DRAFT
EXPLANATORY NOTES
Electronic means of communication are a serious
challenge for the security and protection of transactions and
relations conducted electronically. Technological novelties require
a new corresponding legal regulation on national, regional and
international level. Classical legal rules are based on the
requirement for a paper document and handwritten signature and
therefore do not provide guarantees for lawful and trustworthy
carrying out of electronic commerce and Electronic Data Interchange
(EDI).
In the last few years the efforts to set up an
international, European and national legal framework on the use of
electronic means of communication (both general rules and rules on
certain aspects such as electronic commerce, digital signatures,
electronic documents, etc.) have strengthened considerably. A number
of international instruments, such as the Model Law on Electronic
Commerce of the United Nations Commission on International Trade
Law and the Guidelines on cryptography of the OECD, have been adopted;
others are in the process of adoption. Nearly all developed
countries from Europe (mainly EU countries), America and Asia have
taken steps to draft and introduce legislation regulating
the use of electronic means of communication.
A number of attempts have been made in order to
define electronic commerce, but they can be summed up as an
understanding that e-commerce is a contract (form of buying/selling
contract) conducted electronically, including via Internet, as an
exchange of information through electronic networks on every stage
of delivery, regardless of whether they are made in the framework of
one organizational entity or between different merchants, between
merchants and consumers or between the private and public
sector.
The electronic signature is a key issue and tool for
ensuring security and confidence in electronic commerce, electronic
data interchange and in open networks as a whole. It allows the
recipient of the sent electronic data to find out from whom the
data originates, as well as to check whether the data has been
modified and its integrity altered. In contrast with the scanned
image of a handwritten signature belonging to a particular person,
the electronic signature is information in digital form, a
sequence of bits, that is used to identify the signatory and the
signatory's consent to the data. The electronic signature is based on
authentication technology and on systems for encryption and decryption.
Regardless of the concrete methods used for electronic
signatures, their regulation should be technologically neutral.
The system that is most widely used is an asymmetric
cryptosystem, which is based on a key pair: a public key and a private key.
The private key is used to generate and encrypt the electronic
signature with a certain algorithm. Only the person who creates the
electronically signed document has access to this key. The private
key has a corresponding public key, a publicly accessible
code with the help of which the addressee of an electronic statement
can read the statement and establish its authenticity and the
integrity of its content.
In order to fulfil its purpose, the electronic
signature should be legally recognized as being equally valid to
the handwritten signature.
The Draft Law on Electronic Document and Electronic
Signature has been made compatible with the main requirements laid
down in Directive 1999/93/EC of the European Parliament and the
Council of 13 December 1999 on a Community framework for electronic
signatures (in force since 20 January 2000) as well as with a
number of successfully implemented legislative acts in other
countries.
The law regulates the electronic document and the electronic
signature, as well as the conditions and procedure for providing
certification services.
The law envisages the application of electronic
signatures not only in the area of obligations and contracts, but
in other legal fields as well. The way written statements and
handwritten signatures are regulated in civil and administrative law
has been used as a basis for the regulation of the legal effect of
electronic statements and electronic signatures, taking into
consideration all the particularities of the electronic form. This
will allow all achievements of legal science and court practice in
the areas of proving, contesting and accepting written statements and
handwritten signatures to be used in the process of implementing
the law.
On its entry into force the law does not
envisage an obligation for anyone to use electronic documents and
electronic signatures. On the basis of the law, legal persons could
use this opportunity, meaning that without additional state
intervention, in practice the area of applicability of the law will
be limited only to obligations and contracts.
The Council of Ministers has the power to indicate
when and which subordinated administrative bodies will be obligated
to accept and issue electronic documents signed with an electronic
signature. As a result, the area of applicability of the law will
gradually extend (depending on the available technological
infrastructure in different administrative bodies) to the
field of administrative law as well.
In view of the requirement that court proceedings be
regulated by law, the widening of the scope of this law into the area
of legal proceedings should be made by amending the
following procedural laws: Code of Civil Procedure, Code of
Criminal Procedure, Administrative Procedure Act and Administrative
Offences and Penalties Act.
Other state institutions not subordinated to the
Council of Ministers (such as National Assembly, Constitutional
Court, Court of Auditors, Bulgarian National Bank, State
Telecommunications Commission, Commission for Consumer Protection,
etc.), municipalities and mayoralties will determine in their own
acts the moment when they are ready to accept and issue electronic
documents signed with electronic signatures, also adopting the
relevant internal rules for that. Naturally, the state has the
opportunity to oblige, with an act, any state institution to accept
and issue electronic documents signed with an electronic
signature.
The simple electronic signature is defined in
Directive 1999/93/EC of the European Parliament and the Council on
a Community framework for electronic signatures as "data in
electronic form which are attached to or logically associated with
other electronic data and which serve as a method of
authentication", and the secure or "advanced" electronic signature as
an electronic signature which meets the following requirements: (a)
it is uniquely linked to the signatory; (b) it is capable of
identifying the signatory; (c) it is created using means that the
signatory can maintain under his sole control; and (d) it is linked
to the data to which it relates in such a manner that any
subsequent change of the data is detectable.
The Law uses the definitions of "electronic
document", "electronic statement" and "electronic signature",
because they have been widely used in society alongside other
similar definitions, such as "electronic data interchange"
(electronic statements), "electronic mail", "electronic commerce",
etc. Electronic statement, document and signature are regulated as
"digital" according to Article 2, paragraph 1, Article 3, paragraph
1, Article 13, paragraph 1 and Article 15, paragraph 1. The term
"digital signature" has been widely used recently, but if it were to
be accepted, it would create a false impression of a difference from
"electronic statement" and "electronic document" (also regulated as
digital), while words like "digital statement" and "digital document"
do not sound correct and are used neither in the Directive nor
in the newly adopted foreign legislation. It would be more precise to
accept the terms "statement in a digital form" and "document in a
digital form", but they are more cumbersome to use.
Legal issues are regulated in institutes and main
definitions are given accordingly. The terms that are used in their
ordinary sense are not explicitly defined in the Law. In the
supplementary provisions of §1 only new terms related to the
technology for creation and use of the advanced electronic
signature, such as "asymmetric cryptosystem", "cryptographic key",
"public key" and "private key" have been defined.
The area of applicability of the law has been
regulated in the first chapter and some cases that are
outside the scope of the law are listed.
The second chapter proclaims the principle
that written form is considered to be respected if an electronic
document has been created. This chapter defines the electronic
statement as "a verbal statement, represented in a digital form
through common standard for transformation, reading and visual
representation of information" and the electronic document as an
"electronic statement, recorded on magnetic, optical or other
carrier that allows it to be reproduced". The term
"electronic signature" is defined in a technologically neutral
manner as "any information, related to the electronic statement in
a way, concerted between the signatory and the addressee, secure
enough in view of the turnover needs, that: (a) reveals the
identity of the signatory; (b) reveals the consent of the signatory
with the electronic statement; (c) and protects the content of the
electronic statement from subsequent changes". The difference
between the electronic signature and the advanced electronic signature
has been outlined as a way of attaching information, included in
the electronic signature, as secure enough in view of the turnover
needs and concerted between the author and the addressee.
Chapter three gives a definition of the
advanced electronic signature as "a transformed electronic
statement, included, added or logically related to the same
electronic statement before the transformation". The principles
for the transformation, based on the use of a
private key in an asymmetric cryptosystem, are also defined. Requirements
for the algorithms are envisaged to be defined in a Regulation of the
Council of Ministers.
The secrecy of the private key guarantees the
security of the electronic signature.
The status of the certification service providers
has also been regulated. The certification service provider is a
person that issues electronic signature certificates and maintains
an electronic public registry for them, enables the owners of the
electronic signature to create public and private keys, and gives
every third person access to the registered certificates. The
requirements for the activities of the certification service
providers, and their obligations and responsibility towards
the owner and the signatory of the electronic signature, aim to
provide the highest possible guarantees for the trustworthiness and
security of the use of electronic signatures. At the same time, the
responsibility of the owner and the signatory of the electronic
signature has also been envisaged. Relations between the
certification service provider and the owner of the electronic
signature should be based on a written contract.
The draft law lists the different parts of a
certificate as an electronic document, issued and signed by the
certification service provider, and regulates the procedures for
issuance, renewal and suspension of a certificate's validity.
General conditions on public registries for the issued certificates
have been formulated and it is envisaged that their structure and
activities should be regulated with a Regulation of the Council of
Ministers.
Regulation and control of the activities for
providing certification services are given to the State
Telecommunications Commission (STC).
Chapter four regulates the "universal electronic
signature", which is the only one to be applied in the public sphere.
The requirements for maximum security require the introduction of
a registration regime for providers offering certification
services in relation to the signature; this requirement corresponds
to Article 3, paragraph 7 of the Directive of the European
Parliament and Council on a Community framework for electronic
signatures. At the same time, the Council of Ministers can determine
the state bodies that can use other electronic signatures among
themselves.
The STC as an institution, regulating and
controlling the activities of the certification service providers
should register those of them that would be able to provide
services related to the advanced electronic signatures, applicable
to the public sphere. The regime that has been envisaged is a
regime for registration and not for licensing. The procedure for
registration shall be specified with a Regulation of the Council of
Ministers. The powers of the registry institution, as well as the
procedure for registration of certification service providers and
for the termination of registration are envisaged.
The registered certification service provider could
certify the date and the hour of the presentation of the electronic
document, signed with an electronic signature.
Chapter five contains general rules on
application of electronic document and electronic signature by the
state and municipalities, that would be gradually achieved with the
creation of necessary conditions and infrastructure and with the
enactment of necessary laws for that.
Chapter six envisages protection of personal
data, collected by the certification service providers for the
purpose of performing their special activities and keeping up
registries and personal data, known to the STC, to be regulated by
the law. According to the law, the collection of personal data for
the signatory and the owner and the use of the data is permitted
only to the extent it is necessary for the issuance and use of
certificates. Exceptions from the rule are only possible if it is
permitted by the law or with a special permission of the person, to
whom the data is related.
Chapter seven sets out the conditions that
have to be fulfilled in order to accept certificates issued by
certification service providers established in other countries as
being equal to the ones issued by Bulgarian certification service
providers. It is envisaged that control over the specified
conditions has to be exercised by the STC, which has to maintain a public
electronic register containing the necessary data. This would not
be applicable in cases where the certificate or the certification
service provider that has issued the certificate is recognized on
the basis of an international contract that is in force.
The law contains administrative penal
provisions providing for the establishment of offences,
issuance, appeal and execution of penal enactment to be made
pursuant to the legal rules of the Administrative Offences and
Penalties Act.