Introduction

Given the COVID-19 world in which we now all operate, we are likely to see an increased use of digital signatures in the legal and commercial spheres going forward. While courts generally consider that digital and electronic signatures are "a fact of modern commercial life"1, it is important for businesses and individuals to consider how their private data and information is stored, processed, maintain, accessed and secured.

Key points/how does it affect you

What are digital signatures?

Digital and electronic signatures have been used in the commercial and legal industries since at least 2000. At the Federal level, the use of digital and electronic signatures is governed by the Electronic Transactions Act 1999 (Cth) (Commonwealth ETA). There are similar statutes in each state and territory.2

Pursuant to s 10 of the Commonwealth ETA, electronic and digital signatures will have the same effect as written signatures where the requirements of "identity",3 "reliability",4 and "consent"5 have been satisfied. Although there is some debate over exact definitions:

  • A "wet signature" refers to an individual physically marking a document (ie with a pen).
  • An "electronic signature" refers to the acknowledgi>ent or adoption of an electronic message, transaction or document (ie an "electronic version" of someone's signatures which is placed onto a document, a typed name on an electronic form or document, a scribbled name on a device following a delivery).
  • A "digital signature" uses "cryptographic authentication technology" which is an encryption sitting underneath the signature and provides for the tracking of each step of the execution/signature process and can assist parties (and a court) in determining who actually signed the document and when they purportedly signed it. Programs such as Adobe EchoSign and DocuSign are now commonly used by businesses and individuals to facilitate digital signatures.

Whilst in times gone by, there would have been a crowded boardroom with individuals — dressed in nice suits — attending to the signing of voluminous amounts of paper (within nicely laminated folders), this is increasingly becoming an antiquated form of operating. Obvious benefits of digital signatures are that they make commercial dealings more efficient, quick and cost-effective - and they save paper and improve sustainability.

What are the privacy considerations?

Digital signatures necessarily involve the uploading and exchange of documentation in a cloud platform. A question arises as to commercial confidentiality when documents are uploaded to cloud platforms. Companies who provide these services purport that when documents are uploaded to their platform, the substantive content of the document, agreement, contract or the like is encrypted; meaning they have no control over, or access to, the specific contents of the documents.

In engaging an external service provider to store documents and information in the cloud, individuals and companies must be satisfied that the cloud service provider can adequately protect the security of documents and other data. They should also be satisfied that documents uploaded to the platform are protected from unauthorised amendments, which is a particular risk with an increase in cybercrime and hacking, both nationally and globally.

A key consideration is where the cloud server (which hosts the relevant contents and data) is located. Where the server is hosted overseas, it will generally be subject to both its local laws regarding data protection and the laws of the nation hosting the server. Foreign government agencies can — legally — have more extensive powers to access information. Realistically, is it likely that companies, let alone individuals, are going to examine the small print of where the data is going to be stored? Maybe ... but maybe not and the risk of not doing this is that it could result in a material breach of private information.

What protections exist in Australia?

The Privacy Act 1988 (Cth) governs and regulates how relevant businesses handle personal information.

Personal information is defined as any information or opinion about an individual who is "reasonably identifiable". Businesses subject to the Privacy Act (ie a business with an annual turnover of $3 million) are subject to the obligations set out in the Australian Privacy Principles (APP).

The obligations can be summarised as follows:6

  • The privacy policies of cloud providers must notify customers as to what personal information will be collected and state the intended disclosure arrangi>ents of that personal information, including whether it will be placed in any international data storage locations.
  • Cloud servers can only disclose personal information internationally if the overseas recipient does not breach the APPs.
  • Cloud servers must give customers their personal information upon request.
  • Cloud providers must take reasonable steps to secure personal information from misuse, interference or loss and from unauthorised access, modification or disclosure, including security breaches that occur internationally.
  • Cloud providers must take reasonable steps to delete or de-identify personal information that is no longer needed for the purpose for which it was originally stored.

There will also, in appropriate scenarios, be ri>edies available under the Australian Consumer Law as it provides customers with protections including, but not limited to, those involving false and misleading conduct, unfair contractual terms and unconscionable conduct.

APP 8 and APP 11

APP 8 states that a relevant entity (such as a cloud server) which discloses personal information about an individual to an overseas recipient must take "such steps as are reasonable in the circumstances" to ensure that it complies with the APPs generally. In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under s 16C of the Privacy Act, to have been done, or engaged in, by the APP entity and to be a breach of the APPs.

APP 11 states that if a relevant entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss; and from unauthorised access, modification or disclosure. APP 11 further holds that such personal information is destroyed or de-identified once the entity no longer requires the information.

Importantly, the Federal Court can impose civil penalties of up to $2,100,000 per breach for each serious and/or repeated interference with an individual's privacy.7 Therefore, there is an incentive for cloud servers that facilitate exchange of documents via digital signatures to comply with the Privacy Act and the APPs.

Best practice

Best practice for Australian cloud servers will be to ensure that they operate in accordance with the Privacy Act and other global privacy regimes and standards, such as the European General Data Protection Regime. Such practices will involve allowing customers to submit requests regarding their personal data, customers to determine their account retention policies, allowing customers to choose where their data will be located and having privacy policies which are easily accessible and understandable (to the non-Bill Gates' of the world).

Conclusion

As technology in this area becomes increasingly sophisticated and more widely and regularly used, it is likely that breaches of the Privacy Act will rise and result in financial penalties. It is important for both servers which facilitate the exchange of documents using digital signatures and for companies/individuals who utilise such services to be aware of their rights and obligations when it comes to privacy and, in particular, the storage and maintenance of personal and/or important data.

Footnotes

1Stuart v Hishon [2013] NSWSC 766; BC201303109 at [34].

2Including the Electronic Transactions (Victoria) Act 2000 (Vic), the Electronic Transactions Act 2000 (NSW), the Electronic Transactions Act 2000 (Tas), the Electronic Communications Act 2000 (SA) and the Electronic Transactions Act 2011 (WA).

3Electronic Transactions Act 1999 (Cth), s 10(1)(a).

4Above n 3, s 10(1)(b).

5Above n 3, s 10(1)(c).

6Australian Government Department of Communications Cloud Computing and Privacy: Consumer Factsheet(2014) www.communications.gov.au/sites/default/files/2014-112101-CLOUD-Consumer-factsheet.pdf?acsf_files_redirect.

7Privacy Act 1988 (Cth), ss 80W and 13G.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.