Scholarly Lawyer: I have just the thing for you: clause 122 of the Data Protection and Digital Information Bill. Post-Brexit geopolitics meets digital signatures, a strange mixture if ever there was one.
ES: I’m guessing that this is about eIDAS.
SL: Correct. What do you know about it?
ES: An EU Regulation, domesticated following Brexit, which defines three categories of electronic signature: ordinary, advanced and qualified (QES). eIDAS has been a pet project of the European Commission for years, and some EU countries require a QES to be used for some transactions. However, English law hardly ever requires anything more than an ordinary signature: something as informal as a name typed at the end of an e-mail can suffice. So for most purposes we can ignore advanced and qualified signatures.
SL: Right again. The main point of a QES is that the identity of the signatory is certified by a third party Qualified Trust Service Provider (QTSP) approved by a national supervisory body. Conceptually that is closer to notarisation than to a manuscript signature. If you think about it, even a witnessed wet ink signature does not require the witness to verify the identity of the signatory. It would be a radical departure from the long-standing flexible English law approach to signatures if we were to start encumbering electronic signatures with those kinds of legal formality requirements.
ES: But isn’t it quite useful for a signature to have that degree of assurance attached to it? Anyone could type a name at the end of an email.
SL: For sure, there is a broad spectrum of electronic and digital signatures. They offer differing degrees of assurance of identity or document integrity, ranging from none to highly probative. Those features may go to the evidential weight that a court gives to a contested signature, but just as with manuscript (for which even a pencilled ‘X’ can count as a signature) we don’t generally impose a bright line rule invalidating signatures below a specified level of reliability or assurance. Absent compulsion by law, there has been little demand for the full-blown QES. Indeed, in the UK the Information Commissioner’s Office (the designated supervisory body) has still approved only one QTSP.
ES: So qualified signatures are a red herring?
SL: They cannot be completely ignored. In Scotland there are real estate transaction rules based on QES; and in England the Land Registry is running a QES pilot. So QES are significant in that limited sphere. In the future there may be a move to allow deeds generally to be executed by means of a digital signature instead of witnessing. There would no doubt be suggestions that the full panoply of a QES should be required for that.
ES: That’s all by way of background. What does this Bill do?
SL: Within the EU, a QTSP approved in one EU country counts as a QTSP throughout the EU. Following Brexit, the UK unilaterally retained recognition of EU QTSPs. So an EU QTSP can still certify a QES for UK law purposes. The EU, on the other hand, ceased to recognise UK QTSPs (such as exist) post-Brexit.
Clause 122 of the Bill would give the Secretary of State power to lay regulations withdrawing UK recognition of EU QTSPs. Conversely, the SoS could extend recognition to foreign QTSPs (or equivalent) on a country by country basis, including countries outside the EU.
ES: So if the UK were to withdraw EU-wide recognition on Day 1, that would radically diminish the pool of available QTSPs that could certify a QES under UK law?
SL: Indeed so, unless automatic recognition were simultaneously extended to every EU country individually, or if EU QTSPs en masse applied for UK ICO approval. Clause 121 smooths the path for EU QTSPs to obtain approval, by deeming an EU conformity assessment report under eIDAS to have equivalent status to one issued by a UK conformity assessment body.
ES: So instead of recognising an EU QTSP itself, we could end up recognising a QTSP’s EU conformity assessment, wave it through and arrive in much the same place?
SL: It looks that way.
ES: So what really is the point of this legislation?
SL: It is difficult to be sure. Perhaps the UK government is miffed that the EU won’t mutually recognise UK-approved QTSPs, and wants to try to exert negotiating pressure on Brussels by taking power to withdraw recognition. (But one has to wonder whether withdrawing automatic recognition of EU QTSPs would merely shoot ourselves in the foot by cutting off the supply of qualified trust services in the UK.)
Perhaps there is an undercurrent of post-Brexit jingoism: what we really need to make the UK the best place in the world to transact online is a sturdy, copper-bottomed, certifiably British digital signature.
ES: What does the government say?
SL: The official answer that the Minister gave in the House of Commons last year was that the power enables revocation if continued unilateral recognition “no longer meet[s] the needs of the UK market”. The version in the Bill’s Explanatory Notes is: “should the continued unilateral recognition of EU qualified trust services no longer be appropriate”.
Various DSIT memoranda to Parliamentary Committees contain a third, more illuminating version: “either because the EU changes its current trust service standards, and/or the UK qualified trust service market matures to an extent that it is no longer appropriate to unilaterally recognise EU qualified trust services.”
None of these criteria is stated in the legislation itself, which places no constraints or conditions on the exercise of the power.
ES: I can see that the government might not want to be tied to possible future changes in EU law. But how would maturity of a UK market determine whether it is still appropriate to continue unilateral recognition?
SL: It sounds like: “Are there now enough UK QTSPs that we can afford to cut off QTSP services supplied from the EU?”. You could call that 21st century digital mercantilism. Go back to 1684 and we find, in Philipp Wilhelm von Hornick’s tenets of mercantilism: “That no importation be allowed if such goods are sufficiently and suitably supplied at home.”
ES: Digital Corn Laws?
SL: Very apposite. A feature of the protectionist mindset is to look at the issue solely from the perspective of producers, at the expense of consumers and the general public. How, we might ask, would the general public benefit from taking what is already a prescriptive, complex technology specification (albeit one rarely required by UK law) and grafting a narrower geographic restriction on to it?
In short, the public would not benefit. On the contrary, in the shape of the unwary user the public is put at risk. Austria provides a vivid example: a €3bn contract to supply double-decker trains to Austrian Federal Railways was invalidated by a judge who noticed that the contract was signed with a QES supported by a Swiss, rather than an EU, TSP.
It is for this kind of reason that the UK (or at least English law) is traditionally chary of imposing formalities. Requiring a particular kind of defined signature for a transaction to be valid is a more technically obscure, 21st century version of the Statute of Frauds, of which an official committee report of 1937 said:
“‘The Act’, in the words of Lord Campbell ... ‘promotes more frauds than it prevents’. True it shuts out perjury; but it also and more frequently shuts out the truth. It strikes impartially at the perjurer and at the honest man who has omitted a precaution, sealing the lips of both. Mr Justice FitzJames Stephen ... went so far as to assert that ‘in the vast majority of cases its operation is simply to enable a man to break a promise with impunity, because he did not write it down with sufficient formality.’”
Where UK law does require a QES (which it is to be hoped will remain the exception) it would be doubly unwise to introduce a regime that would invalidate an otherwise perfectly satisfactory QES simply because the certifying QTSP was on the wrong side of the Channel.
ES: Weren’t many of the Statute of Frauds formalities abolished in 1954?
SL: Indeed so. It would be beyond ironic if irritation at EU unwillingness to reciprocate recognition of QTSPs, or perceived national interest in fostering a self-sufficient UK trust service provider industry, resulted in the UK heading down the road of the kind of prescriptive formalities associated with civil law jurisdictions and which England and Wales, as a common law jurisdiction, long ago rolled back.
ES: Thank you. My essay awaits.