Proposal for a European Parliament and Council Directive on a common framework for electronic signatures
/* COM/98/0297 final - COD 98/0191 */
OJ C 325, 23.10.1998, p. 5 (ES, DA, DE, EL, EN, FR, IT, NL, PT, FI, SV)
Proposal for a European Parliament and Council Directive on a common framework for electronic signatures (98/C 325/04) (Text with EEA relevance) COM(1998) 297 final - 98/0191(COD)
(Submitted by the Commission on 16 June 1998)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in particular Article 57(2) and Articles 66 and 100a thereof,
Having regard to the proposal from the Commission,
Having regard to the opinion of the Economic and Social Committee,
Having regard to the opinion of the Committee of the Regions,
Acting in accordance with the procedure laid down in Article 189b of the Treaty,
(1) Whereas on 16 April 1997 the Commission presented to the European Parliament, the Council, the Economic and Social Committee and the Commission of the Regions, a communication on a European initiative in electronic commerce (1);
(2) Whereas on 8 October 1997 the Commission presented to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, a communication on ensuring security and trust in electronic communication - towards a European framework for digital signatures and encryption (2);
(3) Whereas on 1 December 1997, the Council invited the Commission to submit as soon as possible a proposal for a Directive of the European Parliament and the Council on digital signatures;
(4) Whereas electronic communication and commerce necessitate electronic signatures and related services allowing data authentication; whereas divergent rules with respect to legal recognition of electronic signatures and the accreditation of certification service providers in the Member States may create a significant barrier to the use of electronic communications and electronic commerce and thus hinder the development of the internal market; whereas divergent actions in the Member States indicate the need for harmonisation at Community level;
(5) Whereas the interoperability of electronic signature products should be promoted; whereas, in accordance with Article 7a of the Treaty, the internal market is to comprise an area in which the free movement of goods is to be ensured; whereas essential requirements specific to electronic signature products used by certification service providers must be met in order to ensure free circulation within the internal market and to build trust in electronic signatures;
(6) Whereas the rapid technological development and the global character of the Internet necessitate an approach which is open to various technologies and services capable of authenticating data electronically; whereas, however, digital signatures based on public-key cryptography are currently the most recognised form of electronic signature;
(7) Whereas the internal market enables certification service providers to develop their cross-border activities with a view to increasing their competitiveness, and thus to offer consumers and business new opportunities to exchange information and to trade electronically in a secure way, regardless of frontiers; whereas in order to stimulate the Community-wide provision of certification services over open networks, certification service providers should in general be free to offer their services without prior authorisation; whereas there is no immediate need to ensure the free circulation of certification services by harmonising justified and proportionate national restrictions on the provision of those services;
(8) Whereas voluntary accreditation schemes aiming at an enhanced level of service provision may offer certification service providers the appropriate framework to develop further their services towards the levels of trust, security and quality demanded by the evolving market; whereas such schemes should encourage the development of best practice among certification service providers; whereas certification service providers should be left free to adhere to and benefit from such accreditation schemes; whereas Member States should not prohibit certification service providers from operating outside such accreditation schemes; whereas it should be ensured that accreditation schemes do not reduce competition for certification services; whereas it is important to strike a balance between consumer and business needs;
(9) Whereas this Directive should therefore contribute to the use and legal recognition of electronic signatures within the Community; whereas a regulatory framework is not needed for electronic signatures exclusively used within closed systems; whereas the freedom of parties to agree among themselves the terms and conditions under which they accept electronically signed data should be respected to the extent allowed by national law; whereas this Directive is not intended to harmonise national rules concerning contract law, particularly the formation and performance of contracts, or other non-contractual formalities requiring signatures; whereas for this reason the provisions concerning the legal effect of electronic signatures should be without prejudice to formal requirements prescribed by national law with regard to the conclusion of contracts or the rules determining where a contract is concluded;
(10) Whereas in order to contribute to the general acceptance of electronic signatures, an electronic signature should not be denied legal validity solely on the grounds that it is in the form of electronic data, not based on a qualified certificate or on a certificate issued by an accredited certification service provider, or that the service provider who has issued the related certificate is from another Member State; whereas electronic signatures which are related to a trustworthy certification service provider who complies with the essential requirements should have the same legal effect as handwritten signatures; whereas it has to be ensured that electronic signatures can be used as evidence in legal proceedings in all Member States; whereas the legal recognition of electronic signatures should be based on objective criteria and not be linked to authorisation of the service provider involved; whereas harmonised rules concerning the legal effect of electronic signatures will preserve a coherent legal framework across the Community;
(11) Whereas certification service providers offering certification services to the public are subject to national liability rules; whereas differences in the scope and content of such liability rules may result in legal uncertainty, particularly concerning third parties relying on their services; whereas such uncertainty will be detrimental to the development of cross-border trade and will hamper the proper functioning of the internal market; whereas harmonised liability rules provide legal security and predictability for both certification service providers and consumers; whereas such rules would contribute to the general acceptance and legal recognition of electronic signatures within the Community and consequently have a beneficial effect on the functioning of the internal market;
(12) Whereas the development of international electronic commerce requires cross-border mechanisms which involve non-member countries; whereas those mechanisms should be developed at a business level; whereas in order to ensure interoperability at a global level, agreements on multilateral rules with non-member countries on mutual recognition of certification services could be beneficial;
(13) Whereas in order to stimulate electronic communication and electronic commerce by ensuring user confidence, Member States should oblige certification service providers to respect data protection legislation and individual privacy and should be required to provide certification services also for pseudonyms at the request of the signatory; whereas national law should lay down if and under what conditions the data revealing the identity of the data subject must be transferred for investigation of criminal offences; whereas certification service providers should inform users in advance of their conditions, in particular regarding the precise use of their certificates and limitations of their liability, in writing and in readily understandable language and using a durable means of communication;
(14) Whereas for the purposes of the application of this Directive, the Commission should be assisted by a consultative Committee;
(15) Whereas in accordance with the principles of subsidiarity and proportionality as set out in Article 3b of the Treaty, the objective of creating a harmonised legal framework for the provision of electronic signatures and related services cannot be sufficiently achieved by the Member States and can, therefore, be better achieved by the Community; whereas this Directive confines itself to the minimum required in order to achieve that objective and does not go beyond what is necessary for that purpose,
HAVE ADOPTED THIS DIRECTIVE:
Article 1
This Directive covers the legal recognition of electronic signatures.
It does not cover other aspects related to the conclusion and validity of contracts or other non-contractual formalities requiring signatures.
It establishes a legal framework for certain certification services made available to the public.
Article 2
For the purpose of this Directive:
1. 'electronic signature' means a signature in digital form in, or attached to, or logically associated with, data which is used by a signatory to indicate his approval of the content of that data and meets the following requirements:
(a) it is uniquely linked to the signatory,
(b) it is capable of identifying the signatory,
(c) it is created using means that the signatory can maintain under his sole control, and
(d) it is linked to the data to which it relates in such a manner that any subsequent alteration of the data is revealed;
2. 'signatory' means a person who creates an electronic signature;
3. 'signature creation device' means unique data, such as codes or private cryptographic keys, or a uniquely configured physical device which is used by the signatory in creating an electronic signature;
4. 'signature verification device' means unique data, such as codes or public cryptographic keys, or a uniquely configured physical device which is used in verifying the electronic signature;
5. 'qualified certificate' means a digital attestation which links a signature verification device to a person, confirms the identity of that person and meets the requirements laid down in Annex I;
6. 'certification service provider' means a person who, or an entity which, issues certificates or provides other services related to electronic signatures to the public;
7. 'electronic signature product' means hardware or software, or relevant components thereof, which are intended to be used by a certification service provider for the provision of electronic signature services.
Article 3
1. Member States shall not make the provision of certification services subject to prior authorisation.
2. Without prejudice to the provisions of paragraph 1, Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of certification service providers for reasons which fall under the scope of this Directive.
3. The Commission may, in accordance with the procedure laid down in Article 9, establish and publish reference numbers of generally recognised standards for electronic signature products in the Official Journal of the European Communities. Member States shall presume compliance with the requirements laid down in point (e) of Annex II when an electronic signature product meets those standards.
4. Member States may make the use of electronic signatures in the public sector subject to additional requirements. Such requirements shall be objective, transparent, proportionate, and non-discriminatory, and shall only relate to the specific characteristics of the application concerned.
Article 4
Internal market principles
1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to certification service providers established on its territory and to the services they provide. Member States may not restrict the provision of certification services which originate in another Member State in the fields covered by this Directive.
2. Member States shall ensure that electronic signature products which comply with this Directive are permitted to circulate freely in the internal market.
Article 5
1. Member States shall ensure that an electronic signature is not denied legal effect, validity and enforceability solely on the grounds that the signature is in electronic form, or is not based on a qualified certificate, or is not based on a certificate issued by an accredited certification service provider.
2. Member States shall ensure that electronic signatures which are based on a qualified certificate issued by a certification service provider which fulfils the requirements set out in Annex II are, on the one hand, recognised as satisfying the legal requirement of a handwritten signature, and on the other, admissible as evidence in legal proceedings in the same manner as handwritten signatures.
Article 6
1. Member States shall ensure that, by issuing a qualified certificate, a certification service provider is liable to any person who reasonably relies on the certificate for:
(a) accuracy of all information in the qualified certificate as from the date on which it was issued, unless the certification service provider has stated otherwise in the certificate;
(b) compliance with all the requirements of this Directive in issuing the qualified certificate;
(c) assurance that the person identified in the qualified certificate held, at the time of the issuance of the certificate, the signature creation device corresponding to the signature verification device given or identified in the certificate;
(d) in cases where the certification service provider generates the signature creation device and the signature verification device, assurance that the two devices function together in a complementary manner.
2. Member States shall ensure that a certification service provider is not liable for errors in the information in the qualified certificate that has been provided by the person to whom the certificate is issued, if it can demonstrate that it has taken all reasonably practicable measures to verify that information.
3. Member States shall ensure that a certification service provider may indicate in the qualified certificate limits on the uses of a certain certificate. The certification service provider shall not be liable for damages arising from a contrary use of a qualified certificate which includes limits on its uses.
4. Member States shall ensure that a certification service provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate is valid. The certification service provider shall not be liable for damages in excess of that value limit.
5. The provisions of paragraphs 1 to 4 shall be without prejudice to Council Directive 93/13/EEC (3).
Article 7
1. Member States shall ensure that certificates issued by a certification service provider established in a non-member country are recognised as legally equivalent to certificates issued by a certification service provider established within the Community:
(a) if the certification service provider fulfils the requirements laid down in this Directive and has been accredited in the context of a voluntary accreditation scheme established by a Member State; or
(b) if a certification service provider established within the Community, which fulfils the requirements laid down in Annex II guarantees the certificate to the same extent as its own certificates; or
(c) if the certificate or the certification service provider is recognised under the regime of a bilateral or multilateral agreement between the Community and non-member countries or international organisations.
2. In order to facilitate cross-border certification services with non-member countries and legal recognition of electronic signatures originating in non-member countries, the Commission will make proposals where appropriate to achieve the effective implementation of standards and international agreements applicable to certification services. In particular and where necessary, it will submit proposals to the Council for appropriate mandates for the negotiation of bilateral and multilateral agreements with non-member countries and international organisations. The Council shall decide by qualified majority.
Article 8
1. Member States shall ensure that certification service providers and national bodies responsible for accreditation or supervision comply with the requirements laid down in Directives 95/46/EC (4) and 97/66/EC (5) of the European Parliament and of the Council.
2. Member States shall ensure that a certification service provider may collect personal data only directly from the data subject and only in so far as it is necessary for the purposes of issuing a certificate. The data may not be collected or processed for other purposes without the consent of the data subject.
3. Member States shall ensure that, at the signatory's request, the certification service provider indicates in the certificate a pseudonym instead of the signatory's name.
4. Member States shall ensure that, in the case of persons using pseudonyms, the certification service provider shall transmit the data concerning the identity of those persons to public authorities on request and with the consent of the data subject. Where according to national law the transfer of the data revealing the identity of the data subject is necessary for the investigation of criminal offences relating to the use of electronic signatures under a pseudonym, the transfer shall be recorded and the data subject informed of the transfer of the data relating to him as soon as possible after the investigation has been completed.
Article 9
The Commission shall be assisted by a Committee, called the 'Electronic Signature Committee' (hereinafter referred to as 'the Committee'), of an advisory nature composed of the representatives of the Member States and chaired by the representative of the Commission.
The representative of the Commission shall submit to the Committee a draft of the measures to be taken. The Committee shall deliver its opinion on the draft, within a time limit which the Chairman may lay down according to the urgency of the matter, if necessary by taking a vote.
The opinion shall be recorded in the minutes; in addition, each Member State shall have the right to ask to have its position recorded in the minutes.
The Commission shall take the utmost account of the opinion delivered by the Committee. It shall inform the Committee of the manner in which its opinion has been taken into account.
Article 10
Consultation of the Committee
The Committee shall be consulted, where necessary, on the requirements for certification service providers laid down in Annex II and on generally recognised standards for electronic signature products pursuant to Article 3(3).
Article 11
1. Member States shall supply the Commission with the following information:
(a) information on voluntary national accreditation regimes, including any additional requirements pursuant to Article 3(4);
(b) the names and addresses of the national bodies responsible for accreditation and supervision;
(c) the names and addresses of accredited national certification service providers.
2. Any information supplied under paragraph 1 and changes in respect of that information shall be notified by the Member States as soon as possible.
Article 12
1. The Commission shall review the operation of this Directive and report thereon to the European Parliament and to the Council by 31 December 2002 at the latest.
2. The review shall, inter alia, assess whether the scope of the Directive should be modified taking account of technological and legal developments. The report shall in particular include an assessment, on the basis of the experience gained, of aspects of harmonisation. The report shall be accompanied, where appropriate, by complementary legislative proposals.
Article 13
1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 31 December 2000 at the latest. They shall immediately inform the Commission thereof.
When Member States adopt these provisions, these shall contain a reference to this Directive or shall be accompanied by such reference at the time of their official publication. The procedure for such reference shall be adopted by Member States.
2. Member States shall communicate to the Commission all provisions of national law which they adopt in the field governed by this Directive and in related fields and a correlation table between this Directive and the national provisions adopted.
Article 14
Entry into force
This Directive shall enter into force on the 20th day following its publication in the Official Journal of the European Communities.
Article 15
This Directive is addressed to the Member States.
(1) COM(97) 157 final.
(2) COM(97) 503 final.
(3) OJ L 95, 21.4.1993, p. 29.
(4) OJ L 281, 23.11.1995, p. 31.
(5) OJ L 24, 30.1.1998, p. 1.
ANNEX I
REQUIREMENTS FOR QUALIFIED CERTIFICATES
Qualified certificates must contain:
(a) the identifier of the certification service provider issuing it;
(b) the unmistakable name of the holder or an unmistakable pseudonym which shall be identified as such;
(c) a specific attribute of the holder such as the address, the authority to act on behalf of a company, the creditworthiness, VAT or other tax registration numbers, the existence of payment guarantees or specific permits or licences;
(d) a signature verification device which corresponds to a signature creation device under the control of the holder;
(e) beginning and end of the operational period of the certificate;
(f) the unique identity code of the certificate;
(g) the electronic signature of the certification service provider issuing it;
(h) limitations on the scope of use of the certificate, if applicable;
(i) limitations on the certification service provider's liability and on the value of transactions for which the certificate is valid, if applicable.
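The following Go program is an added example and is not part of the proposal or of any Commission or Member State code. It shows, in one place, how the four requirements of the Article 2(1) definition behave in a public-key signature scheme (the private key acting as the 'signature creation device' and the public key as the 'signature verification device' of Article 2(3) and (4)), and how the Annex I contents above map onto the fields of a certificate. The choice of Ed25519, the use of X.509 as the certificate format, the field mapping and all names (Example CSP, Jane Doe, the sample text) are this example's own assumptions; the proposal names no algorithm or certificate format. Items (c) and (i) of Annex I have no standard X.509 field and are not checked.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignatoryKeys pairs the two devices of Article 2(3)-(4): the private key is
// the signature creation device, the public key the verification device.
type SignatoryKeys struct {
	Creation     ed25519.PrivateKey
	Verification ed25519.PublicKey
}

func NewSignatoryKeys() (SignatoryKeys, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return SignatoryKeys{Creation: priv, Verification: pub}, err
}

// Sign creates the electronic signature of Article 2(1) over data.
func (k SignatoryKeys) Sign(data []byte) []byte { return ed25519.Sign(k.Creation, data) }

// Verify is false if data was altered after signing (requirement (d)) or the
// signature was made with a different creation device (requirement (a)).
func Verify(pub ed25519.PublicKey, data, sig []byte) bool { return ed25519.Verify(pub, data, sig) }

// CSP is a hypothetical certification service provider (Article 2(6)).
type CSP struct {
	Name string
	Keys SignatoryKeys
}

func NewCSP(name string) (CSP, error) {
	keys, err := NewSignatoryKeys()
	return CSP{Name: name, Keys: keys}, err
}

// Issue returns a DER certificate for holderName carrying the Annex I items that
// have a standard X.509 field (the mapping is this example's assumption).
func (c CSP) Issue(holderName string, holderPub ed25519.PublicKey, validFor time.Duration) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)),  // (f) unique identity code
		Subject:      pkix.Name{CommonName: holderName}, // (b) unmistakable name
		NotBefore:    now.Add(-time.Minute),             // (e) operational period
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature, // (h) limitation on scope of use
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: c.Name}} // (a) issuer identifier
	// (d) is holderPub itself; (g) results from signing with the CSP's creation device.
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, holderPub, c.Keys.Creation)
}

// CheckAnnexI parses der and lists the X.509-mappable Annex I items that are missing
// or wrong; an empty list means all are present. Items (c) and (i) are not checked.
func CheckAnnexI(der []byte, issuerPub, holderPub ed25519.PublicKey) []string {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return []string{"unparseable certificate: " + err.Error()}
	}
	pub, _ := cert.PublicKey.(ed25519.PublicKey) // nil for other key types, so (d) fails
	checks := []struct {
		item string
		ok   bool
	}{
		{"(a) issuer identifier", cert.Issuer.CommonName != ""},
		{"(b) holder name", cert.Subject.CommonName != ""},
		{"(d) holder's verification device", bytes.Equal(pub, holderPub)},
		{"(e) operational period", cert.NotBefore.Before(cert.NotAfter)},
		{"(f) unique identity code", cert.SerialNumber != nil && cert.SerialNumber.Sign() > 0},
		{"(g) CSP signature", ed25519.Verify(issuerPub, cert.RawTBSCertificate, cert.Signature)},
		{"(h) scope-of-use limitation", cert.KeyUsage != 0},
	}
	var missing []string
	for _, c := range checks {
		if !c.ok {
			missing = append(missing, c.item)
		}
	}
	return missing
}

func main() {
	holder, _ := NewSignatoryKeys()
	data := []byte("constructed sample: I accept the offer dated 1 June") // constructed input
	sig := holder.Sign(data)
	altered := []byte("constructed sample: I accept the offer dated 2 June") // one character changed
	fmt.Println("intact:", Verify(holder.Verification, data, sig), "altered:", Verify(holder.Verification, altered, sig))
	csp, _ := NewCSP("Example CSP")
	der, _ := csp.Issue("Jane Doe", holder.Verification, 365*24*time.Hour)
	fmt.Println("Annex I items missing:", CheckAnnexI(der, csp.Keys.Verification, holder.Verification))
}
```

Running it shows the intact text verifying, the altered text failing (requirement (d)), and an empty list of missing Annex I items. Handing CheckAnnexI a different public key makes items (d) and (g) fail together, which is the Article 6(1)(c) point in code form: the certificate is only meaningful if the verification device it carries really corresponds to the holder's creation device and the CSP's own signature over it checks out.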
ANNEX II
REQUIREMENTS FOR CERTIFICATION SERVICE PROVIDERS
Certification service providers must:
(a) demonstrate the reliability necessary for offering certification services;
(b) operate a prompt and secure revocation service;
(c) verify by appropriate means the identity and capacity to act of the person to which a qualified certificate is issued;
(d) employ personnel which possesses the expert knowledge, experience, and qualifications necessary for the offered services, in particular competence at the managerial level, expertise in electronic signature technology and familiarity with proper security procedures; they must also exercise administrative and management procedures and processes that are adequate and which correspond to recognised standards;
(e) use trustworthy systems, and use electronic signature products that ensure protection against modification of the products so that they cannot be used to perform functions other than those for which they have been designed; they must also use electronic signature products that ensure the technical and cryptographic security of the certification processes supported by the products;
(f) take measures against forgery of certificates, and, in cases where the certification service provider generates private cryptographic signature keys, guarantee the confidentiality during the process of generating those keys;
(g) maintain sufficient financial resources to operate in conformity with the requirements laid down in this Directive, in particular to bear the risk of liability for damages, for example, by obtaining an appropriate insurance;
(h) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular to provide evidence of certification for the purposes of legal proceedings. Such recording may be done electronically;
(i) not store or copy private cryptographic signature keys of the person to whom the certification service provider offered key management services unless that person explicitly asks for it;
(j) inform consumers before entering into a contractual relationship in writing, using readily understandable language and a durable means of communication, of the precise terms and conditions for the use of the certificate, including any limitations on the liability, the existence of a voluntary accreditation and the procedures for complaints and dispute settlement.