Italy: Digital Signature in European Law

Last Updated: 4 June 2006
Article by Marco Pistis

Originally published on Mondaq, October 2003

ABSTRACT

1. Basic concepts

2. Background and history of the European Directive on electronic signatures

2.1 European Background previous to the Directive

2.2 The first steps

2.3 The draft directive and its negotiation

3. Purposes of the Directive

4. Electronic signatures and signatories

4.1 Electronic signatures and advanced electronic signatures

4.2 The Signatory

5. Certificates and certification-service-providers

5.1 Certificates and qualified certificates

5.2 Certification service providers

5.3 Certification services and free circulation

5.4 The concept of no prior authorization

5.5 The concept of voluntary accreditation schemes

5.6 Supervision

5.7 Electronic signature products

5.8 Liability of issuers of qualified certificates

5.9 International circulation of certificates and certificates services

5.10 Data protection

6. Legal status of electronic signatures

7. Final provisions

8. Conclusions

BIBLIOGRAPHY

ABSTRACT

This work is an attempt to explicate the European Union legislation on electronic signatures, its history and development. After a brief introduction to the concept of cryptography with reference to electronic signatures and its technical progress, the writing examines the provisions of European Union law on the definition of the different kinds of electronic signatures, on certificates and certification service providers, on the legal status of electronic signatures, on their international value, their implementation in different Member States, their effects within the Union and the possible future scenario. The conclusions are concerned with the fact that the legislation on this topic was brought out too early, and in particular before the actual start of day-to-day practical usage of these tools.

1. Basic concepts

It is universally recognised that a "signature" is the signatory's name, written in the writer's own hand on a paper document, the so-called "manuscript signature". In spite of the generally held view to the contrary, most of the time signatures are not strictly necessary for a contract to be legally binding. However, parties often prefer to sign their legal documents, even where it is not strictly required, and this particular tendency may cause some problems where the parties correspond via the Internet. Digital communications technology is not compatible with the manuscript signature, and this is the reason why different methods of signature have recently been developed.

Basically two different methods have been developed:

  • a scanned image of a traditional manuscript signature which can be incorporated into a word processing file sent as an email attachment;
  • the use of a mathematical process to sign an electronic document (a set of numbers which represents text, pictures or any other information).

Essentially the concept of "electronic signature"[1] refers to the second method described above.

There are many differences between the traditional approach to a manuscript signature to a paper document and the practical implications of "signing" an electronic document.

The American Bar Association, for instance, developed a model of contract where a party must accept the signature method[2]. However there are many reasons why electronic signatures cannot simply be left to the contractual autonomy of the parties: first of all, even where there is the possibility of the creation of an estoppel, the estoppel will not bind a third party, who will be able to rely on the fact of signature as a defence and, thus, will not be able to bring his own action on the basis of the estoppel. Furthermore such an action would be unsuccessful if the result would be to affirm the validity of a transaction which is void for lack of formalities[3]. Moreover there are consumer law implications; where one of the parties to the contract is a consumer this itself may invalidate the contract; in fact, under European Law, a term "excluding or hindering the consumer’s right to take legal action or exercise any other legal remedy…" can be considered as potentially unfair[4] and, in consequence of this, cannot bind the consumer.

Manuscript signatures are accepted as legally effective everywhere. However where a question about the legal requirements of a signature arises, other methods of signing a document have been considered legally valid. The requirements may be summarised as follows:

  • the signature must provide evidence of the identity of the signatory;
  • the signature must provide evidence that the signatory identifies the "sign" as his signature;
  • the signature must provide evidence that the signatory agrees with the contents of the document that he signed.

Where the relevant law of a particular jurisdiction classifies the evidential functions that a particular signature must achieve, an "electronic document may be signed by the use of a mathematical function based on the document’s data content"[5].

The definition of electronic signature derives from these requirements: an electronic signature is produced by performing a mathematical function on the document and must authenticate the identity of the sender of a message or the signer of a document and ensure that the original content of the message or document that has been sent is unchanged. Modification of the document must be achievable only by its creator, and any attempt to change the content of the document must invalidate the signature[6].

The scope of the electronic signature is accomplished through the use of encryption technology[7], which permits the creation of an algorithm[8] with two different inputs: the document, represented by a series of numbers, and the "key", also represented by a number; the result of combining both is the so-called "ciphertext"[9]. In consequence of this, the scope of encryption technology could be defined as follows: transforming the message into a "ciphertext" such that no one but the sender and the receiver can determine the message sent. The legitimate receiver possesses a secret decryption key that allows him to reverse the encryption.

2. Background and history of the European Directive on electronic signatures

2.1 European background previous to the Directive

Before 1996[10] the concept of cryptography was often associated with state security and national defence and every attempt to create a European policy on this interesting subject collapsed at a very early stage. However, as a result of the future needs of the commercial community, on 21 November 1996, the Council of Ministers requested the Member States and the European Commission "to prepare consistent measures to ensure the integrity and authenticity of electronically transmitted documents"[11].

Almost at the same time some of the EU Member States approved national laws in order to regulate digital signatures.

On 15 March 1997 an Italian law[12] established the principle of the recognition of validity for all legal purposes of instruments, data, documents and contracts using computers or telecommunications. On 10 November 1997 a new decree[13] followed the indications of the recent law, stating that a digital signature would not be legally valid unless an officially accredited Certification Authority had certified the public key[14]. No space was left for the use of any other kind of electronic signature[15].

On 22 July 1997 the German Bundestag approved the so-called Signaturgesetz[16], the purpose of which was to create a legislative background to this topic and to create an administrative framework to facilitate the use of digital signatures in a secure manner. Under the 1997 German law a digital signature was always a signature generated by the use of an asymmetric technique of cryptography with a certificated public key.

2.2 The first steps

The possible implications for the internal market of the German and Italian national laws started to worry the European Commission, so that on 8 October 1997 it adopted the communication "Ensuring security and trust in electronic communications: Towards a European framework for digital signatures and encryption"[17]. The Commission stated that a European framework between Member States in relation to digital signatures and encryption techniques was urgently needed in order to facilitate electronic commerce. The intention of the Commission was to present a study upon which a Directive on this subject could be based, with the following objectives: to establish common requirements for Certification Authorities, to improve the legal recognition between Member States of digital signatures, and to facilitate the development of this fundamental instrument considered crucial for on-line communications. The Commission also highlighted the need for flexibility in this field in order to react to new technical progress. It was considered fundamental that the principle of freedom of contract remain untouched and that regulated and unregulated digital signatures should interoperate and coexist.

2.3 The draft Directive and its negotiation

In consequence of the appreciation for the work of the Commission expressed in the meeting of the Council of Telecommunications Ministers of 1 December 1997, the European Commission started work on a draft for the directive; an expert hearing was organized in Copenhagen on 23-24 April 1998 and the main elements of the draft directive were prepared. Basically the aims of the proposed directive can be summarized as follows:

  • Electronic signatures would not be discriminated against, as regards legal recognition, in relation to hand-written signatures.
  • The proposal would help to guarantee a technology-neutral framework: as long as a signature met the requirements, its legal recognition would be assured regardless of the technology used.
  • Basic requirements of certificates and certification services would be essentially defined by the proposal so as to guarantee a minimum standard of security and to create some consistency throughout the European Union.
  • Certification services would be offered without any prior authorization. Member States would be welcome to determine their own requirements for accreditation. Certification service providers, in order to obtain a special status, would have to fulfil certain essential requirements.
  • Service providers would be subjected to minimum liability with particular reference to the validity of a certificate’s content.
  • In order to assist the development of electronic commerce at an international level, the proposal would create instruments to facilitate cooperation between Member States and third countries, such as the mutual recognition of different certificates on the basis of multiparty agreements.

The negotiation procedure failed[18] at its first attempt to achieve an agreement during the Telecommunication Council of 27 November 1998 because of different ideas as to the level of security that the directive should provide. Some wished to follow the German approach and require a high level of security, while others were more in favour of a lower level of security for fear of creating obstacles to the use of electronic signatures. The divergence was basically due to a misunderstanding of the concepts of legal rules and standards and to an incomprehension of the basic principles of the German concepts explained in the Signaturgesetz[19].

In order to resolve the disagreement and to achieve a compromise, a distinction was introduced between obligatory requirements (for qualified certificates, for certification service providers issuing qualified certificates and for secure signature-creation devices) and mere recommendations (for secure signature verification).

The European Directive on a Community framework for electronic signatures was signed on 13 December 1999 and published in the Official Journal of 19 January 2000 (hereinafter called Directive).

3. Purposes of the Directive

Article 1 of the Directive states that its scope is "to facilitate the use of electronic signatures and to contribute to their legal recognition". And it follows that the Directive "establishes a legal framework for electronic signatures and certain certification-services in order to ensure the proper functioning of the internal market".

The indication of the purpose of the Directive contained in Article 1 is expressed in a prudent way so as to imply that it is not a complete and exhaustive regulation of electronic signatures but it is simply a tool to "facilitate" their use. Secondly the Directive, instead of covering the problem of the legal recognition of an electronic signature, is intended only to "contribute" to the resolution of the problem.

The establishment of a legal framework is instead a reaction against the national legislative approach to this problem of Germany and Italy in order to create a consistent set of rules in this area.

Thus Article 1 specifies what the Directive is not concerned with: "It does not cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Community law nor does it affect rules and limits, contained in national or Community law, governing the use of documents".

The first part of Article 1 states that the Directive does not affect the choice of national and Community law to impose the use of particular forms for the conclusion and validity of a contract, excluding digital signatures. With regard to this particular point Recital 17 of the Directive states: "This Directive does not seek to harmonise national rules concerning contract law, particularly the formation and performance of contracts, or other formalities of a non-contractual nature concerning the legal effect of electronic signatures should be without prejudice to requirements regarding form laid down in national law with regard to the conclusion of contracts or the rules determining where a contract is concluded". The scope of the Directive is to create a legal framework as to where and when the electronic signature will be used, not to impose the use of electronic signatures for specific kinds of contracts. Consequently, if there is a provision requiring the use of paper for some kinds of contracts, the Directive will not affect that rule.

The second part of the article concerns the use of documents and states that the Directive does not affect the national or Community law governing such matters: many Member States regulate the use of appropriate forms of documents in order to give some legal effects to a particular act, and in these cases the use of electronic signatures is not permitted[20].

In order to guarantee a technology-neutral framework[21] and following the aim of the Commission,[22] Recital 16 of the Directive points out: "a regulatory framework is not needed for electronic signatures exclusively used within systems, which are based on voluntary agreements under private law between a specified number of participants; the freedom of parties to agree among themselves the terms and conditions under which they accept electronically signed data should be respected to the extent allowed by national law". But then Recital 16 goes even further: "the legal effectiveness of electronic signatures used in such systems and their admissibility as evidence in legal proceedings should be recognised". The fact is that electronic signatures are open to applications in closed environments such as banks[23], large corporate networks and even public organizations, and it is not the aim of the Directive to constrain the principle of freedom of contract.

4. Electronic signatures and signatories

4.1 Electronic signatures and advanced electronic signatures

This approach has been clearly followed in the Directive with a wide definition of electronic signature. Article 2 states that, for the purpose of the Directive, "’electronic signature’ means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication". This again follows the aim of the Directive, which is to help the creation of a common framework and not to impose technological standards. In fact, tautologically, Recital 8 suggests: "Rapid technological development and the global character of the Internet necessitate an approach which is open to various technologies and services capable of authenticating data electronically". However, these impressive words are of no consequence under this directive because, except for Article 5.2, all the articles of the Directive deal with the concept of "advanced electronic signatures". Under Article 1.2 of the Directive: "’advanced electronic signature’ means an electronic signature" that is exclusively linked to the signatory, capable of identifying the signatory, created using means that the signatory can maintain under his sole control, and linked to the data to which it refers in such a manner that any subsequent change of the data is detectable.

In spite of the fact that Article 1.2 has been drafted in a broad and technological-neutral manner, the only system of cryptography that meets all these requirements is the one based on the use of public key.

The electronic signature basically utilizes two different types of encryption: the Symmetric Cryptosystem, which is a method of encryption in which the same key is used for both encryption and decryption of the data, and the Asymmetric Cryptosystem, which is a method of encryption in which two different keys are used: one for encrypting and one for decrypting the data[24]. The Public Key encryption system refers to the latter method. In cryptography, a public key is a value provided by some designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures.

However, none of the methods of cryptography described above can by itself be considered sufficient evidence to prove the identity of the signatory. Of course many other means of proof are welcome in order to prove who signed the message, and this is the reason why the electronic signature in most jurisdictions is more likely to be associated with an ID Certificate issued by a Certification Authority[25].

As previously noted, even if the European Directive deals with electronic signatures in the broadest sense of the term, it is undeniable that the majority of the provisions relate to those types of e-signatures based on the public key technique of cryptography, generally known as "digital signatures". Public key cryptography supposes the creation of two complementary keys: a public key and a private key. Each key can decode information which was encoded with the other key of the same pair. If one knows the public key, one cannot determine the private key. Your public key may be widely spread online and this does not affect security. Such a system permits privacy without a secure channel, which is essential with conventional private key cryptography. Anyone can use the public key of the recipient to encrypt a message for him. The recipient then deciphers the message with the help of the private key. Nobody but the recipient can decipher the message, because nobody else has access to the private key. Even the person who encrypted the mail with the public key cannot decipher it. The use of this particular technique of encryption prevents the signatory from later denying the signed document, and the integrity of the document can be verified even after the expiration of the supporting certificate[26].
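The behaviour described in section 1 (a signature computed as a mathematical function of the document, invalidated by any change to it) and in this section (a key pair of which the public half may be published) can be seen concretely in the following added example. It is not code from the article or from the Directive; it uses the Ed25519 signature scheme from Go's standard library, which is this example's own choice, and a constructed contract text. One detail the code makes visible: in Ed25519, as in the other public-key schemes in practical use, the public key is computed from the private key, and the reverse computation is infeasible, which is what makes publishing the public key safe.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument couples the exact bytes that were signed with the signature
// the signatory's private key produced over them.
type SignedDocument struct {
	Content   []byte
	Signature []byte
}

// NewSignatoryKeys generates a fresh key pair. The private key is the
// signature-creation data the signatory keeps under sole control; the public
// key is the signature-verification data a certificate would later bind to
// the signatory's name.
func NewSignatoryKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// PublicKeyOf derives the public key from the private key. The derivation
// only runs in this direction; the private key cannot be recovered from the
// public key, so the public key may be distributed freely.
func PublicKeyOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// Sign computes the signature as a function of the document's data content
// and the private key.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{Content: content, Signature: ed25519.Sign(priv, content)}
}

// Verify returns true only if the signature was produced by the private key
// matching pub over exactly these bytes; altered content or a different key
// makes it return false.
func Verify(pub ed25519.PublicKey, doc SignedDocument) bool {
	return ed25519.Verify(pub, doc.Content, doc.Signature)
}

// Tamper returns a copy of the document with altered content but the original
// signature left attached, which is the case a relying party must detect.
func Tamper(doc SignedDocument, altered []byte) SignedDocument {
	return SignedDocument{Content: altered, Signature: doc.Signature}
}

func main() {
	pub, priv, err := NewSignatoryKeys()
	if err != nil {
		panic(err)
	}
	fmt.Println("public key derived from private key:", bytes.Equal(PublicKeyOf(priv), pub))
	// Constructed sample contract text, not taken from any real document.
	doc := Sign(priv, []byte("I agree to pay EUR 1,000 on 31 October 2003."))
	fmt.Println("genuine document verifies:", Verify(pub, doc))
	forged := Tamper(doc, []byte("I agree to pay EUR 10,000 on 31 October 2003."))
	fmt.Println("altered document verifies:", Verify(pub, forged))
	strangerPub, _, _ := NewSignatoryKeys()
	fmt.Println("verifies under another person's key:", Verify(strangerPub, doc))
}
```

Run with `go run`: the genuine document verifies, while the altered document and the check under a stranger's key both fail, which is the "any attempt to change the content must invalidate the signature" property in action. Note that verification only ties the signature to a key, not to a person; binding the key to a name is the job of the certificate discussed in the next sections.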

4.2 The signatory

But who is the signatory? Following Article 2.3 of the Directive "’signatory’ means a person who holds a signature creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents". It was argued that the Directive should reflect that a signatory could be only a natural person but this approach has not been followed; the reason being that in some countries the definition of signature is wide: in the United Kingdom, for example, a document can be considered signed even if it contains just a company’s stamp, a seal or even a name if the authentication is adequately clear.

It is very important to point out that the signatory is the person who holds the signature-creation device, which can be a smart card, a smart pen, a mobile phone, a PDA or a computer hard disk. Signature-creation devices and signature-verification devices, the tools used to verify an electronic signature, are defined as "electronic signature products" in Article 2.12.

5. Certificates and certification-service-providers

5.1 Certificates and qualified certificates

As already seen, the proof of the identity of the signatory is assured by the presence of certificates and certification services. Article 2.9 defines a "certificate" as "an electronic attestation which links signature-verification data to a person and confirms the identity of that person". Article 2.11 of the Directive then offers a wide definition of "certification-service-provider", that is "an entity or a legal or a natural person who issues certificates or provides other services related to electronic signatures". The justification for such an approach can be found in Recital 9 of the Directive which states: "Electronic signatures will be used in a large variety of circumstances and applications, resulting in a wide range of new services and products related to or using electronic signatures; the definition of such products and services should not be limited to the issuance and management of certificates, but should also encompass any other service and product using, or ancillary to, electronic signatures, such as registration services, time-stamping services, directory services, computing services or consultancy services related to electronic signatures".

Following the idea of the Directive to create a legal framework but also to offer a double degree of legal effect to the different kind of signatures Article 2.10 defines a qualified certificate as "certificate which meets the requirements laid down in Annex I and is provided by a certification-service-provider who fulfils the requirements laid down in Annex II".

The idea of the certificates is to provide evidence from an independent third party that the person named in the certificate did in fact have access to the personal signature creation device, so long as the public key included in the certificate validates the signature[27]. In this respect electronic signatures will not only be able to play a part in the formation of contracts or any other kind of transactions (fund transfers, tax returns, etc.) but they may also be used for identification purposes for Government agencies or when the user is requesting information which should not be given to third parties[28].

The ID Certificate may contain a wide range of information with reference to its use or destination. However, where a certificate is to be used to accompany an electronic signature there are some minimum requirements that must be fulfilled. Annex I of the Directive states that: "Qualified certificates must contain:

  1. an indication that the certificate is issued as a qualified certificate;
  2. the identification of the certification-service-provider and the State in which it is established;
  3. the name of the signatory or a pseudonym, which shall be identified as such;
  4. provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
  5. signature-verification data which corresponds to signature-creation data under the control of the signatory;
  6. an indication of the beginning and end of the period of validity of the certificate;
  7. the identity code of the certificate;
  8. the advanced electronic signature of the certification-service-provider issuing it;
  9. limitations on the scope of use of the certificate, if applicable; and
  10. limits on the value of transactions for which the certificate can be used, if applicable".

5.2 Certification service providers

In spite of the broad and general definition of certification-service-provider with reference to Article 2.11 but in accordance with the aim of the Directive to create a legal framework and to offer a double degree of validity for electronic signatures, Annex II sets up a large number of requirements for certification-service-providers who want to issue qualified certificates, who "must:

  1. demonstrate the reliability necessary for providing certification services;
  2. ensure the operation of a prompt and secure directory and a secure and immediate revocation service;
  3. ensure that the date and time when a certificate is issued or revoked can be determined precisely;
  4. verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued;
  5. employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature technology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards;
  6. use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them;
  7. take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data;
  8. maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;
  9. record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purposes of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically;
  10. not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services;
  11. before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in readily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the certificate;
  12. use trustworthy systems to store certificates in a verifiable form so that:

  • only authorized persons can make entries and changes,
  • information can be checked for authenticity,
  • certificates are publicly available for retrieval in only those cases for which the certificate-holder's consent has been obtained, and
  • any technical changes compromising these security requirements are apparent to the operator".
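Most of the Annex I content of a qualified certificate (issuer and its State, signatory name, signature-verification data, validity period, identity code, the issuer's own signature, limits on use) and two of the Annex II duties (a prompt revocation service, and precisely determinable issue and revocation times) map onto the fields of an ordinary X.509 certificate. The following added example is not code from the article, the Directive or any real certification-service-provider: it builds a hypothetical issuer and a signatory certificate with Go's standard crypto/x509 package and then performs the checks a relying party makes, namely chaining to the trusted issuer, checking the validity period and consulting a revocation list. The issuer name, signatory name, serial number, dates and the in-memory revocation map are all constructed for the example; a real provider would publish revocations through a directory or revocation service, and would carry the "qualified" indication, pseudonym marking, attributes and transaction limits in additional certificate extensions this example does not include.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer models a certification-service-provider: the signing key it keeps
// under its own control and the self-signed certificate relying parties trust.
type Issuer struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// NewIssuer creates a hypothetical issuer established in the given State,
// with a ten-year self-signed certificate restricted to signing certificates.
func NewIssuer(name, country string, now time.Time) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name, Country: []string{country}},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, key: priv}, nil
}

// IssueSignatureCertificate binds the signatory's public key (the
// signature-verification data) to the signatory's name for a validity period,
// gives the certificate a unique serial number (its identity code), restricts
// it to digital-signature use and signs it with the issuer's own key.
func (i *Issuer) IssueSignatureCertificate(signatory string, signatoryPub ed25519.PublicKey,
	serial int64, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: signatory},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.Cert, signatoryPub, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCertificate performs the checks a relying party makes at time at:
// the certificate must not be on the issuer's revocation list, must chain to
// the trusted issuer certificate and must be inside its validity period.
func VerifyCertificate(cert, issuer *x509.Certificate, revoked map[string]bool, at time.Time) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate has been revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	issued := time.Date(2003, time.October, 1, 0, 0, 0, 0, time.UTC) // constructed date
	csp, err := NewIssuer("Example CSP (hypothetical)", "IT", issued)
	if err != nil {
		panic(err)
	}
	signatoryPub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert, err := csp.IssueSignatureCertificate("Constructed Signatory Name", signatoryPub, 4711, issued, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer and State:", cert.Issuer.CommonName, cert.Issuer.Country)
	fmt.Println("signatory:", cert.Subject.CommonName, " identity code:", cert.SerialNumber)
	fmt.Println("valid from", cert.NotBefore.Format(time.RFC3339), "to", cert.NotAfter.Format(time.RFC3339))
	fmt.Println("issuer signature algorithm:", cert.SignatureAlgorithm)
	revoked := map[string]bool{}
	fmt.Println("during validity:", VerifyCertificate(cert, csp.Cert, revoked, issued.AddDate(0, 6, 0)))
	fmt.Println("after expiry:", VerifyCertificate(cert, csp.Cert, revoked, issued.AddDate(2, 0, 0)))
	revoked[cert.SerialNumber.String()] = true // the issuer's revocation service marks the serial
	fmt.Println("after revocation:", VerifyCertificate(cert, csp.Cert, revoked, issued.AddDate(0, 6, 0)))
}
```

The first verification passes; the one two years later fails with an expiry error, and the one after the serial number is added to the revocation list fails before any cryptographic check runs. The relying party trusts nothing in the certificate until the issuer's signature over it has been verified against a root it already holds, which is why the Directive's requirements fall so heavily on the issuer rather than on the signatory.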

As one will note, there are a variety of requirements for certification service providers who want to issue qualified certificates, and this is considered the precise aim of the Directive. Thus Recital 12 states that a Certification Authority must be established in accordance with the Member State’s national law.

5.3 Certification services and free circulation

The creation of a certification system is fundamental for the Directive in order to create a double level of security for different transactions and in order both to create a legal framework and to start to give some practical indication of the best way to guarantee secure transactions.

Probably the most important provision of the Directive concerning the role of certification services throughout the European Union is Article 4.1: "Each Member State shall apply the national provisions which it adopts pursuant to this Directive to certification-service-providers established on its territory and to the services which they provide. Member States may not restrict the provision of certification-services originating in another Member State in the fields covered by this Directive".

The concept of freedom of establishment in the European Union arises from Article 43 of the European Community Treaty, which prohibits restrictions on the freedom of establishment throughout the Union, and Article 49, which prohibits restrictions on the freedom to provide services. The concept of freedom of establishment has been taken into consideration many times by the European Commission and the European Court of Justice. The European Commission decided to refer Italy to the Court regarding obstacles encountered by lawyers from other Member States who wish to provide services in Italy. Italian legislation[29] prohibits a lawyer from another Member State who is providing a service in Italy from opening chambers there; this prohibition constitutes, in the Commission's view, an infringement of the Treaty provisions on the free movement of services (Article 49 of the European Community Treaty). The Commission's standpoint was confirmed by the Court of Justice in its ruling of 30 November 1995 in the Gebhard case[30], which recognised that a provider of services may equip himself with some form of infrastructure (office, chambers or consulting rooms). The Court on that occasion stated that "the concept of establishment within the meaning of the Treaty is a very broad one, allowing a Community national to participate, on a stable and continuous basis, in the economic life of a Member State other than his state of origin and to profit therefrom, so contributing to economic and social interpenetration within the Community in the sphere of activities as self-employed persons"[31].

The essential requirements for establishment have been set out in different cases as follows: (i) a stable and permanent organization[32], (ii) for an indefinite period of time, (iii) in a Member State other than the state of origin, and (iv) the real pursuit of an economic activity[33].

There is inevitably a contrast between the concept of establishment and the terms of Article 49 of the Treaty concerning the "provision of services". The contrast has to be resolved having regard to the possibly temporary nature of the provision of services in a Member State other than the state of origin. Again the Court of Justice in the Gebhard case stated that the nature of the activities has to be determined with reference to their duration, regularity, periodicity and continuity[34]. The fact, for example, that the service provider has acquired some kind of infrastructure, or that the greater part of his business transactions are regularly carried out in that state, can be relevant.

Where a certification-service-provider is established in a Member State it will consequently be subject to the law of that particular state, even with reference to any services provided in other Member States.

The only legal restriction stated by the Directive concerns the use of electronic signatures in the public sector. With reference to this situation Article 3.7 states:

"Member States may make the use of electronic signatures in the public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate and non-discriminatory and shall relate only to the specific characteristics of the application concerned". The article then ends with a provision whose practical meaning is unclear: "Such requirements may not constitute an obstacle to cross-border services for citizens". In reality it is hard to see how such additional requirements can fail to constitute an obstacle to cross-border services where, as in Germany for instance, the use of "accredited" electronic signatures is required and residents of other Member States will in practice be obliged to use a local accredited certification-service-provider.

5.4 The concept of no prior authorization

The Directive chose the path of no prior authorisation for certification services. In fact Article 3.1 states: "Member States may not restrict the provision of certification-services originating in another Member State in the field covered by this Directive", and Recital 10 indicates that the internal market should enable certification-service-providers to develop their cross-border activities in order to increase their competitiveness, and so offer consumers and businesses new opportunities to exchange information and trade electronically in a secure way, regardless of frontiers. In order to accomplish this idea, and in complete accordance with the aim of the Directive, Recital 10 continues by adopting the idea of no prior authorisation and stating that "prior authorisation means not only any permission whereby the certification-service-provider concerned has to obtain a decision by national authorities before being allowed to provide its certification services, but also any other measures having the same effect".

Even though Recital 13 of the Directive permits Member States to decide how they ensure supervision of compliance with the provisions of the Directive, the concept of prior authorisation is expressly excluded. As a result Member States have to make sure that service providers operating in their country do so in accordance with the provisions of the Directive, without imposing a set of compulsory examinations before services can be opened.

5.5 The concept of voluntary accreditation schemes

In spite of the clear principle of free entry to the market for certification services, Article 3.2 establishes that it is possible for Member States "to introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service-provision"35. Article 3.2 then continues: "All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of accredited certification-service-providers for reasons which fall within the scope of this Directive". However, in order to protect the Directive's aim of guaranteeing free access to the market, Recital 12 of the Directive states that "Member States should not prohibit certification-service-providers from operating outside voluntary accreditation schemes; it should be ensured that such accreditation schemes do not reduce competition for certification services".

The idea of an accreditation scheme is to attract potential clients with particularly strong security needs36. Accreditation schemes, in fact, have the great advantage of improved flexibility and the possibility of quicker adaptation to changes in the technical environment. The approach of Member States varies from country to country: some prefer accreditation schemes controlled by the state or a governmental institution, while others choose a more private set-up37. In some countries, such as Germany, the investment required for the accreditation scheme is substantial and therefore probably of interest only to those certification-service-providers who have already made the necessary investments under the old German Signaturgesetz38.

The accreditation scheme often offers an enhanced level of security. In Germany, for instance, the accreditation scheme consists mainly in the fulfilment of the requirements of the old law39. In France or Belgium voluntary accreditation is aimed at giving certification-service-providers the official tag of "qualified" Certification Authority. The situation gets more confused where some Member States are creating, besides "qualified" certificates, a new category of "accredited" certificates with an even higher level of security. The creation of different levels of security may create financial problems for certification-service-providers, since the application process requires substantial investment. Where a Certification Authority intends to provide its services in more than one European country it might, in fact, have to go through different procedures in each Member State if it wants to attract customers from different countries. Even if a national accreditation scheme is in principle open to any Certification Authority based in Europe, customers are, for practical reasons, likely to put more trust in an accreditation scheme in their own country, whose background and environment they may be expected to be more familiar with.

With reference to accreditation schemes, Article 11 of the Directive states that Member States have to notify the Commission and the other Member States of any information on national accreditation schemes, the names and addresses of the national bodies responsible for accreditation, and the names and addresses of all accredited national service providers.

5.6 Supervision

Notwithstanding the principle of no prior authorisation, Article 3.3 of the Directive provides for an appropriate system of supervision: "Each Member State shall ensure the establishment of an appropriate system that allows for supervision of certification-service-providers which are established on its territory and issue qualified certificates to the public". In practice Member States may decide how to ensure such supervision, and the Directive does not preclude different kinds of supervision system, but a system that has the same effect as a requirement of prior authorisation is absolutely forbidden.

In order to ensure the supervision provided by Article 3.3 and "to strike a balance between consumer and business needs"40 Member States must remember that the potential customer must be in a position to recognise qualified certificates and must be protected against any illegal use of such qualification41. In apparent contrast with the above, Member States have to remember also that the aim of the Directive is to give the possibility to companies to offer their services freely and without obstacles.

In The Electronic Signatures Regulations 200242 there is no trace of the concept of prior authorisation: section 3(1) states that "It shall be the duty of the Secretary of State to keep under review the carrying on of activities of certification-service-providers who are established in the United Kingdom and who issue qualified certificates to the public and the persons by whom they are carried on with a view to her becoming aware of the identity of those persons and the circumstances relating to the carrying on of those activities". Section 3(2) and (3) then establish that it shall be the duty of the Secretary of State to maintain and publish a register of those certification-service-providers of whom he is aware who are established in the United Kingdom. Section 3(5) adds that "The Secretary of State shall have regard to evidence becoming available to him with respect to any course of conduct of a certification-service-provider which is established in the United Kingdom and which issues qualified certificates to the public and which appears to him to be conduct detrimental to the interests of those persons who use or rely on those certificates with a view to making any of this evidence as he considers expedient available to the public in such manner as he considers appropriate".

Some Member States solve the problem of interpreting Article 3.3 of the Directive by requiring certification-service-providers established on their territory and issuing qualified certificates to the public to give notice to the appropriate public authority before starting their activity. In Italy, for example, Article 3 of Decreto Legislativo 10/200243 states that the activity of certification-service-providers is free and that prior authorisation is consequently unnecessary. Then, following a more rigid approach, Article 4 of the Decreto Legislativo provides that certification-service-providers who want to issue qualified certificates have to give notice of their activity to the "Dipartimento per l'innovazione e le tecnologie" (hereinafter the Dipartimento). It is the duty of the Dipartimento to check whether a certification-service-provider issuing qualified certificates to the public satisfies the requirements laid down by Italian law44. The Regolamento implementing Decreto Legislativo 10/2002 was supposed to be issued within 30 days of the Decreto and was to set out the requirements for certification-service-providers wishing to issue qualified certificates; unfortunately, at the time of writing it is not known when this Regolamento will be issued.

The problem is that the obligation to notify can, from a practical point of view, be very similar to the unlawful requirement of prior authorisation, and a considerable part of the legislation adopted by Member States (in Italy and Germany, for example) conflicts with Article 3.1 and Recital 10 of the Directive.

5.7 Electronic signature products

Article 2.5 defines "signature-creation device" as "configured software or hardware used to implement the signature-creation data" and Article 2.8 defines "signature-verification device" as "configured software or hardware used to implement the signature-verification data". In general the Directive at Article 2.12 defines "electronic-signature product" as "hardware or software, or relevant components thereof, which are intended to be used by a certification-service-provider for the provision of electronic-signature services or are intended to be used for the creation or verification of electronic signatures".

Article 4.2 states that "Member States shall ensure that electronic-signature products" which comply with the Directive "are permitted to circulate freely in the internal market".

With reference to secure signature-creation devices, Annex III of the Directive lays down general requirements for advanced electronic signatures and states that secure signature-creation devices must at least ensure that the signature-creation data45 used for signature generation: (i) can practically occur only once, and that their secrecy is reasonably assured; (ii) cannot, with reasonable assurance, be derived, and that the signature is protected against forgery using currently available technology; (iii) can be reliably protected by the legitimate signatory against use by others. Finally, Annex III states that a secure signature-creation device "must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process".

Moreover Article 3.4 establishes that appropriate public or private bodies designated by Member States should ensure the conformity of secure signature-creation-devices with the above-mentioned requirements. Article 3.4 continues by pointing out that it is the duty of the Commission to establish criteria for Member States to determine whether a body should be designated. Article 3.4 ends by stating that determinations of conformity made by the bodies referred shall be recognised by all Member States46.

In accordance with the above, in a Decision dated 6 November 200047, the Commission established a set of criteria for the designation of such bodies. Article 1 of the Decision in fact underlines that the purpose of the Decision is "to establish the criteria for Member States to determine whether a national body should be designated as responsible for the conformity assessments of secure signature-creation-devices". Article 2 of the Decision then establishes that, where a designated body is involved in different activities, "different activities must be clearly distinguished" from the conformity assessment of secure signature-creation-devices. Article 3 of the Decision is probably the most important, stating that "The body and its staff must not engage in any activities that may conflict with their independence of judgement and integrity in relation to their task". Article 3 goes on to state that the body and its staff must be independent of the parties involved; in particular the staff of the body must not be a designer, manufacturer, supplier or installer (or the authorised representative of any such party) of secure signature-creation-devices, or a certification-service-provider issuing certificates to the public. "In addition", continues Article 3, "they must be financially independent and not become directly involved in the design, construction, marketing or maintenance of secure signature-creation-devices, nor represent the parties engaged in these activities". However, Article 3 ends by stating that the exchange of technical information between the manufacturer and the designated body is not precluded. Article 4 of the Decision can be considered pleonastic where it states that the body and its personnel must be able to determine conformity "with a high degree of professional integrity, reliability and sufficient technical competence".
More interesting is Article 5 of the Decision with reference to the necessity of transparency and where in particular it provides that the body shall "record all relevant information" concerning conformity assessment practices and states that "all interested parties must have access to the services of the body". The last part of Article 5 may again be considered pleonastic where it assumes that "the procedures under which the body operates must be administered in a non-discriminatory manner". Article 6 is more practical and much more useful than Article 4 where it states that "the body must have at its disposal the necessary staff and facilities to enable it to perform properly" but again there are no suggestions or indications as to the meaning of this requirement. Article 7 apparently follows a different approach by giving details of the personnel responsible for the conformity assessment, who must have: (i) sound technical and vocational training in particular in the field of electronic signature technologies and the related IT security aspects and (ii) satisfactory knowledge and adequate experience of the requirements of the conformity assessments they carry out. Article 8 is not very useful where it states: "the impartiality of staff shall be guaranteed"; in effect it seems to assume that independence of remuneration should adequately guarantee the independence of the staff. Article 9, covering liability, is better written: "The body must have adequate arrangements to cover liabilities arising from its activities, for example, by obtaining appropriate insurance".

In accordance with the concept of free circulation expressed in Article 4.2, the last sentence of Article 3.4 of the Directive states that "A determination of conformity with the requirements laid down in Annex III made by the bodies" referred to in the first part of the article "shall be recognised by all Member States", so that a device assessed once in one Member State need not be assessed again in another.

Article 3.6 provides that "Member States and the Commission shall work together to promote the development and use of signature-verification devices in the light of the recommendations for secure signature-verification laid down in Annex IV and in the interests of the consumer". Setting out the requirements Annex IV provides that for the duration of the signature-verification process it should be ensured with reasonable certainty that:

  • The information used for the verification of the signature matches with the information displayed to the verifier;
  • The signature is consistently verified and the result of that verification is precisely displayed;
  • Where it is necessary the verifier can establish the contents of the signed information;
  • The authenticity and validity of the certificate required at the time of signature are verified;
  • The result of the verification and the identity of the signatory are correctly displayed;
  • The use of a pseudonym is visibly indicated;
  • Any changes with reference to security can be detected.

5.8 Liability of issuers of qualified certificates

Article 6 of the Directive concerns the liability of certification-service-providers issuing qualified certificates: they are liable for part of the content of the certificate and for the correctness of revocation lists. Article 6 provides a minimum liability, which means that Member States are allowed to require a higher level of liability when implementing the Directive but are absolutely forbidden to provide a lower degree of responsibility for certification-service-providers issuing qualified certificates. Member States are also allowed to introduce liability for certification-service-providers issuing non-qualified certificates, either in the implementation of the Directive or in any other national law.

In the light of the above the first part of Article 6.1 states: "As a minimum, Member States shall ensure that by issuing a certificate as a qualified certificate to the public or guaranteeing such a certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate".

As one may note, the minimum level of protection is guaranteed by the Directive only in the case of qualified certificates issued to the public or guaranteed to the public. However, in most cases customers and other persons relying on the certificate cannot check whether the certificate is qualified in the terms of the Directive; they simply rely on the indication of qualification made by the Certification Authority in accordance with Annex I (a) of the Directive. The question whether a certificate can be considered "issued to the public" or "guaranteed to the public" is more ambiguous. Recital 16 of the Directive may be helpful in interpreting the former expression where it states: "a regulatory framework is not needed for electronic signatures exclusively used within systems, which are based on voluntary agreements under private law between a specified number of participants". It is in fact one of the aims of the Directive to protect the freedom of the parties, and if the Directive does not regulate these closed systems it is reasonable to assume that the liability of certification-service-providers operating in such closed systems also falls outside the provisions of the Directive. Moreover, in closed systems the mutual relationship enables the parties to set up their own contractual rights and liability provisions. It is consequently probable that the expression "issued to the public" refers to certification services where anyone can verify and rely on the certificate without any previous relationship with the Certification Authority. Where a Certification Authority guarantees its certificates to the public, Article 6 applies in any event48.

Another problem arises as to whether or not the signatory can be considered one of the persons protected by Article 6.1. It can be argued that the signatory is not covered by Article 6.1 because he has already entered into a contract with the Certification Authority and his rights are governed by the terms of that contract. Since the rules of the Directive do not apply to closed systems49, it could likewise be assumed that questions of liability between the signatory and the Certification Authority are governed by contractual conditions. Alternatively, Article 6 could be read as a provision that guarantees to the signatory a minimum level of liability on the part of the Certification Authority, below which the contract cannot go.

According to the second part of Article 6.1 and Article 6.2 a Certification Authority issuing a qualified certificate to the public or guaranteeing such a certificate should be liable:

  • "as regards the accuracy at the time of issuance of all information contained in the qualified certificate and as regards the fact that the certificate contains all the details prescribed for a qualified certificate";
  • "for assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature-creation data corresponding to the signature-verification data given or identified in the certificate";
  • "for assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the certification-service-provider generates them both";
  • "for failure to register revocation of the certificate".

Both Articles 6.1 and 6.2, for liability of the Certification Authority to arise, require the "reasonable reliance" of the party who suffered the damages. The term is unclear and the test of reasonableness will vary from court to court of different Member States.

The negligence of the Certification Authority is an essential requirement of both provisions of Articles 6.1 and 6.2 but the Directive imposes the burden of proof on the Certification Authority. It can be rightly assumed that the inversion of the burden of proof is required as a result of the fact that only the Certification Authority has the indispensable technical competence to inspect the issue and it would be impossible for the claimant to investigate the technical devices and procedures of a reluctant Certification Authority.

Statutory Instrument 2002 No. 318, implementing the Directive, imposes in certain circumstances liability on the Certification Authority even in the absence of proof of negligence unless the Certification Authority proves he was not negligent50. In this particular case only the minimum liability requirements of the Directive have been followed with no trace of an intention of a stricter imposition to Certification Authorities.

It is however possible for Certification Authorities to limit their liability. Article 6.3 permits limitations on the use of a qualified certificate, provided such limitations are included in the qualified certificate itself. For example, liability can be limited by stating that a certificate may be used only for a particular type of transaction; where the signatory exceeds this limitation, the Certification Authority is not liable for damage resulting from such misuse. Following the same idea, Article 6.4 introduces another limitation on liability where Certification Authorities "indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used", so that a relying party who accepts the certificate for a transaction above that limit does so at its own risk.

Both limitations must be "recognisable to third parties"51. Since the limitation has to appear in the certificate itself, it is the relying party's verification software that must read and display it; recognisability is further supported by describing the limitations in the Certification Authority's Certificate Practice Statement, which must be brought to the attention of both the relying party and the signatory and can, for instance, be downloaded from the Certification Authority's website.
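The Annex IV list in section 5.7 and the Article 6.3/6.4 limitations just discussed describe what a relying party's verification application has to do in practice. The following block is an added example, not code from the article or from any certification-service-provider: a Python verification routine that checks a signature against a certificate's validity window and revocation status, verifies the signature itself, applies the usage restriction and transaction-value limit carried in the certificate, and reports every check by name together with the signatory's identity and whether that identity is a pseudonym. The certificate and signed-data layouts are constructed for this illustration, and the signature primitive is an HMAC-SHA256 stand-in (an assumption made so the block runs on the standard library alone); in a real deployment verify_primitive would be public-key verification against the certificate's signature-verification data.

```python
# Added example, not from the article. Relying-party checks modelled on
# Annex IV of Directive 1999/93/EC and the Art. 6.3 / 6.4 limitations.
# Formats are constructed; verify_primitive is an HMAC stand-in (assumption).
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class Certificate:
    serial: str
    subject: str                        # name, or a pseudonym (Art. 8.3)
    pseudonym: bool                     # Annex IV: must be clearly indicated
    not_before: datetime
    not_after: datetime
    verification_key: bytes             # stands in for signature-verification data
    usage_restriction: Optional[str]    # Art. 6.3: permitted use, if stated
    value_limit: Optional[int]          # Art. 6.4: transaction value cap, if stated
    qualified: bool = True              # Annex I (a) indication


@dataclass
class SignedData:
    document: bytes
    signing_time: datetime
    signature: bytes
    cert_serial: str
    purpose: str
    transaction_value: int


def verify_primitive(key: bytes, document: bytes, signature: bytes) -> bool:
    """HMAC-SHA256 stand-in for the asymmetric signature check (assumption)."""
    expected = hmac.new(key, document, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def verify(signed: SignedData, certs: Dict[str, Certificate],
           revocations: Dict[str, datetime]) -> dict:
    """Run every check and name each one, so the application can display the
    result, the signatory and the pseudonym flag (Annex IV (b), (e), (f)).
    Validity and revocation are assessed at the signing time in the data."""
    result = {"valid": False, "checks": {}, "signatory": None, "pseudonym": False}
    checks = result["checks"]
    cert = certs.get(signed.cert_serial)
    checks["certificate_known"] = cert is not None
    if cert is None:
        return result
    result["signatory"] = cert.subject
    result["pseudonym"] = cert.pseudonym
    t = signed.signing_time
    checks["qualified"] = cert.qualified
    checks["certificate_valid"] = cert.not_before <= t <= cert.not_after
    revoked_at = revocations.get(cert.serial)          # Art. 6.2: revocation register
    checks["not_revoked"] = revoked_at is None or revoked_at > t
    checks["signature_matches"] = verify_primitive(
        cert.verification_key, signed.document, signed.signature)
    checks["within_usage"] = (cert.usage_restriction is None
                              or cert.usage_restriction == signed.purpose)
    checks["within_value_limit"] = (cert.value_limit is None
                                    or signed.transaction_value <= cert.value_limit)
    result["valid"] = all(checks.values())
    return result


def demo() -> Dict[str, dict]:
    """Constructed scenarios: one clean signature and four distinct failures."""
    utc = timezone.utc
    key, pseud_key = b"constructed-demo-key", b"another-constructed-key"
    nb, na = datetime(2003, 1, 1, tzinfo=utc), datetime(2005, 12, 31, tzinfo=utc)
    cert = Certificate("QC-0001", "MARIO ROSSI", False, nb, na, key, "purchase-order", 10_000)
    pseud = Certificate("QC-0002", "PN:alpha", True, nb, na, pseud_key, None, None)
    certs = {cert.serial: cert, pseud.serial: pseud}
    revocations = {cert.serial: datetime(2005, 3, 1, tzinfo=utc)}   # after the good signing
    doc = b"Purchase order 42: 300 units at 12 EUR"
    good = SignedData(doc, datetime(2004, 6, 1, tzinfo=utc),
                      hmac.new(key, doc, hashlib.sha256).digest(),
                      cert.serial, "purchase-order", 3_600)
    pdoc = b"Comment posted under a pseudonym"
    pseudonymous = SignedData(pdoc, datetime(2004, 6, 1, tzinfo=utc),
                              hmac.new(pseud_key, pdoc, hashlib.sha256).digest(),
                              pseud.serial, "forum-post", 0)
    return {
        "good": verify(good, certs, revocations),
        "tampered": verify(replace(good, document=doc + b"0"), certs, revocations),
        "over_limit": verify(replace(good, transaction_value=50_000), certs, revocations),
        "wrong_use": verify(replace(good, purpose="loan-agreement"), certs, revocations),
        "after_revocation": verify(replace(good, signing_time=datetime(2005, 6, 1, tzinfo=utc)),
                                   certs, revocations),
        "pseudonymous": verify(pseudonymous, certs, revocations),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        failed = [k for k, ok in r["checks"].items() if not ok]
        print(f"{name:17s} valid={r['valid']!s:5s} signatory={r['signatory']} "
              f"pseudonym={r['pseudonym']} failed={failed}")
```

The "after_revocation" scenario is the one worth noticing: the certificate is still inside its validity window when the signature is made, so a check of dates alone would pass, and only the revocation register catches it. That is why Article 6.2 treats failure to register revocation as a distinct head of liability. Likewise "over_limit" and "wrong_use" are rejected by the verifier, not by the Certification Authority, which is what "recognisable to third parties" has to mean in practice.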

5.9 International circulation of certificates and certificates services

The Directive emphasises the international recognition of certificates between different countries. In particular Recital 23 states that "agreements on multilateral rules with third countries on mutual recognition of certification services could be beneficial" in order to create an international legal framework.

In order to recognise that qualified certificates issued to the public in a third country are equivalent to certificates issued within the Community Article 7.1 of the Directive requires that:

  • the certification-service-provider fulfils the requirements of the Directive and has been accredited in a Member State; or
  • a certification-service-provider of a Member States fulfilling the requirements of the Directive guarantees the foreign certificate; or
  • in accordance with Recital 23 the certificate or the certification service provider is recognised under a bilateral or multilateral agreement.

The idea of creating international standards for certification services in order to facilitate cross-border certification services and the legal recognition of advanced electronic signatures is confirmed also in Article 7.2. The second part of the article makes an effort to give a practical plan for carrying out this intention where it states that "the Commission shall make proposals, where appropriate, to achieve the effective implementation of standards and international agreements applicable to certification services". Article 7.2 then continues by stating that the Commission "shall submit proposals to the Council for appropriate mandates for the negotiation of bilateral and multilateral agreements with third countries and international organisations"52.

Article 7.3 of the Directive makes an effort to solve any difficulties encountered by Community undertakings with regard to market admission in foreign countries and states that, where necessary, the Commission may "submit proposals to the Council for an appropriate mandate for the negotiation of comparable rights for Community undertakings in these third countries".

5.10 Data protection

Article 8 concerns data protection53. The provisions contained in this article are clear and do not seem to give rise to particular problems: Article 8.1 requires certification-service-providers and national bodies to comply with the requirements laid down in Directive 95/46/EC54, and Article 8.2 requires that certification-service-providers collect personal data only directly from the data subject or with his explicit consent, and only insofar as it is necessary for the purposes of issuing and maintaining a certificate. Obviously the data may not be collected or processed for any other purpose without the explicit consent of the data subject.55

Moreover Article 8.3 states: "without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent certification service providers from indicating in the certificate a pseudonym instead of the signatory’s name". This provision cannot be considered superfluous and it is a clear indication of the requirements placed on the national legislator in cases of prior legislation that forbids the use of a pseudonym and in future legislation which may seek to outlaw the use of pseudonyms.

6. Legal status of electronic signatures

One of the most important but also controversial provisions of the Directive is Article 5.1 which states: "Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature creation device:

  1. satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data, and
  2. are admissible as evidence in legal proceedings".

Then Article 5.2 makes an attempt to prevent discrimination with reference to the use of electronic signatures where it provides that: "Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:

  • in electronic form, or
  • not based upon a qualified certificate, or
  • not based upon a qualified certificate issued by an accredited certification-service-provider, or
  • not created by a secure signature-creation device"56.

This provision is in accordance with the aim of the Directive to create a legal framework, to facilitate the use of electronic signature and also to sustain the idea that customers should not be obliged to use a qualified signature in order to have it admitted as evidence.

Moreover the second part of Recital 20 explains: "advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device can be regarded as legally equivalent to hand-written signatures only if requirements for hand-written signatures are fulfilled".

Again the development of the use of electronic signatures is underlined in Recital 21 that states: "In order to contribute to the general acceptance of electronic authentication methods it has to be ensured that electronic signatures can be used as evidence in legal proceedings in all Member States"57. Recital 21 then continues about the necessity that "the legal recognition of electronic signatures should be based upon objective criteria and not be linked to authorisation of the certification-service-provider involved".

Article 5.1 guarantees to advanced electronic signatures based on a qualified certificate and created by a secure-signature-creation device the same legal status as hand-written signatures58. On the other hand, Article 5.1 does not express any obligation to use electronic data processing. In fact, following Recital 21, "national law governs the legal spheres in which electronic documents and electronic signatures may be used". In consequence, according to the Directive, legal rules requiring the use of paper documents are entirely free to continue to exist; but where the use of electronic signatures is legally authorised, the electronic signatures referred to in Article 5.1 should, in relation to electronic data, receive the same status as hand-written signatures in relation to paper documents.

In any event it is always possible for Member States to replace current legislation that requires the use of hand-written signatures with new rules approving the use of electronic data without requiring qualified electronic signatures, and it is of course not the aim of the Directive to impose the use of qualified electronic signatures. It is also possible for a Member State to introduce new legislation imposing additional, legally binding security measures; in relation to paper documents, after all, the hand-written signature is neither the only nor the best security measure.

On the other hand it is indeed arguable that the choice of the European legislator to determine the legal status of qualified electronic signatures relative to electronic data by the status of hand-written signatures relative to paper documents presumes that the hand written signature will survive for ever as a point of reference for the future, which is open to debate.

Article 5 is very controversial and does not seem to be in perfect accordance with the aim of the Directive not to impose a standard for electronic signatures. Article 5.2, for instance, seems to be applicable to all electronic signatures but does not indicate that a non-qualified signature is supposed to have the same legal effect of a hand-written signature.

7. Final provisions

As previously underlined, the Commission has received from the Directive some implementing power with reference to the criteria for the designation of conformity-assessment bodies and for the publication of reference numbers of generally recognised standards59, and an "Electronic Signature Committee" should assist the Commission in such an effort60.

Article 9 of the Directive provides that Articles 4 and 7 of Decision 1999/468/EC61 apply with reference to the powers and management procedures of the Committee.

Article 11 of the Directive imposes a duty of notification on Member States for information on national voluntary accreditation scheme, for names and addresses for the national bodies and all accredited national certification service providers.

Finally, Article 12 requires a review of the Directive and Article 13 sets out the Member States' obligations for its implementation62. Many Member States failed to meet the implementation deadline of 19 July 2001.

8. Conclusions

In reality, the legislation on electronic signatures came before these instruments had developed in the commercial community, and it is very hard to build a body of academic work in this area given the total lack of judicial and practical references. As a result, this work is more an attempt to describe a legal situation than a critique of a law that has not yet had practical effects.

The idea of the Directive, as has been underlined many times, is to create a legal framework for electronic signatures in order to facilitate and develop the use of this new instrument within the national and international legal community. Unfortunately, at present it cannot be said whether this goal has been achieved: electronic signatures are not yet used in legal transactions, and nobody yet has a clear idea of how Member States will implement the rules of the Directive where they are given a choice, in particular with regard to the legal status of electronic signatures. Nor is there any clear guidance from the courts of the Member States, either on the rules of the Directive or on the national implementing rules, because not a single case on these matters has yet come before a court.

Notwithstanding this, the Directive makes a good effort at creating a legal framework for the development of electronic signatures, and most of its provisions are clear and well written despite the lack of practical references. In particular, the rules on administrative procedures and on the competence of the various bodies and authorities will probably not need to change as electronic signatures develop in practice. On the other hand, and for the same reasons, the rules on the legal effects of electronic signatures, in particular those on the legal status of electronic signatures as compared with traditional signatures, will probably become obsolete in the long term, because for at least some kinds of transaction electronic signatures can be expected to become the only point of reference.

The rules of the Directive on the international aspects of electronic signatures are welcome, and the effort to facilitate bilateral and multilateral agreements between different countries is positive. Electronic commerce and international transactions over the Internet are growing, and the international recognition and interoperability of different standards is essential.

Unfortunately, I do not believe in imposing standards and developing legal rules before the phenomenon has actually arrived in everyday life, and I think these tools were regulated before the commercial community understood them. The result is legislation destined to change in the next few years, when practical needs impose their own requirements and standards.

BIBLIOGRAPHY

EUROPEAN LEGISLATION

Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures

NATIONAL LEGISLATION

Legge 31/1982

Bundesgesetzblatt, I, 1997, 1870

Legge 15 Marzo 1997, n.59

D.P.R. 10 Novembre 1997, n. 513

Decreto Legislativo 23 gennaio 2002, n.10. Attuazione della direttiva 1999/93/CE relativa ad un quadro comunitario per le firme elettroniche

The Electronic Signatures Regulations 2002, Statutory Instrument 2002 No. 318

EUROPEAN UNION MATERIAL

Council Resolution Nr. 96/C 376/01 on new policy-priorities regarding the information society, OJ C376 of 12/12/96

European Commission, Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A European Initiative in Electronic Commerce, 15/04/97, COM(97)157, § 51

European Commission, Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Ensuring security and trust in electronic communications: Towards a European framework for digital signatures and encryptions, 08/10/97, COM(97)503

Explanatory Memorandum of the Draft Directive, COM (98) 297 final, 6

Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission, Official Journal L 184, 17/07/1999, p. 23-26

Commission Decision 2000/709/EC of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with article 3.4 of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures, OJ 2000 L289/42

NATIONAL MATERIAL

American Bar Association Model Electronic data Interchange Trading Partner Agreement (Chicago, American Bar Association, 1990) § 15

American Bar Association Digital Signature Guidelines (ABA: Chicago 1996) 9

US Uniform Computer Information Transactions Act (October 1999 draft)

COLEMAN/SAPTE, "Computer Law & Security Report", Vol. 16 no. 4 2000

ETSI TS 101 733 "Electronic Signature Formats", V1.1.2 (2000-12)

CASES

Gebhard v Consiglio dell’Ordine degli Avvocati e Procuratori di Milano (Case C-55/94) [1995] ECR I 4165

INASTI v Kemmler (Case C-53/95) [1996] ECR I-704

R. v Secretary of State for Transport, ex p. Factortame (Case C-221/89) [1991] ECR I 3905

Swallow and Pearson v Middlesex County Council [1953] 1 All ER 580

BOOKS

BOWER Spencer and Turner, The Law Relating to Estoppel by Representation (3rd, London: Butterworths, 1977)

CIACCI G., DI SALVATORE P., GALDIERI P., MINERVA M., Prospettive giuridiche delle tecnologie dell'informazione (Edizioni Scientifiche Italiane 2000)

D'ELIA CIAMPI I., L'informatica e le banche dati, Tomo II, parte speciale, in Trattato di Diritto Amministrativo a cura di Sabino Cassese, (Milano, Giuffrè 2000)

EDWARDS Lilian and WAELDE Charlotte, Law & the Internet (Oxford – Portland Oregon: Hart Publishing, 2000)

FINOCCHIARO G., "Profili giuridici della firma digitale: normativa italiana e direttiva europea" Alta Frequenza Rivista Elettronica - vol. 13 N. 5

FORD Warwick and S. BAUM Michael, Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption, (New Jersey: Prentice Hall, 1997)

FUGINI M., MAIO F., PLEBANI P., Sicurezza dei sistemi informatici (Milano: Apogeo, 2000)

REED Christopher, Digital Information Law: electronic documents and requirements of form (London: Centre for Commercial Law Studies, 1996)

REED Christopher, Internet Law: Text and Materials (London: Butterworths, 2000)

TOMMASI Fabio, La Firma Digitale (Dogana: Maggioli Editore, 2001)

ZAGAMI Raimondo, Firma digitale e sicurezza giuridica (Padova, 2000, CEDAM)

ARTICLES

BERMAN A., "The Cross-border Recognition of Electronic Contracts and Digital Signatures" (2001), 28 Syracuse Journal of International Law and Commerce (summer edition) 125

BOSS Amelia H., "Searching for Security in the Law of Electronic Commerce" (1999) 23 Nova L. Rev., 601

CARIDI V., "Documento informatico privo di firma digitale e sua efficacia probatoria", Commento a Cass. civ., sez. lav. 6 settembre 2001, n. 11445, in Temi Romana, I, 2001

CERINA Paolo, "The new Italian law on digital signatures" CTLR 1998, 4(6), 193-199

COLLEJA Rico, "European Union: Electronic Commerce - Digital Signatures" CTLR 1998, 4(6), 105-106

COPELAND Caroline, "Digital Signatures: throw away your pens" Ent. LR 2000, 11(5), 112-113

DANIELS Philip, "Digital Certificates/Electronic Signatures - legal/regulatory Issues for Financial Institutions" COMPTLR 2000, 7 (4), 77-79

DUMORTIER J., VAN EECKE P., "Electronic Signatures. The European Draft Directive on a common framework for electronic signatures", Computer Law & Security Report. (1999) 15(2), 106-112

EMMERT, "Haftung der Zertifizierungsstellen", CR 9, 244 ff, 249

FROOMKIN Michael, "The Essential Role of Trusted Third Parties in Electronic Commerce" (1996) 75 Oregon L. Rev. 49 Part III.A.2(a) (iii)

KENNY Phillip H., "Are electronic signatures safer or not" Conv. & Prop. Law. 2002, Mar/Apr, 94-96

MILAZZO Ugo Agostino and FELCI Angelo, "Italy opened the way to digital signatures" ICCLR 1998, 9(8) at 235-237

REED Christopher, "Legally Binding Electronic Documents: Digital Signatures and Authentication" [Spring 2000] 35, International Lawyer, 89

RICHARDS J., "The UTAH Digital Signature Act as ‘Model’ Legislation: a Critical Analysis" (1999) 17, John Marshall Journal of Computer and Information Law 873

ROSSNAGEL A., "Das neue Recht elektronischer Signaturen", NJW, 2001, 1821

SMITH B. and KIEFER K.,"Recent Developments in Electronic Authentication: the Evolution Role of the Certification Authority" (April 1999) 116, Banking Law Journal, 341

YON Frederic, "The legal significance of electronic signatures and their implementation in France" EIPR 2001, 23 (10), 478-488

ZAGAMI Raimondo, "Firme <>, crittografia e validità del documento elettronico", Riv. Inf. Infor., 1996

Footnotes

1 For a very general introduction on the concept of digital signature see Caroline Copeland, "Digital Signatures: throw away your pens" Ent. LR 2000, 11(5), 112-113.

2 American Bar Association Model Electronic data Interchange Trading Partner Agreement (Chicago, American Bar Association, 1990) § 15.

3 See Swallow and Pearson v Middlesex County Council [1953] 1 All ER 580. For a different point of view see also Spencer Bower and Turner, The Law Relating to Estoppel by Representation (3rd, London: Butterworths, 1977) at 142.

4 Art 6 (1) of the Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts.

5 Christopher Reed, Internet Law: Text and Materials (London: Butterworths, 2000) at 158.

6 For an introduction about these concepts see M. FUGINI, F. MAIO, P. PLEBANI, Sicurezza dei sistemi informatici (Milano: Apogeo, 2000).

7 Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorised people. Decryption is the process of converting encrypted data back into its original form, so that it can be understood.

8 In mathematics, an algorithm is a procedure or formula for solving a problem.

9 Christopher Reed Internet Law: Text and Materials (London: Butterworths, 2000) at 158.

10 In the United States there has been a debate about electronic signature legislation since 1997. See Warwick Ford and Michael S. Baum, Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption, (New Jersey: Prentice Hall, 1997). With reference to e-commerce the debate started even earlier: see Michael Froomkin, "The Essential Role of Trusted Third Parties in Electronic Commerce" (1996) 75 Oregon L. Rev. 49 Part III.A.2(a) (iii). The Utah Digital Signature Act then became a model for legislation: see J. Richards, "The UTAH Digital Signature Act as ‘Model’ Legislation: a Critical Analysis" (1999) 17, John Marshall Journal of Computer and Information Law 873.

11 Council Resolution Nr. 96/C 376/01 on new policy-priorities regarding the information society, OJ C376 of 12/12/96.

12 See Articolo 15 Legge 15 Marzo 1997, n.59.

13 D.P.R. 10 Novembre 1997, n. 513. For an exhaustive explanation of Italian legislation in this subject see also Fabio Tommasi, La Firma Digitale (Dogana: Maggioli Editore, 2001).

14 See Ugo Agostino Milazzo and Angelo Felci, "Italy opened the way to digital signatures" ICCLR 1998, 9(8) at 235-237. See also Paolo Cerina, "The new Italian law on digital signatures" CTLR 1998, 4(6), 193-199.

15 The concept of signature was also evolving in England: see Christopher Reed, Digital Information Law: electronic documents and requirements of form (London: Centre for Commercial Law Studies, 1996).

16 Bundesgesetzblatt, I, 1997, 1870.

17 European Commission, Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Ensuring security and trust in electronic communications: Towards a European framework for digital signatures and encryptions, 08/10/97, COM(97)503. And even before: European Commission, Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A European Initiative in Electronic Commerce, 15/04/97, COM(97)157, § 51.

18 For an example of one of the proposals made see Rico Colleja, "European Union: Electronic Commerce - Digital Signatures" CTLR 1998, 4(6), 105-106.

19 For a good explanation of the reasons of the divergence see J. DUMORTIER, P. VAN EECKE , "Electronic Signatures. The European Draft Directive on a common framework for electronic signatures", Computer Law & Security Report. (1999) 15(2), 106-112.

20 In Italy for instance the possibility to send the tax declaration in electronic format is recent. Building permits also are often drafted in particular forms.

21 For an idea of "technology neutrality" and "implementation neutrality" see Amelia H. Boss, "Searching for Security in the Law of Electronic Commerce" (1999) 23 Nova L. Rev., 601.

22 See the Explanatory Memorandum of the Draft Directive, COM (98) 297 final, 6.

23 See Philip Daniels, "Digital Certificates/Electronic Signatures - legal/regulatory Issues for Financial Institutions" COMPTLR 2000, 7 (4), 77-79.

24 For a brief but exhaustive explanation of electronic signature technology see Christopher Reed, Internet Law: Text and Materials (London: Butterworths, 2000) at 158 and American Bar Association Digital Signature Guidelines (ABA: Chicago 1996) 9. See also Lilian Edwards and Charlotte Waelde, Law & the Internet (Oxford – Portland Oregon: Hart Publishing, 2000).

25 For an introduction to the concept of certification and its developments see B. Smith and K. Kiefer,"Recent Developments in Electronic Authentication: the Evolution Role of the Certification Authority" (April 1999) 116, Banking Law Journal, 341.

26 See ETSI TS 101 733 "Electronic Signature Formats", V1.1.2 (2000-12).

27 Christopher Reed Internet Law: Text and Materials (London: Butterworths, 2000) at 123.

28 Christopher Reed, Internet Law: Text and Materials (London: Butterworths, 2000) at 123. The importance of identification in electronic transactions has been well recognised in the Uniform Computer Information Transactions Act (UCITA), a proposed state contract law designed to regulate and harmonise the licensing of software and all other forms of digital information in the United States of America. See US Uniform Computer Information Transactions Act (October 1999 draft), sections 112, 212 and 213.

29 Legge 31/1982 articolo 2.2.

30 Gebhard v Consiglio dell’Ordine degli Avvocati e Procuratori di Milano (Case C-55/94) [1995] ECR I 4165.

31 Gebhard v Consiglio dell’Ordine degli Avvocati e Procuratori di Milano (Case C-55/94) [1995] ECR I 4165, para 25.

32 INASTI v Kemmler (Case C-53/95) [1996] ECR I-704, para 8.

33 R. v Secretary of State for Transport, ex p. Factortame (Case C-221/89) [1991] ECR I 3905, para 20.

34 Gebhard v Consiglio dell’Ordine degli Avvocati e Procuratori di Milano (Case C-55/94) [1995] ECR I 4165, para 26.

35 Section 3 (2).

36 For an analysis of the security of electronic signatures see Phillip H. Kenny, "Are electronic signatures safer or not" Conv. & Prop. Law. 2002, Mar/Apr, 94-96.

37 See COLEMAN/SAPTE, "Computer Law & Security Report", Vol. 16 no. 4 2000, p.249.

38 See EMMERT, "Haftung der Zertifizierungsstellen", CR 9, 244 ff, 249.

39 A. Rossnagel, "Das neue Recht elektronischer Signaturen", NJW, 2001, 1821.

40 Recital 14 of Directive 1999/93/EC.

41 This is why Article 11 of Directive 1999/93/EC, and the consequent obligation of notification on Member States, also applies to the national bodies responsible for supervision.

42 See The Electronic Signatures Regulations 2002, Statutory Instrument 2002 No. 318.

43 Decreto Legislativo 23 gennaio 2002, n.10. Attuazione della direttiva 1999/93/CE relativa ad un quadro comunitario per le firme elettroniche.

44 See V. CARIDI, "Documento informatico privo di firma digitale e sua efficacia probatoria", Commento a Cass. civ., sez. lav. 6 settembre 2001, n. 11445, in Temi Romana, I, 2001; G. CIACCI, P. DI SALVATORE, P. GALDIERI, M. MINERVA, Prospettive giuridiche delle tecnologie dell'informazione (Edizioni Scientifiche Italiane 2000). See also I. D'ELIA CIAMPI, L'informatica e le banche dati, Tomo II, parte speciale, in Trattato di Diritto Amministrativo a cura di Sabino Cassese, (Milano, Giuffrè 2000) and G. FINOCCHIARO, "Profili giuridici della firma digitale: normativa italiana e direttiva europea", Alta Frequenza Rivista Elettronica - vol. 13 n. 5.

45 See Article 2.4 of Directive 1999/93/EC.

46 See also Article 9 of Directive 1999/93/EC.

47 Commission Decision 2000/709/EC of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with article 3.4 of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures, OJ 2000 L289/42.

48 See, for example, Articles 7.1 (b) and 5 of Directive 1999/93/EC.

49 See Recital 16 of Directive 1999/93/EC.

50 See Regulation 4 and the explanatory note of The Electronic Signatures Regulations 2002, Statutory Instrument 2002 No. 318.

51 See Articles 6.3 and 6.4 of Directive 1999/93/EC.

52 For the American point of view see A. Berman, "The Cross-border Recognition of Electronic Contracts and Digital Signatures" (2001), 28 Syracuse Journal of International Law and Commerce (summer edition) 125.

53 For an example of implementation of the provisions of the Directive concerning data protection see Regulation 5 of The Electronic Signatures Regulations 2002, Statutory Instrument 2002 No. 318.

54 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

55 Article 8.2 of Directive 1999/93/EC.

56 For an explanation of the former Italian legislation on this matter see Raimondo Zagami, "Firme <>, crittografia e validità del documento elettronico", Riv. Inf. Infor., 1996 and after the Directive see also Raimondo Zagami, Firma digitale e sicurezza giuridica (Padova, 2000, CEDAM).

57 See Christopher Reed, "Legally Binding Electronic Documents: Digital Signatures and Authentication" [Spring 2000] 35, International Lawyer, 89.

58 See, for instance, Article 6 of Decreto legislativo 10/2002 on the legal status of electronic signatures in Italy.

59 See Articles 3.4 and 3.5 of Directive 1999/93/EC.

60 See Article 10 of Directive 1999/93/EC.

61 Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission, Official Journal L 184, 17/07/1999, p. 23-26.

62 For the implementation in France of the Directive see for instance Frederic Yon, "The legal significance of electronic signatures and their implementation in France" EIPR 2001, 23 (10), 478-488.
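A worked illustration of the mechanism glossed in footnotes 7 and 8: a document is signed with a private key and the signature is verified with the public key alone, so that any later change to the document, or a signature made with somebody else's key, is detected (the change-detection property the Directive's definition of an advanced electronic signature requires). This is an added example and not code from the article or from any certification service provider's product. It uses textbook RSA with fixed, published Mersenne primes, no padding and a truncated SHA-256 digest, all of which are assumptions of the example: it shows the mechanism only and is not a usable signature scheme.

```python
"""Toy digital signature: sign a document, verify it, detect tampering.

Added illustration, not code from the article.  Textbook RSA with fixed,
published Mersenne primes and no padding: it shows the mechanism only and
must not be used as a real signature scheme.
"""
import hashlib

# Fixed key material (an assumption of this example).  These are well-known
# Mersenne primes; a real CSP generates random primes of 1024 bits or more.
_P1, _Q1 = 2**61 - 1, 2**89 - 1     # the signatory's key pair
_P2, _Q2 = 2**107 - 1, 2**127 - 1   # a second, unrelated key pair
E = 65537                            # public exponent, coprime to both phi values


def make_keypair(p, q):
    """Return (public_key, private_key) as ((n, e), (n, d)) for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)              # e * d == 1 (mod phi); needs Python 3.8+
    return (n, E), (n, d)


def digest_as_int(document: bytes) -> int:
    """Hash the document and take the first 16 bytes as an integer.

    128 bits is below every modulus used here, so the value is a valid RSA
    input; with real key sizes a padding scheme such as PSS would be used.
    """
    return int.from_bytes(hashlib.sha256(document).digest()[:16], "big")


def sign(document: bytes, private_key) -> int:
    """Signature creation: the digest raised to the private exponent mod n.

    Only the holder of d can produce this value, which is what links the
    signature uniquely to the signatory.
    """
    n, d = private_key
    return pow(digest_as_int(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Signature verification using the public key only.

    Any change to the document changes its digest, so the comparison fails:
    a subsequent change to the signed data is detectable.
    """
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(document)


def demo():
    """Run the three checks a relying party cares about; return the outcomes."""
    signer_pub, signer_priv = make_keypair(_P1, _Q1)
    other_pub, _ = make_keypair(_P2, _Q2)

    # Constructed sample document (not taken from the article).
    contract = b"Seller sells 100 units to Buyer at EUR 12.50 each. Rome, 2003-10-01."
    sig = sign(contract, signer_priv)

    genuine = verify(contract, sig, signer_pub)                              # True
    tampered = verify(contract.replace(b"12.50", b"2.50"), sig, signer_pub)  # False
    wrong_key = verify(contract, sig, other_pub)                             # False
    return genuine, tampered, wrong_key


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The three outcomes correspond to the three things a relying party needs from a signature: the genuine document verifies, an altered price does not, and a signature checked against a different signatory's public key does not. Everything beyond this toy (random prime generation, padding, the binding of the public key to a person through a certificate, and the secure storage of d in a signature-creation device) is what the Directive's notions of qualified certificate, certification service provider and secure-signature-creation device add on top of the bare mathematics.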

The content of the article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
