Physical to Digital: Be Careful What You Hope For
The move to assert digital identities in instances when previously a person (or persons) would need to be present has undoubtedly brought convenience and speed to executing many legal, travel and governmental transactions. ID & Secure Document News™ has previously reported on the benefits that eSignatures can bring in executing contracts – particularly in a world living with COVID (see IDN June 2021). But, as this salutary tale adapted from Cryptomathic¹ teaches us, convenience sometimes comes at a high price.
On 21 September, the Swiss-based train manufacturer, Stadler, announced that it lost a €3 billion contract with the Austrian Federal Railways ÖBB due to a legally impermissible electronic signature on the purchase agreement.
What went wrong?
From a technical point of view the eSignature was not flawed. It was the surrounding legal framework that failed.
The contract was governed by Austrian law and needed to be signed with a Qualified Electronic Signature (QES). The Austrian Signature Law is directly derived from EU law, the Electronic Identification and Trust Services (eIDAS) regulation, which warrants that a QES has the equivalent legal effect of a handwritten signature.
Stadler used a QES to sign the contract, which in principle is fine. The problem lies with the Trust Service Provider (TSP) used to deliver the signature service.
Stadler used a Swiss TSP, which means the QES is considered qualified under Swiss Signature Law (ZertES). From a technical point of view, a QES under ZertES and a QES under eIDAS are almost identical. They follow the exact same technical standards together with a very similar certification framework. The main difference lies in the liability of the services rendered. EU and EEA (EU plus Iceland, Norway, and Liechtenstein) member states follow the eIDAS framework, which offers cross-border interoperability between all EU and EEA member states. In other words, what is qualified in Germany will have the exact same legal effect as what is qualified in Austria.
This interoperability is, however, strictly limited to the EU and EEA member states. The eIDAS and ZertES regulations allow for the possibility to establish a recognition agreement with third-party countries, but, in this case, none had been negotiated or entered into. Inevitably then, the Austrian Federal Administrative Court declared that Switzerland is not part of the EU and that the jurisdictions are not aligned.
To avoid this procedural flaw, Stadler could have signed using a Qualified Electronic Signature, delivered by a trust service provider legally domiciled and supervised in an EU or EEA country and duly registered in the EU trusted lists. Any other service provided from third party countries such as Switzerland or the UK would not be fit for purpose.
Most providers including Docusign and Adobe offer, by default, qualified seals or simple electronic signatures. The electronic signatures are admissible in court but do not provide legal certainty; they would not have satisfied the requirements for the Austrian contract.
What does this teach us?
This case demonstrates the critical importance of selecting the right eSignature partner and solution provider to ensure that the transaction cannot be repudiated due to a procedural flaw. Even high assurance that the contract is signed is not enough for sensitive operations or high value transactions. Legal certainty is required.
Countries in the EU are in the fortunate position to have a legal framework where certain types of accredited trust services are granted the same legal effect as handwritten signatures. This principle of equivalence means that a document, which is ‘duly’ signed electronically, will be regarded as legally equivalent to the paper-based version with a handwritten signature.
This principle of equivalence is however not present in all jurisdictions. The US eSign Act, for instance, grants legal recognition and court admissibility for electronic signatures and records, but it does not provide full legal certainty.
Returning to the Stadler issue, it seems now that the company is set to appeal against the Austrian Federal Administrative Court’s decision to nullify the contract. According to Stadler, the signature used to execute the contract fulfils the Austrian procurement law requirement of a qualified electronic signature.
The company highlighted that this signature has been used hundreds of times when participating in tenders in the EU and multiple offers signed this way were won in the past – including an order from ÖBB for the delivery of rescue trains in January 2021. According to the Austrian Public Procurement Act, errors such as those relating to signatures can be corrected retrospectively, and Stadler is disappointed that ÖBB has restarted the tender rather than correcting the error.
Whatever the outcome of the appeal, I’m sure that the lawyers at Stadler will be looking long and hard at their use of eSignatures as they don’t always give you the convenience and certainty you might hope for!
1 - https://www.cryptomathic.com/news-events/blog/all-trains-cancelled-how-an-e-signature-failure-derailed-a-3bn-swiss-austrian-transport-deal