The Committee on Industry, Research and Energy adopted the report by Marita ULVSKOG (S&D, SE) on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
The committee recommended that the position of the European Parliament adopted in first reading following the ordinary legislative procedure should amend the Commission proposal as follows:
Scope: this Regulation should apply to notified electronic identification schemes mandated, recognised or issued by or on behalf of Member Sates, and to trust service providers established in the Union. It should also apply to both qualified and non-qualified trust service providers established in the Union.
Electronic identification systems: Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof: (i) a description of the notified electronic identification scheme and its security assurance level; (ii) information on which entity or entities manage the registration of the appropriate attributes identifiers; (iii) a description of how the requirements of the interoperability framework are met; (iv) a description of the authentication possibility and any technical requirements imposed on relying parties.
Security breach: where there is a breach of security that would affect the reliability of that scheme for cross-border transactions, the notifying Member State shall without undue delay suspend or revoke the cross-border function of that electronic identification scheme or that authentication possibility or the compromised parts concerned and inform other Member States and the Commission thereof.
Liability: the amended text introduced a new provision providing that the notifying Member State shall be liable for any damage caused to a natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to comply with this Regulation, unless it can show that it has acted with due diligence.
Coordination and interoperability: Member States and the Commission shall in particular prioritize interoperability for e-services with the greatest cross border relevance. The provisions intended to guarantee technical interoperability have to be technologically neutral so as not to interfere with the options favoured by Member States when developing their national electronic identification and authentication schemes.
Liability of qualified trust service providers: Members took the view that only qualified trust service providers should be subject to the liability scheme, as in Directive 1999/93/EC. Non-qualified service providers should be covered by the general scheme of civil and contractual liability defined in the national law of each Member State.</Amend>
Qualified trust services providers from third countries: Members wished to refer to the provision of EU personal data protection law which specifies the adequacy of the level of protection afforded by a third country.
Processing of personal data: processing of personal data might be necessary in case of a breach or in order to take appropriate counter measures and should be applied where this is absolutely necessary and be a "legitimate interest" under the Data Protection Directive and thus be lawful.
Disabled persons: trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities in accordance with Union law.
Supervisory body: the designated supervisory body, its addresses and the names of responsible persons shall be communicated to the Commission. Supervisory bodies shall be given adequate resources necessary for the exercise of their tasks.
Supervision of trust service providers: qualified trust service providers shall be audited annually by an independent body whose competence to carry out the audit has been demonstrated to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting compliance audit report to the supervisory body. Such audit shall also be carried out following any significant technological or organizational changes. If, after three years, the annual audit reports raise no concerns, the audits shall be carried out every two years only.
‘EU’ qualified trustmark: Members introduced the possibility for qualified trust service providers to use an EU trustmark to present and advertise the qualified trust services which they offer that meet the requirements laid down in this Regulation.
Parliament already called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market.
Electronic documents: Members stated that an electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic format. A document bearing a qualified electronic signature or a qualified electronic seal, shall have the equivalent legal effect of a paper document bearing a handwritten signature or a physical seal, where this exists under national law, provided the document does not contain any dynamic features capable of automatically changing the document.
Implementing measures and delegated acts: the proposed Regulation empowers the Commission in many provisions to adopt delegated acts or implementing measures. Members have reservations to an approach that relies upon acts and measures so heavily. They proposed amendments that will restrict the proposed acts strictly to technical implementation of the legal act in question in a uniform manner.