24.10.2024

Legal effects of different types of electronic signature and the risks associated with them

Law no. 214/2024, on the use of electronic signature, time-stamp and the provision of trust services based on them ("the Act"), which recently entered into force (October 8, 2024), has the stated purpose in Art. 1 to create "the domestic legal framework for the direct application of Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23, 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, hereinafter referred to as Regulation (EU) No 910/2014, and for the regulation in the domestic legal order of measures left to the discretion of the Member States."

Among the measures left to the discretion of the Member States is, according to paragraph 49 of the Regulation, also the determination of the legal effects of different types of electronic signature. The only requirement imposed by the European legislator is that a qualified electronic signature must have legal effects equivalent to those of a holographic signature in any of the Member States.

Article 3 para. 2 of the Law once again enshrines this principle, providing, in accordance with the Regulation, that "a legal act in electronic form, signed with the type of electronic signature provided for by law or with a qualified electronic signature, shall produce the same legal effects as the same legal act in written form". The adjective 'letric ' is not explained either in the Explanatory Dictionary of the Romanian language or in other known dictionaries. It is only mentioned in the latest edition of the Orthoepic, Orthographic and Morphological Dictionary (DOOM 3), but only to specify that it is part of the terms 'format letric ' or 'forma letrică'. The wording chosen by the legislator may therefore give rise to confusion, but it must obviously be interpreted in the sense already provided for by the Regulation, namely that electronic documents signed with a qualified electronic signature have the same effects as those on a physical medium (usually paper), signed in holographic form. This idea is also reiterated in Article 4, para. 1 of the Law.

Moreover, if the written form is required as a condition for the validity of a legal act, the electronic document fulfills this requirement only if it has been signed with a qualified electronic signature or an advanced electronic signature which, under Article 4 para. 5 of the Law produces the same effects as a handwritten signature.

On the other hand, if the written form is required only to prove the existence of a legal act, the electronic document fulfills this requirement if it has been signed with a qualified electronic signature, an advanced electronic signature or a simple electronic signature which, under the conditions of Art. 4 para. 9 of the Law, produces the same effects as a handwritten signature.

This distinction made by the Romanian legislature is difficult for a jurist to understand, given that an unsigned document on a tangible medium is not a writing, either if the written form is required ad validitatem or if it is required ad probationem, but at most the beginning of a written proof. Equivalently, all electronic documents bearing signatures to which the Law confers the effect of a holographic signature should be considered valid irrespective of whether the written form is required for the validity or the evidence of the legal act. The intention of the Romanian legislator was probably to safeguard the security of the civil circuit by eliminating the possibility of drawing up valid legal documents signed with a simple electronic signature, which by definition is rather unreliable, if the written form is required for the very validity of the document. If this is the case, we believe that this concern should also have taken the form of eliminating the possibility of signing electronic documents with an advanced electronic signature, for which the written form is required ad probationem.

However, under Article 4 para. 4 of the Law, if the existence of a written document is required only as a means of proving a legal act, a simple advanced signature, even if it does not, according to the Law, produce the same effects as a handwritten signature, is sufficient to prove the existence of the legal act. This means that, in practice, the majority of transactions could be carried out simply by the application of an advanced signature, even if it is not recognized as a holographic signature.

Apart from the obvious paradox, this recognition raises major problems from the point of view of the security of the civil circuit, even though, according to the Regulation, an advanced signature should apparently be as secure as a qualified signature, since it must cumulatively meet exactly the same requirements:

(a) refer exclusively to the signatory;

b) enable the signatory to be identified;

c) it must be created using electronic signature creation data that the signatory can use, with a high level of confidence, under his sole control

(d) it is linked to the data used in the signature in such a way that any subsequent modification of the data can be detected.

In reality, things are not so simple. In the case of qualified electronic signatures, the fulfillment of all these conditions is certified by a qualified trustworthy service provider, which also assumes liability (insurance is mandatory). In the case of advanced e-signatures, there is no such pre-certification, so there is no clear-cut way for the courts (let alone for persons who conclude legal acts) to identify that a signature is truly advanced, i.e. that it really meets the four cumulative conditions set out above. Moreover, advanced signatures may not even be based on a certificate issued by an unqualified trust service provider, as other technologies may be used (Art. 3 (3), final sentence of the Law). In other words, there is a risk of using a signature which is only in appearance advanced, but in reality a simple electronic signature. Even if the advanced signature is issued by an unqualified trustworthy provider, he is not obliged to have civil liability insurance, he is not subject to serious ex ante checks (as qualified providers are subject to, according to Art. 24 of the Regulation). Of course, they also have to fulfill certain conditions laid down by the Romanian law, but their activity is not subject to prior verification by the Supervisory and Regulatory Authority (see Art. 10 paragraphs 2 and 3 of the Law), nor are they obliged to take out professional liability insurance. In case of negative consequences, these unqualified trust service providers always have the option to go into insolvency, thus escaping liability.

Another issue raised by this piece of legislation is the scope of membership of a closed electronic system, where a legal person can issue an advanced electronic signature which, according to the law, has the same effect as a handwritten signature. Moreover, within a closed electronic system, the members of the system can agree on the value and legal effects for any type of electronic signature. The closed electronic system is defined in Art. 2 para. 2 lit. c) of the Law as "an electronic platform used by a defined set of participants, within the same entity or established by it, whose processes have no direct effect on third parties and with which it is not possible to interact directly from outside the entity where the system is implemented, used for the entity's internal procedures, for services provided by the entity to its customers or for any other similar purposes." In the face of this seemingly rather broad definition, the natural question arises: can the legal entity, the creator of such a closed electronic system, establish that its customers themselves are members of the system?

From our point of view, the answer can only be in the negative, since the grammatical interpretation of the text leads to the conclusion that such an electronic platform may be used by a defined set of participants, that is to say a defined, not determinable, number of participants, who may be inside or outside the entity, but who have a collaborative relationship with the entity for the provision of services to customers. In other words, the members of the system may internally circulate acts preparatory to the provision of services, but the legal act by which the customer enters into direct relations with the entity cannot be signed through the closed system.

Furthermore, if customers were to be considered as members of the closed electronic system, other legitimate questions would arise:

(a) what is the concrete mechanism in which the participants agree (sign), especially if it is a supplier-consumer relationship, where the supplier has a dominant position vis-à-vis the consumer and can easily impose any condition, because a consumer has no choice but whether to accept that condition or not?

(b) what is the link between the identification of participants for access to the system, which may be carried out at a substantial or high level, and the actual signing of legal documents (e.g. a contract for gas connection), which in the legislature's view could in this case be carried out even by a simple electronic signature which does not meet any certainty requirement as to the consumer's real will

c) what is the purpose of the auditing procedure in the case of closed electronic systems managed by one of the participants in the transaction itself - for example, how can an auditing process guarantee the traceability of the actions of a supplier's representatives in the computer system which it manages itself, with access to consumers' personal data; moreover, how can the consumer prove possible fraud by certain representatives of the supplier who have made unauthorized use of his personal data?

Consequently, the way in which the measures left to the Member States by the Regulation are regulated by Law no 214/2024 raises a number of problems in terms of the risks associated with the effects established by the legislator for advanced electronic signatures. The most secure way of identifying the person remains the use and the claim of use of the qualified signature in the procedure of signing electronic documents.

An article by Dan-Rareș RĂDUCANU, Senior Partner (rraducanu@stoica-asociatii.ro), STOICA & ASOCIAȚII.