Κυριακή, 24 Φεβρουαρίου 2008

ELECTRONIC SIGNATURES


I. Introduction

A modern regulatory framework regarding electronic communication and transactions is considered essential to establishing legal certainty in the field of e-commerce. Τhe nature of the Internet as an open network raises concerns about the confidentiality and security of electronic communication, which hinder the exploitation of the net as a platform for conducting commerce[1]. Electronic signatures and related services that allow data authentication can, therefore, play an important role in this aspect by ensuring security and trust in electronic transactions[2].

The European Directive 1999/93/EC lays down the rule of legal recognition of electronic signatures[3]; the Directive provides the legal framework for e-signatures and Certification Service Providers and defines two levels of security that organizations may apply to e-signatures depending on the sensitivity of the transaction, that is a) the simple e-signatures, which provide a minimum level of security and b) the advanced electronic signatures, which provide a higher level of security and can be used as a substitute of a hand-written signature[4].

In order for a signature to be qualified as an advanced signature, certain requirements should be fulfilled (Article 5 Para. 1 of the Directive). These requirements concern the technical function of the signature software and the existence of a qualified certificate, which is provided by a certification service provider who meets certain criteria. As it is obvious, the legal regulations concerning the certification of e-signatures and the accreditation of service providers are of great importance.

II. Implementation of the Directive 1999/93/EC in Greece

1. General Background

Greece implemented the European Directive 1999/93/EC by enacting specific legislation, which is complementary to the relevant provisions of civil and civil procedural law. The Presidential Decree 150/2001 (Official Journal A/125, 25-6-2001), which transposed the relevant provisions of the Directive into Greek law, establishes the principle of recognition of electronic signatures as hand-written signatures; thus, it provides for a legal framework for the provision of certification services and specifies the liability status of certification service providers. The Decree reflects faithfully the provisions of the Directive, but it also brings about considerable modifications of the provisions on the legal validity of documents and their evidential value[5].

Regulations of electronic signatures in Greece are also found in the law No. 2672/1998. Article 14 of the law allows for the exchange of public documents by electronic means, especially via e-mail. This regulation, however, did not entered into force until the enactment of the Decree 150/2001, since it presupposed a Presidential Decree regulating all details, which are necessary for the use of digital signatures[6].

2. The legal effect of electronic signatures

Article 3 provides that advanced electronic signatures, which are based on a qualified certificate and are created by a secure-signature-creation device, are equated as to their effect, i.e. the legal validity and the probative effect, to hand-written signatures in paper documents.

Furthermore, Article 3 Para. 2 states that electronic signatures, which do not meet the above-mentioned requirements, shall not be denied legal effectiveness and admissibility.

The Decree adopts, likewise as the European Directive, a two-tier system of electronic signatures, which consists firstly, of “simple” and secondly, of “advanced” electronic signatures. Simple signatures are not denied validity solely on the grounds that they are in electronic form or are not certified. Nevertheless, simple electronic signatures can be denied recognition for any other reason. Advanced signatures, on the other hand, are treated as equivalent to manuscript signatures.

However, the precise legal effects of advanced and simple electronic signatures are not clearly defined and should be investigated.

3. Advanced electronic signatures

Firstly, regarding the legal validity of advanced electronic signatures, the law does not provide for which kinds of documents can advanced electronic signatures be used for. Therefore, one should take into account the provision of Article 7 of the Draft Law on Electronic Commerce, which will be soon enacted[7]. According to this provision, contracts can be concluded by electronic means, with the exception of: (a) contracts that create or transfer rights in real estate, (b) contracts requiring by law the involvement of courts, public authorities or professions exercising public authority and, (c) contracts governed by family law or by the law of succession.

Furthermore, as regards the probative effect of electronic signatures, it is clear that the law establishes a legal fiction, according to which, documents with electronic signature are equated as to their effect to private documents. Consequently, the advanced electronic signature in a document satisfies the concept of the private document (Article 443 of Greek Code of Civil Procedure)[8], which has probative weight on the part of the issuer, the submission of rebuttal evidence being allowed, according to the provision of Art. 445 Code of Civil Procedure.

4. Simple electronic signatures

The legal validity and the admissibility as evidence of simple signatures has been recognised in the past by the jurisprudence of Greek courts even before the enactment of the Decree[9]. The jurisprudence has recognised the probative effect of electronic documents, which are deemed as mechanical representations, according to Art. 444 par. 3 Code of Civil Procedure, which states that mechanical representations are considered as private documents, having therefore the effects of the latter under the law.

More generally, it has been ruled out that documents (e.g. bankbooks, printouts, etc.) containing records of electronic representations are considered as mechanical representations, pursuant to Art. 444 par. 3 Code of Civ. Proc[10].

However, it must be noted that prerequisite for the probative effect of electronic documents regarded as equal to private documents is the recognition or proof of their genuineness (Art. 445 Code of Civ. Proc.). In the case of an electronic document, the confirmation of the issuer of an electronic document can be attained by elements, which are functionally equivalent to a hand-written signature, such as a (simple) electronic signature.

Therefore, electronic documents, which bear an electronic signature that does not fulfil the criteria set out in the definition of the advanced electronic signature, are not denied legal effectiveness and admissibility as evidence. Simple electronic signatures can be used, thus, in deeds and contracts, which are not required to have a hand-written signature.

III. Accreditation and Supervision of Certificate Providers – Liability Issues

The Decree 150/2001 contains regulations concerning the provision of certification services, the conditions of offer for advanced certification services, the liability of certification service providers, voluntary accreditation and also, the supervision of certification service providers by the National Telecommunications and Post Commission (EETT)[11].

The specific details concerning certification services have been regulated by the Regulation No 248/71 of 15.3.2002 of the EETT. With the enactment of the Regulation, the infrastructure, which was necessary, in order to attain full operation of the certification system, has been created and the system is already working[12].

According to the principle of free market access, stated in Article 4 par. 4 of the Decree 150/2001 and in Article 3 par. 1 of the EETT Regulation, certification service providers are not subject to a prior authorisation from the state or any other measure of equivalent effect (see also Article 3 par. 1 of the Directive 1999/93).

Nevertheless, every certification service provider is obliged to notify EETT of his activity and in particular, to send a notification containing the following information, which will be recorded in the register of certification service providers with establishment in Greece: a) name/trade name, address, telephone, fax number, e-mail address, Web Page, b) legal form, legal representatives and eventually, proxy attorney, c) VAT number, d) offered services.

The EETT holds a register of certification service providers established in Greece (Article 10 of the EETT Regulation) and can control the conformity of certification service providers with the provisions of the Decree 150/2001 and the Regulation (Article 12).

More stringent provisions apply for qualified signatures. In particular, the certification service provider, who issues qualified certificates, is under the obligation to submit a statement called Certification Practice Statement to the EETT; in this statement, the provider describes the procedure for the issuance of certificates and/or the provision of other certification services (Articles 10, 2 of EETT Regulation)[13]. Furthermore, the provider should conform to the requirements set out in Annexes I and II of the Decree 150/2001, which are identical with the Annexes in the Directive 1999/93, and send a statement that he complies with these requirements and further documents.

The providers, who issue qualified certifications, are due to provide evidence that as regards the issuance of the certificates they conform with Annexes I and II of the Decree 150/2001 (Article 3 par. 3 EETT Regulation). A provider is deemed to issue qualified certificates, if he proves that the certificates, which he issues, are conformity with recognised norms and standards (Article 3 par. 4 EETT Regulation).

Furthermore, certification service providers have to keep a file in document or/and in electronic format, containing the sum of data regarding the qualified certificates that the providers issue or administer; more specifically, these data include the time of issuance, annulment, suspension and expiration (article 7 EETT Regulation).

It is also important to note that the certification service provider before the concluding of a contract with a person who applies for a qualified certificate, should inform this person about his liability and responsibility as an owner of a qualified certificate, his obligations to store and protect the signature-creation data, the consequences arising from the publication of the signature-creation data, the certification policy and the Certification Practice Statement etc. (Article 8 EETT Regulation).

The above-mentioned provisions shape the limits of the liability of the certification service provider. The latter will be held responsible, in case he does not fulfil the requirements provided for qualified certificates. It is worth noting that the burden of proof lies on the provider, not on the signatory (Article 6 of Decree 150/2001)[14].

IV. Conclusion

The Greek legal framework concerning E-signatures is developed in conformity with the terms of the Directive 1999/93/EC. The relevant provisions of the presidential Decree No 150/2001 are in force since the National Telecommunications and Post Commission (EETT) enacted the Regulation No 248/71 of 15.3.2002, which regulated specific issues concerning the certification services for e-signatures, and a market for certification has already been created in Greece.



[1] European Commission, DG XIII, Ensuring Security and Trust in Electronic Communication, Towards A European Framework for Digital Signatures And Encryption, COM (97) 503, p. 1 et seq.

[2] See J. Angel, Why use Digital Signatures for Electronic Commerce?, JILT 1999 (2)

[3] OJEC no L 13 of 19.01.2000.

[4] See C. Spyrelli, Electronic Signatures: A Transatlantic Bridge? An EU and US Legal Approach Towards Electronic Authentication, JILT 2002(2), 8-9

[5] Cf. S. Stavridou, Greek Law on E-Signatures, CRi 5/2001, 155.

[6] Cf. I. Iglezakis, Regulations of Digital Signatures. The European Directive 1999/93/EC and the National Laws, Episkopissi Emporikou Dikaiou 2000, 638 [in Greek].

[7] Cf. S. Koussoulis, Regulating Electronic Commerce, RHDI 2002, 357-358; E. Zervogianni, Recent Legal Initiatives for the Regulation of E-Commerce in Greece, RHDI 2001, 605 et seq. (609).

[8] See K. Christodoulou, Electronic Documents and Electronic Contracts, 2001, 43-73 [in Greek].

[9] See e.g. Athens Single-Member Court of First Instance 1327/2001 [payment order on the basis of an e-mail], published in: Dike International (2001) 457 ff. See also I. Iglezakis, Electronic Documents as Legal Means of Evidence in Greece, to be published in RHDI 2002.

[10] See Areios Pagos 54/1993, HellDni 1993, 600 et seq; Athens Court of Appeal 807/2000, DEE 2000, 522 et seq.; S. Koussoulis, supra Note 6, 356.

[11] See Stavridou, supra Note 5.

[12] A small number of certification service providers has been registered until 25-2-2003 in the EETT, but it is expected that this number will be increased; see www.eett.gr/gr_pages/telec/eSign/Mitroo/EsignProviders.htm.

[13] The statement contains at the minimum information about the certification services, security mechanisms, the liability of the provider, the infrastructure, privacy and consumer protection mechanisms etc., see Annex I of EETT Regulation.

[14] See D. Maniotis, The electronic formation of contracts and the liability of third parties responsible for the authenticity of the electronic document, 2003 [in Greek], p. 74.

1 σχόλιο: