LEGAL EXPLANATIONS REGARDING THE REGULATION OF ELECTRONIC SIGNATURES
Introduction
Electronic signatures in the Republic of Slovenia are regulated by the Electronic Commerce and Electronic Signature Act /ECESA/ (Official Gazette of the Republic of Slovenia, No. 57/2000) and the Decree on Conditions for Electronic Commerce and Electronic Signing (Official Gazette of the Republic of Slovenia, No. 77/2000 and 2/2001). In March 2004 the Act was amended, and the result is the official consolidated text of the Act on Electronic Commerce and Electronic Signature. The main significance of the Act is that, under special conditions, it gives the electronic signature the same validity that the autographic signature has in the paper world. The Decree defines in detail individual conditions from the Act. The Act is entirely in accordance with the provisions of the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce and with the provisions of the primary European legislation. It also includes all the provisions of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
Principles
The Act on Electronic Commerce and Electronic Signature is based on modern principles: the principle of non-discrimination of the electronic form, the principle of openness, the principle of contractual freedom of the parties, the principle of duality, the principle of protection of personal data and protection of consumers, and the principle of international recognition.
The principle of non-discrimination of the electronic form means that the paper form and the electronic form are reasonably equivalent; thus courts and state institutions, when examining evidence, cannot refuse evidence solely on the grounds of its electronic form.
The principle of openness, or technological neutrality, ensures that the Act does not refer only to one kind of technology or just to current solutions, but remains general and thus useful for a longer time period and for new technologies. Alongside fast and varied technological development goes the principle of duality, which allows the use of different technological solutions with different reliability and thus different legal consequences of the use of such solutions.
The principle of contractual freedom of the parties enables the parties to agree and regulate their relationships differently. Therefore the Act explicitly states that it does not apply to closed systems, where the parties regulate all essential characteristics of the system in advance by contract. Thus contractual parties in closed systems are not bound solely by the solutions foreseen by law regarding electronic commerce.
Because of the technological complexity of the solutions for electronic commerce, the principles of protection of personal information and protection of consumers are also important. The principle of protection of personal data follows modern guidelines established in Slovenia and the European Union concerning the safekeeping of personal information, which is even more exposed in the electronic world. The principle of protection of consumers protects the average consumer, who, without much technological knowledge, finds it more difficult to exercise his rights in complicated electronic commerce, and imposes on service providers a duty of special care for the consumer.
The principle of international recognition enables simple mutual recognition of electronic documents and signatures and thus enables simple integration of the Slovenian economy into the international economy. International recognition of the legal effect of data and signatures in electronic form is very important, because electronic commerce does not take into account state borders or borders between individual legal systems.
Electronic signature
In its third chapter the Act regulates more extensively the electronic signature and the operation of certification service providers, who are a necessary condition for the use of electronic signatures. The Act relies entirely on European and worldwide orientations and uses a so-called dual approach. Namely, it allows certification service providers to operate without prior permission and does not impose special conditions on their operation, but it enables certification service providers to operate under widely varying conditions and provide different verification services, which have different legal effect depending on their reliability. The Act provides for both obligatory and voluntary supervision. The former is performed by an appropriate inspection and the latter by the Agency for Telecommunications.
The Act defines the electronic signature very broadly and in general terms as data in electronic form that are included in or logically linked with other data and are designed to verify the authenticity of the data and to identify the signatory. Like the EU directive, the Act also states that the electronic signature is created using means for electronic signing (e.g., a private signing key) and is verified using means and data for verifying the electronic signature.
Because many clients who have not dealt with each other before will meet in an electronic environment, it is necessary to have a third party which, by issuing a certificate, acts as a trusted third party in verifying the electronic signature of both parties. The certificate links the data for verifying the electronic signature with the holder of the certificate and confirms the holder's identity to the other party.
According to the Electronic Commerce and Electronic Signature Act, any natural or legal person can be a Certification Authority that issues certificates or performs other services related to certification or electronic signatures. The Certification Authority does not need any specific licence for its operation. It only needs to register its activities with the Ministry of the Information Society when it commences operation; the Ministry manages a list of all Certification Authorities in Slovenia. The Act institutes two types of supervision: inspectional, which is performed by the Ministry of the Information Society, and voluntary within the framework of an accreditation scheme, which is performed by the newly established Agency for Telecommunications in accordance with the new Telecommunications Act.
One of the important provisions of the ECESA and the Decree for users, regarding electronic signatures, is the obligation that all means and data for verifying an electronic signature must be kept as long as the electronically signed documents are stored.
Persons who store electronically signed data are also obliged, no later than one month prior to the expiration date that the Certification Authority sets in its policy of operations for the validity of data for electronic signature, to ensure that all persons who initially electronically signed the data sign this data once again; this can also be done by a notary or by verifying this data with a secure time stamp of the Certification Authority. If the Certification Authority did not set a deadline, a repeated signature is needed before the expiration date of the qualified certificate at the latest. It is important to note that the Electronic Commerce and Electronic Signature Act considers the use of data and means for electronic signing without the knowledge of the signatory or the certificate holder a misdemeanor.
Secure electronic signature and qualified certificate
The above-described electronic signature with the certificate of the Certification Authority still does not have the same validity as the autographic signature. According to ECESA, only a secure electronic signature that is verified with a qualified certificate is equal to, and therefore has the same validity and evidentiary value as, an autographic signature. A secure electronic signature is an electronic signature that meets several requirements enumerated in the Act. It must be exclusively linked to the signatory; this way the signatory can be determined without doubt. At the same time, the signature must be technologically designed so that it is linked to the data it refers to. Any change to the data, or to the signature's link with them, made after signing would be noticed. The signatory must create the signature using one of the devices for secure electronic signing and under the signatory's exclusive supervision. Devices for secure electronic signing differ from general devices for electronic signing. They comply with special conditions regarding security and reliability, as defined in ECESA and in more detail in the Decree. A secure electronic signature must be verified with a qualified certificate. This kind of certificate has the same characteristics as a general certificate, except that the law prescribes in detail its content and the manner of its issue, use, and revocation. The Act and the Decree also prescribe special, rigorous conditions for Certification Authorities that issue such qualified certificates (compulsory liability insurance, special requirements regarding equipment and employees, exacting procedures, internal regulations, etc.).