This post is also available in: Español
On February 19, Spain’s Council of Ministers agreed to submit a draft bill of the Spanish Act regulating certain aspects of electronic trust services (the “Trust Services Act”) to the country’s Parliament for its consideration, and all indications suggest that final approval will soon be granted for the text of the new law.
As we have reported in previous posts, since April 2018, work has been continuing on a new Spanish Trust Services Act, which in addition to transposing certain aspects of Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the “eIDAS Regulation”), will replace the outdated but still valid Act 59/2003 on Electronic Signatures.
Although the eIDAS Regulation—which covers not only electronic signatures but also a broader category of electronic trust services (such as electronic seals, website authentication, and certified electronic deliveries)—has been directly applicable in Spain since 2016, the new act is needed to produce a more precise adaptation of the country’s legal framework to the system established by the EU regulations.
One important new aspect of the draft bill is therefore a new system governing the legal effects of electronic documents that are used to support public, administrative, and private documents, establishing that their value and effectiveness must be determined under the applicable law, according to their nature.
In relation to proving the authenticity, integrity, or validity of other aspects of electronic documents if they are challenged, there would be an assumption of valid and correct provision of trust services if their provider was included on the pertinent trusted list at the relevant time. As a means of introducing this new system, amendment of the current text of article 326 of Act 1/2000, of January 7, on Civil Procedure is being proposed.
Also, the draft bill—which stipulates that the new law would apply to public and private providers of electronic trust services established in Spain—adds a series of obligations with which the providers must comply, including the following highlights:
- To publish accurate information in compliance with the law, and to refrain from storing or copying data related to creation of signatures or seals or to website authentication (unless providing management services on behalf of the owner);
- To provide a service available to the public to respond to any questions regarding the validity or revocation of certificates issued;
- For qualified providers, to store information related to the services provided for 15 years, counted from the certificate’s expiration date or the completion date of the service;
- To contract a civil liability insurance policy with at least €1.5 million in coverage, with an additional €500,000 in coverage for each type of qualified service provided;
- To give notice at least two months in advance, to both customers and the supervisory authority, if a provider intends to stop providing services;
- To make the declaration of practices for electronic trust services easily available to the public, electronically and free of charge; the declaration must contain a description of how the service is provided, a guarantee of compliance with the legal obligations, and information about the correct way of making use of the services;
- To notify Spain’s Ministry of Economic Affairs and Digital Transformation regarding any security breaches or data losses, or to notify the Spanish Data Protection Agency in cases where applicable.
The draft legislation also addresses some more specific issues regarding the trust services provided, such as periods of validity, expiration, revocation, and suspension of electronic certificates, as well as the system used in relation to the identity and attributes of qualified certificate holders.
Another noteworthy aspect is the system on liability for providers of electronic services, since they would be liable for any harm or losses caused to any person by exercise of their activities in a manner that fails to comply with the legal obligations. They would also assume all liability for harm caused to third parties by the actions of any persons or other providers to which they fully or partially delegate the activities required for provision of their services. However, the draft bill also establishes limits on that liability, for example, in cases where customers have provided inaccurate information or have failed to provide notification of changes to it, or where certificates have been used in a negligent manner.
Finally, it is also worth noting the infringements regime and the sanctions, which will be the responsibility of Spain’s Ministry of Economic Affairs and Digital Transformation or State Secretariat for Digitalization and Artificial Intelligence. The sanctions imposed could amount to €300,000, based upon the scale of severity established.
Now we have to wait to see whether the text of this draft bill is approved by Parliament, or what sort of amendments will be introduced by the different parliamentary groups before this latest chapter can be closed.
Author: Claudia Morgado