Legal recognition of an electronic signature: attention to the signature levels in the eIDAS regulation
The development of online contracts has encouraged the use of electronic signature solutions, which allow the signatory to sign the contract from their personal computer, without having to go anywhere.
But how valid is an electronically signed contract? Does a simple scanned signature affixed to a document have the same value as an electronic signature using smart cards and embedded electronic certificates, guaranteed by trusted service providers? What about intermediate solutions, such as "certificates on the fly", which are increasingly used to sign contracts over the internet?
According to article 1367 of the French Civil Code, an electronic signature will have the same legal value as a handwritten signature if it makes use of "a reliable identification process guaranteeing its link with the act to which it relates".
Recognition of an electronic signature is therefore linked to recognition of the reliability of the process used to sign it.
Current European regulations, in this case the "eIDAS" regulation no. 910/2014 of 23 July 2014, provide for three levels of electronic signature, from the least secure to the most secure:
- Simple signature, as defined in article 3-10 of the Regulation;
- Advanced signature, defined in articles 3-11 and 26 of the Regulation;
- Qualified signature, defined in article 3-12 of the Regulation.
In French law, Article 1 of Decree no. 2017-1416 of 28 September 2017 specifies that only a process implementing a "qualified electronic signature" benefits from a presumption of reliability.
It should be noted that the implementation of a qualified electronic signature has a very high financial and technological cost, as it requires:
- An advanced electronic signature, meeting the requirements of Article 26 of the Regulation (signature uniquely linked to the signatory, identification of the signatory possible, exclusive use of the signature by the signatory, subsequent modification of the document not authorised);
- a qualified signature creation device, for example a smart card mentioned on the European Commission list;
- a qualified electronic signature certificate, issued by a trusted service provider that is also qualified under strict conditions.
Thus, even if the presumption of reliability is a "simple" presumption, the signatory will find it very difficult to provide evidence to the contrary showing that he did not sign the document.
Implementing a qualified signature for B2C or C2C contracts entails a very high financial cost and demanding security requirements. As a result, most solutions only allow for unqualified signatures, which will only be admissible in court as evidence in writing, in the same way as an email or fax.
The burden of proof for the reliability of the process will therefore rest with the merchant or the electronic signature platform. This party will usually provide at least one "audit trail" covering the technical steps leading up to the signature (identification of the user on the platform, generation of the certificate, signature of the document, etc.).
The admissibility of an electronic signature in court is therefore closely linked to the quality of the electronic signature solution:
- Does it enable the signatory to be unambiguously identified? Could another person easily have signed the document in the signatory's place?
- Does the signatory have exclusive control over the signature data?
- Does the audit trail include enough information to demonstrate the reliability of the process?
- Will the information provided be easy to understand despite the technical nature of the solution?
Suppliers and users of these solutions will therefore need to consider in advance the admissibility of elements enabling them to demonstrate the reliability of their solution in the event of litigation.