The adoption of a modern legal framework for the application of new information technologies, including electronic communications, is of specific importance for the economic and administrative reform in Bulgaria as well as for the country’s accession to the European Union. In this context, during the last few years Bulgaria made considerable progress towards the creation of a favorable legal environment for the use of electronic documents and electronic signatures. The process was initiated by the Center for the Study (CSD) and was further developed in cooperation with the respective public institutions and experts. As a result, on March 22, 2001, the National Assembly adopted the Law on Electronic Document and Electronic Signature (promulgated in State Gazette No. 34 of April 6, 2001, in force since October 7, 2001).
The Law on Electronic Document and Electronic Signature is based on the principles of Directive 1999/93/EC of the European Parliament and the Council of December 13, 1999, on a Community Framework for Electronic Signatures as well as on a number of international acts and successfully implemented national provisions in other countries.
The Law was developed by a Task Force with the CSD set up in early 1999 and including prominent Bulgarian lawyers experienced in the area of legal regulation of information technologies and civil and commercial law. Members of the Task Force are Dr. Maria Yordanova, Director of CSD Law Program, Mr. Borislav Belazelkov, Judge at the Supreme Court of Cassation and lecturer at the Sofia University Faculty of Law, Professor Angel Kalaidzhiev, Attorney-at-Law and lecturer at the Sofia University Faculty of Law, Mr. Stephan Kyutchukov, Attorney-at-Law, and Dr. Vesela Stancheva, Attorney-at-Law.
The drafting process was based on comprehensive research of the most important foreign and international instruments already in place or in process of preparation, conducted by the Task Force members with the assistance of the CSD Law Program. The results of the research work together with the initial version of the Draft Law on Electronic Document and Electronic Signature were included in the collection Electronic Commerce and Electronic Signature: Legal Aspects, published by CSD in 2000.
Following the adoption of the Law two more experts joined the CSD Task Force: Mr. George Dimitrov, Attorney-at-Law, and Mr. Dimitar Markov, Project Coordinator at the CSD Law Program. The Task Force continued its work by providing expert assistance to the elaboration of the respective secondary legislation. The process started in late 2001 and was assigned to the then existing State Telecommunications Commission (replaced since February 2002 by the Communications Regulation Commission). As a result of the combined efforts three ordinances were adopted by the Council of Ministers in January 2002: the Ordinance on the Requirements to the Algorithms for Qualified Electronic Signature, the Ordinance on the Procedure for Registration of the Certification-Service-Providers and the Ordinance on the Activities of the Certification-Service-Providers, the Procedure for Termination of their Activities and on the Requirements for Provision of Certification Services. The ordinances on the implementation of the Law on Electronic Document and Electronic Signature entered into force on February 8, 2002.
In the year 2003, the Communications Regulation Commission registered the first two certification service providers offering services for universal electronic signatures – Information Services and Bankservice . Their registration and start of operation was the necessary prerequisite for the use of electronic documents and electronic signatures in the public sphere (primarily in relation to the provision of public services).
As a next step towards completing the legal framework for the use of electronic documents and electronic signatures, in November 2003 the Council of Ministers adopted a decision for setting up an Expert Inter-institutional Task Force to elaborate the legal framework for issuance and acceptance of electronic documents, signed with universal electronic signatures, within the judiciary.
Basic Principles of the Law on Electronic Document and Electronic Signature
The Law on Electronic Document and Electronic Signature regulates the electronic document and electronic signature and the conditions and procedure for providing certification services.
The Law envisages the application of electronic signatures not only in the area of obligations and contracts, but in other legal fields as well. The way written document and handwritten signature are regulated in civil and administrative law has been used as a basis for the regulation of the legal effect of electronic documents and electronic signatures, taking into consideration all the particularities of the electronic form. This will allow the process of implementation of the law to follow all achievements of the legal science and courts’ practice in the area of proving, contesting and accepting written documents and handwritten signatures.
With its entering into force the Law does not envisage an obligation for anyone to use electronic documents and electronic signature. On the basis of the Law, private persons could use this opportunity, meaning that without an additional state intervention, in practice the area of applicability of the Law will be limited only to obligations and contracts.
The Council of Ministers has a power to indicate when and which subordinated administrative bodies will be obliged to accept and issue electronic documents, signed with an electronic signature, which will allow the area of applicability of the Law to spread over gradually (depending on the available technological infrastructure in different administrative bodies) also in the field of administrative law.
In view of the requirements court proceedings to be regulated in a law, widening of the scope of the Law on Electronic Document ad Electronic Signature in the area of legal proceedings should be made with respective amendments of the relevant procedural laws: the Code of Civil Procedure, the Code of Criminal Procedure, the Law on Administrative Proceedings, the Law on the Supreme Administrative Court, and the Law on Administrative Offences and Penalties.
Other state institutions, not subordinated to the Council of Ministers (such as the National Assembly, the Constitutional Court, the National Audit Office, the Bulgarian National Bank, the Financial Supervision Commission, the Commission on Protection of Competition, the Ombudsman, etc.) municipalities and mayoralties will determine by their own acts the moment when they are ready to accept and issue electronic documents, signed with electronic signatures, and will adopt relevant internal rules for that as well. Naturally, an opportunity remains for the state to oblige through a law any state institution to accept and issue electronic documents, signed with an electronic signature.
The Law uses the definitions of “electronic statement”, “electronic document”, and “electronic signature”, because they have been widely used in society alongside other similar definitions, such as “electronic data interchange” (electronic messages), “electronic mail”, “electronic commerce”, etc. Electronic statement, document and signature are regulated as “digital” according to Article 2, paragraph (1), Article 3, paragraph (1), Article 13, paragraph (1) and Article 15, paragraph (1). The term “digital signature” has been widely used recently, but words like “digital statement” and “digital document” do not sound correct and are used neither in the Directive, nor in the newly adopted foreign legislation.
Legal issues are regulated in institutes and main definitions are given accordingly. The terms that are used in their ordinary sense are not explicitly defined in the Law. In the additional provision under §1 besides the definition of a qualified written form only new terms related to the technology for creation and use of the qualified electronic signature are explained, such as “asymmetric cryptosystem”, “cryptographic key”, “public key” and “private key”.
The area of applicability of the Law is regulated in chapter one and some cases that are outside the scope of the Law are listed.
Chapter two proclaims the principle that written form is considered to be respected if an electronic document has been created. In this chapter the terms: electronic statement as “a verbal statement, represented in a digital form through a common standard for transformation, reading and visual representation of information” and electronic document as an “electronic statement, recorded on magnetic, optical or other carrier that allows it to be reproduced” are defined. Rules are also envisaged on defining the signatory, the owner and the addressee of an electronic statement, on the time and place of its sending and receiving and the risk of errors during its transmission. The term electronic signature is defined in a technologically neutral manner as “any information, related to the electronic statement in a way, concerted between the signatory and the addressee, secure enough in view of the turnover needs, that: (a) reveals the identity of the signatory; (b) reveals the consent of the signatory with the electronic statement; (c) and protects the content of the electronic statement from subsequent changes”. The legal effect of an electronic signature among the signature owner and the addressee is acknowledged, unless the owner or the addressee of an electronic statement is a state body or a local self-government authority. The universal electronic signature is recognized the same legal effect as a hand-written signature regarding everybody.
Chapter three gives a definition of the qualified electronic signature as “a transformed electronic statement, included, added or logically related to the same electronic statement before the transformation”. The transformation according to the Law should be done by using algorithms which include the use of private key of an asymmetric cryptosystem. Requirements towards the algorithms are envisaged to be defined in an Ordinance of the Council of Ministers. The secrecy of the private key guarantees the security of the electronic signature.
The status of the certification service providers is also regulated. The certification service provider is a person that issues electronic signature certificates, maintains a public electronic registry for them, and gives access to every third party to the published certificates. Certification-service-providers may offer services on the creation of the qualified electronic signature private and public key. The requirements towards the activities of the certification service providers, their obligations and responsibility before the signatory, the signature owner and third parties aim to provide highest possible guarantees for the trustworthiness and security of the use of electronic signatures. At the same time, the scope of responsibility of the owner and the signatory before the provider and third parties is also envisaged. Relations between the certification service provider and the signature owner should be based on a written contract.
The law lists the different parts of a certificate as an electronic document, issued and signed by the certification service provider, and regulates the procedures for the issuance of certificates and for the suspension, renewal, and revocation of their effect. General conditions on public registries for the issued certificates have been formulated and it is envisaged that their structure and activities should be regulated with an Ordinance of the Council of Ministers.
Regulation and control of the activities for providing certification services are given to the Communications Regulation Commission (CRC).
Chapter four regulates the universal electronic signature, which is the only one to be applied in the public sphere. The need for maximum security requires the introduction of a registration regime for providers, offering certification services in relation to universal signatures; this requirement corresponds to Article 3, paragraph (7) of the Directive of the European Parliament and Council on a Community framework for electronic signatures. Simultaneously, the Council of Ministers can determine the state bodies that can use among themselves other electronic signatures.
The CRC as an institution, regulating and controlling the activities of the certification service providers should register those of them that would be able to provide services related to the qualified electronic signatures, applicable to the public sphere. The regime that has been envisaged is a regime for registration and not for licensing. The procedure for registration is specified with an Ordinance of the Council of Ministers. The CRC may deny registration only in case that the requirements of the Law are not met. The powers of the registry institution together with the procedures for registration of certification service providers and for deletion of registration are envisaged.
The registered certification service providers are obliged to certify the date and the hour of the presentation of the electronic document, signed with an electronic signature.
Chapter five contains general rules on application of electronic document and electronic signature by the state and municipalities, which would be gradually achieved with the creation of the necessary conditions and infrastructure and with the enactment of the respective laws or regulations.
Chapter six envisages protection of personal data, collected by the certification service providers for the purpose of performing their special activities and keeping up registries to be regulated by the Law. According to the Law, the collection of personal data for the signatory and the signature owner and the use of the data are permitted only to the extent it is necessary for the issuance and use of certificates. Exceptions from the rule are only possible if it is permitted by the Law or with an explicit permission of the person, to whom the data is related.
Chapter seven sets up the conditions that have to be fulfilled, in order to accept certificates, issued by certification service providers, established in other countries as being equal to the ones issued by a Bulgarian certification service providers. It is envisaged that control over the specified conditions has to be done by the CRC that has to maintain an electronic register, containing the necessary data. This is not applicable in cases where the certificate or the certification service provider that has issued the certificate is recognized on the basis of an international contract that is in force.
Chapter eight contains administrative penal provisions providing for the establishment of offences, issuance, appeal and execution of penal enactment to be made pursuant to the legal rules of the Law on Administrative Offences and Penalties.
The secondary legislation
Beside the Law on Electronic Document and Electronic Signature the legal framework includes a set of three ordinances on the implementation of the Law, adopted by the Council of Ministers in the beginning of 2002 (promulgated in the State Gazette. No. 15 of February 8, 2002, in force since February 8, 2002):
- The Ordinance on the Requirements to the Algorithms of Qualified Electronic Signature lays down the algorithm requirements through which the data for qualified electronic signature creation are generated (the cryptographic key pairs), and the algorithms through which the actual electronic signature is created (the hash messages, the private key and hashed message combinations, etc.). The requirements should be observed by every person performing the activities of generating data for qualified electronic signature creation, and/or verifying an qualified electronic signature. The algorithms should be secure in the practice and incorporated in documents in force (standards, technical specifications, recommendations, guides and reports). The Communications Regulation Commission is responsible for the publication and maintenance of a list of documents in force, containing the technical requirements to the algorithms.
- After the Ordinance on the Procedure for Registration of Certification Service Providers the Communications Regulation Commission is the body charged with the registration of the Certification-Service-Providers, which issue universal electronic signature certificates. The CRC supports a public register of persons registered and collects fees for the registration services, determined in the Tariff on Fees, adopted pursuant to a Council of. Ministers Decree. The ordinance includes provisions on the necessary stages of registration procedure, as well as amendments and deletion of the registration.
- The Ordinance on the Activities of the Certification-Service-Providers, the Terms and Procedures of Termination Thereof, and the Requirements for Provision of Certification Services includes provisions on the general, personnel and technical requirements as well as the available funds the CSPs have to answer to provide for certification services. It. regulates the requirements regarding the format of the certificates issued and the storage of information about the services provided. The Ordinance charges the Certification Service Provider with the obligation to keep an Electronic Directory containing the certificates of X.500 or LDAP based access issued by it, as well as the certificate of the Provider’s electronic signature, and information under Article 28, Paragraph (3) of the Law on Electronic Document and Electronic Signature relating to the security procedures, the way of using, storing and issuing the qualified electronic signatures, the price for the services provided, the liability of the CSP, etc.
The edition: Electronic Document and Electronic Signature. Legal Framework
The current edition was prepared by the CSD Task Force, which developed the Law on Electronic Document and Electronic Signature and participated in the elaboration of the respective secondary legislation. It is aimed to facilitate the process of implementing the e-signature legislation by providing governmental institutions, business associations, and the general public with detailed analysis of the provisions of the Law on Electronic Document and Electronic Signature.
Together with the full text of the Law on Electronic Document and Electronic Signature and the ordinances on its implementation as well as a commentary on them, the edition offers additional materials related to the legal regulation of electronic documents and electronic signatures such as:
-An extensive introduction reviewing the development of e-document and e-signature legislation in other countries and on international level as well as the major initiatives undertaken in Bulgaria;
-The most important international instruments and EU legislation, translated in Bulgarian: UNCITRAL Model Law on the Electronic Commerce, UNCITRAL Model Law on the Electronic Signatures, Directive 1999/93/EC of the European Parliament and the Council of 13 December 1999 on a Community framework for electronic signatures, Directive 2000/31/EC of the European Parliament and the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on Electronic Commerce);
-A selection of foreign laws on electronic signature, translated or summarized in Bulgarian, including the laws of Austria, the Czech Republic, Slovenia, Germany, USA, the State of Utah, Argentina, Singapore;
-Two separate papers: one on the issues of harmonization of the Bulgarian Law on Electronic Document and Electronic Signature with Directive 1999/93/EC of the European Parliament and of the Council of December 13, 1999, on a Community Framework for Electronic Signatures, and the other on the legal regulation of computer crime under Bulgarian criminal law;
-A glossary of the most frequently used terms in the area of electronic signatures;
-Standard documents for registration of certification service providers and a set of lists, prepared by the Communications Regulation Commission according to the Law and the ordinances on its implementation;
-Figures and schemes demonstrating the process of preparation and use of electronic documents and electronic signatures, the parties of the electronic communications and the relations between them, the mechanism for creation and use of qualified electronic signatures, the issuance of certificates for qualified electronic signatures, etc.
The materials included in the edition are updated as of December 2003. In addition, each legal instrument or initiative referred to provides reference to the respective web site, thus providing opportunities for the readers to follow the further development of the process.