All you ever wanted to know about eIDAS – which came into force today

What does Brexit mean for the next piece of EU law that arrived today? EU Regulation 910/2014 also called the ‘eIDAS’ Regulation applies to the UK with no approval from Westminster as of Friday, 1st July.

Comment by Richard Croft of UK electronic signature specialists Legalesign…

This law relates to identity services and e-signature. Will it continue to apply in law? Even if it does will political and culture differences between the EU and UK, given fresh force through Brexit, affect whether it will actually work in practice? What could be the impact on the validity of contracts?

As before, daily life goes on, nothing appears to change at all. Contracts signed before 1st July will remain valid and those signed from Friday will be valid now and in the future. The impact is more likely to be felt in the longer term in connection with e-signature contracts, especially those that are Deed equivalents (or ‘Probative’ in Scots Law), subject to how a new relationship between the UK and EU develops.

A short history of EU law for e-signature

The EU has pushed forward two major pieces of legislation in connection with e-signature, EU Directive 2000/31/EC and EU Regulation 910/2014.

The first legislation was a ‘Directive’ which meant that it had to be written into each country’s own law. In the UK this led to the Electronic Communications Act 2000.

This Act affirmed the status of e-Signature as a valid means of contract formation. While the Directive went further in setting up a model for ‘certified’ electronic signature, this was not widely adopted, most likely because it required a standard identity proof that was impractical compared to existing methods of signing.

The second legislation is a ‘Regulation’, known as the ‘eIDAS’ Regulation. Importantly as a ‘Regulation’ it applies immediately across Europe with no need for national legislative approval. It comes into force this Friday the 1 July. Important because it comes into force post-Brexit and has no national legislative approval, raising a degree of uncertainty whether it will continue to apply in the UK.

The eIDAS Regulation affirms the status of advanced e-signatures. It goes on to add a new category of e-signature it calls ‘qualified’, taking over from the previous ‘certified’ e-signatures. ‘Qualified’ e-signature arises out of a cross-national model for identity and trust services defined at length in the Regulation.

What legislation applies now?

While there is some uncertainty over what policies will arise from Brexit, indubitably one sure outcome is that EU courts will no longer have jurisdiction over the UK. The question then follows, what laws will apply?

A question mark falls over the eIDAS Regulation. The previous Directive was written into UK law as the Electronic Communications Act 2000 (ECA) and should therefore apply in any case. That is most likely to be the fall-back position should eIDAS be struck down in the UK.

For e-signatures the potential loss of eIDAS will affect those ‘qualified’ e-signatures that are given legal force by the eIDAS Regulation alone. Trust services that are setting themselves up to comply with the EU regulations may also need to re-configure themselves.

Many e-signature providers use advanced e-signature rather than ‘qualified’ ones. These are given legal force by eIDAS, but in the absence of that, by the Electronic Communications Act 2000 (ECA).

In case there is doubt over that Act too, business should ensure their e-signature provider, not only falls under eIDAS and the ECA, but is also valid based on the common law principles governing formation of contract.

eIDAS and UK

If eIDAS does apply to the UK, will it still work out? The trust services system defined in eIDAS has a strong hint toward a state identification system. However practical that may be, on this issue the UK and EU has been historically divided.

Perhaps for historical or cultural reasons the British people have consistently resisted calls for a single centralised ID card, while European neighbours have adopted it with fewer reservations.

There may be workarounds. The UK government has been building its own identify system called ‘Verify’ which creates a common digital identify for British subjects to access government services online. There are also many independent trust services built on the reasonable idea that identity fraud is less likely the more sources of private information a person can demonstrate they have access to.

It is not unlikely that one or other of these services will align with EU law and become a conduit for UK electronic signatures to meet with EU ‘qualified’ eIDAS standards.

(For those of you unfamiliar with Legalesign, here’s a link to a law firm case study + their product service description)

And in more eIDAS news… Adobe has announced details of an initiative to set up an Open Standard for Cloud-based digital signatures

Adobe has announced the Cloud Signature Consortium, a group comprised of leading industry and academic organisations committed to building a new open standard for cloud-based digital signatures across mobile and web – so anyone can digitally sign documents from anywhere. Helping pave the way for global adoption of secure digital signatures, the initiative coincides with the introduction of a new European Union signature regulation (eIDAS) that goes into effect on 1st July.

Digital signatures are the most advanced and secure type of electronic signature, increasingly used by businesses and governments around the world. However, using standards-compliant digital signatures today can be a cumbersome, time consuming process that keeps people tethered to their desktop. In many cases, they need certificate-based IDs stored on a physical device, like a USB token or smart card. This approach doesn’t meet increasing consumer and business expectations for simple and engaging experiences that work anywhere, on any device.

And, while some cloud-based digital signature solutions exist, they are proprietary and fragmented, rather than an open approach that offers a choice of certificate providers. As a leader and founding member of the new consortium, Adobe is collaborating with industry leaders to develop an open standard that will bring the world’s most secure form of electronic signing to over seven billion mobile devices around the globe.

“Adobe has a history of pioneering and advancing industry standards like PDF. We embrace open standards and, where none exist, we help create them,” said Bryan Lamkin, executive vice president and general manager of Digital Media, Adobe. “With more than six billion digital and electronic signature transactions processed each year through Adobe Sign and Adobe Document Cloud, we are focused on moving the signature industry forward. Today, in collaboration with the Cloud Signature Consortium, we are proud to advance an open standard for cloud-based digital signatures.”

Why an open standard is needed

The new standard created by the consortium will be critical to furthering digital transformation of business on a global scale by giving everyone access to secure digital signature solutions across a full range of cloud applications and mobile devices. Once implemented, the standard will benefit processes where signer identification is critical, such as applying for a marriage or business license, state benefits, or signing for a large loan. The Cloud Signature Consortium aims to build a global network of industry contributors and intends to release new standard specifications by the end of 2016—with the first cloud-based implementations to follow shortly thereafter. The consortium was inspired by the need to meet the highest level requirements of the European Union’s Regulation on Identification and Trust Services (eIDAS), but its impact is expected to be global as demand for highly secure digital solutions continues to rise.

“Adobe has a long history of successfully helping to establish and drive the adoption of open standards,” said Melissa Webster, vice president of content and digital media technologies, IDC.  “An open standard focused on cloud-based digital signatures will not only help companies save time and resources, but ultimately move an entire industry forward with best practices that benefit all.”