Electronic Signatures - Eversheds Sutherland


Electronic Signatures

Signing electronically with legal certainty

The electronic signature – a good “support” in times of Corona?

In the era of the “digital economy” (more than a third of Germans now prefer shopping done online and even more than half of all Germans shop using a mobile device[1]), companies are increasingly questioning why their contracts and customer/supplier interactions cannot be moved to an entirely paperless model.

Particularly with the insights gained during the Corona crisis, companies will have to think more intensively about this topic in the future. After all, contactless interaction with customers and suppliers is recommended to protect employees, customers, and suppliers from getting ill. Digital business operations that are as contact-free as possible lower the risk of getting an infection. For this reason, electronic signatures can no longer be regarded as a “nice-to-have” but much rather as a “must-have”.

Many banks, insurance companies, retailers, telcos, utility providers, software and app vendors, and airlines have all been successful in shifting some (if not all) of their consumer contracting to an online model; ticking a box is sufficient to confirm a transaction and accept associated terms and conditions.

To tackle the B2B market, encouraged by favourable regulatory regimes in Europe, the US and other countries, the range of services providing electronic signatures has recently increased significantly. In addition to DocuSign, which claims, for example, to have “more than 500,000 customers and hundreds of millions of users in over 180 countries using their services”[2], there are also start-ups such as “Skribble”, which handle signature processes digitally and which – according to their own statements – are legally valid according to Swiss and EU law.[3]

Furthermore, Adobe asserts that an electronic signature solution can “cut the cost and hassle of paper-based tasks” and “speed business transactions”.[4]

Even the business operations of the German justice system are becoming increasingly digital. From 01 January 2022 onwards at the very latest, all lawyers will be obliged to transmit documents to courts electronically. This is done via a special electronic lawyer mailbox (“besonderes elektronisches Anwaltspostfach” (“beA”)). Hence in the future, pleadings will only be signed and submitted via electronic signature.

This development shows that companies are building their proceedings on the use of the electronic signature and, therefore, should implement it in their business operations.

However, the absence of globally harmonised legislation, coupled with cumbersome local laws, has, at least historically, led to uncertainty around the scope of application and validity of electronic signatures. Likewise “Cloud” delivery models (employed by the majority of service providers) present challenges, particularly from the point of view of data security and data residency.

We seek to address some of those issues in this briefing.

[1] PWC-Study „Total Retail 2016 – der Wettlauf um e.com/de/de/sign.html.

What is an electronic signature?

The eIDAS Regulation[5] defines the electronic signature as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.

According to eIDAS, electronic signatures can be categorised as “simple”[6], “advanced” or “qualified”. This complex designation hides a much simpler reality – most users may not realise that they are “signing” contracts electronically by:

- chip & pin or contactless transactions;
- ticking “I accept” or “submit” in online purchases;
- signing their name at the end of an email; or
- using biometric signatures (fingerprint and facial recognition).

In the business environment, electronic signatures can be used as a vehicle to expedite, simplify and manage the contract execution process.

Electronic contracts can be circulated, signed, authenticated and loaded in a matter of minutes. Parties to an agreement can select the electronic signature method which best suits their authentication requirements. Good practice[7] dictates that “advanced”[8] or “qualified” signatures should be used for high value or strategic agreements as they:

- identify the signatory with a high degree of certainty;
- limit the risk of 3rd party interference or fraud; and
- limit the risk of subsequent amendment or revocation

and thus enable the parties to validate the integrity of the signature and, in turn, the enforceability of the contract.

“Qualified”[9] electronic signatures supplement “advanced” electronic signatures by mandating the use of software or hardware tools to create codes or cryptographic keys (certificates) issued by trust service providers and used to validate the authenticity of the signature. The devices and trust service providers must be “qualified” – that is to say they must meet the requirements of eIDAS, be registered with the supervisory body in the relevant member state[10] and notified to the European Commission. According to German law, only a “qualified” electronic signature meets the legal requirements of the statutory written form (see § 126a German Civil Code (Bürgerliches Gesetzbuch (“BGB”))).

[5] Regulation (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
[6] We use the term “simple” to highlight those identification and trust services for which no special conditions apply. For more information on “advanced” and “qualified” electronic signatures, see below.
[7] For recommendations, see Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnologie), Fundamentals of Electronic Signature, 2006 (Grundlagen der elektronischen Signatur, 2006) (currently under revision).
[8] eIDAS Article 26.
[9] eIDAS Article 28 – An “advanced” electronic signature based on a “qualified certificate” issued by a “qualified electronic signature creation device” issued by a “qualified trusted third party service provider”.
[10] In Germany, the Federal Network Agency (Bundesnetzagentur) maintains a so-called “Trusted List”, in which all qualified trusted service providers are included, and is responsible for the accreditation of certification service providers (e.g. TÜViT); see EIDCOMMUNITY/Overview of available attributes of prenotified and notified eID schemes.

Electronic signatures and the legal landscape

Already in 1997, Germany was the first country to introduce a signature law. In 1999, the European Union[11], Australia and the United States[12] followed by codifying the treatment of electronic signatures.

The European Union, Australia and the United States all recognised the validity of electronic signatures for the conclusion of contracts and their admissibility as evidence in legal proceedings; all stipulate that a contract cannot be denied legal effect solely on the grounds that it is in electronic form.

So far, so good. However:

- the EU and the US model required states or member states to adopt the legislation; in Europe in particular this created a fractured legislative landscape;[13]
- the legislation (in the interests of being technology neutral) did not stipulate what it regarded as an “electronic signature” but defined them by a set of qualifying criteria;
- the European Directive established a two-tier process for “simple” and “advanced” electronic signatures which introduced uncertainty as to the legal effect of the poorer sibling; and
- the legislation was subordinate to existing legislation applicable to specific legal instruments (for example property transfers).

The position in the European Union changed in July 2016 when eIDAS came into force. eIDAS is directly enforceable across member states and replaces the existing Directive. eIDAS is designed firstly to ensure a more harmonised approach with respect to the recognition and enforceability of electronic signatures. eIDAS is also designed to build a consistent framework for secure electronic authentication by defining mutually recognised, pan-EU rules for:

- electronic signatures (simple, advanced and qualified);
- electronic identification schemes (classified low, substantial, high);
- electronic seals (simple, advanced and qualified);
- trust services (simple, advanced and qualified);
- electronic time stamps (simple and qualified);
- electronic registered delivery services (simple and qualified);
- electronic documents (simple); and
- website authentication (qualified).

Subsequently, the German Signature Act was adapted to meet the European standards, as the requirements of German law were too strict.

From a German point of view, this harmonisation leads to a reduction of the legal requirements for electronic business processes in many areas. As a result, under eIDAS, it is possible for the first time in Germany, for example, to use the so-called “remote signature procedures”. Here, a service provider takes over the technical processing of the electronic signing of documents “remotely” and thus considerably facilitates the use of electronic signatures – for both the company and its customers.

[11] Directive 1999/93/EC on electronic signatures.
[12] US Electronic Signatures in Global and National Commerce Act (ESIGN), 30 June 2000; US Uniform Electronic Transactions Act (UETA), July 1999; Australian Electronic Transactions Act (1999).
[13] In Germany, the Digital Signature Act and Digital Signature Ordinance have been particularly relevant so far.

Benefits of electronic signatures

According to the providers of electronic signature procedures, the electronic conclusion of contracts has numerous advantages.[14]

Speed

Electronic signatures enable contracts to be executed and returned in a matter of minutes, on any device by geographically-dispersed signatories.

Security

Contracts executed by an electronic signature, particularly when overlaid with authentication tools, are inherently more secure and harder to forge than paper contracts.

Traceability

Electronic signatures are traceable and auditable; workflow tools enable companies to track the status of contracts in real-time. When using an electronic signature, there is the option to get a time stamp inserted by a third-party provider. Such a time stamp has the advantage that the parties no longer need to rely on the local system's time and that the signer no longer has to enter the date and time manually. Instead, the date and time at which the signature was inserted is retrieved by a trusted third-party provider from a standardized service (e.g. some certification bodies, such as GlobalSign, offer this service).[15] The timestamp enables time-critical transactions, as the time and date when the signature was added can no longer be denied.

Integration

Electronic signatures can be integrated with existing CRM, procurement, accounting, HR and document management systems to provide end-to-end workflow management.

Legally binding

Contracts that are signed by means of a qualified electronic signature are legally binding, as they comply with the statutory written form requirement under German law. Accordingly, declarations made by means of a qualified electronic signature are legally relevant and cannot be withdrawn without further ado.

Ease of use

Execution processes by electronic signature are technology-neutral, intuitive and culturally accepted by the digital generation.

Costs

Whilst there will be inevitable up-front / ongoing charges for implementing an electronic signature solution, vendors argue these will be offset by closing contracts more quickly, introducing certainty, saving management time, facilitating contract management and eliminating courier fees.

[14] This is a summary of the advantages stated by the providers and does not reflect the opinion of Eversheds Sutherland – the actual benefits depend on individual imestamp-service.

Barriers to introduction of electronic signatures

Under the new EU legislative framework, and with technology embedded in popular culture, most documents can be executed electronically – from confidentiality agreements, to contracts of employment.[16]

Retail banks, for example, can even use electronic signatures for consumer loans.[17]

However, there remain some barriers to the use of electronic signatures for certain documents in some jurisdictions, for example:

- deeds, wills[18] and trust documents;
- healthcare proxy;
- guarantee agreements;[19]
- marriage, birth, divorce, and death certificates;
- certain real estate agreements;[20]
- other official documents required to be submitted in paper form; and
- agreements which stipulate that they can only be signed or varied by agreement “in writing and signed by hand”.[21]

It is therefore advisable for companies to seek specialized legal advice and develop a corporate policy that takes into consideration the regional legal requirements in the jurisdictions relevant for the company.

This especially applies to companies that are active or intend to become active in the German market, as German law contains some comparatively strict legal requirements in this respect.

In addition, the previous regulations on electronic signatures in Germany have always been subject to strict interpretation. This should be taken into account when making a legal assessment of newly introduced processes due to potential risks of possible ineffectiveness of electronically signed contracts, especially when using innovative, yet completely untested technologies.

[16] However, according to German law (§ 623 BGB) electronic form and thus the use of electronic signatures is excluded for the termination of employment relationships. The same applies in accordance with § 109 Abs. 3 GewO (German Industrial Code) for issuing an employer’s reference.
[17] § 492 (1) BGB in conjunction with § 126a BGB.
[18] Under German law, a testament usually needs to be drafted “by hand”, which excludes the signing by means of an electronic signature (§ 2247 BGB).
[19] Under German law, however, the Federal Court of Justice (BGH, ruling of 28.10.1963, ref. III ZR 153/62) considers that the conclusion of a guarantee contract is possible without any formality.
[20] For example, for the creation of a land charge, German law regularly provides for notarial certification (§§ 873, 1115, 1192 BGB).
[21] According to German law, however, an agreed written form can be maintained by transmission by email or fax (§ 127 BGB) or by using a qualified electronic signature (§ 126a BGB).

Selecting a provider for electronic signatures

There are a myriad of electronic signature service providers. Regarding the German market, the ones that stand out are the Bundesdruckerei, DATEV and IDnow. The major global players include DocuSign, Adobe, Silanis and ARX20.[22]

Some suppliers offer an “on-premise” solution (i.e. where the software is hosted by the customer) but most are now cloud-based.

Furthermore, many solutions are compatible with mobile devices (enabling tablet or smart phone signatures), and offer custom branding so they can be white-labelled or “integrated” with existing CRM or ERP systems.

Most providers offer multiple authentication options (from public/private keys to biometric signature verification).

Many providers warrant that they are compliant with existing legislation (including eIDAS and the US ESIGN Act).[23]

Given the range of vendors and features, it will be important for businesses to conduct detailed due diligence and vendor selection taking into consideration:

- legal compliance of the certification of provider and solution offered;[24]
- functionality and ease of use;
- pricing plans and options;
- performance and availability requirements;
- integration and compatibility with existing CRM/ERP systems;
- scalability and flexibility;
- data privacy, data security and data residency requirements;
- compliance with the requirements of regulatory authorities such as the German Federal Financial Supervisory Authority (BaFin) or the requirements of Solvency II[24];[25] and
- other applicable terms and conditions.

[22] See the study carried out for the EU Commission by Cavallini et al. (2012), “Study on the supply-side of EU e-signature market”, Final Report for the DG Information Society and Media of the European Commission.
[23] It is not always certain whether their products meet the requirements for “qualified” electronic signatures.
[24] In this respect, companies can, for example, make use of the certification lists of accredited certification service providers; the corresponding list of TÜViT shows, for example, that the trust service “e-Szignó Qualified Signature” has been certified according to eIDAS for Microsec Ltd.
[25] Directive 2009/138/EC, which harmonises the risk and capital requirements for European insurers.

Basic contractual principles apply

It must not be forgotten that traditional legal principles apply to contracts concluded electronically. An electronic signature should therefore be particularly suitable as evidence for the intention to be legally bound.

However, it is also important to define a solution or a process which enables: the incorporation of applicable terms; validation that signatories have adequate capacity and delegated authority to sign; certification that the agreement has not been varied; and an actionable change-control process. It may also be recommended that parties include clauses that recognise the parties’ intention to be bound by an electronic signature.

Some practical considerations

Effective risk management for erroneous (or fraudulent) contracts is particularly important for companies that want to use an electronic signature solution for the purpose of contract signatures.

Robust security procedures and HR policies should control the risk of physical IT assets being left unsecured or the sharing of passwords and access keys.

Companies should also review existing contracts, as the terms and conditions for customers, suppliers and/or employees may need to be adapted to allow for electronic signatures. The same applies to internal governance procedures, ensuring that contracts or purchase orders have been authorised and signatories have appropriate delegated authority.

De-Mail and video identification

Under German law, the introduction of the so-called “De-Mail” in a field related to electronic identification had already created a possibility to prove the access and content of electronic mail in court proceedings. In addition, Deutsche Post AG has been offering the so-called “e-Postbrief” in Germany for many years, which, although not having comparable legal effects, has nevertheless been met with great acceptance among companies. In the meantime, the providers of De-Mail platforms (in particular 1&1, Deutsche Telekom and Mentana) have also had their trusted services for the delivery of electronic registered mail certified according to the requirements of eIDAS. Based on their experience with De-Mail, these companies should be well prepared for the future.

Even though eIDAS was initially associated with a loosening of the requirements for electronic business processes – especially with regard to the first-time possibility of using remote signature procedures – the BaFin caused a stir with its circular 04/2016 (GW) on video identification procedures in the financial services industry. According to this circular, identification via live video transmission – an essential component of current remote signature procedures – should in future only be possible for banks in view of the existing identification obligations under money laundering law.

Not least due to strong criticism from all areas of the financial services sector, the BaFin has meanwhile repealed this circular (which had been suspended in the meantime) and replaced it by the circular 3/2017 (GW)[26] which came into force on 15 June 2017.

According to this circular, video identification procedures may be used by all entities obliged under the Money Laundering Act who are under the supervision of the BaFin. It also contains detailed requirements for the implementation of such procedures, which should be observed – also regarding remote signature procedures. Due to the different requirements regarding the video identification procedure in the respective EU countries, a precise legal examination of the respective identification procedure under consideration is necessary in each case. In Germany, for example, according to the BaFin, it is necessary to communicate with the person to be identified to be able to check the plausibility of the individual’s details.[27]

Policy review and implementation

Introducing electronic signatures requires a mix of technology, legal advice and practical experience.

Our Technology team can help clients in defining business objectives, reviewing and selecting providers of electronic signatures, evaluating legal requirements and introducing streamlined contractual processes.

With the strength of our global network, we help multi-national clients define global policies, taking into account local law, custom and practice. For more information on the legal position regarding contracts that are subject to English law, please click here.

[26] The circular is available under the following hungen/DE/Rundschreiben/2017/rs 1703 gw videoident.html).
[27] See under VII Verification of the individual to be entlichungen/DE/Rundschreiben/2017/rs 1703 gw videoident.html;jsessionid C29132507E47EE30EC366228C1316338.1 cid383?nn 9450904#doc9143870bodyText9.

Your contacts

Dr. Lutz Schreiber
Partner
T: 49 40 808094 444
F: 49 40 808094 199
lutzschreiber@eversheds-sutherland.com

Sara Ghoroghy
Associate
T: 49 40 808094 446
F: 49 40 808094 sutherland.com

Eversheds Sutherland 2020. All rights reserved. Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP are part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit www.eversheds-sutherland.com.
