Digital Signatures in the COVID-19 World
First published in the Privacy Law Bulletin 2020, Vol 17, No 4
Given the COVID-19 world in which we now all operate, we are likely to see an increased use of digital signatures in the legal and commercial spheres going forward. Whilst courts generally consider that digital and electronic signatures are “a fact of modern commercial life”,[1] it is important for businesses and individuals to consider how their private data and information is stored, processed, maintained, accessed and secured.
Key points/how does it affect you
What are digital signatures?
Digital and electronic signatures have been used in the commercial and legal industries since at least 2000. At the Federal level, the use of digital and electronic signatures is governed by the Electronic Transactions Act 1999 (Cth) (Commonwealth ETA). There are similar statutes in each state and territory.[2]
Pursuant to s 10 of the Commonwealth ETA, electronic and digital signatures will have the same effect as written signatures where the requirements of “identity”,[3] “reliability”[4] and “consent”[5] have been satisfied. Although there is some debate over exact definitions:
- A “wet signature” refers to an individual physically marking a document (ie with a pen).
- An “electronic signature” refers to the acknowledgement or adoption of an electronic message, transaction or document (ie an “electronic version” of someone’s signatures which is placed onto a document, a typed name on an electronic form or document, a scribbled name on a device following a delivery).
- A “digital signature” uses “cryptographic authentication technology”: cryptography sitting underneath the signature which provides for the tracking of each step of the execution/signature process and can assist parties (and a court) in determining who actually signed the document and when they purportedly signed it. Programs such as Adobe EchoSign and DocuSign are now commonly used by businesses and individuals to facilitate digital signatures.
Whilst in times gone by, there would have been a crowded boardroom with individuals — dressed in nice suits — attending to the signing of voluminous amounts of paper (within nicely laminated folders), this is increasingly becoming an antiquated form of operating. Obvious benefits of digital signatures are that they make commercial dealings more efficient, quick and cost-effective. They also save paper and improve sustainability.
What are the privacy considerations?
Digital signatures necessarily involve the uploading and exchange of documentation on a cloud platform. A question arises as to commercial confidentiality when documents are uploaded to cloud platforms. Companies that provide these services purport that when documents are uploaded to their platform, the substantive content of the document, agreement, contract or the like is encrypted, meaning they have no control over, or access to, the specific contents of the documents.
In engaging an external service provider to store documents and information in the cloud, individuals and companies must be satisfied that the cloud service provider can adequately protect the security of documents and other data. They should also be satisfied that documents uploaded to the platform are protected from unauthorised amendments, which is a particular risk with an increase in cybercrime and hacking, both nationally and globally.
A key consideration is where the cloud server (which hosts the relevant contents and data) is located. Where the server is hosted overseas, the data will generally be subject both to the data protection laws of the country it originates from and to the laws of the nation hosting the server. Foreign government agencies can — legally — have more extensive powers to access information. Realistically, is it likely that companies, let alone individuals, are going to examine the small print of where the data is going to be stored? Maybe … but maybe not, and the risk of not doing this is that it could result in a material breach of private information.
What protections exist in Australia?
The Privacy Act 1988 (Cth) governs and regulates how relevant businesses handle personal information.
Personal information is defined as any information or opinion about an individual who is “reasonably identifiable”. Businesses subject to the Privacy Act (ie a business with an annual turnover of $3 million) are subject to the obligations set out in the Australian Privacy Principles (APP).
The obligations can be summarised as follows:[6]
- The privacy policies of cloud providers must notify customers as to what personal information will be collected and state the intended disclosure arrangements of that personal information, including whether it will be placed in any international data storage locations.
- Cloud servers can only disclose personal information internationally if the overseas recipient does not breach the APPs.
- Cloud servers must give customers their personal information upon request.
- Cloud providers must take reasonable steps to secure personal information from misuse, interference or loss and from unauthorised access, modification or disclosure, including security breaches that occur internationally.
- Cloud providers must take reasonable steps to delete or de-identify personal information that is no longer needed for the purpose for which it was originally stored.
There will also, in appropriate scenarios, be remedies available under the Australian Consumer Law as it provides customers with protections including, but not limited to, those involving false and misleading conduct, unfair contractual terms and unconscionable conduct.
APP 8 and APP 11
APP 8 states that a relevant entity (such as a cloud server) which discloses personal information about an individual to an overseas recipient must take “such steps as are reasonable in the circumstances” to ensure that it complies with the APPs generally. In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under s 16C of the Privacy Act, to have been done, or engaged in, by the APP entity and to be a breach of the APPs.
APP 11 states that if a relevant entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. APP 11 further requires that such personal information be destroyed or de-identified once the entity no longer requires the information.
Importantly, the Federal Court can impose civil penalties of up to $2,100,000 per breach for each serious or repeated interference with an individual’s privacy.[7] Therefore, there is an incentive for cloud servers that facilitate the exchange of documents via digital signatures to comply with the Privacy Act and the APPs.
Best practice for Australian cloud servers will be to ensure that they operate in accordance with the Privacy Act and other global privacy regimes and standards, such as the European General Data Protection Regulation. Such practices will involve allowing customers to submit requests regarding their personal data, allowing customers to determine their account retention policies, allowing customers to choose where their data will be located, and having privacy policies which are easily accessible and understandable (to the non-Bill Gates’ of the world).
As technology in this area becomes increasingly sophisticated and more widely and regularly used, it is likely that breaches of the Privacy Act will rise and result in financial penalties. It is important for both servers which facilitate the exchange of documents using digital signatures and for companies/individuals who utilise such services to be aware of their rights and obligations when it comes to privacy and, in particular, the storage and maintenance of personal and/or important data.
1. Stuart v Hishon NSWSC 766; BC201303109 at .
2. Including the Electronic Transactions (Victoria) Act 2000 (Vic), the Electronic Transactions Act 2000 (NSW), the Electronic Transactions Act 2000 (Tas), the Electronic Communications Act 2000 (SA) and the Electronic Transactions Act 2011 (WA).
3. Electronic Transactions Act 1999 (Cth), s 10(1)(a).
4. Above n 3, s 10(1)(b).
5. Above n 3, s 10(1)(c).
6. Australian Government Department of Communications, Cloud Computing and Privacy: Consumer Factsheet (2014), www.communications.gov.au/sites/default/files/2014-112101-CLOUD-Consumer-factsheet.pdf?acsf_files_redirect.
7. Privacy Act 1988 (Cth), ss 80W and 13G.