Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

Digital identity management and trust services will be the main themes of the colloquium convened by the Secretariat of the United Nations Commission on International Trade Law (UNCITRAL), which will take place on 21 and 22 April 2016 at the Vienna International Centre.

During the meeting, Working Group IV (Electronic Commerce) will focus on the legal issues related to identity management and trust services, with a view to compiling information on the scope and methodology of future work in that area. The session will be attended by Professor Giusella Finocchiaro as Chair of the Working Group and representative of the Italian Government at UNCITRAL.

For further information please consult the section covering Working Group activities on the UNCITRAL website.


As already announced, the Italian Data Protection Authority has approved a general provision on biometrics, which is in the process of being published in the Official Gazette.

Given the ever wider use of devices and technologies for the collection and processing of biometric data, mainly for personal identification, access control and the signing of electronic documents, the Authority's action aims to provide a uniform framework that can serve as a basis for recommending technological choices, adapting processing to the requirements of the Privacy Code and verifying compliance with security standards.

Biometric data are by their very nature directly and unequivocally related to an individual and are generally constant over time, which reflects the profound relationship between a person's body, behaviour and identity. For this reason the adoption of biometric systems for the collection and processing of data may entail specific risks for fundamental rights and freedoms as well as for an individual's dignity.

However, within the varied landscape of biometric technologies, and with a view to simplification, the Authority has identified certain types of processing which present less risk and which, unlike other types, do not require preliminary verification by the Authority. The exemption is granted on condition that all necessary measures and appropriate technical precautions are taken to achieve the security objectives identified by the provision, and that the general requirements of lawfulness laid down by the Privacy Code are met.

There is no need to apply for preliminary verification for the following four types of processing:

1. Signing of electronic documents. Biometric data captured when a handwritten signature is applied may be processed by graphometric signature systems that underpin an advanced electronic signature solution. Processing is permitted only with the express consent of the person concerned, given on signing up for the graphometric signature service and valid for all documents to be signed until it is withdrawn. Consent is not necessary in the public sphere, where specific institutional purposes are pursued. In any case, alternative methods must remain available, such as paper signatures or electronic signatures that do not involve the use of biometric data.

2. Digital authentication. The biometric characteristics of a person's fingerprints or voiceprint may be used as credentials to access databases and computer systems, also without the user's consent.

3. Physical access control. The biometric characteristics of fingerprints or the topography of the hand may be processed to restrict access to areas considered "sensitive" or to allow only qualified operators to use dangerous machinery and equipment. Here too, processing may take place without the user's consent.

4. Facilitation. Fingerprints and the topography of the hand may be used to allow physical access to areas in the public domain (e.g. libraries) or in the private sphere (e.g. reserved airport areas). In this case processing is permitted only with the consent of the persons concerned, and alternative arrangements must still be provided for those who refuse to provide their biometric data or to consent to its processing.

Given the complexity of the matter in relation to the rules on the processing of personal data, the Authority has attached to its provision a document containing the "Guidelines on biometric recognition and graphometric signatures", which had already been submitted to public consultation, and a special form to be used for notifying the Authority of breaches of biometric systems. To help prevent theft of biometric identity, all data breaches or cyber incidents that may significantly affect biometric systems or the data they collect must be communicated to the Italian Data Protection Authority within 24 hours of discovery.

While awaiting publication of the provision in the Official Gazette, we invite you to browse through it and its attachments on the website of the Italian Data Protection Authority.


posted by admin on November 25, 2014

Electronic signatures

The long-awaited provision of the Italian Data Protection Authority on biometric recognition and graphometric signatures was recently signed and published in the Register of provisions (decision no. 513 of 12 November 2014).

The provision governs the processing of biometric data for the purposes of computer authentication, access control and the signing of documents. An analysis of the changes introduced will soon be published on our blog.

You can find the document (in Italian) on the Italian Data Protection Authority website.


As previously mentioned on this blog, the 49th session of the Working Group on Electronic Commerce of the United Nations Commission on International Trade Law (UNCITRAL) was held in New York from 28 April to 2 May 2014.

At the start of the session Giusella Finocchiaro, the Italian UNCITRAL representative for electronic commerce, was unanimously elected chairperson.

The Working Group is working on a detailed document on Electronic Transferable Records, which could form the basis of a new model law. This work is drawing to a conclusion.

The basic principles guiding the Working Group have been reaffirmed: technological neutrality and non-discrimination between paper and electronic documents, keeping any impact on national law to a minimum.

The 50th session of the Working Group will be held in Vienna from 10 to 14 November 2014.

A recent decision by the Italian Data Protection Authority authorizes the use of the graphometric signature on tablets in the banking sector.

The system, which was submitted to the Italian D.P.A. for preliminary verification, is fairly complex, split into different phases and involving a number of different parties.

The technology used captures the dynamic characteristics of a customer's signature by analysing criteria that can be derived from the act of signing, such as the speed of the stroke, its pressure, acceleration, inclination and so on.

The system is intended to be used by financial promoters for customer authentication and for subsequent operations. There are two main phases: first, the collection of the specimen signature, to be used as a reference for comparison in order to protect the customer; second, the signing of documents with the electronic signature.

As set out in the decision, the specimen signature, together with the customer's identification data, is transmitted by the bank through secure encrypted channels to the certifier, who validates the request and issues the digital certificate associated with the applicant. All subsequent signatures are likewise transmitted in encrypted form to the certifier's server, which verifies that they correspond to the specimen signature and that the serial number of the tablet used is in fact listed.

This system reduces the risk of fraud, in particular fraud related to identity theft.

As usual, the Authority draws attention to the adoption of specific measures to protect personal data. With particular regard to the use of mobile devices, the D.P.A. recommends that biometric user data be processed with all appropriate security measures, so as to minimise the risk of unauthorised software installation or malware infection.

According to the D.P.A., remote wiping must also be adopted, so that the contents of tablets that have been tampered with, lost or stolen can be deleted remotely.

Moreover, the processing of biometric data is subject to customer consent. The D.P.A. underlines that consent, where required, must be freely given and responsible.

Finally, the D.P.A. draws attention to the need to ensure that biometric data are not retained for longer than required by the purposes for which they were collected and subsequently processed. Any extension of the retention period may be justified only by specific laws.

Further requirements under existing law are reaffirmed, including notification of the processing to the Authority and the obligation to designate external parties as data processors.

On 3 April 2014 the Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) was approved by the European Parliament.

The main principles of the Regulation are summarised below (see also THIS POST).

One of the objectives of the Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States.

The principle of mutual recognition applies where the notifying Member State's electronic identification scheme meets the conditions for notification and the notification has been published in the Official Journal of the European Union.

The Regulation reaffirms the principle that an electronic signature shall not be denied legal effect solely on the grounds that it is in electronic form or that it does not meet the requirements for a qualified electronic signature. It remains for national law to define the legal effect of electronic signatures, except for the rule laid down in the Regulation that a qualified electronic signature has the equivalent legal effect of a handwritten signature.

The Regulation lays down the conditions under which Member States shall recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State, lays down rules for trust services, in particular for electronic transactions, and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.

The Regulation shall apply from 1 July 2016, and Directive 1999/93/EC on electronic signatures is repealed with effect from the same date.

The Italian Data Protection Authority has issued a new decision on the security measures to be taken for the appropriate processing of biometric data.

The decision, entitled "Sistema per la sottoscrizione in forma elettronica di atti, contratti e altri documenti relativi a prodotti e servizi offerti da una banca" (System for the electronic signing of deeds, contracts and other documents relating to products and services offered by a bank) and dated 12 September 2013, gives much cause for reflection.

It is interesting to note how the Italian D.P.A., expressly referring to the technical rules on electronic signatures, emphasises that personal data, including biometric data, are processed instrumentally, in order to generate graphometric signatures as advanced electronic signatures.

Moreover, the Italian D.P.A. highlights how such data can be an effective instrument of proof in case of dispute.

In fact, the decision reads: "(…) the use of the proposed solution could effectively contribute to lending greater certainty to legal relationships with users through the guarantee of authenticity, non-repudiation and integrity of documents signed electronically".

The decision expressly mentions the provisions of law requiring the written form for bank contracts and confirms that the graphometric signature is suitable to meet the requirement of the written form ad substantiam. In addition, the Italian D.P.A. makes an important policy statement, arguing that the graphometric signature "complies with society's legitimate organisational needs".

Finally, the decision draws attention to the security precautions needed to reduce the risk of unauthorised software installation or of changes to the configuration of the systems used. Security policies must also be adopted, especially where the data controller relies on external parties, and in any case the controller must obtain from the installer a written description of the steps taken, certifying their compliance with the applicable regulations.

Some general clarifications should be made, however.

The Italian D.P.A.'s decision on graphometric signatures is not yet the general decision the market has been expecting.

The decision is still an individual one (it refers to Fineco), that is to say one concerning a specific request.

A general decision of the Italian D.P.A. could not, of course, refer to specific solutions.

The importance of this decision is evident, however.

It is the first decision of the Italian D.P.A. on graphometric signatures as advanced electronic signatures for the signing of contracts in the banking sector. In the two earlier decisions of the Italian D.P.A. dated 31 January 2013 (referring to Unicredit and Cariparma), graphometric signatures were considered a mechanism of authentication. Identification, of course, remains visual.

It confirms that "graphometric signatures" can be "advanced electronic signatures".

It also confirms that the procedure is very popular in the market and that maximum attention must be paid to the security of the process; many indications in this regard can be drawn from the decision.

Finally, it confirms the viability of graphometric signatures on mobile devices.


The new technical rules on electronic signatures have recently been published in the Official Journal.

Here is the complete reference: DPCM 22 febbraio 2013, "Regole tecniche in materia di generazione, apposizione e verifica delle firme elettroniche avanzate, qualificate e digitali, ai sensi degli articoli 20, comma 3, 24, comma 4, 28, comma 3, 32, comma 3, lettera b), 35, comma 2, 36, comma 2, e 71" (Technical rules on the generation, affixing and verification of advanced, qualified and digital electronic signatures).

The new rules give full legal value to a type of electronic signature known as the "graphometric signature", which consists of a handwritten signature applied to a digital document on a tablet with a special pen. Under the Italian Digital Administration Code currently in force, such a signature can be regarded either as a (simple) electronic signature or as an advanced electronic signature. Which of the two it is depends on the security measures adopted.

"Graphometric signatures" are used particularly by banks, but could be used in any field. The only limitation concerns contracts regarding real estate, which cannot be signed with a graphometric signature but require a digital signature.


The Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market has recently been published and has begun its parliamentary procedure.

Here is an outline of the main innovations provided for by the Proposal.

Legal instrument

The most important innovation is the legal instrument chosen, which is no longer a directive but a regulation. This ensures uniformity: a single EU "law" instead of 27 national laws.

Complexity and legal uncertainty generate a cost which Europe must eliminate in order to present itself as a single market.

The same choice has been made for the recent proposal on the General Data Protection Regulation.

Thus, the aim is to create a genuine single market for digital services, removing the obstacles created by different national laws.

Aim

The main aim of the new proposal is to achieve legal and technical interoperability among the EU countries in matters of e-identification, e-authentication and e-signatures.

Objective

Once again, to encourage the development of the internal market in the field of digital services.

Main innovations

1. Member States may notify their national electronic identification schemes to the European Commission. Once a scheme has been notified and included in the list published by the Commission, it must be accepted by the other Member States (e.g. in public procurement).

2. The e-seal, which is the signature of a legal person, has been introduced and is distinct from the e-signature, which is the signature of a natural person.

Therefore a company will be able to use an e-seal without the signature of the legal representative in order to guarantee the origin and integrity of e-documents.

3. An obligation to retain information concerning e-identification and qualified e-signatures has been introduced.

4. Extensive reference to technical standards.

5. Explicit recognition of e-signatures created on remote servers and on mobile devices.


The principle that a document bearing an e-signature may not be discriminated against on the sole ground that it is in electronic form has been reaffirmed.

The equivalence between qualified electronic signatures and handwritten signatures has been reaffirmed.

Voluntary agreements under private law (such as those between banks and their clients) are not subject to the provisions of the Regulation.


The so-called "advanced electronic signature" plays a leading role in the Italian market today.

It has recently been reintroduced into Italian legislation with the latest version of the so-called "Digital Administration Code" (Codice dell'amministrazione digitale, CAD), Legislative Decree no. 82 of 7 March 2005, as amended by Legislative Decree no. 235 of 30 December 2010.

Despite its name, the Code applies to both private and public bodies.

With regard to electronic signatures, the Code provides for a new kind of signature, the advanced electronic signature, which joins the (simple) electronic signature, the qualified electronic signature and the digital signature as the fourth kind. Its definition is the same as in Directive 1999/93/EC.

According to Directive 1999/93/EC on electronic signatures, an advanced electronic signature is "an electronic signature which meets the following requirements:

[a] it is uniquely linked to the signatory;

[b] it is capable of identifying the signatory;

[c] it is created using means that the signatory can maintain under his sole control; and

[d] it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable".

Under Italian legislation, the advanced electronic signature, the qualified electronic signature and the digital signature all satisfy the legal requirements to the same degree, except in a few cases (contracts regarding real estate). All of these signatures may have the same legal value as a handwritten signature.

The most interesting use of the advanced electronic signature in Italy is the handwritten signature on tablets, which is currently in use in many Italian banks.
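The following is an added illustration, not code from the original posts, from the bank or from the certifier they describe. It models the two phases of the graphometric signature flow set out in the banking decision above (a specimen enrolled with the certifier, then each signing checked against the specimen and against the list of tablet serial numbers) and shows how such a flow can meet requirements [b] and [d] of the advanced electronic signature definition. Everything in it is assumed for the illustration: the per-device key in ENROLLED_TABLETS stands in for a device credential, the three stroke features and the 25% tolerance are constructed, the pen samples are constructed, and the encrypted channel between tablet and certifier is assumed rather than shown.

```python
"""Model of a graphometric signature flow, from tablet to certifier.

Added example for this post; it is not code from the original page, the
bank, or the certifier in the decision.  Assumptions: each enrolled tablet
holds a per-device key known to the certifier (ENROLLED_TABLETS, a stand-in
for a device certificate), the feature set and tolerance are constructed for
the illustration, and transport encryption between tablet and certifier is
assumed rather than shown.
"""
import hashlib
import hmac
import json
import statistics

# Certifier-side list of tablets whose serial number is accepted.
# The key is a constructed stand-in for a device credential.
ENROLLED_TABLETS = {
    "TAB-0001": b"constructed-device-key-for-TAB-0001",
}

# Constructed pen samples: each stroke is a list of (x, y, pressure, t_ms).
SPECIMEN_STROKES = [
    [(0, 0, 0.5, 0), (10, 5, 0.6, 50), (20, 10, 0.7, 100), (30, 12, 0.6, 150)],
    [(5, 20, 0.4, 300), (15, 25, 0.5, 350), (25, 30, 0.5, 400)],
]
# Same signer, slightly different trace (natural variation).
GENUINE_STROKES = [
    [(0, 0, 0.5, 0), (11, 5, 0.6, 50), (21, 11, 0.7, 100), (31, 13, 0.6, 150)],
    [(5, 20, 0.4, 300), (14, 26, 0.5, 350), (24, 31, 0.5, 400)],
]
# A forger tracing the specimen shape slowly and with heavier pressure:
# the static image matches, the dynamics do not.
FORGED_STROKES = [
    [(0, 0, 0.9, 0), (10, 5, 0.9, 100), (20, 10, 0.9, 200), (30, 12, 0.9, 300)],
    [(5, 20, 0.9, 600), (15, 25, 0.9, 700), (25, 30, 0.9, 800)],
]
CONTRACT = b"Constructed sample contract text: current account agreement v1"


def extract_features(strokes):
    """Reduce raw samples to dynamic features: mean pressure, mean pen speed
    and stroke count.  Real products use many more characteristics."""
    speeds, pressures = [], []
    for stroke in strokes:
        for (x0, y0, _, t0), (x1, y1, p1, t1) in zip(stroke, stroke[1:]):
            dt = (t1 - t0) / 1000.0
            if dt > 0:
                speeds.append(((x1 - x0) ** 2 + (y1 - y0) ** 2) ** 0.5 / dt)
            pressures.append(p1)
    return {
        "mean_pressure": statistics.fmean(pressures),
        "mean_speed": statistics.fmean(speeds),
        "strokes": len(strokes),
    }


def enrol_specimen(strokes):
    """Enrolment phase: the specimen kept by the certifier for comparison."""
    return extract_features(strokes)


def _canonical(features):
    return json.dumps(features, sort_keys=True, separators=(",", ":")).encode()


def _binding_message(doc_hash, serial, features):
    return doc_hash.encode() + b"|" + serial.encode() + b"|" + _canonical(features)


def tablet_sign(document, strokes, serial, device_key):
    """Signing phase on the tablet.  The stroke dynamics are bound to the
    SHA-256 of the document and the bundle is authenticated with the device
    key, so the biometric data cannot be re-attached to another document
    (requirement [d]) and the signing device is identifiable."""
    features = extract_features(strokes)
    doc_hash = hashlib.sha256(document).hexdigest()
    tag = hmac.new(device_key, _binding_message(doc_hash, serial, features),
                   hashlib.sha256).hexdigest()
    return {"doc_hash": doc_hash, "tablet_serial": serial,
            "features": features, "tag": tag}


def certifier_verify(envelope, document, specimen, tolerance=0.25):
    """Certifier side: the tablet serial must be listed, the bundle must be
    intact, the document must be the one that was signed, and the dynamics
    must match the specimen within a per-feature relative tolerance."""
    serial = envelope["tablet_serial"]
    device_key = ENROLLED_TABLETS.get(serial)
    if device_key is None:
        return False, "tablet serial not listed"
    expected = hmac.new(device_key,
                        _binding_message(envelope["doc_hash"], serial,
                                         envelope["features"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return False, "envelope tampered or wrong device key"
    if envelope["doc_hash"] != hashlib.sha256(document).hexdigest():
        return False, "document altered after signing"
    for name, reference in specimen.items():
        if abs(envelope["features"][name] - reference) > tolerance * abs(reference):
            return False, f"signature does not match specimen ({name})"
    return True, "accepted"


if __name__ == "__main__":
    specimen = enrol_specimen(SPECIMEN_STROKES)
    key = ENROLLED_TABLETS["TAB-0001"]
    env = tablet_sign(CONTRACT, GENUINE_STROKES, "TAB-0001", key)
    print("genuine:", certifier_verify(env, CONTRACT, specimen))
    print("altered document:", certifier_verify(env, CONTRACT + b" amended", specimen))
    forged = tablet_sign(CONTRACT, FORGED_STROKES, "TAB-0001", key)
    print("traced forgery:", certifier_verify(forged, CONTRACT, specimen))
    rogue = tablet_sign(CONTRACT, GENUINE_STROKES, "TAB-9999", b"unknown-key")
    print("unlisted tablet:", certifier_verify(rogue, CONTRACT, specimen))
```

Two design points follow from the posts above. Only the hash of the document travels with the biometric envelope, so the document itself never has to leave the signing station, while any later change to it breaks the binding. The stroke dynamics in the envelope are themselves biometric data, which is why the decision insists on encrypted channels, on protecting the tablet against unauthorised software, and on retaining the data no longer than the purpose requires; the comparison tolerance is the security parameter a deployment has to tune, since a loose tolerance lets a traced forgery through and a tight one rejects the genuine signer.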
