Introduction
On September 17 1999 the government approved Royal Decree 14/1999, which regulates the use of electronic signatures and those providing authentication services in Spain. The law is based on the common position adopted by the European Council of Telecommunications ministers on April 22 1999, on the proposal for a directive providing a common framework for digital signatures. The main aim of the law is to protect the security and integrity of electronic communications that use electronic signatures.
Diverse regimes existed in Spain. For example, the National Stock Market Commission had already established a system for encryption and electronic signatures, which is used for the submission of notifications by entities under the commission's supervision.
This law has been introduced in Spain before the final adoption of the EC directive because there is a business sector in Spain that could provide authentication services for electronic signatures of sufficient quality. The introduction of this law will help this business sector to compete with foreign competitors. Furthermore, in order to encourage the development of what is known in the European Community (EC) as the 'information society', the regime for using this technology with adequate security should be introduced as soon as possible. This will give users of new services confidence in the systems, which will allow their rapid introduction and use.
Digital Signatures
The aim of a digital signature is to verify the origin of a document and to ensure that the document has not been altered during transmission.
Article 2 defines the electronic signature as the combination of data in electronic form, attached to other electronic data, that allows the formal identification of the author. The act also provides for an 'advanced electronic signature' which allows identification of the signatory and can only be created by means within his exclusive control, so any subsequent modification of the data can be detected.
The law does not specify a particular system of encryption, but in order for a device for creating a digital signature to be considered secure it must:
- guarantee that the data used to generate the signature may only be produced once and reasonably assure its secrecy;
- provide reasonable security so that any procedure for verifying the digital signature cannot derive the data used for generating the signature, for example to falsify the signature;
- ensure that the data used to create the signature can be protected against use by third parties; and
- ensure that the mechanism for attaching the digital signature to an electronic document does not alter the content of the document to which it is attached.
Similarly, the mechanism for verifying the signature must allow:
- the signature to be verified reliably and to identify the signatory; and
- the verifier to determine the content of the document to which the signature is attached and whether that document has been altered.
Legal Effect of the Digital Signature
The law regulates the use of electronic signatures, the recognition of their legal effectiveness and the provision of authentication services to the public. The law does not affect the general regulation of contracts.
Article 3 provides that an advanced electronic signature that has been properly authenticated has the same legal effect as a manuscript signature and is admissible in legal proceedings. An electronic signature that does not fulfil these requirements is not invalid merely because it is in electronic form.
Authentication Services
Following a verification procedure, a provider of authentication services may issue a certificate confirming the identity of the signatory. If the provider conforms to the requirements of the law then this certificate will be considered as an officially recognized certificate.
The provision of authentication services is not subject to prior approval and is open without restriction to any organization originating in the EC. The law lists certain requirements for providers, including the following:
- providers must guarantee rapid and secure services and employ suitably qualified personnel to meet these requirements;
- providers of authentication services established in Spain must apply to be entered in a public register;
- when providing authentication services the provider must state the price before providing a certificate;
- the provider must keep a register of certificates issued, together with details of circumstances affecting their validity. All information and documentation relating to a certificate must be kept for a period of at least 15 years; and
- the provider must guarantee it is responsible for any damage or prejudice suffered by users or third parties, supported by a suitable bank guarantee or insurance.
The law lists certain requirements for the content of the authentication certificate including:
- the identity of the provider of the certificate;
- the period of validity of the certificate, not exceeding four years; and
- the anticipated use of the certificate.
A certificate will remain in force until, for example:
- the period of validity expires;
- it is revoked by the signatory because of unauthorized use by a third party; or
- serious errors are found in the data provided by the signatory in obtaining the authentication.
Inspection and Control of Providers
The general secretary for communications will supervise providers of authentication services and verify that they fulfil the requirements of the law. Providers must help the general secretary to perform this function by providing all necessary information. The general secretary has the power to require providers to take steps to comply with the law.
Since many aspects of the law are technical, it is expected that the government will enact further legislation to implement and develop this law.
For further information on this topic please contact Beatriz Satrustegui at Gomez-Acebo & Pombo by telephone (+34 91 582 91 00) or by fax (+34 91 582 91 21).