ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE ACT
 

DRAFT

EXPLANATORY NOTES

Electronic means of communication are a serious challenge for the security and protection of transactions and relations conducted electronically. Technological novelties require new corresponding legal regulation at the national, regional and international level. Classical legal rules are based on the requirement for a paper document and a handwritten signature and therefore do not provide guarantees for the lawful and trustworthy conduct of electronic commerce and Electronic Data Interchange (EDI).

In the last few years the efforts to set up an international, European and national legal framework on the use of electronic means of communication (both general rules and rules on certain aspects such as electronic commerce, digital signatures, electronic documents, etc.) have strengthened considerably. A number of international instruments, such as the Model Law on Electronic Commerce of the United Nations Commission on International Trade Law and the OECD Guidelines on cryptography, have been adopted; others are in the process of adoption. Nearly all developed countries in Europe (mainly EU countries), America and Asia have taken steps to draft and introduce legislation regulating the use of electronic means of communication.

A number of attempts have been made to define electronic commerce, but they can be summed up in the understanding that e-commerce is a contract (a form of buying/selling contract) conducted electronically, including via the Internet, as an exchange of information through electronic networks at every stage of delivery, regardless of whether it takes place within one organizational entity or between different merchants, between merchants and consumers, or between the private and public sector.

The electronic signature is a key issue and tool for ensuring security and confidence in electronic commerce, electronic data interchange and open networks as a whole. It allows the recipient of electronic data to find out from whom the data originates, as well as to check whether the data has been modified and its integrity altered. In contrast with the scanned image of a handwritten signature belonging to a particular person, the electronic signature is information in digital form, a sequence of bits, used to identify the signatory and the signatory's consent to the data. The electronic signature is based on authentication technology and on systems for encryption and decryption. Regardless of the concrete methods for using electronic signatures, their regulation should be technologically neutral.

The most widely used system is an asymmetric cryptosystem, which is based on a key pair: a public key and a private key. The private key is used to generate and encrypt the electronic signature with a certain algorithm. Only the person who creates the electronically signed document has access to this key. The private key has a corresponding public key, a publicly accessible code with the help of which the addressee of an electronic statement can read the statement and establish its authenticity and the integrity of its content.
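The signing and checking described above, as an added example that is not part of the draft law or its explanatory notes: textbook RSA over a SHA-256 digest in pure Python, showing that the addressee's check fails when the statement is altered or when a different public key is used. The small fixed primes, the sample statement and all function names are constructed for illustration; real deployments use vetted libraries, large random keys and a padding scheme.

```python
import hashlib

E = 65537  # public exponent (assumption: a common choice, not taken from the page)

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, known only to the signatory
    return (n, E), (n, d)

def digest(statement, n):
    # Toy step: SHA-256 reduced into the modulus. Real schemes pad (e.g. RSA-PSS).
    return int.from_bytes(hashlib.sha256(statement).digest(), "big") % n

def sign(statement, private):
    """Signatory: transform the statement's digest with the private key."""
    n, d = private
    return pow(digest(statement, n), d, n)

def verify(statement, signature, public):
    """Addressee: undo the transformation with the public key and compare."""
    n, e = public
    return pow(signature, e, n) == digest(statement, n)

# Constructed keys built from known Mersenne primes so the example runs offline.
SIGNER_PUB, SIGNER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
OTHER_PUB, _ = make_keypair(2**107 - 1, 2**61 - 1)

STATEMENT = b"I agree to deliver 100 units on 1 March."  # constructed sample
SIGNATURE = sign(STATEMENT, SIGNER_PRIV)

def demo():
    altered = STATEMENT.replace(b"100", b"900")
    return {
        "original": verify(STATEMENT, SIGNATURE, SIGNER_PUB),    # authentic, intact
        "altered": verify(altered, SIGNATURE, SIGNER_PUB),       # change is detected
        "wrong_key": verify(STATEMENT, SIGNATURE, OTHER_PUB),    # not this signatory
    }

if __name__ == "__main__":
    print(demo())
```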

In order to fulfil its purpose, the electronic signature should be legally recognized as being equally valid to the handwritten signature.

The Draft Law on Electronic Document and Electronic Signature has been made compatible with the main requirements laid down in Directive 1999/93/EC of the European Parliament and the Council of 13 December 1999 on a Community framework for electronic signatures (in force since 20 January 2000) as well as with a number of successfully implemented legislative acts in other countries.

The law regulates the electronic document and the electronic signature, as well as the conditions and procedure for providing certification services.

The law envisages the application of electronic signatures not only in the area of obligations and contracts, but in other legal fields as well. The way the written statement and the handwritten signature are regulated in civil and administrative law has been used as a basis for regulating the legal effect of the electronic statement and electronic signatures, taking into consideration all the particularities of the electronic form. This will allow all the achievements of legal science and court practice in the areas of proving, contesting and accepting written statements and handwritten signatures to be used when the law is implemented.

On its entry into force the law does not impose an obligation on anyone to use electronic documents and electronic signatures. On the basis of the law, legal persons could use this opportunity, meaning that without additional state intervention, in practice the area of applicability of the law will be limited only to obligations and contracts.

The Council of Ministers has the power to indicate when and which subordinate administrative bodies will be obliged to accept and issue electronic documents signed with an electronic signature. As a result, the area of applicability of the law will gradually extend (depending on the available technological infrastructure in the different administrative bodies) to the field of administrative law as well.

In view of the requirement that court proceedings be regulated by law, widening the scope of this law to the area of legal proceedings should be done by amending the following procedural laws: Code of Civil Procedure, Code of Criminal Procedure, Administrative Procedure Act and Administrative Offences and Penalties Act.

Other state institutions not subordinate to the Council of Ministers (such as the National Assembly, Constitutional Court, Court of Auditors, Bulgarian National Bank, State Telecommunications Commission, Commission for Consumer Protection, etc.), municipalities and mayoralties will determine in their own acts the moment when they are ready to accept and issue electronic documents signed with electronic signatures, also adopting the relevant internal rules for that. Naturally, the state has the opportunity to oblige, by an act, any state institution to accept and issue electronic documents signed with an electronic signature.

The simple electronic signature is defined in Directive 1999/93/EC of the European Parliament and the Council on a Community framework for electronic signatures as "data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication", and the secure or "advanced" electronic signature as an electronic signature which meets the following requirements: (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using means that the signatory can maintain under his sole control; and (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

The Law uses the definitions of "electronic document", "electronic statement" and "electronic signature", because they have been widely used in society alongside other similar definitions, such as "electronic data interchange" (electronic statements), "electronic mail", "electronic commerce", etc. Electronic statement, document and signature are regulated as "digital" according to Article 2, paragraph 1, Article 3, paragraph 1, Article 13, paragraph 1 and Article 15, paragraph 1. The term "digital signature" has been widely used recently, but if it were accepted, it would create a false idea of a difference from "electronic statement" and "electronic document" (also regulated as digital), while words like "digital statement" and "digital document" do not sound correct and are used neither in the Directive nor in the newly adopted foreign legislation. It would be more precise to accept the terms "statement in a digital form" and "document in a digital form", but they are more cumbersome to use.

Legal issues are regulated in institutes and main definitions are given accordingly. The terms that are used in their ordinary sense are not explicitly defined in the Law. In the supplementary provisions of §1 only new terms related to the technology for creation and use of the advanced electronic signature, such as "asymmetric cryptosystem", "cryptographic key", "public key" and "private key" have been defined.

The area of applicability of the law has been regulated in the first chapter and some cases that are outside the scope of the law are listed.

The second chapter proclaims the principle that written form is considered to be respected if an electronic document has been created. This chapter defines the terms electronic statement, as "a verbal statement, represented in a digital form through common standard for transformation, reading and visual representation of information", and electronic document, as an "electronic statement, recorded on magnetic, optical or other carrier that allows it to be reproduced". The term "electronic signature" is defined in a technologically neutral manner as "any information, related to the electronic statement in a way, concerted between the signatory and the addressee, secure enough in view of the turnover needs, that: (a) reveals the identity of the signatory; (b) reveals the consent of the signatory with the electronic statement; (c) and protects the content of the electronic statement from subsequent changes". The difference between the electronic signature and the advanced electronic signature has been outlined as a way of attaching the information included in the electronic signature that is secure enough in view of the turnover needs and concerted between the author and the addressee.

Chapter three gives a definition of the advanced electronic signature as "a transformed electronic statement, included, added or logically related to the same electronic statement before the transformation". It also defines the principles for the transformation, based on the use of a private key in an asymmetric cryptosystem. Requirements for the algorithms are to be defined in a Regulation of the Council of Ministers.

The secrecy of the private key guarantees the security of the electronic signature.

The status of the certification service providers has also been regulated. The certification service provider is a person that issues electronic signature certificates and maintains an electronic public registry for them, allows the owners of the electronic signature to create public and private keys, and gives every third person access to the registered certificates. The requirements for the activities of the certification service providers, and their obligations and responsibility towards the owner and the signatory of the electronic signature, aim to provide the highest possible guarantees for the trustworthiness and security of the use of electronic signatures. At the same time, the responsibility of the owner and the signatory of the electronic signature has also been envisaged. Relations between the certification service provider and the owner of the electronic signature should be based on a written contract.

The draft law lists the different parts of a certificate as an electronic document, issued and signed by the certification service provider, and regulates the procedures for issuance, renewal and suspension of a certificate's validity. General conditions on public registries for the issued certificates have been formulated, and it is envisaged that their structure and activities should be regulated with a Regulation of the Council of Ministers.

Regulation and control of the activities for providing certification services are given to the State Telecommunications Commission (STC).

Chapter four regulates the "universal electronic signature", which is the only one to be applied in the public sphere. The requirements for maximum security require the introduction of a registration regime for providers offering certification services in relation to this signature; this requirement corresponds to Article 3, paragraph 7 of the Directive of the European Parliament and Council on a Community framework for electronic signatures. At the same time, the Council of Ministers can determine the state bodies that can use other electronic signatures among themselves.

The STC as an institution, regulating and controlling the activities of the certification service providers should register those of them that would be able to provide services related to the advanced electronic signatures, applicable to the public sphere. The regime that has been envisaged is a regime for registration and not for licensing. The procedure for registration shall be specified with a Regulation of the Council of Ministers. The powers of the registry institution, as well as the procedure for registration of certification service providers and for the termination of registration are envisaged.

The registered certification service provider could certify the date and the hour of the presentation of the electronic document, signed with an electronic signature.

Chapter five contains general rules on application of electronic document and electronic signature by the state and municipalities, that would be gradually achieved with the creation of necessary conditions and infrastructure and with the enactment of necessary laws for that.

Chapter six envisages protection of personal data, collected by the certification service providers for the purpose of performing their special activities and keeping up registries and personal data, known to the STC, to be regulated by the law. According to the law, the collection of personal data for the signatory and the owner and the use of the data is permitted only to the extent it is necessary for the issuance and use of certificates. Exceptions from the rule are only possible if it is permitted by the law or with a special permission of the person, to whom the data is related.

Chapter seven sets out the conditions that have to be fulfilled in order for certificates issued by certification service providers established in other countries to be accepted as equal to the ones issued by Bulgarian certification service providers. It is envisaged that control over the specified conditions is to be exercised by the STC, which has to maintain a public electronic register containing the necessary data. This would not be applicable in cases where the certificate or the certification service provider that has issued the certificate is recognized on the basis of an international contract that is in force.

The law contains administrative penal provisions providing for the establishment of offences, issuance, appeal and execution of penal enactment to be made pursuant to the legal rules of the Administrative Offences and Penalties Act.

 