According to Hungarian judicial practice, legal statements sent by simple e-mail are not considered to be in writing, which can have serious consequences in the case of contracts concluded via electronic correspondence if the law requires a written form for the given contract or contractual clause. In our article, we examine the background of this judicial practice and provide solutions for both law enforcement agencies and the law-abiding public.
What does the law say about writing? According to the main rule of the Civil Code, a legal statement (such as a contractual offer or its acceptance) is considered to be in writing if the declaring party has signed the legal statement. This rule is supplemented by Section 6:7 of the Civil Code. § (3) states that a legal statement shall be considered to be in writing even if it is communicated in a form that is suitable for (i) the unchanged recall of the content of the legal statement, (ii) the identification of the person making the statement (iii) and the date of making the statement.
The legislator used an explicitly technology-neutral formulation here in order to ensure that continuous technological changes do not necessitate new and new amendments to the law. However, this solution resulted in a broadly interpreted definition, and therefore it became necessary for judicial practice to provide an answer to the question of exactly what is considered written and what is not, in order to avoid legal uncertainty.
The established judicial practice and its background The courts have so far interpreted the concept of technology-neutral written form of the law strictly, and in our opinion, judicial practice has thus turned in a rather debatable direction. For example, the Budapest Court of Appeal ruled in a press correction case (Pf.20.435/2017/3.) that an electronic legal statement sent by e-mail is not considered to be in writing unless it is accompanied by a highly secure signature. The decision was also published in the Court of Appeals (BDT2018. 3931.), stating that: “A statement made electronically is considered to be in writing if it can be used to verify the fulfilment of the requirements of authenticity and authenticity, and at the same time, the date of making the statement can be identified. Only an electronic document with a highly secure electronic signature meets these conditions.”
The legislation cited by the court In the above case, the Budapest Court of Appeal referred, among others, to Article 26 of the eIDAS Regulation. Based on this, a highly secure electronic signature (a) can only be linked to its signatory; (b) is suitable for identifying the signatory; (c) the signatory most likely created it using data that he or she can use only; and (d) it allows it to be determined if the signed electronic document has been altered later. According to the Court, this provision is significant because only by maintaining this can the requirement of authenticity and unfalsification be met.
Authenticity and unfalsification We agree that the authenticity and unfalsification of an electronic document can be ensured with an enhanced security electronic signature, but – in our opinion – the Civil Code, by prescribing “unchanged recall of the content” and “identification of the person making the declaration” when listing the three criteria of writing, does not require that the person making the declaration and the content of the original legal declaration be proven beyond all doubt.
As a result of this judicial interpretation, disproportionately stricter requirements must be met to meet the criteria of written form in the case of electronic documents than in the case of ordinary paper-based documents, for which a simple handwritten signature is sufficient – regardless of whether it is legible or whether it resembles the signatory’s previous handwritten signatures or, for example, the one on his/her personal identification documents.
Exclusively an enhanced security electronic signature? Perhaps the most controversial part of the court decision cited above is the word “exclusively”, which makes the enhanced security signature the exclusive qualification for written documents in the case of legal statements made electronically. The Budapest Court of Appeals clearly did not take into account, for example, the AVDH-certified document, which is a private document with full evidentiary value according to the Act on Civil Procedure.
If we truly accepted that only an electronic document with an enhanced security signature is considered to be in writing, then we could conclude that an AVDH-encrypted electronic document cannot be considered in writing – despite the fact that it is considered a private document with full probative value.
(In parentheses, we note that according to the definition of the eIDAS Regulation, the qualified electronic signature mentioned in the previous two parts of our article series is also an enhanced security electronic signature, namely one that was created with a qualified electronic signature creation device and that is based on a qualified electronic signature certificate. Therefore, an electronic document with a qualified electronic signature can be considered written even under the strictest interpretation.)
The position of the Advisory Board of the New Civil Code According to the majority position of the members of the Advisory Board of the New Civil Code, Section 6:7. (3) of the Civil Code, which establishes the three requirements of writing, does not regulate the requirement of authenticity and authenticity, and does not expect the statement to be absolutely unforgeable in order for it to be considered a written statement. The court must therefore examine and determine in each case whether the given form of communication met the conditions listed in the law in the given circumstances.
We fully agree with this position, therefore, taking the above idea further, we outline below some circumstances that, in our opinion, the courts should consider on a case-by-case basis when classifying e-mails as written.
Circumstances to be examined In our opinion, an e-mail should be considered written if it has been received from a unique e-mail address that can be linked to a specific person. For example, a company manager sends it from an address that includes his/her last and first name and also refers to the company name (as, for example, e-mail addresses are structured in many business organizations: lastname.firstname@companyname.hu). If, at the end of the e-mail message (i.e. scrolled down completely to the bottom), the signature section contains the sender’s full name, position, company name, and possibly even a logo, then, in our opinion, the court should accept that such an e-mail is suitable for identifying the sender. In general, an e-mail can only be sent from such an e-mail address if the user logs into their personalized user profile on their company computer with their own password. Of course, it is possible that the system administrator or an unauthorized employee could take advantage of the momentary absence of the authorized person and gain access to the e-mail program without permission, but the practical probability of this is extremely low. In the case of such an e-mail address, the sender can be identified with at least as much probability as in the case of a simple handwritten signature.
Another circumstance to consider may be the history of the e-mail, which in most cases appears unchanged at the bottom of the latest e-mail message. In business life, it is very common, and in some cases business etiquette almost requires, to respond to an e-mail not with a completely new message, but using the e-mail program’s “reply” (or “reply to all” if there are several participants). In this case, all previous e-mails are placed at the bottom of the latest message – as a well-traceable history. In our opinion, if a previous message in the antecedents already contained the name of the given party (position, company represented, etc.), then the legal declaration made in the subsequent electronic mail should also be considered written.
In our opinion, the court should always examine the circumstance of whether the recipient party was able to identify the other party even if the identity of the sender could not be established at all by an independent third party. It may happen that the sender and the recipient party have been business partners for a long time and have communicated with each other at regular intervals at that specific e-mail address, or for example, the sender had previously verbally indicated to the recipient by telephone that he would send an e-mail with the specified subject.
In our opinion, if the recipient could have known who sent the e-mail, the qualification of the legal statement contained therein as written cannot be denied just because the electronic document was not provided with an enhanced security signature, and thus the identity of the sending party could not be proven to anyone else.
Another circumstance to be taken into account may be a contractual provision in which the parties have agreed to classify statements made by e-mail as written communication, especially if the contact persons and their e-mail addresses have been recorded. In our opinion, in this case, the recipient cannot successfully plead in court that a message received at an e-mail address specified in the contract is not considered to be written, and therefore is invalid.
The development of judicial practice in general Judicial practice develops as a result of legal disputes. No matter how broadly or imprecisely the law is worded, no matter how many questions of legal interpretation arise in theory, in the absence of a legal dispute brought to court, the position of the courts cannot mature. This may be one explanation for the fact that judicial rulings on the qualification of legal statements made electronically as written have mostly not been made in cases in which one of the parties would have disputed the validity of the contract concluded by e-mail. This occurs extremely rarely, since economic actors initially enter into contracts with complete unity of will, only later a dispute arises between them, typically due to a breach of a contractual provision, while the formation of the contract itself is only rarely questioned.
Court decisions concerning the written nature of e-mails have most often been made in press correction lawsuits, the peculiarity of which – unlike economic lawsuits – is that there is a sharp conflict of interest between the parties from the outset. Such a lawsuit can be initiated if the person concerned – who is offended by a publication published about him – requests the editorial office of the press product in writing within a 30-day limitation period to publish a correction, but this does not happen.
In the cases that served as the basis for the relevant court judgments, the press organ usually referred to the fact that the request for correction received by them was only received in a simple e-mail, which, according to them, cannot be considered as being in writing. The Budapest Court of Appeal shared this position in the aforementioned case No. Pf.20.435/2017/3. and explained in the justification of its judgment that: “An important guarantee requirement with regard to a request for correction received by e-mail is that its content and origin from the right holder can be established beyond doubt.”
This argument raises two questions. One is how exactly this guarantee requirement can be derived, if the law only requires that a request for correction be in writing, and not in any other form, such as a private document with full evidentiary force. The other question is whether this guarantee requirement also exists in other cases where the law requires a written form, such as a rental agreement, a lease agreement, a mortgage agreement, a surety agreement, or a clause on liquidated damages and retention of title? Or is it possible that in these cases – since it is not a press correction request – a simple e-mail is sufficient to be considered as being in writing?
Until a uniform judicial practice is established on this latter issue – and for the reasons explained above, this is not expected in the near future – we can only advise that we provide our electronic documents with a qualified electronic signature or document authentication traced back to identification whenever possible
Data protection issues in digital education – NAIH information on the data security aspects of distance learning During the second wave of the coronavirus epidemic, due to the number of confirmed infections and the rapid spread of the epidemic, more and more educational institutions are repeatedly deciding to introduce digital education. Given the topicality of the topic, the NAIH issued a position statement.
The changed life situation caused by the coronavirus epidemic has also presented new challenges to institutions providing school-based training, so digital education introduced outside the curriculum has raised numerous data protection issues. Although digital education is not currently a nationwide phenomenon in our country, the National Authority for Data Protection and Freedom of Information (NAIH) nevertheless considered it justified to answer the most important data protection questions arising in this regard. The NAIH issued a briefing on the data protection and data security aspects of digital distance learning, which particularly concerns the uploading, sharing and storage of teaching materials, video recordings of students completing their tasks, and other documents. The NAIH took a position on the data processing of teachers, public education institutions and higher education institutions in four subject areas – taking into account the basic principles set out in the GDPR.
- The names and other identification data of students, the content of written and oral assessments, their comments in class, their results, their photographs, and their exam results all constitute personal data, and any operation performed on the data constitutes data processing. (Article 4, points 1-2, GDPR). Data relating to the teacher’s voice, image and teaching and training activities are also considered personal data. It should be emphasized that, pursuant to Recital 38 of the GDPR, the data protection regulation provides for increased and special protection for children’s personal data – given that they may be less aware of the circumstances related to the processing of their data and the risks that may arise.
- The NAIH highlighted that the framework and detailed rules of digital distance learning are currently not regulated in law, so legislation has become appropriate in areas of law affecting public education and higher education institutions. The NAIH explained that since the purpose of data processing during digital distance learning is to provide school education and training – as a basic public education task –, it does not qualify as private data processing despite the home activity. Thus, the educational institution is considered the data controller, and therefore it will be responsible for providing appropriate information about data processing and ensuring compliance with other data protection requirements.
Since the teacher is subject to a confidentiality obligation [Public Education Act. Section 42 (1)] is liable for the data acquired in relation to the child, so if it is used (transferred or stored for an unnecessary period of time) for any other purpose beyond the performance of its public duties, its conduct may be considered unlawful data processing, and in other cases may be considered a criminal offence. - Article 5 of the GDPR contains a series of basic principles that provide the data controller with aspects to be continuously applied and taken into account when processing personal data – regardless of the legal basis for data processing. For this reason, it is the responsibility of the data controller to verify compliance, who, taking into account the principle of accountability, is obliged to document the data and keep records related to the data in such a way that its legality can be proven later.
According to the NAIH, during data processing, it should be examined whether there is a solution that poses less risk to the privacy of the data subjects. The NAIH – with regard to the principle of data economy – drew attention to the fact that the camera should be placed in such a way that it does not broadcast children as much as possible, and that unnecessary recording of lessons should be avoided – taking into account the principle of purpose limitation and the principle of limited storage. According to the NAIH’s position, the teacher is obliged to delete the recordings immediately and irreversibly after evaluating them.
Regarding strictly necessary data processing, the NAIH takes the position that the legal basis for the data processing of the educational institution is the performance of a public task [GDPR Article 6 (1) para. e)], so the consent of the data subject is not required for its lawfulness. The data controller, as an educational institution, is obliged to provide the data subjects – parents/person exercising parental supervision – with appropriate information as stipulated in the GDPR in order to ensure the transparency of data processing. On the other hand, the data subject has the right to object to the method or practice of certain data processing, which the educational institution is obliged to examine and is obliged to consider whether other means that are less restrictive of the data subject’s privacy could be used.
In accordance with the principle of confidentiality and integrity [Article 5 (1) (e) GDPR], it must be ensured that video recordings are stored in a way that prevents unauthorised third parties from accessing them. The data controller must choose the appropriate method and technology for data security, taking into account the specific protection of children’s rights and the principles of data protection by design and by default (Article 25 GDPR).4. The NAIH has formulated a series of data protection requirements in accordance with the information published by the Polish Data Protection Authority, which are the following:
- mandatory use of a work email address,
- use of legally compliant software, antivirus scanners, anti-virus software, continuous updates,
- creation of uniform email addresses under the address (domain name) of the educational institution,
- creation of a platform suitable for sending video recordings – apart from the use of Viber, Messenger, Whatsup, etc. applications,
- ensuring enhanced protection of privacy during examinations via camera,
- imposing and enforcing strong password requirements for devices that are used by several people,
- use of a data processor that provides appropriate guarantees [Article 28 (1) GDPR]