Legal validity of electronic signature
Electronic signing allows us to sign documents in a paper-free manner, but often raises many different questions. What is the legal meaning of the electronic signature? What form, platform, etc. would be wise to use? What are their differences?
Term “electronic signature” (or “e-signature”) covers several signature levels, including digital signatures. Although, the terms “electronic signature” and “digital signature” are often used interchangeably, they are not same. Future more not all signatures given electronically are digital signatures and their legal validity does not correspond to the handwritten signature. Both types of signatures are created online and are applied to online documents. However, digital signatures provide an extra level of security by using technology that encrypts the signature and ensures that the person signing is who they say they are.
First the choice of electronic signature depends on the form of transaction required by law. For example, according to Estonian law, there are transactions that can be made orally, there are transactions that can be made in a form that can be reproduced in writing (i.e., it doesn’t require handwritten signatures), there are transactions that must be in written form (i.e., it must contain handwritten signatures), there are transactions that can be done electronically (equivalent to a written form) and there are transactions that can only be notarized.
Secondly, the choice of electronic signature may depend on the preference of the party, i.e., even if the law does not require a handwritten signature or an equivalent electronic signature, the party may need a guarantee that the document has been signed by the authorized person, because any dispute over the validity of a transaction in connection with signing could be very expensive.
To avoid such disputes or to comply with the statutory requirement for a handwritten signature or an equivalent electronic signature, it must be identifiable (i) who signed the document; (ii) when it was signed; (iii) that the document has not been changed; and (iv) which qualified trust service provider has verified the signature.
In short it is necessary to clearly understand which electronic signature is equivalent to a handwritten signature in the context of law and which is not.
In practice there are three types of electronic signatures: Simple Electronic Signature (SES), Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES).
SES is an imprint of an electronically generated signature without any special technical features (e.g., an image of a signature copied to a PDF) and therefore doesn’t meet the basic requirements for electronic signing, which equal to a handwritten signature.
AES and QES are both recognized by Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS) (hereinafter “Regulation”) as more sophisticated and secure forms of electronic signatures, however they are distinguished in terms of security.
Pursuant to the Regulation AES must be uniquely linked to the signatory; capable of identifying the signatory; created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
Therefore, using the widespread AES (e.g., DocuSign, PandaDoc), it is possible to detect the time of signing and ensure that the content of the document remains unchanged but given that there is no intermediate qualified trust service provider, in practice it is not possible to be sure of the identity of the signatory. For example, the email address used for signing may be fictitious or used by a malicious third party. Hence AES is not considered to be an electronic signature equivalent to a handwritten signature.
According to the Regulation QES must meet the requirements of AES, but in addition it must be supported by a qualified certificate issued by a qualified trust service provider, whose credentials have been recorded in the trusted list. List of Trust Service Providers can be found here.
Qualified trust service provider verifies the signature, which ensures, among other things, the integrity of the content, the clarity of signing time and the signer's identity. Currently there are two trust service providers in Estonia: GuardTime OÜ and SK ID Solutions AS; one in Latvia: Latvian State Radio and Television centre and four in Lithuania: Identity Documents Personalisation Centre under the Ministry of the Interior, State Enterprise Centre of Registers, UAB BalTstamp, UAB Dokobit.
Digital signing, which term is widespread in Estonia, is equivalent to the so-called signature with the highest level of security, i.e., QES. In Estonia ID-card, digi-ID, mobile-ID, Smart-ID are used for digital signing and it is performed via the necessary ID software or RIA DigiDoc mobile app. In Latvia eID card, eParaksts mobile and Smart-ID are used for digital signing and in Lithuania GoSign, SignaWeb (only for adoc format) are used for digital signing.
When analysing the signed document QES is recognized by: (i) the signature certificate in the document; (ii) the issuer of the certificate indicated on the signature certificate and (iii) that the issuer of the certificate is a qualified trust service provider of the European Union (it has a QES certificate). If all these circumstances are identifiable, it is a qualified electronic signature. If such certificate is difficult to find or it is not clear whether it is a QES, it should rather be assumed that it is not QES.
Within the European Union QES must have the same legal effect as a handwritten signature. This means that if the law applicable to the transaction requires the document to be signed by hand or digitally, this would mean a QES. In other words, as long as the means of issuing an electronic signature is not qualified, we cannot speak of an electronic solution equivalent to a handwritten signature.
In conclusion, if the formal requirement of the transaction arising from the law allows it, platforms that offer only AES can be used to sign documents (e.g., in daily business practice), however, to avoid disputes over the validity of the transaction, it is recommended to use platforms that provide QES.