Digital identity management and trust services will be the main themes of the colloquium convened by the Secretariat of the United Nations Commission on International Trade Law (UNCITRAL), which will take place on 21 and 22 April 2016 at the Vienna International Centre.
During the meeting, Working Group IV on Electronic Commerce will focus its activity on legal issues related to identity management and trust services with a view to compiling information on the scope and methodology of future work in that area. The session will be attended by Full Professor Giusella Finocchiaro as President of the Working Group and representative of the Italian Government at UNCITRAL.
For further information, please consult the section covering Working Group activities on the UNCITRAL website.
Given the increasing use of devices and technologies for the collection and processing of biometric data, mainly for the purposes of personal identification, access control and the signing of electronic documents, the Italian Data Protection Authority’s action aims to provide a uniform framework that can be used as the basis for recommending technological choices, adapting processing to the requirements of the Privacy Code and verifying compliance with security standards.
Biometric data are, by their very nature, directly and unequivocally related to an individual and are generally constant over time, which reflects the profound relationship between a person’s body, behaviour and identity. For this reason, the adoption of biometric systems for the collection and processing of data may entail specific risks for fundamental rights and freedoms as well as for an individual’s dignity.
However, within the varied landscape of technological biometric systems and with a view to simplifying legislation, the Italian Data Protection Authority has identified certain types of data processing which present less risk and which, unlike other types, do not require preliminary verification by the Authority. Exemption is granted on condition that all necessary measures and appropriate technical precautions are taken to achieve the security objectives identified by the measure and that the general requirements of legitimacy provided for by the Privacy Code are met.
There is no need to apply for preliminary verification for the following four types of processing:
1. Signing of electronic documents. The analysis of biometric data connected with applying a handwritten signature can be used for those graphometric signature systems which form the basis of an advanced electronic signature solution. Processing is only permitted with the express consent of the person concerned, which is given on signing up for a graphometric signature service and remains valid for all documents to be signed until it is withdrawn. Consent is not necessary in the public sphere, where specific institutional objectives are to be pursued. However, alternative systems will still have to be made available, such as paper or electronic forms of signature which do not involve the use of biometric data.
2. Digital authentication. The biometric characteristics of a person’s fingerprints or voiceprint can be used as credentials to access databases and computer systems, also without the user’s consent.
3. Control of physical access. It will be possible to process the biometric characteristics of fingerprints or the topographical layout of the hand to allow access to areas considered “sensitive” or to allow only qualified operators access to dangerous machinery and equipment. Also in this case, processing may be carried out without the consent of the user.
4. Facilitation of processes. It will be possible to use fingerprints and the topographical layout of the hand to allow users physical access to areas in the public domain (e.g. libraries) or the private sphere (e.g. reserved airport areas). In this case, use is only permitted with the consent of the parties concerned, and alternative arrangements will in any case still have to be provided for those who refuse to provide their biometric data and refuse permission for the processing of biometric data.
In consideration of the complexity of the matter in relation to the regulations on the processing of personal data, the Italian Data Protection Authority has attached to its provision a document containing the “Guidelines on biometric recognition and graphometric signatures”, which has already been submitted to public consultation, together with a special form to be used for communicating with the Authority in the event of violations of biometric systems. In order to prevent possible theft of biometric identity, all data breaches or cyber incidents that might have a significant impact on biometric systems and the data collected must be communicated to the Italian Data Protection Authority within 24 hours of being discovered.
While awaiting publication of the provision in the Official Gazette, we invite you to browse through it and its attachments on the website of the Italian Data Protection Authority.
As previously mentioned in this blog, the 49th session of the Working Group on Electronic Commerce of the United Nations Commission on International Trade Law was held in New York from 28 April to 2 May 2014.
At the start of the session Giusella Finocchiaro, the Italian UNCITRAL representative for electronic commerce, was unanimously elected as chairperson.
The WG is working on a detailed document on Electronic Transferable Records, which could form the basis of a new model law. This work is drawing to a conclusion.
The basic principles that motivated the WG have been reaffirmed; namely those of technological neutrality and non-discrimination between paper and electronic documents, keeping any impact on national law regulations to a minimum.
The 50th session of the WG will be held in Vienna from 10 to 14 November 2014.
On 3 April 2014 the Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) was approved by the European Parliament.
The main principles of the Regulation are reported below (see also this post).
One of the objectives of the Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States.
The principle of mutual recognition should apply if the notifying Member State’s electronic identification scheme meets the conditions of notification and the notification was published in the Official Journal of the European Union.
The Regulation reaffirms the principle that an electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature. However, it is for the national law to define the legal effect of electronic signatures, except for the requirement provided in the Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.
The Regulation lays down conditions under which Member States shall recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State, lays down rules for electronic trust services, in particular for electronic transactions and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificates services for website authentication.
The Regulation shall apply from 1 July 2016, and Directive 1999/93/EC on electronic signatures is repealed with effect from the same date.
The new technical rules on electronic signatures have recently been published in the Official Journal.
Here follows the complete reference: DPCM 22 febbraio 2013, “Regole tecniche in materia di generazione, apposizione e verifica delle firme elettroniche avanzate, qualificate e digitali, ai sensi degli articoli 20, comma 3, 24, comma 4, 28, comma 3, 32, comma 3, lettera b), 35, comma 2, 36, comma 2, e 71” (Decree of the President of the Council of Ministers of 22 February 2013, “Technical rules on the generation, affixing and verification of advanced, qualified and digital electronic signatures”, issued under the articles of the Digital Administration Code listed in the title).
The new rules give full legal value to a new type of electronic signature known as the “Graphometric Signature”, which consists of a handwritten signature applied to a digital document on a tablet using a special pen. According to the Italian Digital Administration Code currently in force, this signature can be regarded either as an electronic signature or as an advanced electronic signature, depending on the security measures adopted.
“Graphometric Signatures” are used particularly by banks, but could be used in any field. The only limitation concerns contracts regarding real estate, which cannot be signed with a “Graphometric Signature”, but require a digital signature.
The Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market has recently been published and has begun its parliamentary procedure.
Here is an outline of the main innovations provided for by the Proposal.
The most important innovation is the legal instrument chosen, which is no longer a directive but a regulation. This is to ensure the uniformity of the new rules: it provides for a single EU “law” instead of 27 “national laws”.
It is a fact that complexity and juridical uncertainty generate a cost which Europe must eliminate in order to present itself as a single market.
The same choice has been made for the recent proposal on the General Data Protection Regulation.
Thus, the aim is to create a genuine single market for digital services, removing the obstacles created by different national laws.
The main aim of the new proposal is to achieve legal and technical interoperability among the EU countries on questions of e-identification, e-authentication and e-signature.
Once again, the purpose is to encourage the development of the internal market in the field of digital services.
1. Member States have the right to notify the European Commission of individual national electronic identification schemes. Once notification has been given and has been included on the list published by the Commission, it must be accepted by the other Member States (e.g. in public procurements).
2. The e-seal which constitutes a legal person’s signature has been introduced and must be considered as distinct from the e-signature which constitutes a natural person’s signature.
Therefore a company will be able to use an e-seal without the signature of the legal representative in order to guarantee the origin and integrity of e-documents.
3. The obligation to store information concerning e-identification and qualified e-signatures has been introduced.
4. There is extensive reference to technical standards.
5. Explicit recognition is given to e-signatures created on remote servers and on mobile devices.
The principle that documents bearing e-signatures may not be discriminated against on the sole ground that they are in electronic form has been reaffirmed.
The equivalence between qualified electronic signatures and handwritten signatures has been reaffirmed.
Voluntary agreements under private law (such as those between banks and their clients) are not subject to the provisions of the regulation.
The so-called “advanced electronic signature” plays a leading role on the Italian market today.
It has recently been reintroduced into Italian legislation with the latest version of the so-called “Digital Administration Code” (Codice dell’amministrazione digitale, CAD), D.Lgs. 7 March 2005, no. 82, as amended by D.Lgs. 30 December 2010, no. 235.
Despite its name, the Code applies to both private and public bodies.
With regard to electronic signatures, the Code provides for a new kind of signature, defined as the advanced electronic signature, which is the fourth kind after the electronic, qualified and digital signatures. The definition of the advanced electronic signature is the same as in Directive 1999/93/EC.
According to Directive 1999/93/EC on electronic signatures, the advanced electronic signature is defined as “an electronic signature which meets the following requirements:
[a] it is uniquely linked to the signatory;
[b] it is capable of identifying the signatory;
[c] it is created using means that the signatory can maintain under his sole control; and
[d] it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable”.
According to Italian legislation, the advanced electronic signature, the qualified signature and the digital signature all satisfy legal requirements to the same degree, except in a few cases (concerning contracts regarding real estate). All of these signatures may have the same legal value as a handwritten signature.
The most interesting use of the advanced electronic signature in Italy is the handwritten signature on tablets, which is currently in use in many Italian banks.