Image source: ENISA
The EPO accepts qualified digital signatures. Richardt Patentanwälte provides digital signature services for our clients through DocuSign.
In accordance with the Notice of the European Patent Office (EPO) as published in the Official Journal of November 2021, A86 a request for registration of a transfer of ownership can be made without a wet signature, in other words: putting pen to paper. Before, the EPO interpreted Rules 22 and 85 EPC to require a handwritten “wet” signature. However, now a digital signature meets the requirements of the EPO if it is “qualified”. For a digital signature to be considered “qualified” there are several conditions that need to be fulfilled according to the EPO:
A qualified electronic signature (QES) is an electronic signature that
is uniquely linked to and capable of identifying the person signing;
is created by means that the person signing can use with a high level of confidence and over which they have sole control;
is associated with the electronic document to be authenticated in such a way that any subsequent change in the data is detectable;
is created by a qualified electronic signature device; and
is based on a qualified certificate.”
(Source: European Patent Office, “Official Journal” of November 2021, A86, p. 12 https://www.epo.org/law-practice/legal-texts/official-journal/2021/11/2021-11.pdf)
Those requirements are met by DocuSign due to their use of Public Key Cryptography and the ID-verification. Users can choose between “Advanced Electronic Signatures” (AES) and “Qualified Electronic Signature” (QES). As mentioned above, a “QES” is required for registration of a transfer.
How does the Qualified Electronic Signature (QES) work?
After the boxes for signing have been set, the document can be sent to the recipients to sign. Those recipients who use DocuSign for the first time will then go through an online face-to-face ID-verification process carried out by a “qualified trust service provider”. According to DocuSign, this takes customarily just a few minutes. Afterwards, they are issued the digital certificate which serves to validate a signature that has been established. After registering on DocuSign, no further identification is needed. When having to sign another contract you will be able to log in to your account without additional verification. To sign a document, you do not have to conclude a contract with DocuSign.
However, if you want to send documents to other people to sign, a contract is necessary. In addition, our firm is set up to provide digital signature services through DocuSign to facilitate your administrative process.
According to DocuSign, their security contains both physical security control onsite and state-of-the-art security software and hardware, which they achieve by using a “centralized management system” and a “two-factor authentication process”. Furthermore, the product environment is protected by anti-virus software and malware detector as well as security tests, which detect vulnerabilities in the system. There is also the possibility of a “multi-factor-authentication”, giving only authorized people access to the documents.
Technical background of encrypted signatures/documents
Regarding cryptography, there are two main types of it. The first one is called “Shared secret cryptography”. In this case, both recipient and sender possess the same digital key for encryption and decryption. Therefore, it is likely several clients need to use the same key. This makes the encryption insecure and more vulnerable for hackers. As an alternative, the “Public Key Infrastructure” (PKI) can be used, just as in DocuSign. PKI works with two digital keys for every user: The public key and the private key. The first one is accessible for everyone whereas the latter is only available for the user. To write an encrypted message to someone, you need the recipient’s public key. The message can only be decrypted with the private key. So private keys< and public keys belong to each other. In general, certificates from “Certificate Authorities” (AC) confirm the validity of the recipient’s identity so counterfeiting is impossible.
This technology can also be used to sign documents, just as DocuSign. When signing the document, the signatory’s private key is used to generate a signature. Therefore, the document is encrypted with the private key. The encryption is a secure signature because the private key is created in the above-mentioned online face-to-face ID-verification, so only the validated signatory can access it. When the document is changed after signing, the digital signature is deleted.
These technical methods make sure the QES is secure and legally valid.