From GDPR to eiDAS: Navigating eSignatures in International Waters

There’s not a single product manager who doesn’t remember the great GDPR (General Data Protection Regulation) situation of spring 2018.

‍

Consumers weren’t left out of the discussion either, enduring waves of emails from all types of businesses explaining their compliance with the new regulation. In short, the effects were widespread.

‍

Those who work with SasS, however, require a much deeper understanding of the reasoning behind this type of regulation and what they need to do to be compliant.

‍

Although it didn’t get quite as much press, the Regulation No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS) is equally important for software companies to understand, especially if you’re working with folks in the EU. eIDAS has been in effect since 2016.

‍

While the two regulations govern different aspects of digital transactions (we’ll get to each in the following paragraphs), product managers need to keep a keen eye on each to make their software compliant, their customers happy, and their product roadmaps moving in the right direction.

‍

At DropboxSign, this is a situation we monitor extremely closely, as Standard Electronic Signatures are a huge part of doing business online.

‍

In this post, we’ll tell you what you need to know about using Standard Electronic Signatures in an eIDAS and GDPR world. We’ll explain the differences between the two regulations, cover the basics of each, and provide some insight into how they might affect your work with eSignatures.

‍

Let’s dive into it.

‍

The European Legal Framework for Identity and Data

Politics aside, the EU is setting forth benchmarks for how companies are able to use the personal data of their customers, as well as how the member states of the EU will recognize electronic identification from users.

‍

Put another way, one might say these two regulations are designed to protect user privacy while also making it more convenient to express your digital identity.

‍

Product managers of SaaS companies can either view this as a win for consumers or an inconvenience for their product requirements. But the truth is, it doesn’t really matter how they view it. Each regulation has strict criteria for compliance, and you really don’t want to be on the wrong side of that. There are penalties associated with non-compliance with both eIDAS and GDPR, which you’ve likely heard about.

‍

Each of these regulations affects how the online signature process works, so if you have eSignatures in your products (or are planning to) it’s important to have a thorough understanding of each regulation.

‍

With that said, let’s take a closer look at both eIDAS and GDPR in the context of eSignatures.

‍

How eIDAS Makes eSignatures Legal in the European Union

eIDAS was designed to implement a legal space for secure electronic business processes for the European Union (EU).

‍

In essence, the regulation simplifies and standardizes digital identification and eSignatures in order to facilitate a “digital single market.” It was designed to make it easier and more secure to conduct digital transactions in Europe. The EU now has a uniform legal framework that allows companies to accept electronic identities and signatures.

‍

There are a few more things you need to know about eIDAS.

‍

First is that eIDAS has two key areas of focus: Electronic identification (eID) and electronic trust services (eTS).

‍

Electronic identification allows people and businesses to use their own national electronic identification schemes to access public services.

‍

Electronic trust services deal with eSignatures, electronic seals, time stamps, electronic delivery service, and website authentication. eIDAS ensures that all these will work across country borders and maintain the same legal status as older paper processes.

‍

In this way, individuals and businesses can confidently use and accept eSignatures knowing that there is a legal formality in place to deal with any discrepancies that may arise in the case of error, fraud, etc.

‍

The second thing you’ll want to know about eIDAS is that it recognizes three distinct eSignature types:

1. Standard Electronic Signatures (SES): Standard Electronic Signatures, often referred to as an eSignature, is a person's electronic expression of his or her agreement to the terms of a particular document.
2. Advanced Electronic Signatures (AES): These types of signatures must be uniquely linked to the signer, who creates their signature using data that is 100% under their control.
3. Qualified Electronic Signatures (QES): This is the most strict form of eSignature. QES signers must use certificate-based digital identification issued by an EU qualified Trust Service Provider, as well as a signature creation device like a USB token, smart card, or mobile application with a single-use passcode

Which type of eSignature you need depends on your need for authentication and assurance — the requirement defined by state laws — as well as other factors, like if you need to make changes to the document.

‍

The third thing you need to know about eIDAS is that in order to comply, you’ll need testing by dedicated conformity assessment bodies in order to be included in the list of trust service providers. The List of eIDAS Trusted Lists (LOTL) provides an overview for the EU of all audited and approved national providers.

‍

So what does all this mean?

‍

In part, eSignatures may be admissible as evidence in EU courts and are unlikely to be denied legal effect solely because they take electronic form. This increases the validity, confidence, and comfort for businesses looking to use eSignatures, which can help your company get to revenue faster.

‍

Let’s move onto another important EU regulation when it comes to eSignatures — GDPR.

GDPR Consent and eSignatures

You’ve likely seen plenty of pop-ups from your favorite websites asking you if it’s OK to use your cookies, but GDPR actually reaches beyond that in authority. Here’s how GDPR specifically affects Standard Electronic Signatures.

‍

What Is GDPR Consent?

One of the first things GDPR did was to define consent, which is as follows:

‍

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

‍

What this does is move away from “implied consent” to “express consent.” Implied consent is a legal term that means consent is implied or assumed given a person's actions or behavior, even if that person never actually gave consent. Express consent means the user has been provided a request to use his or her data in easily understandable terms and has agreed to them.

‍

Again, you’ve likely seen plenty of this in the form of email and website cookie banners. But what does GDPR mean for eSignatures?

‍

eSignatures are actually a great match for GDPR consent requirements. Using Standard Electronic Signatures is a great way to comply with the active opt-in requirement of GDPR while issuing exact details of the consent. Additionally, eSignatures offer tracking via an electronic audit trail of the entire process.

‍

Note: Dropbox Sign offers electronic signatures to collect signers’ consent, but we are not a consent management tool for web visitors’ consent of sharing cookies. We have implemented extensive compliance measures for GDPR including internal compliance training for our team, Privacy Impact Assessments, and more. You can read more about our GDPR compliance here.

‍

The use of eSignatures lives up to all the principles of GDPR:

• Clarity
• Visibility
• Accountability
• Active Opt-In

And arguably one of the most convenient aspects of eSignatures in regard to compliance is that this methodology can be used to set up the contracts between a data controller and data processors. This means you can use a third-party Standard Electronic Signatures provider (like Dropbox Sign!) and be fully compliant with GDPR without having to jump through a bunch of hoops or create your own technology infrastructure.

‍

At this point, you should have a solid overview of working with eIDAS and GDPR in the context of eSignatures. But how can you put it into practice?

Evaluating eSignature Solutions With eIDAS and GDPR Compliance

Here are a few things to consider as you navigate how to handle eSignatures within the EU.

‍

Right of Access

One of the important provisions of GDPR is that the consumer has a right to access their data from the business to which they provided it.

‍

Sécurité

When you partner with a provider that specializes in eSignature software, it’s critical that the solution has four things: Security, audit trails, data protection, and authentication.

‍

This level of security measures keeps eSignature transactions secure even at the two most vulnerable touchpoints for any digital transmission — the passage from the sender to the receiver and the physical server where the data is eventually stored.

‍

Localization

One of the key components of finding the proper eSignature vendor to work in Europe is to ensure that they capture, process, and store the data within the EU.

‍

One of the key components of finding the proper eSignature vendor to work in Europe is to ensure that they store your documents in your region.

‍

Get Started With International eSignatures Today

Have some electronic documents that need to be signed fast, quick, and in a hurry? Then you’re in the perfect place.

‍

At Dropbox Sign, we closely follow GDPR, eIDAS, and other eSignature guidelines to help you stay informed on important business matters.

‍

Sign up for a free Dropbox Sign trial today and see for yourself how we can help you navigate business in international waters.

‍

DISCLAIMER: The information in this blog is for general informational purposes only and is not intended to constitute legal advice. Since laws and regulations governing eSignatures may be frequently updated, Dropbox Sign does not guarantee all the information on its site is up-to-date or accurate. If you have legal questions about the content on this site, or about whether Dropbox Sign’s solutions fit your needs, please seek professional legal advice from a licensed attorney in your region.