1. Introduction
In the current era of unparalleled technological advancement and the growing use of Information and Communication Technology in all spheres of communication, most commercial transactions are conducted within the framework of the e-commerce system. Electronic and digital signatures have been recognized by the e-commerce laws of several countries, replacing handwritten signatures and traditional means of authentication.
In Ethiopia, there has been limited recognition of e-signatures under Art 25(8) of the Ethiopian Commodity Exchange Proclamation No 550/2007 and Art. 23 of the National Payment System Proclamation No. 718/2011.
However, in February 2018, the Ethiopian Parliament adopted the Electronic Signature Proclamation No. 1072/2018 (the “Proclamation”), a general law applicable to all transactions. The Information Network Security Agency (INSA), the institution with the mandate to implement the Proclamation, is yet to pass the required regulation and directives. Moreover, for effective implementation the Proclamation will need complementary legal and policy frameworks such as a National E-Commerce Law and a National Electronic Commerce Policy. While these laws and systems are not yet in place, this issue of our legal update will discuss the salient features of the E-Signature Proclamation.
2. Definition and Scope of Application
The Proclamation defines Electronic signature as “information in electronic form, affixed to or logically associated with, an electronic message, which may be used to identify the signatory in relation to the electronic message and to indicate the signatory’s approval of the information contained in the electronic message” [the definition is directly taken from UNCITRAL Model Law on Electronic Signatures (2001)]. Hence, electronic signature is any electronic process that indicates acceptance of an agreement or record.
As regards subject matter, the Proclamation is applicable to any electronic message exchange. An electronic message is information generated, sent, received or stored by electronic means (Art 2(5)). The parties are free to agree to use or not to use electronic signatures. If the law or the circumstances require the use of an electronic signature, the Proclamation prescribes that the situation of disabled persons needs to be considered (Art. 4).
The Proclamation defines the powers and duties of the authority responsible for e-signatures and also governs the relationship between the parties involved in e-communication. These entities are the Root Certificate Authority, Certificate Providers, subscribers, signatories and relying parties. The Root Certificate Authority (“RCA”) is a body legally authorized to perform the powers and duties related to regulatory and supervisory services. It serves as the supreme administrative agency in so far as the application of the Proclamation is concerned. A Certificate Provider is a legal person duly authorized or recognized to issue certificates and provide related services under the Proclamation (Art. 2(3)). A Subscriber is a person who is the subject named in a certificate, accepts the authenticity of the content of the certificate and owns a private key which corresponds to a public key listed in that certificate (Art 2(18)). In other words, the Subscriber is the user of the electronic signature service. Further, a Signatory is a person who holds a private key and signs either on his own behalf or on behalf of the person he represents (Art 2(17)). Lastly, a Relying Party is a person who acts relying on the information contained in a certificate or on the authenticity of a digital signature (Art. 2(13)).
3. The Legal Recognition of Electronic Signature and Electronic Messages
The Proclamation opens up a new era for commercial transactions by treating electronic signatures and electronic messages equally with handwritten signatures and documents. It also repealed several laws, regulations and practices that mandatorily require handwritten signatures and documents.
The Proclamation explicitly recognizes the legal effect, validity and admissibility of electronic messages and electronic signatures by affirming that the mere fact of its being electronic signature or electronic message shall not deprive it of such effects. Where the law requires the information to be made in writing, it is deemed to have been made in the same form if it is made in electronic form and accessible for subsequent reference. In effect, the Proclamation repeals provisions in other laws of the country that require the handwritten forms of writing and signature of contracting parties. Such is the fate of the provisions of the Ethiopian Civil Code of 1960 on contracts and wills; and the provisions of the Commercial Code that require writing and signature.
It is important to note the legal presumption in the Proclamation that an electronic signature is deemed to be that of the Subscriber; that it was affixed by that person with the intention of approving the electronic message; and that the electronic message and the signature have not been altered since the specific point in time at which the electronic signature was affixed.
The same legal presumption and recognition apply to digital signatures so long as they are supported by a valid certificate.
4. The power and duties of the Root Certificate Authority
The Proclamation declares that the RCA serves as the supreme body empowered to administer it. INSA serves as the RCA. Among other things, the RCA has the power to issue licenses to Certificate Providers, to renew, terminate or revoke them and to monitor the Certificate Providers' activities and operations; to ensure the trustworthiness and the overall security of the crypto system; and to issue working procedures and standards that Certificate Providers shall follow. The RCA also has the power to issue directives and to audit the overall operation and safety measures of Certificate Providers.
5. Certificate Providers and Certifications Service
Certificate Providers are only legal persons duly authorized or recognized by the RCA to issue certificates and provide related services. Individuals are not allowed to provide a certification service. In fact, the Proclamation makes it a ground for denial of a license if the Certificate Provider happens to be a natural person.
It is prohibited to provide a certification service without having a valid license from the RCA. The license, once issued, lasts only for five years. Unless renewed, the license will expire after that period. A foreign Certificate Provider may be recognized by the RCA as long as it satisfies the recommended reliance limit. The recommended reliance limit is the monetary amount recommended for reliance on a certificate. The recommended reliance limit is the maximum threshold for a given certificate. The Proclamation has not provided the amount of the reliance limit; it has instead mandated the Certificate Provider to fix the amount for the certificates it issues. The Certificate Provider has the power to issue digital certificates, provide encryption services and provide time stamp services. Among others, the Certificate Provider has the obligations to manage a key pair (a private key and its corresponding public key in an asymmetric cryptosystem, a system capable of providing reliable digital signature and encryption services), to use a trustworthy system and to have reliable financial capacity. The level of financial capacity required to be a Certificate Provider is not provided under the Proclamation and is left to the regulation and directives to be issued in accordance with the Proclamation.
The Certificate Provider shall warrant to the subscriber and relying parties the authenticity and verification of the contents of the certificate by the Certificate Provider. It is also required to specify the recommended reliance limit in the certificate issued, which may vary for different certificates (Art (42)).
Certificate Providers have liabilities emanating from the contract signed with the subscriber and from the Proclamation. They are liable for the damage sustained by subscribers, relying parties or any other person, subject to the recommended reliance limit.
6. Certification Services
Certification service is the other area regulated by the Proclamation. It is the process by which the Certificate Provider provides a digital certificate to any person. When a person satisfies the requirements provided under the Proclamation, regulation, directive and the terms and conditions of the Certificate Provider, it can apply for a certificate. After charging the appropriate service fees and verifying the fulfillment of the conditions, the Certificate Provider furnishes the digital certificate, at which point the applicant formally becomes a subscriber. The certificate can be suspended or revoked voluntarily or without the consent of the subscriber. The subscriber or his agent may at any time require the revocation or suspension of the certificate, and the Certificate Provider shall act accordingly within 48 hours. Without requiring the consent of the subscriber, the Certificate Provider may revoke or suspend the certificate on the grounds of falsification or death of the subscriber (Art 35(1)).
7. Subscribers and relying parties
The subscriber is the one who receives the certification service from the Certificate Provider as the ultimate user of the certificate. Users use the certificate in order to conduct a commercial transaction or for any other electronic message purposes. The relying party, on the other hand, is a person who acts based on the information contained in a certificate or on the authenticity of a digital signature. This includes parties who exchange electronic communications with the subscriber.
The subscriber has the obligations to provide accurate information, accept the certificate, verify to relying parties, safeguard the private key and request a suspension or revocation of a certificate forthwith when it knows or has adequate suspicion that the security of the private key is compromised.
The relying parties have the obligation to follow explicit certificate verification procedures, rely only on the recommended reliance limit and transaction type expressly stated in the certificate, follow procedures to verify authenticity, check whether the certificate is suspended, revoked or otherwise, or the similar recent status of the certificate they rely on, and observe the policies, practice statements and other documents publicized by the Certificate Provider.
8. Dispute Settlement mechanism and procedure of Appeal
The Proclamation establishes two distinct dispute settlement mechanisms on the basis of the identity of the parties involved in the dispute. If the dispute is between the RCA and the Certificate Provider, it would be resolved by the National Crypto Council. A party dissatisfied with the decision of the Council may lodge its appeal with the Federal High Court. The National Crypto Council consists of members drawn from the concerned bodies.
On the other hand, if the dispute is between the Certificate Provider and the subscriber or the relying parties, a complaint can be lodged with the RCA. The RCA shall give an appropriate decision on the dispute within 30 days. A party dissatisfied with the decision of the Council may lodge its appeal with the Federal High Court.
9. Offences and penalties
The Certificate Provider will be held liable for operating without a valid license and for other offences. A person who is found guilty of these offences will be punished with a fine ranging from Birr 100,000 to Birr 200,000. The Subscriber will be held liable if it uses a suspended or revoked certificate or provides inaccurate information in its application to obtain a certificate. A person who is found guilty of these offences will be punished with a fine ranging from Birr 20,000 to Birr 50,000.