The digitalisation of workflows in modern-day legal and commercial proceedings is now ubiquitous. One notable example are the reforms in civil proceedings introduced by the Royal Decree 6/2023, articles 129 bis and 137 bis, in which is introduced the general rule that all procedural acts shall be preferentially conducted via means of telecommunication, rather than in person (Palao, 2024, p. 194). However, these advances have led to increased concerns for parties who handle electronic documentation on a regular basis. One salient issue is that of the validity and reliability of electronic signatures. Whilst undoubtedly practical, and already in widespread use, third-party providers of digital certification remain subject to rigorous scrutiny both in the European Union and elsewhere. The purpose of this article is to analyse the legal framework within which these providers operate, primarily in the European Union but also, by brief comparison, in the United Kingdom and Latin America.
Thanks to digital service providers such as DocuSign – perhaps the most widely used electronic certification provider, operating in 180 countries – it is now common and highly practical for official documents, including commercial contracts, to be signed electronically by all parties. Even documents which require witness signatures, such as wills, may be completed digitally by providers such as DocuSign. In Brazil, the execution of digital contracts has been recognised as legally valid since 2006, under article 2 of Law 11,419 / 06 on the digitalisation of the judicial process. Indeed, by that time, several other Latin American countries had already long enacted legislation to the same effect, including Peru (Supreme Decree No. 019-2002-JUS), Colombia (Law 527 / 1999), and Argentina (Law 25,506).
Nevertheless, perhaps the most stringent regulations governing electronic signatures are to be found in the European Union, as well as the United Kingdom, which, after Brexit, has diverged very little from this area of EU law. In the European Union, electronic signatures are regulated by Regulation No. 910/2014 (aka eIDAS, or, la identificación electrónica y los servicios de confianza) (hereinafter, the “Regulation”), which repealed Directive 1999/93/CE and, under article 3, established two types of trusted digital certification service providers: qualified and non-qualified. A trusted digital certification service is defined as:
“an electronic service provided regularly in exchange for remuneration, and consisting of: [i] the creation, verification, and validation of electronic signatures, electronic seals, or temporary electronic seals, certified services of electronic delivery, and certificates relating to those services, or [ii] the creation, verification and validation of certificates for the authentication of websites, or [iii] the preservation of signatures, seals or electronic certificates relating to those services” (article 3, section 16).
A trusted digital certification service provider is defined as “a natural or legal person who provides one or more trusted services, either as a qualified service provider or as an unqualified service provider” (article 3, section 19). And whether said service provider is qualified or not simply depends on whether they comply with the applicable regulations of the act relating to electronic signature (article 3, section 17).
As pertains to the electronic signature itself, the regulation makes a distinction between an (i) electronic signature, (ii) an advanced electronic signature, and (iii) a qualified electronic signature. Under article 3, section 11, an advanced electronic signature must comply with the following four requirements set forth in article 26:
- The signature is uniquely linked to the signing party.
- The signature requires the prior identification of the signing party.
- The signature is digitally created with the utmost confidentiality and security and based on the data provided and exclusively controlled by the signing party.
- The signature is linked to the above data in such a way that any modification after signing is automatically detectable.
Finally, a qualified electronic signature is defined as an advanced electronic signature executed by a qualified digital certification service provider – that is, a provider who can guarantee that electronic signatures made with their software are secure and protected against possible forgeries, through cryptographic algorithms, key lengths, and other functions. Indeed, a qualified electronic signature offers the greatest level of protection to signing parties.
By virtue of being a regulation, and not a directive, this legislation had the effect of applying directly to all member states of the European Union upon its entry into force on 1 July 2016, thereby repealing the margin of appreciation which the Directive 1993/93/EC allowed each individual state. The fact that the Regulation applies to all member states is crucial because of that set forth in article 25, which establishes that an electronic signature shall not be denied legal effect or admissibility as evidence in legal proceedings solely on the grounds of its electronic form, or even that it does not meet the requirements of a qualified electronic signature.
It is evident from the above analysis that electronic signatures and certification remain heavily regulated in the European Union. Indeed, as far as Spain is concerned, the Regulation is further complemented by Spanish Law 6/2020, which entered into force on November 13, 2020. In section III thereof, it is made clear that, for a digital certification service provider to be valid, it must also be included on the list of trusted providers (TSL) published by each member state under article 22 of the Regulation. Included in the TSL is SIGNATURIT SOLUTIONS, S.L.U. (pp. 905-918), a qualified provider with over 245,000 clients, including TOSHIBA, IBERIA, Banco Santander, Deloitte, and Banco Sabadell. The fact that the Spanish TSL numbers 1296 pages serves as evidence of just how widespread this digitalisation movement is, and how complicated it is to control. With the trend towards complete digital certification showing no signs of abating, it remains to be seen how legal systems will cope with the increased security risks and regulatory costs which said phenomenon brings.
Sebastian Ricks
Vilá Abogados
For more information, please contact:
26th of July 2024
