Graham is a partner in international law firm Bird & Bird LLP. He is based in London and is one of the UK's leading cyberlaw experts, with a practice encompassing advisory and contentious work in the internet, IT and intellectual property fields.
Company Details and contact information (Bird & Bird LLP:www.twobirds.com/en/our-lawyers/g/graham-smith1)
Since the EU eIDAS Regulation came into force in July last year there has been a noticeable resurgence of interest in the legality of using electronic signatures to sign off transactions and formal documents.
The European Commission hopes that eIDAS will kindle new interest in the more technically sophisticated kinds of signature defined in the Regulation: ‘advanced’ and ‘qualified’ electronic signatures. These differ from ordinary electronic signatures, which need no special identification or security technology. An ordinary electronic signature may vary from a typed name to something more technically robust. Whilst under EIDAS all kinds of electronic signature must be admissible in evidence, in many other respects the legal status and validity of different kinds of signature may vary from country to country and for different kinds of transaction or document.
Signature products on the market may offer some or all of ordinary, advanced or qualified signatures. Products in the ‘ordinary’ category can vary significantly in the technologies employed and in the degree of identification and integrity assurance offered. Vendors are making efforts to foster a market for the most robust qualified signatures, in which the identities of signatories are supported by third party certificates from a pan-EU network of trusted service providers.
It would be easy to suppose that eIDAS has magically rendered electronic signatures legal and safe for every variety of document and transaction. That impression would, unfortunately, be incorrect. Nevertheless we can still think about going electronic in some situations where hitherto we may have feared to tread.
Most everyday transactions are already concluded and signed (if signed at all) electronically. Think of the billions of online contracts formed on the click of an ‘I accept’ button or by a name typed at the end of a reply e-mail. For most practical purposes an informal acceptance or signature, with minimal assurance as to identity of the signatory, may (under English law) be good enough. That is unsurprising when we consider that a traditional wet ink signature in fact carries little in the way of formal assurance; and even less surprising when we recall that, in the English common law tradition, a simple mark ‘X’ can suffice as a wet ink signature and that most contracts do not require a signature at all.
A pragmatic approach to signatures partially explains why in many EU countries the elaborate technical signature mechanisms defined by eIDAS’ predecessor, the 1999 Electronic Signatures Directive, never really took off. ‘Advanced’ and ‘qualified’ signatures were overengineered for situations where a more informal ordinary electronic signature might be considered good enough (at least in a common law country) and was, under the Directive as with eIDAS, admissible in evidence.
A cheap and cheerful approach has been less easy to apply to high value or high risk transactions, where the consequences of tripping up are serious and a high level of comfort is required. When large sums of money, freedom to operate in a market or title to valuable assets are at stake, caution tends to prevail.
However there are signs that corporates and their legal advisers are now looking at whether electronic signatures of some kind can be used for more significant transactions. This is exemplified in England by the July 2016 Practice Note on Execution of a document using an electronic signature prepared by the Law Society Company Law Committee and the City of London Law Society Company Law and Financial Law Committees.
Successful evaluation of the suitability of electronic signatures for a transaction requires a clear understanding of the legal framework within which electronic transactions sit. Perhaps counter-intuitively, the relevant framework often has little to do with signatures and less to do with the eIDAS Regulation. While the question may be ‘Can we use an eSignature?’, the answer may well lie outside the law of signatures.
We can analyse the legal framework in three steps. This analysis is focused on English law. Whilst the high level principles may be applicable more widely, formalities and evidential value are still a matter of each country’s own law.
Three steps to eSignature heaven
Step 1 Formalities versus evidence The first step is to separate formalities requirements from evidential value. If a statute requires some formality to be complied with, then failure to comply may invalidate part or all of the transaction or render it unenforceable. Since the consequences of non-compliance are potentially catastrophic, any doubt about formalities is likely to be seen as a red flag. No amount of evidential value can correct a formalities failure.
Formalities requirements come in four flavours: Medium, Form, Process, and Signature. All four possible types of formality have to be considered. It is easy, but potentially fatal, to focus on signature formalities and overlook the rest.
At a general level a commercial contract may have no formalities requirements. However it may contain within it specific clauses to which a formalities requirement does apply. One example is a jurisdiction clause, for which the Recast Brussels Regulation prescribes (as one compliance option) a writing requirement.
Writing is the most common Medium formality. The legislation in question may have its own definition of writing or it may rely on the Interpretation Act 1978. Although generally speaking an English law writing requirement will permit electronic form, if such a requirement does exist then it has to be evaluated.
A Form requirement may be more typical of consumer than business contracts. One example would be a requirement that a signature has to appear at a particular place in a document.
That brings us to Bassano v Toft, a case which involved an agreement to pledge a viola. Under the Consumer Credit Act 1974 the agreement had to be signed in the prescribed manner. Mrs Bassano executed the agreement by clicking on an ‘I Accept’ button. The judge held that this complied with the requirement for a signature.
However that was not the end of the matter. Regulations prescribed that the signature had to be in “the space in the document indicated for that purpose”. This was a separate requirement of form. The ‘I Accept’ button appeared in the designated space, but Mrs Bassano’s name was on the previous page. The judge held that the location requirement was satisfied. The words ‘I accept’ were in the correct place. The word ‘I’ could be treated as Mrs Bassano’s mark affixed for the purposes of authenticating and agreeing to be bound by the terms of the agreement.
Another example of a form requirement might be a statute that expressly or by implication required a single signed document, excluding the possibility of signing separate originals and counterparts.
An example of a Process requirement could be a rule about the sequence in which signatures have to be affixed, or a rule that a signature must affixed in the presence of another signatory. The Law Society Practice Note discusses the example of a deed, which can be executed by a company incorporated under the Companies Act 2006 if it is signed on behalf of the company by a director ‘in the presence of’ a witness who attests the signature. Presence is a process requirement. Even if the signature may be electronic, could it validly be witnessed remotely? This requirement has also been discussed on the Land Registry blog.
The question of whether the witness must be physically present or can be virtually present (for instance by video link), and if so what conditions have to be satisfied, is a question of substantive law: the content of the formality. But even if virtual presence were permissible, there would still be a separate evidentiary consideration of how to prove that the video link was used in such a way as to satisfy the formality requirement.
The legal requirement that a deed must be ‘delivered’ is another process formality.
These examples well illustrate two separate risks: the formality risk (does the law allow it to be done in this way?) and the evidential risk (if so, can I prove that it was done in this way?). They also illustrate that evidential risk is not only a question of proving the signature (who signed, what did they sign, how, when and – if relevant – where?) but also of proving compliance with any applicable statutory formality.
Last, there may be a formal requirement for a signature. If the statute requires a signature, then (unless some specific kind of signature is mandated) English law is accommodating about what constitutes a signature, if intended to be a signature. A name typed at the end of an e-mail can be a signature (Golden Ocean). Even clicking an ‘I Accept’ button can amount to signature of a contract if intended to authenticate the document and communicate agreement to be bound by its terms (Bassano v Toft, above).
The eIDAS Regulation (Recital 49) reserves to Member States the right to define the legal effect of electronic signatures, the only constraint being that they must allow qualified signatures to have the same effect as handwritten signatures. The Regulation (and the Directive before it) does not say that only qualified signatures can have that effect. That is why countries such as England are able to treat informal kinds of electronic signature as equivalent (in formality compliance terms) to a handwritten signature.
Rarely in England, but more commonly in other EU countries with stronger traditions of formalities, a statute may require a particular kind of signature. Usually such a requirement will be framed by reference to one of the more technically sophisticated kinds of signature (advanced or qualified) defined in the eIDAS Regulation.
Electronic prescriptions for medicines are an example of a specific English signature requirement. Regulations require prescriptions to be signed with an advanced signature, as defined in the eIDAS Regulation.
Another example is in regulations governing utilities tendering, which empower utilities to require tenders to be signed using an advanced signature plus a qualified certificate (with or without a secure signature creation device), again as defined in the eIDAS Regulation.
Formalities requirements may touch on more than one element of medium, form, process and signature. Thus the Land Registration Act 2002 lays down formalities that have to be complied with if an electronic document disposing of a registered estate is to be accepted for registration. The requirements include a certified electronic signature of every person authenticating the document. If that and other conditions are complied with then the document is deemed to be in writing, to have been signed and to be a deed (see further, the Land Registry blog).
The fact that other countries (and perhaps parts of the UK with separate legal systems) may have different and often more prescriptive formalities requirements (including permissible kinds of signature) is something to be considered in international transactions.
Attention may have to be paid to soft law, as well as hard law, requirements. For instance a sectoral regulator may lay down guidelines about how electronic transactions should be conducted.
Step 2 Evidential admissibility
If something is admissible as evidence, the court can look at it. The eIDAS Regulation (and the Electronic Signatures Directive before it) both provide that an electronic signature of any kind, not just the more advanced types, must be admissible as evidence. There was never much doubt in England that electronic signatures were admissible under general rules of evidence, but in any event this obligation is implemented in Section 7 of the Electronic Communications Act 2000.
Section 7 goes only to evidential admissibility. It does not mean that an electronic signature is valid (in the sense of complying with a particular statutory requirement for a signature). Nor does it require the court to give any particular weight to the evidence. Evidential value is the third and final step to eSignature heaven.
Step 3 Evidential value
It is in the area of evidential weight that the risks associated with electronic signatures tend to be most discussed. How do we prove to a third party that the document was signed and who signed it? What if the signatory denies signing? What if the signatory admits signing, but contests what was signed? How do we prove when and (if relevant) where the signing took place?
These questions go to the strength of the evidence of the signature itself. If additionally there are requirements of form, medium or process then we also have to ask whether and how, if challenged, we can prove compliance with those requirements.
This discussion leads to the pros and cons of various different kinds of signature (including those defined in the eIDAS Regulation) and of facilities offered by the commercially available signature and associated document management and storage tools.
Compared with formalities compliance, risk assessment around evidential value is often more pragmatic (at least for strength as a signature – perhaps less so for evidencing compliance with formalities). Different conclusions may be reached for different kinds and value of document and transaction. Evidential value will be closely related not only to the type of signature, but also to how a signature tool has been used.
To sum up, the process of evaluating whether an electronic signature can be used for a given transaction is as follows:1. Is there an applicable formality requirement of signature, medium, form or process?
2. In principle can electronic form and signature comply with any applicable formality requirements?
3. In the light of 1 and 2, what particular kinds of signature, medium, form or process can in principle be used?
4. For a given solution and process, how strong would be the evidence of compliance with any applicable formality requirement? Is the risk acceptable?
5. For a given solution and process, how strong would be the evidence of signature (i.e. who signed what, how, when and – if relevant – where?) Is the risk acceptable?
Impact of eIDAS
Evidential value is an area where some aspects of the eIDAS Regulation may make a difference.
Types of signature with a good assurance level are likely to be seen as needed to provide the requisite degree of evidential comfort for high value, high risk, high comfort factor transactions.
At the highest ‘qualified’ signature level eIDAS introduces national lists of ‘qualified trust service’ providers, recognised across the EU, which may ease international use. eIDAS also introduces definitional changes and clarifications that may make higher level categories of signatures more economic and user-friendly.