Rachel Stoermer, senior corporate counsel at DocuSign, spoke to a live ESRA conference audience about eIDAS, a new regulation that went into effect in the summer of 2016. It covers the entire European Union and it replaces the e-signature directive that had been in place since 1999.
Stoermer explained: “The main takeaway is that the biggest thing that hasn’t changed is that it supports the use of e-signatures in Europe. The EU directive in 1999 had a concept of tiers of e-signatures: simple ones that can’t be denied as well as special ones, known as qualified e-signatures (QES).
“Under the directive, each country was tasked with implementing it into their laws. And each of them may have interpreted and implemented it differently, which meant that a QES doesn’t have cross-border recognition.
“There was a perception that because of the lack of consistency, it was doing more harm than good in promoting a single digital market. They wanted e-business to be easy to do across borders.”
Stoermer continued: “Another piece of background had to do with public e-infrastructure. I wonder if blockchain will eat into the dominance of PKI outside the US, but for now, PKI is the ‘secret sauce’ that gives an e-signature special recognition and makes it easily accepted. It’s a cryptographic standard that’s standards-based, so it should work the same way everywhere.
“It uses a public key and a private key – the private key is associated with a specific signer. And historically, it was tied to a physical device that you could carry with you, like a keyfob.
“eIDAS offers consistency by being a regulation that applies to the member states, rather than directing them to implement it. It also expands the original directive – it lays the groundwork for cross-border electronic ID schemes. They’re coming up with a government-issued electronic ID that works across Europe.
“It also updated some technical standards that were making it harder to do things, particularly in the cloud, and it introduced the concept of a trust service. It regulates and defines what it means to be a trust service, particularly a PKI provider.
“eIDAS has a lot more, such as other trust services, like electronic seals and time stamping, and it introduces the concept of a qualified trust provider, which gives someone special status. They get approved by a supervisory body that requires them to undergo audits and carry a certain kind of insurance.”
Stoermer then went on to discuss the three types of defined e-signatures under eIDAS:
• A simple e-signature is similar to what the US thinks of as an e-signature, like clicking an “I accept” button.
• An advanced e-signature (AES) doesn’t have to use PKI, but every European regulatory agency has said it does. You would go to a certificate authority that would issue you a private key that you keep under your control – it doesn’t have to be a physical thing. They have a set of technical standards that have to be followed.
• A qualified e-signature (QES). It’s a subset of the AES – it has to use PKI and has to be blessed by a supervisory body. It has to comply with eIDAS and they have to have an approved method of identity verification. Trust providers who want approval from European governments have to get those governments to approve how they do ID verification, but no one has a process yet to do this remotely. Everyone doing this right now does in-person identity verification. eIDAS opens the door for remote verification, but it’s not happening yet.
Stoermer explained: “If you do business in Europe, you need to know a few things. First, it maintains the concept of non-discrimination against e-signatures. If a signature would otherwise be valid, the fact that it’s electronic can’t be used to declare it invalid. That will be sufficient for doing business.
“But there are cases where AES and QES are valuable, such as where they get the status of a handwritten signature. That covers things like divorce proceedings.
“The other thing AES and QES get is a presumption of authenticity, which doesn’t exist in the US. In Europe, if you show up with a handwritten signature, it’s assumed valid unless the other party is able to prove it’s not.
“The last thing is if you do go through the effort of getting an AES or QES, it’s valid across the EU.
“eIDAS talks about what it means to be an e-signature, but it doesn’t say when it’s required. Countries can still have their own special use cases, like buying a boat and requiring a special e-signature. Purchase and sale of land, family law, etc. will likely have special requirements.
“Any kind of e-signature is admissible as evidence and you have to prove it up like you would in the US. You have to do more work if it’s not an AES or QES, but if it has an audit trail, you can likely get it introduced as valid evidence.
“If you’re doing business in Europe, what you’ll think about is that AES and QES have an added cost, so you’ll need to consider whether it’s worth it. If you’re in an industry where there’s a lot of fraud, it might be useful. Or a counter party might insist on it.
“There’s no special legal status to an AES.”
A Q&A session followed, which included the following:
Q: Is there a provision for signatures for corporations where multiple people would be required?
A: eIDAS doesn’t talk about rules for how many people need to sign or how many people are authorized to sign. But the regulations for certain kinds of documents may require that, such as an insurance contract that has regulations that need to be met.
Q: I’ve heard that since eIDAS was passed, advanced e-signatures are seeing some definitions arising, such as Italy having its own definition. Any update on that?
A: No update. AES isn’t useless. It uses PKI technology, which has value, but what I usually see is that the value comes from the security. In Italy, they had four levels of e-signature before eIDAS so I’m not surprised that it’s being picked up as a middle tier.
Q: Most of Europe is on a civil law basis. The way we think about signatures as an expression of intent is different from Europe, where they think of it more as a form of identification. Can you talk about what the differences are and what the cultural perceptions are in Europe vs. the US?
Also, what’s the difference between e-seals for corporate identity and e-signature under eIDAS for individual identity?
A: I don’t have a lot of knowledge about e-seals. Regarding the cultural differences, you’re right that signatures are viewed differently, as are contracts. In common law countries, it’s about the signature, it’s about the intent of the deal, even if you forgot to sign the third page of a 17-page document.
In Europe, it’s more about ceremony. That’s why you see a preference for AES and QES in Europe, particularly when you’re trying to take an American e-signature process and then you’re confused why your European partners don’t want to click and send it back.
[Rachel brought Ken Moyle up to talk about e-seals.]
A: Civil law vs. common law is about evidence and risk. The typical risk appetite in a civil law country is that it needs to be supported by existing law, not common law. In the US, we say that we can do it until the law says we can’t. That’s the kind of thing that drives the use of e-signatures. In the UK, because it’s common law, it’s been shoehorned into this European law. In the case of e-signatures, you have these two tiers, and when they got a hold of that in the UK, they didn’t understand why there were two versions of a signature. It’s all about the burden of proof.
Where special signature comes into effect is when you’re giving legal effect to an agreement. From a US point of view, the point where you require a notary, that’s a good indication of the type of transaction that would require an advanced e-signature. It’s an official, indisputable signature accepted in court.
The problem comes from the fact that our perception problems aren’t unique to us. There are attitudes in Europe where people think a signature doesn’t count if it’s not the highest tier of signature. That’s not the reality, but it’s the perception.
The concept of e-seals is a result of eIDAS recognizing the failure of the 1999 directive to do too much. It tried to create identity and signature in one thing and create such a high assurance that it would be indisputable in all cases, like an ultimate driver’s license. But it was unusable. eIDAS tries to focus on the core concept, which is creating an electronic ID and letting business figure out how to use it.
The concept of an e-seal is the idea that a corporation, as distinct from a person, should be able to sign on behalf of itself as its own identity.
Q: QES has a requirement for PKI. Is there a difference between PKI and PK in private keys, which are more about signing and a one-on-one relationship?
A: When I say PKI, I mean the private key infrastructure that matches a private key to a public key. They’re talking about a system with a master issuer of a key that can be verified. With a QES that’s been blessed by the government, it’s more about the infrastructure having been blessed, rather than any particular key.
So to the extent that there are private keys with a public key counterpart, it wouldn’t fall under eIDAS. There are uses for PKI other than contracts, such as in healthcare, where they use private key technology to do internal sign-offs, such as a doctor signing off on something. That’s something that doesn’t need to be blessed by someone – it’s internal. There are vendors, like DocuSign, that sell PKI-styled systems that companies can use internally.
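The two PKI points made in the talk, that a private key is tied to a specific signer (the background remarks on public and private keys) and that what a verifier actually trusts is the issuing infrastructure rather than any particular key (the final answer above), can be shown in a few lines of code. The following is an added example written for this write-up; it is not code from the talk, from DocuSign, or from any eIDAS trust service. It uses only the Go standard library (ECDSA P-256 keys and X.509 certificates), and every name in it (the "Constructed Trust Service Root", the signer name, the document text) is a constructed placeholder. A root authority certifies a signer's public key; the signer signs a document with the private key that never left them; a relying party accepts the signature only if the certificate chains to the root and the signature matches the document. A tampered document fails the second check, and a self-issued certificate with the same name fails the first, which is the "blessed infrastructure, not a particular key" distinction in practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer holds a private key (kept by its holder) and the certificate binding its public key to a name.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// must aborts the demo on setup failures (key generation, certificate encoding).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSigner generates a key pair and has issuer certify its public key; with
// issuer == nil it is self-signed, i.e. the root "master issuer" relying parties trust.
func newSigner(name string, serial int64, issuer *Signer) *Signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name}, // constructed placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, parentKey := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, parentKey = issuer.Cert, issuer.Key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Signer{Key: key, Cert: cert}
}

// signDocument signs the SHA-256 digest of doc with the signer's private key.
func signDocument(s *Signer, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	must(err)
	return sig
}

// verifyDocument does the two checks a relying party needs: the signer's certificate
// chains to the trusted root (the infrastructure is approved), and the signature verifies
// under the public key in that certificate (the private-key holder signed exactly this document).
func verifyDocument(root, signerCert *x509.Certificate, doc, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	// Verify checks for TLS server usage by default; Any states the intended check explicitly.
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted authority: %w", err)
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(signerCert.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return fmt.Errorf("signature does not match document")
	}
	return nil
}

// runScenarios reports whether verification passes for a genuine signature,
// a tampered document, and a self-issued certificate the root never approved.
func runScenarios() map[string]bool {
	root := newSigner("Constructed Trust Service Root", 1, nil)
	signer := newSigner("constructed-signer", 2, root)
	rogue := newSigner("constructed-signer", 3, nil) // same name, but no issuer behind it
	doc := []byte("constructed sample agreement text") // constructed input
	sig := signDocument(signer, doc)
	tampered := append([]byte("X"), doc[1:]...) // one byte changed after signing
	return map[string]bool{
		"valid":       verifyDocument(root.Cert, signer.Cert, doc, sig) == nil,
		"tampered":    verifyDocument(root.Cert, signer.Cert, tampered, sig) == nil,
		"rogueIssuer": verifyDocument(root.Cert, rogue.Cert, doc, signDocument(rogue, doc)) == nil,
	}
}

func main() {
	fmt.Println(runScenarios()) // map[rogueIssuer:false tampered:false valid:true]
}
```

Run it with `go run` and only the genuine scenario verifies. The rogue case is the one worth dwelling on: its signature is mathematically valid under its own public key, and the name on its certificate is identical, yet the relying party rejects it because nothing ties that key to an issuer it trusts. A real qualified signature adds identity verification by the trust service before the certificate is issued and a supervisory body standing behind the trust service, but the mechanism a verifier runs is the same two checks.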