Regulations on electronic trust services have recently been modified in our country. Law 6/2020, of 11 November, regulating certain issues in electronic trust services, has just been published in the BOE (Official State Bulletin) and is applicable to Qualified Trust Service Providers (QTSP), such as Camerfirma.
This Law arises within the European regulatory context and completes the specific European standard that deals with electronic identification and trust services for electronic transactions in the internal market; we are referring to Regulation (EU) No 910/2014, or the eIDAS Regulation, in force since 2016. Thus, Law 6/2020, which is applicable exclusively to our national territory, has emerged as an accessory to the aforementioned Regulation, complementing it in respect of certain issues that the latter has not standardised and that are pending development at the national level. These features include the QTSP liability regime, penalty system, the verification of identity and attributes of applicants for qualified certificates, the inclusion of national identifiers in certificates, the maximum period of validity, the withdrawal of certificates or knowing the effects of electronic documents and trust services in general.
Both the eIDAS Regulation and Law 6/2020 establish a specific legal regime for qualified trust services that does not apply to unqualified trust services. The supervision and security requirements required to be able to offer a qualified trust service serve to strengthen the legal security of electronic transactions between companies, individuals and Public Administrations.
What are the main changes introduced by Law 6/2020?
The new regulation introduces the following changes in the provision of Qualified Trust Services that affect the current Spanish market:
- First, it introduces modifications in the identity and attributes of the qualified certificate holder (art. 6):
Article 6 of the new law expressly states that in certificates whose owner is a natural person, the identity of the latter will be recorded in the certificate by “their full name and National Identity Document number, Foreigner Identification number or Tax Identification number or through a pseudonym that is unequivocally stated as such. The aforementioned numbers may be replaced by another identification code or number only in the event that the holder lacks all of the foregoing for lawful reasons, and provided that such code/number serves to identify them uniquely and permanently over time.”
This article, therefore, opens up the issuing of certificates to citizens and companies of other countries: the identity document field in certificates is opened up to other possible identification codes, apart from the DNI and NIE (or the NIF for entities), such as the card number of the country of origin, or passport, driving licence, Social Security number, date of birth, company VAT or registration number, etc. (provided that the holder does not have a DNI/NIE or NIF). It thus opens the door for QTSPs (Qualified Trust Service Providers) to provide their services to citizens or companies from other countries, and this may, in turn, end up obliging public administrations to enable their systems to comply with one of the objectives set by the eIDAS regulation regarding “mutual recognition” of electronic identification means in online services.
- Establishes changes in identity verification methods to issue qualified certificates (art. 7):
This article, based on article 24.1 d) of the eIDAS Regulation, establishes the bases at the national level to enable “other identification methods” such as videoconference or video identification. The related requirements will be developed through ministerial Orders, which will define the conditions and technical requirements for remote identity verification.
The draft Ministerial Order, which the Ministry of Economic Affairs and Digital Transformation has already prepared, will be published shortly, and includes two remote identification methods:
- Assisted video identification, in which the applicant interacts during the entire identification process with an operator, who validates the process at the end.
- Unassisted video identification, in which the user follows the automatic identification process and an operator subsequently verifies that everything is in order.
- Certificate chaining (art. 7.3 and 7.6)
As in the LFE (Law on Electronic Signatures), certificate chaining is permitted, namely, the issuing of a qualified certificate based on a “pre-existing relationship” in which the interested party has been identified as a physical person within the last 5 years.
- Recognition of the evidentiary value of Qualified Services (Second Add. Prov.)
The new law modifies article 326 of Law 1/2000 of Civil Procedure, to include two scenarios:
- If a NON-qualified Trust Service is used (art. 326.3): the burden of proof regarding the effectiveness, authenticity, integrity, etc. of the electronic document, falls on the party that wants to use said electronic document as evidence. This implies that, if the other party does not recognise said document as valid, the party interested in such validity being recognised must provide the corresponding evidence that proves the authenticity, the identity of the signatory, the date and time of the signature, its integrity… in accordance with the trusted service used.
- If a Qualified Trust Service is used (art. 326.4): it is presumed that the electronic document complies with the requirements of the trust service (identity of the signatory, integrity, date and time, authenticity of origin, certified notification, encrypted communications, etc.). If a party does not recognise said document as valid, it will be the latter who must provide proof thereof (that the signature is not theirs, that the date and time are not correct, that the document is not authentic or complete…) and assume any expenses incurred in the event that validity is verified.
- Eliminates the concept or figure of “trusted third party” (repealing provision)
This part of the new Law 6/2020 repeals article 25 of Law 34/2002, of 11 July, on information society services and electronic commerce, which “created” the figure of the “Trusted Third Party” in order to offer technical-legal guarantees for electronic contracts.
Now, this activity is integrated into the non-qualified trust services of the eIDAS Regulation, fundamentally in the services of certified electronic delivery and storage of electronic signatures and seals. But, above all, this enables Spanish users, citizens and companies to know and understand that only qualified services have a specific legal regime that, given the requirements thereof in terms of security and supervision, strengthens the legal security of their electronic transactions.