European Scrutiny Committee


10 e-Signatures and e-Identification

(30246) 16836/08 COM(08) 798 Commission Communication: Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market

Legal base
Document originated: 28 November 2008
Deposited in Parliament: 9 December 2008
Department: Cabinet Office
Basis of consideration: EM of 10 March 2009
Previous Committee Report: None; but see (27369) 7560/06: HC 34-xxviii (2005-06), chapter 14 (10 May 2006)
To be discussed in Council: To be determined
Committee's assessment: Politically important
Committee's decision: Cleared, but further information requested

Background

10.1 The Directive on a Community Framework for Electronic Signatures (1999/3/EC), commonly referred to as the E-signatures Directive, was adopted in December 1999. Its main objective was to create a Community framework for the use of electronic signatures, allowing the free flow of electronic signature products and services across borders and ensuring a basic legal recognition of electronic signatures. It did not address the conclusion, form and validity of contracts or other legal obligations prescribed by national or Community law, nor affect rules and limitations relating to the use of documents provided in national or Community law (e.g., the use of paper for certain types of contracts, or parties in a closed system (e.g., a corporate intranet, or between a service provider and its customers) negotiating their specific terms for the use of electronic signatures within this system).

10.2 The three forms of electronic signature that the Directive addresses are:

—  the simplest form of the Electronic Signature, which has a wide meaning and can be as simple as signing an e-mail message with a person's name or using a PIN-code;

—  the Advanced Electronic Signature, which has to meet the requirements defined in Article 2.2 of the Directive, which refers mainly to electronic signatures based on a public key infrastructure (PKI). As both public and private service providers and businesses increasingly turn to electronic means of doing business, electronic credentials that prove identity are becoming a critical necessity. Much like a passport proves identity in the offline world, PKI provides a way to prove identity in the online world, ensuring that people are who they say they are and that documents have not been tampered with;

—  a third form of electronic signature mentioned in Article 5.1, which the Directive did not give a term of its own, is known as a Qualified Electronic Signature: an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device.[55]

10.3 Article 12 of the Directive required a review of its operation, the outcome of which the then Committee considered on 10 May 2006. The Report was the result of an external review by and consultation with "all the interested parties". So far, the two "dominating electronic signature applications" related to e-government and personal e-banking services. The Commission said that many Member States and several other European countries had launched e-government applications or were planning to do so, with a number of applications being based on the use of electronic ID cards, both as an identification document and to provide on-line access to public services for the citizens. "In most cases these ID cards will contain the three functionalities: identification, authentication and signing". Personal e-banking was now "taking off in most EU countries". Most of the authentication systems relied on one-time passwords (OTP), i.e., "the simplest form of electronic signature according to the Directive". Though many e-banking applications were using these technologies only for authentication of the user, electronic signing of transactions was increasing. Smart cards, which were considered to provide a higher level of security, were more common for corporate e-banking (business-to-business) and inter-bank clearing. The "spectrum of services requiring a level of authentication corresponding to the simple form of electronic signature" was also being widened in several Member States. The objectives of the Directive had been largely fulfilled and there was no clear need for its revision at this stage. Overall, however, the use of qualified electronic signatures had been much less than expected, which meant that "the internal market objective of the Directive, the free circulation of qualified electronic signatures, cannot be assessed comprehensively at this stage".
So far, service providers had preferred to offer solutions for their own services (e.g., solutions developed by the banking sector), which slowed down the process of developing interoperable solutions. But, the Commission felt, a number of future applications might trigger market growth; the use of signatures in e-government services had already reached a certain volume and would probably be an important driver in the future, as "the need for secure electronic means of identification to access and use public services is essential for citizens and businesses and will promote the use of electronic signatures. Different forms of eID will be emerging and will require some degree of interoperability". Internally, the Commission intended to continue the modernisation of its own administration, with the future deployment of e-signatures to reduce paper circulation; it would also continue to encourage the development of e-signatures services and applications and monitor the market. Beyond support through eGovernment activities, particular emphasis would be placed on interoperability and cross-border use of electronic signatures; the Commission would encourage further standardisation work in order "to promote the interoperability and use of all kinds of technologies for qualified electronic signature in the internal market" and prepare a report on standards for electronic signatures in 2006. Given its concerns about mutual recognition of e-signatures and interoperability of systems, it would be seeking meetings with Member States and relevant stakeholders to discuss:

  • differences in transpositions;
  • clarifications of specific articles of the Directive;
  • technical and standardisation of e-signatures; and
  • interoperability problems.

10.4 The then Minister of State for Industry and the Regions at the then Department of Trade and Industry (Alun Michael) said that demand in the UK for qualified electronic signatures had been low. The Government was content with the outcome of the review. Transposition in the UK (through a combination of the Electronic Communications Act 2000 and the Electronic Signature Regulations 2002) had taken a minimal approach that had played well with users and avoided the failings of the over-zealous implementations adopted by some Member States. This approach provided legal certainty as to the use of electronic signatures and enabled organisations to adopt the qualified signature approach, should they wish, with a minimum of cost and bureaucracy. The Commission had likewise taken an intelligent approach: recognising that the Directive had had limited — but important — success and, instead of changes, proposing "the far more practical approach of increasing the dialogue around the use of electronic signatures and the linkages with other related initiatives in relation to electronic identities and identity cards". Unless the proposed further discussion and review of standards resulted in proposals to change the existing system, he thought there would be minimal impact on UK business and/or the economy.

10.5 Although entirely uncontroversial, the then Committee thought that the report warranted a Report to the House, not only because of what the then Minister rightly described as the intelligent approach taken by the Commission and the contentment of the UK industry with this approach, but also because of the growth of, and interest in, e-banking and e-commerce generally and the prospective growth of internet-based public services.[56]

The Commission Communication

10.6 The Commission recalls that the "Lisbon Strategy for Growth and Jobs" committed the EU to improve the legal and administrative environment with the aim of unlocking business potential. Bringing public administrations online and the cross-border communication of businesses and individuals with them is a means of encouraging entrepreneurship and facilitating the citizen's contact with public services. Public authorities across Europe have started to offer electronic access to government services. But they have focussed mostly on national needs and means, producing a complex system with different solutions; this risks creating new barriers to cross-border markets and hampering the functioning of the single market for both enterprises and citizens. Major barriers to cross-border access to electronic services of public administrations are linked to the use of electronic identification and of electronic signatures; as in the non-digital environment, access to public administrations' electronic procedures often implies the need for the individuals involved to identify themselves (allowing the administration to make sure that the persons are who they claim to be by checking their personal credentials) and the need to provide an electronic signature (allowing the administration to identify the signatory as well as to make sure that the data submitted has not been altered during transmission): "The main barrier is the lack of interoperability, be it legal, technical or organisational." Though the E-signatures Directive established the legal recognition of electronic signatures and a legal framework to promote their interoperability, a number of practical, technical and organisational requirements need to be met to establish such interoperability.
Furthermore, effective interoperability is also required if Member States are to comply with their legal obligations under other EU legislation, in particular under specific internal market instruments; several internal market initiatives foresee that businesses should be able to use electronic means to communicate with public bodies, exercise their rights and do business across borders (the Commission cites as examples the Services Directive and the Public Procurement Directive).

10.7 The Commission accordingly proposes an Action Plan, in line with the proposal to adopt an Action Plan on e-signatures and e-authentication in the 20 November 2007 Commission Communication "A single market for the 21st century". It would aim to offer a "comprehensive and pragmatic framework" to achieve interoperable electronic signatures (e-Signatures) and electronic identification (e-Identification),[57] with the intention of assisting Member States "in implementing mutually recognised and interoperable electronic signatures and e-identification solutions", and focussing on "a number of practical, organisational and technical issues, complementing the existing legal framework." Although dealing mainly with e-Government applications, the Commission maintains the actions will also benefit businesses' applications with respect to both Business to Business (B2B) and Business to Consumers (B2C).

10.8 The Commission would:

—  update the existing list of recognised standards for e-Signature products in an effort to reduce complexity of the current landscape;

—  compile a 'Trusted List' of e-Signature service providers at European level in an effort to centralise all required information on existing service providers;

—  establish guidelines and guidance on common requirements for the use of e-Signatures to improve use by stakeholders;

—  update the country profiles of the study on the mutual recognition of e-Signatures for e-Government applications;

—  investigate the feasibility of a European federated validation study, and based on the results of the study, determine if and how to implement such a validation service;

—  report on whether further action is needed to facilitate cross-border use of e-Signatures based on ongoing work in the field; and

—  invite Member States to provide the Commission with necessary information on a regular basis and where needed, complete steps following on from the actions as mentioned above, including, if necessary, testing the implementation of these actions in a pilot project.

10.9 Actions relating to e-Identification would see the Commission:

—  update country profiles of the 'e-ID Interoperability Study for Pan European e-Government Services', enabling better awareness of latest developments;

—  launch specific surveys on the use of e-ID in Member States, complementary to the ongoing work of the EU e-Identity Large Scale European pilot project, informally known as Project STORK;

—  assess what additional actions may be required depending on the outcome of Project STORK; and

—  invite Member States to demonstrate solutions for cross-border use of e-ID in Project STORK.

10.10 The Action Plan would combine the work of various European Commission services, linking several of the technical measures that are included in existing work programmes, such as "eIdentity Interoperability for European e-Government Services", "e-Signatures for eGovernment applications" and the "European Federated Validation Service", to the ongoing work regarding e-Signatures and Internal Market Instruments.

The Government's view

10.11 The Commission Communication is commented upon fully and helpfully by the Parliamentary Secretary at the Cabinet Office (Mr Tom Watson) in his Explanatory Memorandum of 10 March 2008. He describes the Government as "committed to the delivery of better and innovative public services to citizens and businesses, including through the development of e-Identification", which he says is "part of Government's Transformational Government programme to deliver public services in a more efficient and effective way that better meets the needs of the public through improved use of technology including the internet."[58]

10.12 The Minister says that the Commission's use of the term 'e-Signatures':

"… is very broad and this confuses debates and negotiations on the matter. The meaning of e-Signatures in the UK is generally understood to mean a complex authentication system but the Commission's use of it in this Communication covers both simple username and password to the advanced-level authentication model."

10.13 The Minister then says that the Government recognises the advantage to the citizen of simplifying access to government services based on e-Identification:

"There is already a much greater delivery of UK public services using new technology and online access involving e-Identification. The role of the Government Gateway, administered by DWP, is key to the success of European cross-border services, acting as a broker to trusted identity service providers as well as continuing to provide a common identity registration and authentication process for remote access to public services in the UK. The Government Gateway has 14 million online registered users (as reported in the Transformational Government Annual Report 2007), protecting their information with a username and password.

"The National Identity Strategy, coordinated by the Identity and Passport Service (IPS) has looked into inclusion of a government-wide core service for secure and easy access to public services."

10.14 The Minister goes on to say that the UK is examining possible ways to achieve interoperability of e-Identification, as described in this Commission Communication, by taking part in Project STORK:

"The UK is already a lead partner in the pilot, a consortium of 14 Member States, which sets out to address the interoperability of e-Identification in public services across Europe. STORK is a key first step towards providing access to UK public services by non-UK and UK-based citizens outside of the UK. A number of the Communication's actions provide supportive measures to further the development of the pilot. The UK is encouraged by these measures and will continue to be an active participant in this area of work."

10.15 The Minister then looks at what he describes as "a long history of the European Commission advocating the use of advanced e-Signatures and a European 'model signature', which began in 1999 with the e-Signatures Directive." Noting that implementation of this Directive is led by the Department of Business, Enterprise and Regulatory Reform, the Minister says that they have noted a lack of interest from the private sector in adopting the European model set out in the Directive:

"The UK is not alone — the Directive has made little impact in Sweden, Finland, Ireland and the Netherlands where there is no commercial take-up of the European signature and their administrations do not require the use of advanced e-Signatures/e-Identification to access government services. The technology for high-end e-Signatures (known as digital signatures and the form promoted by the Directive) is expensive and often not easy to use. Adoption in the UK has accordingly focused on high value transactions and with little take-up in mass market applications.

"Some countries — especially those with a more legislatively defined concept of signatures — have tried to apply digital signatures to a variety of online Government services and some popular commercial services such as online banking. The Commission's Communication supposes that greater use of digital signatures is a good thing and that adoption is prevented by cross-border interoperability problems. It is the Government's consistent view that it is the lack of a clear business case for digital signatures that has been the primary barrier to the development of interoperable e-Signatures rather than those suggested by the Commission."

10.16 Finally, the Minister says that the actions are to be carried out by the Commission and that there is no impact on UK policy:

"These actions are aimed at information gathering and enabling actions rather than seeking to impose any specific solutions or requirements on Member States. When Member States are invited to provide input, the UK will, under guidance of the relevant cross-government group, ensure that emerging EU e-Signature and e-Identity management policy is consistent with UK policy and is compliant with emerging standards, including standards to support a trusted identity service provider model that is accepted by all Member States."

Conclusion

10.17 Though it contains no immediate legislative proposals, the Commission Communication suggests that little has changed since 2006 and reveals a degree of exasperation on the Commission's part that Member States have still not embraced the E-signatures Directive as much as it would have wished, which it sees as being "required if Member States are to comply with their legal obligations under other EU legislation".

10.18 The Minister's position contradicts this: though the Commission "supposes that greater use of digital signatures is a good thing and that adoption is prevented by cross-border interoperability problems … it is the Government's consistent view that it is the lack of a clear business case for digital signatures that has been the primary barrier to the development of interoperable e-Signatures rather than those suggested by the Commission".

10.19 Given the reference to requirements if Member States are to comply with other legal obligations, we are not as sure as the Minister appears to be that the Commission will not at some point seek to move beyond "information gathering and enabling actions" to "seeking to impose … specific solutions or requirements on Member States". There is no mention of any further review point. We should therefore be grateful if the Minister would write to us in a year's time with a description and assessment of what has transpired, including whether he is as sanguine then as he is now about the Commission's intentions.

10.20 In the meantime, we clear the document.





55   For more information, see http://en.wikipedia.org/wiki/Public_key_infrastructure : "The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA."

56   See headnote: (27369) 7560/06: HC 34-xxviii (2005-06), chapter 14 (10 May 2006).

57   The Commission defines Identification as "the process of using claimed or observed attributes of an entity to deduce who the entity is", and says that the term "identification" is also referred to as entity authentication. It also refers to E-authentication, which it says is understood here as entity authentication, i.e. e-identification, which term "is used in this document for the sake of clear separation between entity and data authentication."

58   See http://archive.cabinetoffice.gov.uk/e-government/strategy/ for more on 'Transformational Government - Enabled by Technology', which was published by the Government in November 2005 and sets out "how effective use of technology to deliver services designed around the needs of citizens and businesses can make a real difference to people's lives."


 

© Parliamentary copyright 2009
Prepared 27 March 2009