The Spanish Trust Services Draft Bill that would repeal Act 59/2003 on Electronic Signatures

Written on 23 Nov 2018

eIDAS Regulation has been directly applicable since 1 of July of 2016, but there were some issues left to be regulated by the EU Member States. Spain is in the process of approving the Draft Bill that will regulate all of those issues, as well as rectify any incompatibility between the Spanish E-Signature Act and the eIDAS Regulation.

When talking about e-signatures in Spain, it is necessary to remember that Spain was one of the first European countries to ever recognize a document signed through electronic means as legally valid. The national regulation (Royal Decree 14/1999, of 17 September, on Electronic Signature) was approved even before the Directive 1999/93/CE of the European Parliament and of the Council, of 13 of December 1999, on a Community framework for Electronic Signatures, the first EU legislation on eSignatures. The Royal Decree was meant to promote a fast incorporation of the then new electronic communications security technologies to the business activity, citizens’ daily life and the relationship with Public Administrations. This text was later modified by Law 59/2003, of 19 December, on Electronic Signatures (Spanish e-Signature Act) to comply with the provisions provided by the EU Directive and to strengthen what was the existing legal framework. With Regulation (EU) no 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (known as “eIDAS Regulation”) being directly applicable, the Spanish E-Signatures Act was left ineffective in all the features that were incompatible with the EU Regulation, but there were still some issues left to the Member States criteria that would have to be regulated by national laws. This would be the purpose of the Trust Services Draft Bill published by the Spanish Government. In general terms, the Draft Bill would mainly complement the eIDAS Regulation on the following points:

  • The establishment of a risk forecast scheme for qualified trust services providers.
  • The establishment of additional requirements at a national level for qualified certificates.
  • The establishment of a sanctioning scheme.
  • The verification of the identity and attributes of those that would be applying for a qualified certificate.
  • The establishment of the certain conditions to suspend certificates.

First of all, the Draft Bill introduces a regime on the allocation of risks for qualified trust services providers pursuant to which trust services providers would have to comply with certain obligations and would be held liable for any damage caused by the services provided. Nonetheless, the text also establishes some cases in which the liability of the trust services providers would be limited (i.e. when a customer does not provide them with accurate information). According to the Draft Bill, trust services providers would have to comply with the provisions established in eIDAS and some other additional obligations such as the following: the duty to retain/keep all the information relating to any services provided for a period of 15 years; the maintenance of a liability insurance policy for a minimum of 1,500,000 euros and an additional 500,000 euros for any other service provided that is contemplated in the eIDAS Regulation. Trust services providers will need to communicate to their customers (as well as the supervision authority) the cease of their business activities or any circumstance that may hinder their own activities with at least a two-month notice.

The Draft Bill also establishes certain obligations for trust services providers concerning data protection, expressly mentioning the rules of the General Data Protection Regulation. The Trust Services Draft Bill also states that service providers would have to make publicly available a report on their practices with a view to informing their customers about the services they are about to acquire.

The infringement of any of the obligations mentioned above or any other contemplated in the eIDAS Regulation may imply the application of the sanctioning system established in the Draft Bill. It establishes a range of various types of infringements and their corresponding fines depending on their seriousness. The fines corresponding to the infringement of the electronic trust services obligations may be up to e 300,000 euros.

As far as it can affect consumers, the Trust Services Draft Bill includes some provisions that would allow the withdrawal of a qualified certificate (i.e. concurring the request by the signatory or a court decision), and in some cases it would be possible to suspend the certificate. In addition, it is also envisaged how the identity of those applying for a qualified certificate will need to be verified: it will generally require the personification of the natural person that would apply or would represent the legal person applying for the certificate (save for the cases that the signature has been legitimated by a Notary Public). The Draft Bill also envisages the approval of a Ministerial Order that would regulate the technical conditions that would allow the remote identification of natural persons (once the technology is adequately developed).

As far as it can affect consumers, the Trust Services Draft Bill includes some provisions that would allow the withdrawal of a qualified certificate (i.e. concurring the request by the signatory or a court decision), and in some cases it would be possible to suspend the certificate. In addition, it is also envisaged how the identity of those applying for a qualified certificate will need to be verified: it will generally require the personification of the natural person that would apply or would represent the legal person applying for the certificate (save for the cases that the signature has been legitimated by a Notary Public). The Draft Bill also envisages the approval of a Ministerial Order that would regulate the technical conditions that would allow the remote identification of natural persons (once the technology is adequately developed).

The Spanish Trust Services Draft Bill would include some provisions giving special emphasis to the value as evidence of those services, which guarantees it to be the very same as the ones established by the Spanish Civil Procedural Act. In this sense, it is stated that if any party challenges the validity of a qualified trust service and requests an ad hoc expert report, the same party would have to pay for the costs and expenses involved in the preparation of the report. However, as far as probative value is concerned, we would like to highlight another provision that establishes that the loss of the relevant qualification by a service provider shall not bear retroactive effects, but the affected customers may not be able to use the qualified trust services provided thereinafter. Considering the above, we are uncertain how the affected customers may receive notice of this circumstance; or, more importantly, how a service provider would have to deal with security breaches corresponding to the services already provided during the time that it had a qualification. It must be noted that this may entail legal certainty problems, as a valid trust service that has been used may be vulnerable to security breaches if the service provider happens to lose its qualification.

Additionally, the Draft Bill also expressly repeals the Spanish E-Signatures Act and proposes some provisions that would rectify the incompatibilities that the Spanish E-Signature Act had in relation to the eIDAS Regulation. In particular, the Draft Bill states that only individuals would be able to sign electronically and legal persons would be compelled to use electronic seals (which were not envisaged by the previous Act). According to the Spanish E-Signature Act, a legal person that intends to sign electronically a document would have to designate a representative, which would have a specific certificate attributed to him/her to sign in the name of the entity. With the use of eSeals (envisaged in the eIDAS Regulation), the Draft Bill would simplify the application of trust services concerning legal persons. Likewise, this Draft Bill would not provide for the publication of information relating to non-qualified trust services providers, as their activity would not be previously verified by the supervision authority.

To conclude, the approval of this Trust Services Draft Bill is necessary as it would result in the consolidation in Spain of the new legal framework on eSignatures that was foreseen by Regulation 910/2014. Nonetheless, we must remember that this is just a Draft Bill and therefore there are some steps to be taken in order for the text to be approved and some amendments may still be included.