June 30, 2016
e-Signature, eIDAS Regulation 910/2014 & Brexit
EU Regulation 910/2014 comes into force in the EU from this Friday 1st July. Also known as ‘eIDAS’, this Regulation legislates on e-signatures and identity services across the EU. Legalesign is compliant and classed as an ‘advanced e-signature’ under this Regulation.
You can find the full text here: [EU Regulation 910/2014]
The relevant test for Legalesign is Article 26, which is worth reproducing in full:
An advanced electronic signature shall meet the following requirements:
1. It is uniquely linked to the signatory;
2. It is capable of identifying the signatory;
3. It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
4. It is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
Legalesign meets this by uniquely linking to a signatory via email and a one-use link, and optionally a secret code if you use that function (1). The email also serves to uniquely identify the signatory, in addition to the signature itself (2). The document and its signing process are accessible only to the signer and no one else (3), and the final PDF, with a full audit log, is Certified (with long-term validation), a certification that will break if there is any change in the data it contains (4).
The future 1: Understanding the past and current EU e-signature law
The EU has pushed forward two major pieces of legislation in connection with e-signature, EU Directive 2000/31/EC and the imminent ‘eIDAS’ Regulation.
The first legislation was a ‘Directive’ and therefore had to be written into each country’s own law. In the UK this led to the Electronic Communications Act 2000.
This Act affirmed the status of e-signature as a valid means of contract formation. The Directive not only affirmed the status of e-signature, it also set up a model for an additional type of e-signature called a ‘certified’ e-signature. This was not widely adopted, most likely because more effort was required by signers to comply than to sign by pen in the traditional way.
This Friday’s legislation is a ‘Regulation’, known as the ‘eIDAS’ Regulation. Importantly, as a ‘Regulation’ it applies immediately across Europe with no need for national legislative approval. This matters because it comes into force post-Brexit and has no national legislative approval, raising a degree of uncertainty over whether it will continue to apply in the UK.
The eIDAS Regulation affirms the status of advanced e-signatures. It goes on to add a new category of e-signature it calls ‘qualified’, taking over from the previous ‘certified’ e-signatures. ‘Qualified’ e-signature arises out of a cross-national model for identity and trust services defined at length in the Regulation.
eIDAS does promise to improve the efficiency of cross-border transactions, but its extensive rule-oriented approach, and its insistence on structuring a system out of a set of legal rules, run the risk of meeting the same fate as its Directive forebear: creating excessive red tape that makes it less useful than substitutes, leading to rejection by the market.
The future 2: What legislation applies in the UK post-Brexit?
While there is some uncertainty over what policies will arise from Brexit, the outcome we can be most sure about is that EU courts will no longer have jurisdiction in the UK. The question then follows: what laws will apply?
While all laws will apply until such time as the UK actually exits the EU, the main question mark at that point hangs over the new eIDAS Regulation. The previous Directive was written into UK law as the Electronic Communications Act 2000 (ECA) and should therefore apply in any case. That is most likely to be the fallback position should eIDAS be struck down in the UK.
For e-signatures the potential loss of eIDAS will affect those ‘qualified’ e-signatures that are given legal force by the eIDAS Regulation alone. Trust services that are setting themselves up to comply with the EU regulations may also need to re-configure themselves.
Legalesign uses advanced e-signatures rather than ‘qualified’ ones. These are given legal force by eIDAS but, in the absence of that, by the Electronic Communications Act 2000 (ECA).
In case there is doubt over that Act too, Legalesign is compliant not only under eIDAS and the ECA, but also under the common law principles governing formation of contract in England & Wales, and under Scots law too.