United Arab Emirates: Reliance on Electronic Signatures and Secure Electronic Signatures under the UAE Law

"A signature is a stylised script associated with a person. It is comparable to a seal. In commerce and the law, a signature on a document is an indication that the person adopts the intentions recorded in the document. An electronic signature is any legally recognised electronic means that indicates that a person adopts the contents of an electronic message".¹;

Electronic Signature
Under the UAE law, the term Electronic Signature has two statutory definitions, which are:

• "Any letters, numbers, symbols, voice or processing system in Electronic form applied to, incorporated in, or logically associated with a Data Message with the intention of authenticating or approving the same."²
• "... any unique set of letters, numbers, symbols, images or voice that would enable the identification of the signatory and distinguish him from all others as stated in the Electronic Transactions & Commerce Law."³

As for reliance on an Electronic Signature, the UAE law asserts that "Electronic Signatures shall have the same force and effect as other signatures mentioned in this Law⁴ provided they comply with the provisions of the Electronic Transactions & Commerce Law.⁵ Further, one can rely on an Electronic Signature (in place of a physical signature on a document)⁶ as long as it is reasonable to do so.⁷ The threshold as to what is reasonable depends upon the following aspects:⁸

• The nature of the underlying transaction the given Electronic Signature was intended to support;
• The value or importance of the underlying transaction (if this is known to the party relying on the Electronic Signature);
• Whether the Relying Party ... had taken appropriate steps to determine the reliability of the Electronic Signature ...;
• Whether the Relying Party ... had taken appropriate steps to ascertain whether the Electronic Signature was supported or was reasonably expected to have been supported by an Electronic Attestation Certificate;⁹
• Whether the Relying Party... knew or ought to have known that the Electronic Signature ... had been compromised or revoked;
• Any agreement or course of dealing which the Originator has with the Relying Party in respect of the Electronic Signature ..., or any trade usage or practice which may be applicable; or/and
• Any other relevant factor.

Secure Electronic Signature
Under the UAE law a signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure¹⁰ or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made:¹¹

• Unique to the person using it;
• Capable of identifying such person;
• Was, at the time of signing, under the sole control of the Signatory¹² in terms of the creation data and the means used; and
• Linked to the Electronic Record to which it relates in a manner which provides reliable assurance as to the integrity of the signature such that if the record was changed the Electronic Signature would be invalidated.

The UAE law also asserts that "Absent proof to the contrary, reliance on a Secure Electronic Signature is deemed reasonable".¹³ This statutory presumption, by implication, also means that as long as a Secure Electronic Signature meets the requirements of the UAE law (as described in the preceding paragraph), reliance on the given Secure Electronic Signature is construed as reasonable. Of course, as per the threshold/scheme highlighted above, one must also prove existence of an Electronic Signature before establishing existence of a Secure Electronic Signature.

Further, the UAE law provides for the statutory presumption that "... Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature:
- Is reliable;
- Is the signature of the person to whom it correlates; and
- Was affixed by that person with the intention of signing or approving the Data Message attributed to him".¹⁴

Signatory's Duties
As for the duties of the Signatory, the UAE law provides that:

• "A Signatory shall:
  - Not unlawfully use its Signature Creation Device;
  - Exercise reasonable care to avoid the unauthorised use of its Signature Creation Device;
  - Without undue delay, notify concerned persons if,
  (a) the Signatory becomes aware that the security of its Signature Creation Device¹⁵ has been compromised, and (b) the circumstances known to the Signatory give rise to a substantial risk that the security of the Signature Creation Device may have been compromised; and - Where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle
• A Signatory shall bear the legal consequences of its failure to satisfy the requirements of Section One of this Article."¹⁶

Footnotes
1 See "Electronic Signature" at http://en.wikipedia.org/wiki/Electronic_signature
2 See Article 1 of the Federal Law No. 1 of 2006 On Electronic Commerce and Transactions (hereinafter 'ECT 1/2006')
3 See Article 17bis(1) of the Federal Law No. 10 of 1992 Concerning Proof in Civil and Commercial Transactions (as amended by Federal Law No. 36 of 2006) (hereinafter 'PCCT 10/1992')
4 Reference here is to PCCT 10/1992
5 See Article 17bis(3) of PCCT 10/1992
6 See Article 8(1) of ECT 1/2006
7 See Article 18(1) of ECT 1/2006
8 See Article 18 of ECT 1/2006
9 Per Article 1 of ECT 1/2006, the term Electronic Attestation Certificate means "A certificate issued by a Certification Service Provider confirming the identity of the person or entity holding an Electronic Signature Creation Device"
10 Per Article 1 of ECT 1/2006 the term Secure Authentication Procedures mean "Procedures aimed at verifying that a Data Message is that of a specific person and detecting error or alteration in the communication, content or storage of a Data Message or Electronic Record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answerback or acknowledgement procedures, or similar information security devices"
11 See Article 17(1) of ECT 1/2006
12 Per Article 1 of ECT 1/2006 the term Signatory means "A natural or legal person who holds an Electronic Signature Creation Device and by whom or on whose behalf a signature is applied to a Data Message by use of the device"
13 See Article 17(2) of ECT 1/2006
14 See Article 10(3) of ECT 1/2006
15 Per Article 1 of ECT 1/2006 the term Signature Creation Device means "A uniquely configured device or Electronic Information that is required, alone or in conjunction with other devices or Electronic Information, in order to create an Electronic Signature attributable to a specific person including systems or devices which generate or capture unique information such as codes, algorithms, letters, numbers, private keys, personal identification numbers or personal attributes"
16 See Article 19 of ECT 1/2006

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.