Welcome to the Saudi Arabia focus edition of Law Update.
One of the key markets in the Middle East and North Africa (MENA) that continues to lead from the front is the Kingdom of Saudi Arabia (KSA). As the largest country in the Middle East and the 18th largest economy in the world, the progress KSA continues to make is underpinned by its Vision 2030 that envisions developing the country as an investment powerhouse and hub that ultimately connects Asia, Europe, and Africa. Given Saudi Arabia’s significance to the regional economy, our team of experts have prepared a range of pertinent articles that provide insights into new laws, regulations, and the legal landscape in the Kingdom.
This edition will provide you with an up-to-date guide on matters such as; the framework issued by the Saudi Central Bank on IT governance, the anti-corruption landscape under Vision 2030; we also provide practical tips for dispute avoidance. This is only a snapshot; there are many more articles within the KSA focus section for you to read, which we hope you will find valuable and enjoyable.Read the edition
“We are seeing a real uptick in demand for digital signatures and are thrilled to see rapid adoption in the legal industry where physical closings were a staple. Led by the impact of COVID-19, mentalities are changing.”
What is a digital signature? How is it different from an electronic one? In a world where new technological solutions materialize on daily basis, users often find themselves confused by the number of options at their disposal, also confused if those solutions are regulated by domestic laws or not.
Understanding the difference between digital signature and electronic signature is important to know how far they are regulated.
A look back at the changing face of the signature from the distant past right through to present-day, how have signatures evolved throughout history?
Very generally, ‘electronic signature’ is a broad term referring to any electronic process that indicates acceptance or approval of an agreement or a record. An electronic signature would encompass a simple digital scan of a ‘wet signature’ through to a much more sophisticated authentication mechanism. A ‘digital signature’ is one specific type electronic signature.
Typical electronic signature solutions use common electronic authentication methods to verify signer identity (e.g. as an email address, a corporate ID, or a phone PIN). If increased security is needed, multifactor authentication may be used.
Digital signatures use certificate-based digital identifiers (generated and authenticated by public key encryption) to authenticate signer identity and demonstrate proof of signing by binding each signature to the document with encryption. Validation occurs through trusted certificate authorities or trust service providers.
Digital signatures, like handwritten signatures, are unique to each signer. Digital signature solution providers currently follow a specific protocol, called PKI (Public Key Infrastructure). PKI requires the provider to use a mathematical algorithm to generate two long numbers, called keys. One key is public, and one key is private.
When a signer electronically signs a document, the signature is created using the signer’s private key, which is always securely kept by the signer. The mathematical algorithm acts like a cipher, creating data matching the signed document, called a hash, and encrypting that data. The resulting encrypted data is the digital signature. The signature is also marked with the time that the document was signed. If the document changes after signing, the digital signature is invalidated.
Digital signatures has sophisticated and complex encryptions which does not allow for any kind of manipulating with the signed documents.
In brief, all digital signatures are electronic, but not all electronic signature are digital.
Back to regulation developments in UAE concerning electronic signatures:
Federal Law No. (1) of 2006 Concerning E-transactions and E-commerce (“ETL”), defines Electronic Signature as:
Any letters, numbers, symbols, voice or processing system in Electronic form applied to, incorporated in, or logically associated with an electronic message with the intention of authenticating or approving the same.
Under the ETL a person may rely on an Electronic Signature to the extent that such reliance is reasonable. In determining whether it is reasonable for a person to have relied on an Electronic Signature regard must be given, if appropriate, to the following (see Article 18 of ETL):
In practical terms, when considering how best to implement electronic signatures it is recommended to use a solution that is likely to meet as many of these Article 18 criteria as possible.
The ETL expressly contemplates the use of digital signatures.
An Electronic Attestation Certificate is defined under the ETL as a certificate issued by a Certification Services Provider confirming the identity of the person or entity holding an Electronic Signature creation tool.
A “Certification Service Provider (“CSP”) is defined as an accredited or authorized person or organization that issues Electronic Attestation Certificates, or provides other services in this regard. A Certification Service Provider is required to be licensed by / registered with the Telecom Regulatory Authority (“TRA”), and the current process contemplates a licensing system for local entities wishing to be recognized as CSPs under the Electronic Transactions Law, and a registration system for foreign entities wishing to be recognized under the law.
Presently, CSPs registered with the TRA include: Adobe, Lleida, Palaxo, Ascertia, First Abu Dhabi Bank, Digital Trust and Docusign.
Accordingly, using a CSP’s electronic signature and digital certification solution will enhance the reliability of an electronic signature under the ETL.
The ETL also provides for a “Secure Electronic Signature” An Electronic Signature will be treated as a Secure Electronic Signature, if, through the application of a prescribed or commercially reasonable Secure Authentication Procedures agreed to by the parties, it can be verified that an Electronic Signature was, at the time it was made:
In the absence of proof to the contrary, reliance on a Secure Electronic Signature Electronic Signature is presumed to be reasonable under the Electronic Transaction Law (and that the Secure Electronic Signature is the signature of the person to whom it relates).
“Secure Authentication Procedures” are procedures aimed at verifying that an electronic message is that of a specific person and detecting error or alteration in the message, content or storage of an electronic message or Electronic Record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answerback or acknowledgement procedures, or similar information security devices.
In order to determine whether a Secure Authentication Procedures are commercially reasonable, such procedures shall be considered in the commercial circumstances at the time of use thereof, including:
It is important to understand that the ETL does not expressly deem that having an Electronic Signature supported by an Electronic Attestation Certificate issued by CSP to be a Secure Electronic Signature.
While it may well be that having an Electronic Attestation Certificate issued by CSP will be a Secure Authentication Procedure, it remains open under the ETL for it to be determined in a particular case if it is a commercially reasonable Secure Authentication Procedure.
It is also important to understand that not all the electronic signature solutions offered by licensed CSPs in the UAE are supported by qualified digital certificates that would mean that they would be considered equivalent to handwritten signatures under the EU eIDAS regulation. Accordingly, due diligence on what CSP, and more particularly, what solution is to be used, is recommended to get the maximum benefit of the UAE law.
Enhancing the reliability of the electronic signature solution is critical, as in assessing the evidential weight of electronic information, due regard will be paid by the Court (under Article 10 of the ETL) to the following:
Finally, it is important to recognise that Article 6 of the Electronic Transactions Law provides that nothing in the ETL requires a person to use or accept information in Electronic form, but a person’s agreement to do so may be inferred from the person’s affirmative conduct.
Consequently, it is recommended that a contracting party wishing to rely on an electronic signature, incorporates specific reference to the use of a particular electronic signature solution in the contract documentation, so that there will be less likelihood that another party can challenge the use and reliability of the electronic signature. A Court should also recognise that the parties had agreed that the use of electronic signatures, and that a particular electronic signature solution provider is reliable.
While the ETL refers to “electronic signatures” only, the provisions in the law for electronic signatures to be supported by electronic attestation certificates issued by CSPs and secure electronic signatures that use secure authentication procedures actually contemplates what have become more colloquially known as “digital signatures”. Further the ETL indicates that digital signatures are the most reliable electronic signatures under that law.
That does not mean that use of digital signatures is necessary in every case. As discussed above, under the ETL reliability (and presumptions of reliability) is determined through a number of factors including the nature and value of the underlying transaction and commercial reasonableness. So for a low risk and low value transaction a simple electronic signature can be viable.
The enhanced reliability afforded to digital signatures under the ETL does not mean that simple electronic signatures are not reliable. It simply means that if reliability of an Electronic Signature were challenged in Court, the party relying on that signature will need to establish it is reasonable for them to have done so in the particular case.
While the ETL has been in force since 2006, the uptake of electronic signature solutions (particularly CSP solutions or digital signatures) had not been widespread in the UAE. However, the current COVID-19 circumstances, and the need to undertake transactions remotely, has significantly increased the usage of electronic signatures, and the Courts will be required to have a greater understanding of electronic signatures and digital signatures and their reliability. In addition, we understand that there are likely to be changes to the laws to further support the use of electronic signatures and digital signatures.