s secret key using complete encryption or creation of a hash value of the signed message. Requirement 3 can be met by means of prior agreement between the signatory and the receiver, or by involving a trustworthy third party. Qualified certificates In order to provide the possibility of issuing especially trustworthy certificates, both the Directive and the Danish Act contain the concept of a qualified certificate. This is a protected designation, as only certificates meeting the requirements mentioned below can be designated qualified certificates. To classify as a qualified certificate, the certificate must be signed with the Certification Authorities advanced electronic signature, see section 4(3) of the Danish Act. Moreover, according to section 4(2) the certificate must meet the following requirements as to the level of information: www.deaeslr.org DIGITAL EVIDENCE AND ELECTRONIC SIGNATURE LAW REVIEW 15

At present, only a very limited number of Danish acts provide for the use of an electronic signature The certificate must identify the item being qualified, and state the name and registered address of the Certification Authority, the signatory s name or pseudonym (in such event specifying that it is a pseudonym) and any further information regarding the signatory, including information providing an unambiguous identification of the signatory. The qualified certificate must contain information regarding the validity period of the certificate and any limitations as to object and amount, which define the application of the certificate. The qualified certificate must contain an identification code and the signature verification data corresponding to the signature creation data, which are controlled by the signatory at the time of the issue. Secure Signature Creation Devices Further, a distinction is made between ordinary signature creation devices and secure signature creation devices. According to the Danish Act section 14-15, a signature creation device must meet certain requirements to obtain the designation secure. In this connection, the Danish Act introduces a system according to which the Danish Ministry of Science, Technology and Innovation appoints a test centre, which is responsible for controlling whether the signature creation device meets the requirements. The Ministry has not yet appointed such centre, probably because no test centre has found it commercially feasible to undertake this task. Danish parties looking for verification that their signature creation device is secure therefore must contact a test centre in another member state within EU, cf. section 15(3) of the Danish Act. Legal effect of electronic The Danish Act anticipates a situation where the individual Danish acts generally accept electronic messages signed electronically. Section 13 of the Danish Act states that any requirement in the legislation of signature on electronic messages shall be deemed fulfilled if the message is: provided with an advanced electronic signature; based on a qualified certificate; and created by a secure signature creation device. This means that any person or business acquiring an electronic signature fulfilling the requirements set out in the Danish Act on Electronic Signatures can be confident of fulfilling any future legislative requirements. At present, only a very limited number of Danish acts provide for the use of an electronic signature. Requirement for the business of the Certification Authority: the identification requirement A Certification Authority operating in Denmark does not need to be authorized, as this would be contrary to the EU Directive. The Certification Authorities must, however, fulfil a number of requirements, especially if they want to issue qualified certificates. Some of these requirements are laid down in a departmental order issued by the Danish Ministry of Science, Technology and Innovation ( the Departmental Order ) 2. First of all, the Certification Authority is required to have a written certification policy and a certification practice, both of which shall be made available to the public, cf. section 2 of the Departmental Order. Moreover, the CA must take out an insurance covering damage arising out of its business operations, cf. section 5 of the Departmental Order. Secondly in connection with the issue of qualified certificates, the Certification Authority must verify the identity of the person or business by requiring physical appearance at the office of the Certification Authority, (section 6 of the Departmental Order), or at the office of a representative appointed by the Certification Authority, (section 8 of the Departmental Order). This requirement can only be deviated from if the Certification Authority already knows the signatory. The requirement of physical appearance is relatively far-reaching, especially when considering the fact that the Certification Authority is already motivated to perform a thorough check because of the presumption of negligence, for which see further below. The requirement is not contained in the Directive, which only requires the use of appropriate means in accordance with national law. 3 The Certification Authority may appoint other businesses or authorities to be local registration units performing the identity check on its behalf. Thus, a number of Danish Certification Authorities have chosen to issue qualified certificates using either local post offices or banks as local registration units in order to make is as easy as possible for the citizens to appear in person. 2 Bekendtgørelse nr. 923 af 5. oktober 2000 om sikkerhedskrav mv. til nøglecentre. 3 Recital 21. 16 DIGITAL EVIDENCE AND ELECTRONIC SIGNATURE LAW REVIEW www.deaeslr.org

Liability: reversed burden of proof Section 11 of the Danish Act lays down a strict liability for Danish Certification Authorities issuing qualified certificates: Nøglecentre, der udsteder kvalificerede certifikater til offentligheden, eller som over for offentligheden indestår for sådanne certifikater udstedt af et andet nøglecenter, er ansvarlig for tab hos den, der med rimelighed forlader sig på certifikatet, såfremt tabet skyldes, at oplysningerne angivet i certifikatet ikke var korrekte på tidspunktet for udstedelsen af certifikatet, at certifikatet ikke indeholder alle oplysninger som krævet i henhold til 4, manglende spærring af certifikatet, jf. 9, stk. 2, manglende eller fejlagtig information om, at certifikatet er spærret, hvilken udløbsdato certifikatet har, eller om certifikatet indeholder formåls- eller beløbsbegrænsninger, jf. 9, stk. 1 og 3, eller tilsidesættelse af 7. Stk. 2. Et nøglecenter pådrager sig erstatningsansvar efter stk. 1, medmindre nøglecentret kan godtgøre, at nøglecentret ikke har handlet uagtsomt eller forsætligt. Stk. 3. Et nøglecenter er ikke ansvarlig for tab opstået som følge af anvendelse af et kvalificeret certifikat uden for de formålsbegrænsninger, som gælder for certifikatet, eller for tab opstået som følge af en overskridelse af de beløbsbegrænsninger, som gælder for certifikatet, forudsat at de pågældende begrænsninger tydeligt fremgår af certifikatet, jf. 4, og på forespørgsel oplyses, jf. 9, stk. 1 og 3. Stk. 4. Stk. 1-3 kan ikke ved forudgående aftale fraviges til skade for skadelidte. Stk. 5. Stk. 1-3 finder ikke anvendelse, i det omfang tabet dækkes efter lov om visse betalingsmidler. The key centres, which issue qualified certificates to the public, or which towards the public vouch for such certificates issued by another key centre, is liable for any loss incurred by those who reasonably rely on the certificate if the loss is due to: the information stated in the certificate not being true at the time of the issue of the certificate; the certificate not containing all information required under section 4; lack of blocking of the certificate, see section 9(2); lack of or misinformation regarding blocking of the certificate, expiry date of the certificate, or if the certificate contains any limitations as to objects or amounts, see section 9(1) and (3); or non-observance of section 7. (2) A key center incurs liability pursuant to sub-section 1 unless the key center can prove that the key center has not acted negligently or willfully. (3) A key center is not liable for Loss occurred in relation to the use of a qualified certificate beyond the limitations as to objects applicable to the certificate; or for loss occurred due to an excess of the amount limitations applicable to the certificate; provided that the said limitations are explicitly stated in the certificate, see section 4, and are notified upon inquiry thereof, see section 9(1) and (3). (4) Sub-section 1-3 cannot be derogated from to the detriment of the claimant by prior agreement between the parties. (5) Sub-section 1-3 are not applicable if the loss is covered according to the Danish Act on certain means of payment (lov om visse betalingsmidler). As it appears, the Certification Authority is liable for damage caused to any person or business, which reasonably relies on the certificate unless the Certification Authority can prove that it has not acted negligently. In other words, the Certification Authority is subject to a so-called presumption of negligence. The Certification Authority is not, however, liable for damages for loss arising out of the use of a qualified certificate beyond the limitations as to the object and amount that applies to the certificate. Naturally, this implies that the limitations in question are clearly stated in the certificate. The liability of the Certification Authority cannot be derogated from to the detriment of the claimant by prior agreement between the parties. www.deaeslr.org DIGITAL EVIDENCE AND ELECTRONIC SIGNATURE LAW REVIEW 17

The OCES signature is approved by the Danish Data Protection Agency for use by public authorities when exchanging sensitive information with citizens 4 Read more at (Danish sites) http://www.videnskabsministeriet.dk/cg i-bin/theme-list.cgi?theme_id=7471, http://privat.tdc.dk/digital and https://www.signatursekretariatet.dk/ frontpage.html. 5 Project competition with limited participation under Directive 92/50/EEC as modified by Directive 97/52/EC, art. 13. 6 http://politiken.dk/visartikel.iasp? PageID =301322&TemplateID=552. Jan Hvarre, 2004 Jan Hvarre is attorney-at-law at the IT-law department of the law firm Kromann Reumert, Denmark. Has worked with IT-law and Intellectual Property Rights since 1998. He teaches IT law on the MA programmes at the Aarhus School of Business as well as at the assistant attorney course, an obligatory course for law graduates wishing to become attorneys. jhv@kromannreumert.com www. kromannreumert.com The public sector as the driving force The public sector in Denmark has found it natural and necessary that the use of electronic should be encouraged on the initiative of the public authorities. The widespread use of electronic requires a certain volume, and also a standardization that ensures that the applied devices using PKI are compatible. In this connection, it is important to bear in mind that the public sector itself may save large sums if electronic are commonly used. This is because of the massive exchange of information between citizens and public authorities and between public authorities. Therefore, the Danish government has launched a project called OCES ( Offentlige Certifikater for Elektroniske Services, or Public Certificates for Electronic Services ). The purpose of the project is to facilitate the take-up of electronic and thereby the development of electronic public administration. The project implies the creation of a standard PKI in which the source code for the signature creation device is made public. The project also implies that all Danish citizens may obtain a free electronic signature. 4 Based on a EU supply procedure 5, the Danish Ministry of Science, Technology and Innovation has appointed TDC A/S, the largest telecommunication company in Denmark, to perform the issuing of electronic. The OCES certificate standard covers three types of certificate: The personal certificate, verifying a person s identity. The employee certificate, verifying the identity of a person and his or her status as an employee of a certain business. The business certificate, verifying that the holder of the certificate is in fact representing the business stated in the certificate. So far, the OCES certificate is only based on software. Notwithstanding that the solution basically intends to ensure the use of the certificate between citizens and public authorities and among public authorities, it can also be used in the private sector. So far, however, primarily public authorities offer to accept documents signed electronically by use of the OCES signature, including schools, colleges and universities, the tax authorities and a number of local authorities, for instance All Danish citizens may order a free electronic signature by contacting TDC A/S via the internet. In order for the signature to be issued, the citizen in question must state his or her civil registration number and e-mail address. TDC A/S then forwards a unique HTML address to be used for downloading the electronic signature by e-mail. However, the PIN code necessary for downloading the electronic signature is sent by ordinary mail to the physical address listed with the residence register of the person in question. Apart from situations where unauthorized persons order an electronic signature using another person s civil registration number, and also have access to, or is willing to force access to, the private ordinary mail of the person in question, the system is thus relatively secure. The OCES signature is approved by the Danish Data Protection Agency for use by public authorities when exchanging sensitive information with citizens. However, the system does not fulfil the requirement of personal appearance, on which the issue of qualified certificates is based (see discussion above). Therefore, it appears somewhat peculiar that the Danish Ministry of Science, Technology and Innovation has chosen an identification procedure which results in the issued certificates not meeting the requirements set out in section 13 of the Danish Act on Electronic Signatures. Otherwise, the OCES signature would meet the requirements for electronic following any future legislation in the area. However, the Ministry has probably decided to attach the ease of obtaining an electronic signature with greater value in order to facilitate the highest possible take-up of the electronic signature. The free electronic signature was made available in March 2003. However, the distribution of the electronic signature has not been a success so far. Shortly after the introduction, it was possible to complete one s tax return by the use of electronic signature. However, only 7,000 of Denmark s 3.9 million taxpayers did so. At the time of writing this article, only 145,000 Danish citizens, less than three per cent of Denmark s population, holds the free OCES signature. The reason for the low take-up is partly that many public institutions, including the taxation authorities, still offer entry of and access to information via the internet using a PIN code only, partly that less than 25 per cent of the citizens actually know that the OCES signature is free 6. As TDC will receive a bonus if it distributes the OCES signature to at least 350,000 citizens by June 2004, TDC has launched a marketing campaign, by which citizens that register for the OCES signature can participate in a competition with a trip to Disney World in Florida is the main prize. TDC also finds support in the fact that the numbers of public services available through the OCES signature is rapidly growing. Notwithstanding this development, it is considered unlikely that TDC will issue 350,000 digital in time. In contrast, the Danish banks have issued more than a quarter of a million electronic in connection with home banking, without issuing any trips to Disney World in the process. 18 DIGITAL EVIDENCE AND ELECTRONIC SIGNATURE LAW REVIEW www.deaeslr.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information