|Přinášíme naším čtenářům první anglicky psaný článek připravený pro ITprávo. Zabývá se českou právní úpravou elektronického podpisu a přináší několik zajímavých pohledů a srovnání.
Some insights on the Czech Law on Electronic Signatures
The security of the electronic transactions over the Internet is regarded as a crucial issue in the digital world. The share of transactions carried out in cyberspace environment is gradually increasing.  Thus the paper form in more and more cases is substituted by the electronic form and consequently the hand-written signature by electronic signature. Since 1996 a lot of effort was made to meet the requirements brought by the technical progress. Both international and supranational organizations on governmental and business level have being trying on the one hand to promote the use of electronic signatures in e-commerce and on the other hand to lay down the appropriate apparatus to secure electronic signatures' application. In order to increase trust in e-signs' application and generally in e-commerce, the different laws and guidelines were enacted. The one of the most crucial among them is European Parliament Directive  on a Community framework for the electronic signatures, which sets the obligation for the Member States to lay down the legislations on electronic signatures. Simultaneously, the Directive provides the general directions for modeling the national laws on electronic signatures in order to achieve a certain level of conformity within the concerned issue in the Member States' legislations.
On the basis of EU Directive on electronic signatures, the Czech parliament in May 2000 adopted the Law on Electronic Signatures, which became effective on 1. September 2001. The goal of this paper is to assess critically some specific issues in Czech Law on Electronic Signatures, which in our mind deserve particular attention.
The Czech law is derived from basic principles of the EU Directive. The law has exactly copied the definitions of certain notions (electronic signature, advanced signature and etc.) from the Directive.
The legal effect of the data message attributed to the electronic signature is regulated in the Article 3. According to this article the data message is signed as long as the electronic signature is attached to it. From the interpretation of this article, it becomes obvious that unlike the EU Directive Czech Law on Electronic Signatures strongly adheres to the "media-neutral" ("technology-neutral") rule, according to which any kind of electronic signature (including e-mail signature or the e-signatures which are supposed to be invented in future) is considered enough to create the legal consequences. EU Directive in this issue has slightly different approach. Although it proclaims the nondiscrimination principle, it is not absolutely neutral regarding the legal effect of electronic signatures. Article 5 of Directive considers only advanced electronic signatures (for example, digital signatures) to be equal to handwritten ones. 
When regarding interpretational conflict we encounter the issue of the legal effect of the electronic signature. The explanatory report to the project of the Law on Electronic Signatures provides interpretation on this issue, which is close to that, which is provided in the EU Directive. Specifically speaking, the explanatory report holds the opinion that not every electronic signature but only advanced electronic signatures based on a qualified certificate can constitute the same legal effect as handwritten signatures.  On the other hand the literal interpretation of Article 3 of the Law on Electronic Signatures (which regulates the legal effect of the electronic signature) provides a fundamentally different conclusion. From the wording of this article it is clear that Czech Law is in favor of an absolute neutrality rule, in favor of substituting the handwritten signature with any kind of electronic signature. In the condition of conflict between these two diverse conclusions, the author favors the literal one. First of all the text of the Law lacks any direct wording, which would clearly constitute that only advanced electronic signatures based on the qualified certificate can completely substitute the handwritten signatures. (Such direct wording is provided in EU Directive in article 5 (1)). Also Article 3 (2) of the Law on Electronic Signatures does not set a different classification of electronic signatures in resulted legal effects. According to this article, "the application of advanced electronic signature based on a qualified certificate and generated by secure-signature-creation device enables to verify one that the data-message was signed by the person indicated on the qualified certificate". This article does not constitute any obligation; it only serves as proclamative norm, which encourages the parties within their relations to use the advanced electronic signature, but not for the reason of higher legal consequences or effects (for example, serving as a handwritten signature) but for the sake of their security.  This article recommends to parties way to minimize the risk, which in high level is characteristic of an electronic signatures' application. This risk is indicated in Article 4 of the Law, which states that the advanced electronic signature guarantees that any changes in a signed data message, made after attributing the electronic signature, can be detected.
As we see, the media neutrality principle is completely followded by the Law. According to the Law, it can be differed the following categories of electronic signatures: electronic signature; advanced electronic signature; advanced electronic signature based on qualified certificate, issued by the accredited certification service provider.  However these classifications of electronic signatures do not indicate their different legal effect. Although the support and recommendation for the application of advanced electronic signatures is disclosed in the Law, the use of such signatures does not result in stronger, better legal effects, and not only from the material but also from procedural view. Firstly, the data message signed electronically, regardless of the technology used, can serve as evidence in proceedings and may not be discriminated.  Secondly, through proclaiming advanced signatures as reliable, the Law does not constitute the substantive rule of advanced signatures' reliability. In other words any electronic signature is considered to be based on the presumption that it is reliable. That means that on the objection of any party the court will assess ex post in the light of objective circumstances the reliability of the used electronic signature.  Thus it is admitted possible to rebut the reliability presumption and consequently the person can adduce evidence of the non-reliability of the used electronic signature.
The neutrality rule can be limited by the freedom of the parties to stipulate in their agreement to use a certain type of electronic signature. In this case only use of the agreed electronic signature can result in the relevant legal consequences.
The substitution of handwritten signatures by any kind of electronic signature does not seem to cover all situations where the Czech legislation requires directly the use of a handwritten signature. The general rule that handwritten signatures can be substituted by electronic ones has some exceptions. Handwritten signatures, which by legislation or by the agreement of the parties are subjected to the notary verification, cannot be substituted at all by the electronic signatures. In this case we are speaking about the handwritten signatures, which do not require notary verification. The cases, in which the substitution of handwritten signatures cannot be made, are found in the public law sphere. In certain circumstances legislation sets an obligation to use a handwritten signature. For example, one of the requirements for conducting a referendum is the collecting of certain number of handwritten signatures of the supporters who are demanding the referendum. In this case it may be supposed that, handwritten signature can not be substituted by electronic one. The question is how to determine such exceptions. The notion of nature of matter (Czech povaha věci or German natur der sache) can serve as criteria for defining the exceptions from the general rule. If we return to the above-mentioned example, it can be argued, that even theoretically in this case it is impossible to substitute handwritten signatures by the electronic ones. We think that same criteria can be used in the private law sphere, where actually the legislation requirements for the handwritten signature are minimal.
The structure of Czech Law seems to follow the PKI model, because it is based on regulation of the interplay among three parties: the signatory, the certificate provider and relying (third) persons.  The Law lays down a "code of conduct" for these parties. For example, the signatory is obliged to exercise reasonable care  in order to avoid the unauthorized use of "signature creation data". The law obliges the signatory without undue delay to notify the certificate service provider that there is substantial risk that "signature creation data" may be compromised. However such notification obligations exist only in relation to certificate service providers, not in relation to third parties, which might rely on the electronic signature. To avoid the harmful consequences of the relying parties, in certain situations it would be more appropriate to constitute also the obligation of the signatory alongside the certificate service provider to inform any person that might be expected to rely on the electronic signature, when this electronic signature might have been compromised. However it might be impossible for the signatory to notify every person that may rely on the signature, because in certain circumstances the public key can be available for a wide range of people, including the persons whose personality is not known to the signatory at all. Consequently it would be very burdensome to charge the signatory with such notification obligation towards every person who relied or is going to rely on the signature. In this case, the signatory should carry out "reasonable efforts" for notification that means that signatory should be sufficiently diligent to inform the potentially relying parties, expected in a great level to rely on the signature.
Alongside defining the obligation of the signatory while using the electronic signature, the Law does not guarantee that the appropriate signatory signed the data message. Theoretically it can be admited cases, when the private key is stolen and then misused in different ways (for example, by the stolen key was closed transactions). The complicated issue for the signatory is to prove that although obligation was generated under his electronic signature, it was not his will to create such an obligation, in other words to prove that his private key was misused.  Here also we encounter the main risk inherent with in the electronic signatures' application. Such a situation can be very perilous particularly for the relying parties. Imagine the situation, that the third party relied on the misused signature and under the created obligation has expended certain financial means. In this case the signatory may prove that his authentic willingness to form of the obligation was not involved, and that he exercised reasonable care to avoid unauthorized use of this signature. If also the misused party is not detected (which also seems to be very complicated task), the relying party should put up with the fact that he himself should carry all sustained damages, although he was acting in a good faith.  Unfortunately, so far there is no efficient apparatus, which can protect relying parties from such risk.
Article 6 (1) of the Law on the Electronic Signatures defines the essential duties and obligation of the service provider. Noncompliance with the defined duties will cause the certificate provider's liability, which is to be determined according the Czech Civil Code.  While defining the extent of civil liability of the certificate service provider, the following determinants can be taken into account, inter alia: i) the cost of obtaining the certificate; ii) the nature of the information being certified; iii) the existence and extent of any limitation on the purpose for which the certificate may be used; v) any contributory conduct of the relying party.
According to Article 6 (2), the contract, under it the qualified electronic signature is provided should be in written form, otherwise the contract is void. Let us imagine the situation in which the qualified certificate was not provided under the written contract. Consequently such a transaction has no legal effects and if it objected, by the virtue of Czech Civil Code article 451(2) the parties of the void transaction are obliged to return their performances (unlawful enrichment). That means that the certificate service provider must return the price paid for the services, while the signatory - provided service, specifically speaking data, on the basis of which the electronic signature was generated (actually this data should be revoked by the certification service provider). It can be argued, that such electronic signature (provided without sufficient formal requirement), if used in business or in other kinds of relations, have full legal consequences, because the good faith of the relied parties should be simultaneously respected. However, the formal requirement for the qualified signatures seems to be redundant. The question is why the legislation defines such a formal requirement at all. If the Law wants to provide security for the parties and keep the evidence about the existence of the certificate provide fact, there are enough other means that can serve this purpose. One of the strongest pieces of evidence can be the certificate itself, which simultaneously can serve as evidence that such services were provided.  At the same time it can be assumed that the written form is used for the purposes of agreeing the specific fee for the provided service. However, the Czech Civil Code's regulations regarding the service contracts  does not require a formal written contract, because in case the fee is not agreed in advance or not fixed by the certain regulations, reasonable compensation should be provided.  So author does not see any reasons to set up compulsory written forms for contracts for a providing qualified certificates.
The Law on Electronic Signatures, in relation to the requirement of the EU Directive, lays down the voluntary accreditation system. That means that certificate service providers can apply for special accreditation, however such an accreditation is not mandatory. Regarding the accredited certificate providers, more strict regulations and limitations are applied. By the virtue of one of the limitations, certificate providers should have their headquarters in the territory of Czech Republic. This requirement in relation to the EU legislation seems to be an uncommon approach.  Also article 10 (6) of Law states that, the accredited certificate provider without prior authorization cannot carry out activities other rather than notary, attorney or expert activities. One benefit for the accredited certificate service provider is that in the public sphere only advanced signatures and qualified certificates issued by accredited certification service providers can be used. 
In conclusion, electronic signatures do play a crucial role in e-commerce by providing security and reliability for closing transactions in the electronic environment. Consequently for achieving this aim it is extremely important to lay down appropriate normative schemes. Czech Law on Electronic Signatures is a new enactment; many aspects of the Law still should be worked out in order to suffice the users and market's needs.
Mgr. Irakli Sokolovski
The author is internal Ph.D. student at Masaryk University in Brno, Law Faculty
In 2000, 30$ billion worth of transaction took place over the Internet. It is predicted that in 2003 this number will triple reaching about 1,6$ trillion.
The directive itself does not guarantee the high level of harmonization as for example convention. However in the framework of the directive the Member States should take due regards of its basic principles, such as maintaining technology neutrality, guarantying the security and trust in electronic signatures, respecting the autonomy of parties to opt the certain kind of electronic signature and etc.
Such an approach is called "two-tier approach" and it is widely criticized. It is argued that while market and technology are constantly and swiftly developing, it is unwise in the frame of legislations regarding the electronic signatures to focus only on the certain forms of electronic signatures, digital signatures. See, Spyrelli, C, "Electronic Signatures: A Transatlantic Bridge? An EU and US Legal Approach Towards Electronic Authentication", The Journal of Information, Law and Technology (JILT) 2002 (2) . Also see: An Analysis of International Electronic and Digital Signature Implementation Initiatives, Presentations and international discussion, September 10, 2000: http://www.ilpf.org/groups/reports_IEDSII.htm.
See Mlynař, V. a spol.: Důvodová zpráva k návrhu zákona o elektronickém podpisu. Zvláštní část k §3, in ASPI 14841
Czech Law on Electronic Signatures defines the security characteristics of electronic signatures in the definition of advanced digital signatures. Such a signature i) is uniquely linked to the signatory ii) enables authentication of signatory iii) is created using means that the signatory can maintain under his sole control iv) is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. See Czech Law on Electronic Signatures article 2 (b).
See Matejka, J.: Úprava electronického podpisu v pravním řadu ČR. Právník 6/2001, p. 563
Nondiscrimination of electronic signatures in proceedings is required by EU Directive. See EU Directive on a community framework for electronic signatures, article 5 (2)
It is obvious that the presumption of the reliability in case of advanced electronic signatures will be significantly higher rather then those of conventional electronic signatures, for example signatures signed in an e-mail message
Although the Law does not lay down any special article about the obligations of relying party, such obligation can be derived from some articles. For example, such obligation of relying party is implied in article 5 (2), where relying party is obliged to take reasonable steps to verify validity or revocation of the certificate.
When interpreting the notion "reasonable care" relevant practices if any and relevant circumstances need to be taken into account.
See Matejka, J.; Krádež elektronického podpisu, aneb s čím tvůrci zákona (ne)počítali?, in itpravo.cz, 2001
The EU directive on electronic signature is clearly aware of such threat since in lays down: "The storage and copying of signature-creation data could cause a threat to the legal validity of electronic signatures". See EU Directive on a community framework for electronic signatures, rubric 18
Besides the compensation of damages (civil law sanction), the certificate service provider can be liable according to criminal law. Also by virtue of Law on Electronic Signatures, the Office for Personal Data Protection is entitled to impose on the certificate service provider diverse penalties for noncompliance with the law. See Law on Electronic Signatures, article 18
According to the article 12§ of law on electronic signatures the qualified certificate should contain the name of the signatory and the commercial name of the certification service provider. Thus certificate itself can serve as strong evidence indicating the existence of the contract relations.
The contractual relations between service provider and the signatory are likely to be regulated in the frame of service contracts. See Czech Civil Code, article 631-656
See Czech Civil Code, article 634
See Matejka, J.: Úprava elektronického podpisu v právním řádu ČR. Právník 6/2001, p. 572
See The Law on Electronic Signatures, article 11