Last week, a new EU-wide Regulation (eIDAS) took effect with the aim of further harmonising EU laws on the use of electronic signatures.
As the Regulation has direct effect (and therefore overrides conflicting member state laws), consequential amendments have also been made to the existing UK laws such as the Electronic Communications Act 2000 and the Electronic Signatures Regulations 2002 are repealed.
What does eIDAS do?
Effective identity verification systems are a key part of delivering the European Commission's aim for a Digital single Market and enabling greater use of electronic contracting. eIDAS replaces a Directive from 1999 and is intended to standardise and ensure mutual recognition of electronic signatures across the European Union.
eIDAS sets out specific rules in relation to what are called advanced electronic signatures (AES) and qualified electronic signatures (QES). A QES is a form of AES where the signature is created using a qualified electronic signature creation device (eg a secure smartcard) and the identity of the individual is certified by a qualified trust services provider.
In particular, eIDAS:
- makes clear that an electronic signature shall not be denied legal effect and admissibility solely on the grounds that it is in electronic form;
- gives QESs the same equivalent legal effect of a handwritten signature; and
- provides a legal framework for cross-border electronic identity and trust services, through mutual recognition of QESs issued within an EU member state.
What does eIDAS mean for electronically signing contracts in Scotland?
eIDAS will have little practical effect on the laws dealing with electronic signatures in Scotland and England and Wales. The reason for this is that both legal systems in the UK already give broad recognition to electronic signatures (in whatever form they may be) for the majority of contracts. The issue largely comes down to whether, from an evidential perspective, the electronic signature provides sufficient certainty of the person's identity and intention to form a contract.
To put that another way, if challenged, can you prove that the person you think authenticated a document did indeed do so? That is much easier to do with an AES or a QES, compared to a simple electronic signature.
Unlike England and Wales, AES and QES are given special prominence under Scots law and, indeed, are required in order to electronically authenticate certain types of documents. Under Scots law, authentication using a QES is given the same status as a witnessed wet ink signature. However, one (perhaps) unintended consequence of the Scottish legislation is that it is less flexible than the law in England and Wales when dealing with the reliance that can be put on less secure (but more commonly available) forms of electronic signature.
On of the main barriers to the adoption of electronic signatures (and a criticism of the 1999 Directive) has been the limited availability of AESs and QESs.
Notably, the basic signing functionality in online platforms such as Adobe Sign does not satisfy the requirements for an AES or QES. Whilst these platforms do provide some meta data which may assist in proving the identity of the signatory, the provider does not verify that person's identity. If you wish to use these platforms with a secure signature such as an AES or QES then you will need to use an AES or QES provided by a third party trust services provider.
Whilst a number of providers make available B2B solutions (for example, the Law Society of Scotland's smartcard, which provides all Scottish solicitors with a QES, or closed loop systems such as that used by BACS), at present there appears to be no provider in the UK of publicly available QESs for use by individuals.
This may change given the new cross border framework in eIDAS, as trust providers will be able to provide individuals with a QES that will be recognised across the EU.
Can I use electronic signatures for my business?
As noted above, not all electronic signatures are equal. Different types of signatures provide different levels of identity assurance and (as noted above) certain types of documents can only be authenticated using more robust forms of electronic signatures. For example, a bank card PIN is a form of (simple) electronic signature. More secure signatures such as AES and QES use PKI technology and third party verification of the signatory's identity, with a specific liability regime applying to providers of QES services.
When using electronic signatures it's important to think about both the legal and commercial risks and weigh these up against the commercial and administrative benefits of using electronic signing. For many contracts, using a simple electronic signature may be sufficient, but for higher value/higher risk contracts it may be appropriate to require the use of an electronic signature that provides a greater degree of certainty.
You should therefore carry out appropriate diligence on the proposed signing system before it is used. Remember, also, that certain types of contract or documents may be subject to specific rules on the use of electronic signatures.
We have advised a number of clients on the use of electronic signatures and the commercial and legal risks involved. If you would like to discuss this further, please get in touch.