E-Signatures and the EU — Boiling the Ocean Takes Time
This is the first in a two-part article.
Should you be concerned that your e-signature deals with European firms aren’t “good enough” to be valid?
First, and without getting myself overly deep into legal waters, a quick recap. If you weren’t aware of this, Europe isn’t built upon the same legal principles as the USA (and other English-speaking countries and former British colonies), which rely on common law (i.e., with court cases establishing precedent over time). Aside from the UK, the EU countries use civil law (which goes back to the Romans), with codes or statutes that take precedence over court cases.
How does this apply to contracting and e-signatures? Well, the EU has been obsessing for some time over the perfect approach to codifying what a signature is, how it is handled and validated, etc. In legal terms, they are trying to create a signature that constitutes a rebuttable presumption – meaning that if you have an executed document in your possession, it is then up to the other party to prove that the signature is not valid. The benefit for buyers is that they don’t have to prove that the supplier did in fact sign off on the terms – and conversely, suppliers can rest assured that you are actually authorized to make purchases on behalf of your organization, and that the contract value is within your level of spend authority.
The last part is what becomes troublesome in practice. The Europeans are trying to embed a power of attorney into the signature. Specifically, in addition to the authentication and validation of who is signing, they also want to embed the sign-off dollar (or euro) limit and a time validity range (outside of which the signature becomes invalid), as well as drag certificate service providers into the mix with a liability clause.
The EU has been at this for some time now – at least since 1999 – when they codified the “qualified” signature (the rebuttable presumption level) as a tier above the simple or basic e-signature. The public sector is primarily driving the use of this, with the private sector largely ignoring this level of qualification at the signature level. Firms like DocuSign have participated in this effort from the beginning. I had the pleasure of speaking with their Chief Legal Officer Ken Moyle last week, and he cheerfully seconded my analysis of the EU undertaking this in a “boil the ocean” fashion. A peer-to-peer based approach to aligning the Europeans around a common approach isn’t easy. With 28 member countries and the expansive approach of the qualified signature, getting a consensus is difficult.
There are more problems with the EU approach. Keep in mind the e-signature solution provider liability mentioned above. This requirement, along with the complexity of the specifications, leads to a limited number of certificate authority (CA) providers per country that provide these services (right now only one or two!). Lack of competition isn’t good.
Then there are interoperability issues where cross-border approaches aren’t working (for example, a French approach is really only accepted in France).
Creating the European Digital Single Market is the EU’s goal, and it’s a complicated one. Typical central European process (over)thinking, one could say. For those interested in current progress, “Mandate M/460” (under way in the EU since January 2011), which covers a European Commission initiative, backed by the member states, to deliver a coordinated response on the deployment of the European Digital Single Market, has recently been released to the public for feedback. Specifically, it states that “signatures, identification and secure electronic authentification [sic] should help securing e-business transactions and e-services in Europe.” Indeed – it wouldn’t be secure if it isn’t securing anything, now would it?
In a rather stealthy move, M/460 was posted right before Christmas. It’s open for review until January 15, so there are still 10 days left to provide comments. The latest ETSI drafts cover "Signature Creation and validation, and Trust Service Providers Supporting Electronic Signatures" in the EU, the details of which you can read here.
Check back tomorrow for the second part of this article.