Privacy Laws and Business International Report

EU proposes directive on electronic signatures [1998] PLBIRp 9; (1998) 44 Privacy Laws and Business International Report 14

THE PROPOSED DIRECTIVE on electronic signatures aims at creating a secure environment for electronic commerce by means of minimum regulation. Essentially, the proposal introduces common requirements for trusted third parties.

The driving force behind the European Commission’s proposal is its wish to enhance electronic commerce in Europe (PL&B, Feb ’98, p.19). Electronic signatures are needed to ensure that the receiver of the data can verify its origin, and that the data is received unchanged. As the recipients may wish to check that senders of the data are who they claim to be, a third party is needed. The proposals cover the wide range of electronic signatures, including the more advanced digital signatures which are based on public-key cryptography. Cryptographic technology protects digital signatures against fraudulent use. This proposed directive should ensure that future technological development remains within this legal framework.

The proposed directive examines the requirements that should be established for trusted third parties in EU Member States. Trusted third parties, or certification service providers, as referred to in the proposal, can be persons or institutions trusted by both parties. A common framework for trusted third parties would facilitate the legal recognition of electronic signatures across borders. As this cross-border element is central to electronic commerce, many international organisations have already started to prepare rules on electronic signatures. The proposed directive is meant to establish basic rules that would enable electronic signatures to be immediately accepted across the European Community in the same way as normal, handwritten signatures.

TRUSTED THIRD PARTIES MUST ACCEPT PSEUDONYMS

The certificate issued by the trusted third party confirms the identity of a person. As a data protection measure, it is suggested that a pseudonym could be used instead of the signatory’s[1] name in the certificate. Pseudonyms may be revealed without consent only when the information is needed for the investigation of crime. In general, trusted third parties must follow all the data protection provisions of the general data protection directive (95/46/EC) and the telecommunications data protection directive (97/66/EC). Therefore, personal data may be collected only for the purposes of issuing the certificate.

STANDARDISATION BODIES TO DO THE DETAILED WORK

It is proposed that trusted third parties should be able to operate without prior authorisation. However, the Commission recommends, following the German Digital Signature Law, that a voluntary accreditation scheme should be in place. The Member States will be required to inform the Commission of any such schemes, and the names of accredited trusted third parties.

The suggested common requirements for the trusted third parties include several security and quality aspects, such as taking measures against forgery of certificates, and not storing private cryptographic keys unless asked to do so. As the requirements form only a loose framework, it is hoped that industry and standardisation bodies will introduce more detailed provisions in the form of internationally agreed standards.

EXISTING CONTRACTS REMAIN UNCHANGED

Many companies already use electronic signatures in closed environments, for example, in their local networks such as Intranets. These existing arrangements should not be affected by the proposed directive as it is not the intention to harmonise national contract laws.

The directive would oblige the Member States to inform the Commission of legislative developments in this field. It is suggested that the directive would be implemented by the end of the year 2000.

[1] Signatory means a person who creates an electronic signature.

The proposal for a common framework for electronic signatures was made public on 13th May.

The text is available at www.europa.eu.int/comm/dg15 from DG XV of the European Commission, Tel: +32 2 295 1612.


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/9.html