|
About the author
Born in Ankara in 1971. After completing graduate degree at Marmara University Faculty of Law, she was awarded LL.M. on the Assignment of the Claim in Civil Action and PhD on Multiparty International Economic Arbitration by the Marmara University Social Sciences Institute. Besides she has authored books and articles on Electronic Payment, E-signatures, The Application of ICC Arbitration Rules and Computer Forensics. She is founder and director of the first IT Law Research Center in Turkey since 01.06.2004.
Abstract
On 23rd of July 2004, the Act on E-Signature came into force in Turkey. The Act was prepared in line with the EU E-Signature Directive and with the guidance of some of the member states. After the Act on E-Signatures, the E-Signature Regulation and communique became operative.
This paper is written about the Act on E-Signature and the E-Signature Regulation. As the paper explains the new regime offered with these legal regulations, it also provides the differences from the EU Directive. Apart from the general characteristics of the Turkish E-Signature Regulation, the main subject of the paper is the Turkish Telecommunication Board which is the responsible body of the operation of the E-Signatures regulations. Therefore, the duties of the Turkish Telecommunication Board, the principles followed by it in the operation, certificate service providers and their positions in the system are analysed in the paper.
Introduction
The Act on E-Signature which came into force on 23rd of July 2004 was prepared with the guidance of EU Directive and the practice of the member states such as
Germany ,
France ,
Austria , and
Belgium . E-signature Regulation and Communique has been entered into force on 6th January 2005 by way of publication in the Official Gazette. Before commenting on the new regulation regime provided by the E-signature Act and the relevant Regulation, it might be of use to explain about some important aspects of the Act.
Differing from EU Directive, Turkish E-signature Act provides detailed provisions only for the secure digital signature amongst other types. Turkish Act does not make distinction between secure, qualified and advanced e-signatures as provided in the EU Directive. The Act thoroughly explains the qualified electronic certificate as being one of the requisites of a secure digital signature and provides that a secure digital signature would bear all legal consequences of signature by hand. [1] Besides, the Act also provides that secure digital signature could not be used for the transactions of guarantee contracts and for those which are required to be effected by either official form or procedure. Accordingly under Turkish Law, sale of real property or marriage ceremony may not be effected by secure e-signature.
The Act on E-signature (No:5070) is a new regulation area for Turkish Telecommunication Board [2]. Accordingly, the provisions of the Act [3] designate the Board as the authorised body for many issues such as the review of the notifications to be made by the Certificate Service Providers in order to start operation, inspection of the quality, stability and reliability of the service, and finally the preparation of the necessary regulations.
The Telecommunication Board, acting on the statutory powers, has prepared a draft E-signature Regulation and Communique. Those regulations as having entered into force, e-signature is fully operative in
Turkey .
Principles to be Followed Telecommunication Board in Regulating E-signature Services
Both the Act and the Regulation determine some principles for the Board to be taken into account while regulating the activity. The Directive provides for: The inspection of the qualitative stability, reliability and the efficiency of the service together with optimum use of the sources, transparency and openness, protection of the consumer rights, the provision and support of the effective and sustainable competition environment in the market, compliance with the international standards regard to advancing technology, the nation wide expanding of the E-signature practice and support of the new investments. It is also essential that a holder of the electronic certificate should not be imposed to purchase other services and financing of a service with the price of another service is prohibited.[4]
Conditions in order to operate as Certificate Service Provider
In the light of above e-signature sector shall be regulated as follows: Under the existing law, in order to operate as a Certificate Service Provider (CSP) in
Turkey , a notification to the Board is sufficient and permission from the Board is not required. A CSP complying with the conditions provided in the Act and the Regulation may start to operate within 2 months. The Board immediately starts investigation upon the receipt of the notification. The Board requires the following documents and information with the notification: The use of the secure systems and equipment, provision of a reliable service, the provision of all measures to prevent the destruction or counterfeiting of the certificates, communication details, details of the company, and the details of the employees, the Certification Policy (CP) and Certification Practice Statements (CPS), time stamp policy and time stamp practice statements, sample of the certificate, liability insurance, a copy of the contract to signed with the e-signature holders and with service receivers where service.[5]
If there is a missing information or document the Board gives CSP one month period. If all requirements are not met within this period. The Board shall make a decision to determine that the applicant does not qualify as a CSP anymore. [6]
The Board is responsible to announce in its website: the notifications, information about the foreign CSPs operating in
Turkey and samples of the certificates. An other responsibility is to prepare a report on the progress and the general conditions of the sector. [7]
The Board shall also determine the principles regarding the margins of the tariffs. However, since E-signature is a new sector, the Board shall not determine any figures until the market reaches a stable condition. According to the provisional article contained in the Regulation, CSPs shall determine the prices in accordance with the above mentioned principles until a further notice received from the Board. The same principle is also applicable for administrative fees. The Board shall ask for %0.4 of the previous year?s turnover as the fee.
The Duties of CSPs
According to E-signature Act article 10, the duties of a CSP are as follows:
The employment of the qualified personnel, recording of true identity based on the official documents of the persons that are given certificates, determining the true identity and authority of any legal representatives for the usage of e-signature produced by the CSP as well as by the certificate holder; providing security of the data used for the formation of the e-signature either by the CSP or by the certificate holder within the premises belonging to the CSP; providing the security of the procedure where the e-signature is produced by the certificate holder by the tools provided by the CSP; before the delivery of the certificate informing of the certificate holder on the usage of the certificate and the method for resolving any disputes together with the legal requirements and, informing the certificate holder of the fact that e-signature had all the legal effects of a signature by hand with the proviso of exceptions; warning of the certificate holder that he/she should not allow other persons to use the data to form e-signature; keeping of the records for all transaction for 20 years; notification to the electronic certificate holder and the Board 3 months prior to the termination of the services.
CSP cannot maintain or store a copy of the e-signature data.
Termination of the services by the Board
The Board is also responsible for the stability of the E-signature services. The Board shall inspect every CSP either on complaint or on its own motion in every two years. [8]
The Telecommunication Board shall follow the below principles in inspection of the CSPs: Impartiality in the conduct of the inspection, assessment and consequently in preparation of the report, to avoid any occurrence which my jeopardize impartiality and diligence, to act with utmost care in all procedures.[9] The review of the applications to operate as CSP and the reports subsequent to inspection shall be conducted by a Committee chosen within the Telecommunication Board.
Following to inspection where the Board finds out that the CSP is lacking one or more of the notification conditions, the CSP shall be suspended of its activities and shall be provided one month period to remedy the situation. Failure of compliance within a month shall result with the termination of its services. [10]
A CSP that its services has been terminated, may agree with an other CSP for the transfer of the qualified electronic certificates within 15 days following to the termination. Where such agreement exists the Board decides for the transfer of the certificates and in the absence of such agreement the Board shall choose a CSP on its own motion. The CSP which is the transferee shall finish renewal of the certificates within in a month starting with the notification of the decision for the transfer.
The CSP that its services has been terminated, shall provide the documents needed for identity verification, the index, the archive and other records of the canceled certificates to the transferee CSP.
Where the Board is unable to designate a CSP for the transfer, the certificates shall be canceled. The CSP that its services has been terminated, shall provide records of the cancellation until the expiry date of the latest certificate and shall maintain the archive for 20 years.
Upon the notification of the Board?s decision as to the termination of the services, the CSP may no longer offer services of electronic certificate, time seal and e-signature. However shall continue with the certificate cancellation records until the renewal of the certificates by the transferee CSP are completed.
The CSP that its services are terminated, shall prepare the cancellation records at the end of the expiry date of the latest certificate and destroy all e-signature data and respective back up.
The decision for the transfer of the qualified electronic certificates shall be promulgated in the web site of the Board. The CSP that its services are terminated, shall electronically notify the certificate holders of the transfers.
Cancellation of the Certificates and the CSPs deciding to terminate their services
A CSP shall cancel the certificate where it is demanded by the holder, where it is found that the information contained in the electronic certificate database was inaccurate, forged or changed, where it is found that the certificate holder has been limited of his/her capacity, the bankruptcy, absence or the death of the certificate holder.
The CSP shall keep a record which enables to determine the exact time of cancellation and easily accessible by the third parties.
Where the services of a CSP are terminated by the Board and certificates are not transferred to another CSP, the certificates shall be cancelled immediately.
A CSP may not cancel certificates as having retrospective effect.
A CSP deciding to cease its services, shall notify the Board in writing 3 months in advance. Following such notification, the CSP may not accept new applications and cannot issue a new qualified electronic certificate.
A CSP deciding to cease its services, shall inform the holders of its decision in its website and in 3 national newspapers of highest circulation 3 months in advance.
A CSP may transfer certificates that have expiry dates exceeding the date on which the services shall be terminated, to another CSP until a month before the termination. The transferee CSP shall finish the renewal of the certificates within one month following to the notification of the transfer.
The CSP that its services has been terminated, shall provide the documents needed for identity verification, the index, the archive and other records of the canceled certificates to the transferee CSP.
Where it has not been possible to transfer the certificates or the service cannot be continued by another CSP, the CSP terminating its services shall cancel the certificates latest at the date of termination of its services. The CSP shall notify the certificate holders of the cancellation latest 15 days in advance of the cancellation.
The CSP that its services has been terminated, shall keep records of the cancellation until the expiry date of the latest certificate and shall maintain the archive for 20 years.
The CSP that its services are terminated, shall prepare the cancellation records at the end of the expiry date of the latest certificate and destroy all e-signature data and respective back up.
Activity Reports
All CSPs shall provide to the Board an annual report of the previous year in every March. The report shall at least contain the below:
- Types of issued certificates and respective numbers
- The number of the canceled certificates for each type.
- Documents and information indicating the financial situation of the CSP
- The information as to the transferred certificates, if exist any.
- The market projection of the CSP for the coming year.
- Other documents and information required by the Board.
The legal liability of the CSPs
As to the legal liability of the CSPs the Act on E-signature provides that [11] the liability of a CSP against the certificate holder is covered by the general rules of liability. Accordingly a CSP is liable for the damages sustained through an action of the CSP which violates the rules contained in the Act or the Regulation. The CSP is burdened with proving it had no negligence in order to discharge liability. Where the act is committed by an employee of the CSP, then the CSP may not benefit from the relevant provisions of the Code of Obligation which allows an employee to present evidence to discharge its vicarious liability.
Apart from the limitations arising from the technical specifications and the substantial scope of the e-signature, any agreements or covenants excluding the liability of a CSP, are null and void.
Certificate Liability Insurance
Differing from other e-signature laws, Turkish Act on E-signature does not require the provision of some security in order to start operating as a CSP. Instead, CSPs are obliged to purchase insurance to cover any damages arising from the incompliance with the duties vested by the Act. The rules and the procedure for this insurance shall be determined by a separate regulation of the Board after having received the opinion of the Undersecreteriat of Treasury. [12] The regulation has been prepared and entered into force as published in the Offi. Gazz. on 26.08.2004. Accordingly [13]; CSPs are required to have insurance to cover the damages arising from incompliance with the statutory duties. The scope of the insurance is to cover the damages of the third parties sustained through the incompliance of the duties as to usage of secure products and systems for electronic certificates, conduct of services in a secure manner and avoid forgery or replication of the certificates. The art. 8 of the Regulation as to Liability Insurance provides that the general clauses, tariffs and other conditions of the insurance shall be determined by the Undersecreteriat of Treasury.
The general clauses and tariffs prepared by the Undersecreteriat was submitted to the Board as of the end of November 2004. The Clauses provide that the scope of the insurance will cover certificate holders as well as third parties. Assuming that the risks are minimised due to the technical aspects of e-signature, Tariffs set relatively low premiums.
Foreign Electronic Certificates
The acceptance of foreign electronic certificates requires either an international agreement or the surety of a domestic CSP. The Board is responsible to publish the information about the foreign CSP and a copy of the certificate in its web site. The CSP in
Turkey is jointly liable for any damages to be sustained as a result of the usage of an accepted foreign certificate.
The consequences of foreign certificate issued abroad are regulated in the Act as follows: many EU members provide that the legal status of foreign electronic certificates shall be regulated by international agreements. Despite the reference in many national laws, such agreement does not exist yet. Secondly the Turkish Act states that where a foreign certificate is accepted by a CSP in Turkey, such certificates are deemed to be qualified electronic certificates and both the foreign and the local CSP shall be jointly liable for damages resulting from the usage of these foreign certificates. [14]
The Regulation brings the below minimum requirements for the acceptance of foreign certificates: [15]
- The foreign certificates should bear all technical specifications of a qualified electronic certificate,
- The foreign certificate issuer must qualify as a CSP in its country of origin.
- The accepting CSP in
Turkey shall submit to the Board one month in advance the below information for any foreign certificate to be accepted.
- A certificate sample of the foreign CSP
- The document proving the qualification of the foreign CSP as issued by the relevant authority in the country of origin.
- Documents to prove that foreign certificates s bear all technical specifications of a qualified electronic certificate,
The Board shall publish the certificate sample and other relevant information as to the foreign CSP in its web site. It is repeated in the Regulation that the local CSP shall be jointly liable with the foreign CSP
Another vital issue with electronic documents is the time stamp. Both the Act and the Directive provides that CSPs are obliged to give time stamp service. Users having qualified Electronic Certificates are entitled to this service.
With a view to assist the Board and inform about the problems of the sector, the CSPs are required to submit a report to the Board until the March of every year.
As the e-signature shall be applicable in
Turkey in the following days, there will be the need to observe and determine the shortcomings of the legal regulations and to create solutions for the problems which are foreseen.
END NOTES
[1] Act Article 5/1.
[2] http://www.tk.gov.tr .
[3] Act Article 3/j.
[4] Directive Article 5.
[5] Directive Article 6,7.
[6] Directive Article 7.
[7] Directive Article 17.
[8] Act Article 15; Directive Article 22.
[9] Directive Article 27,28.
[10] Directive Article 29.
[11] Act Article 13.
[12] Act Article 13/5.
[13] Act Article 5.
[14] Act Article 14.
[15] Directive Article 32.
|
