The UK eSignature Guide: Laws, Regulations, and Privacy

Unless you’re some kind of mobster, an important part of your job (even if you don’t spend a lot of time actively thinking about it) is staying on the right side of the law.

‍

And you’re not a mobster — you’re an enterprise product manager, which means following relevant laws is definitely an important part of your role. And if you ended up here, reading this article, you’re probably wondering how to stay on the right side of the law when it comes to using eSignatures for business and legal documents.

‍

In the U.K., eSignature regulations are extremely similar to those in the European Union (EU) and North America — courts have found that eSignatures are legal in most cases, but for certain documents and situations, you may need to provide more proof of the signer’s intent or even stick with a good old-fashioned written signature to keep things legal.

‍

And while the U.K. has historically been governed by the EU’s eIDAS regulation (more on that in a bit) there are naturally some important questions about how the U.K. will regulate eSignatures post-Brexit, without EU laws.

‍

So, for the very important job of making sure all the documents that cross your desk have their I’s dotted and their T’s crossed — legally — read on for everything you need to know about eSignature regulation in the U.K.

‍

A Timeline of eSignature Regulation in the UK

Back in 2000, the U.K. emerged as a world leader in regulating modern eSignature technology — unsurprising from a nation with such an impressive track record when it comes to economics.

‍

But eSignatures existed long before the internet, email, and tools like Dropbox Sign. In the 1800s, courts had to decide whether signatures sent via telegraph were valid. And then, in the 1980s, they had to answer similar questions about faxed signatures.

‍

When it comes to modern eSignatures, though, there are a few important laws to know about in the U.K. that shape how documents can be signed remotely and virtually.

‍

The Electronic Communications Act 2000

The Electronic Communications Act 2000 (ECA 2000 or often just “ECA”) was enacted in the U.K. in 2000, giving the government (among other things) oversight to make sure businesses were using eSignatures safely and securely. It also established the admissibility of eSignatures in the U.K.

‍

You might often hear the ECA discussed alongside the United States’ Electronic Signatures in Global and National Commerce Act (ESIGN) because both pieces of legislation were groundbreaking at the time and established their respective countries as world leaders in making eSignature technology safe, legitimate, and legal.

‍

But a lot has happened since 2000, especially when you consider 20 years’ worth of technological advancements. That’s where EU regulations come in.

‍

Regulation No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market

In 2014, the EU introduced Regulation No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS). eIDAS went into effect in 2016, offering new regulations that complemented what was already written in the ECA 2000.

‍

The biggest change that came with eIDAS was more specific regulation about different types of eSignatures, as well as when and where each type could legally be used.

‍

Types of eSignatures Under eIDAS

eIDAS introduced three different types of eSignatures and outlined some of the cases that called for different types.

‍

‍

Standard Electronic Signatures (SES)

Electronic signatures are the most straightforward type of eSignature under eIDAS. An SES can be as simple as a typewritten name, a scanned version of a handwritten signature, or even a tick box with “I agree” written beneath it.

‍

In the U.K., an SES shows what the law refers to as “intent to authenticate.” That means it’s acceptable for most legal documents; including HR documents, employment contracts, commercial agreements, sales documents, short-term leases, guarantees, and loan agreements.

‍

Advanced Electronic Signatures (AES)

Another type of eSignature is the Advanced Electronic Signature, or AES. An AES is created using a process that only the signatory can access. It’s also linked to other data and uniquely connected to the person making the signature, so it’s more secure than a SES. Sometimes an AES is required for a legal document for the extra layer of security it provides.

‍

Qualified Electronic Signatures (QES)

A Qualified Electronic Signature, or QES, is the final type of eSignature specified in eIDAS. A QES is equivalent to a handwritten signature.

‍

A QES must be created using a secure signature creation device that is issued by a qualified Trust Service Provider who has been approved by a member state of the EU. Once a certain TSP is approved by one country in the EU and added to the EU Trust List (as mandated by eIDAS) every other country in the EU must also recognize a QES sent using devices issued by that TSP.

‍

How Does Brexit Affect eIDAS in the UK?

Now that the U.K. has left the EU, you probably have questions about how eIDAS, an EU regulation, affects your U.K. business.

‍

So far, the way British lawmakers are handling EU laws is to keep them as U.K. law until they’re reviewed and the government can decide whether to keep, amend, or repeal them. So far, there’s been no talk about repealing any of eIDAS. For now, Britons can continue operating under eIDAS regulation as they have since the regulation went into effect in 2016.

‍

Security Checklist for eSignatures

Laws and regulations do more than legitimize eSignatures — they also help ensure that they’re safe and secure for businesses to use. But that doesn’t mean businesses should depend entirely upon the law. They should also do their own due diligence when it comes to implementing eSignatures into their workflow.

‍

With that in mind, when you choose an eSignature platform, you’ll want to assess it based on these security checkpoints:

‍

Encryption and Authentication

You’ll want to look for a platform that encrypts all your data, meaning it protects it as it’s passed between the sender and the receiver. A platform that uses Transport Layer Security (TLS) encryption is a good bet. Make sure documents are encrypted both during the signing process and when they’re being stored.

‍

It’s also important to take authentication seriously when using eSignatures, which means you need to authenticate all parties prior to signing, and then tie that authentication to the e-signed document. A common way to do this is through third-party verification via a PIN sent to a personal device. Any platform you choose should include this capability free of charge.

‍

Tamper-Proofing

With tamper-proofing on individual documents, documents are digitally “sealed” after the final signature request is fulfilled. This makes it easy to spot any changes made post-signing and uphold the validity of your documents or eSignatures should they ever come under legal scrutiny.

‍

Physical Security

We spend so much time worrying about digital security, it can be easy to overlook physical security — which is just as important. Digital services still require servers, and whatever eSignature platform you use should employ certified data centers with security staff, surveillance, fire abatement, and other important measurements to keep your data secure at all times.

‍

eSigning Capabilities Are Making Businesses Global, but Local Regulations Are Still Important

Businesses based in the U.K. are lucky to have comprehensive legislation that protects the validity of e-signed documents — not every country has that. But eSignatures and other technological advancements are making the business world more globalized than ever before, allowing businesses based all over the world to buy from, sell to, and work alongside partners across all kinds of international borders.

‍

That increase in globalization has helped the world GDP increase from around $50 trillion in 2000 to almost $85 trillion in 2018 — a 70 percent increase in less than 20 years. That presents some huge opportunities for businesses to grow, but it also presents new challenges — like the patchwork of legal regulation around eSignatures and other digital solutions around the world.

‍

The best thing businesses can do in the face of these kinds of challenges is equip themselves with tools that will help them stay in line with whatever laws apply to their dealings, in every market where they’re able to compete.

‍

To compete in the global arena, your business needs global solutions. Sign up for a free Dropbox Sign trial today and see for yourself how we make it easy for your business to navigate in international waters. And to keep learning about important eSignatures distinctions across the globe, just stay tuned to the Dropbox Sign blog.

‍

DISCLAIMER: The information in this blog is for general informational purposes only and is not intended to constitute legal advice. Since laws and regulations governing eSignatures may be frequently updated, Dropbox Sign does not guarantee all the information on its site is up-to-date or accurate. If you have legal questions about the content on this site, or about whether Dropbox Sign’s solutions fit your needs, please seek professional legal advice from a licensed attorney in your region.