THE LEGALITY OF THE ELECTRONIC SIGNATURE IN THE EUROPEAN UNION

Transcription

1 THE LEGALITY OF THE ELECTRONIC SIGNATURE IN THE EUROPEAN UNION 1

2 INDEX Introduction Current law in Europe: the Regulation (EU) No 910/2014 (eidas) Repercussion in Europe Definitions: three types of electronic signatures Electronic signatures as legal evidence in a court. Are they admissible? The burden of proof and the evidentiary value of electronic signatures Why does the advanced electronic signature have greater evidentiary value than the simple signature? What should a company take into account in order to implement the electronic signature? Signaturit s electronic signature solution What do we offer? Advantages of the advanced electronic signature How is Signaturit different compared to other electronic signature solutions? 2

3 INTRODUCTION The digital world is instantaneous: the constant connectivity and the widespread use of smartphones has made customers, consumers, providers and even employees demand instantaneous results in every transaction with any company. difficult to justify that many companies are still requiring customers or employees to print paper documents in order to obtain the necessary signatures that express consent to any contractual relationship, be it commercial or labor. The requirement that nowadays, both internal or external transactions - such as agreements, contracts or negotiations with companies - have to be carried out fast and easily, almost immediately at anytime or place, makes it Since in Europe the first law concerning the electronic signature was approved in Directive 1999/93/CE - the following question arises: Why have companies delayed for so long adopting electronic signature technology? 3

4 There are three basic reasons that explain the slow adoption of the electronic signature from companies and European citizens: 1. The Directive 1999/93/CE was not directly applied to all member states. The interpretation that each state made of this first law complicated the adoption of a single electronic signature solution for those companies with offices, customers and consumers in more than one member state. 2. The rooted cultural perception of a greater reliability of the signature with pen on printed paper. For many people, the (falsely preconceived) notion of the unreliability of electronic technologies has been a reason not to use them. Overcoming this lack of trust has been (and remains) a difficult challenge, since it s a belief deep-seated in the mind of many potential users. 3. The perception that electronic signature systems are complicated to implement and difficult to use. This feeling is due to the fact that many companies who have developed electronic signature solutions have focused mainly on the technology, and not so much on the user experience. 4

5 However, this scene has already begun to change for several reasons: 1. Keeping paper to sign documents is contrary to the objectives of a digital transformation plan. More and more companies are aware that maintaining the use of paper to sign documents is a practice that goes against the goals of any digital transformation plan, as it only perpetuates the complexity of processes and involves a time consumption whose opportunity cost is too high in the present age -- one where the speed is key for companies to provide responses to their customers needs (which are constantly changing). 2. More and more people rely on technology to conduct electronic transactions. As generations advance, more and more people trust technology for electronic transactions, and are overcoming the old suspicions to use the Internet. Users are getting used to buying and interacting digitally or remotely with companies, and increasingly even from smartphones. 3. Safe, legal and easy-touse electronic signature solutions have been developed. Electronic signature technologies have also evolved with easy to use solutions that do not renounce to the strictest standards regarding information security and legal and regulatory compliances, including the protection of personal data. 5

6 At a legislative level, there has been a clear reaction to these changes, considering companies priorities, users mentalities and the new technological solutions available. That is the adaptation of the legal framework that regulates electronic signatures in the European Union: on July 1 in 2016 came into force the Regulation (EU) No 910/2014 of the European Parliament and of the Council of July on electronic identification and trust services for electronic transactions in the internal market, also known as eidas, which completely repealed the Directive 1999/93/CE. In this whitepaper we explain the impact that this Regulation has had in the EU and we review the different types of electronic signatures that it considers, whose implementation in each company will depend on each specific use case. 6

7 CURRENT LEGISLATION IN EUROPE: THE REGULATION (EU) No 910/2014 (eidas) REPERCUSSION IN EUROPE Overcoming the limitations of the Directive 1999/93/CE and providing a trustworthy environment for electronic transactions in the internal market have been priorities for the European Union at the time of drawing up the new Regulation (EU) No 910/2014. As it is directly applicable in each member state, this new legal framework does not leave any margin for any particular interpretation. Thus it overcomes the problem of legal fragmentation around electronic signatures caused by the previous Directive, precisely because the Directive allowed each member state to interpret it in their own way. The new Regulation has eliminated the legislative barriers (and the resulting interoperability problems) which companies that were operating at a European level had when integrating an electronic signature solution across the entire organization. This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union. Relgulation (EU) No 910/2014, (2) 7

8 Main differences between Directives and Regulations Directives Rules that member states are bound to achieve, leaving national authorities the power to choose the method. This means that each member state has to fulfill the ruling, but has the freedom to choose their own internal legislation for implementation. Therefore, no member state can avoid their obligations, but different from Regulations, the entirety of the Directive is not completely mandatory. The directives come into force when each member state (or states) is notified, and is written in their language. The most characteristic feature is that each member state can create their own internal legislation regarding the Directive s implementation that, once it goes into force, gives rights and obligations to citizens. Directives therefore lack the direct applicability that characterizes Regulations, since as expressed in the previous point, each member state needs to intervene to transform it into an internal law, while complying with the characteristics of the Directive. Therefore, in some cases it will be necessary to adopt a law and in others it could be a Decree or Ministerial Order. Regulations Regulations have a general scope, all elements are mandatory and directly applicable in each member state. Any individual can make a claim for its compliance in front of a national court of law. It is an act that, like the law, establishes a norm and imposes an obligation. New EU Regulations enter into force by their publication in an Official Journal of the European communities in the date that they determine, or by default, passing a vacatio legis of twenty days. They are directly included in the internal judicial order of each member state, meaning they do not have to be integrated into domestic law and they render any contrarian national provisions inapplicable. 8

9 Thus, with the entry into force of the eidas Regulation, all national laws that emerged to transpose the Directive 1999/93/CE have disappeared, including the Spanish law - Law 59/2003 on December 19th on the electronic signature - which was definitively repealed on October 2, On the other hand, in addition to electronic signatures, the eidas Regulation extends its scope and also establishes a common legal framework for electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication. (Article 1.c). 9

10 DEFINITIONS: THREE TYPES OF ELECTRONIC SIGNATURES In Article 3 of the Regulation (EU) No 910/2014, the following three types of electronic signatures are defined: Electronic signature. Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. Qualified electronic signature. an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. Advanced electronic signature. An electronic signature which meets the requirements set out in Article 26. Article 26 An advanced electronic signature meets the following requirements: a) it is uniquely linked to the signatory; b) it is capable of identifying the signatory; c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control, and; d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable. 10

11 ELECTRONIC SIGNATURES AS LEGAL PROOF IN COURT. ARE THEY ADMISSIBLE? Any document signed with any of the three types of electronic signature cannot be rejected as legal evidence before any European court of law. This is established in Article 25 of the eidas Regulation: Article An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. 2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature. 3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States. 11

12 THE BURDEN OF PROOF AND THE EVIDENTIARY VALUE OF ELECTRONIC SIGNATURES The three types of electronic signatures have legal value and therefore are admissible in a court of law as valid legal evidence. One of the main differences between them lies in who is responsible for the burden of proof: In contrast, in the case of the simple or advanced electronic signature, the burden of proof is reversed: in case the author of a signature is questioned, the burden of proof will rely on whoever claims the signature is authentic. The qualified electronic signature has the presumption iuris tantum in its favor, which means that the author of the signature is presumed to be proven, unless evidence is provided against by those who say the opposite. For example, in the case that supplier A and client B sign a contract with a qualified electronic signature, if B claims that his signature is invalid in order to not accept the consequences that might result due to the contract conditions, B would have to provide evidence against the validity of his/her own signature. In this case, the supplier A and the client B sign a contract with a simple or advanced electronic signature. If B claims that his/her signature is invalid, the burden will be on A to prove its authenticity. The electronic signature will only be considered invalid in case A fails to prove its authenticity. For this reason, to sign documents and contracts that involve some type of legal risk derived from a possible denial of a signature s authorship by any of the contracting parties, it is advisable to always use the advanced electronic signature due to its greater evidentiary value (or legal proof) than the simple signature. THE BURDEN OF PROOF Qualified electronic signature Simple and advanced electronic signature The authorship of a signature is assumed to be proven unless evidence is provided against by those who claim otherwise. In case the authorship of a signature is questioned, whoever maintains that it is authentic is responsible to prove its validity. 12

13 WHY DOES THE ADVANCED ELECTRONIC SIGNATURE HAVE GREATER EVIDENTIARY VALUE THAN THE SIMPLE ELECTRONIC SIGNATURE? Because by definition, an advanced electronic signature solution allows to identify the signer. Instead, a simple electronic signature solution does not provide any type of link between the signer and the signature. Therefore, in case of litigation a simple electronic signature cannot technically prove who really signed the document. In the eidas Regulation there are no mandatory prescriptions on the use of one or other type of electronic signature depending on the document to sign, or according to the business process that requires a signature. If they exist, these restrictions would be found in civil codes, commercial codes or codes that establish documentary and/or procedural standards that govern some industries or sectors. 13

14 WHAT SHOULD A COMPANY TAKE INTO ACCOUNT TO IMPLEMENT THE ELECTRONIC SIGNATURE? The use of electronic signatures is becoming more and more common, in all types of companies and for all types of documents. In the vast majority of cases, the use of one or another type of electronic signature depends mainly on each company, and to make a decision in this regard they should take into account the different use cases that exist within the company, as each one will require certain legal and security conditions ad hoc. logically related with a set of data - the terms and conditions - that is also presented in electronic format. This case has low legal risk, and that is why the simple electronic signature is sufficient, because being a transaction with little value and little risk of fraud, what is important in this case is the agility of the process. When defining the different use cases, one criteria that cannot be forgotten is if it s necessary or not for the electronically signed document to have evidentiary value and, consequently, greater legal security. For example, to accept the terms and conditions on a website, almost all companies choose to ask the customer or user to simply check a box to indicate that they agree with the terms and conditions stipulated by the company. This check is equivalent to a simple signature, because it is produced electronically and can be However, in situations with greater legal risk it s not recommended to use the simple signature, precisely for its lack of evidentiary value. This is because with the simple signature it is not possible to prove that only the signer has actually intervened in signing the document. In the majority of cases, such as the example of a loan contract, insurance policies, commercial or labor contracts, etc., it is advisable to use an advanced electronic signature, which can prove the identity of the person who made the signature. 14

15 Main objectives of a signature: Associate the signer with the signed document and prove the relationship between the signer and the content of the document signed. Serve as evidence that the signer proves and/or adopts the content of the document. Conclude that the content of the document is coercive (mandatory). Comply with a legal requirement that a document has to be signed to be valid. Demonstrate that a person was in a specific moment at a specific place. Be witness to the content of a document that affects a third party (testify). Validate the authenticity and integrity of a signed document. On the other hand, in addition to considering the need that signed documents have evidentiary value, in order to determine the type of electronic signature most suitable for each use case, companies that are considering implementing the electronic signature at a global level should also keep the following points in mind: Once the different use cases have been studied, the best thing to do is to create a global digitization plan for the signature processes that combines the three types of electronic signatures, as some are more convenient than others depending on the situation, on the legal guarantees and on the security level required. How many people are involved in each use case? What are their roles? What types of documents require signatures? What is the procedural flow? Are the necessary signatures internal or from third parties? Should your company develop your own electronic signature solution or rely on a thirdparty solution? Are the company s technologies coupled with third-party electronic signature solutions? In which departments could there be a reluctance to use new electronic tools and why? 15

16 SIGNATURIT S ELECTRONIC SIGNATURE SOLUTION WHAT DO WE OFFER? Signaturit offers an advanced electronic signature that meets all requirements established in the Regulation (EU) No 910/2014: a) it is uniquely linked to the signatory; b) it is capable of identifying the signatory; c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control, and; d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable. Biometrics In addition, our solution also incorporates biometric technology, which allows us to capture biometric data from the signer s graph: what points make up the graph and the position, speed, acceleration and pressure from the signature (this last data is only available on devices that allow it). More information Our e-signature biometric technology What impact has the new EU Data Protection Regulation had on biometric data? Electronic evidences Additionally, we also collect electronic evidences that are generated during the signing process, evidences that offer additional information regarding the context in which the signature was made. All this electronic evidence is included in what we call the audit trail, and include the following: address (both who sends the signature request and who receives it). IP address of the signer. Exact time and place that the signature was made, captured by geolocation. Name of the document to sign. Events: opening, document opening and document signature. To guarantee the integrity of all electronic evidence generated during the signing process, we use an official time stamp, which allows us to guarantee that the data contained in the audit trail, as well as the signature itself, have not been altered after the signature. We also use the official time stamp to guarantee the authenticity of a signed document, in the sense that the document the signer receives is identical to the document sent by the sender. 16

17 In the event of questioning who really signed a specific document, the biometric data that Signaturit obtains can be made available to a graphologist, and his/her findings constitute valid legal proof. That, along with the rest of electronic evidence, can be presented in front of any court, in case of litigation to prove the signer s identity. At the end of the signing process, who sent the document to sign will receive the following documents: Signed document: with the signature and biometric data from the signer embedded. Audit trail: with all of the electronic evidence obtained during the signing process, sealed with an official time stamp that guarantees its integrity. And the signer will receive a copy of the signed document in his/her inbox. Security The security of the communications between the user, Signaturit s platform and the infrastructure provider (in this case Amazon Web Services), is paramount to guarantee the confidentiality of the data circulating on the platform. Therefore in Signaturit we have implemented two important control measures: firewall access and encrypted communications. In other words, we encrypt and store data, not just the communications, but also the signed documents and audit trail, limiting the reading and signing of documents only to designated users. In case you need more information about Signaturit s security measures, please contact us: info@signaturit.com Data Protection In order to comply with the different European and Spanish laws on data protection, during the signature process the signer s consent is expressly requested to capture his/her data, personal data--name, surname, ID card, etc. -- as well as biometric data. Laws with which Signaturit s electronic signature complies: Regulation (EU) 2016/679 Directive 95/46/CE Directive 97/66/CE Law of Protection of Personal Data 15/1999 (LOPD 15/99) Royal Decree 1720/2007 (R.D. 1720/07) (Link in Spanish) More information: Essential guide to Europe s new Data Protection Regulation. Big Data: how to minimise risk in data analysis. 17

18 AUTHENTICITY A document is authentic if it can be proved (certified) that it is true or certain. INTEGRITY The data has integrity if it is intact, meaning that it has not been altered after the signature. Audit trail example 18

19 ADVANTAGES OF THE ADVANCED ELECTRONIC SIGNATURE Regarding the simple signature Regarding the qualified signature EVIDENTIARY VALUE (Legal Security) The advanced electronic signature allows to identify the signer in a unique way, meanwhile the simple signature cannot. A simple electronic signature is, for example, a checkbox or a PIN code. In these two cases there are no technical guarantees that can certify if someone else than the signer has intervened in the signing process. REMOTE SIGNING The qualified electronic signature requires a qualified device for signature creation, as stipulated in Annex II of the Regulation (EU) No 910/2014. Therefore, the main advantage of the advanced electronic signature is that it s much easier to use, since it does not depend on any specific device, nor on any personal accreditation prior to the use of the signature. 19

20 HOW IS SIGNATURIT DIFFERENT COMPARED TO OTHER ELECTRONIC SIGNATURE SOLUTIONS? 1. It s easy to use. The signing process with Signaturit is totally intuitive. Even if people who use our tool don t have any previous experience with similar platforms, the signature flow is fast and easy to complete, both for the person who prepares the document to be signed and for the person who signs it. 2. You don t have to download nor install any programs. Unlike many electronic signature solutions that exist today, with Signaturit you don t have to download nor install any programs on the computer, not any applications on the smartphone. In addition, the signer doesn t have to register in our platform in order to sign. 3. It is a mobile solution. Our electronic signature solution is multi platform, meaning that it can be used from any type of device: computer, tablet or smartphone. The signer only needs to have access to a web browser, access to a valid address and Internet connection. Mobility makes life easier not only for signers, who can sign any document or contract from anywhere from any device, but it also offers advantages for companies, that can get signatures from their users or clients also in a physical store, through the use of a tablet. 4. It allows to follow the stages and control the signature process. From Signaturit s platform you can control the entire signature process: document reception, document opening and document signature. In this way, you can easily control if the client has received and signed the document or contract, without having to invest time with the client in person nor having to follow up via phone or to assure if he/she has finally signed. 5. It easily integrates via API into any flow or process. Our solution facilitates automating processes through its integration via API, which is the ideal measure for companies that need to incorporate the signature process within their internal procedural flows -- meaning that they want to avoid having the signer leave the company s platform to sign a document or contract, or that they want to manage all client communications from one single tool. In these cases, Signaturit can integrate via API into any CRM or ERP. 20

21 6. Signatures made with Signaturit are unique. Not all electronic signature solutions provide the right guarantees that make a signature be truly personal and non transferable - meaning, impossible to copy. Our platform does not store signatures - that means we cannot do a copy-paste-- but each time a signer has to sign a document, he/she has to do it every time, without resorting to any stored files. These features guarantee a greater security. 7. And advanced. offer simple electronic signatures (such as the signature through a PIN number) that, compared to the advanced, have less judicial security due to their lesser evidentiary value. 8. It adapts to your corporate image. Our platform adapts without any problems to any corporate image, so that a company can maintain its logo and corporate colors, in order to not lose visual cohesion when transmitting the company values. The electronic signature that Signaturit offers is advanced, as it meets all the requirements from the Regulation (EU) No 910/2014. Therefore it has greater evidentiary value than simple electronic signatures, as it can prove the signer s identity. There are many solutions that 21

22 Annex I Regulation (EU) Nº 910/2014 REQUIREMENTS FOR QUALIFIED ELECTRONIC SIGNATURE CREATION DEVICES 1. Qualified electronic signature creation devices shall ensure, by appropriate technical and procedural means, that at least: a) the confidentiality of the electronic signature creation data used for electronic signature creation is reasonably assured; b) the electronic signature creation data used for electronic signature creation can practically occur only once; c) the electronic signature creation data used for electronic signature creation cannot, with reasonable assurance, be derived and the electronic signature is reliably protected against forgery using currently available technology; d) the electronic signature creation data used for electronic signature creation can be reliably protected by the legitimate signatory against use by others. 2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing. 3. Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider. 4. Without prejudice to point (d) of point 1, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes provided the following requirements are met: a) he security of the duplicated datasets must be at the same level as for the original datasets; he security of the duplicated datasets must be at the same level as for the original datasets; b) the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service. 22

23 Signaturit Signaturit facilitates closing contracts with an intuitive and legally binding esignature solution, without having to install any applications. For more info, please contact us: (ES) Follow us: