Wednesday, June 3, 2020

eSignatures under Omani Law

In 2008 the Electronic Transactions Law (the “Law”) was promulgated by Sultani Decree 29/2008 in order to regulate electronic commerce in Oman. Since then, eSignatures have become increasingly accepted and used by businesses in Oman.

eSignatures are valid, admissible in court and enforceable, subject to the conditions set out below.

The Law recognises three types of eSignatures:

1. Secure eSignatures (Article 22)

This category of eSignatures is best protected under the Law because reliance on such signatures is presumed to be reasonable. Consequently, protected eSignatures are accepted as valid and have probative value unless otherwise established.

An eSignature is considered “protected” if it is possible to verify, (1) through the implementation of precise authentication procedures as required by the Law (such as by way of an electronic authentication certificate); or (2) as commercially acceptable and agreed upon between the parties, that at the time of its execution the eSignature is attributable only to the person who used it, and:

  • the signature-generating apparatus is used only by the signatory;
  • the signature-generating apparatus was, at the time of signing, under the control of the signatory and no other;
  • any alteration to the electronic signature after the time of signing is discoverable; and
  • any alteration to the information relating to the signature after the time of signing is discoverable.

However, any concerned person may adduce evidence to prove that the electronic signature is reliable or not.

2. eSignatures which do not fall into the “protected” category (Articles 11 and 23)

eSignatures which are not considered “protected” pursuant to Article 22 may nevertheless also be recognised as having legal force and effect, as long as reliance on the eSignature is reasonable.

Reasonableness is not presumed in such cases; the court will, in order to determine whether reliance on an eSignature is reasonable, take into account several factors, including the following:

  • the nature, value and importance of the concerned transaction;
  • whether the person relying on the eSignature took appropriate steps to determine whether the eSignature or certificate is reliable;
  • any previous agreement or transaction between the originator and the approved party; and
  • any other relevant factor.

Reliance is not considered reasonable where the eSignature is enhanced with an electronic authentication certificate and the relying party fails to verify the validity, applicability and restrictions of the certificate. In such cases, the relying party will be responsible for all risks resulting from the invalidity of the signature unless otherwise established.

3. Foreign eSignatures (Article 42)

In determining whether a foreign eSignature is valid, any agreement between the parties in respect of the transaction in which that signature is used shall be considered, provided that it is not contrary to Omani law.

The Omani courts accept eSignatures as having legal force and effect as long as they meet the requirements of the Law. For example, in order to consider an eSignature valid, Omani courts will determine whether the eSignature is protected and/or the reasonableness of the reliance a person may have on the eSignature. The Omani courts will also consider available evidence including electronic evidence.

eSignatures in connection with electronic transactions and commerce have probative force. Article 2 of the Law provides that the Omani courts will not, however, accept eSignatures with respect to the following documents:
  1. transactions and matters concerning civil status such as marriage, divorce, and wills and endowments;
  2. court proceedings, judicial summons, proclamations, summons, search orders, arrest orders and judicial decrees; and
  3. any document required by law to be authenticated by a notary public.

With respect to the incorporation of the use of eSignatures, ‘protected signatures’ are the best protected type of eSignature under the Law. In order to obtain the benefit of this protection, it is important to ensure the requirements in Article 22 (as listed above) are satisfied.

Steps to adopt in order to incorporate the use of eSignatures include:
  1. Determining a duly accredited person which issues electronic authentication certificates and any services or tasks related to it and to eSignatures as regulated under the Law. In order to be duly accredited, this person must hold a certification services provider license in Oman;
  2. Engaging this person to issue an eSignature tool and electronic authentication certificates for your use; and
  3. Implementing all due care and diligence in your use of the eSignature tool, in line with the directions provided by the certification service provider.

It is also important to ensure, when incorporating the use of eSignatures, that such eSignatures are not used with respect to the classes of documents excluded by Article 2 (listed above).

In summary, when deciding whether the use of an electronic signature will be recognised and enforceable, it is important to consider the following:
  1. Whether the type of document with respect to which the eSignature is used may be signed by way of eSignature under the Law;
  2. Whether the signature qualifies as a protected signature under Article 22;
  3. Where an eSignature is being relied on, other than pursuant to Article 22, whether such reliance would be considered reasonable by the courts; and
  4. The jurisdiction in which the agreement or document will need to be recognised and/or enforced. If a jurisdiction other than Oman is involved, it is important to consider its laws regarding eSignatures.

The use of eSignatures also imposes additional duties on a signatory, set out under Article 19. There may be repercussions if these duties are not fulfilled. These duties include notifying concerned persons, without any unjustifiable delay, on finding out that the signatory’s signature tool was or may have been exposed to safety risks based on circumstances or facts made known to him/her.

What would be the risks of proceeding with eSignatures in the event that the law is vague or does not permit/recognise them?

As long as the requirements set out above are fulfilled, there should be no significant risk that the Omani courts will not consider the eSignatures valid.

That said, there are certain non-legal concerns that must be addressed, in particular with respect to the possible vulnerability of eSignature tools to cyber-attacks, security breaches or misuse. Misuse of an eSignature may result in significant damage to the authorised person to whom the eSignature is linked.

It is therefore extremely important, in order to protect the signatory from any external or internal misuse, to implement high security measures to ensure only the authorised person to whom the eSignature is linked may access and use the eSignature. Measures that may be undertaken include secure storage of the eSignature and authentication certificate, and not sharing access to the eSignature or authentication certificate with any other person.