eSignature Act

An Overview of eIDAS Regulation

The number of online transactions is increasing day by day. A simple purchase from an eCommerce store is the best example. However, the primary focus, in this case, refers to trust. Businesses want to shift their documentation flow online. Digital platforms provide much-needed flexibility for online transactions. 

However, the lack of trust can influence the motivation of consumers, public authorities, and businesses for electronic transactions. Therefore, eIDAS regulation is one of the precedents that help in governing the use of electronic signatures. The following discussion would focus on important implications associated with the regulation, such as a basic outline of the regulation.

The other significant highlights in this discussion would deal with the basic principles of eIDAS. The discussion would also throw some light on the different types of signatures validated by the regulation. Subsequently, the discussion would cover the benefits of the e-signature regulation for businesses and their application in different sectors. 

Origins of the eIDAS Regulation

eIDAS (electronic Identification, Authentication, and trust Services) is the commonly accepted name for EU Regulation 910/2014. The regulation took effect on July 1, 2016, when the European Commission implemented it across all regions in the European Union. From its name, the eIDAS regulation appears focused only on electronic identification. However, it also sets out provisions for trust services for electronic transactions.

The European Commission established the regulation to create a single digital market. The regulation also has two other objectives. The regulation aims at ensuring access to public services of any State of the Union for all citizens of the EU. Citizens could use their electronic National ID number for obtaining access to public services. 

Another objective of the regulation is the creation of an internal market for trust services. The regulation implies the provision of the same legality to trust services like conventional paper-and-ink processes. So, eIDAS is a regulatory instrument that specifies legal and security standards for trust services and electronic identification. What are the trust services? Let us find out something about them.

Criteria for Trust Services

The eIDAS regulation sets clear criteria for classifying trust services. Article 3, paragraph 16, gives a precise definition: a trust service is an electronic service normally provided for remuneration. The scope of ‘trust service’ includes the following:

  • Creating, verifying and validating electronic signatures, electronic seals or timestamps, electronic registered delivery services, and certificates related to those services.
  • Creating, verifying and validating website authentication certificates.
  • Safeguarding electronic signatures, seals or certificates related to these services.

Summarizing the Regulation

eIDAS (electronic Identification, Authentication, and trust services) develops trust, security, and transparency needed to bring the whole EU on the same page. So, online commerce and electronic transactions could flourish in the EU with support from citizens, public authorities, and companies. The summary of working of the regulation in four simple points can help in understanding its scope better.

  • The regulation outlines the conditions for member states to recognize the methods for identifying people and legal entities followed by other member states.
  • The regulation also serves as a supervisory and accountability instrument. As a result, it enables qualified trust service providers to provide qualified services at national and cross-border levels. Also, eIDAS presents conditions for maintaining a high level of security in electronic transactions.
  • The regulation presents a comprehensive legal framework for the governance of electronic documents, electronic stamps, electronic signatures, and electronic timestamps. Furthermore, it also governs certified website authentication services and certified electronic delivery services. 
  • The regulation is mandatory for ensuring access to public service across borders in EU countries having electronic identification (eID) documents.

Types of Signatures Recognized in the eIDAS Regulation

eIDAS defines the three types of recognized electronic signatures. They are –

  1. Electronic signature
  2. Advanced electronic signature
  3. Qualified electronic signature.

1. Electronic Signature

An electronic signature is data in electronic form that is attached to or logically associated with other data in electronic form. Signatories can use an electronic signature for signing documents. According to eIDAS, all electronic signatures are legally admissible. The regulation specifies that a signature cannot be denied legal recognition solely because it is in electronic form.

2. Advanced Electronic Signatures

Advanced electronic signatures are a step up from typical electronic signatures. This type of electronic signature complies with the following requirements.

  • Unique link with the signatory.
  • Linked with data that is signed in a manner suited for detecting any changes in the data.
  • Capabilities for identifying the signatory.
  • Created using electronic signature creation data that the signatory can use under their control.
  • The final document complies with tamper-evident characteristics.

3. Qualified Electronic Signatures

A qualified electronic signature is an advanced electronic signature created with a qualified electronic signature creation device. The device should have a qualified certificate for electronic signatures. The device could be a smart card or a mobile app for generating a one-time password. Signers have to use a certificate-based digital ID provided by a qualified EU Trust Service Provider.

Guiding Principles for the eIDAS Regulation

Now, let us explore the different guiding principles of eIDAS that make it a trusted regulation for electronic transactions. The guiding principles can help us learn about the foundation of the regulation. As a result, we can understand the benefits of this regulation easily. Here are the four guiding principles for the eIDAS regulation –

1. Trust

Trust is the first pillar in the foundation of the regulation. It ensures that transactions completed under the regulation are reliable, secure, and legally enforceable. Technologies such as electronic signatures, electronic services delivery, and electronic identification help in achieving these outcomes.

The technical standards defined in the regulation ensure complete assurance to all the parties involved in a transaction. Apart from technical standards, the regulation also provides a comprehensive liability framework. The liability framework addresses legal, enforceability, and jurisdictional concerns.

2. Cross-border

Cross-border transactions are one of the prime objectives of eIDAS legislation. The regulation ensures compliance with legal aspects related to cross-border transactions. Therefore, services provided in one jurisdiction are legal while transactions covering the service originate and conclude in another jurisdiction. The regulation makes sure that the legal standards for electronic transactions are similar across all jurisdictions. As a result, electronic transactions could not be restricted based on local jurisdictions.

3. Seamless Transactions

The trust services and electronic identification transactions should be completely seamless for the user. Users should get the same uninterrupted experience without any influence of their current location, device, or language. The regulation covers personal devices such as laptops and mobile phones as well as public areas such as airports. So, the regulation reduces concerns of authentication and identification when moving from one service to another. Users could also move from one location to another in the EU and use electronic signing and identification services seamlessly.

4. Transparency and Accountability

The fourth founding pillar of the regulation relates to transparency and accountability. The regulation outlines specific obligations for trust service providers and a clear definition of acceptable signatures. As a result, users could recognize qualified trust service providers easily. The most important highlight, in this case, refers to specific risk management and security precedents for trust service providers. The risk management approach covers aspects such as procedures, operations, and conduct. 

The guiding principles of eIDAS clearly show the intent to develop a credible and reliable system for electronic identification. The other traits of the regulation appear clearly in the underlying principles such as cross-border, seamless, and convenience in services. 

Applying the Regulation in Different Sectors

After a reflection on the origins and implications of the regulation and the types of recognized signatures, let us look at its applications. The e-signature regulation is applicable in various sectors such as financial services, transport, and online retail.

  • Financial Services

The financial service sector benefits the most from the eIDAS legislation. Financial services can find better opportunities across borders. Customers in the financial service sector demand online services and compliance obligations keep getting complex. Therefore, the digitization of identifying, authenticating, and security of transactions became evident. 

A closer look at the different examples of the application of electronic identification services in the financial sector can clarify some doubts. The regulation governs e-signatures used for signing financial service contracts remotely. Also, the financial services sector depends on electronic registered delivery service that comes in the scope of the regulation. 

  • Online retail

As we discussed previously, the regulation offers a comprehensive legal framework for governing electronic transactions across the EU. The online retail sector derives major benefits from the regulation. Online stores can ensure secure electronic transactions with customers alongside implying formidable levels of trust in the transaction. Furthermore, the transactions governed by the regulation are legally valid across the European Union. 

One of the examples of the regulation’s use in the online retail sector relates to the better identification checks for customers. This application can be helpful in the case of purchasing high value or restricted goods. Another prominent example of the use of eIDAS in the online retail sector is the facility of qualified website authentication certificates. These certificates can ensure the better trust of customers in online retail stores. 

  • Transport and Logistics

The transport sector also relies on electronic identification and trust services for a seamless business process with ample security. Electronic identification and trust services provide flexible, secure, and resource-effective document flow between suppliers, carriers, and receivers. As a result, the orders could arrive on time without any administrative setbacks. 

The most notable example of electronic identification and trust services in the transport sector is in the car-sharing services. The regulation governs conditions for proving identity and secure login of customers in car-sharing services. For freight transport and logistics applications, electronic registered delivery service helps in the secure and faster exchange of contractual documentation. 

  • Professional Services

Other professional services such as accountants, architects, and lawyers also find applications of electronic identification and trust services. Trust is the prominent concern in the professional services sector, and so the regulation is applicable here. First of all, electronic identification and trust services simplify many complex formal procedures in this sector. 

The regulation has assured professional services regarding operational efficiency, thereby implying the flexibility to focus on customer services. The regulation governs the example of electronic identification to validate the identity of clients. As a result, it is easier to establish contractual relationships. Furthermore, electronic registered delivery service can help professionals in sending crucial documents without any risk of alterations, damage, or theft. 

How to get the eIDAS Certificate?

Many businesses adopt electronic signatures and identification methods for faster and streamlined operations. However, many of them are also confused about how to get an eIDAS certificate. So, let us find out the different types of certificates available in this regulation. Recently, the EU announced the PSD2 directive that validates two types of electronic signatures.

The two electronic signatures are –

  1. Qualified Certificates for Seals (QCSEALs)
  2. Qualified Website Certificates (QWACs)

Also, you can find certificates for other qualified trust services such as a qualified certificate for electronic signature. You can receive your certificate from a Qualified Trust Service Provider. The European List of Trusted Services provides an outline of the different local qualified Trust Service Providers.   

The next step in getting an eIDAS certificate is providing information to the trust service provider. You have to provide your authorization number registered with the qualified Trust Service Provider. The next important detail required in the process is your role in a transaction. After entering information about your role, you have to select the certificates you need. Based on your eligibility, the trust service provider would provide you with the certificates.

Benefits of the Regulation for Companies

The benefits of the regulation for every business depend on electronic business transactions in Europe. Companies can gain the following benefits from the regulation:

  • Better security and trust in electronic transactions can foster the creation of relationships with customers.
  • Seamless and convenient cross-border transactions with ease.
  • Improved transparency and accountability with the technical and liability standards in the regulation.
  • Reduction in barriers for establishing a business in EU countries.
  • Saving costs of material, shipping, and management.
  • Time-saving in documentations for improving focus on core business tasks.
  • Aligning the focus of companies towards digital transformation with better and flexible customer service.

Conclusion

On a closing note, the eIDAS legislation proves to be a wide-ranging instrument to promote the adoption of electronic identification. The digital transformation of businesses is driving the attention of companies towards electronic business transactions. However, the legal validity of electronic signatures and trust services may be a formidable barrier. 

Therefore, the regulation provides a precedent for validating electronic signatures across all member states of the EU. The discussion reflected on the basics of the regulation alongside summarizing the key points of the regulation. The discussion also focused on the types of recognized signatures as well as the founding principles of the regulation. 

The other significant highlights of the discussion included the different sectors which use the regulation and the process for certification. Apart from the simple process of getting a certificate, the discussion also presents a brief insight into the benefits. So, if you are ready to jump on the digital transformation trend, then this discussion can be a helpful guide!

Posted by Brian Felix
E-Signature Law in India – Information Technology Act, 2000

As we all know, signatures are the identity of an individual. Traditionally, signatures are handwritten with pen on paper. However, now we can have electronic signatures! So, what brought this change? Digitization is the answer. Many businesses adopted the digital route for different business processes. This is the reason for which you can see better efficiency in marketing and sales.

Electronic signatures or e-signatures are a huge part of the ongoing move towards the digitization of businesses. This is one of the reasons to emphasize the information technology act in India. Wondering what it is, are you? E-signatures need valid legal recognition, and the IT act serves this purpose. In the following discussion, let us explore the legal precedent governing e-signatures in India. 

The Basic Notion of the Information Technology Act, 2000

According to the Information Technology Act 2000, electronic signatures are legally valid in India. The Government of India focused on different advantages associated with e-signatures for presenting this regulation. The IT act is a clear platform to foster the adoption of digital technologies by Indian corporations and citizens. The act focuses on improving the ease of doing business and refining the storage of records. 

Also, it focuses on raising the standards of safety, security, and cost-effectiveness of records. The Information Technology Act is one of the drivers behind the recent rise in the use of e-signatures. One of the notable highlights that we cannot miss here is the focus on providing electronic transactions using Aadhaar. Aadhaar is the unique identification number issued to all Indian residents by the Indian government.

Indian law recognizes electronic signatures on the same grounds as that of physical signatures only with a few exceptions. On the other hand, the IT Act, 2000 also specifies requirements for the validity of electronic signatures. So, let us find out what are the requirements for the validity of e-signatures in India. 

Type of Signature Recognized in the Information Technology Act 

The first thing to look at is the type of signatures recognized in the information technology act. There are two types of signatures in the IT act. 

1. Electronic signatures combining Aadhaar with eKYC service

Electronic signatures that combine Aadhaar with an eKYC service are the first type of signature under the Information Technology Act. Users who have an Aadhaar could use an online e-signature service for signing documents online. This happens with the integration of the e-signature service with the Application Service Provider (ASP).

Users could have a mobile or web application interface, and this helps in signing documents online. They could authenticate their identity through an eKYC service provided by the e-signature service provider. The eKYC service could be an OTP or one-time password used commonly in India. The online e-signature service would work with the application service provider to give certificates and authentication services. All of these services would have to follow government guidelines. 

2. Digital signatures developed with asymmetric cryptosystem and hash function

The second type of signature considered valid under e-signature laws in India is the digital signature. Digital signatures created through an asymmetric cryptosystem and hash function are valid according to the Information Technology Act. In an asymmetric cryptosystem, there is a pair of keys: a private key and a public key. These keys are unique to each user and are used to create an e-signature. Users could get a digital signature from a reliable Certifying Authority (CA).

The CA provides a digital certificate that has the user’s name, the public key, and the expiry date of the certificate. The digital certificate also includes other essential information relating to the user. Many operating systems and browsers have a list of trustworthy CA root certificates. These root certificates are used to verify the digital certificates issued by a CA. In some cases, users could also get a USB token for signing a document. The USB token contains a personal PIN and an ID based on the digital certificate.

The Criteria for Valid E-Signatures

The most important milestone for e-signature laws in India was in 2008. In this year, the Information technology act 2008 introduced some amendments. The amendment brought the definition of ‘electronic signature’ into the scenario. 

Section 2(a) of the act stated the definition of electronic signature. 

“An electronic signature is defined as the authentication of electronic records by subscribers through electronic techniques.” 

Schedule II of the Information Technology Act, 2000 points out the definitions of electronic techniques. According to the information technology Act, e-signatures have to satisfy different criteria for validity. 

The criteria can be outlined as follows –

  • E-signatures should be linked to the person signing a document with a unique ID. The unique ID is generally a digital-certified ID.
  • The signatory should have complete control over the data used to create the e-signature. The signatory should get this control at the time of signing. Generally, e-signature service providers authorize signatories to affix their e-signature to the document. This helps in fulfilling this requirement.
  • The changes to the document or the attached e-signature should be detectable. Users could fulfill this requirement by encryption of the document with a tamper-evident seal. 
  • The e-signature is valid only if it has an audit trail. The audit trail is an account of the steps implemented in the signing process.
  • According to the information technology act, a certifying authority (CA) recognized by the Controller of Certifying Authorities (CCA) issues a digital signature certificate. 

Suitable Use Cases for E-Signatures

An electronic signature is valid if it satisfies all these conditions. The Information Technology Act 2000 is presently the main governing law for the validity of e-signatures in India. At this point, there are no case laws that relate to disputes regarding the application of e-signatures. The different types of use cases where the standard electronic signature can be applied are as follows.

  • Commercial agreements among corporate entities. These may include procurement deals, sales agreements, and non-disclosure agreements.
  • E-signatures are also applicable to HR documents. The examples include employment contracts, new employee onboarding processes, and benefits paperwork.

Documents Which Cannot Be Signed Electronically

The IT Act 2000 also presents details of use cases that are not suitable for the use of digital signatures. The first concern involves processes that require handwritten signatures. But the IT act does not cover these use cases. It covers examples of use cases that cannot be signed electronically.

  • Handwritten negotiable instruments except for cheques.
  • Trust deed documents, written by hand.
  • Handwritten wills or any testaments.
  • Power of attorney, written by hand.
  • Handwritten contracts for sale or conveyance of immovable property and interest in the property.
  • Real estate documents; the examples include purchase and sales contracts and lease agreements. Documentation for residential and commercial real estate can also not involve e-signatures.

Legal Precedents for Stamping

Therefore, any document which needs a notarial process or registration by a Registrar or Sub-Registrar cannot use an e-signature. The information technology act also presents some insights into the requirements for stamping. This is one of the noticeable concerns while signing electronically. 

You need to know that specific documents should be stamped before or at the time of execution. However, there is no particular law in India that outlines a method for stamping of electronic documents. The states of Delhi, Maharashtra, and Karnataka focus on stamping for electronic records. 

The electronically accepted stamps can help e-signature service providers to design their solutions according to your needs. The information technology act also emphasizes that companies should always look into the legal need for stamping a document. If there is a requirement of stamping before signing and execution of a document electronically, the company should have a physical copy. The physical copy should be stamped. 

A document can bring financial penalties if it is not properly stamped. In some states, there are penalties for deliberately not stamping a document. The penalties could either be in the form of fines or even imprisonment. However, these provisions are implemented rarely. 

Other Valid Forms of E-authentication

As we discussed above, there are certain documents that are suitable for electronic signing. However, it does not mean that documents signed by other electronic means than an e-signature are invalid. The Information technology act also provides validity for contracts that use authentication methods specified in it. For example, a contract executed with email is an authentication method. Documents that use two-factor authentication such as OTP or a PIN could also be considered valid. 

On the other hand, there is a slight problem in proving the validity of these documents. They are not the same as the documents signed with handwritten signatures. If an electronic contract involves any dispute, then it is essential to prove that the requirements of a valid contract have been fulfilled. 

The parties involved in the contract should ensure the execution of the document by using a non-tamperable method. Even if this requirement is quite tasking, the use of email and two-factor authentications of contracts is highly popular. The technology and eCommerce sector make the most of this facility. 

You would have to follow certain best practices to prove the validity of electronically signed documents. Note that these best practices apply when using email or other forms of authentication.

  • The signing process should have a mechanism for verifying the identity of signatories. The mechanism could be a verification email to the signatory’s unique email address. The information technology act also allows sending OTP to the mobile phone of the signatory. 
  • The signing party should provide consent for conducting the transaction electronically.
  • A clear description of the intent of the signing party to sign the document electronically with the method used for signing.
  • Secure tracking of the process with an audit trail for logging each step.
  • Use of a tamper-evident seal for securing the final document. 
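
The audit-trail and tamper-evident-seal practices in the list above can be made concrete as follows. This is an added example, not code from the IT Act, an e-signature provider, or the original article: each signing step is hash-chained to the previous one and bound to the document's SHA-256 digest, and an HMAC over the chain head stands in for the seal a provider would normally produce with its certificate-backed digital signature. Step names, the key, and the sample document are constructed.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "previous hash" for the first entry


def entry_hash(prev_hash, event):
    """SHA-256 over the previous entry's hash plus this event (canonical JSON)."""
    blob = json.dumps({"prev": prev_hash, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class AuditTrail:
    """Append-only log of signing steps, bound to one document's digest."""

    def __init__(self, document):
        self.doc_sha256 = hashlib.sha256(document).hexdigest()
        self.entries = []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def log(self, ts, step, actor, detail):
        event = {"seq": len(self.entries), "ts": ts, "step": step,
                 "actor": actor, "detail": detail,
                 "doc_sha256": self.doc_sha256}
        self.entries.append({"event": event,
                             "hash": entry_hash(self.head(), event)})

    def seal(self, key):
        """Tamper-evident seal: HMAC-SHA256 over the chain head (assumed design)."""
        return hmac.new(key, self.head().encode(), hashlib.sha256).hexdigest()


def verify(document, entries, seal, key):
    """Return a list of problems; an empty list means document and trail are intact."""
    problems = []
    doc_sha256 = hashlib.sha256(document).hexdigest()
    prev = GENESIS
    for i, entry in enumerate(entries):
        event = entry["event"]
        if event["seq"] != i:
            problems.append(f"entry {i}: sequence gap")
        if event["doc_sha256"] != doc_sha256:
            problems.append(f"entry {i}: document digest mismatch")
        if entry_hash(prev, event) != entry["hash"]:
            problems.append(f"entry {i}: chain hash mismatch")
        prev = entry["hash"]
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        problems.append("seal does not match chain head")
    return problems


def demo():
    key = b"constructed-demo-key"  # constructed; a real service keeps this in an HSM/KMS
    doc = b"Constructed sample contract: A agrees to supply B."
    who = "signer@example.com"     # constructed signatory
    trail = AuditTrail(doc)
    trail.log("2024-01-01T10:00:00Z", "identity_verified", who, "OTP confirmed")
    trail.log("2024-01-01T10:01:00Z", "consent_given", who, "agreed to e-transaction")
    trail.log("2024-01-01T10:02:00Z", "intent_recorded", who, "chose to sign by OTP")
    trail.log("2024-01-01T10:03:00Z", "signature_affixed", who, "e-signature applied")
    seal = trail.seal(key)

    # Case: one stored entry is edited after the fact.
    edited = copy.deepcopy(trail.entries)
    edited[1]["event"]["detail"] = "consent not recorded"

    # Case: the whole chain is recomputed after the edit; only the seal catches it.
    rewritten = copy.deepcopy(edited)
    prev = GENESIS
    for entry in rewritten:
        entry["hash"] = entry_hash(prev, entry["event"])
        prev = entry["hash"]

    return {
        "clean": verify(doc, trail.entries, seal, key),
        "doc_changed": verify(doc + b" (altered)", trail.entries, seal, key),
        "entry_edited": verify(doc, edited, seal, key),
        "log_rewritten": verify(doc, rewritten, seal, key),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "intact")
```

The seal is what defeats a full rewrite of the log, so the verifier is only as trustworthy as the protection of the sealing key.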

Based on these industry best practices, you can conform to the precedents outlined in the IT act for e-signatures. Furthermore, a clear awareness of these factors could help you find the best e-signature solution. 

The Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015

India achieved another notable milestone in regulation for e-signatures long after the Information Technology act, 2008 amendment. Despite the clear definition and availability of provisions enabling the use of e-signatures, they were not used. However, the Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015 brought a new change. 

Also, the Digital Signature Rules (End Entity), 2015 came into existence. The most noticeable application of these rules provided the basis of e-signature regulations in India as known today. For example, the Controller of Certifying Authorities (CCA) developed with the Information technology act, received more powers. The CCA is now capable of regulating and providing the requirements and process for using e-authentication methods. 

The Current state of E-Signature Legality

According to the Information Technology Act in India, the sole authority over e-signatures is the Central Government. The Central Government holds the authority for declaring reliable techniques for e-signature. The Central Government could add or remove any technique valid for electronic authentication. 

However, the Central Government has not issued any notification regarding the concept of electronic signature. So, the only method used for electronic signatures is digital signatures. The examples of Aadhaar-based identity verification and electronic signing show this. The Delhi High Court has asked the Central Government to introduce policies on the use of electronic signatures.

This clearly shows that the legal aspects of e-signatures are relatively underdeveloped in India. However, the IT act outlines the criteria for the legal recognition of e-signature in Section 5. The section outlines that if the prescribed requirements have been followed, then an electronic signature is valid just like a handwritten signature. 

You should also take note of the offenses outlined in electronic signatures. The offenses can include publishing false e-signature certificates, identity theft, or publishing electronic certificates for a fraudulent purpose. The other offenses include misrepresentation or suppression of material fact to obtain e-signature or license. 

Conclusion

Based on an outlook of the e-sign laws in India according to the IT Act 2000, the above discussion concludes now. The discussion provided information on the general concept of e-signature accepted legally in India. The types of e-signatures considered valid according to the IT act formed an important part of the discussion. The use cases suitable for electronic signatures and the unsuitable documents also refined an understanding of the legality of e-signatures in India.

Finally, the discussion focused on other forms of electronic authentication valid in India. Also, the discussion presented a brief illustration of the present state of e-signature legality in India. These details finally concluded a brief outline of offenses related to e-signatures according to the IT act. 

Posted by Brian Felix