legal framework of e-government

Legal Framework of E-Government Dr. Bernhard Karning Bundeskanzleramt [email protected]


Page 1: Legal Framework of E-Government

Legal Framework of E-Government

Dr. Bernhard Karning

Bundeskanzleramt

[email protected]

Page 2: Legal Framework of E-Government

eGovernment Legal Framework | 19.11.2014 2 |

Typical E-Government-Process

[Diagram: three stages, numbered 1 2 3]

portal: HELP.gv.at, USP.gv.at

back office: Electronic File System (ELAK), Central Register, Official Signature

eDelivery service: www.zustellung.gv.at

Page 3: Legal Framework of E-Government

Legal bases

E-Government Act

General Admin. Procedure Act 1991

Electronic Signature Act

Delivery Act

Data Protection Act 2000

Register of Residents Act

Fed. Law on Associations 2002

Fee Act 1957

Register of Buildings and Homes Act

Page 4: Legal Framework of E-Government

Electronic Signature Act

Page 5: Legal Framework of E-Government

eSignature – overview and legal frame

EU Signature Directive (1999/93)

AT Signature Act (190/1999) plus amendments (2000, 2001, 2005, 2008 and 2010)

– AT Signature Ordinance 2008 (3/2008 replacing the Ordinance from 2000)

AT E-Government Act (10/2004) plus amendments (2008, 2009 and 2010): „Citizen Card Concept“ (combines qualified signature with eID)

Page 6: Legal Framework of E-Government

eSignature – overview and legal frame

EU Signature Directive (1999/93)

– will be replaced by EU Regulation (2014/940) on electronic identification and trust services for electronic transactions in the internal market

– Includes eID and eSignature topic

– directly applicable in the member states!

– enters into force 1st July 2016

AT Signature Act and Signature Ordinance will be repealed

– there will be only a short Signature Act for the supervision

AT E-Government Act

– will be amended

Page 7: Legal Framework of E-Government

Types of electronic signatures in the SigG

3 different types of signatures:

electronic signature

advanced electronic signature

qualified electronic signature

– must fulfill all requirements of an advanced electronic signature

– based on a qualified certificate

– created by a secure signature creation device (SSCD)

Page 8: Legal Framework of E-Government

General legal effect

Signature procedures with different levels of security and different classes of certificates can be used for legal or commercial transactions. (§ 3 Abs. 1)

The legal effects of an electronic signature and its use as evidence cannot therefore be excluded merely by reason of the fact that the electronic signature is only available in electronic form, is not based on a qualified certificate or on a qualified certificate issued by an accredited certification service provider or was not created using the technical components and procedures as defined in § 18 (§ 3 Abs. 2).

„Principle of non-discrimination“

Electronic Signatures must be admitted as evidence

Page 9: Legal Framework of E-Government

Specific legal effect for qualified signatures

A qualified electronic signature fulfills the legal requirement for a handwritten signature, especially the requirement for the written form as defined in § 886 of the Austrian Civil Code (ABGB)

– unless a different definition is laid down by law or

– by an agreement between the parties

Page 10: Legal Framework of E-Government

Exceptions of specific legal effect

Qualified signature does not have the legal effects of the written form in the case of:

– legal transactions under family and inheritance law which require the written form or a stricter formal requirement *

– other declarations of intent or legal transactions which require official certification, judicial or notarial authentication or a notarial deed in order to be valid *

– other declarations concerning land register, companies register or other official register *

– declarations of guarantee („Bürgschaftserklärung“) outside business activity *

* still possible if a lawyer or a notary declares that he has informed the signatory of the legal consequences of his signature

Page 11: Legal Framework of E-Government

Certification Service Provider (CSP)

Certification service provider (CSP): a natural or juristic person or some other legally capable institution, which issues certificates or provides other signature and certification services.

CSPs shall require no special permit to establish and exercise their activities, but shall immediately notify the supervisory body of the establishing of activities.

– Only for CSPs which issue qualified certificates

Supervisory Body is Telekom-Control-Kommission / RTR

Page 12: Legal Framework of E-Government

Issuing of qualified certificate

The CSP (or an institution acting on its behalf) has to verify the identity of the natural person by

an official photo ID (“Lichtbildausweis”) or

other documented evidence of equivalent reliability

– e.g. “RSa-Brief”

Page 13: Legal Framework of E-Government

E-Government Act

[Diagram of the topics covered by the Act:] citizen card, identity-link, mandates, source PIN, sector specific eID, source PIN REGISTER, supplement REGISTER, standard-document REGISTER, official signature, Register queries

Page 14: Legal Framework of E-Government


eGovernment Act the main legal basis

entered into force on 1st March 2004

designed especially for the electronic communication between citizens and the business world with and between public administrations (eGovernment Act)

considers Data Protection

Barrier-free access to websites

Page 15: Legal Framework of E-Government


The Austrian citizen card

Card based (e-card, …)

Mobile phone signature

Page 16: Legal Framework of E-Government

Implementation of this function

§ 4 Abs. 2 E-GovG:

The unique identification of a natural person results from his/her Source-PIN (= encrypted number of the Central Resident Register/CRR)

§ 4 Abs. 4 E-GovG:

The authenticity of the electronically submitted application is provided by means of the electronic signature.

Page 17: Legal Framework of E-Government

Central Register of Residents

Each resident has a unique number (ID) „ZMR-Zahl“ in the Central Register of Residents (CRR)

CRR

SupR

Page 18: Legal Framework of E-Government

Online identity = CSP + public register

Trust center: Certification Service Provider (CSP): CSP A-Trust, CSP …

public sector registries: CRR BMI, Supplementary Register

Electronic Identity

Page 19: Legal Framework of E-Government

Function of the citizen card

The citizen card serves as proof of

the unique identity of a person and

the authenticity of an electronically submitted application

That means that the citizen card is:

E-Identity Document and

Handwritten Signature on the internet

Page 20: Legal Framework of E-Government

Sector specific approach in Austria

Austrian eGovernment Act:

The base registers provide for unique identification

The SourcePIN represents the uniquely identified person; it is a hidden number, stored only in the Citizen Card, which is in the possession of the data subject

In government data bases only the appropriate sector specific PIN appears for identifying data subjects

[Diagram: Base register(s) → SourcePIN → Sect.spec.PIN]

Page 21: Legal Framework of E-Government

Electronic identity of natural persons

Base Registers: Central Residents Register Number (CRRegNo); Supplementary Register Number for non-residents

Source PIN

ssPIN education, ssPIN Soc. Sec., ssPIN taxation, ssPIN

Page 22: Legal Framework of E-Government

ssPIN: Generation

Source PIN

irreversible derivation

ssPIN a (e.g. taxes & duties)

ssPIN b (e.g. constructing & living)

Conversion impossible!
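The chain the slides above describe (register number, Source PIN, one ssPIN per sector), as an added example that is not part of the original slides and not the algorithm the Austrian system uses. Assumptions: HMAC-SHA-256 stands in for the encryption that produces the Source PIN, SHA-256 for the irreversible derivation; the key, register numbers, sector labels and all function names are constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo values (assumptions, not real key material or identifiers).
AUTHORITY_KEY = b"constructed-demo-key-held-by-register-authority"
SECTORS = ("taxation", "education", "social-security")


def source_pin(crr_number: str, key: bytes = AUTHORITY_KEY) -> str:
    """Keyed transformation of the register number. HMAC is a stand-in for
    the encryption named on the slides; only the key holder can compute it."""
    mac = hmac.new(key, crr_number.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sspin(src_pin: str, sector: str) -> str:
    """Irreversible derivation: hash of the Source PIN bound to one sector."""
    if sector not in SECTORS:
        raise ValueError(f"unknown sector: {sector}")
    digest = hashlib.sha256(f"{src_pin}+{sector}".encode()).digest()
    return base64.b64encode(digest).decode()


def build_sector_db(sector: str, crr_numbers: list) -> dict:
    """Sector database keyed by ssPIN only; the Source PIN is never stored."""
    return {
        sspin(source_pin(crr), sector): f"{sector} file #{i}"
        for i, crr in enumerate(crr_numbers, 1)
    }


def linkable_keys(db_a: dict, db_b: dict) -> set:
    """Identifiers two databases share, i.e. what a join on the ID would link."""
    return set(db_a) & set(db_b)


def lookup(db: dict, src_pin: str, sector: str):
    """The holder presents the Source PIN; the application derives the ssPIN
    for its own sector and finds that person's record."""
    return db.get(sspin(src_pin, sector))


if __name__ == "__main__":
    residents = ["000247681536", "000912340078"]  # constructed numbers
    tax = build_sector_db("taxation", residents)
    edu = build_sector_db("education", residents)
    print("identifiers shared by both sectors:", linkable_keys(tax, edu))
    pin = source_pin(residents[0])
    print(lookup(tax, pin, "taxation"), "|", lookup(edu, pin, "education"))
    # A sector's ssPIN does not find anything in another sector's database.
    print(lookup(edu, pin, "taxation"))
```

The two databases hold records on the same residents yet share no identifier, so linking them requires the Source PIN, which only the card holder presents.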

Page 23: Legal Framework of E-Government

eID citizen card function

Bank cards

Health insurance card

Affinity cards

Mobile phones

Access to e-business:

• eBanking

• eBilling

• eProcurement

• CyberDoc

• Archivium

• eDelivery

Within administration:

• eSignature

• eRegisters

• eFile System

Access to e-gov:

• eForms

• eHealth

• eDelivery

• eDocument-Safe

• eUniversity

• eVoting

Page 24: Legal Framework of E-Government

Mobile phone signature

server-based citizen card solution for qualified electronic signatures via mobile phone

familiar technology and comfortable alternative to the current smartcards

important step towards usability and dissemination of modern eGovernment services because

– no software installation on the local PC, just the browser,

– no special computer skills and

– no card readers are needed for use.

No requirement on the mobile phone or SIM

– Just receiving SMS

Page 25: Legal Framework of E-Government

Mobile phone signature

Core Aspects

– Operated by a Certification Service Provider (CSP) for qualified certificates

– Signature-creation data (cryptographic keys) kept at CSP but controlled by the signatory

• 2-factor authentication (knowledge & possession) as known from smartcards

– Secure Signature-Creation Device

• 1999/93/EC Annex III, confirmed by a notified body

Page 26: Legal Framework of E-Government

Registration possibilities

„self registration“ using a qualified signature (existing citizen card): https://www.handy-signatur.at/

Registration authorities/ registration officers at various institutions (finance authorities, expanding: post offices…) https://www.a-trust.at/Aktivierung/ro/OfficerData.aspx?t=mobile

Using „trusted systems“ (currently e.g. FinanzOnline, registration via online banking in cooperation with telecom providers)

Page 27: Legal Framework of E-Government

E-Government Act

official signature

Page 28: Legal Framework of E-Government

Use of eDocuments (Validity)

Electronic documents need the potential for being authentic

Even if printed on paper such documents shall keep validity

Official signatures serve to facilitate recognition of the fact that a document originates from an authority

Page 29: Legal Framework of E-Government

„Official signature“ of documents

It facilitates recognition of the fact that a document originates from an authority

It has to be visualized with certain elements

Page 30: Legal Framework of E-Government

Official Signature (Amtssignatur)

only for signing by the public sector

at least advanced electronic signature

The signature certificate includes a specific attribute, which only the public sector is allowed to use

Signatory can also be a legal person or other legal entity; that means that an authority may act as signatory

Official signature can be based on a software-based server certificate

Page 31: Legal Framework of E-Government

Concept of official signatures

[Diagram labels:] date and time, logo of authority, validity hint, signing person (function), check information

Page 32: Legal Framework of E-Government

Different implementations regarding visualization

Minimum content:

• logo of the authority

• Explicit information that it was “officially signed”

• Information needed for the verification of the electronic signature and the printout

Page 33: Legal Framework of E-Government

Logos of the public sector

https://www.help.gv.at/Portal.Node/hlpd/public/content/221/Seite.2210001.html

Page 34: Legal Framework of E-Government

Signature verification

Follow the link in the individual document for information or go directly to the signature verification service of the AT Supervisory Authority for electronic signatures

www.signature-verification.gv.at

Page 35: Legal Framework of E-Government

The verification procedure and result

Upload doc.

See:

– Signatory

– Verification successful

– Valid certificate chain

– (Poss. manifest)

– Link to detailed report

Page 36: Legal Framework of E-Government

Detailed report (signed by RTR)

Details on

– Certificate

– Signature type

– Signature attribute „official signature“

– …

Signed by Supervisory Authority

Page 37: Legal Framework of E-Government

Probative Value of Printouts (§ 20 E-GovG)

an electronic officially signed document is always considered as original = authentic public document (öffentliche Urkunde)

also an electronic document of an authority (e.g. “Bescheid”) printed out on paper is assumed to be authentic (§ 292 ZPO)

regardless of whether the authority or the recipient prints the officially signed document

Page 38: Legal Framework of E-Government

Documents issued by Public Authorities

§ 18 of the General Administrative Procedure Act 1991 (AVG) foresees that (since 1.1.2011)

– Official documents issued electronically have to bear an official signature (§ 19 E-GovG)

– Official documents issued on paper have to be

• manually signed by the official approving the document or

• manually certified by the office, indicating that the document corresponds with the document approved by the responsible official or

• the paper document is the printout of an electronic document which bears an official signature. In this case, no further requirements need to be met.

Page 39: Legal Framework of E-Government


General Administration Procedure Act (AVG)

Page 40: Legal Framework of E-Government

Submissions/Applications (Anträge)

Submissions may be filed in writing, orally or by telephone (§ 13 Abs. 1 AVG)

Written submissions may be communicated to the authority in any technically feasible form

by e-mail, however, to the extent that no specific means of communication are provided for the electronic communication between the authority and the persons involved. (§ 13 Abs. 2 AVG)

e.g. e-form

Page 41: Legal Framework of E-Government

Submissions/Applications (Anträge)

Any technical requirements (file format, interfaces) or organisational restrictions of the electronic communication between the authority and the persons involved (time limitation, certain e-mail address) are to be published on the internet

– is no enabling provision, but merely a publicity requirement for any organizational restriction (VfGH-Erkenntnis 106/2013-10 vom 3.3.2014)

– Sending an application to an e-mail address other than the published one bears the risk of loss or of delay of the application

Page 42: Legal Framework of E-Government

Submissions/Applications (Anträge)

the authority is obligated only during office hours to accept submissions in writing or operate receiving appliances (Fax!)

the office hours and the hours for the public are to be published in the internet (§ 13 Abs. 5 AVG)

– AVG links only to the organizational set office hours and their publication in the internet (VfGH-Erkenntnis 106/2013-10 vom 3.3.2014)

Page 43: Legal Framework of E-Government

Submissions/Applications (Anträge)

Therefore, on the basis of the right to organize, possibilities of the authority (with procedural consequences):

e-forms instead of e-mail

set the file formats

time restrictions (on office hours)

certain e-mail addresses

Page 44: Legal Framework of E-Government


Service of documents (delivery act)

Page 45: Legal Framework of E-Government

Delivery (in general)

e-mail: delivery unverifiable

electronic delivery:

– official documents are transmitted electronically

– with or without proof of delivery

– unique identification of recipient

• substitute for registered mail

– No Spam!

Page 46: Legal Framework of E-Government

Electronic Delivery (Zustellgesetz)

transmission of documents in execution of the laws (§ 1 ZustG)

not applicable for private sector

different regulations for finance authorities (Finanz Online!) and courts of law (ERV – Elektronischer Rechtsverkehr für Gerichte)

Page 47: Legal Framework of E-Government

4 Types of electronic delivery (ZustG)

1. delivery to an electronic delivery address (e-mail)

– without proof of service

2. via the electronic communication system of the authority (§ 37 ZustG)

– without proof of service

3. immediate electronic release (§ 37a ZustG)

– without proof of service, except if the citizen card was used for logon

Page 48: Legal Framework of E-Government

4 Types of electronic delivery (ZustG)

4. e-Delivery via electronic delivery service providers (§ 35 ZustG)

– delivery with proof of service (like RSa/RSb in paper)

– delivery confirmation through using the qualified electronic signature of the citizen card

– citizen card is mandatory

– service providers are authorized (§ 30 ZustG) and

– supervised (§ 31 ZustG) by the Federal Chancellor

Page 49: Legal Framework of E-Government

e-Delivery via electronic delivery service providers

1) document transmitted by administration

2) eMail notification

3) eID and signature based login (to confirm receipt)

4) deliver document content

Page 50: Legal Framework of E-Government

Notification through delivery service provider

e-Delivery via electronic delivery service providers:

1. Electronic notification (immediately to all electronic addresses)

2. Electronic notification (if the document is not picked up within 48 hours)

3. Postal notification (if the document is not picked up within the subsequent 24 hours and if the addressee has notified a delivery address to the delivery service provider)

Page 51: Legal Framework of E-Government

e-Delivery via electronic delivery service providers: delivery effect (Zustellwirkung)

Document is at the latest considered as delivered

when picked up (§ 35 Abs. 5 ZustG)

else on the first workday after the 2nd electronic notification has been sent (§ 35 Abs. 6 ZustG)

else on the third workday after sending the (3rd) postal notification, if a postal delivery address has been specified (§ 35 Abs. 7 ZustG)

– delay because of absence until return to delivery place (“Abgabestelle”) on the following day possible

Document is considered to be delivered without being picked-up by the recipient

Page 52: Legal Framework of E-Government

Thank you for your attention!

Dr. Bernhard Karning

Federal Chancellery of Austria

Section I/Department 11

E-Government – Legal, Organisational and International Issues