Bill on Electronic Signatures - Bill No. L 229
29. maj 2000
Bill No. L 229 introduced on 22 March 2000
Translation
Note: The text has been amended in section 5(2)
and is therefore identical to the final text of Act No. 417 of 31 May
2000.
Only the Danish version of the text has legal validity.
Bill No. L 229
Danish Parliament (the Folketing)
1999-2000
Introduced on 22 March 2000 by the Minister of Research
and Information Technology
(Birte Weiss)
Bill
on
Electronic Signatures 1)
Part 1
Scope and application 1. The purpose of the Act is to promote secure and efficient utilisation of electronic communication by specifying requirements for certain electronic signatures and certification authorities that issue certificates for electronic signatures. 2.-(1) The Act shall apply to certification authorities established in Denmark that issue qualified certificates to the public, except as provided in section 12. (2) The Act shall also apply to verification that signature-creation devices comply with the specified requirements for secure signature-creation devices. Part 2 Definitions 3. For the purposes of this Act: 1) "Electronic signature" shall be understood to mean data in electronic form that are attached to other electronic data by means of a signature-creation device and that are used to check that such data originate from the person indicated as signatory and that the data have not been changed. 2) "Advanced electronic signature" shall be understood to mean an electronic signature that: (a) is uniquely linked to the signatory (b) makes it possible to identify the signatory (c) is created by means controlled only by the signatory, and that (d) is linked to the data to which it relates in such a manner that any subsequent change made in the data is detectable. 3) "Signatory" shall be understood to mean a natural person who holds a signature-creation device and acts either on his own behalf or on behalf of another natural or legal person. 4) "Signature-creation data" shall be understood to mean unique data, such as a code or a private encryption key, which are used to create an electronic signature. 5) "Signature-creation device" shall be understood to mean a software- or hardware-based system used to implement and store signature-creation data. 6) "Signature-verification data" shall be understood to mean unique data, such as a code or public encryption key, which are used for the purpose of verifying an electronic signature. 7) "Signature-verification device" shall be understood to mean a software- or hardware-based system used to implement the signature-verification data. 8) "Certificate" shall be understood to mean an electronic attestation which links certain signature-verification data to the signatory and confirms the identity of same. 9) "Certification authority" shall be understood to mean a natural or legal person who issues certificates. Part 3 Qualified certificates 4.-(1) The designation "qualified certificates", or designations suitable for producing the impression that qualified certificates are implied shall only be used about certificates that meet the requirements stipulated in (2) and (3), and that are issued by a certification authority that meets the provisions of part 4 and rules laid down in pursuance thereof. (2) A qualified certificate shall contain the following: 1) an indication that the certificate is issued as a qualified certificate 2) the name and domicile of the certification authority 3) the name of the signatory or a pseudonym, which shall be identified as such 4) any other information about the signatory that is needed for use of the certificate, including information that ensures unique identification of the signatory 5) the validity period of the certificate 6) a clear statement of limitations on the scope of use of the certificate, if applicable (scope limitations) 7) a clear statement of limitations on the transaction amounts for which the certificate can be used, if applicable (amount limitations) 8) the identity code of the certificate 9) the signature-verification data corresponding to the signature-creation data that were under the control of the signatory at the time of issuance. (3) A qualified certificate shall be signed with the advanced electronic signature of the certification authority. Part 4 Requirements concerning the activities of certification authorities 5.-(1) A certification authority shall take the measures that are necessary for a secure, reliable and well-functioning offering of qualified certificates. The certification authority shall among other things: 1) apply administrative and management procedures that meet recognised standards 2) employ personnel who possess the required expert knowledge, experience and qualifications, including personnel with expertise in electronic signature technology and familiarity with proper security procedures 3) use trustworthy systems and products that are protected against unauthorised modification and ensure the technical and cryptographic security of the processes supported by them 4) take measures against any possible forgery of certificates 5) maintain sufficient financial resources at all times to operate in conformity with the provisions of this Act and to fulfil its liability obligations under the Act. (2) Certification authorities that issue qualified certificates shall appoint an external state-authorised public accountant to undertake the system audit. In special circumstances the National Telecom Agency may exempt from the requirement that the system auditor must be a state-authorised public accountant. (3) The Minister of Research and Information Technology shall lay down more detailed rules on the requirements in (1). 6.-(1) Certification authorities shall specify and apply adequate procedures for verifying the identity and any other facts concerning the signatory prior to the issuance of certificates. (2) Information about the procedures mentioned in (1) shall be publicly available. (3) The Minister of Research and Information Technology may lay down more detailed rules on the requirements in (1) and (2). 7.-(1) When issuing a qualified certificate, a certification authority shall ensure at the time of issuance that the signatory holds the signature-creation data corresponding to the signature-verification data given in the certificate. (2) If, in connection with the issuance of qualified certificates, it is the certification authority that supplies the signature-creation and signature-verification data, only uniquely connected signature-creation and signature-verification data shall be used. The certification authority shall ensure confidentiality of the signature-creation data during the process of generation. (3) A certification authority shall establish procedures for the issuance of certificates that make it possible to determine the date and time of issuance. 8.-(1) When entering into an agreement on the issuance of a qualified certificate, a certification authority shall inform the signatory in writing about the following: 1) The terms and conditions concerning the use of the certificate, including any limitations on the scope or amounts. 2) Any requirements concerning storage and protection of the signature-creation data by the signatory. 3) The signatory's cost of obtaining and using the certificate and of using the other services of the certification authority. 4) Whether the certification authority is accredited under a voluntary accreditation scheme. 5) Procedures for settlement of complaints and disputes. (2) The terms of contract may be submitted electronically provided they are directly legible to the recipient. (3) Relevant parts of the information given in (1) shall also be made available on request to third parties relying on a qualified certificate. (4) The Minister of Research and Information Technology may lay down more detailed rules on the requirements in (1) to (3). 9.-(1) Certification authorities shall ensure the operation of a prompt and secure directory and a secure and immediate revocation service that makes it possible to check whether a qualified certificate is revoked, the validity period of the certificate or whether the certificate contains any limitations on the scope or amounts. (2) A certification authority shall revoke a certificate immediately upon receipt of such a request from the signatory or if otherwise warranted by the circumstances. (3) Information required under (1) shall be immediately available. (4) A qualified certificate may only be made publicly accessible with the consent of the signatory. (5) The Minister of Research and Information Technology may lay down detailed rules on the requirements in (1) to (3). 10.-(1) A certification authority shall record all relevant information concerning the certificates for an appropriate period of time, which shall be at least six years. (2) A certification authority shall use trustworthy systems to store certificates in a verifiable form. (3) Certification authorities must not store or copy signature-creation data of the persons concerning whom the certification authority have gained knowledge through the issuance of certificates. (4) The Minister of Research and Information Technology may lay down more detailed rules on the requirements in (1) and (2). Part 5 Liability 11.-(1) Certification authorities issuing qualified certificates to the public, or guaranteeing such certificates issued by another certification authority to the public, shall be liable to pay compensation for losses incurred by the person who reasonably relies on that certificate, if the losses were due to the following: 1) that the information contained in the qualified certificate was not correct at the time of issuance 2) that the certificate did not contain all information required under section 4 3) failure to revoke the certificate, see section 9(2) 4) lack of or erroneous information on whether the certificate has been revoked, the expiry date, or whether the certificate includes limitations on the scope or amounts, see section 9, subsections (1) and (3) 5) failure to comply with section 7. (2) A certification authority shall be liable for damage in accordance with (1) unless the authority proves that it has not acted negligently or wilfully. (3) A certification authority shall not be liable for: 1) losses occurring as a result of use of a qualified certificate outside the scope limitations applying to the certificate, or for 2) losses occurring as a result of violation of the amounts limitations applying to the certificate, provided that the limitations in question appear clearly from the certificate, see section 4, and that information concerning them is given on request, see section 9, subsections (1) and (3). (4) Subsections (1) to (3) may not be departed from by prior agreement to the detriment of the injured person. (5) Subsections (1) to (3) shall not apply if the loss is covered by the Act on Certain Payment Instruments. Part 6 Supplementary requirements concerning the processing of personal data 12.-(1) A certification authority may only collect personal data in connection with its activities directly from the person in question, or with the explicit consent of that person, and only insofar as the data are needed for the purposes of issuing and maintaining a certificate. (2) Personal data collected under (1) must not be processed or passed on for any other purposes than those mentioned in (1) without the explicit consent of the person in question. Part 7 Electronic signature and formal requirements 13. Legal provisions according to which electronic messages shall be provided with a signature shall be regarded as met if the message is provided with an advanced electronic signature based on a qualified certificate and created by a secure signature-creation device. However, in the case of electronic messages to or from public authorities, this shall only apply if current legislation or provisions in pursuance thereof do not prescribe otherwise. Part 8 Secure signature-creation devices 14.-(1) A secure signature-creation device shall be understood to mean a signature-creation device that ensures by appropriate technical and procedural means that the signature-creation data used for signature generation: 1) can, in practice, appear only once 2) are reasonably certain to remain secret and cannot be derived 3) are protected against forgery, and 4) can be reliably protected by the signatory against unlawful use by others. (2) A secure signature-creation device must not be designed in such a way that it changes the data to which an electronic signature is attached or prevents such data from being shown to the signatory prior to the signing. (3) The requirements stipulated in (1) and (2) shall be regarded as satisfied if a signature-creation device meets generally recognised standards for such devices, which the Commission has laid down and published in the Official Journal in accordance with the procedure prescribed in Article 9 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 15.-(1) The Minister of Research and Information Technology shall designate one or more appropriate bodies or authorities that can assist in verifying that signature-creation devices comply with the requirements stipulated for secure signature-creation devices, see section 14, subsections (1) and (2), and will lay down detailed rules on the procedures for such verification and on the payment of fees for the same. (2) A signature-creation device described as a secure signature-creation device may not be marketed or used to create advanced electronic signatures that are based on a qualified certificate until it has been verified, see (1). (3) A verification of a secure signature-creation device by a body or an authority in another country within the European Economic Area (EEA) shall have the same status as a verification in pursuance of (1). Part 9 Supervision 16.-(1) Certification authorities shall notify the National Telecom Agency before or as soon as they begin issuing qualified certificates. (2) The notification shall contain the following information: 1) name and domicile of the certification authority 2) corporate form if the certification authority is operated as a company 3) management and system auditor of the certification authority. (3) Changes in matters reported in pursuance of (2) shall be reported not later than eight days after the change has taken place. (4) The National Telecom Agency may lay down detailed rules on any other information to be included in the notification. 17.-(1) Together with the notification under section 16, the certification authority shall submit a report to the National Telecom Agency. (2) The report shall contain the following: 1) a description of the certification authority's activities and systems 2) a declaration from the certification authority's management stating that its overall data, system and operation security must be regarded adequate and in compliance with the rules laid down in this Act and rules laid down in pursuance thereof, and 3) a declaration from the system auditor, see section 5(2), stating that, in the opinion of the system auditor, the certification authority's overall data, system and operation security must be regarded adequate and in compliance with the rules laid down in this Act and rules laid down in pursuance thereof. (3) The certification authority shall prepare an updated report each year. The National Telecom Agency will set a deadline for submission of the report to the National Telecom Agency. (4) The National Telecom Agency may lay down detailed rules on the content of the certification authority's reports and on how to perform system auditing in certification authorities. § 18. The National Telcom Agency shall ensure that this Act and rules issued in pursuance thereof are complied with. (2) The National Telecom Agency may order a certification authority: 1) to notify the National Telecom Agency, see section 16 2) to report to the National Telecom Agency, see section 17 3) to bring matters concerning the certification authority's activities into conformity with the Act or rules issued in pursuance thereof. (3) The National Telecom Agency shall stipulate a time limit for compliance with orders issued under (2). (4) The National Telecom Agency may impose daily penalties on a certification authority for the purpose of enforcing compliance with orders issued in pursuance of (2), section 19(1) or section 20. (5) The National Telecom Agency may require that an extraordinary system audit of a certification authority be carried out. The National Telecom Agency will appoint a system auditor to carry out the extraordinary system audit. The certification authority may be ordered to pay for the performance of the extraordinary system audit. (6) The National Telecom Agency may deprive a certification authority of its right to use the designation qualified certificates, see section 4, if: 1) despite the imposition of daily penalties, the certification authority fails to comply with the National Telecom Agency's order in pursuance of (2), section 19(1) or section 20. 2) the certification authority has grossly or repeatedly violated the provisions of this Act or rules laid down in pursuance thereof, or 3) if the certification authority suspends its payments or goes into liquidation. (7) A certification authority may request that a decision of the National Telecom Agency under (6) be brought before the courts. A request to this effect shall be received by the National Telecom Agency not later than four weeks after the date on which the decision was communicated to the certification authority. The National Telecom Agency shall bring a case against the certification authority under the rules of the Administration of Justice Act. (8) A request to bring an action shall not have suspensive effect, but the court may decide that the certification authority in question shall have access to issue qualified certificates while the case is being heard. In the event of an appeal against a decision whereby the deprivation of the right to issue qualified certificates is found to be illegal, the court that made the decision, or the court before which the case was brought, may decide that the certification authority must not issue qualified certificates while the appeal case is being heard. 19.-(1) The National Telecom Agency may require the certification authority to submit all information found necessary for the Agency's supervision under section 18, including information to decide whether a natural or legal person is covered by such supervision. (2) The certification authority and the system auditor shall immediately inform the National Telecom Agency of matters of vital importance to the certification authority's continued operation. 20.-(1) The National Telecom Agency may order a certification authority to choose another system auditor within a stipulated time limit, see section 5(2), if the present system auditor is found clearly unsuitable for his task. (2) The National Telecom Agency may order a system auditor to provide information on matters concerning the certification authority without the consent of the certification authority. (3) In the event of change of auditors, the certification authority and the withdrawing system auditor(s) shall each submit a report to the National Telecom Agency. The National Telecom Agency may order that the first sentence hereof be complied with. 21. The decisions of the National Telecom Agency under this Act or provisions laid down in pursuance thereof cannot be referred to other administrative authorities. 22. The Minister of Research and Information Technology may lay down rules to the effect that costs incurred in connection with the National Telecom agency's regulation shall be paid by the certification authorities that issue qualified certificates. Part 10 International issues 23. Qualified certificates issued by a certification authority established in a country outside the European Economic Area (EEA) shall be recognised in the same way as qualified certificates issued by certification authorities established in a country within EEA provided that: 1) the certification authority meets the requirements of this Act and is accredited under a voluntary accreditation scheme, or 2) a certification authority established in a Member State that meets the requirements of this Act, guarantees certificates issued by the certification authority in question, or 3) the certificate or the certification authority is recognised under a bilateral or multilateral agreement between the Community and third countries or international organisations. Part 11 Criminal liability 24.-(1) Unless more severe punishment is prescribed under other laws, penalty of fining shall be imposed on any person who: 1) violates sections 9(4), 10(3), 12 or 15(2) 2) gives wrong or misleading information to the National Telecom Agency, or 3) violates orders or decisions by the National Telecom Authority under section 18, subsections (2) and (6) and section 19 (1). (2) Companies etc. (legal persons) may be held criminally liable under the rules of Part 5 of the Danish Criminal Code. (3) The limitation period of criminal liability under (1) and (2) shall be five years. Part 12 Coming into force etc. 25. This Act shall enter into force on 1 October 2000. 26. This Act shall not apply to Greenland and the Faroe Islands but may by Royal Order be put into force for these parts of the Kingdom with such modifications as may be required by the special conditions prevailing in Greenland and the Faroe Islands. Footnote 1) The Act contains provisions that implement Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (OJ L 13 2000, p.12). Explanatory Notes to the Bill General notes The purpose of the Act is to ensure that there will be electronic-signature products and certification authorities on the Danish market that will comply with a number of requirements that will make them secure to use. From a socioeconomic point of view it is important to develop and provide electronic signatures of such a high security level that they are recognised in a broad forum and can be used to supply the provision of new services in both the private and the public sector. The purpose of the legislation is not to control the overall provision of certification services. After implementation of the Act, the certification authorities will still be free to provide certificates and electronic-signature products without being subject to extensive regulation, authorisation schemes or being forced to apply specific technical solutions. Thus the Act is intended solely to ensure the availability on the market of products (namely the qualified certificates described) for which a common minimum standard has been specified. In connection with the provision of electronic services where there is a need for authentication of the sender or recipient, both the private and the public sectors will thus have the possibility of requiring use of a certificate and an electronic signature that comply with certain minimum requirements. At the same time, the legislation must ensure that the liability is clear when as a sender you use and as a recipient you trust a qualified certificate. The chosen liability model implies that it is the responsibility of the certification authority to prove that it has not made any mistakes in connection with the issuance of a certificate, revocation or when giving information about the expiry date and limitations on the use of the certificate. A. Background and scope of the Bill 1. The function and importance of electronic signatures The function and importance of electronic signatures can best be described by an example: Agreements are often concluded by the parties signing a contract or by one of the parties, as confirmation of the conclusion of an agreement, delivering a note and invoice etc. to the other party. In some cases the parties know each other in advance so neither of them will be in doubt about the identity of the other party. However, many agreements are concluded by parties that do not know each other in advance, and that will never actually meet as their communication takes place only by letter, fax or similar means. When the parties communicate on paper, it is their signatures and perhaps a special letterhead that serve to identify the sender to the recipient. The paper also serves to ensure that there will be no doubt later about the contents of the document used at the time of conclusion of the agreement. With paper-based communication the parties are thus able to see if an envelope has been opened while on the way and whether visible changes have been made to the written or printed text. In practice, communication is usually exchanged without the parties giving much thought to these aspects and, in fact, it is only in a few exceptional cases that we need to pay attention to it. When communicating through open digital networks, i.e. through networks that are accessible to everyone, such as the Internet, it is likewise essential to be sure with whom you are actually communicating and that the contents of the communication have not subsequently been changed. When communication is electronic, there is no concrete evidence in the same manner that makes a recipient notice that the contents of a message may have been altered, and it is difficult, if not impossible, to be sure who is the actual sender of the message. This means that, in practice, it is much easier to make alterations in an electronic message or to pretend to be somebody else without this being visible to the recipient. An electronic signature is a combined "signature" and "lock" that may safeguard against these problems. In other words, an electronic signature locks a document with a content for a specific person after the signature has been attached. The signatory can store the signature-creation data that are used to create the electronic signature on a plastic card or as part of a program on his PC. A password, which the signatory has, or some other kind of identification mechanism will usually be required to use the data. The electronic signature is intended to safeguard both the signatory and the recipient, who does not know the sender in advance. In other words, the recipient of an electronic signature needs to be able to trust that the sender is in fact the person he claims to be and that the sender is still in possession of his signature-creating data (plastic card, computer program, etc.). To ensure credibility vis-à-vis the recipient, the identity of the signatory must be verified by an independent third party, a so-called certification authority. In practice, what happens is that the certification authority after having verified the identity of the signatory issues an electronic certificate to that effect. The certification authority must also establish a service function that allows the recipient to check automatically if a certificate, and thus an electronic signature, is revoked, for example if the signatory has lost possession of his signature-creation data. The main purpose of the Bill is to lay down minimum requirements for certification authorities wishing to use the designation qualified certificates about the certificates they offer. Such certification authorities will be the only authorities entitled to use the designation and will be subject to, among other things, increased liability for the data in a certificate being correct and adequate and for the correct functioning of the certification authority's revocation function. It is not a question of authorisation or approval of certification authorities, but such authorities will be subject to regulation by a public regulator, who may require regular documentation for compliance with the Act, and who may apply various sanctions if a certification authority does not comply with the requirements of the Act. 2. What is an electronic signature, an electronic signature certificate and a certification authority? In practice, an electronic signature is based on two elements. The first element is the so-called key pair, which can be described as two halves of a key, a code or a lock. The signatory has one half (the private key) and an independent certification authority stores or registers the other half (the public key). The second element is a certificate issued by an independent certification authority; the certificate verifies the identity of the signatory and states that the signatory has possession of the private key that matches the public key contained in the certificate and which may be used by the third party to verify and prove that he has in fact been communicating with the signatory. With the technology of today, communication will then take place as follows: the signatory sends an electronic message, which may consist of a text file, graphics, a sound recording, a spreadsheet or the like, or a combination of several of these elements. When the signatory is ready to send his message he attaches his electronic signature by means of his signature-creation device (plastic card, computer program, etc.) and his private key. The affixation also "locks" the document so that when the message is opened later, it will be possible to see whether subsequent attempts have been made - by the sender, recipient or third party - to change it. Then the signatory sends his message to the recipient. He will also often attach his certificate containing the attestation of the certification authority together with his public key, which the recipient needs in order to check the message. However, it may be that the sender has lost possession of his certificate and his private key or that the certificate has expired and can therefore no longer be used. To check this, the recipient will have to contact the certification authority and request them to confirm that a user's certificate has not been revoked in the same way as a payment card. The certification authority will also be able to tell the recipient if the certificate has expired and if there are any limitations on what the signature can be used for or limits on the value of transactions for which the signature can be used. In a number of cases, both the sender and the recipient may need to prove when they sent, received or verified a message assigned an electronic signature. In this regard, the certification authorities may, as independent third parties, offer a facility whereby electronic messages are forwarded for time stamping, possibly as part of the process of sending the message to the recipient (a kind of "mail stamping function") or immediately after receipt of the message. The extent to which such facilities will be offered in practice will depend on the demand. The certification authorities will usually be commercial enterprises, although public authorities, organisations etc. may also decide to set up a certification function. The type of products offered by the individual certification authorities will differ. Some certification authorities will only offer issuance of certificates and thus expect the customer to obtain the actual electronic signature (the key pair) elsewhere. Others will offer both. Other certification authorities, although probably not all of them, will offer time-stamping functions. There may also be wide differences as to how the certification authorities are set up in practice, including their use of IT solutions and security procedures. An enterprise serving as a certification authority may also carry out activities in a number of other areas. An obvious example is activities within credit and payment cards or other forms of financial activities or mail handling. It should also be emphasised that what we have is a market and some products that are only just being developed and that the technology used is constantly changing. This also means that the above description of how an electronic signature and electronic signature certificates operate today is no more than an outline that might not necessarily be true in one, five, or ten years' time. 3. User interest in the use of electronic signatures and electronic signature certificates As mentioned earlier, the users' main interest is that when communicating through open digital networks, such as the Internet, he wants to be sure who he is actually communicating with and that the contents of the communication have not been changed in transit or later. Another decisive element is to be able to prove subsequently what has happened and when. From a user's point of view, security - both as sender and recipient - depends on the following: (i) How and how thoroughly does the certification authority verify the identity of the signatory prior to the issuance? (ii) How secure and thorough are the certification authority's procedures as regards registration of and information on the revocation or expiry of certificates and digital signatures, or on certificates containing limitations on use? (iii) Is the above information of a certificate correct and adequate? (iv) What is the liability of certification authorities in situations where a certificate is incorrect on one or more of the above-mentioned points, or where errors have occurred in other ways at a certification authority, resulting in losses for either the sender or the recipient? (v) How is the quality of the electronic signature used in connection with a certificate, i.e. is it in fact possible to break or copy the signature without leaving any visible traces? The importance of the above-mentioned issues depends on the desired use of the signature. 4. In which contexts will electronic signatures and electronic signature certificates be used? The rapid development in recent years within information technology, including the merging of electronic data processing and telecommunications, has led to increased use of digital communication in all spheres of society. The use of electronic mail, information exchange and a number of other forms of transactions via the Internet is rising sharply. In relation to public authorities, electronic communication enables more efficient communication between authorities and private citizens and enterprises. For example, more and more digital self-service systems are being developed that allow citizens to file their tax returns, apply for study grants, order medical cards, passports or driving licences, file building licence applications or notify change of address, or receive electronic prescriptions from their doctor following up on a telephone consultation etc., from a PC at home or at work, or from a public information kiosk. The Ministry of Research and Information Technology's pilot projects on the use of electronic signatures in public services include a number of practical examples on how electronic signatures can be used in combination with, for example, student cards, payment and reports on student grants, exchange of information on patients, patient records and the settling of health insurance accounts between a number of health institutions. The experience gained from the pilot projects is of great importance to the design of a universal infrastructure for electronic signatures. The projects have revealed many of the problems that arise when electronic signatures are used in practice. Within the business community, the technology is being used increasingly for electronic commerce, i.e. for making contracts and transferring payments via electronic media, including the automatic exchange of business documents such as orders and invoices (e.g. via EDI - Electronic Document Interchange). Today, electronic data interchange between companies is carried out in a number of situations in dedicated systems where security aspects, exchange formats etc., have been agreed in advance between the parties involved. The common standards for electronic data interchange serve as an example of a code of practice that may be used in such dedicated systems. Companies doing business with each other on a regular basis have found it useful to set up such framework agreements. However, this solution is not feasible if the aim is, in principle, for all companies, authorities and private individuals on the network to be able to carry out legally binding transactions with each other - for example placing an individual order or entering into an individual agreement whether or not they have been in contact with each other before. As a result, there is a growing demand by the commercial sector for legal regulation that provides a satisfactory framework for carrying out legally binding transactions via open networks such as the Internet without having to arrange with the recipient in advance how to do it. However, the Danish business community is not the only sector that is interested in electronic communication. Private citizens also increasingly want to use the Internet in a commercial context, i.e. for ordering and buying goods and services via the Internet. Today, communication as mentioned above already takes place in some situations without any use of electronic signatures. This applies particularly to less complicated transactions. Also in situations in which someone wishes to use and electronic signature, there are differences in the economic risks and possible losses etc. that may occur. As a result, there is a trend towards the development of electronic signatures and associated certificates with graduated security tailored for different types of use. Thus it is likely that an individual citizen will have different digital certificates and signature-creation devices at his disposal for different purposes, for instance for small private purchases, for communication with public services, or in a work context. It should largely be left to the market itself to arrange for certification authorities to be established and to ensure that the solutions they offer are sufficiently secure for the situations for which they are intended. The reason is that this is still a rapidly developing market - and one in which too much government regulation is certain to impede product development. In addition, any such regulation would have to be constantly updated in step with the latest technical advances. However, this is a new market with products of such technical complexity that it is extremely difficult for the individual private user to be sure that the product offered has the necessary security. At present, there is no regulation of enterprises that wish to offer certificates and electronic signatures. 5. The significance of legislative regulation on electronic signature certificates The main purpose of the Bill is to establish a flexible regulation and control scheme for certification authorities that wish to offer certificates with the designation qualified certificates and, in that connection, to regulate the liability of the certification authorities in question to signatories and recipients of qualified certificates. The regulatory scheme means that the certification authorities covered by it must currently document that their activities and the certificates they issue comply with a number of minimum requirements to ensure a range of solutions of the necessary quality on the Danish market. The minimum requirements to be set up comprise points (i)-(iii) in paragraph 3 above, i.e. to ensure the quality of electronic signature certificates. If the rules are not complied with, a certification authority may be deprived of its right to use the publicly recognised designation qualified certificates for their certificate products. As far as concerns regulation of the extent of a certification authority's liability for errors due to non-compliance with the stipulated minimum requirements (point (iv) in paragraph 3), the aim is fault liability with reversed burden of proof. The regulatory scheme and regulation of liability will not cover all certificates offered or all certification authorities in the market, but only certificates that a certification authority chooses to call "qualified certificates". As part of its overall activities, a certification authority will be able to offer qualified as well as other certificates, including certificates that comply in principle with the minimum requirements of the Act but that are not called qualified certificates. The Bill covers certificates used for publicly accessible systems, but not solutions used only for dedicated networks where a specific code of practice has been agreed between the parties involved. So this kind of use of electronic signature certificates is not covered by the rules on regulation and liability. 6. The role of legislative regulation on electronic signatures The regulatory scheme described above and the associated regulation of liability concern the actual issuance of electronic signature certificates by the certification authorities. As described above in paragraph 2, there is another important security aspect of the use of electronic signatures, i.e. the quality of the actual key pair used (also called the signature-creation and signature-verification data), and the way in which the private key in particular is used and stored (on a plastic card or as part of a PC program) (also called the signature-creation device). In some cases, but not all, the certification authority will also have supplied the signature-creation product. In accordance with the underlying EC Directive on a Community framework for electronic signatures (the Directive has been included as Annex 1 to the Bill, hereinafter referred to as the "Directive" or the "EC Directive"), the Bill lays down a number of basic requirement concerning signature-creation devices that the manufacturer/supplier wishes to call "secure signature-creation-devices" as defined in the EC Directive. In extension of this, the Bill provides authority for the designation of one or more appropriate bodies or authorities that can help to verify and document that specific products comply with these minimum requirements. The minimum requirements in question are formulated in very general terms and are primarily functional minimum requirements aimed at ensuring, to the widest possible extent, a technology-neutral and thus robust regulation. This is necessary because the technology used - or several competing technologies - are still at a relatively early development stage, where technological solutions are constantly changing, and thus make it impossible to implement stable regulation and to lay down highly specific technical minimum requirements. It is also possible, as part of the development in question, that authentication methods will in time be developed that might replace all the digital signature solutions that we know today. The "labelling" of specific signature-creation devices thus enabled will guide users who wish to procure a product they can rely on and is also important to the regulation of the problems of legal effect, see paragraph E, point 9 below. B. Existing legislation At present, there is no legislation on the issuance of certificates that can be applied to electronic signatures (certification authority activities) in Denmark. Certification authorities lay down their own rules for the issuance of certificates and for how to verify the identity of signatories, and are not subject to any particular compensation scheme if certificates are faulty, are not revoked in time, etc. If mistakes are made in connection with the issuance or use of a certificate that links the signatory and the electronic signature, the matter will at present have to be tried in accordance with the general law of damages. This means that injured parties will have to prove that a certification authority has made mistakes in connection with its issue or handling of a certificate. C. Danish initiatives on electronic signatures On 28 January 1998, the Minister of Research and Information Technology, as the minister primarily responsible, together with the Minister of Trade and Industry, the Minister of Economic Affairs and the Minister of Taxation, presented a report to the Folketing (the Danish parliament) on the security of digital communication. The point of departure of the reports was a noted substantial demand from the commercial sector, public authorities as well as private users for legal regulation that will provide a satisfactory framework for making legally binding transactions via the Internet. The parliamentary debate showed an express wish to create a legal framework for the use of electronic signatures that will ensure high quality and thus establish the basis for practical equality between digital and paper-based communication. It was emphasised that use of electronic communication for binding legal transactions depends on certainty concerning the identity of the sender and the recipient, the integrity of the content and, often, guaranteed confidentiality in relation to other parties as well. In other words, solid technical solutions must be available. The debate also showed that there is a need through legislation to be able to deal with the liability of certification authorities. It was the general view that the issue should be dealt with from the point of view of the consumers. The regulation must result in secure, but also simple and user-friendly devices, and a balance must be struck between protection of the users and definition of the liability of certification authorities. It was considered desirable to provide the required legal basis for establishing certification authorities that can provide solid quality solutions and clear rules on certification authorities' liability and compensation in connection with the issuance of certificates for use in combination with digital signatures. Based on the parliamentary debate in February 1998, the Ministry of Research and Information Technology circulated a draft Bill on digital signatures for public consultation. The Bill contained two main elements. The first was a proposal for an authorisation scheme with a number of minimum requirements for digital signature certificates and certification authorities wishing to obtain authorisation, and the seal of approval that would thus be implied. The authorisation scheme was to be combined with restrictive regulation of the liability of certification authorities in situations where the publicly regulated minimum requirements were not complied with, in the form of absolute liability for loss occurring as a result. The second was a proposal for regulation of the legal effects of using digital signatures by way of equal status for digital and written signatures. The Bill contained two alternative models on how the latter might be implemented in practice. The result of the consultation on the first Bill made it clear that it was necessary to consider further the issue of possible regulation of the legal effect of digital signatures in areas with statutory requirements for signatures or existence in writing, etc. The consultation also made it clear that considerations on such legislation would be closely bound up with a number of legal problems across the board and would, among other things, affect general property contract and tort law, general law of contract, and consumer protection law that come within the sphere of the Ministry of Justice. Consequently, it was decided to divide the legislation work on the use of electronic signatures and electronic signature certificates between the Ministry of Justice and the Ministry of Research and Information Technology, with the former responsible for regulation of problems in connection with the legal effects of using digital signatures. For this purpose, the Ministry of Justice has set up a committee with representatives from the Ministry of Research and Information Technology, which is to consider more closely the need to legislate on the extent to which electronic messages can/must be used in areas with formal requirements as mentioned above and on the legal effects between sender and recipient in certain defined situations. The committee has not yet completed its work. The result of the consultation also made it clear that there was a need for further work on the Bill's provisions on authorisation and liability and for the provisions to be seen in an international perspective, especially as the market for certificates and electronic signatures will be largely international and be characterised by transboundary solutions. Consequently some of the consultation replies also pointed to a need to harmonise Danish regulation with regulation in other countries if it was desired to promote the establishment of certification authorities in Denmark as well. D. International developments Establishment of a framework for electronic signatures is not an isolated Danish phenomenon. Such systems must also to a great extent be able to function globally if the business community and users are to benefit fully from the facilities offered by the systems. It will therefore also be relevant to consider how far other countries have proceeded with regulation of electronic signatures and what initiatives are in the pipeline in various international collaborative forums such as the EU, UN, WTO and OECD. Internationally, regulatory activities concerning electronic signatures have primarily been concentrated around the International Chamber of Commerce, OECD and UNCITRAL (United Nations Commission on International Trade Law), and the EU. The EC Directive on a Community framework for electronic signatures The Directive was adopted on 13 December 1999 and is a follow-up on two communications from the Commission on electronic commerce and on encryption and digital signatures from April and October 1997, respectively. The main points of the Directive The background of the Directive is the Commission's view that a prerequisite for accelerating electronic commerce is the establishment of a satisfactory framework ensuring that it will be possible to make legally binding transactions via open networks such as the Internet without having to arrange with the recipient in advance how to do it. Use of electronic communication for binding legal transactions presupposes that it is possible to communicate with certainty of the sender's identity and certainty that the content has not been changed. The purpose of the Directive is to facilitate the use of electronic signatures and to contribute to their legal recognition. The Directive provides a framework for electronic signatures and associated certification services etc. so as to make the internal market secure with respect to electronic signatures. Scope The scope of the Directive is electronic signatures. The Directive operates with a broad definition of an electronic signature since it defines an electronic signature as data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. The Directive also operates with the concept "an advanced electronic signature", which is an electronic signature that must be 1) uniquely linked to the signatory, 2) capable of identifying the signatory, 3) created using means that the signatory can maintain under his sole control, and 4) linked to the data to which it relates in such a manner that any subsequent change made in the data is detectable. The distinction between an electronic signature and an advanced electronic signature is significant to the Directive's provisions on legal effects (see below). It is left to the Member States to decide in their national law the legal spheres in which electronic documents and electronic signatures may be used. Electronic communication in dedicated systems is not covered by the general regulation of the Directive. In cases where the parties have concluded a communication agreement in advance, such an agreement is given precedence. However, electronic signatures given within such systems must not be excluded from obtaining the legal effects provided by the Directive. Specification of a number of requirements concerning certification authorities and electronic signatures In order to create a market for high-quality electronic signatures and with the same level of security within the entire EU, the Directive lays down a number of requirements concerning service providers (in the Directive certification authorities are called certification service providers) of so-called qualified certificates for electronic signatures. In the following review of the Directive, the Directive's designation for these certificates will be used. In the Directive "certification authorities" means a person or an entity who issues certificates or provides other services related to electronic signatures to the public. This means, among other things, that service providers that do not offer certification are still covered by some of the Directive's rules if they offer "associated" services such as time stamping of electronic mail. The Directive specifies in Annex II a number of basic requirements concerning such service providers. According to the Directive, a certificate for an electronic signature is a digital attestation that links signature-verification data to a person and confirms the identity of that person. According to the Directive, a qualified certificate means a certificate that meets the requirements laid down in Annex I and is provided by a certification authority that fulfils the requirements laid down in Annex II. The Directive lays down rules for the certification authority's liability to "any person who reasonably relies on the certificate". The European Commission has stated that these persons also include the signatory. The liability rules cover only cases in which a certification authority has issued a certificate as a qualified certificate or in which the service provider guarantees a certificate of another service provider. The certification authority must be responsible for 1) the accuracy at the time of issuance of all information contained in the certificate, 2) assurance that at the time of the issuance of the certificate, the person identified in the qualified certificate held the signature-creation data (the private key) corresponding to the signature-verification data (the public key) given or identified in the certificate, and 3) assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases in which the certification authority generates them both. The liability rules must be based on a principle that certification authorities must at least have acted negligently in the three cases mentioned above. According to the Directive, it is for the certification authority to prove that it has not acted negligently. Member States must also ensure that certification authorities that issue qualified certificates are liable for damage caused as a result of failure to revoke certificates unless the certification authority proves that it has not acted negligently. The Directive contains no regulation of the liability between the signatory and the recipient of an electronic signature. The Member States must ensure that certification authorities and national bodies responsible for accreditation or regulation comply with the general EC Directive 97/46/EC on personal data protection. It is provided that the certification service provider may only collect personal data directly from the person in question or with the explicit consent of that person. Personal data may only be collected insofar as the data are needed for the purposes of issuing and maintaining a certificate. An open market The Directive prohibits prior authorisation of certification authorities as a condition for providing certification services for electronic signatures. Prior authorisation should be understood to mean any licence, the issuance of which requires a decision by the national authorities before the certification service provider can offer its certification services, and any other measure with the same effect. This is to ensure that the certification authorities are able to offer their products across the EU, thereby strengthening competition in this special area to the benefit of the consumers and the business community. It must be assumed that this will result in the consumers and the business community being offered a number of products that afford new possibilities of secure electronic exchange of information. A free market will thus stimulate Community-wide provision of certification services. However, the Directive makes it obligatory for the Member States to establish an appropriate regulation of the certification authorities that issue qualified certificates for electronic signatures. The Directive opens the way for the Member States to leave the establishment of such systems to the market players in the form of self-regulation. The Member States must recognise certificates issued by certification authorities of countries outside the European Economic Areas on an equal footing with certificates issued by certification authorities within the EEA provided 1) third-country certification authorities fulfil the requirements of the Directive and have been accredited under a voluntary accreditation scheme established in an EU country, 2) if an EU certification authority that fulfils the requirements of this Directive guarantees the certificates of the third-country provider, or 3) if the third-country certificate or third-country provider is recognised under an international agreement. Legal recognition of electronic signatures The Directive contains some rules on the legal effects of electronic signatures. The Directive thus contains a ban on "discrimination" of electronic signatures with respect to legal enforceability and admissibility as evidence in legal proceedings solely on the grounds that the signature is electronic or fails to comply with certain security requirements. This "discrimination ban" means that the Members States must not deny electronic signatures legal effect etc. solely on the grounds that they are in electronic form. The ban does not mean, however, that Member States cannot treat electronic signatures differently from hand-written signatures for other reasons. If, for example, an electronic signature has been generated by a technology that affords only limited protection against forgery etc. it will not conflict with the "discrimination ban" to treat such signatures differently from hand-written signatures due to the low level of security. The Directive also contains a provision to the effect that the above-mentioned "advanced" electronic signatures, i.e. electronic signatures that comply with particularly strict security requirements must be deemed to meet formal requirements for signatures on paper documents. However, this applies only if a Member State accepts the use of electronic signatures in that context. As mentioned above, it will still be for the Member States to decide in which areas they will accept the use of electronic documents and electronic signatures. However, the provision means that, in areas where national law requires a signature on electronic messages, the Member States must accept that advanced electronic signatures fulfil this requirement. In the case of communication with public authorities, however, the Directive enables Member States to make more stringent security requirements for electronic signatures provided they are objective, transparent, reasonable and non-discriminatory. Finally, the Directive contains a rule to the effect that Member States must ensure that "advanced" electronic signatures can be used as evidence in legal proceedings. The preamble of the Directives makes it clear that the rules do not change the principle regarding the unfettered judicial consideration of evidence. The Danish procedure in respect of the Directive The Draft Directive was presented to the Parliamentary Committee on European Affairs on 15 May 1998 together with the Ministry of Research and Information Technology's Memorandum of 7 May 1998 prior to the Council meeting (on telecommunications) on 19 May 1998. The Draft Directive was also discussed in a consolidated memorandum of the Ministry of Research and Information Technology of 13 November 1998 with a view to informing the Parliamentary Committee on European Affairs prior to the Council meeting (on telecommunications) on 27 November 1998. And the Draft Directive was referred to in a report to the Parliamentary Committee on European Affairs on the Council meeting (on telecommunications) on 27 November 1998. Nordic cooperation on legislation on electronic signatures The Ministry of Research and Information Technology has participated in informal cooperation between the relevant authorities in Norway, Sweden, Finland and Iceland with a view to exchanging experience and endeavouring to create conformity where possible with the legislation in the individual countries. Sweden has sent out a new draft Bill on certificates for electronic signatures for consultation and expects to be able to introduce a new Bill in the Swedish parliament (Riksdagen) in a few months' time. The Swedish draft is in many ways identical to the present Bill. Unlike the present Bill, however, Sweden wants a less comprehensive regulatory scheme based on the principle that certification authorities wishing to issue qualified certificates themselves declare that they comply with the statutory requirements. The Swedish National Post and Telecom Agency (Post- og Telestyrelsen) has been suggested as supervisory authority. Certification authorities would be required to submit information with a view to enabling the supervisory authority to check compliance with the Act. Norway has just sent out a draft Bill on electronic signatures etc. for public consultation and expects to introduce a Bill in the Norwegian parliament (Stortinget) in the autumn. The Norwegian draft, like the Swedish, resembles the present Bill in many ways. Norway has chosen a supervisory model that resembles the Swedish model because it does not wish to impose to heavy administrative burdens on the certification authorities. Finland and Iceland are also presently engaged in completing a draft Bill to be sent out for public consultation. Finland has already implemented parts of the 1998 Directive by adopting an act on electronic communication. Other international initiatives In 1997, the International Chamber of Commerce issued a set of guidelines on best practice within certification and safeguarding of electronic commerce. The primary target group of the guidelines is the business community and its business-to-business trade. The guidelines are mainly based on UNCITRAL's model law on electronic commerce. The UN Commission on International Trade Law (UNCITRAL) adopted a model law on electronic commerce in June 1996. The model law is based on the fundamental idea that electronic commerce requires that digital messages be put on an equal footing with paper messages provided that the functions served by paper are served equally well digitally. This idea of functional equivalence is expressed in articles 5-7 of the model law, which deal with requirements for existence in writing and signatures. Article 5 of the model law states that information must not be denied legal effect solely on the grounds that it is in the form of a data message. As for the requirement for information to be in writing, article 6 of the model law states that this requirement is met by a data message if the information contained therein is accessible so as to be usable for subsequent reference. As for signature requirements, it is stated that where the law requires a signature of a person, that requirement is met if a method is used to identify that person and to indicate that person's approval of the information contained in the message, and if that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated. UNCITRAL has subsequently appointed a working group on digital signatures, which has been assigned the task of formulating guidelines for digital signatures and other electronic identification. The most recent meeting of the group was in Vienna on 19-30 January 1998. In a recommendation of 27 March 1997, the OECD encouraged its Member States to remove or avoid creating unnecessary obstacles to digital communication for the sake of an encryption policy. Also in 1997, the OECD published a report on certification in the electronic environment together with another report on technological capabilities of certification of data in a global network. This report was followed by yet another report in 1998. These documents provide an overview of the trend in technological developments and important political areas within this field. In a number of countries, initiatives are under way to promote digital communication. However, there is much uncertainty with regard to the specific content of future legislation in the individual countries on digital signatures, etc. In the United States, a number of states have adopted legislation on digital signatures. Utah passed the first regular law on digital signatures with regulation of certification authorities and giving legal effect to digital signatures. Since then a number of other states have followed, with law initiatives differing widely in scope and content. However, at federal level it is still uncertain what initiatives the US Government will take with regard to digital signatures. In Europe, Italy, Germany, France and Austria have adopted national legislation on electronic documents/contracts and digital signatures. To summarise, the situation can be described as follows: there are a number of initiatives under way, both nationally and within the framework of international cooperative bodies. The EC Directive on electronic signatures serves as a clear landmark indicating in which direction international regulation is moving. E. The contents of the Bill 1. The scope of the Act The territorial scope of the Act is certification authorities established in Denmark. The Act does not specify any special requirements concerning certification authorities and electronic signatures originating in other countries within the EU, or in third countries outside the EU, but does make it possible for certificates issued by them to be recognised in the same way as certificates issued by Danish certification authorities. The Act will not apply to certificates and electronic signatures used exclusively within dedicated systems based on voluntary agreements between a limited number of participants 2. Technology-neutral regulation The Bill is based on a wish to ensure technology-neutral and robust regulation. In extension of this, the Bill's scope is electronic signatures and not only digital signatures, which constitute the present predominant technology. An electronic signature is a technical means giving the same function as an ordinary handwritten signature, i.e. relating a certain amount of data to a specific person. Electronic signatures occur in several variations. A digital signature is at present the main technical solution for an electronic signature. A digital signature guarantees the sender's identity and that the message has not been changed on the way (integrity). A digital signature is produced by means of a computer program based on the use of public-key encryption techniques. Public-key encryption is a special form of encryption. Encryption is a technique for scrambling data according to a specific principle. For example, each letter of a text can be replaced by another letter further ahead in the alphabet. In the example mentioned, the same key is used both to scramble and restore the text. Public-key encryption, however, uses two different but linked keys so that a text that has been encrypted with one of the keys (no matter which), can only be decrypted by the other key. The name "public key" stems from the fact that with such a system one can establish a certification authority with which one of the keys (the public key) is registered, and which verifies the identity of the person in possession of the key in question, to potential communicating parties. Public-key encryption thus ensures a high degree of certainty of the sender's identity without having to agree on the code or exchange keys in advance. It is thus considered important that the Bill cover not only digital signatures but also future techniques that serve the same purpose as the public-key-encryption technique and thus also other forms of digital identification. For this purpose, the Bill operates with a broad definition of an electronic signature since it defines an electronic signature as data in electronic form that are attached to or logically associated with other electronic data and that serve as a method of authentication (identification). It is important to emphasise that the electronic signature market, like so much else in the IT world, is characterised by rapid technological development which makes it difficult to predict how it will actually develop. This also means that the picture of technological capabilities and functionalities is constantly changing, which makes extensive and technology-specific regulation impossible. 3. General certificates versus qualified certificates The Bill specifies a number of requirements for certification authorities offering so-called qualified certificates. The requirements cover both the contents of a qualified certificate and the procedures used by the certification authorities. The requirements are intended to ensure a high level of security in connection with the issuance and administration of these certificates. A qualified certificate is a certificate that contains the information required in section 4 of the Bill and is issued by a certification authority that complies with the provisions of Part 4 of the Bill and the rules issued in pursuance thereof. The provisions include an implementation of the requirements made in the Directive on the provision of "qualified certificates". If a certificate includes an indication that the certificate is issued as a qualified certificate, and if the issuing certification authority is domiciled in Denmark, then the requirements in this Act on the provision of qualified certificates must be met. A qualified certificate must include data that make it possible to identify the signatory. The signatory (i.e. the person generating the signature) is the natural or legal person stated in the certificate. It is the person that controls a signature-creation device and holds the signature-creation data (the private key). 4. Requirements for certification authorities offering qualified certificates for electronic signatures Part 4 of the Bill includes a number of requirements for certification authorities offering qualified certificates for electronic signatures. The provisions require providers of qualified certificates to take the legal, organisational, technical, personnel, operating and security measures required to make them secure and well-functioning providers of electronic signatures. To achieve this, the certification authorities issuing qualified certificates must employ personnel that possess the required expert knowledge, experience and qualifications for the services provided. This may differ from one service provider to another depending on the services provided. The personnel must possess expertise within electronic signature technology and know how to establish and maintain adequate and proper security procedures. The personnel must be familiar with the systems and products used. In addition, the certification authorities must maintain sufficient financial resources at all times to comply with the provisions of this Bill and to fulfil their financial liability in pursuance of the special liability regulation. Whether a certification authority has sufficient financial resources for this will depend, among other things, on the type of certificates offered. If, for example, a certification authority offers certificates for use within an area of high economic risk for the parties involved or offers certificates without limitations on the scope or amounts, then the financial resources must be equally large. Finally, as an important key element of the regulation, a certification authority must comply with certain minimum requirements on how the identity of a signatory is to be verified prior to the issuance of a qualified certificate in order to secure adequate checking thereof. This identity check, together with the rules ensuring adequate procedures for the certification authorities' design, storage and administration of certificates, constitutes the core of the regulation of qualified certificates. This regulation is described in more detail in the notes on section 6 of the Bill. The system auditor, who, according to the Bill, must be attached to the certification authority, must submit annually to the National Telecom Agency a report on whether, in his opinion, the certification authority observes the stipulated rules and requirements, and the management of the certification authority must guarantee that. The Bill specifies the general rules on the requirements made concerning certification authorities that provide qualified certificates. The Bill authorises the Minister of Research and Information Technology to lay down specific rules on the precise content of the requirements made concerning certification authorities in a number of the above-mentioned areas. 5. Regulation and notification The National Telecom Agency is assumed to maintain general regulation to ensure that certification authorities comply with the rules of this Act. The National Telecom Agency must check that the requirements of this Act, concerning both certification authorities and the certificates they issue, are complied with. The requirement that certification authorities issuing qualified certificates be subject to regulation by a public regulator is intended to ensure that these certification authorities maintain a quality and security level with which users can be confident. The main task of the National Telecom Agency will be to assess the audit reports to be submitted by certification authorities when they start operating and in connection with their annual presentation of accounts. If the information that the National Telecom Agency receives from a certification authority, its auditors, users or others causes doubt about whether the certification authority complies with the requirements of the Act, the National Telecom Agency has a number of recourses described in the Act. Unlike today's regulation of companies in the financial sector, it is not intended that the National Telecom Agency should actually inspect the companies subject to regulation. The National Telecom Agency's recourses include the right: I. to require a certification authority to submit all the relevant information needed for its regulation II. to order a certification authority to bring specific matters in conformity with the legislation III. to impose daily penalties if a certification authority fails to comply with an order IV. to arrange for an extraordinary audit of a certification authority to be carried out, and V. to deprive a certification authority of its right to use the designation "qualified certificates" about its products. It is not considered necessary to give the National Telecom Agency the right to carry out inspections of the premises of certification authorities. Certification authorities that do not wish to issue qualified certificates will be able to establish themselves freely and operate in accordance with quality requirements and standards decided upon by themselves. The National Telecom Agency will, however, also check that the Danish certification authorities observe the provisions of section 12 concerning processing of personal data. By letting the market for electronic signatures be open to players that do not meet specific requirements concerning regulation etc., it is ensured that a potential market development in which private authorisation schemes or similar schemes will prevail is not impeded by inflexible legislation. The reasons for organising the regulation as an audit-based system in which a major part of the practical regulation is carried out by the external auditor at the certification authorities, are first of all to make use of the experience and competence in the performance of system audits that already exist in the audit sector. Expert knowledge is required to be able to understand and assess the advanced technology used by a certification authority and the National Telecom Agency does not possess that knowledge today. Secondly, it will take a great deal of resources to build up extensive governmental regulation, and it is assumed that these will be paid for by the companies subject to regulation. This might deter certification authorities from issuing qualified certificates, which would mean that the quality of the market created for electronic signatures might be insufficient to inspire confidence among consumers, authorities and companies. It is believed that the cost of the audits imposed by the Bill on the certification authorities will be of far greater benefit to the certification authorities themselves in the form of knowledge, control and exchange of experience with the auditors than would be the case with a governmental scheme. It is proposed that the costs of the regulation be financed by the public sector in the short term, but in the longer term they should be paid by the certification authorities that issue qualified certificates. 6. Liability rules Section 11 of the Bill specifies special liability rules for certification authorities that issue qualified certificates. The provisions specify the liability in specific cases where a person who reasonably relies on a certificate suffers a loss due to a certification authority. These are cases such as losses incurred as a result of errors and deficiencies in the certificate data, failure to revoke a certificate, lack of or erroneous information on the expiry date or applicable usage limitations on certificates, as well as errors in the certification authority's verification that a signatory holds the signature-creation data corresponding to the signature-verification data given in the certificate. According to the provisions, it is for the certification authority to prove that errors have not occurred that can be attributed to the certification authority in connection with the issuance of a qualified certificate for an electronic signature and that the information in the certificate is correct. It is also the responsibility of the certification authority to make information available on a certificate's expiry date, revocation, limitations on its use or limits on the value of transactions for which the certificate can be used and that such information is correct. So in this case there is fault liability with reversed burden of proof, or presumption of negligence. The reason for introducing this increased liability for certain certification authorities is the highly technical and complicated nature of the area. It will be difficult for the ordinary user of electronic signatures to prove that errors have occurred in the handling of the signature services. The rules thus aim to protect consumers. In order to impose liability on a certification authority for a loss suffered by the signatory or a third party under the provisions of this Bill, the other conditions for imposing liability must exist. Matters that are not covered by the special increased liability in this Act will be decided according to the ordinary rules of Danish law. 7. Protection of personal data The Bill contains a few supplementary provisions to the existing legislation on protection of personal data. The provisions in the Bill on protection of personal data apply to all certification authorities established in Denmark. According to the Bill, a certification authority may only collect personal data in connection with its activities directly from the person in question or with the explicit consent of that person, and only insofar as the data are needed for the purposes of issuing and maintaining a certificate. A certification authority must not pass on or process data for any other purpose than required for issuing or maintaining a certificate without the explicit consent of the person in question. This ensures that data collected by a certification authority without the consent of its customers cannot be used for marketing purposes etc. 8. Secure signature-creation devices As described above in section A, subsection 5, the Bill also contains specific regulation of the minimum requirements for signature-creation devices, which certification authorities want to call "secure signature-creation devices". The basis for this is Annex III of the EU Directive, which contains a number of functional minimum requirements for such signature-creation devices. The Directive also provides authority for the European Commission together with the Member States to decide which generally recognised international standards for such devices are deemed to meet the minimum requirements of the Directive. To the extent that such amplifying regulation is implemented, it will, according to the Bill, constitute the basis also for verification by Danish authorities etc. as to whether specific products meet the stipulated minimum requirements. It is also intended that the European Commission, together with the Member States, with authority in the relevant provisions of the Directive, must lay down more detailed common guidelines for appointing the bodies or public authorities to assist in the verification of whether specific signature-creation devices meet the specified minimum requirements. The Bill also provides authority to implement any joint EU rules thereon or to implement a special Danish regulation thereof where no common guidelines are laid down. It is not directly intended to use the authority in section 15 of the Bill for that purpose until it is clear whether the Commission intends to submit a proposal for common guidelines and, if so, whether agreement has been reached on the contents of such guidelines. 9. A general rule on use of electronic signatures on areas with formal requirements Danish law does not contain any general rules on the significance of signing a document etc., and there is no general definition of what constitutes a signature. In some areas, however, the legislation does contain provisions with formal requirements - for example, that a document must be signed. The provisions may be formulated in various ways and may for instance be supplemented with a requirement that the authenticity of a signature be verified by an attesting witness. Because of the varied formulation of the provisions, it is not certain that a signature which complies with a signature requirement in one set of rules also complies with a similar requirement in another area of law. The reason why it has been found necessary to make detailed rules only within a single area of law as regards requirements concerning signatures is probably bound up with the fact that a signature has a firmly established function and is seen as an everyday and familiar action. Furthermore, the means used for making a signature (a pencil, ballpen, etc.) are technically simple, and apart from reading skills no other special knowledge or access to technical aids is needed to read a signature. There is nothing to prevent the question of what constitutes an electronic signature from being left, in the same way, for regulation in each individual area of law. However, the Government has found it best to introduce a general provision stating that each statutory formal requirement concerning signatures on data messages shall be understood to mean that the requirement can be met by using an electronic signature that complies with some security requirements described in detail. The need for such a rule is bound up with the fact that Article 5, paragraph 1, of the EC Directive on a Community framework for electronic signatures contains a rule on the legal effects of electronic signatures, which means, among other things, that signatures complying with certain security requirements etc. must be deemed to meet requirements in the Member States' legislation on electronic signatures. Only in the case of communication with public authorities does the Directive (Article 3, paragraph 7) to a limited extent enable Member States to make more stringent requirements. In other words, with the Directive a kind of European standard for electronic signatures is introduced. If a person sends or receives a signature that complies with the requirements of the Directive, he should be able to expect it to comply with formal requirements concerning the use of electronic signatures in all EU countries. Correct implementation of the Directive thus means that Danish legislation must not contain any formal requirement for electronic signatures to comply with more stringent security requirements etc. than what follows from the Directive. This is best ensured by introducing a general rule with the described contents. Furthermore, it is more complicated to decide what is needed to meet a formal requirement concerning electronic signatures than a requirement concerning traditional signatures. This is because an electronic signature is based on methods that are technically complicated and difficult for most people to understand. The encryption algorithms on which an electronic signature is based have different security levels - at least at the moment - and are being constantly improved. A signature that is secure today may not be so in five years' time, and some signatures provide only limited security from the outset as to the identity of the signatory because, for example, the identity was only superficially checked in connection with the issuance of the certificate. Proof that a signature originates from the indicated signatory also depends on a number of circumstances that recipients of a signature have only a limited chance of checking. This applies, for example, to the circumstances in connection with the issuance of a certificate and the security procedures for use of the signature-creation device (PIN codes etc.). Because of the many different types of signature with different levels of security, a formal requirement concerning use of electronic signatures that can be met by any signature would be largely without content, and it must thus be expected that, in the vast majority of cases, more detailed rules would be needed concerning the requirements to be complied with by an electronic signature in order to meet a specific formal requirement in the legislation. A general provision specifying the content of such formal requirements would facilitate the drafting of legislation for the areas in which it is desired to introduce formal requirements on the use of electronic signatures. It would thus suffice to refer to the proposed general provision instead of specific technical provisions on the requirements to be met by an electronic signature in order to comply with the formal requirement in each and every rule of law. It is important to emphasise that the proposed provision is of no significance to the question of the areas of law in which electronic communication may be used. The rule will only affect the areas of law in which, according to the applicable rules, it is possible to use electronic communication. Whether electronic communication may be used in a specific area of law depends on whether there are formal requirements that can only be met by the use of paper documents. The Ministry of Justice's committee on the legal effects of digital signatures etc. is currently considering whether a legislative initiative is needed to enable use of electronic communication in all areas where that is possible and expedient. Article 5 of the Directive also specifies that Member States must ensure that electronic signatures can be used as evidence in legal proceedings. Danish law is based on a principle of freedom to produce evidence, which means that the parties to a lawsuit have the right to produce any (relevant) fact as evidence. Thus, according to Danish law, there is no obstacle to using electronic documents, electronic signatures etc. as evidence in lawsuits, so legislation will not be needed to comply with the Directive's requirement on this matter. Finally, Article 5, paragraph 2, of the Directive contains a general ban on refusal to give electronic signatures legal effect solely on the grounds that the signature is electronic or fails to comply with the conditions for being an "advanced electronic signature". It must be assumed that the provision serves as a kind of "discrimination ban", meaning that the Members States must not refuse to give an electronic signature legal effect solely on the grounds that it is in electronic form. Such rules have existed earlier in legal systems in other European countries. However, Danish law does not contain any rules with such content, so legislation will not be needed to comply with the requirement of the Directive on this matter. F. The economic, administrative, commercial and environmental consequences of the Act Economic and administrative consequences for the State and local and county authorities The Bill implies establishment of a regulatory authority for certification authorities wishing to offer qualified certificates. It is suggested that the National Telecom Agency act as this authority. To undertake this task, the National Telecom Agency would need an additional two to three man-years. The Bill authorises the Minister of Research and Information Technology to lay down rules to the effect that the costs of the regulation must in the long term be financed by the certification authorities involved. However, governmental co-financing of the regulatory scheme is needed so as not to burden the market in the preliminary establishment phase. Apart from that, the Bill is not expected to have any particular economic consequences for the State. The Bill will improve the possibility of using electronic signatures in practice, also in areas where legally binding transactions are made, and where proof is needed of the use of reliable products (certificates and signatures). Public authorities will be able to offer a number of new electronic functions and services for situations in which they need to be sure who they are communicating with and what they are communicating about. Use of electronic signatures will enable public authorities to offer solutions that enable citizens to get access to electronic self-service facilities via the Internet. In the long term, such use must be expected to reduce the administration resources of the public authorities in question. Economic and administrative consequences for the business community Implementation of a regulatory scheme and clear regulation of the liability of certification authorities covered by the scheme may increase confidence in the use of electronic signatures and certificates and thus create a better basis for business activities for the certification authorities. Access to electronic communication based on common standards and a high security level are expected to give added profit in individual companies due to rationalisation and also to increase the competitiveness of companies via improved facilities for electronic interaction with other companies. Likewise, it may be expected that the administrative burdens on companies will be eased because it will be possible for them to report information to public authorities electronically. Environmental consequences Gradually as the Bill takes effect, it will provide clear benefits for the environment, partly because of lower resource requirements for transport of messages and partly because of savings in paper consumption. The Bill has no appreciable negative consequences for the environment. Administrative consequences for citizens The improved possibilities of electronic communication with public authorities described above will also mean considerably easier administration for the citizens. G. Consultation A draft for this Bill has been circulated for consultation to: [original Danish text] Advokatsamfundet, Akademikernes Centralorganisation, Amtsrådsforeningen i Danmark, Arbejderbevægelsens Erhvervsråd, Arbejdsløshedskassen for selvstændige erhvervsdrivende i Danmark, Arbejdsmarkedsstyrelsen, Arbejdsministeriet, Arbejdsskadestyrelsen, Beredskabsstyrelsen, Brancheforeningen for telekommunikationsindustrien, Brancheorg. for Forbruger Elektronik, By- og Boligministeriet, Børsmæglerforeningen, Canal Digital Danmark A/S, Center for IT-forskning, Center for Ligebehandling af Handicappede, Center for Menneskerettigheder, Christian Rovsing A/S, Civilretsdirektoratet, Copy-Dan, CSC Datacentralen, Danmarks Aktive Forbrugere (DAF), Danmarks Nationalbank, Danmarks Radio, Danmarks Rederiforening, Danmarks Statistik, Dansk Autoriseret Markedsplads A/S, Dansk BiblioteksCenter A/S, Dansk Blindesamfund, Dansk EDI Råd, Dansk Dataforening, Dansk Ejendomsmæglerforening, Dansk Handel & Service, Dansk Industri, Dansk O.T.C., Dansk Standard, Danske Dagblades Forening, Danske Elværkers Forening, De Samvirkende Invalideorganisationer, Debitel Danmark A/S, Den Sociale Ankestyrelse, Den Sociale Sikringsstyrelse, Det Centrale Handicapråd, Det Danske Handelskammer, Det Kommunale Kartel, Det Kongelige Bibliotek, Direktoratet for Arbejdsløshedsforsikringen, Direktoratet for Arbejdstilsynet, Direktoratet for Kriminalforsorgen, Den Danske Dommerforening, Dommerfuldmægtigforeningen v. Retsassessor Carin Heiner Holm, DSB, Eksport Kredit Fonden, Eksportfremmerådet, Elektronikindustrien, Energistyrelsen, Erhvervs- og Selskabsstyrelsen, Erhvervsfremme Styrelsen, Erhvervsministeriet, EU-direktoratet, FDA v/landsformand Viggo Bækgaard, Finansministeriet, Finansrådet, Finanstilsynet, Folketingets Ombudsmand, Fondsrådet, Forbrugerombudsmanden, Forbrugerrådet, Forbrugerstyrelsen, Foreningen af Interne Revisorer, Foreningen af Internetleverandører, Foreningen af Management Konsulenter, Foreningen af Registrerede Revisorer, Foreningen af Statsautoriserede Revisorer, Foreningen for Dansk Internet Handel, Forsvarsministeriet, Frederiksberg Kommune, Færøernes Landstyre, Global One, GN Store Nord, Grossistforeningen for Radio og Elektronik, Grønlands Hjemmestyre, Handelshøjskolen i København, Håndværksrådet, Indenrigsministeriet, InvesteringsForeningsRådet, IT-Brancheforeningen, ITEK, Justitsministeriet, KODA, Kommunedata, Kommunernes Landsforening, Kongeriet Danmarks Hypotekbank, Konkurrencerådet, Kort & Matrikelstyrelsen, Kulturministeriet, Københavns Fondsbørs A/S, Københavns Kommune, Landsorganisationen i Danmark LO, Leverandørforeningen for Radiokommunikation, Miljø- og Energiministeriet, Mobilix, Multi Medie Foreningen, Næstved Kommune, Patentdirektoratet, Pengeinstitutternes Betalings Service PBS A/S, Plantedirektoratet, Post Danmark, Realkreditrådet, Registertilsynet, Rigspolitichefen, Rigsrevisionen, Ringsted Kommune, Rådet for Dansk Forsikring og Pension, Skatteministeriet, Socialministeriet, Sonofon I/S, Statens Arkiver, Statens Bibliotekstjeneste, Statens Bilinspektion, Statens Information, Statens Luftfartsvæsen, Statsadvokaten for Særlig Økonomisk Kriminalitet, Statsministeriet, Sundhedsministeriet, Sundhedsstyrelsen, SU-styrelsen, Søfartsstyrelsen, Tele Danmark A/S, Tele2 A/S, Telekommunikationsforbundet, Telestyrelsen, Telia A/S, Told- og Skattestyrelsen, Trafikministeriet, Udenrigsministeriet, Udlændingestyrelsen, Undervisningsministeriet, Vordingborg Kommune, Værdipapircentralen, Ældre Sagen, Økonomiministeriet, Økonomistyrelsen, Århus Amt, Advokat Hanne Bender, Professor dr.jur. Jens Peter Christensen and professor dr. jur. Karsten Revsbech, Århus Universitet, Centerleder Knud Erik Skouby, Danmarks Tekniske Universitet, as well as Professor Mads Bryde Andersen, professor dr. jur. Mogens Koktvedgaard and professor dr. jur. Peter Blume, Københavns Universitet. H. Table of the consequences of the Bill | | Positive consequences/lower costs | Negative consequences/additional costs | | Economic consequences for the State and local and county authorities | Lower resource requirements for undertaking various services offered by using electronic communication and electronic signatures. | To undertake the task of regulating certification authorities, the National Telecom Agency would need an additional two to three man-years. Investments needed in new technology, training of personnel, etc. in connection with the provision of new electronic services. | | Administrative consequences for the State and local and county authorities | Better possibility for public authorities to use electronic signatures that comply with a sufficiently high level of security to meet citizens' need for use and protection of personal data in connection with electronic services. | None | | Economic and administrative consequences for the business community | Certification authorities offering qualified certificates must pay the cost of a system auditor and of submitting various data to the National Telecom Agency. In the long term it is also intended to lay down rules to the effect that the State's costs in connection with the National Telecom agency's regulatory activities must be paid by the certification authorities. | The introduction of rules on regulation of and liability for certain certification authorities is expected to increase the credibility of electronic signatures and thus to improve the basis of business activities for the certification authorities. Improved possibility of using and developing electronic commerce, which may result in considerable savings for the business community and improve its competitiveness to foreign companies. | | Environmental consequences | As the use of electronic services spreads, it will produce clear environmental benefits because of lower resource requirements for transport of messages, savings in paper consumption, etc. | The Bill has no appreciable negative consequences to the environment. | | Administrative consequences for citizens | The improved possibility of communicating electronically with public authorities would mean considerably easier administration for citizens. | No negative administrative consequences for citizens. | | Relationship to EU law | The Bill contains rules that implement Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. | Notes to the individual provisions of the Bill Part 1 Scope and application Section 1: The purpose of the Bill is to ensure that there will be products and certification authorities on the market that comply with requirements that make them secure to use. The Bill thus lays down requirements for certificates offered as "qualified certificates". The providers of such qualified certificates will be subject to a number of minimum requirements, public regulation and a special liability regulation. It is not a question of an actual prior authorisation scheme, but a scheme based on submission of documentation (including, in particular, system auditor reports) of compliance with the minimum requirements, combined with the possibility of suspending a certification authority's right to use the government-regulated product description "qualified certificates" about its product if the documentation is insufficient or the requirements are not complied with. The Bill will thus help to advance secure and efficient use of digital communication. The purpose of the Bill is not to regulate all offers to provide certificates for electronic signatures. Certification authorities will be able to decide for themselves whether to use the term "qualified certificates" about their products and thus be covered by the Act's regulatory scheme and associated liability provision. In addition to the above-mentioned, the Bill contains specific regulation of the minimum requirements concerning signature-creation devices, see also the notes on sections 14-15 of the Bill. Section 2: The provision specifies the application of the Bill. The Bill will primarily apply to certification authorities established in Denmark and to the qualified certificates that these authorities issue to the public. The Bill also contains rules on signature-creation and signature-verification data that certification authorities provide in combination with a qualified certificate. Finally, the Bill lays down a number of requirements for secure signature-creation devices that are marketed and used in Denmark, including that they must basically be verified by a body or authority designated by the Minister of Research and Information Technology. Subsection (1): As far as the specific regulation of certification authorities is concerned, the territorial scope of the Bill covers only certification authorities established in Denmark For a certification authority to be regarded as established in Denmark it must undertake financial activities from a permanent address in Denmark for a non-specified period of time or for a certain period of time. An example of a certification authority that will undoubtedly be covered by the provisions of this Act, is a company established and registered as a Danish company in accordance with Danish company law, and domiciled in Denmark. Such establishment and registration must be taken to mean that the company is managed in this country and is carrying out its main financial activities here. If such a certification authority chooses to offer its services in another country, it will still have to comply with the provisions of this Act and will still be subject to Danish regulation. Contrary to this, a certification authority that offers its services on a website on the Internet set up via a Danish Internet provider but does not otherwise undertake activities in Denmark will not be regarded as established in Denmark (i.e. in the country where the Internet provider is located). It does not matter in which countries the website of a certification authority is accessible. If a certification authority is established in several locations, the decisive factor is the location from which the services in question are supplied. If that is difficult to decide, importance must be attached to where the centre of the certification authority's activities relating to the services in question is located and, ultimately, also where the company's head office is domiciled. Whether a certification authority must be regarded as being established in Denmark or in another country within the European Economic Area (EEA) is important for deciding which country's authorities etc. are to check that it complies with the requirements for issuing qualified certificates. Article 4, paragraph 1, of the Directive thus introduces a form of work-sharing between the Member States. A more detailed definition of when a certification authority must be regarded as being established in Denmark or another country must be decided in practice on the basis of an interpretation of the rules contained in the Treaty on European Union regarding the right of freedom of establishment and other relevant EC directives. In accordance with the requirement in Article 4, paragraph 1, of the principles of the Treaty on European Union on freedom to provide services, the Bill does not impose limitations on certification authorities established in another country within the European Economic Area (EEA) with respect to marketing and issuing certificates on the Danish market. Certification authorities established in EEA countries may, in so far as they comply with the requirements of the Directive, also market and issue certificates termed qualified certificates in Denmark. Qualified certificates issued by a certification authority established in these countries may be used to meet formal requirements in the legislation, see section 13 of the Bill, in the same way as a qualified certificate issued by a certification authority established in Denmark. This also applies to certificates issued by certification authorities in third countries, provided the conditions stipulated in section 23 are complied with. Whether a certification authority not established in Denmark meets the Directive's requirements on certification authorities that issue qualified certificates must be checked by the authority or private body in the country of establishment designated to do so in accordance with the rules of the country in question. Article 3, paragraph 3, of the Directive states that each Member State must ensure the establishment of an "appropriate system that allows for regulation of" certification authorities that are established on its territory and issue qualified certificates to the public. No further requirements are specified as to the scope of such regulation and this may thus vary in extent and detail from one Member State to another. The Bill applies primarily to the provision of qualified certificates to the public and thus does not regulate the use of electronic signatures and certificates used exclusively within dedicated systems based on voluntary agreements between a specified number of participants. The Directive does not contain any detailed definition of what provision of certificates "to the public" shall be understood to mean, which is why it must be decided in practice how to interpret the expression. However, in the assessment of concrete cases the critical question is probably whether or not a certificate can be used vis-à-vis third parties with whom the signatory has not made any prior agreement on use or acceptance of the certificate in question. An example of such a dedicated system not regulated by the Bill would be an Internet banking system where it is only the bank that has to use and accept the signatory's certificate. Similarly, it must be assumed that certificates that can only be used within one or more organisations or companies will not be covered. The Bill's rules on certification authorities, with the exception of the provisions in section 12, must only apply to certification authorities established in Denmark and which issue qualified certificates. Section 12, however, applies to all certification authorities established in Denmark whether or not they issue qualified certificates or certificates to the public. For the sake of the formulation of the Bill's provisions, the term "certification authority" is used everywhere in the Bill. See also the notes on section 12. Subsection (2): The Bill applies also to verification of compliance by signature-creation devices with the specified requirements for secure signature-creation devices. See also the notes on section 15 on the geographic scope of these provisions. Part 2 Definitions Part 2 contains the definitions of the terms used in the Bill. The terms originate, inter alia, from the definitions in Article 2 of the Directive, and they form the basis for establishing an internal market for certification services that comply with these requirements. Section 3: Subsection (1), 1): This provision defines what an electronic signature shall be understood to mean. The most widely used electronic signature technology today is the so-called digital signature, which is based on a system with a private and public signature key. However, the Bill also covers other electronic systems intended to identify users such as codes and biometric values. The Bill is based on a principle of technology-neutral regulation and thus covers all kinds of electronic methods to establish the authenticity of a message. A method of authentication means a method to check that a message originates from the person indicated as signatory and that the content has not been changed after the electronic signature was attached. A digital signature works as follows: the signatory has a private signature-generation key, which he uses to create or generate the digital signature. To this private key is attached a public signature-verification key. The private key is used to check the digital signature. The private and the public key match like two halves of a lock or a code so that a message signed with one of the keys can only be verified with the other. 2): Point 2) contains a definition of what an advanced electronic signature shall be understood to mean. For an electronic signature to be regarded as an advanced electronic signature it must be able to identify the signatory and be uniquely linked to that person, see points (a) and (b). With respect to the security of the electronic signature, it is required in point (c) that an advanced electronic signature be based on a signature-creation device using means that the signatory can keep under his sole control. Point (d) stipulates that an advanced electronic signature must be able to reveal any change made in the signed data after the signature was attached to them. The user must thus be able to see if changes have been made to the signed data after the signature was attached to or logically associated with them. This definition is used in section 13 of the Bill, which contains the first part of a specific regulation of the legal effects of using electronic signatures. 3): A definition is given in point 3) of what a signatory shall be understood to mean. The signatory is the person that controls a signature-creation device and holds the signature-creation data (the private key). It is thus the person that appears from the certificate and that has created the signature on the signed data. 4): Point 4) defines what signature-creation data shall be understood to mean. Signature-creation data are the data used to create the electronic signature. In the digital-signature technology, signature-creation data are called the private key. 5): Point 5) specifies what a signature-creation device shall be understood to mean. A signature-creation device is the system used to create the electronic signature and is typically based on an encryption algorithm and a decryption algorithm with associated encryption keys. An encryption algorithm is a formalised way of creating an electronic signature. The encryption keys are parameters that are used for the encryption algorithms for practical reasons. The keys decide how the algorithms create the electronic signature. The signature-creation device uses the signature-creation data. The device can be software-based as well as hardware-based. A possible hardware solution is when the signature-creation data is stored on a so-called chipcard (a plastic card). A software-based signature-creation device will typically be contained in the electronic mail system. Sections 14 and 15 contain further rules on so-called "secure signature-creation devices". 6): According to point 6), the signature-verification data are the data used to verify the electronic signature, i.e. the public part of the key pair. 7): The provision in point 7) specifies what a signature-verification device shall be understood to mean. It is a system used to verify the electronic signature. 8): Point 8) defines a certificate. A certificate for an electronic signature contains information about the signatory. The signatory is the person that holds a signature-creation device and that makes an agreement with a certification authority on the issue of a certificate for the signatory's signature. The certificate is the electronic attestation stating the connection between the identity of the signatory and the latter's signature-verification data (also called the public key in digital signature technology). 9): Point 9) defines what is considered in the Bill to be a certification authority. The core activity of a certification authority is to verify the identity of the signatory and state the connection between the signatory and his or her signature-verification data in a certificate issued by the certification authority. In addition, certification authorities that issue qualified certificates must ensure the operation of a prompt and secure directory and a secure and immediate revocation service, see section 9. A certification authority is free to carry out other forms of activities, including a number of related services such as validation and time stamping, and to guarantee certificates issued by other certification authorities, | 
Problématique
