I.B Electronic signatures and trust services

Electronic signatures serve to identify the originator of an electronic communication and ascertain their intention with respect to that communication. Certain types of electronic signatures, namely digital signatures based on public key infrastructure certificates, may provide additional information, for instance on the integrity of the data message and on timestamping.

Many laws deal with the legal recognition of electronic signatures and set out requirements to be met so that an electronic signature may be considered legally equivalent to a handwritten signature. This reflects the importance given to signatures in business practices. However, legislative approaches may vary significantly, in particular with respect to technology neutrality and the status of service providers.

Trust services are electronic services that provide assurance on the quality of data. Trust services are often used to establish confidence in the use of electronic communications.

I.B.1 Does the law address how electronic signatures, including for identification, authorization and authentication, are added in an electronic environment? Does it require the use of a specific technology or method for electronic signatures or is it technology neutral?

(a) The law may mandate the use of a specific technology for electronic signatures. A technology specific approach spells out how electronic signatures must be created and often authenticated (certified) to be valid. The purpose of this approach is generally to ensure reliability or security of the performance of the “function”, especially the identification of the signatory but also the link between the signatory and the information. Thus, the law may require the use of PKI-based digital certificates. In that case, the law may also specify which providers of PKI signing data and supporting services (notably issuing certificates) are recognized and establish an oversight regime (certification, accreditation, licensing or monopoly) for them.

Article 2 of the Law of the Republic of Armenia on Electronic Document and Electronic Signature 2004 defines an electronic signature by reference to the use of cryptographic techniques.

2. Definitions

“electronic digital signature” means obtained signature-creation data and a cryptographic data modification of the given electronic document presented in a unique sequence of symbols in electronic form, which is attached to or logically associated with an electronic document and which is used to identify the signatory, as well as to protect the electronic document from forgery and distortion.

In the case of a technology specific electronic signature law, please provide details of the required characteristics. Often this is a digital signature supported by a PKI-based certificate issued by a trusted third party, sometimes a public authority. Those details may be contained in implementing regulations and may vary with the type of document or transaction.

(b) Alternatively, the law may be technology neutral and recognize all types of electronic signatures. Exceptions may be made for specific types of documents or transactions.

For example, section 10 of the Electronic Transactions Act 1999 (Cth) of Australia.

10. Requirement for a signature

(1) If, under a law of the Commonwealth, the signature of a person is required, that requirement is taken to have been met in relation to an electronic communication if:

(a) in all cases—a method is used to identify the person and to indicate the person’s intention in respect of the information communicated; and

(b) in all cases—the method used was either:

i. as reliable as appropriate for the purpose for which the electronic communication was generated or communicated, in the light of all the circumstances, including any relevant agreement; or

ii. proven in fact to have fulfilled the functions described in paragraph (a), by itself or together with further evidence; and

(c) if the signature is required to be given to a Commonwealth entity, or to a person acting on behalf of a Commonwealth entity, and the entity requires that the method used as mentioned in paragraph (a) be in accordance with particular information technology requirements—the entity’s requirement has been met; and

(d) if the signature is required to be given to a person who is neither a Commonwealth entity nor a person acting on behalf of a Commonwealth entity—the person to whom the signature is required to be given consents to that requirement being met by way of the use of the method mentioned in paragraph (a).

(c) Often the law takes an intermediate approach, called “two-tier” or “hybrid”: 1) all authentication methods may be recognized as having legal value, if they meet certain requirements, and 2) certain technologies offering higher levels of security (usually digital signatures issued by a recognized certifying authority) have a stronger legal status, typically associated with presumptions of origin and integrity.

Section 226 of the Contract and Commercial Law Act 2017 of New Zealand is a technology neutral provision on electronic signatures based on the functional equivalence approach.

226. Legal requirement for signature

(1) A legal requirement for a signature other than a witness’s signature is met by means of an electronic signature if the electronic signature—

(a) adequately identifies the signatory and adequately indicates the signatory’s approval of the information to which the signature relates; and

(b) is as reliable as is appropriate given the purpose for which, and the circumstances in which, the signature is required.

(2) However, a legal requirement for a signature that relates to information legally required to be given to a person is met by means of an electronic signature only if that person consents to receiving the electronic signature.

Section 228 of the same Act sets out, in a technology neutral manner, the requirements for presuming the reliability of the electronic signature.

228. Presumption about reliability of electronic signatures

(1) For the purposes of sections 226 and 227, it is presumed that an electronic signature is as reliable as is appropriate if—

(a) the means of creating the electronic signature is linked to the signatory and to no other person; and

(b) the means of creating the electronic signature was under the control of the signatory and of no other person; and

(c) any alteration to the electronic signature made after the time of signing is detectable; and

(d) where the purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.

(2) Subsection (1) does not prevent any person from proving on other grounds or by other means that an electronic signature—

(a) is as reliable as is appropriate; or

(b) is not as reliable as is appropriate.

I.B.2 Does the law adopt a functional equivalence approach for electronic signatures?

In line with the general application of the functional equivalence principles, the law may set the conditions under which an electronic signature is considered equivalent to a handwritten one. If a functional equivalence approach is adopted, an electronic signature must normally identify the signatory and indicate the signatory’s intention in respect of the information signed.

For example, Article 9 of the MLETR.

9. Signature

Where the law requires or permits a signature of a person, that requirement is met by an electronic transferable record if a reliable method is used to identify that person and to indicate that person’s intention in respect of the information contained in the electronic transferable record.

I.B.3 Is the law based on international standards?

Many jurisdictions have based their electronic signature laws on uniform models.

UNCITRAL legal texts, especially the MLES, provide a set of provisions on electronic signatures based on the principles of technology neutrality and functional equivalence. Other regional models exist, for instance the European Union Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on Electronic Identification and Trust services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC (eIDAS Regulation), and certain influential national laws.

This question gives an opportunity to identify those international standards and describe significant variations that national law has made from its international sources.

I.B.4 Does the law recognize foreign electronic signatures?

A foreign electronic signature is an electronic signature that is issued or applied outside the jurisdiction where its legal recognition is sought. It may also contain other foreign elements, such as relying on a PKI-based certificate generated abroad.

In certain jurisdictions, the law recognizes only national electronic signatures. In many cases, this outcome may be implicit since the law does not contain any provision on foreign electronic signatures. However, silence on foreign electronic signatures does not necessarily mean that they are invalid.

Other jurisdictions may have laws, regulations, policies or agreements to provide legal recognition to foreign electronic signatures.

The law may attribute to a certain body the possibility of recognizing electronic signatures, or certain types of them, based on general guidelines.

See for instance the Information Technology Act 2000 (No. 21 of 2000) of India.

19. Recognition of foreign certifying authorities

19(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.

89. Power of controller to make regulations

89(1) The Controller may, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette, make regulations consistent with this Act and the rules made thereunder to carry out the purposes of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely: […] (b) the conditions and restrictions subject to which the Controller may recognise any foreign Certifying Authority under sub-section (1) of section 19;

Alternatively, technology neutral electronic transactions laws may apply the same standards to validate the use of domestic and foreign electronic signatures. In other words, when it comes to assessing the validity of the signature, the foreign element is disregarded.

In that line, Article 12 of the MLES provides for a test of substantial equivalence between the reliability levels offered by the signatures in question in different locations. The Article offers legal effect to a foreign electronic signature if that signature offers a substantially equivalent level of reliability to an electronic signature issued in the enacting State.

12. Recognition of foreign certificates and electronic signatures

1. In determining whether, or to what extent, a certificate or an electronic signature is legally effective, no regard shall be had:

a) To the geographic location where the certificate is issued or the electronic signature created or used; or

b) To the geographic location of the place of business of the issuer or signatory.

2. A certificate issued outside [the enacting State] shall have the same legal effect in [the enacting State] as a certificate issued in [the enacting State] if it offers a substantially equivalent level of reliability.

3. An electronic signature created or used outside [the enacting State] shall have the same legal effect in [the enacting State] as an electronic signature created or used in [the enacting State] if it offers a substantially equivalent level of reliability.

4. In determining whether a certificate or an electronic signature offers a substantially equivalent level of reliability for the purposes of paragraph 2 or 3, regard shall be had to recognized international standards and to any other relevant factors.

5. Where, notwithstanding paragraphs 2, 3 and 4, parties agree, as between themselves, to the use of certain types of electronic signatures or certificates, that agreement shall be recognized as sufficient for the purposes of cross-border recognition, unless that agreement would not be valid or effective under applicable law.

Legal recognition of foreign signatures may also be provided by treaty or by a regional instrument. Article 9(3) of the ECC has this effect when electronic signatures are used in commercial exchanges since the ECC is a treaty that binds its States parties. The eIDAS Regulation has the same effect within the European Union.

Similar to what happens with domestic electronic signatures, the legal recognition of foreign electronic signatures, or certain types of them, used for electronic exchanges within a particular sector (such as banks) or among particular participants (such as public agencies) may be determined either by special laws (such as customs laws) or by other legal instruments.

Finally, the law may allow for parties to a commercial transaction to agree on the conditions for the recognition of foreign signatures. This is often allowed on the basis of general legal principles rather than specific provisions in the law. The Pan Asian E-Commerce Alliance (PAA) PKI Mutual Recognition Framework is a contractual mechanism used by PAA participants to achieve mutual legal recognition of foreign digital certificates. Contractual mechanisms operate within the limits of mandatory legal provisions that may be applicable.

I.B.5 Are there special rules for the use of electronic signatures in paperless trade?

If laws on paperless trade are enacted, they may contain special provisions. An example of such a law could be the legal regime for the operation of the electronic single window.

I.B.6 Does the law deal with trust services?

Trust services are electronic services that provide assurance of the quality of data. Electronic signatures may be considered one type of trust service but, because of their importance, they are discussed separately. Other common trust services include assurance of integrity of the message and of the date and time at which certain functions were performed (“timestamping”). Often these services are provided with PKI technology by the same provider that issues PKI-based certificates for digital signatures. Other trust services include electronic registered delivery services, website authentication and archiving services.

The law may contain general rules on the legal status of some or all trust services. It may also mandate the use of certain trust services for certain types of transactions.

Special provisions on the use of trust services may also be found in law relating to paperless trade.