Who hasn’t lived the ridiculous situation of printing a document, signing it, scanning it, and re-sending it by email, all losing precious time from your busy workday? And then how can you be sure the sender actually signed the document as well, and won’t challenge their consent in the future?
Why do you think your bank still asks you to print/sign/scan your automatic debit authorization? Easy — it’s because the French code implemented a vague provision with respect to the reliability of electronic signatures, and avoided a clear description of the practical conditions for such signatures being binding without any risk. Moreover, it implemented several levels of reliable signatures, creating confusion and uncertainty in this field.
Thankfully, the European regulations providing clearer solutions came into being on July 1st, 2016 and will replace, as of October 2016 the old and unclear provisions. This establish that electronic signatures bring with them the same effects as a handwritten signature.
There are three types of electronic signature (electronic signature, advanced electronic signature and qualified electronic signature) with different levels of reliability.
The reliability of an electronic signature depends on (i) its ability to establish the signer’s identity, (ii) the guarantee that the content of the documents signed online cannot be subsequently changed or modified, (iii) its ability to be accessed throughout the legal duration of the document’s validity and (iv) the tracking of every modification.
The first level (simple electronic signature) exists, for example, when you sign a document without any identification process; this is done by digitizing the form of your signature.
The advanced signature and the qualified signature require, by law, a strong identification process, whereby the signer uses data that only he/she is able to control.
As an example, this means that instead of sending you the document for printing, they will send you an email with a link to its platform to sign the document (using your personal access codes such as email/password and possibly an IP check). Then you are asked to confirm your identity with another layer of identification process, for example a secret password sent by text message to your personal phone, etc.
Then to ensure the integrity of the documents, the signature service provider will use a time-stamp system coupled with a cryptographic signature. These measures guarantee the state of the documents when they were signed, and that they have not been changed in any way since that date.
The combination of all of these measures and the security of their implementation will determine the reliability of the signature. The more secure (and thus tedious), the more difficult will it be for the signer to contend that they were not the real signer of the document.
This is why for the past few years, the government has implemented specific rules for electronic signatures with qualified certificates (qualified signatures). But as raised above, success has been marginal, mostly with the government and big corporations, since the process required the signer to buy a certificate (costing approximately 200€) and go through a strict ID check, including physical meeting. Besides not being smooth and easy, very few could afford it.
Up to today, in practice before the French Supreme Court, we can state that: 1) the qualified signature has the exact same value as a the handwritten signature; nevertheless, 2) the simple signature and 3) the advanced signature processes are bind the signatories, but the use of identification processes remain under the decision of the judge. If the process is not secure enough, the signature is at risk.