Translation and Commentary by Christopher Kuner
Translation copyright 1998 Christopher Kuner. Reproduction is permitted, provided that this translator's note, including the above copyright notice, is retained in its entirety.
Commentary: The following is a translation of the German government's formal comments on an earlier version (version of March 6, 1998) of the EU Draft Directive on Electronic Signatures. The comments reflect the government's concerns with the draft, in particular concerning the following points:
- Scope. The government is concerned about the wide scope of the Directive, and would prefer that it be limited to digital signatures (i.e., signatures using asymmetric cryptography), rather than to "electronic signatures".
- Technical standards. The German government would prefer more detailed technical standards than are provided for in the Directive, in order to reflect the German digital signature legislation.
- Liability. The government expresses concern that the liability scheme envisioned in the Directive is incompatible with German law.
- Signatories. In keeping with German law in general and with the German digital signature legislation in particular, the government urges that only natural persons be allowed to issue electronic signatures.
- Writing requirements. The government expresses concern about the wide-ranging provisions in the Directive granting electronic signatures legal equivalence to handwritten signatures.
Government of the Federal Republic of Germany, Bonn, April 8, 1998
The Federal Government shares the view of the European Commission that a common European framework for the use of digital signatures in electronic commerce is necessary. It therefore supports the concept of a free internal market for digital signatures and certification services introduced by the Commission and its Communication of October 8, 1997 concerning Security and Trust in Electronic Communication.
The Federal Government also shares the view of the European Commission that a Common Market Directive of the Council and the European Parliament can be an appropriate way to advance the goals of the Treaty on the Founding of the European Community in the area of the use of digital signatures. Since the German legislation, i.e., the Digital Signature Law of July 22, 1997, is also based on a technologically-open conception, such a Directive on the European level should also be structured to be technically open, and, like the German legislation, should be functionally based on the authenticity of electronically communicated messages as well as their integrity.
However, the German government believes that a conception which is technically open does not require the inclusion of all electronic signatures in a Directive. Rather, a European framework should be limited to digital signatures, and thus to a technical concept for guaranteeing authenticity and integrity which can satisfy the high technical security standards required in electronic commerce. This gives potential users of digital signatures reliability and legal certainty. The Federal Government does not view as helpful a technical neutrality which could also lead to insecure and not very usable electronic signatures having harmful effects on electronic commerce. Against a background of increasing requirements of industry for the security of electronic communication and investments which have already been made, the Federal Government supports a high standard of technical security for those digital signatures recognised in the European common market. The major elements of security standards should as far as possible be already defined in the proposed Directive; the German government believes it is not sufficient if the definition of technical requirements is left completely to the European Commission and to the Committee process.
A proposed Directive should, following the basic Community principle of subsidiarity, be limited to harmonisation of minimal standards for secure digital signatures in a common market, the ordering of free circulation of certification services, and ensuring mutual recognition of digital signatures which comply with the requirements. Intrusions on the law relating to liability, evidence, and written form of the Member States which go further and are not justified by the purpose of harmonisation of legal rules concerning digital signatures are on the other hand rejected by the German government. The German government believes that any changes in these legal areas should require careful documentation of whether and to what extent they are absolutely necessary in order to create a common market for certification services concerning European digital signatures. The German government believes that implementation of the legal concepts expressed in Consideration 8 of the draft Directive would in this respect be sufficient.
The area of application of the Directive should from the beginning be limited to electronic commerce in goods, services, financial services, and other capital transactions. In addition to closed user groups, highly personal legal transactions such as testamentary agreements, marital agreements, or donations should not fall in the area of application of the Directive.
With regard to Article 2, paragraph 1, the German government believes that the inclusion of electronic signatures in the area of application is not justified, since thereby certainty concerning the necessary technical security of concepts for electronic signatures is lacking. The substantive security requirements mentioned in Article 2, paragraph 1 should therefore be exclusively related to digital signatures. At the most, a clause could be included in a closing provision of the proposed Directive under which electronic signatures could be equated to digital signatures within the meaning of the Directive following a Committee proceeding.
With regard to the digital signatures mentioned in Article 2, paragraph 2, the Federal government shares the Commission's view that these can only be recognised if they are used by natural persons and the natural person acting is ascertainable. This is, for example, possible by use of a so-called attribute certificate. Since in electronic commerce a declaration of will must always be able to be traced back to a natural person, it would adversely impact the security of transborder trade in goods and services if a digital signature could also be used by anonymous legal entities such as corporations or associations without a concrete relationship to a particular person. This is, however, clearly not intended. In accordance with this interpretation, the Federal Government also agrees with the definition of a signatory in Article 2, paragraph 3 and also with the other definitions concerning digital signatures.
The Federal Government rejects the connection to digital signatures of legal matters beyond mutual recognition, based on the principle of the subsidiarity of European rules, if it cannot be specifically shown that such a connection is absolutely necessary for the realisation of a functioning Common Market.
Concerning the rules on presumptions in Article 3, paragraph 1 of the draft Directive, they are only necessary and advisable if the security requirements of digital signatures are so high that the security infrastructure of the certification authorities and the users actually guarantees the identity of the document and of the issuer. The German government believes that the proposed Directive should therefore include clear technical requirements, so that the presumption rules of Article 3, paragraph 1 do not rely on an arbitrary basis. A presumption can only be a relaxation of evidentiary rules if it assumes typical actions which are also easily demonstrable. This life experience does not exist at the present time concerning various signature techniques, so that there are doubts concerning the use of a presumption rule. The German government furthermore finds the presumption of intentional affixing of the signature in Article 3, paragraph 1, letter c to be impracticable, since as a rule a declaration of will upon the affixing of the signature is not documented and therefore refutation of the presumption would be practically impossible.
The German government finds that the proposed intrusion in Article 3, paragraph 2 in written form provisions of the Member States goes too far. It should be left to the Member States to require hand-written signatures for legally-significant declarations for reasons of consumer protection or for other reasons, particularly those concerning public law, and it should likewise be left to them in what cases they want to equate digital signatures with declarations subject to form requirements. The German government believes that a non-discrimination provision would therefore be sufficient to secure a functioning internal market, particularly since by far the greatest number of transactions in electronic commerce are not subject to any form requirements. Furthermore, Article 3, paragraph 2 provides from the German point of view reason to consider the relationship of written form requirements in numerous other Community Directives to the law of digital signatures, and to examine whether a rule should not be included in the proposed Directive that the writing requirement of other Community Directives should not hinder national legislatures from optionally substituting digital signatures for written form in their implementation into national law.
The German government believes that Article 3, paragraph 3 is superfluous, since the law of the Member States guarantees that all necessary types of evidence can be presented in court. If it could be demonstrated that such a rule is actually necessary regarding the law of certain Member States, then based on Consideration 8 it would have to be expressed negatively as a non-discrimination provision.
Article 3, paragraph 4 expresses a legal consideration which the German government believes is absolutely necessary. The list of grounds for rebuttal contained in Article 3, paragraph 4, should however not be understood as being all-inclusive insofar as it concerns the refutation of the presumptions under paragraph 1. In this regard proof of the opposite would have to be admitted without any limitation.
With regard to Article 3, paragraph 5, it should already be clear from the area of application of the Directive that use of digital signatures in the area of public law of the Member States is not regulated. The Member States should be allowed to regulate autonomously the requirements that they wish to place on digital signatures in areas which do not fall under the area of application of the Treaty on the Founding of the European Community.
Moreover, the German Government recommends that a clear internal market clause be inserted in Article 3 or in another place in the Directive, under which the Member States could not hinder the free exchange of certification services in digital signatures solely because they are communicated in electronic form.
The Federal Government shares the view of the European Commission that certification services should not per se be subject to authorisation or licensing. However, since under the directive the Member States will be obligated to guarantee high technical security standards in order to guarantee the security of digital signatures, they must be able to introduce voluntary licensing procedures, and to require licensing for licensing services which in their scope exceed the minimum requirements. The Federal Government would like to point out that in Germany the licensing of the corresponding certification authority is a requirement under the Digital Signature Law for government recognition of digital signatures.
Against this background, the Federal Government is of the opinion that appropriate minimum standards for offers of certification services in the common market should be included in Article 4, paragraph 4. Article 4, paragraph 4 should expressly provide that it applies to certification services for digital signatures which must meet the requirements of Article 2, paragraph 1. Furthermore, also the technical requirements of Article 2, paragraph 2 should be mentioned in Article 4, paragraph 4, and the substantive technical requirements that have to be fulfilled should be more closely defined, in order that those digital signatures to which the certification service refers may be deemed to be secure. The definition of the technical details should not be left wholly to the European Commission or to a Committee procedure under Article 9. The German Government believes that, in any event, the substantive technical requirements should be explicitly and directly mentioned in the Directive.
The German Government believes that the requirements for a qualified signature certificate under Article 5, paragraph 1 should be limited to the substantive requirements for authenticity and integrity of electronic commerce. Thus, elements such as are included in letters h and i should, based on the content of Article 6, be deleted as exceeding what is necessary. In Article 5 it should in any case be clarified that qualified certificates can only refer to digital signatures of natural persons. The German Government believes that only in this way can the security of electronic legal transactions be appropriately taken into account.
The German Government believes it is sensible to have the basic requirements for qualified certificates be later expanded via a Committee procedure of the European Commission, and therefore has no concerns in this regard.
Regarding the liability of certification authorities, the German Government believes that a distinction should be made between contractual liability and non-contractual liability to third parties. Based on the principle of subsidiarity of the proposed Directive, the Federal Government rejects the inclusion of non-contractual liability of certification authorities to third parties. Such a special liability rule, which does not exist in domestic German law, would far exceed what is necessary for harmonisation of the internal market and would constitute a harmonisation of liability rules of Member States, which has so far not been attempted with any of the Community Directives concerning the provision of services. A regulation of liability of certification authorities to third parties such as the Commission proposes would create a liability regime that was much stricter than that which exists under existing Community Directives for lawyers, notaries, architects, and doctors. The Federal Government is afraid such a liability regime would inappropriately burden European offerors of certification services, who are in competition with providers from the US and Asian legal systems, and would thus burden them in their competitiveness. Such a regulation of liability which would be burdensome on business is from the point of view of the German Government not necessary to create a common market for certification services.
Even if such a regulation of liability were provided for, the German Government finds the European Commission's concept for the individual regulatory elements to be rather unclear. In this regard the question arises whether under Article 6, paragraph 6 certification authorities should be allowed to limit their liability also in cases of intentional damage. German law does not allow any limitation on the amount of liability in cases of liability based on fault. If a liability rule were adopted, then the German Government believes that it should be limited to this basic principle. Furthermore, it would have to be clearly articulated in Article 6 that without any doubt there is to be no question of strict liability for certification authorities. Furthermore, if a liability rule were even to be suggested, then the structuring of the details of such rules should be dispensed with and left to the law of the Member States.
The German Government believes that Article 7 should contain a complete and clear list of requirements under which certification services from third countries outside the European Community may freely circulate, and under which corresponding digital signatures may be recognised. Because of the WTO, the German Government does not favour a rule under which the recognition of digital signatures outside the Community is dependent on special bilateral or multilateral treaties between the European Community and third countries. Rather, the basic principle of non-discrimination under the WTO requires that all digital signatures of corresponding technical security may basically be recognised in the Common Market. In any event, a restriction on the free circulation of digital signatures from third countries which violates the WTO should be avoided in the proposed Community Directive.
The Federal Government supports the application of the EU Data Protection Directive and of the so-called Telecommunication Data Protection Directive in the area of digital signatures. Moreover, the directive should provide that storage of the private signature key outside the storage medium for the key which is at the user's disposal should not be permitted (uniqueness of the private key).
The Federal Government agrees with the Commission that a Committee procedure will be necessary. However, in this procedure it should be ensured that the governments of the Member States have substantial weight, since the decisions to be made are of extraordinary importance for legal transactions in the Member States and will also have effects on matters which exceed the area of application of the proposed Directive. Because of the extraordinary importance of these decisions, the Council should be explicitly involved in this procedure. A mandatory participation of industry and user groups should occur separately before the Committee procedure.
The Federal Government suggests that the notification procedure provided for in Article 10 for names and addresses not only be extended to the national licensing authorities, but also to certification authorities licensed in the individual Member States. All national licensing authorities or other competent government agencies of the Member States should be included in the exchange of information, so that they may have an overview of which certification authorities exist in the individual Member States and how the other Member States guarantee that they fulfill the requirements of the Directive.
The German Government feels that the implementation period for the Directive should not be too short. Since this is a difficult subject which will probably also require changes in German law, the implementation period should be three years, as is the case with other Common Market Directives.