Using electronic signatures
The coming into force of the new E-Signatures Regulation
21 September 2016
Digitalisation demands new laws. The EU regulation on electronic identification and trust services came into effect on 1 July 2016 and now applies in all 28 EU Member States. The Regulation marks another step towards consolidating a digital single market and removing obstacles to the seamless provision of goods and services across the EU.
- The regulation sets out an EU-wide framework for electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. Trust services provide a key enabler for digital businesses and consumers within the EU.
- All forms of electronic signature will now be admissible in any EU Member State court for evidential purposes.
- Certain types of electronic signatures will have the same legal effect as if the documents were signed by hand.
What is a trust service?
Businesses and consumers require trustworthy methods of doing business online. Trust services seek to mitigate risk for businesses and consumers (e.g. cyber-crime, loss of privacy and fraud). The uses of trust services are broad (e.g. trust services may be used to authenticate mobile payments, sign invoices or implement content control for online media services, gambling or gaming).
The Regulation (Regulation (EU) No 910/2014) brings into force a number of key changes to the use of trust services across the EU. In particular:
The prior e-Signatures Directive has been repealed. Member States will now look to the harmonised legislative framework under the Regulation for matters concerning electronic identification and trust services.
Member States are required to designate a supervisory body to monitor trust service providers (broadly, individuals / companies that provide trust services - usually for remuneration). For example, the Information Commissioner supervises UK-based trust services providers.
Each Member State must publish a list of qualified trust service providers, including the trust services the trust service provider is authorised to undertake. A trust service provider will only be "qualified" if they are included on a Trusted List. The UK's Trusted List is available here.
What is an e-signature / e-seal?
Electronic signatures and electronic seals provide a robust method to reassure parties to a transaction that the integrity of document they have signed is intact. The Regulation sets out three types of electronic signature: simple, advanced and qualified.
A simple e-signature is an electronic signature that includes "any data" in electronic form that is attached to a document / can be logically associated with a document and is used by an individual to "sign" the document. A simple electronic signature may involve copying and pasting a .jpeg image or scanned pdf copy of a "wet ink" signature into an electronic version of a document or clicking an "Accept" button on a website (e.g. to consent to a retailer's terms and conditions prior to completing a purchase).
An advanced e-signature is, technologically, more sophisticated than a "simple" signature. Broadly, an advanced signature must identify (and be uniquely linked to) the signatory - e.g. by including the signatory's email and IP address. It should be tamper-proof and be created using data that only the signatory can control (e.g. by using a private encryption key or digital account which only the signatory can access / unlock).
Qualified e-signatures are the most regulated (and therefore technologically secure) type of electronic signature under the Regulation. A qualified e-signature must satisfy each requirement of an advanced e-signature and also be supported by a formal certificate issued by a trust service provider who appears on a Trusted List.
Under the Regulation, an electronic signature can only be used by a individual (i.e. not a company). An e-seal will not function as a "signature" of the company using the e-seal.
What is the legal effect of electronic signatures?
- Qualified e-signatures now have the equivalent legal effect to a handwritten signature across EU Member States;
- Advanced and simple e-signatures and e-seals cannot be denied legal effect / admissibility as evidence in legal proceedings solely because they are electronic;
- The Regulation does not, however, state that an advanced or simple e-signature will have the same legal effect as a handwritten signature in each Member State. This is a matter for national courts to determine.
Qualified e-signatures are less common in the UK. However, businesses and consumers are likely increasingly to consider qualified e-signatures as an option for securing digital transactions. Advanced e-signatures will, however, likely be the most common type of electronic signature in the short to mid-term digital environment.
Under English law, in the absence of any (generally statutory) requirement (i) an electronic signature may be used to enter into a contract; and (ii) there is no need for a contract to be in any particular form. As such an advanced (or even simple) e-signature can be used to sign contracts. Some English law documents have more formal requirements that may make electronic signature inappropriate. Legal advice should be sought when considering whether to sign documentation using e-signatures.
Opportunities and concerns for businesses
The Regulation states that building trust in the online environment is key to economic and social development and offers a number of opportunities for both businesses and consumers. Certain risks should also be considered:
Efficiency vs. risk
The creation, transfer and authentication of e-signatures can be significantly quicker than a physical signature. As such, there are circumstances where an e-signature may be appropriate (e.g. high-volume transactions, where signature by an individual may be unduly time-consuming or costly). However, high-value transactions may incur additional risks for businesses and/or consumers. A handwritten signature may be more appropriate, or, indeed, legally required in this case (e.g. for a governmental filing).
Cyber security / data protection
Cyber security and data protection concerns are increasingly board level issues. Trust services offer opportunities to mitigate against these cyber risks. Businesses and consumers may consider that electronic documents secured by data encryption solutions and/or e-seals better preserve the integrity of a document. Digital trust services also create additional risks (e.g. fraud and data loss). Businesses and consumers should therefore ensure that their legal relationships with trust service providers appropriately allocate legal and business risks and responsibilities.
Digital transactions are increasingly cross-border. Digital trust services may offer many benefits for businesses, including: efficiency gains, cost savings and convenience. Businesses may also consider embedding trust services into their online infrastructure (e.g. mobile apps and business interfaces). Implementing these digital transformations may serve to enhance the overall consumer experience, whilst also improving the security of electronic transactions.