Coffee break law + tech: e-signatures & eIDAS
This is the first of our coffee break law + tech blog posts. In this blog we focus on e-signatures & the new eIDAS Regulation.
Did you know that the law around electronic signatures and seals is changing?
Take 5 minutes, grab a coffee and read this blog… by the time you’ve finished you’ll understand the new laws around electronic signatures & seals, as well as the technology that makes them possible.
What are electronic signatures and seals?
An electronic signature means data in electronic form that is attached to, or logically associated with, other data in electronic form and that is used to sign a document.
An electronic seal is a type of electronic signature for a corporate entity that enables the electronic seal to bind the entity using it.
There are three types of electronic signature and seal:
- Simple electronic signatures and seals: these include scanned signatures applied to documents using cut & paste, and tick box declarations.
- Advanced electronic signatures and seals: these allow unique identification and authentication of the signer of a document and enables verification of the integrity of the signed document. Advanced electronic signatures and seals are capable of detecting any post-signature tampering and if data changes after signature then the signature is marked as invalid. The principal technology used is a digital certificate issued by a “Certificate Authority”.
- Qualified electronic signatures and seals: these are the only types of electronic signature that are considered the legal equivalent of a handwritten signature and the only type of electronic signature (or seal) that guarantee a mutual recognition of validity across all EU Member States. The key difference between a qualified electronic signature and other forms of electronic signature is that the qualified electronic signature’s digital certificate is issued by a special type of Certificate Authority – one that meets a more stringent accreditation and supervision mechanism. Electronic seals also rely on “qualified certificates” that are issued by “trust service providers” and must be able to establish the identity of the natural person representing the legal person to whom the qualified certificate for the electronic seal is provided.
Electronic signature software, such as DocuSign, Adobe Sign and RightSignature can be deployed across organisations or business units and allow people to sign documents online without using paper. Some services also allow you to track progress of signing.
Data from e-mail addresses, IP address, time-stamped audit logs, digital signature and biometric signature data are used to create legally binding documents. Digital signatures and biometric signature data are the principle techniques used in advanced e-signatures.
As a general rule of thumb, e-signatures are legally binding under English law and in many other countries around the World. There are a very limited number of categories where they are not often permitted, such as for the transfer of land.
Why do we need a change of law? The development of frameworks and standards for electronic signatures and online authentication are important for encouraging online transactions and improving business efficiencies. The previous arrangements for electronic signatures and online authentication were problematic because various EU member states had implemented the earlier eSignature Directive (1999/93/EC) inconsistently, making it difficult for companies to confidently rely on electronic signatures. eIDAS is designed to change this.
What is eIDAS: The Electronic Identification Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market or “eIDAS” comes into force in the UK on 1 July 2016.
What does eIDAS do? It establishes a new legal framework for electronic identification, signatures and seals that includes mutual recognition across all Member States. It also provides greater legal certainty for transactions executed using digital certificates that have been issued by a Certification Authority that has been accredited and is subject to supervision by a special body in each Member State.
What about Brexit? eIDAS is an EU Regulation, which means it has direct effect in the UK and therefore the UK parliament does not need to implement any specific legislation to bring it into force. The UK voted to leave the EU in June 2016 but the process of extraction from the EU is likely to be protracted over many months. It remains to be seen how EU and UK legislation will be unpicked, however if the UK government chooses to retain efficient trading mechanisms with the EU then we would expect much of eIDAS to survive.
Tech + Law: Let’s look at the tech alongside the law…
The two main underlying techniques used in advanced electronic signatures are digital signatures and biometric measurements.
The digital signature entails key generation, signing and verification algorithms.
This technique is in the format of Public Key Infrastructure (PKI), which basically generates a pair of keys: a private key that is only in possession of the signer, and a public key, which is openly available and used by those who need to validate the e-signature. In addition, the keys are checked by the Certificate Authority (CA) and other policies.
On top of the digital signature, the documents contain a biometric measurement in the form of a cryptographic hash code, i.e. an invertible fixed size bit string that is created using a mathematical algorithm.
Together, these methods create encrypted data that is the digital signature. The signature also includes a time stamp and so changing the document after signing makes the digital signature invalid.
The new Electronic Identification Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (referred to as “eIDAS”) is directly applicable in Member States and so has direct effect in the UK. The majority of its provisions come into force on 1 July 2016.
Article 25 of eIDAS maintains the fundamental rule that electronic signatures and verification services shall not be denied legal effect and admissibility as evidence in legal proceedings based solely on the fact that they are in electronic form. This rule applies to electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication.
eIDAS defines Trust Services as those service companies that provide electronic signatures, seals and time stamps. It differentiates between non-qualified and qualified Trust Services, the latter having supervision mechanisms, the purpose of which is to increase confidence in digital transactions.
Take home thought: The efficiency savings and cost benefits of using electronic signatures can be huge. Getting a document signed is a key milestone within the lifecycle of a contract. In many organisations there are a large number of manual processes that can be eliminated by implementing electronic signatures. It is hoped that the new law will improve legal consistency across the EU, as well as bolstering confidence in and the uptake of electronic signatures. If your organisation has had concerns about operating a single electronic signature solution across different countries and as a result has not rolled out e-sign technology or implemented an electronic signature policy, then eIDAS could help to change this.
About us: At Wavelength we are focused on dramatically improving the delivery of commercial law using the powerful combination of technologists and lawyers.
- Regulation (EU) N°910/2014 (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG)
- The Department for Business, Innovation and Skills (BIS) guidance on electronic signatures:(https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/356786/bis-14-1072-electronic-signatures-guide.pdf)
- Short film about public key infrastructure (https://www.youtube.com/watch?v=i-rtxrEz_E8)
- Wiki digital signature (https://en.wikipedia.org/wiki/Digital_signature)
- Wiki hash code (https://en.wikipedia.org/wiki/Cryptographic_hash_function)
- EU guidance(https://ec.europa.eu/digital-single-market/trust-services-and-eid)
- The eSignature services hub (https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eSignature+Services)