This post is also available in: Español
On Wednesday November 11, 2020, the Spanish Parliament passed Spanish Act 6/2020 regulating certain aspects of electronic trust services (the “Trust Services Act”), thus concluding a protracted parliamentary process that lasted more than two years.
As we reported in previous posts, this new Act, which came into force on Friday November 13, does not attempt to provide a comprehensive regulation of the electronic signature, although it does finally repeal the now obsolete Electronic Signature Act (Ley 59/2003, de Firma Electrónica). The vast majority of the regulation is taken from Regulation (EU) 910/2014, on electronic identification and trust services for electronic transactions (the “eIDAS Regulation”), which the Trust Services Act merely adds to.
The key developments offered by the new Act (which we already commented on here) have been kept in its final version, although there were two last-minute changes made in the final stage, triggered by amendments from a number of parliamentary groups:
- It recognizes that some remote identification methods could offer an equivalent level of trust to physical presence. The Trust Services Act mentions video conference or video identification, although those methods are not the only ones offering equivalent security. As mentioned in previous posts, an order from the Ministry for Economic Affairs and Digital Transformation will establish technical conditions and requirements.
- The official list of unqualified trust service providers should include a detailed and clear description of the specific features distinguishing qualified providers from unqualified ones.
One of the most important overall aspects of the Trust Services Act is the evidentiary advantage electronic trust services offer in court cases where the authenticity, integrity, accuracy of date and time or other features of an electronic document, linked to a qualified electronic trust service, are challenged. In such cases, the Act introduces a presumption that the trust service will have been provided correctly if it was included, in good time, on the trust list published by the Ministry of Economic Affairs and Digital Transformation. In introducing this new system, the Act amends the current wording of section n 326 of the Spanish Civil Procedure Act (Ley de Enjuiciamiento Civil).
The Act also addresses some more specific issues regarding the provision of trust services, such as periods of validity, expiration, revocation, and suspension of electronic certificates, which cannot last longer than five years, as well as the identification system and attributes of qualified certificate holders.
It also adds a series of obligations that trust service providers must meet, including:
- To publish accurate information that complies with the law, and to refrain from storing or copying data related to the creation of signatures or seals or to website authentication (unless providing management services on behalf of the owner).
- To provide a publicly accessible service to answer questions on the validity or revocation of certificates issued.
- For qualified providers, to store information on the services provided for 15 years, starting from the certificate’s expiration date or the completion date of the service.
- To contract a civil liability insurance policy with at least €1.5 million in coverage, with an additional €500,000 in coverage for each type of qualified service provided.
- To notify customers and the oversight body two months in advance in the event of the qualified service provider terminating its business activity.
- To make the declaration of practices for electronic trust services easily available to the public, electronically and free of charge. It must contain a description of how the service is provided, a guarantee of compliance with the legal obligations, and information about the correct way of making use of the services;
- To notify Spain’s Ministry of Economic Affairs and Digital Transformation of any security breaches or data losses, or to notify the Spanish Data Protection Agency in applicable cases.
Another noteworthy aspect is the system on liability for providers of electronic services, since they would be liable for any injury or loss suffered by any person, through exercising their activities in a manner that does not comply with the legal obligations. They would also assume all liability for harm caused to third parties by the actions of any persons or other providers to which they fully or partially delegate service provision activities. However, the Act also establishes limits on that liability, for example, in cases where customers have provided inaccurate information or have failed to notify changes to it, or where certificates have been used in a negligent manner.
Trusted service providers are also facing a new infringements regime and sanctions, to be applied by Spain’s Ministry of Economic Affairs and Digital Transformation or the Secretary of State for Digitalization and Artificial Intelligence. The sanctions imposed could amount to €300,000, based on a sliding scale of severity.
Last but not least, the Trust Services Act also defines the sanctions rules for breaches of Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services (the “P2B Regulation”), which we discussed here, which could levy penalties of up to €150,000 depending on the seriousness of the breach, and of Regulation (EU) 2018/302 on addressing unjustified geo-blocking and other forms of discrimination based on customers’ nationality, place of residence or place of establishment within the internal market (the ”Geo-blocking Regulation”). Any breach of that regulation will be considered unfair under the Spanish Unfair Competition Act (Ley de Competencia Desleal), without affecting the relevant sanctions rules of the Consolidated Spanish Consumer Protection Act (Ley General para la Defensa de Consumidores y Usuarios), where they apply.
Authors: Álvaro Bourkaib y Claudia Morgado
This post is also available in: Español