Often the law struggles to keep up with the digital reality, but another significant step along the way is the updated framework for electronic signatures and online authentication. The Electronic Identification Regulation (EU/910/2014) entered into force on 1 July, replacing the E-Signature Directive (1999/93/EC).
The desired result of the changes in the law? To make transacting in an online environment more attractive to businesses and consumers whilst removing barriers to cross-border digital trade. Whether the regulation is more successful in delivering those outcomes than the directive it replaces remains to be seen.
The UK’s implementation of the regulation will come into force on 22 July through the catchily titled Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (SI 2016/696). The UK Information Commissioner’s Office will take the helm for supervising and enforcing the regulation.
Some of the principal changes to note:
• “Certification service providers” have been replaced with “trust service providers”, providing services not only relating to electronic signatures but also seals, time stamps, registered delivery services and website authentication certificates. The hope is that this will create a harmonised cross-border structure for digital transactions.
• “Advanced electronic signatures” will still allow signatories to be identified and authenticated, with the ability to use the latest technologies (such as mobile devices). Now the signature must also be created using electronic creation data that the signatories with a high level of confidence can use under their sole control.
• Electronic signatures are still admissible as evidence in legal proceedings. However, only “qualified” electronic signatures (that have been certified as such) are automatically granted the legal effect of a handwritten signature, with mutual recognition in member states.
• There is now a cross-border mutual recognition in relation to electronic identification schemes used by public sector bodies which have been notified to and approved by the Commission, meaning that consumers and businesses can use their own national e-IDs to access public services in other EU countries where e-IDs are available.
So, does this mean massive changes for the UK? Probably not. The key change in relation to e-ID schemes will not impact the UK as it does not currently have a national e-ID scheme, and the other changes brought about by the Regulation are not ground-breaking as they reflect much of what was already in the Directive.
The regulation should nevertheless be welcomed. It reinforces the potential for organisations to transform their business models to conduct many (if not all) of their activities digitally. In time, there could be more of an uptake of electronic signatures in the UK and digital interaction may become the default means of transacting in this area in the future.
Whilst the regulation of itself is unlikely to bring this about, nevertheless having a system of harmonised laws which supports it can only be a good thing. Even in a post-Brexit world, it would appear difficult to justify significant deviation from the principles captured by the regulation.
Businesses will of course have to assess what technological solutions are required to be able to offer an end-to-end, user-friendly digital experience within the boundaries of the law. As such solutions become more standardised and mainstream (in many cases, no doubt cloud-based), that in turn will help to foster adoption of this means of doing business.
• Claire Brady is a senior solicitor at Burness Paull