E-commerce has become a standard means by which business is being done in the modern world. As a result, new technologies and legal regimes have been developed to support this shift in how businesses and consumers alike are transacting.

But, if you sign up to a contract electronically, how can you be sure that the terms you have agreed are legally binding? In this blog, we consider the legality of electronic signatures.

The legal regime

Despite the use of e-signatures only becoming more common in recent times, a regulatory regime has been in place since 2000. However, there was limited uptake, and the European Commission perceived that this was due to a lack of confidence in the technology and the law. As such, the Commission developed a consistent European framework for the use of electronic signatures and online authentication, in the form of the Electronic Identification Regulation (the Regulation), which came into force in 2014 and has had direct effect in EU member states since 2016.

What is an E-signature?

Put simply, an electronic signature, or e-signature, is a means by which a document may be signed online without the need to put pen to paper.

The Regulation governs the use of many forms of e-signature, including electronic seals (used by corporate entities), electronic time stamps, and electronic registered delivery services. Under the Regulation, each type of authentication is broadly treated in the same way as e-signatures.

Categories of E-signature

The Regulation sets out three categories of electronic signature: simple, advanced and qualified. Each is an effective way of executing a document online, and the Regulation confirms that e-signatures are legally binding.

Examples of ‘simple’ e-signatures include typewritten names (such as at the end of an email), scanned copies of handwritten signatures and ticking a box on an electronic document stating “I agree”.

However, in order to qualify as an ‘advanced’ electronic signature, the signature must be: (i) uniquely linked to the signatory; (ii) capable of identifying the signatory; (iii) created using electronic signature creation data that the signatory can (with a high level of confidence) use under his sole control; and (iv) linked to the data signed therewith in such a way that any subsequent change is detectable. This definition softened the previous legal stance, which placed an absolute obligation on the signatory to retain ‘sole control’ of the data. That obligation implied physical control of the data, and potentially excluded cloud-based signature creation devices. And, as we all know, computers can be hacked. The new definition clarifies that the use of appropriate security measures will suffice, and acknowledges that, practically speaking, absolute control may be difficult to achieve.

A ‘qualified’ e-signature has the most onerous requirements. It is essentially an advanced e-signature, which is created by a qualified electronic signature device, based on a qualified certificate for e-signatures. A qualified electronic signature device is a signature generation device certified and approved for use to create qualified e-signatures. A qualified certificate for e-signatures is a certificate issued by a Qualified Trust Service Provider (more on Trust Service Providers below).

It is worth pointing out that there is a slight distinction between the use of e-signatures by natural persons (i.e. individuals) and legal persons (i.e. corporate entities). Electronic signatures can only be used by individuals and not corporate entities, but e-signatures can still be used by individuals to bind corporate entities in the same way as a written signature. However, if an agreement is to be executed by a corporate entity itself (as opposed to by an individual on a corporate entity’s behalf), a corporate seal should be used.

Trust factors

Verifying authenticity was historically one of the major challenges to the perceived trustworthiness of e-signatures. However, the establishment of ‘Trust Service Providers’, namely companies that provide services that can verify or validate e-signatures and other forms of electronic authentication, has gone some way to boost confidence around the validity of e-signatures. Examples of trust services include the creation, verification and validation of e-signatures, seals, time stamps and certificates for website authentication. Trust Service Providers are also regulated by the Information Commissioner’s Office (the ICO).

It is also vitally important to ensure that when signing documents online, you do so through a secure site. As such, website authentication is important. A website that benefits from website authentication is simply a website that has a digital certificate linking it to the business or person that you are dealing with. Ideally, we would recommend avoiding the execution of any type of online e-signature through a site that does not have this, as there is no guarantee it is secure.

 

Would you like to know more about electronic signatures from a legal standpoint? Please get in touch with our team here at Pannone Corporate. You can do so by either calling the team on 0800 131 3355 or by filling out our contact form.

 

Latest News

Reassuringly familiar, but refreshingly different - Pannone Corporate

I was one of the founding partners who set up Pannone Corporate in 2014. We effectively performed an MBO of the commercial part of Pannone LLP - a top 50...

Read more...
Interpretation of contracts and implied terms - Pannone Corporate

Contracts form the cornerstone of business relationships. Having clarity as to the terms parties are bound by in a contract is paramount to business effi...

Read more...
What next for net zero? - Pannone Corporate

In the final piece in our series commenting on Manchester’s aims to achieve net zero by 2038, we look to the future and offer our predictions as to som...

Read more...

View all posts

Finding appropriate ways to protect your business is an important part of your long-term business strategy. Protecting your organisation’s confidential information should form a key part of this strategy.

In this blog, we will consider how the use of non-disclosure agreements (also known as NDAs or confidentiality agreements) can help protect your information and your business.

What is an NDA and what is the benefit of using one?

The law of confidential information offers protection in relation to commercially sensitive information which cannot be protected by intellectual property rights, such as copyright, or which can only be protected in this way to a limited extent.

In order for information to qualify for protection under the law of confidential information, the relevant information must be confidential in nature and disclosed in circumstances that impose an obligation of confidence.

An NDA is a practical way in which a business can seek to ensure that its confidential information is protected. An NDA is a written contract that sets out the terms on which the parties will share confidential information. It provides some comfort for the disclosing party (being the party that is sharing its confidential information) that the receiving party (being the party that receives it) is on notice that the information being disclosed pursuant to the NDA is confidential, and that the receiving party is under a contractual obligation to keep it that way.

Enforcing an obligation of confidentiality under a contract will most likely be more straightforward than trying to enforce an obligation of confidentiality under general law.

So, what specifically does your NDA need to cover?

Define the information to be protected

A key aspect of the NDA is defining the information that is to be protected. If there is certain specific information that you wish to keep confidential – for example, a recipe – this should be specifically identified, but also consider that including a broader definition of information may be useful in order to capture any wider or inadvertent disclosures of information. It is worth bearing in mind that once information ceases to be truly confidential, nothing that is set out in a contract can change this. This is often reflected in the definition of confidential information by including a description of circumstances in which information will cease to be protected.

Obligation to keep the information secret and permitted use

The NDA must specify that the confidential information should be kept secret or remain confidential, and set out the specific purpose for which the receiving party may use the information.

Permitted disclosures

There are certain circumstances in which it will be reasonable for the receiving party to disclose the confidential information. Employees and/or advisors of the receiving party may need to be privy to the information, but consider linking their use back to the purpose for which the information has been shared. Consider also whether the receiving party should be obliged to ensure that all such employees and advisors are under separate obligations of confidentiality to the receiving party. The receiving party may argue that this is too onerous; however, at the very least, the receiving party should be liable for any breach of confidentiality obligations by such employees or advisors. No attempt should be made to restrict disclosures required by law.

Duration of the obligation

How long the obligation of confidentiality should exist for will depend on the type of information being disclosed. Certain information may only have a very short shelf life in terms of commercial value, and so to include an indefinite obligation of confidentiality could be deemed to be unreasonable in these circumstances. As such, you will need to consider what is appropriate in the specific circumstances.

Return or destruction of information

In certain circumstances, it may be appropriate to include an obligation on the receiving party to return or destroy your confidential information, for example, if negotiations in respect of a particular transaction come to an end. This will provide you with certainty that the confidential information does not remain in their possession.   

Consequences of Breach

From the perspective of the disclosing party, it is desirable to see a clause in the NDA that states that damages alone will not be an adequate remedy in respect of any breach. The courts have been willing to issue injunctions to prevent or stop the misuse of confidential information in certain circumstances, and also to order the destruction of confidential information. The inclusion of this type of clause may go some way to persuade the court that such an injunction would be reasonable in the circumstances, and may be of more practical benefit to a party if issued at the right time (namely before the information has been disclosed or used).

The disclosing party will also typically seek damages to compensate them for the loss which the defendant’s breach has caused. If the claimant would have used the information themselves to generate profit, damages will be measured based on what would be fair compensation for such loss. However, if the claimant would have licensed or sold the information to a third party, damages will be calculated based on what is deemed to be fair market value of such information in the context of a sale or licence between two willing parties.

 

For more information regarding how you can seek to protect your organisation’s confidential information, please get in touch with our team here at Pannone Corporate. You can do so by either calling the team on 0800 131 3355 or by filling out our contact form.

 


Uber France SAS (Uber France) is the latest Uber group company to receive a fine from its national regulator, the Commission Nationale de l’Informatique et des Libertés (the CNIL), following a serious security breach in 2016 that led to the unauthorised access and download of personal data relating to 57 million Uber drivers and customers from across the globe. The CNIL levied a fine of €400,000 on Uber France SAS on 20 December 2018.

Background: In November 2017, Uber revealed that it had suffered a major security breach a year earlier.

A taskforce was set up by the Article 29 Working Party (an advisory body made up of representatives from across Europe) to investigate the breach.

Uber’s responses to a questionnaire issued by the taskforce revealed that hackers had gained access to credentials stored in plain text on GitHub, a development platform used by Uber’s software engineers. Using those credentials, the hackers found an access key (also written in plain text) within a source code file, which the hackers used to access Uber servers and download the personal data.

Security measures: The CNIL found that the data breach would have been preventable, had Uber implemented appropriate basic security measures, such as:

All for one and one for all: The CNIL rejected an argument from Uber France that the CNIL could only impose a fine on the data controller (being, jointly, Uber entities established in the US and Denmark) and not a mere subsidiary of the data controller (i.e. Uber France).

The CNIL cited German case law, which stated that where a business has subsidiaries in various EU Member States, the data regulator in each Member State may exercise its powers in respect of each such subsidiary, even where the responsibility for collecting and processing personal data for the entire territory of the EU belongs to a group company in another territory.

To date, Uber entities based in the UK and Denmark have also received fines of £385,000 and €600,000 respectively in relation to the same breach.

Points to note: The CNIL’s reasoning in its decision to fine Uber France has provided a useful insight into what regulators may deem sufficient in terms of the appropriate security measures a company may be expected to take in order to protect personal data. It also sends a clear message regarding responsibilities in relation to personal data within a group of companies and highlights the fact that businesses with global establishments can be fined in relation to the same breach throughout multiple jurisdictions.

If your business requires advice in relation to its responsibilities under data protection law, please do not hesitate to contact a member of our Commercial Services team.
