e-Signature Without Borders

Search

News subjects

Archive

DOCUMENTS

• International Association “e-Signature Without Borders” Membership Fee STATEMENT
22.04.2014

• Decision of the Government of the Russian Federation No. 909 of September 10, 2012 on the Official Site of the Russian Federation in the Information and Telecommunicate Network Internet for Information on Tenders and on the Amendments to Certain Acts of t

18.09.2012

• The authenticity in electronic interaction Without Borders (presentation)

27.03.2012

• Test Protocol

27.03.2012

• The authenticity in electronic interaction Without Borders

27.03.2012

• Method for Authentication Provision in Cross Border Interaction

27.03.2012

e-swb.com/methodics_eng.doc

Method for Authentication Provision in Cross Border Interaction

SHORT SUMMARY

Electronic interaction plays a great role in the life of a modern society. At first, it is an electronic document flow (and, therefore, an electronic digital signature, as a document by its definition can’t exist without a signature) and electronic services requiring certain personal identification.
To provide all opportunities for interaction in a distant mode it’s necessary to exclude anonymity of participants of the process and have a reliable system of authentication.
Different means are used to solve this problem: from simple “login-password” to PKI-systems based on application of asymmetric key cryptography with public and private keys provided by qualified electronic signature certificates (related to a specific person and issued by the certification-service providers authorized by the corresponding state power authorities). Thereafter, trust level for each authentication system is different.
In a case when more reliable mean of authentication is required and advanced or qualified certificates are used to provide this, a necessity to verify these certificates to the moment of electronic digital signature creation or application to the certification-service provider appears.

There are no difficulties to get such legally valid verification only in one case – if all participants of electronic interaction are operating in the “common environment” of the certification service provider that has issued and supports the verified certificate. If this condition is not fulfilled there are some problems appeared. The problems depend on whether the process participants and the CA are operating within the same jurisdiction or in different jurisdictions. The main point of these problems is in essential differences in the sphere of standards, technologies, legislative bases applied by different countries and jurisdictions.
The present Method contains the analysis of principal problems of authentication in the sphere of electronic document circulation and electronic interaction between parties applying different jurisdictions based only on PKI-technologies; describes a universal approach to solve these problems and a principle of interaction between the parties of the authentication verification process – at first, from the technological and organizational point of view – as the interaction process description, and secondly, from the juridical point of view – as the method of verification of legitimacy of electronic digital signature or certificate while examining the question in courts of different jurisdictions.

Since the present Method in the proposed solutions takes into consideration the most complicated case of incompatibilities – the whole range of technological, standard, communication and legal incompatibilities, so, in a case of its admissibility, it can be supposed that it could be applied for solution of only several of mentioned problems of incompatibility, for example, in one country or one region.

Ways of application of these solutions from the technical point of view for the present Method are secondary, because they can be applied on the base of the available local or international standards and recommendations.

The Method is prepared on the base of the analysis of reports, publications, discussion materials, UN recommendations, original texts of legislative acts in the sphere of electronic signature and electronic authentication, best world practices in the implementation of solutions for the designated problems, practical experience of the International Association “e-Signature Without Borders”. While preparing the Method only integrated conclusions were used, therefore no copyrights were violated.

The Method is intended for specialists in the sphere of PKI-technologies and legislation who have knowledge and experience in related spheres. The Method is applied only for advanced and qualified electronic signature key certificates. Simple signatures were not examined by the Method.

The Method has been discussed and approved by the board of the International Association “e-Signature without Borders”.

For the first time the Method principles were presented at the International conference “PKI-Forum 2010” in September 2010 in Saint Petersburg.

All copyrights reserved. The material may not be published, broadcast, rewritten, used and copied in whole or part without the express written permission.

TERMS AND DEFINITIONS

The present Method uses the following terms and definitions:

Authenticity – conformity of announced and actual (person, information);
Authentication – conformity of identity;
Electronic signature (ES) – information in electronic form linked with an electronic document (other information in electronic form) in such a way that the identity of the signer and the integrity of the data can be verified;
Electronic signature verification key certificate (SVC) – an electronic or a paper document that was issued by a Certification Authority or CA trusted party and is used to verify that a public key belongs to a holder of the electronic signature verification key certificate;
Qualified electronic signature verification key certificate (qSVC) (qualified certificate) – an electronic signature verification key certificate that is issued by the accredited Certification Authority or the accredited CA trusted party or a federal executive power body authorized in the sphere of electronic signatures application (authorized federal body);
A holder of an electronic signature verification key certificate – a person who gets an electronic signature verification key certificate in the order determined by the current Federal law;
Electronic signature key or private key – a unique combination of symbols for electronic signature creation;
Electronic signature verification key or public key – a unique combination of symbols linked with a private key and meant for electronic signature verification, signed with an electronic signature by the Certification Authority that has issued SVC;
Certification Authority (CA) – a legal entity or an individual entrepreneur that creates and issues electronic signature verification key certificates and fulfills other functions provided by the current Federal law;
Electronic signature devices (ESD) – encryption (cryptographic) devices used for one of the following functions: electronic signature creation, electronic signature verification, public and private keys creation;
Certification Authority devices (CAD) – soft- and (or) hardware devices used to fulfill the functions of a Certification Authority;
Participants of electronic interaction – public authorities, local self-governed authorities, organizations and citizens realizing electronic information exchange;
Corporate information system (CIS) – information system with a certain group of participants of electronic interaction;
Public access information system (PIS) – information system for public use that cannot deny to provide a service or to provide support to a public process;
Hashing - the transformation of a string of characters into a usually shorter fixed-length value or key (hash) without an opportunity of reverse transformation;
Electronic signature creation procedure – a complex mathematical process that calculates the hash of a document and encrypts the hash with a signing key (an electronic signature key of a signatory). The document, the encrypted hash and the electronic signature verification key certificate are attached to the document or linked with it in some other way – depending on the technology used;
Validity verification of electronic signature verification key certificate – a procedure when a message recipient gets a strong proof of validity of a verified SVC at the moment of its creation. Information on validity of SVC can be obtained from the CA that issued electronic keys and electronic signature certificate to the signatory. Information can be provided in the online mode (by OCSP or VPKC protocols), usually only for contractual customers of CA. If there is no opportunity to check the certificate validity in the online mode, it can be checked via the Certificate Revocation Lists (CRL) that are published by each CA. CRLs update intervals are different. That is why, in order to get reliable information on certificate validity at the moment of electronic signature creation it’s necessary to check the certificate in the CRL on the date later than the date of creation of ES. The interval may vary from several hours to several days. Therefore, such type of verification is not always compatible with the processes that should be initiated while receiving a message (for example, a payment order) and can be accepted only after the next CRL update – in other words, in uncertain period of time. Such type of verification can hardly be considered as the efficient one, that is why only SVC validation in the online mode is acceptable.
Validity verification procedure of electronic signature – consists of two processes: validity verification of SVC and mathematical verification – the encrypted hash of the contents is decrypted by using a signatory’s public key. The decrypted hash is compared to a new hash of the data content. A signature is valid if the hashes match.
Legitimacy – compliance with laws, rules and technologies in a certain jurisdiction.
Validation – confirming that a verified product is authentic (obtained by a certain person) and valid (at a certain period of time).

PROBLEM DEFINITION

THEORETICAL PRECONDITIONS.

While developing the concept of the present Method, the following was taken as basic data:

A personal authentication for electronic services provision is connected with an applicant’s SVC validity verification. Besides this procedure, validity verification of ES is related to mathematical verification of ES. The present Method examines questions and solutions related to validity verification of ES. Since the questions related to personal authentication are a part of this procedure, then it’s not reasonable to examine these questions separately in the present Method.

The Functions of ES applications are:
Affiliation of a document;
Provision of integrity and invariability of a document in a transmission process;
Fixing the time of document signing;
Provision of non-repudiation of authorship and content of a document.

All these functions of an ES can be implemented both at a time and separately. However, after an electronic signature validity verification and (with a positive validation result) obtaining the confirmation of authorship, integrity and invariability of a document and time of its signing, in the future one may face a problem of NON-REPUDIATION. And this problem may appear after the signed document has been executed (for example, a payment order). On this basis, the present Method examines not only questions of getting momentary confirmations of electronic signature validity, but also provision of sufficient conditions for successful dispute resolutions in a court concerning repudiation of one’s signature, if such problem appears in the future.

Analysis of the present legislation of different countries in the sphere of electronic signature application shows that different countries legitimize different technologies, algorithms and rules both for ES creation (hashing and encryption) and for a document connection with a signature (S/MIME, PKCS 7, CMS, CAdES, XML-dsig, Xades, Pades, etc.). Besides, there are considerable differences in the rules of registration and application of electronic signature verification key certificates (SVCs). In some countries, SVC has to contain only identification data of a holder. By signing a document, a holder of a certificate is the one who defines his role in the situation and, accordingly, is responsible for this (for example, in Estonia). In other countries, SVC should also contain the authorities of a holder of SVC that makes it necessary to have separate SVCs – depending on the role played by a signer (a natural person, an accountant, a director, an authorized person, a property owner, etc.) – as, for example, in Russia.

The analysis of the current legislation of different countries in the sphere of electronic signatures recognition (a source: http://e-swb.com/req.html) shows that the list of conditions for recognition differs from one country to another: simple recognition; recognition guaranteed by a country resident; availability of accreditation of a foreign CA; availability of intergovernmental or international agreement, etc. Such essential and fundamental differencies in the question of foreign ES legitimacy in one jurisdiction make the problem more complicated. The experience of the European Union, where the attempts to unify the conditions and requirements to electronic signature creation and recognition by other EU countries have been undertaken for several years, confirms the conclusion that the way of implementing unified rules by way of various directives or agreements is not really efficient.

The analysis of the question of possible export of electronic signature devices shows that the problem-solving approach is incomplete.

Firstly, the question of export or import can be impeded by restrictive measures from the state (as, for example, in Russia). Bypassing these restrictions automatically makes the exported or imported electronic signature devices illegal, and consequently, electronic signatures created by these devices will be illegal as well. That makes the principle of NON-REPUDIATION unrealizable.

Secondly, electronic document circulation (EDC) presupposes documents circulation in both directions. At the same time, all tasks entrusted to ES application have to be equally implemented for all participants of the process. In other words, in a case of a dispute on ES application, both parties should have equal opportunities of successful dispute resolution in a court, including their own jurisdiction. However, use of „foreign“ technology considerably limits the opportunities of the party which goes to law in his own jurisdiction using „foreign“ technology.

CONCLUSION: In a case when it’s really necessary to implement a possibility of legal application of electronic signature in cross border EDC – it’s necessary to proceed from the available legal and technological base, unique for each jurisdiction, and take into consideration these peculiarities without imposing your own rules and technologies.

The analysis of the available judicial practice on disputes concerning repudiation of own signature in different jurisdictions shows that even in the conditions when all parties of EDC act in one jurisdiction, while examining cases with similar circumstances – a court decisions are different. Even the agreements on mutual recognition of ES (including agreements concluded between different CAs), that is allowed by the civil legislation of different jurisdictions, don’t solve the problem. As a rule, such agreements provide only an opportunity to confirm to third parties (customs, tax service and others) presence of legal relations between parties, but in a case of repudiation of one party of its own signature, a dispute can be resolved only in a court. The same principle is effective for documents formed on paper: third parties can be even showed a paper copy, but in a case of repudiation of one party of its own signature, such possible repudiation can be “blocked” either by availability of a witnessed authorized signature or by agreement notarization, in general. In the last case, the notary can appear in court as a witness of a fact of autographic signing, that completely excludes a possibility of repudiation.

As a rule, while examining such cases, a court has to engage experts (because of the peculiarities of the question) that give evaluation of the implementation of technical requirements to creation and verification of ES, which is a matter of dispute. Even in the frameworks of one country, because of insufficient elaboration of laws, allowing various interpretations of laws, different experts can give different conclusions on the same facts. If parties of EDC act in different jurisdictions and use different ES devices, the situation with expert evaluation becomes more complicated.
This statement also concerns cases when a signed document content is disputed in court. For example, an Author of a document (a payment order) affirms that he gave a commission to a bank to transfer 1 thousand dollars from his bank account on the account of the Payee X. The bank has transferred 1 million euros from the Author’s bank account on the account of Payee Y and it affirms that such was the Author’s commission. In this case, it is the Author who has to prove in court that he has made a commission different from the one executed by the Bank.

CONCLUSION: To increase the possibility to resolve the dispute on electronic signature repudiation fairly, it’s reasonable to focus the main attention not on experts, but on witnesses – participants of the validity verification process of ES or SVC. It is them who confirm the fact of signing by a concrete person on a concrete document with a concrete hash. And the hash conformity with the document content can be confirmed by an expert based on mathematical technique that could be hardly disputed or by a court judge using standard hash-calculators.

An attempt of some participants of EDC to verify ES by direct address to the foreign CA doesn’t solve the problem in general. It can be a single variant for authentication validation problem solution.

Firstly, these possibilities could be limited by the country legislation of a foreign CA, because such possibility should be provided by free export of ES devices implementing the validation function.
Secondly, few CA provide such service of verification of issued SVCs in a public mode. As a rule, they provide such service only for their clients. However, even the agreement doesn’t solve the problem because of the reasons mentioned below.
Thirdly, the most important factor: confirmation by the foreign CA of validity of a signer’s ES or SVC, while examining a dispute in court, not always can be recognized as legitimate because with the existent technologies of verification of ES and electronic signature certificates (based on international recommendations (RFC 3029 – Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols (DVCS); RFC 2560 – Online Certificate Status Protocol - OCSP. RFC 3161 – Time-Stamp Protocol (TSP)), there is exchange of requests and receipts that should be signed always by a respondent and very often by a requester. In other words, in the first case, the Requester of validation (the Recipient) should have an opportunity to verify a signature of CA on the receipt, and in the second case, the verifying CA should have an opportunity to verify a signature of the Requester.
Meanwhile, neither of the examined laws on electronic signature recognition (source: http://e-swb.com/req.html) make difference between the electronic signature of a natural person and the electronic signature of a CA. Both of them are foreign signatures from a legal point of view and conditions of their validation are equal. In other words, if a signature of a foreign natural person is not legitimate on the territory of the other country, therefore an electronic signature of a foreign CA on the receipt confirming the validity of ES or SVC of this natural person is not legitimate as well! Consequently, the validity verification result by direct address to the foreign CA is not legitimate. This is true both in a case of interaction between a natural person and a foreign CA and in a case of interaction between two CAs of different jurisdictions.
Recognition of foreign electronic signature via the accreditation of a foreign CA on the base of intergovernmental agreements may partly solve the problem. But only in each separate case.

CONCLUSION: such scheme cannot be a universal solution for the posed problem, with the exception of separate cases when a foreign CA is recognized as legitimate by the foreign jurisdiction.

In a case of a dispute between the parties of EDC on ES validity in a document, when the ES was created by rules of one of the parties, a corresponding claim can be brought. If the claim is examined in the jurisdiction of a petitioner, then even a positive court decision (from a petitioner’s point of view) may be executed only if the jurisdictions of a petitioner and a respondent have a proper agreement on mutual recognition of court decisions. If the case is examined in the jurisdiction of a respondent, it is unlikely that a court decision is positive for a petitioner. Firstly, because, court may not accept the claim at all, and, secondly, court is generally regulated by internal laws, and it’s hard enough to prove a fact of the other jurisdiction law violation.

Therefore, it’s necessary to build such a scheme of interaction where each separate stage of ES validity verification is legitimate in its own jurisdiction.

TOTAL CONCLUSION:
Independent validity verification of ES by a separate participant of EDC is hardly probable – from a technical point of view, and in the most cases won’t be legitimate – from a legal point of view. Such verification can be implemented only with participation of a third party – a Trusted Third Party. Meanwhile, to provide the principle of non-repudiation, all stages of validity verification process should be legitimate in the jurisdiction where this stage of verification is fulfilled. The evidences of ES authenticity should be also legitimate in a case of a court dispute.

PRINCIPLES OF THE METHOD

Summarizing the whole information mentioned above in the Method, aimed to make the whole process of authentication provision in the cross-border electronic document circulation legally valid, it’s lawfully to provide the following principles:

Electronic documents have to be signed by an author’s electronic signature that is fully legitimate in his own jurisdiction. This condition should also cover such specific cases when a resident from one country is an authorized person of a legal entity from another country. In this case his authorities should be properly confirmed to third parties by this legal entity (by his own ES). However, the authorized person carries on business relations with third parties by applying his own personal ES, though by option of the legal entity’s head managers, the situation is possible when legal entity’s head managers authenticate all documents signed by the authorized person – of course, after the validity verification of the authorized person’s electronic signature.
The ES validity verification process should be completely legitimate both for the jurisdiction of an author of a document and for the jurisdiction of a recipient.
The verification process should be acceptable both for corporate information systems and for information systems of public access.
Verification can be made both for a presented original document (in this case an Author and a Recipient should understand that the text of a document will be available for all persons participating in the verification process), and WITHOUT AN ORIGINAL DOCUMENT PROVISION but using only a hash of the document. On the one hand, it eliminates a necessity to submit the original document (which may contain confidential information) for third parties – participants in the verification process; on the other hand, it increases the objectivity of participants of the verification process. At the same time, obtaining the confirmation of ES validity concerning the hash of a document the initiator of the verification process should take a final decision on ES validity concerning the whole document – based on the full identity of the decrypted and independently calculated hashes.

There are two types of Verification:

Full verification of ES: validity verification of SVC; decryption by a verification key (contained in SVC) of the encrypted hash and its comparison to the hash presented by a verifying party. The confirmation of identity of decrypted and original hashes is a reason to consider the ES on a document as valid;

Validity verification of SVC on which ES was made – at the moment of ES creation. It may be applied in a case when a Recipient has a technical possibility to conduct the independent mathematical verification of ES (a proper electronic signature device is available). At the same time, it’s applied for authentication to provide an access to secure information systems.

Verification result must provide the maximum information for a verifying party: a mathematical verification result (a signature under the document is authentic and valid); or the information about SVC (a type of SVC; its validity; expiration date; a signatory role; status of CA that has issued SVC; limitations of use, etc.) – in a case of only SVC validity verification with the further independent mathematical verification (if a verifying party has all necessary electronic signature devices).

A Final decision (based on the information on verification results) on ES acceptability as a property providing legal validity to a document that provides authenticity of a specific document – should be taken by a verifying party. Verification process participants should be ready at any moment to confirm the facts and the results of their activities during the verification procedure.

Note: Sometimes a Requester wants to get not only a signature verification of validity but also verification of Author’s authorities. Of course, if a SVC contains such information and it is confirmed by the Author’s CA – it would be provided to the Requester (Verifying Party). But if SVC doesn’t contain the information, how is it possible to get such confirmation? And what to do in a case when the Author defines his role independently before signing and then signs a document (Estonia, Belgium, Germany)? Undoubtedly, it’s possible to establish a service on authorities verification via the corresponding registers and registries, but it would be a separate service.

THE ESSENCE OF THE METHOD

Taking into consideration the principles mentioned above, it’s logically to suppose the following Method for electronic documents authenticity provision in cross-border document circulation:

Participants of a process and initial conditions:

An author of a document. Uses a public and a private key, SVC and electronic signature devices, legitimate in his own jurisdiction.

A Recipient of a Document (Addressee). Uses a public and a private keys, SVC and electronic signature devices, legitimate in his own jurisdiction.

CA-1 – a certification authority in the Recipient’s jurisdiction that has contractual relations with the Recipient and that has issued SVC and electronic signature devices to the Recipient. By the Recipient’s request provides the Author’s ES verification on the contractual base. During this procedure CA-1 is a Trusted Third Party in relation to the document Recipient.

CA-2 – a certification authority in the Author’s jurisdiction that has contractual relations with the Author and that has issued SVC and electronic signature devices to the Author and is a holder of the SVC register.

A Verification Coordinator – a structure that has pais of keys and SVC of CA-1 and CA-2 on legitimate conditions which are also used by these certification authorities. Interacts with CA-1 and CA-2 on secure channels. By CA-1’s request, provides the Author’s ES verification on the contractual base. During the verification procedure the Verification Coordinator is a Trusted Third Party in relation to CA-1 (there is more information about a status and characteristics of the Coordinator below).

As it was mentioned above, there should be proper legal relations with the defined mutual rights and obligations and responsibilities between all participants of the process.

The Principle of participants interaction

It’s necessary to divide the interaction principle in two modes: usual and extreme.

A task of the usual mode is to provide a verifying party with agruments confirming the fact of the Author’s electronic signature validity and authenticity and the fact of integrity and invariability of the content in the signed document. The task of the extreme mode is to provide evidences of verification results in a court on which the verifying party made a conclusion on authenticity and validity of the Author’s signature.

Usual mode:

The author of the document signs it with his own ES, legitimate in his own jurisdiction.

The document is sent to the Recipient. A transmission channel (secure information system, electronic mail, Skype, etc.) is of no importance.

The Recipient gets the document with ES and addresses the CA-1 with a request of ES validity verification or SVC validity verification at the moment of ES creation (in a case when the Recipient has an opportunity to carry on the mathematical verification of the Author’s ES on his own). At the same time, the Recipient has to provide either a document hash and SVC (in the first case) or SVC (in the second case) to the CA-1. The request is processed under the rules of the CA-1. The request is signed with the Recipient’s ES using ES devices from the CA-1.

CA-1 verifies the Author’s signature validity under the request, creates a proper request under the technology legitimate for this certain jurisdiction and sends it to the Verification Coordinator. The request is signed with the CA-1 ES.

The Verification Coordinator verifies ES validity under the CA-1’s request with the devices got from the CA-1 and starts its processing. During the processing the request is „taken apart“ and on the ground of its component parts a corresponding request on the Author’s SVC validity verification in the CA-2 is created. This request must be created under the rules and technologies of the CA-2 and must be signed with the Coordinator’s ES created on SVC issued by the CA-2. Because the Coordinator is a client of the CA-2, the request can be carried on in the „online“ mode (for example, on OCSP protocol).

The CA-2 gets the Coordinator’s request, verifies its ES validity, makes out a receipt on the request results under its own rules and technologies. The receipt is signed with the CA-2 ES.

The Verification Coordinator verifies the CA-2 ES validity under the verification receipt and based on the results of the response from the CA-2 and depending on the type of request:
makes out its own receipt on the Author’s SVC validity at the moment of ES creation under the rules of the CA-1 and sends it to the CA-1 – if only the Author’s SVC validity is verified;
or starts the mathematical verification of ES – if the electronic signature is verified and under the verification results makes out a receipt on the ES validity concerning the hash.

Both variants of receipts are made out under the rules of the CA-1 and are signed with the Coordinator’s ES, ES keys and devices issued by the CA-1.

The CA-1 receives the receipt from the Coordinator, verifies the validity of its ES and sends its own receipt on verification results to the Recipient.

All receipts are correspondently signed with „a time stamp“ provided by the CA cooperating at this stage.

It goes without saying, that all participants of the interaction process should take part in the process voluntarily, have proper legal relationships between each other signed by agreements defining all mutual rights, obligations and responsibilities.

Thereby, as a result of the usual verification mode the verification initiator (the Recipient) gets a legitimate confirmation of the Author’s signature validity, as a result of which the verification of the document’s authorship, integrity, invariability and time of its signing is provided.

The Extreme Mode:

In a case of a dispute between the parties in respect of repudiation of his own electronic signature under the document and bringing the case to court, all participants of the verification process (CA-1, CA-2, Coordinator) take part in the legal process as witnesses and provide their own evidences of the verification results got in the usual mode.

If it’s necessary these evidences can be properly legalized – in respect to the rules of specific jurisdictions where the dispute is adjudicated. For example, in one case a notarization would be enough (if there are corresponding government agreements), in the other case – apostil is required (if both states are the Hague Convention Member states), in the third case – a consular assurance is required.

Of course, all these participants of the verification process and the Recipient who is the initiator of the verification process should provide proper documentation of their activities during the ES verification process and their storage. These obligations as well as the responsibilites in a case of their violation, should be stated in the corresponding agreements between the parties: the Recipient and the CA-1, the CA-1 and the Coordinator, the Coordinator and the CA-2 or should be specified in a public offer of the CA-2.

Thereby, all stages of ES verification under the requests and receipts don’t arise technical and juridical problems (they are carried on according to the international standards and recommendations and on legitimate ES devices). The complete legitimacy of the whole verification procedure is provided by the legitimacy of its each separate stage.

As a result, NON-REPUDIATION of an electronic signature under the document is provided. And, based on the present judicial opinion, - this mechanism can operate regardless of the conditions for recognition of a foreign electronic signature by a specific jurisdiction.

A role and a status of the Coordinator should be examined separately. Taking into consideration that in order to provide the legitimacy to the verification process, the Coordinator’s activities should be legitimate in each separate jurisdiction that is involved into the interaction, the Coordinator must have a status of an international structure. A commercial structure can hardly fulfill this condition, because a branch or representative office registration outside the jurisdiction of the company registration is a pretty complicated process. Therefore, it’s more reasonable to use a NONprofit structure for these purposes – an international association that has its own members in different countries and that could be presented within different jurisdictions – via its representative offices and via its own members (preferably certification authorities but ordinary companies are also allowed). The relationships inside this association should be regulated by the Code providing such legal relations that allow the whole structure to act as the Coordinator. Taking into consideration the whole information mentioned above, it’s logically to suppose that there is a demand for such International Association of Certification Authorities. Relations with Certification Authorities that are not the members of the association should be regulated by corresponding agreements that can be concluded by the Association itself or by another party in the same jurisdiction.

Mutual responsibility between all participants of the verification process should be provided by the Code, corresponding agreements and available liability insurance of each participant of the verification process.

THE IMPLEMENTATION PRACTICE OF THE METHOD

In order to implement the Method, a public organization the International Association „e-Signature Without Borders“ undertakes the functions of the Coordinator. The Association is a transboundary structure and is legally presented within different jurisdictions via the Assocation members or representative offices. Relations between the Association and Certification Authorities of different jurisdictions are regulated either by the Code of the Association (if a CA is a member of the Association) or by an agreement.

The Association has developed a hardware/software complex that fulfills all the tasks assigned to the Verification Coordinator (according to the Method).

The work of the hardware/software complex has been tested by verifying the validity of an electronic signature created on the Estonian qualified SVC that is included into the national ID-card – an official personal identification document of a resident of Estonia served by the Estonian Certification Authority „AS Sertifitseerimiskeskus“.

The tests (using the laboratory sample) showed that the time spent on:

creation of a DVC-request on ES verification from a side of the Russian partner – „National Certification Authority“ (NCA);

validity verification of ES under the request by the Coordinator;

creation of a OSCP-request to „AS Sertifitseerimiskeskus“;

obtaining the OCSP-receipt from „AS Sertifitseerimiskeskus“;

validity verification of ES under the receipt by the Coordinator;

mathematical verification of the verified ES;

creation of DVC-receipts to the „National Certification Authority“ by the verification results;

validity verification of the Coordinator’s ES under the receipt by the NCA

makes from 0,8 to 1,4 seconds.

Test protocol can be found here:

http://e-swb.com/sa/Protokol_NUC.PDF

CONCLUSION

The present Method is able to solve the problems of authenticity during cross-border interaction.

The present Method can be applied as for an electronic signature verification, so for the authenticity definition in electronic interaction.

The present Method can be used both in the frameworks of the corporate information systems and in the information systems of public access.

Simultaneous fulfillment of the following conditions could be the alternative for the present Method in order to achive the same goals (an opportunity to provide authenticity in cross-border interaction):

Creation of the World Certification Authority (for example, under the United Nations) that will issue root certificates for all national CAs and will be recognized by all countries.

Unification of the legislations of all countries in the sphere of recognition of foreign electronic signatures.

Implementation of full unification for the technology of ES creation and verification that violates the principles of „technologies neutrality“ currently in force.

The present Method will not be relevant only when these conditions are fulfilled.

Moreover, on the base of the present Method it seems quite promising to develop other services defined in the international recommendations X.842, such as: a service of non-repudiation, a service of evidences storage, a service of arbitration, a service of evidences provision, a service of notariat and others.

Nikolay Ermakov

Board Member of
the International Association
„e-Signature Without Borders“
Board Member of the judicial office
„Business Low Consult Service OU“

Konstantin Romanov

Director of
the law office „Romanov & Partners“
Member of the Chamber of Advocates
of Saint Petersburg

• Federal Law of the Russian Federation No. 210-FZ, dated July 27, 2010 "On organization of government and municipal services delivery"

06.04.2011

• EGYPT: Electronic Signature Law 2004
05.01.2011

Law No. 15/2004 on

E-signature and Establishment of the Information Technology Industry Development Authority (ITIDA)

In the name of the people,

The President of the Republic:

The People Assembly has decreed the following law and I have passed it:

Article I

Under this law, the following terms and definitions shall apply:

A.                Electronic Writing: All letters, digits, symbols or any other signs on an electronic, digital, photographic support or any other similar means that gives perceptible indication.

B.                 Electronically written messages: a data message that includes information created, combined, stored, transmitted or received totally or partially by use of an electronic, digital, photographical means or any other similar means.

C.                 E-signature: What is on an electronically written message in the form of letters, digits, codes, signals or others and has a unique identity that identifies the signer and uniquely distinguishes him/her from others.

D.                Electronic Media: A tool, tools or systems of establishing e-signature.

E.                 The Signer: The person who has the data of establishing the e-signature and signs for himself/herself or whomever he/she legally represents.

F.                  E-certificate: The certificate which is issued by the entity which authorized to authenticate. The certificate proves the relation between the signer and the data establishing the signature.

G.                The Authority: Information Technology Industry Development Authority (ITIDA)

H.                The Ministry with Jurisdiction: The Ministry with the jurisdiction for communications and information

I.                   The Minister with Policy Jurisdiction: The Minister with the policy jurisdiction for communications and information

Article 2

A public authority called the Information Technology Industry Development Authority (ITIDA) shall be established. The authority, which shall enjoy public corporate personality, shall be affiliated to the Minister with policy jurisdiction. ITIDA's headquarters shall be located at the Giza Governorate premises and may establish branches nationwide.

Article 3

The Authority aims at achieving the following objectives:

a)      Encouraging and developing information and communications technology

b)      Transferring and using advanced information technology

c)      Increasing opportunities for exporting communications and information technology services and the products thereof.

d) Participating in the development and improvement of entities operating in the ICT field.

e)      Directing, encouraging and developing investments in the ICT industry

f)       Protecting the common interests of information technology activities

g)      Supporting ICT research and studies and encouraging utilization thereof.

h)      Promoting and supporting small and medium enterprises (SMEs) in the area of using and applying the electronic transaction mechanisms (applications).

i)        Regulating the activities of e-signature services and other activities in relation to e-transactions and the information technology industry.

Article 4

The Authority shall have the authority required to achieve its goals particularly the following:

A.                Issuance and renewal of licenses required for operating e-signature services and other activities of e-transactions and IT industry fields in accordance with the laws and regulations regulating thereof.

B.                 Setting out the e-signature standards/ criteria to control e-signature technical specifications.

C.                 Receipt of complaints related to e-signature, e-transactions and IT activities; taking necessary actions in this regard.

D.                Evaluation of entities operating in the field of IT and identifying the technical capabilities of such entities based on the evaluation results.

E.                 Provision of technical advice on the disputes that occur between the parties involved regarding e-signature, e-transactions and IT activities.

F.                  Provision of technical advice to the entities operating in the IT field and training the personnel of such entities.

G.                Holding fairs, conferences and seminars on ICT inside and outside of Egypt.

H.                Establishment of or participation in companies which assist in developing the ICT industry.

I.                   Depositing, recording, and registration of original software and databases submitted by entities or individuals publishing, printing, and producing thereof in order to protect copyrights and other rights.

Article 5

The ITIDA shall have a charge representing 1% (one percent) of the revenues from the services and businesses provided by establishments operating in the ICT field to be paid by such establishments, and deposited in an account for contributing to the development of the ICT industry.. The ITIDA board of directors shall issue a decree identifying the services and businesses to be subject to that 1%..

Issuance and renewal of the licenses stipulated in item A of Article 4 of this law shall be in return for a fee. The categories of such fee and the rules and procedures of applying thereof shall be identified by a decision of the ITIDA Board of Directors.

Article 6

The Authority's financial resources shall be as follows:

a)      Allocations by the State for ITIDA.

b)      The charge which is stipulated in the first paragraph of Article 5 of this Law.

c)      The charge stipulated in the second paragraph of Articles 5, item (C) of Article 9, and Articles nos. 19 and 22 of this Law.

d)     Fees for other services provided by ITIDA.

e)      Gifts, donations and aid accepted by the ITIDA Board of Directors.

f)       Loans and grants contracted for ITIDA.

g)      Return on investment of ITIDA funds.

Article 7

ITIDA shall have an independent budget to be prepared in compliance with the rules of preparing economic authorities' budgets. ITIDA's fiscal year shall correspond with the State’s fiscal year. ITIDA shall maintain a bank account at the Central Bank of Egypt to deposit its funds. ITIDA may open a bank account in one of the banks pursuant to approval of the Minister of Finance.

ITIDA's annual budget surplus shall be carried forward. Based on a proposal from the Minister with policy jurisdiction, and after consultation with the Minister of Finance, the Prime Minister may issue a decree stipulating allocation of a portion of the budget surplus to the State. .

Article 8

ITIDA shall be managed by its Board of Directors which shall be appointed by Prime Ministerial decree. The Board of Directors shall be chaired by the Minister with policy jurisdiction and shall be composed of the following members:

a)      ITIDA Executive Head

b)      Advisor from the State Council to be selected by Head of the State Council

c)      Representative of the Ministry of Defense to be selected by the Minister of Defense

d)     Representative of the Ministry of Interior to be selected by the Minister of Interior

e)      Representative of the Ministry of Finance to be selected by the Minister of Finance

f)       Representative of the Presidency Authority to be selected by the Head of the Presidency Department (Diwan)

g)      Seven experts to be selected by the Minister with policy jurisdiction.

The period of service for all members shall be three renewable years. The Prime Minister shall issue a decree establishing compensation for the membership.

The Board of Directors may form, from its members, one or more committees and temporarily assign certain tasks to these committees. The Board may also delegate some of the Board's responsibilities to the Chairperson or ITIDA Executive Head.

Article 9

The Board of Directors is the authority responsible for ITIDA affairs and management. The Board may take the decisions it deems necessary to achieve the goals for which ITIDA is established. The Board shall fulfill its jurisdictions as stipulated in this Law particularly the following:

A.                Developing systems and rules for e-signature and e-transactions in compliance with the laws and regulations regulating thereof.

B.                 Developing technical, administrative and financial rules and establishing the guarantees for issuing licenses required to operate the e-signature services and other activities in the fields of e-transaction and IT

C.                 Identifying the services provided by the Authority to third parties in the ICT field and the fees for these services

D.                Developing the rules which ensure respect for professional traditions in the fields of e-transactions and ICT.

E.                 Developing internal regulations for the technical, financial and administrative affairs, procurement, storage and other regulations that regulate Authority activities without being restricted by government rules and systems.

F.                  Approving ITIDA’s annual draft budget.

G.                Developing regulations for ITIDA personnel affairs to regulate personnel appointment; identify theirs salaries, allowances, compensations, promotions, disciplinary actions, termination and all their job affairs with consideration to the rules of productive sufficiency and balance of Authority economics, in consultation with the relevant syndicate, without being restricted by the rules and systems applied to the State’s civil servants.

H.                Developing training and qualification plans and programs in the IT industry.

The Minister with policy jurisdiction shall issue a decree on the regulations and systems stipulated in this Article.

Article 10

The Board of Directors shall meet at least monthly and whenever deemed necessary upon the Chairperson’s invitation to convene. The meeting shall be valid upon the attendance of a majority of its members. Decisions shall be passed by majority voting and the Chairperson shall have the deciding vote in the event of a tie vote.

The Board may invite to its meetings whomever it deems advisable in order to utilize his/her expertise without giving said person voting rights.

Article 11

The Authority shall have an Executive Head to be appointed by a Prime Ministerial decree. The decree shall also set out his/her compensation based on the recommendation of the Minister with policy jurisdiction.

The Executive Head shall represent the Authority before the courts and in it relations with third parties. The Executive Head shall be held accountable by the Board of Directors for the progress of the Authority's technical, administrative and financial activities; and shall be responsible for the following in particular:

·                      Implementing decisions of the Board

·                     Managing ITIDA and its affairs, and supervising work thereof

·                     Submitting periodic reports to the Board on ITIDA activity, work progress and accomplishments according to the established plan and programs; identifying performance constraints and recommending solutions to overcome such constraints

·                     Fulfilling any tasks assigned to him/her by the Board

·                     Fulfilling other responsibilities set out by ITIDA internal regulations

Article 12

The Executive Head shall assume responsibilities of the chairperson in case of his/her absence.

Article 13

All entities and companies operating in the fields of e-transactions and ICT shall submit to ITIDA reports, statistics or information related to ITIDA activities.

Article 14

Within the scope of civil, commercial and administrative transactions, e-signatures shall have the same determinative effect that signatures have under the provisions of the Evidence Law in the civil and commercial articles, if the creation and completion thereof come in compliance with the terms stipulated in this Law and the technical and technological rules identified in the Executive Regulations of this law.

Article 15

Within the scope of civil, commercial and administrative transactions, e-writing and electronically written messages shall have the same determinative effect that writing, official, and unofficial messages have under the provisions of the Evidence Law in the civil and commercial articles as long as it meets the terms and regulations stipulated in this Law in compliance with the technical and technological rules identified in the Executive Regulations thereof.

Article 16

The hardcopy of the electronically written message shall have the same determinative effect on all parties to the extent that this hardcopy is conforming to the original electronically written message, and as long as the official electronically written message and the e-signature are saved on an electronic backup archiving.

Article 17

Unless stipulated in this Law or the Executive Regulations thereof, the provisions of the Evidence Law in the civil and commercial articles shall prevail in relation to proving the validity of the official and unofficial electronically written messages, e-signatures and e-writings.

Article 18

The e-signatures, e-writing, and electronically written messages shall have the determinative effect for evidence provided their compliance with the following:

A.                The e-signature is for the signer solely

B.                 The signer has sole control over the electronic medium

C.                 Possible discovery of any modification or replacement of the data of electronically written message or e-signature.

The Executive Regulations of this Law shall set out the necessary technical and technological rules.

Article 19

Digital certificates may not be issued without licensing by the Authority in return for fees to be identified by the Authority's Board of Directors in compliance with the procedures, rules, and guarantees stipulated by the Executive Regulations of this Law, without being restricted by the provisions of Law no. 129/1947 on Public Utilities, and with consideration to the following:

The Licensee shall be selected under public competition.

.The Authority’s Board of Directors shall set out the licensing period provided that it does not exceed ninety nine years.

The supervision and technical and financial monitoring mechanisms, ensuring sound and regular workflow at the Authority shall be set out.

Stopping practice of the licensed activity, merging with another entity or waiving license to a third party is not permitted without the prior written consent of the Authority.

Article 20

The Executive Regulations of this Law shall identify the data which should be included in the digital certificate.

Article 21

E-signature and e-media data and information submitted to the entity licensed to issue digital certificates are confidential and whoever receives or has access to them by virtue of work may not disclose such data and information to third parties or use them for purposes other than the purpose for which they were originally submitted.

Article 22

The Authority shall be responsible for authenticating appropriate foreign entities to issue digital certificates in return for fees identified by the Authority's Board of Directors. In such case, the certificates issued by such entities shall have the same determinative effect for evidence of other similar certificates issued internally by other similar entities in compliance with the rules, procedures and guarantees stipulated by the Executive Regulations of this Law.

Article 23

Without prejudice to more severe penalties stipulated in the Penalty Code or any other law, imprisonment and payment of a fine not less than LE 10,000 and not more than LE 100,000 or either shall be the penalty for whomever:

A.                Issues digital certificates without obtaining a license from the Authority to practice this activity.

B.                 Destroys or damages a signature, electronic medium or electronically written messages; or falsifies any of these by imitation, modification, alteration or by any other means.

C.                 Uses knowingly a falsified or damaged signature, electronic medium or electronically written messages

Electronic Documents Law

Chapter I
General Provisions

Section 1. Terms Used in this Law

The following terms are used in this Law:

1) secure electronic signature-creation devices – software packages, hardware and electronic signature-creation data that conform to the following requirements:

a) the electronic signature-creation data shall be created only once, and the secrecy thereof is ensured,

b) the electronic signature-creation data cannot be derived and, utilising technologies, the electronic signature is secured against forgery,

c) the electronic signature-creation data are securely protected against being used unlawfully by third persons, and

d) the secure electronic signature-creation devices do not alter the electronic document to be signed and do not prevent becoming acquainted with such a document before its signing;

2) secure electronic signature – an electronic signature that conforms to all of the following requirements:

a) it is linked only to the signatory,

b) it ensures the personal identification of the signatory,

c) it is created with secure electronic signature-creation devices, which may be controlled only by the signatory,

d) it is linked to a signed electronic document so that later changes in the electronic document are detectable, and

e) it is certified by a qualified certificate;

3) electronic document – any data which is created, stored, sent or received electronically, which ensures the possibility of utilising such data for the performance of some activity, realisation of a right and protection;

4) electronic signature – electronic data that is attached to or logically associated with an electronic document, and ensures the authenticity of the electronic document and confirms the identity of the signatory;

5) electronic signature-verification data – data that is utilised in order to verify an electronic signature;

6) electronic signature-creation data – data created only once, which are utilised by the signatory in order to create an electronic signature;

7) qualified certificate – a certificate which contains the information specified in this Law and which has been issued by a trusted certification service provider;

8) time-stamp – an electronically signed confirmation of the fact that at a specified date and time the electronic document has been signed at the certification service provider;

9) signatory – a person who has electronic signature-creation devices and who acts either in his or her own name or the name of the natural person or legal person or institution that he or she represents;

10) certification services – the issuance and cancellation of certificates, the suspension and renewal of the validity of certificates, registration of certificates, the maintenance of a electronic signature-verification data register, the stamping of electronic documents with time-stamps, as well as the provision of consultancy services in relation to electronic signatures; and

12) certificate – an electronic confirmation that links the electronic signature-verification data with a signatory and serves to specify the identity of the signatory.

Section 2. Application of this Law

(1) This Law determines the legal status of electronic documents and electronic signatures.

(2) The provisions of this Law are not applicable if a natural person or legal person who is not a certification service provider performs the stamping of electronic documents with a time-stamp.

Chapter II
Electronic Documents and the Derivation thereof

Section 3. Electronic Documents

(1) The requirement for a document in written form in relation to an electronic document shall be fulfilled if the electronic document has an electronic signature and the electronic document conforms to the requirements of other regulatory enactments.

(2) An electronic document shall be considered to have been signed by hand if it has a secure electronic signature.

(3) If regulatory enactments provide that, in addition to other requisites for a document to acquire legal effect, it also requires the imprint of a seal, then this requirement in relation to an electronic document shall be fulfilled if the electronic document has a secure electronic signature and a time-stamp.

(4) An electronic signature is legal evidence and the submission of an electronic document as evidence to competent institutions has no restrictions, based only upon the fact that:

a) the document is in electronic form; or

b) it does not have a secure electronic signature.

(5) In the circulation of electronic documents between State and local government institutions or between these institutions and natural persons and legal persons, the electronic document shall be considered to be signed if it has a secure electronic signature and time-stamp.

(6) The provisions of this Law are not applicable to:

1) contracts with which rights are created or transferred to immovable property, except for rental rights;

2) contracts which, in accordance with law, are not in effect if they have not been certified according to special procedures by law;

3) guarantee contracts if the guarantee grants, and security for pledges if such is provided by persons who engage in purposes, which are not related to the trade of such person, entrepreneurial activity or occupation; and

4) transactions in the field of family law and inheritance law.

Section 4. Original Electronic Documents

(1) If regulatory enactments require the storage or presentation of the original of a document, this requirement in relation to electronic documents shall be fulfilled if it conforms to the requirements of Section 3, Paragraphs two and three of this Law.

(2) Paragraph one of this Section applies to a requirement expressed in the form of a duty or in a case, where the regulatory enactments provide for a legal effect regarding the non-storage of documents or the non-presentation of document originals.

Section 5. Derivation of Electronic Documents

(1) A copy, true copy or extract in paper form of an electronic document shall have the same legal effect as the original if the correctness of the copy, true copy or extract is certified in accordance with the requirements of regulatory enactments and if the issuer of the copies, true copies or extracts in paper form can, on the basis of a request, present the document original in electronic form, and it conforms to the requirements specified by this Law.

(2) A copy, true copy or extract in electronic form of a paper document shall have the same legal effect as the original if the person who, in accordance with the requirements of regulatory enactments, has the right to certify document original copies, true copies or extracts has certified its correctness with a secure electronic signature and time-stamp, and it conforms to the requirements of regulatory enactments.

(3) A duplicate of a paper document in electronic form shall have the same legal effect as the original if the duplicate has been issued and drawn up in conformity with the requirements of this Law and other regulatory enactments.

(4) The making of derivations of electronic documents in paper form shall be only from such electronic documents as is possible to present in a readable or graphic form.

Chapter III
Provisions for the Circulation and Storage of Electronic Documents

Section 6. General Provisions for the Circulation and Storage of Electronic Documents

(1) If regulatory enactments determine requirements for the preparation, drawing up and storage of documents in a separate way, these same provisions shall be applicable also to electronic documents.

(2) The procedures for the preparation, drawing up, storage and circulation of electronic documents in State and local government institutions, and the circulation procedures between State and local government institutions, or between these institutions and natural persons and legal persons shall be regulated by Cabinet regulations.

(3) The Latvian State Archive Directorate shall be responsible for the evaluation and selection of electronic documents for long-term and permanent storage, and it shall also monitor that State and local government archives ensure the storage and accessibility of electronic documents.

(4) State and local government institutions shall develop internal circulation instructions for electronic documents which comply with this Law and the regulations of the Cabinet referred to in Paragraph two of this Section, as well as the work specifics of the institution, and shall ensure the possibility of natural persons and legal persons to submit and receive State and local government institution documents, their copies, true copies, extracts and duplicates electronically or in another form according to the choice of the person.

(5) The type of evaluation of electronic documents, and time periods for the transfer of such documents to State archives for storage shall be regulated by Cabinet regulations.

Section 7. Special Provisions for the Storage of Electronic Documents

(1) If regulatory enactments provide for the storage of specific documents, records or data, this requirement in relation to electronic documents is fulfilled if:

1) the data contained therein is accessible for utilisation;

2) the electronic document is preserved in such a form as it was initially created, sent or received, or in such a form as the initially created, sent or received data can be shown; and

3) the preserved data allows the origin or final destination of the electronic document to be specified, and the time of sending or receipt.

(2) The provisions of Paragraph one, Clause 3 of this Section shall not apply to data that is automatically created in the process of receiving or sending an electronic document.

(3) A person may fulfil the provisions of Paragraph one of this Section by utilising the services of another person if the provisions of this Law are complied with.

Chapter IV
Certificate Service Providers and Trusted Certification Service Providers

Section 8. Certification Service Providers

(1) A certification service provider is a natural or legal person, who provides certification services without the receipt of a special permit.

(2) Accreditation of a certification service provider is voluntary.

(3) A certification service provider shall be considered to be trustworthy if he or she conforms to all the requirements of Section 9 of this Law.

Section 9. Trusted Certification Service Provider

A trusted certification service provider shall be considered to be a natural or legal person who conforms to all of the following requirements:

1) utilises trustworthy personnel who have the necessary specialised knowledge, experience and qualifications for the provision of certification services, who have become acquainted with the relevant security provisions for the provision of certification services, and have not been convicted for the intentional committing of a criminal offence;

2) utilises trustworthy and secure information systems and products which are appropriately protected against unauthorised access and modification;

3) maintains sufficient financial resources in order to implement this Law and the regulatory enactment requirements issued on the basis of this Law, and shall insure itself for civil liability in order to be able to compensate losses caused to persons due to wrongful purpose or negligence;

4) is accredited with the State Data Inspection (hereinafter also – supervisory institution) in accordance with the procedures specified in this Law;

5) ensures the continuous on-line accessibility of the signature-verification data register;

6) ensures the possibility of immediate revocation, suspension of operation and renewal of qualified certificates in the cases specified in this Law;

7) ensures that at any moment the date and time of the issuance, revocation, suspension of operation and renewal of qualified certificates can be determined;

8) utilises a secure system for qualified certificate storage in a verifiable form and shall ensure that:

a) only the authorised persons of the trusted certification service provider may make entries or their changes,

b) it is possible to check and determine changes in information,

c) the qualified certificates issued are not publicly accessible, except in a case where the written consent of the signatory has been obtained,

d) any technical changes that affect security requirements are apparent to the systems administrator, and

e) such technology is utilised as will ensure that when using electronic signature-creation data they can never be copied;

9) in stamping the electronic document with a time stamp, ensures the possibility to specify without doubt the date and time of the received electronic document; and

10) ensure that the time-stamp does not alter the signed electronic document.

Section 10. Accreditation of Trusted Certification Service Providers

In order to receive accreditation, the following documents shall be submitted to the supervisory institution:

1) a written application;

2) the certification service provision regulations;

3) a description of the certification service provision information system and procedure security;

4) an examination opinion of the certification service provision information system and procedure security; and

5) a document that certifies the fulfilment of the requirements of Section 9, Clause 3 of this Law.

Section 11. Certification Service Provision Regulations

(1) The certification service provision regulations shall include:

1) the firm name of the trusted certification service provider, registration number or given name, surname, personal identity number, telephone address and electronic mail address;

2) information regarding the information system, equipment, technology, computer programmes to be utilised for the provision of certification services and the documents certifying their right of use;

3) a model trusted certification service provider and signatory contract;

4) information regarding the issuing procedures for qualified certificates and their security;

5) information regarding various possibilities of restricting the use of the secure electronic signature by the signatory;

6) information regarding the revocation, suspension of operation and renewal procedures for qualified certificates;

7) information regarding the technical and technological possibilities which are offered by the certification service provider in order to protect secure electronic signature-creation devices, electronic signature-verification data and qualified certificates from unlawful use;

8) information regarding the fact that in the continuous on-line free access regime, free access shall be ensured to the electronic signature-verification data and the issued, revoked, suspended and renewed certificate registers;

9) information regarding the stamping of electronic documents with a time-stamp and the security of the procedures thereof; and

10) information regarding the fact that in the continuous on-line regime, free access shall be ensured to the time-stamp register.

(2) If the information included in the certification service provision regulation changes, the trusted certification service provider shall, without delay, submit amendments to the certification service provision regulations to the supervisory institution.

Section 12. Description of the Certification Service Provision Information System, Equipment and Procedure Security

(1) Information to be indicated in the description of the certification service provision information system, equipment and procedure security shall be determined by the Cabinet.

(2) If the information indicated in the description of the certification service provision information system, equipment and procedure security changes, the trusted certification service provider shall, without delay, submit amendments to the description of the certification service provision information system, equipment and procedure security to the supervisory institution.

Section 13. Examination of the Certification Service Provision Information System, Equipment and Procedure Security

(1) The examination of the certification service provision information system, equipment and procedure security and the opinion regarding such shall be provided by an expert who is included in a list approved by the supervisory institution.

(2) The list approved by the supervisory institution shall include persons who conform to all of the following requirements:

1) he or she has the technical possibility to specify the conformity of the certification service provision information system, equipment and procedure security to the requirements of regulatory enactments;

2) he or she is legally and financially independent from trusted certification service providers and supervisory institutions;

3) he or she or his or her employed personnel have the necessary knowledge; and

4) he or she is not engaged in the manufacture and supply of certification service provision information systems and other information technologies.

(3) Procedures for the examination of certification service provision information system, equipment and procedure security and time periods shall be determined by the Cabinet.

Section 14. Civil Liability Insurance

(1) It is mandatory to insure against the possible risk of losses associated with the activities of a trusted certification service provider.

(2) The insurance of the risk of the activities of a trusted certification service provider shall secure claims, which may arise in relation to his or her activities.

(3) The trusted certification service provider shall enter into an insurance contract prior to receipt of accreditation, and the insurance contract shall be maintained in effect for the whole of the time period of the provision of certification services.

(4) If as a result of the actions or inaction of the trusted certification service provider, losses are incurred, the insurance company on the basis of the insurance contract shall cover such losses from the insurance compensation of the trusted certification service provider.

(5) The Cabinet shall determine the minimum amount of insurance and the procedures for calculating insurance compensation.

Section 15. Personal Data Protection

(1) A certification service provider may only acquire the personal data directly from the signatory or from a third person if the signatory has consented to this.

(2) A certification service provider may only process the personal data for the purpose of issuing and maintaining a certificate.

(3) A certification service provider may not process the personal data for other purposes without the consent of the signatory.

Chapter V
Qualified Certificates

Section 16. Information to be included in Qualified Certificates

(1) A qualified certificate shall include the following information:

1) an indication that it is a qualified certificate;

2) the firm name, registration number and the state in which the trusted certification service provider is established or given name, surname and personal identity number;

3) the given name and surname of the signatory or a pseudonym (indicating that it is a pseudonym);

4) personal identity number of the signatory;

5) term of validity of the quality certificate;

6) the consecutive number of the certificate granted by the trusted certification service provider; and

7) the electronic signature-verification data which correspond to the existing electronic signature-creation data under the control of the signatory.

(2) In addition to the information referred to in Paragraph one of this Section, a qualified certificate may also include the following information:

1) restrictions on the scope of operation of the certificate or other certificate operation restrictions;

2) specific legal facts in relation to the signatory (if such is necessary) depending upon the purpose for which the certificate is intended;

3) restrictions on the amounts of the transactions for the performance of which the qualified certificate may be utilised; and

4) the personal identity number of the signatory.

(3) A qualified certificate shall be signed with the secure electronic signature of the trusted certification service provider.

Section 17. Issuance of Qualified Certificates

(1) To receive a qualified certificate, a written application by the signatory shall be submitted.

(2) Before the issuance of a qualified certificate, the trusted certification service provider shall, in the presence of the signatory, be satisfied regarding the identity of the signatory on the basis of the personal identification document presented by the signatory.

(3) A trusted certification service provider shall, on the basis of a written application of the signatory, include in the qualified certificate information regarding the powers of the signatory or other important information, which is referred to in Section 16, Paragraph two of this Law.

(4) A trusted certification service provider on the basis of a written application of the signatory in place of the given name and surname of the signatory in the qualified certificate may record a pseudonym, in respect of which making a relevant indication in the certificate.

(5) The trusted certification service provider shall issue the qualified certificate to the signatory.

(6) A signatory may be issued several qualified certificates.

(7) The trusted certification service provider, preserving the liability specified in this Law, on the basis of a contract may entrust another person to perform the activities specified in Paragraphs two, three and four of this Section if the supervisory institution has given written consent for this.

Section 18. Revocation, Suspension of Operation and Renewal of Qualified Certificates

(1) The revocation of a qualified certificate is the recognising of the certificate as invalid. The operation of a revoked qualified certificate shall not be renewed.

(2) A trusted certification service provider shall revoke without delay a qualified certificate in the following cases:

1) the signatory requests the revocation of the certificate;

2) the trusted certification service provider receives official information regarding the death of the signatory or other information included in the certificate changes;

3) the signatory has provided the trusted certification service provider with false or misleading information in order to receive a qualified certificate; or

4) fulfilment of a court adjudication regarding the revocation of the certificate.

(3) The suspension of operation of a qualified certificate is recognition of the certificate as invalid for a time. The operation of a suspended qualified certificate may be renewed.

(4) The renewal of the operation of a qualified certificate is the recognition of the qualified certificate as valid, the operation of which was suspended.

(5) The suspension of operation and renewal of a qualified certificate shall be performed by a trusted certification service provider on the basis of a court adjudication or a written request of the signatory.

(6) A qualified certificate may not be revoked, and its operation suspended or renewed with a retroactive date.

(7) A secure electronic signature shall not be valid from the moment of the revocation or suspension of operation of the qualified certificate.

(8) In the event of the death of the signatory, the secure electronic signature shall not be valid from the moment of the death of the signatory.

(9) If a trusted certification service provider without a legal basis, on wrongful purpose or due to negligence revokes a qualified certificate, suspends or renews the operation of a qualified certificate, the trusted certification service provider shall compensate losses caused to a person that have arisen because of the unfounded revocation of the qualified certificate, and the suspension or renewal of operation of the qualified certificate.

Chapter VI
Supervision of Trusted Certification Service Providers

Section 19. Trusted Certification Service Provider Supervisory Institution

(1) The State Data Inspection shall be the supervisory institution for trusted certification service providers.

(2) The supervisory institution shall regularly supervise the conformity of the work of the trusted certification service providers to the requirements of this Law and other regulatory enactments.

Section 20. Duties of the Supervisory Institution

(1) The supervisory institution has the following duties:

1) to accredit certification service providers in accordance with the voluntary accreditation principles;

2) to check whether the trusted certification service providers comply with the certification service provision regulations;

3) to monitor that the security of the trusted certification service provider information system and procedures conform to this Law, other regulatory enactments and the description of the trusted certification service provider information system, equipment and procedure security;

4) to monitor that the electronic signature-verification data and time-stamp registers for qualified certificates issued, revoked, suspended and renewed by trusted certification service providers is accessible in a continuous on-line regime; and

5) to ensure that the Latvian accredited trusted certification service provider register in which information regarding certification service providers from other states is also included, the issued qualified certificates of which are guaranteed by a Republic of Latvia accredited trusted certification service provider, is freely accessible in a continuous on-line regime.

(3) The supervisory institution shall maintain a continuous on-line freely accessible trusted certification service provider register, in which the following information shall be accessible:

1) the firm name of the trusted certification service provider or given name and surname;

2) the address, telephone number and electronic mail address of the trusted certification service provider;

3) the certification service provision regulations;

4) a description of the certification service provision information system, equipment and procedure security;

5) an examination opinion of the certification service provision information system, equipment and procedure security;

6) the date of accreditation; and

7) information regarding reprimands, warnings or revocation of accreditation by the supervisory institution.

(4) If the documents submitted and the certification service provider conform to the requirements of this Law and other regulatory enactments, the supervisory institution shall issue, within a period of 10 days from receipt of all the documents referred to in Section 10 of this Law, to the certification service provider an accreditation certificate and shall include the information referred to in Paragraph two of this Section in the trusted certification service provider register.

(5) If the documents submitted or the certification service provider do not conform to the requirements of this Law and other regulatory enactments, the supervisory institution shall issue, within a period of 10 days from receipt of all the documents referred to in Section 10 of this Law, a written refusal of accreditation.

Section 21. Supervisory Measures

(1) The supervisory institution has the right to give instructions to trusted certification service providers to rectify non-conformity with this Law, other regulatory enactments, the certification service provision regulations included in the trusted certification service provider register or the description of the certification service provision information system, equipment and procedure security.

(2) The time period for rectification of non-conformity shall be determined by the supervisory institution.

(3) If the supervisory institution's instructions are not carried out within the time period specified by it, the supervisory institution shall warn the trusted certification service provider regarding the possible revocation of accreditation.

(4) If, within 10 days following the supervisory institution's warning regarding the possible revocation of accreditation, the supervisory institution's instructions are not carried out, the accreditation of the trusted certification service provider shall be revoked without delay and the information regarding the revocation of the accreditation shall be included in the trusted certification service provider register.

(5) After the revocation of the accreditation of the trusted certification service provider, the provisions of Section 22, Paragraphs two, three, four and five of this Law shall be applied.

(6) In performing supervision, officials of the supervisory institution shall present a service identification document. The person referred to has the following rights:

1) to freely visit any commercial premises in which the information systems and equipment of the trusted certification service provider is located, and in the presence of the certification service provider to perform the necessary examination or other measures, in order to determine the conformity of the certification service provision process to this Law, other regulatory enactments, certification service provision regulations published in the trusted certification service providers register and the description of the certification service provision information system, equipment and procedure security;

2) to request written or oral explanations from the trusted certification service provider representatives and employees;

3) to become acquainted with documents and other information which relate to certification service provision; and

4) to request the examination of the information systems, equipment and procedures of the trusted certification service provider and to specify the issues to be investigated in the independent expert-examination.

(7) The supervisory institution has the right to bring an action in court to terminate the activities of a trusted certification service provider if the relevant trusted certification service provider violates this Law or other regulatory enactments.

(8) The decisions of the supervisory institution may be appealed to a court.

Section 22. Termination of the Activities of a Trusted Certification Service Provider, Declaration of Insolvency and Suspension of Service Provision

(1) A trusted certification service provider shall, without delay, inform in writing the supervisory institution and signatories which whom a certification service provision contract has been entered into, regarding the termination of activities, declaration of insolvency or suspension of service provision of the service provider.

(2) In the cases referred to in Paragraph one of this Section, the trusted certification service provider shall ensure the preservation of the data associated with the certification service, information, databases, registers, other pertinent information, the information system and certification service, and on the basis of mutual agreement transfer them to other trusted certification service providers.

(3) In respect of all transfer procedures and time periods, the supervisory institution shall be informed without delay in writing.

(4) If the transfer referred to in Paragraph two of this Section is not possible, the trusted certification service provider shall transfer the data associated with the certification service, information, databases, registers, other pertinent information, the information system and certification service under the supervision of the supervisory institution to the State archives.

(5) A signatory after receiving information regarding the termination of the activities of the trusted certification service provider, declaration of insolvency or suspension service provision is entitled to transfer his or her own data associated with the issued qualified certificate to another trusted certification service provider at his or her discretion.

(6) The supervisory institution shall, without delay, revoke the accreditation of the terminated, declared insolvent or service provision suspended trusted certification service provider, and shall include the information regarding this in the trusted certification service provider register.

Chapter VII
Duties and Liability of Trusted Certification Service Providers and Signatories

Section 23. Duties of Trusted Certification Service Providers

A trusted certification service provider has the following duties:

1) to use secure certification service provision information systems, equipment and procedures that appropriately guarantee the security of certification services;

2) to take necessary measures in order to guarantee the secrecy of secure electronic signature-creation data and protection against illegal processing and utilisation of electronic signature-creation data, protection against forgery of qualified certificates and accessibility to such certificates only with the consent of the signatory;

3) to ensure that the certification service provision information system, equipment and procedures conforms to this Law and other regulatory enactments;

4) to ensure that signatory personal identification information is included in the qualified certificate only on the basis of a personal identification document presented in the presence of the signatory;

5) to ensure that the qualified certificate is issued by entering into a contract with the signatory regarding the provision of certification services;

6) before entering into a contract, informing the signatory in writing regarding the regulations and conditions that relate to the use of qualified certificates, including regarding any restrictions on the use of certificates, regarding procedures for examining complaints and disputes, and regarding the civil liability of the certification service provider. Information may be sent electronically and confirmed with the secure electronic signature of the trusted certification service provider. Relevant parts of this information shall be made available to persons who rely on the qualified certificate upon the request of such persons;

7) before entering into a contract, informing the signatory in writing regarding the certification service provision regulations and security measures, which are performed by the trusted certification service provider in order to prevent the illegal use of the issued qualified certificate;

8) after the issue of a qualified certificate, informing the signatory in writing regarding the conditions included in the certificate and restrictions regarding the use of the certificate;

• Latvia: Electronic Documents Law 2002
04.01.2011

Electronic Documents Law

Chapter I
General Provisions

Section 1. Terms Used in this Law

The following terms are used in this Law:

1) secure electronic signature-creation devices – software packages, hardware and electronic signature-creation data that conform to the following requirements:

a) the electronic signature-creation data shall be created only once, and the secrecy thereof is ensured,

b) the electronic signature-creation data cannot be derived and, utilising technologies, the electronic signature is secured against forgery,

c) the electronic signature-creation data are securely protected against being used unlawfully by third persons, and

d) the secure electronic signature-creation devices do not alter the electronic document to be signed and do not prevent becoming acquainted with such a document before its signing;

2) secure electronic signature – an electronic signature that conforms to all of the following requirements:

a) it is linked only to the signatory,

b) it ensures the personal identification of the signatory,

c) it is created with secure electronic signature-creation devices, which may be controlled only by the signatory,

d) it is linked to a signed electronic document so that later changes in the electronic document are detectable, and

e) it is certified by a qualified certificate;

3) electronic document – any data which is created, stored, sent or received electronically, which ensures the possibility of utilising such data for the performance of some activity, realisation of a right and protection;

4) electronic signature – electronic data that is attached to or logically associated with an electronic document, and ensures the authenticity of the electronic document and confirms the identity of the signatory;

5) electronic signature-verification data – data that is utilised in order to verify an electronic signature;

6) electronic signature-creation data – data created only once, which are utilised by the signatory in order to create an electronic signature;

7) qualified certificate – a certificate which contains the information specified in this Law and which has been issued by a trusted certification service provider;

8) time-stamp – an electronically signed confirmation of the fact that at a specified date and time the electronic document has been signed at the certification service provider;

9) signatory – a person who has electronic signature-creation devices and who acts either in his or her own name or the name of the natural person or legal person or institution that he or she represents;

10) certification services – the issuance and cancellation of certificates, the suspension and renewal of the validity of certificates, registration of certificates, the maintenance of a electronic signature-verification data register, the stamping of electronic documents with time-stamps, as well as the provision of consultancy services in relation to electronic signatures; and

12) certificate – an electronic confirmation that links the electronic signature-verification data with a signatory and serves to specify the identity of the signatory.

Section 2. Application of this Law

(1) This Law determines the legal status of electronic documents and electronic signatures.

(2) The provisions of this Law are not applicable if a natural person or legal person who is not a certification service provider performs the stamping of electronic documents with a time-stamp.

Chapter II
Electronic Documents and the Derivation thereof

Section 3. Electronic Documents

(1) The requirement for a document in written form in relation to an electronic document shall be fulfilled if the electronic document has an electronic signature and the electronic document conforms to the requirements of other regulatory enactments.

(2) An electronic document shall be considered to have been signed by hand if it has a secure electronic signature.

(3) If regulatory enactments provide that, in addition to other requisites for a document to acquire legal effect, it also requires the imprint of a seal, then this requirement in relation to an electronic document shall be fulfilled if the electronic document has a secure electronic signature and a time-stamp.

(4) An electronic signature is legal evidence and the submission of an electronic document as evidence to competent institutions has no restrictions, based only upon the fact that:

a) the document is in electronic form; or

b) it does not have a secure electronic signature.

(5) In the circulation of electronic documents between State and local government institutions or between these institutions and natural persons and legal persons, the electronic document shall be considered to be signed if it has a secure electronic signature and time-stamp.

(6) The provisions of this Law are not applicable to:

1) contracts with which rights are created or transferred to immovable property, except for rental rights;

2) contracts which, in accordance with law, are not in effect if they have not been certified according to special procedures by law;

3) guarantee contracts if the guarantee grants, and security for pledges if such is provided by persons who engage in purposes, which are not related to the trade of such person, entrepreneurial activity or occupation; and

4) transactions in the field of family law and inheritance law.

Section 4. Original Electronic Documents

(1) If regulatory enactments require the storage or presentation of the original of a document, this requirement in relation to electronic documents shall be fulfilled if it conforms to the requirements of Section 3, Paragraphs two and three of this Law.

(2) Paragraph one of this Section applies to a requirement expressed in the form of a duty or in a case, where the regulatory enactments provide for a legal effect regarding the non-storage of documents or the non-presentation of document originals.

Section 5. Derivation of Electronic Documents

(1) A copy, true copy or extract in paper form of an electronic document shall have the same legal effect as the original if the correctness of the copy, true copy or extract is certified in accordance with the requirements of regulatory enactments and if the issuer of the copies, true copies or extracts in paper form can, on the basis of a request, present the document original in electronic form, and it conforms to the requirements specified by this Law.

(2) A copy, true copy or extract in electronic form of a paper document shall have the same legal effect as the original if the person who, in accordance with the requirements of regulatory enactments, has the right to certify document original copies, true copies or extracts has certified its correctness with a secure electronic signature and time-stamp, and it conforms to the requirements of regulatory enactments.

(3) A duplicate of a paper document in electronic form shall have the same legal effect as the original if the duplicate has been issued and drawn up in conformity with the requirements of this Law and other regulatory enactments.

(4) The making of derivations of electronic documents in paper form shall be only from such electronic documents as is possible to present in a readable or graphic form.

Chapter III
Provisions for the Circulation and Storage of Electronic Documents

Section 6. General Provisions for the Circulation and Storage of Electronic Documents

(1) If regulatory enactments determine requirements for the preparation, drawing up and storage of documents in a separate way, these same provisions shall be applicable also to electronic documents.

(2) The procedures for the preparation, drawing up, storage and circulation of electronic documents in State and local government institutions, and the circulation procedures between State and local government institutions, or between these institutions and natural persons and legal persons shall be regulated by Cabinet regulations.

(3) The Latvian State Archive Directorate shall be responsible for the evaluation and selection of electronic documents for long-term and permanent storage, and it shall also monitor that State and local government archives ensure the storage and accessibility of electronic documents.

(4) State and local government institutions shall develop internal circulation instructions for electronic documents which comply with this Law and the regulations of the Cabinet referred to in Paragraph two of this Section, as well as the work specifics of the institution, and shall ensure the possibility of natural persons and legal persons to submit and receive State and local government institution documents, their copies, true copies, extracts and duplicates electronically or in another form according to the choice of the person.

(5) The type of evaluation of electronic documents, and time periods for the transfer of such documents to State archives for storage shall be regulated by Cabinet regulations.

Section 7. Special Provisions for the Storage of Electronic Documents

(1) If regulatory enactments provide for the storage of specific documents, records or data, this requirement in relation to electronic documents is fulfilled if:

1) the data contained therein is accessible for utilisation;

2) the electronic document is preserved in such a form as it was initially created, sent or received, or in such a form as the initially created, sent or received data can be shown; and

3) the preserved data allows the origin or final destination of the electronic document to be specified, and the time of sending or receipt.

(2) The provisions of Paragraph one, Clause 3 of this Section shall not apply to data that is automatically created in the process of receiving or sending an electronic document.

(3) A person may fulfil the provisions of Paragraph one of this Section by utilising the services of another person if the provisions of this Law are complied with.

Chapter IV
Certificate Service Providers and Trusted Certification Service Providers

Section 8. Certification Service Providers

(1) A certification service provider is a natural or legal person, who provides certification services without the receipt of a special permit.

(2) Accreditation of a certification service provider is voluntary.

(3) A certification service provider shall be considered to be trustworthy if he or she conforms to all the requirements of Section 9 of this Law.

Section 9. Trusted Certification Service Provider

A trusted certification service provider shall be considered to be a natural or legal person who conforms to all of the following requirements:

1) utilises trustworthy personnel who have the necessary specialised knowledge, experience and qualifications for the provision of certification services, who have become acquainted with the relevant security provisions for the provision of certification services, and have not been convicted for the intentional committing of a criminal offence;

2) utilises trustworthy and secure information systems and products which are appropriately protected against unauthorised access and modification;

3) maintains sufficient financial resources in order to implement this Law and the regulatory enactment requirements issued on the basis of this Law, and shall insure itself for civil liability in order to be able to compensate losses caused to persons due to wrongful purpose or negligence;

4) is accredited with the State Data Inspection (hereinafter also – supervisory institution) in accordance with the procedures specified in this Law;

5) ensures the continuous on-line accessibility of the signature-verification data register;

6) ensures the possibility of immediate revocation, suspension of operation and renewal of qualified certificates in the cases specified in this Law;

7) ensures that at any moment the date and time of the issuance, revocation, suspension of operation and renewal of qualified certificates can be determined;

8) utilises a secure system for qualified certificate storage in a verifiable form and shall ensure that:

a) only the authorised persons of the trusted certification service provider may make entries or their changes,

b) it is possible to check and determine changes in information,

c) the qualified certificates issued are not publicly accessible, except in a case where the written consent of the signatory has been obtained,

d) any technical changes that affect security requirements are apparent to the systems administrator, and

e) such technology is utilised as will ensure that when using electronic signature-creation data they can never be copied;

9) in stamping the electronic document with a time stamp, ensures the possibility to specify without doubt the date and time of the received electronic document; and

10) ensure that the time-stamp does not alter the signed electronic document.

Section 10. Accreditation of Trusted Certification Service Providers

In order to receive accreditation, the following documents shall be submitted to the supervisory institution:

1) a written application;

2) the certification service provision regulations;

3) a description of the certification service provision information system and procedure security;

4) an examination opinion of the certification service provision information system and procedure security; and

5) a document that certifies the fulfilment of the requirements of Section 9, Clause 3 of this Law.

Section 11. Certification Service Provision Regulations

(1) The certification service provision regulations shall include:

1) the firm name of the trusted certification service provider, registration number or given name, surname, personal identity number, telephone address and electronic mail address;

2) information regarding the information system, equipment, technology, computer programmes to be utilised for the provision of certification services and the documents certifying their right of use;

3) a model trusted certification service provider and signatory contract;

4) information regarding the issuing procedures for qualified certificates and their security;

5) information regarding various possibilities of restricting the use of the secure electronic signature by the signatory;

6) information regarding the revocation, suspension of operation and renewal procedures for qualified certificates;

7) information regarding the technical and technological possibilities which are offered by the certification service provider in order to protect secure electronic signature-creation devices, electronic signature-verification data and qualified certificates from unlawful use;

8) information regarding the fact that in the continuous on-line free access regime, free access shall be ensured to the electronic signature-verification data and the issued, revoked, suspended and renewed certificate registers;

9) information regarding the stamping of electronic documents with a time-stamp and the security of the procedures thereof; and

10) information regarding the fact that in the continuous on-line regime, free access shall be ensured to the time-stamp register.

(2) If the information included in the certification service provision regulation changes, the trusted certification service provider shall, without delay, submit amendments to the certification service provision regulations to the supervisory institution.

Section 12. Description of the Certification Service Provision Information System, Equipment and Procedure Security

(1) Information to be indicated in the description of the certification service provision information system, equipment and procedure security shall be determined by the Cabinet.

(2) If the information indicated in the description of the certification service provision information system, equipment and procedure security changes, the trusted certification service provider shall, without delay, submit amendments to the description of the certification service provision information system, equipment and procedure security to the supervisory institution.

Section 13. Examination of the Certification Service Provision Information System, Equipment and Procedure Security

(1) The examination of the certification service provision information system, equipment and procedure security and the opinion regarding such shall be provided by an expert who is included in a list approved by the supervisory institution.

(2) The list approved by the supervisory institution shall include persons who conform to all of the following requirements:

1) he or she has the technical possibility to specify the conformity of the certification service provision information system, equipment and procedure security to the requirements of regulatory enactments;

2) he or she is legally and financially independent from trusted certification service providers and supervisory institutions;

3) he or she or his or her employed personnel have the necessary knowledge; and

4) he or she is not engaged in the manufacture and supply of certification service provision information systems and other information technologies.

(3) Procedures for the examination of certification service provision information system, equipment and procedure security and time periods shall be determined by the Cabinet.

Section 14. Civil Liability Insurance

(1) It is mandatory to insure against the possible risk of losses associated with the activities of a trusted certification service provider.

(2) The insurance of the risk of the activities of a trusted certification service provider shall secure claims, which may arise in relation to his or her activities.

(3) The trusted certification service provider shall enter into an insurance contract prior to receipt of accreditation, and the insurance contract shall be maintained in effect for the whole of the time period of the provision of certification services.

(4) If as a result of the actions or inaction of the trusted certification service provider, losses are incurred, the insurance company on the basis of the insurance contract shall cover such losses from the insurance compensation of the trusted certification service provider.

(5) The Cabinet shall determine the minimum amount of insurance and the procedures for calculating insurance compensation.

Section 15. Personal Data Protection

(1) A certification service provider may only acquire the personal data directly from the signatory or from a third person if the signatory has consented to this.

(2) A certification service provider may only process the personal data for the purpose of issuing and maintaining a certificate.

(3) A certification service provider may not process the personal data for other purposes without the consent of the signatory.

Chapter V
Qualified Certificates

Section 16. Information to be included in Qualified Certificates

(1) A qualified certificate shall include the following information:

1) an indication that it is a qualified certificate;

2) the firm name, registration number and the state in which the trusted certification service provider is established or given name, surname and personal identity number;

3) the given name and surname of the signatory or a pseudonym (indicating that it is a pseudonym);

4) personal identity number of the signatory;

5) term of validity of the quality certificate;

6) the consecutive number of the certificate granted by the trusted certification service provider; and

7) the electronic signature-verification data which correspond to the existing electronic signature-creation data under the control of the signatory.

(2) In addition to the information referred to in Paragraph one of this Section, a qualified certificate may also include the following information:

1) restrictions on the scope of operation of the certificate or other certificate operation restrictions;

2) specific legal facts in relation to the signatory (if such is necessary) depending upon the purpose for which the certificate is intended;

3) restrictions on the amounts of the transactions for the performance of which the qualified certificate may be utilised; and

4) the personal identity number of the signatory.

(3) A qualified certificate shall be signed with the secure electronic signature of the trusted certification service provider.

Section 17. Issuance of Qualified Certificates

(1) To receive a qualified certificate, a written application by the signatory shall be submitted.

(2) Before the issuance of a qualified certificate, the trusted certification service provider shall, in the presence of the signatory, be satisfied regarding the identity of the signatory on the basis of the personal identification document presented by the signatory.

(3) A trusted certification service provider shall, on the basis of a written application of the signatory, include in the qualified certificate information regarding the powers of the signatory or other important information, which is referred to in Section 16, Paragraph two of this Law.

(4) A trusted certification service provider on the basis of a written application of the signatory in place of the given name and surname of the signatory in the qualified certificate may record a pseudonym, in respect of which making a relevant indication in the certificate.

(5) The trusted certification service provider shall issue the qualified certificate to the signatory.

(6) A signatory may be issued several qualified certificates.

(7) The trusted certification service provider, preserving the liability specified in this Law, on the basis of a contract may entrust another person to perform the activities specified in Paragraphs two, three and four of this Section if the supervisory institution has given written consent for this.

Section 18. Revocation, Suspension of Operation and Renewal of Qualified Certificates

(1) The revocation of a qualified certificate is the recognising of the certificate as invalid. The operation of a revoked qualified certificate shall not be renewed.

(2) A trusted certification service provider shall revoke without delay a qualified certificate in the following cases:

1) the signatory requests the revocation of the certificate;

2) the trusted certification service provider receives official information regarding the death of the signatory or other information included in the certificate changes;

3) the signatory has provided the trusted certification service provider with false or misleading information in order to receive a qualified certificate; or

4) fulfilment of a court adjudication regarding the revocation of the certificate.

(3) The suspension of operation of a qualified certificate is recognition of the certificate as invalid for a time. The operation of a suspended qualified certificate may be renewed.

(4) The renewal of the operation of a qualified certificate is the recognition of the qualified certificate as valid, the operation of which was suspended.

(5) The suspension of operation and renewal of a qualified certificate shall be performed by a trusted certification service provider on the basis of a court adjudication or a written request of the signatory.

(6) A qualified certificate may not be revoked, and its operation suspended or renewed with a retroactive date.

(7) A secure electronic signature shall not be valid from the moment of the revocation or suspension of operation of the qualified certificate.

(8) In the event of the death of the signatory, the secure electronic signature shall not be valid from the moment of the death of the signatory.

(9) If a trusted certification service provider without a legal basis, on wrongful purpose or due to negligence revokes a qualified certificate, suspends or renews the operation of a qualified certificate, the trusted certification service provider shall compensate losses caused to a person that have arisen because of the unfounded revocation of the qualified certificate, and the suspension or renewal of operation of the qualified certificate.

Chapter VI
Supervision of Trusted Certification Service Providers

Section 19. Trusted Certification Service Provider Supervisory Institution

(1) The State Data Inspection shall be the supervisory institution for trusted certification service providers.

(2) The supervisory institution shall regularly supervise the conformity of the work of the trusted certification service providers to the requirements of this Law and other regulatory enactments.

Section 20. Duties of the Supervisory Institution

(1) The supervisory institution has the following duties:

1) to accredit certification service providers in accordance with the voluntary accreditation principles;

2) to check whether the trusted certification service providers comply with the certification service provision regulations;

3) to monitor that the security of the trusted certification service provider information system and procedures conform to this Law, other regulatory enactments and the description of the trusted certification service provider information system, equipment and procedure security;

4) to monitor that the electronic signature-verification data and time-stamp registers for qualified certificates issued, revoked, suspended and renewed by trusted certification service providers is accessible in a continuous on-line regime; and

5) to ensure that the Latvian accredited trusted certification service provider register in which information regarding certification service providers from other states is also included, the issued qualified certificates of which are guaranteed by a Republic of Latvia accredited trusted certification service provider, is freely accessible in a continuous on-line regime.

(3) The supervisory institution shall maintain a continuous on-line freely accessible trusted certification service provider register, in which the following information shall be accessible:

1) the firm name of the trusted certification service provider or given name and surname;

2) the address, telephone number and electronic mail address of the trusted certification service provider;

3) the certification service provision regulations;

4) a description of the certification service provision information system, equipment and procedure security;

5) an examination opinion of the certification service provision information system, equipment and procedure security;

6) the date of accreditation; and

7) information regarding reprimands, warnings or revocation of accreditation by the supervisory institution.

(4) If the documents submitted and the certification service provider conform to the requirements of this Law and other regulatory enactments, the supervisory institution shall issue, within a period of 10 days from receipt of all the documents referred to in Section 10 of this Law, to the certification service provider an accreditation certificate and shall include the information referred to in Paragraph two of this Section in the trusted certification service provider register.

(5) If the documents submitted or the certification service provider do not conform to the requirements of this Law and other regulatory enactments, the supervisory institution shall issue, within a period of 10 days from receipt of all the documents referred to in Section 10 of this Law, a written refusal of accreditation.

Section 21. Supervisory Measures

(1) The supervisory institution has the right to give instructions to trusted certification service providers to rectify non-conformity with this Law, other regulatory enactments, the certification service provision regulations included in the trusted certification service provider register or the description of the certification service provision information system, equipment and procedure security.

(2) The time period for rectification of non-conformity shall be determined by the supervisory institution.

(3) If the supervisory institution's instructions are not carried out within the time period specified by it, the supervisory institution shall warn the trusted certification service provider regarding the possible revocation of accreditation.

(4) If, within 10 days following the supervisory institution's warning regarding the possible revocation of accreditation, the supervisory institution's instructions are not carried out, the accreditation of the trusted certification service provider shall be revoked without delay and the information regarding the revocation of the accreditation shall be included in the trusted certification service provider register.

(5) After the revocation of the accreditation of the trusted certification service provider, the provisions of Section 22, Paragraphs two, three, four and five of this Law shall be applied.

(6) In performing supervision, officials of the supervisory institution shall present a service identification document. The person referred to has the following rights:

1) to freely visit any commercial premises in which the information systems and equipment of the trusted certification service provider is located, and in the presence of the certification service provider to perform the necessary examination or other measures, in order to determine the conformity of the certification service provision process to this Law, other regulatory enactments, certification service provision regulations published in the trusted certification service providers register and the description of the certification service provision information system, equipment and procedure security;

2) to request written or oral explanations from the trusted certification service provider representatives and employees;

3) to become acquainted with documents and other information which relate to certification service provision; and

4) to request the examination of the information systems, equipment and procedures of the trusted certification service provider and to specify the issues to be investigated in the independent expert-examination.

(7) The supervisory institution has the right to bring an action in court to terminate the activities of a trusted certification service provider if the relevant trusted certification service provider violates this Law or other regulatory enactments.

(8) The decisions of the supervisory institution may be appealed to a court.

Section 22. Termination of the Activities of a Trusted Certification Service Provider, Declaration of Insolvency and Suspension of Service Provision

(1) A trusted certification service provider shall, without delay, inform in writing the supervisory institution and signatories which whom a certification service provision contract has been entered into, regarding the termination of activities, declaration of insolvency or suspension of service provision of the service provider.

(2) In the cases referred to in Paragraph one of this Section, the trusted certification service provider shall ensure the preservation of the data associated with the certification service, information, databases, registers, other pertinent information, the information system and certification service, and on the basis of mutual agreement transfer them to other trusted certification service providers.

(3) In respect of all transfer procedures and time periods, the supervisory institution shall be informed without delay in writing.

(4) If the transfer referred to in Paragraph two of this Section is not possible, the trusted certification service provider shall transfer the data associated with the certification service, information, databases, registers, other pertinent information, the information system and certification service under the supervision of the supervisory institution to the State archives.

(5) A signatory after receiving information regarding the termination of the activities of the trusted certification service provider, declaration of insolvency or suspension service provision is entitled to transfer his or her own data associated with the issued qualified certificate to another trusted certification service provider at his or her discretion.

(6) The supervisory institution shall, without delay, revoke the accreditation of the terminated, declared insolvent or service provision suspended trusted certification service provider, and shall include the information regarding this in the trusted certification service provider register.

Chapter VII
Duties and Liability of Trusted Certification Service Providers and Signatories

Section 23. Duties of Trusted Certification Service Providers

A trusted certification service provider has the following duties:

1) to use secure certification service provision information systems, equipment and procedures that appropriately guarantee the security of certification services;

2) to take necessary measures in order to guarantee the secrecy of secure electronic signature-creation data and protection against illegal processing and utilisation of electronic signature-creation data, protection against forgery of qualified certificates and accessibility to such certificates only with the consent of the signatory;

3) to ensure that the certification service provision information system, equipment and procedures conforms to this Law and other regulatory enactments;

4) to ensure that signatory personal identification information is included in the qualified certificate only on the basis of a personal identification document presented in the presence of the signatory;

5) to ensure that the qualified certificate is issued by entering into a contract with the signatory regarding the provision of certification services;

6) before entering into a contract, informing the signatory in writing regarding the regulations and conditions that relate to the use of qualified certificates, including regarding any restrictions on the use of certificates, regarding procedures for examining complaints and disputes, and regarding the civil liability of the certification service provider. Information may be sent electronically and confirmed with the secure electronic signature of the trusted certification service provider. Relevant parts of this information shall be made available to persons who rely on the qualified certificate upon the request of such persons;

7) before entering into a contract, informing the signatory in writing regarding the certification service provision regulations and security measures, which are performed by the trusted certification service provider in order to prevent the illegal use of the issued qualified certificate;

8) after the issue of a qualified certificate, informing the signatory in writing regarding the conditions included in the certificate and restrictions regarding the use of the certificate;

• THE LAW OF THE REPUBLIC OF ARMENIA “ON ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE”
27.10.2010

CHAPTER 1.

GENERAL PROVISIONS

Article 1. The subject of the Law

1. This Law regulates relations linked to application of electronic documents and electronic signatures.
2. This Law does not regulate relations linked to the use of electronic version of a person’s manuscript signature and its copies, as well as the use of documents signed in such a way.

Article 2. Definitions

The following definitions are used in this Law:
- electronic document means information or message presented in electronic version;
- electronic signature means obtained signature-creation data and a cryptographic data modification of the given electronic document presented in a unique sequence of symbols in electronic form, which is attached to or logically associated with an electronic document and which is used to identify the signatory, as well as to protect the electronic document from forgery and distortion;
- person who signs the electronic document (hereinafter referred to as the signatory) means an individual (or the person he represents) in whose name the certificate of electronic signature has been given;
- signature-creation data means unique sequence of symbols, which is used by the signatory to create an electronic signature;
- signature-verification data (hereinafter referred to as verification data) means unique sequence of symbols, which is used to verify an electronic signature;
- electronic signature-creation device means configured software or hardware used to create electronic signature by signature-creation data;
- signature-verification device means configured software or hardware used to verify the authenticity of electronic signature by signature-verification data;
- name of signature-creation device means commercial name of a signature-creation device;
-   electronic signature authenticity means positive result of use of signature-verification data and devices, which identifies the signatory;
- electronic signature certificate means a document (either paper-based, or electronic or on another carrier), which links signature-verification data to a signatory and confirms the identity of that person and serves as electronic signature-verification device;
- certification center means organization that issues certificates or provides other services related to electronic signatures;
- accreditation means recognition by the government of the quality of services provided by the certification center;
- accredited certification center means a certification center which is accredited pursuant to this Law and other normative regulations;
- information system means configured software or hardware data processing system for preparation, delivery, receipt, storage or other kind of processing of electronic documents;
- electronic carrier means magnetic disk, tape, laser disk, semi-conductor or other data carrier, which are used in electronic or other devices to record and store data;
- concerned party means the document’s addressee or other person who needs to identify the signatory.

CHAPTER 2.

ELECTRONIC DOCUMENTS

Article 3. Forms of presentation of electronic documents

Electronic documents have internal and external forms of presentation.
The internal form of document presentation is an electronic document data recording on electronic carrier.
The external form of document presentation is a document reproducing on CRT screen (display), on paper or any other tangible thing other than an electronic carrier in visually accessible and readily perceptible form.

Article 4. Legal power of electronic document protected by electronic signature

In order to protect the electronic document it can include one or several electronic signatures. The document protected by an electronic signature shall have the same legal power as the document authenticated by a person’s manuscript signature, if the electronic signature has been authenticated and there is no strong evidence that the document has been changed or forged since it was transmitted and/or stored, except for those retrievable (reset) changes that are necessary and unavoidable to provide the transmit and/or storage of that electronic document.
State and local government structures, individuals and legal entities, organizations shall not be obliged to accept electronic documents protected by electronic signature if they do not have the relevant technical devices.

Article 5. The original copy of the electronic signature

The original copy of electronic document exists only on the electronic carrier. The copy on the carrier as well as all the copies of the same document are considered the original copies and shall have the equal legal power. If it is necessary to present the original copy of the electronic document, the requirement shall be considered as met, if:
a) it is possible to prove that the electronic document has not been changed since it was transmitted and/or stored, except for those retrievable (reset) changes that are necessary and unavoidable to provide the transmit and/or storage of that electronic document;
b) the electronic document can be presented in its external version without substantial changes in available and perceptible form for a person who does not have special technical knowledge.

Article 6. Copies of electronic documents

1. The copies of electronic documents are created in external form of presentation of electronic document on paper by verification of their conformity with the original copy pursuant to the legislation.
2. The paper based copies of electronic documents shall include a note that they are the copies of the relevant electronic documents.

Article 7. Storage of electronic documents

An electronic document is considered to be duly stored, if it has not undergone any changes since it was sent for storage, or it has changed due to its storage requirement, and it is possible to restore the electronic document in the form it has before storage. The electronic document verified by electronic signature is considered duly stored, if its signature-verification data have also been kept.
The owners of information systems shall solely provide the protection of electronic documents stored in their information systems.

CHAPTER 3.

ELECTRONIC SIGNATURE

Article 8. Procedure of electronic signature use

The procedure of the use of electronic signature is defined by the producer of the electronic signature-creation device.

Article 9. Creation and distribution of electronic signature-verification data

Electronic signature-verification data are created by the signatory or by certification-service provider through software and/or hardware devices.
Electronic signature-verification data shall be distributed for usage among all concerned parties:
a) by the signatory - personally delivering or transmitting either the given data or the electronic signature certificate;
b) by the certification center -   in reply to the request of concerned parties.

CHAPTER 4.

USE OF ELECTRONIC DOCUMENTS AND ELECTRONIC SIGNATURE

Chapter 10. Regulatory legislation on the use of electronic documents and electronic signatures

The use of electronic documents and electronic signature is regulated by the Civil Code of the Republic of Armenia, this Law, other laws and normative regulations.
If international agreements of the Republic of Armenia stipulate other norms than the norms envisaged by this Law the norms of international agreements of the Republic of Armenia shall prevail.
The use of electronic signature may be limited by the legislation.

Article 11. Procedure of use of electronic documents and electronic signature

The government of the Republic of Armenia shall establish the procedure of the use of electronic documents and electronic signature.
The Central Bank of the Republic of Armenia and the parties licensed by the Central Bank shall use the electronic documents and electronic signature pursuant to the procedure established by normative regulations of the Central Bank of the Republic of Armenia.
The Treasury shall use electronic documents and electronic signature in its information systems pursuant to the procedure set by the state finance regulatory body established by the law of the Republic of Armenia “On Treasury System”. The electronic versions of the original (recording) documents shall equal their paper-based ones in cases stipulated by the government of the Republic of Armenia, or if, pursuant to the requirement of the legislation of the Republic of Armenia, their paper-based versions have been preserved.

CHAPTER 5. ELECTRONIC SIGNATURE CERTIFICATION SERVICES

Article 12. Electronic signature certification centers

Certification centers must:
a) sign a relevant contract with the signatory for providing services such as to issue a certificate or provide other services concerned with electronic signature;
b) provide electronic signature creation and verification data;
c) record all electronic signature certificates and verification data issued by them;
d) verify the affiliation of the electronic signature certificate and electronic signature-verification data to the signatory;
e) identify and certify the conformity of electronic signature-verification data with the certificate;
f) ensure the protection of electronic signature;
g) before signing a contract with a person duly inform the latter of the precise terms and conditions regarding the use of the certificate, including any limitations on its use;
h) ensure security of providing electronic signature-creation data by not storing the electronic signature-creation data.
Certification-service providers may:
a) terminate the validity of electronic signature certificate issued by them;
b) provide other services concerned with electronic signature.

State and local government structures, legal entities, organizations shall have the right to choose or create a certification center to issue certificates for electronic signatures used in their information systems and to provide other services concerned with it.

Article 13. Electronic signature certificate

Affiliation of the electronic signature and signature-verification data to the signatory is verified by electronic signature certificate issued by the certification center.
The certificate must contain:
a) the identity code of the certificate;
b) the name of a signatory or a pseudonym;
c) electronic signature-verification data;
b) the date of issue of certificate, and an indication of the beginning and end of the period of validity, if applicable; e) the name of certification center, business address and location address of the legal entity.
According to the agreement signed between the parties the certificate may also contain:
a) maximum acceptable value of transactions for which the given electronic signature is used;
b) the amount of losses that may occur due to the forgery of electronic signature, poor quality or incompleteness of the services of certification-service provider, which must be indemnified by the provider.

Article 14. Period of validity of electronic signature certificate

The electronic signature certificate may have period of validity. Upon expiry date of the certificate the documents verified by the given electronic signature shall not be considered as protected by electronic signature.

Article 15. Accreditation of certification centers

Electronic signature certification centers may get accreditation by an authorized body of the government of the Republic of Armenia (hereinafter referred to as the authorized body).
The authorized body shall:
a) execute accreditation pursuant to the procedure set by the government of the Republic of Armenia;
b) keep the register (Registry) of certification centers accredited in the Republic of Armenia pursuant to the procedure set by the government of the Republic of Armenia;
c) supervise the conformity of the activities of accredited certification centers with the legislation;
d) executes other authorities set by law.
Accreditation of a certification center may be revoked by court decision in case of breach of clauses of this Law or the requirements of accreditation procedure.
Accreditation of certification centers that issue electronic signature certificates for the Central Bank of Armenia and parties licensed by the CBA is executed by the Central Bank of Armenia pursuant to its normative regulations.
Electronic signature certificates of foreign certification centers shall be equated to the electronic signature certificates issued by accredited certification centers of the Republic of Armenia in case of respective international contracts signed between the Republic of Armenia and foreign countries.

16. Competence of accredited certification centers

Accredited certification centers, besides their rights and duties defined in article 12 of this Law,
1) must:
- identify the person whom by his identification document before issuing an electronic signature certificate to him,
- keep the Registry of electronic signature certificates issued by them and ensure their storage,
- guarantee the signatory’s personal data secrecy;
- immediately inform signatory of any technical defects that may corrupt or disable the protection of electronic signature;
2) have the right:
- to suspend or terminate the validity of electronic signature certificates on signatory’s demand or on his own initiative if there are sufficient grounds to think that the signature may be forged or its usage may cause losses to the signatory or the third parties, - to cease servicing of signatory if the validity of electronic signature certificate is suspended or terminated prematurely, and make respective recordings in the Registry.

Article 17. Termination of the activities of accredited certification centers

In case of termination of the activities of accredited certification centers the electronic signature ñertificates issued by them can be transferred to another accredited certification center upon the consent of the signatory. The electronic signature certificates that have not been transferred to another accredited certification center shall be declared invalid and sent to the authorized body for archiving.

Article 18. Responsibility for breach of electronic documents circulation process, use of electronic signature and provisioning of other relevant services
Individuals and legal entities shall bear responsibility for violation of law on electronic documents circulation, use of electronic signature and provisioning of other services in this area pursuant to the procedure established by the legislation of the Republic of Armenia.

CHAPTER 6. FINAL PROVISIONS

Article 19. Entering into force

This Law shall enter into force on the next day of its official publication.

President of the Republic of Armenia
ROBERT KOCHARYAN
January 15, 2005,
Yerevan

• Electronic Signature Law of the People’s Republic of China
06.08.2010

Article 1
This Law is enacted in order to standardize acts of electronic signature, validate the legal effect of electronic signature, and safeguard the lawful rights and interests of the parties concerned.

Article 2
For the purposes of this Law, electronic signature means the data in electronic form contained in and attached to a data message to be used for identifying the identity of the signatory and for showing that the signatory recognizes what is in the message.
The data message as mentioned in this Law means the information generated, dispatched, received or stored by electronic, optical, magnetic or similar means.

Article 3
The parties concerned may agree to use or not to use electronic signature or data message in such documentations as contracts and other documents, receipts and vouchers in civil activities.
The legal effect of a document, with regard to which the parties concerned have agreed to use electronic signature or data message, shall not be denied only because the form of electronic signature or data message is adopted.

The provisions of the preceding paragraphs shall not be applicable to the following documents:
(1) documents relating to such personal relations as marriage, adoption and succession;
(2) documents relating to the transfer of the rights and interests residing in such real estate as land and houses;
(3) documents relating to termination of such public utility services as water supply, heat supply, gas supply and power supply; and
(4) other circumstances where electronic documentation is not applicable, as provided for by laws and administrative regulations.

Chapter II Data Message

Article 4
A data message, which can give visible expression to the contents carried and can readily be picked up for reference, shall be deemed to be the written form which conforms to the requirements of laws and regulations.

Article 5
Data messages that meet the following conditions shall be deemed to satisfy the requirements for the form of the original copies as provided for by laws and regulations:
(1) messages that can give effective expression to the contents carried and can readily be picked up for reference; and
(2) messages that can unfailingly guarantee that the contents remain complete and unaltered from the time when they are finally generated. And the completeness of the data messages shall not be affected when endorsements are added to the data messages or when their forms are altered in the process of data interchange, storage and display.

Article 6
Data messages that meet the following conditions shall be deemed to satisfy the requirements for document preservation as provided for by laws and regulations:
(1) messages that can give effective expression to the contents carried and can readily be picked up for reference;
(2) the format of the data messages is the same as the format when they are generated, dispatched or received, or although the format is not the same, the contents originally generated, dispatched or received can accurately be expressed; and
(3) messages the addressers and receivers of which and the time of their dispatch and receipt can be identified.

Article 7
No data messages to be used as evidence shall be rejected simply because they are generated, dispatched, received or stored by electronic, optical, magnetic or similar means.

Article 8
The following factors shall be taken into consideration when the truthfulness of data messages to be used as evidence is examined:
(1) the reliability of the methods used for generating, storing or transmitting the data messages;
(2) the reliability of the methods used for keeping the completeness of the contents;
(3) the reliability of the methods for distinguishing the addressers; and
(4) other relevant factors.

Article 9
Any of the following data messages shall be deemed to be dispatched by the addresser:
(1) the data message is dispatched with authorization of the addresser;
(2) the data message is dispatched automatically by the information system of the addresser; and
(3) verification of the data message made by the receiver in accordance with the method recognized by the addresser proves that the message is identical with the one dispatched.
If the parties concerned have agreed otherwise with regard to the matters specified in the preceding paragraph, such agreement shall be complied with.

Article 10
If confirmation of receipt of a data message is required pursuant to the provisions of laws and administrative regulations or the agreement reached between the parties concerned, such receipt shall be confirmed. When the addresser receives the confirmation of the receipt sent by the receiver, the data message shall be deemed to have been received.

Article 11
The time when a data message enters into a certain information system beyond the control of the addresser shall be deemed to be the time when the message is dispatched.
If a receiver designates a special system for receipt of a data message, the time when the message enters into the system as designated shall be deemed to be the time when the said message is received; and if no special system is designated, the first time when the data message enters into any systems of the receiver's shall be deemed to be the time when the message is received.
If the parties concerned have agreed otherwise on the time of dispatch or the time of receipt of data messages, such agreement shall be complied with.

Article 12
The principal business place of an addresser shall be the place of dispatch of data messages, and the principal business place of a receiver shall be the place of receipt of data messages. If there are no principal business places, their habitual residences shall be the places of dispatch or receipt.
If the parties concerned have agreed otherwise on the place of dispatch or the place of receipt of data messages, such agreement shall be complied with.

Chapter III Electronic Signature and Certification

Article 13
If an electronic signature concurrently meets the following conditions, it shall be deemed as a reliable electronic signature:
(1) when the creation data of the electronic signature are used for electronic signature, it exclusively belongs to an electronic signatory;
(2) when the signature is entered, its creation data are controlled only by the electronic signatory;
(3) after the signature is entered, any alteration made to the electronic signature can be detected; and
(4) after the signature is entered, any alteration made to the contents and form of a data message can be detected.
The parties concerned may also choose to use the electronic signatures which meet the conditions of reliability they have agreed to.

Article 14
A reliable electronic signature shall have equal legal force with handwritten signature or the seal.

Article 15
An electronic signatory shall have the creation data of his electronic signature well preserved. When an electronic signatory learns that the creation data of his electronic signature have got lost or may have got lost, he shall make it known to all the parties concerned in time, and terminate the use of such data.

Article 16
If an electronic signature needs to be verified by a third party, the electronic verification service established according to law shall provide such service.

Article 17
An electronic verification service shall meet the following conditions:
(1) having the professional technicians and managerial personnel suited for provision of electronic verification services;
(2) having the funds and business places suited for provision of electronic verification services;
(3) having the technology and equipment complying with the safety standards of the State;
(4) having the certificates for the use of the codes approved by the code control institution of the State; and
(5) other conditions prescribed by laws and administrative regulations.

Article 18

A person that intends to engage in electronic verification service shall make an application to the department in charge of the information industry under the State Council and submits the materials proving fulfillment of the conditions as specified by Article 17 of this Law. Upon receiving the application, the department in charge of the information industry under the State Council shall examine it according to law and consult with the department in charge of commerce and other relevant departments under the State Council, before making a decision on whether to grant or deny approval within 45 days from the date it receives the application. If it grants approval, it shall issue the license of electronic verification; and if it denies approval, it shall inform the applicant in writing of the fact and of the reasons why.

The applicant shall, upon the strength of the license of electronic verification, go through the formalities for enterprise registration at the administrative department for industry and commerce according to law.

The electronic verification service that has been qualified for verification shall, in accordance with the regulations of the department in charge of the information industry under the State Council, make public in the Internet such information as its name and the number of its license.

Article 19

The electronic verification service shall formulate and publish its rules for electronic verification, which are in conformity with the relevant regulations of the State, and submit them to the department in charge of the information industry under the State Council for the record.
The rules for electronic verification shall include the matters such as the scope of liability, the norms for operation and the protective measures for information safety.

Article 20
When an electronic signatory applies to an electronic verification service for the certificate of his electronic signature, he shall provide truthful, complete and accurate information.
Upon receiving the application for certificate of the electronic signature, the electronic verification service shall check the identity of the applicant and examine the relevant materials.

Article 21
The certificate of an electronic signature issued by the electronic verification service shall be accurate and devoid of error, and the following items shall clearly be stated therein:
(1) the name of the electronic verification service;
(2) the name of the certificate holder;
(3) the serial number of the certificate;
(4) the term of validity for the certificate;
(5) the validation data of the electronic signature of the certificate holder;
(6) the electronic signature of the electronic verification service; and

(7) other items as prescribed by the department in charge of the information industry under the State Council.

Article 22
An electronic verification service shall guarantee that the items in the certificate of an electronic signature are complete and accurate within the term of its validity, and guarantee the party relying on the electronic signature the ability to prove or to know the items stated in the certificate of the electronic signature and other relevant matters.

Article 23
If an electronic verification service intends to suspend or terminate the service, it shall, 90 days prior to the suspension or termination of service, notify the parties concerned of how to get continued services and of other relevant matters.
If an electronic verification service intends to suspend or terminate the service, it shall report to the department in charge of the information industry under the State Council 60 days prior to the suspension or termination of service, and shall make proper arrangements by negotiating with other electronic verification services on how to carry on its business.
If an electronic verification service fails to reach an agreement with other electronic verification services on matters of how to carry on its business, it shall apply to the department in charge of the information industry under the State Council for arranging other electronic verification services to carry on its business.
If the license of electronic verification of an electronic verification service is revoked according to law, its business shall be carried on in accordance with the regulations of the department in charge of the information industry under the State Council.

Article 24

An electronic verification service shall have the information relating to verification well preserved. The time limit for preservation of such information shall at least be five years after the certificate of the electronic signature ceases to be valid.

Article 25
The department in charge of the information industry under the State Council shall, in accordance with this Law, formulate the specific measures for administration of the electronic verification services and exercise supervision over the electronic verification services according to law.

Article 26

Upon examination and approval by the department in charge of the information industry under the State Council on the basis of relevant agreements or the principle of reciprocity, the certificates of electronic signatures issued by overseas electronic verification services outside of the territory of the People's Republic of China shall have equal legal force with the ones issued by the electronic verification services established in accordance with this Law.

Chapter IV Legal Responsibility

Article 27
An electronic signatory who, having learnt that the creation data of his electronic signature have got lost or might have got lost, fails to notify in time the parties concerned of the fact and to terminate the use of the same, who fails to provide the electronic verification service with truthful, complete and accurate information, or who makes other errors, thus causing losses to the party relying on the electronic signature and to the electronic verification service, shall bear the responsibility for compensation.

Article 28
Where an electronic signatory or the party relying on the electronic signature suffers losses due to engaging in civil activities on the basis of the electronic signature verified by an electronic verification service, and if the electronic verification service fails to prove that it is free from fault, the service shall bear the responsibility for compensation.

Article 29
Where a person provides electronic verification services without permission, the department in charge of the information industry under the State Council shall order him to desist from the illegal act; the unlawful gains, if any, shall be confiscated; if such gains exceed RMB 300,000 yuan, a fine of not less than one time but not more than three times the unlawful gains shall be imposed; and if there are no unlawful gains or the amount of such gains is less than 300,000 yuan, a fine of not less than 100,000 yuan but not more than 300,000 yuan shall be imposed.

Article 30
Where an electronic verification service that intends to suspend or terminate electronic verification services fails to report to the department in charge of the information industry under the State Council 60 days prior to the suspension or termination of service, the said department shall impose a fine of not less than 10,000 yuan but not more than 50,000 yuan on the person who is directly in charge of the service.

Article 31
Where an electronic verification service fails to observe the rules for verification, fails to have the information relating to verification well preserved, or commits other illegal acts, the department in charge of the information industry under the State Council shall order it to rectify within a time limit; if it fails to comply at the expiration of the time limit, its electronic verification license shall be revoked, and the persons who are directly in charge of the service and the other persons who are directly responsible shall be prohibited from engaging in electronic verification services within the period of 10 years. If an electronic verification license is revoked, the fact shall be made known to the public and the administrative department for industry and commerce shall be informed of the same.

Article 32
Where a person counterfeits, copies or usurps the electronic signature of another person's, which constitutes a crime, his criminal responsibility shall be investigated according to law; and if losses are caused to another person, he shall bear civil responsibility according to law.

Article 33
Where a staff member of the department in charge of supervision and administration over the electronic verification industry in accordance with this Law fails to perform his duties of granting administrative license and exercising supervision and administration according to law, he shall be given an administrative sanction according to law; and if a crime is constituted, he shall be investigated for the criminal responsibility according to law.

Chapter V Supplementary Provisions

Article 34
The meanings of the following terms used in this Law are:
(1) the electronic signatory means a person who holds the creation data of an electronic signature and produces the electronic signature either in person or on behalf of the person he represents;
(2) the relying party on the electronic signature means the person who engages in relevant activities on the basis of his trust in the certificate of the electronic signature or the electronic signature;
(3) the certificate of the electronic signature means a data message or other electronic records that can prove the connection between the electronic signatory and the creation data of the electronic signature;
(4) the creation data of an electronic signature means such data as the characters and codes that are used in the course of the electronic signature and that reliably connects the electronic signature with the electronic signatory; and
(5) the validation data of an electronic signature means the data used for verifying the electronic signature, including the code, password, algorithm and public key.

Article 35

The State Council or the departments specified by the State Council may, in accordance with this Law, formulate specific measures for the use of the electronic signatures and data messages in administrative and other public activities.

Article 36
This Law shall go into effect as of April 1, 2005.

http://www.wipo.int/clea/en/text_pdf.jsp?lang=EN&id=6559

• European legislation on eSignature
21.06.2010

The main objective of the Directive on eSignature is to create a Community framework for the use of electronic signatures. It allows electronic signature products and services to flow freely across borders and ensures the legal recognition of electronic signatures.

The Directive addresses three forms of electronic signatures:

1. Basic electronic signature: understood in the simplest and broadest sense of electronic signature i.e. as a means to identify and authenticate data. It can be as simple as signing an e-mail message with a personal name.

To be a signature the authentication must relate to data and not be used as a method or technology only for entity authentication. For instance, when a person uses a PIN code to identify himself in order to get access to an electronic bank account, it is not an electronic signature. However, entering the same code in order to confirm a financial transaction and, in doing so authenticating this transaction, is an electronic signature. There are many applications making use of electronic signature technology, which do not qualify as electronic signatures according to the Directive when they are only used for entity authentication.
It should also be noted that the notion of signature used in the Directive refers to a legal concept and not to a technical one. This means that the definition is intended to cover all current and future technologies for electronic signatures as well as all possible interpretations of the term signature in the law of the Member States.

2. Advanced electronic signature(as defined by the Directive). This second form of signature has to meet the requirements defined in Article 2.2 of the Directive. In particular, this form of electronic signature is capable to be uniquely linked to the signatory and to identify the signatory, is created using means that are under the signatory's sole control and is linked to the data in such a way that any subsequent change in the data can be detected. The Directive does not favour a particular technology but in practice, this definition refers mainly to electronic signatures based on a public key infrastructure (PKI). This technology uses encryption technology to sign data, which requires a public and a private key.

3. "Qualified electronic signature": this third form is mentioned in Article 5.1 and consists of an advanced electronic signature based on a qualified certificate and created by a secure signature creation device which need to comply with the requirements in Annexes I, II and III.

http://ec.europa.eu/information_society/policy/esignature/eu_legislation/index_en.htm

• Law on the Electronic Signature of Romania
21.06.2010

Law on the Electronic Signature

(published in the Official Gazette of Romania no. 429/31.07.2001)

CHAPTER ONE
General Provisions

SECTION ONE
General Principles

Art. 1. This law regulates the legal status of the electronic signature, of the documents in electronic form as well as the requirements for electronic signatures certification service provision.

Art. 2. This law shall be complemented by the legal provisions on the conclusion of legal documents, on their validity and effects.

Art. 3. No provision herein may be construed as constraining the independent will and contractual freedom of the parties.

SECTION TWO
Definitions

Art. 4. For the purpose of this law:
Data in electronic form means information supplied in a conventional form appropriate for creating, processing, sending, receiving or storing that information by electronic means.
Document in electronic form means a collection of logically and operationally interrelated data in electronic form that reproduces letters, digits or any other meaningful characters in order to be read through software or any other similar technique.

Electronic signature means data in electronic form, which are included in, attached to or logically associated with a document in electronic form and serve as a method of identification.

Extended electronic signature means an electronic signature which meets all the conditions specified below:
a. it is uniquely linked to the signatory;
b. it allows the identification of the signatory;
c. it is created using means that the signatory can maintain under his sole control;
d. it is linked to the data in electronic form to which it relates in such a manner that any subsequent change of that document is detectable.

Signatory is a person who holds a signature-creation device and acts either on his own behalf or on behalf of a third party he or she represents.
Signature-creation data means unique data in electronic form, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature.
Signature-creation device means configured software and/or hardware, used to implement the signature-creation data.

Secure-signature-creation device means a signature-creation device which meets all the requirements below:
a. the signature-creation data used for signature generation can practically occur only once and their confidentiality can be ensured;
b. the signature-creation data used for signature generation cannot be derived;
c. the signature is protected from forgery by technological means currently available at the time it is generated;
d. the signature-creation data used for signature generation can reliably be protected by the signatory against their unauthorised use;
e. it must not alter the data in electronic form to be signed or prevent these data from being presented to the signatory prior to the completion of the signing process.

Signature-verification data means data in electronic form, including codes or public cryptographic keys, which are used for the purpose of verifying an electronic signature.
Signature-verification device means configured software and/or hardware, used to implement the signature-verification data.
Certificate means a collection of data in electronic form that attests the link between a person and the signature-verification data, confirming the identity of that person.
Qualified certificate means a certificate that meets the requirements specified in Art. 18 and is issued by a certification service provider which complies with the provisions of Art. 20.
Certification service provider means a Romanian or foreign person that issues certificates or provides other electronic signature-related services.
Qualified-certification service provider is a certification service provider that issues qualified certificates.

Electronic signature related product means any software or hardware which are intended to be used by a certification service provider for the provision of electronic signature-related services or for the creation or verification of electronic signatures.

CHAPTER TWO
The Legal Status of the Documents in Electronic Form

Art. 5. A document in electronic form that incorporates an electronic signature or has an electronic signature attached to or logically associated with it, based on a qualified certificate not suspended or not revoked at that time, and generated using a secure-signature-creation device is assimilated, in as much as its requirements and effects are concerned, to a document under private signature.

Art. 6. A document in electronic form that includes an electronic signature or has an electronic signature attached to or logically associated with it, acknowledged by the party the respective document is opposed to, has the same effects as an authentic document, between those who signed it and between those who are representing their rights.

Art. 7. Should the written form be required as proof or validity condition of a legal document in such cases as the law may provide, a document in electronic form shall satisfy to this condition if an extended electronic signature, based on a qualified certificate and created using a secure-signature-creation device was incorporated to, attached to or logically associated with it.

Art. 8. (1) If a party does not recognize a document in electronic form or an electronic signature, the court will always direct that the verification shall be made by expertise.
(2) For this purpose, the expert or specialist shall require qualified certificates and any other documents necessary, according to the law, for the identification of the author of the document in electronic form, the signatory or of the certificate titular.

Art. 9. (1) The party that claims in court an extended electronic signature must prove that it meets the requirements of Art. 4, 4th paragraph.
(2) An extended electronic signature based on a qualified certificate issued by an accredited certification service provider is presumed to satisfy the requirements of Art. 4, 4th paragraph.

Art. 10. (1) The party that claims in court a qualified certificate shall prove that the certification service provider which issued that certificate meets the provisions of Art. 20.
(2) An accredited certification service provider is presumed to meet the provisions of Art. 20.

Art. 11. (1) The party that claims in court a secure-signature-creation device shall prove that the device meets the provisions of Art. 4, 8th paragraph.
(2) A secure-signature-creation device that was homologated according to this law is presumed to meet the provisions of Art. 4, 8th paragraph.

CHAPTER THREE
Certification Service Provision

SECTION ONE
Common Provisions

Art. 12. (1) Certification service provision is not subject to prior authorisation and shall be performed in agreement with the principles of free and fair competition, and in compliance with the legal provisions in force.
(2) Certification service provision by service providers established in the Member States of the European Union shall be made under the requirements of the European Accord, establishing an association between Romania and the European Communities and their Member States.

Art. 13. (1) Any person that contemplates providing certification services shall notify the specialised supervisory and regulatory authority of the start-up of activity no later than 30 days before the date of commencement.

(2) Along with the notification provided in the 1st paragraph, certification service providers shall supply exhaustive information about the security and certification procedures they use and any further information the specialised supervisory and regulatory authority may request.
(3) Certification service providers have the obligation to notify any intention of changing the security and certification procedures to the specialised supervisory and regulatory authority, with at least 10 days in advance, indicating the date and hour when the change enters into force, as well as the obligation to confirm in 24 hours the change effected.
(4) In emergency cases, where the security of certification services is affected, certification service providers can effect changes of the reported security and certification procedures and shall notify in 24 hours the specialised supervisory and regulatory authority of the changes effected and of their justification.
(5) Throughout their activity, certification service providers shall observe their reported security and certification procedures notified according to 2nd, 3rd and 4th paragraphs above.

Art. 14. (1) A certification service provider shall ensure access to any information necessary for the proper and safe use of its services. Such information shall be made available before entering into a contractual relation with the applicant for a certificate or on request from a third party that invokes a certificate.
(2) The information provided in the 1st paragraph shall be worded in writing, in a readily accessible language and sent by electronic means, provided it can be stored and reproduced.
(3) The information provided in the 1st paragraph shall include at least:
the procedure to be followed for electronic signature creation and verification;
the fee rate charged;
the concrete ways and requirements for the use of certificates, including the limitations of their use, provided that such limitations are recognisable to third parties;
the obligations incurred by the certificate holder and certification service provider under this law;
reference to the accreditation, if applicable;
the contractual provisions under which the certificate was issued, including the limited liability of the certification service provider, if applicable;
dispute settlement;
any other information established by the specialised supervisory and regulatory authority.
(4) The certification service provider shall send to the applicant a copy of the certificate.
(5) After the applicant has agreed to the certificate, the certification service provider shall enter the certificate in the register provided in Art. 17.

Art. 15. (1) The natural persons that provide certification services in their own name and the personnel employed by a certification service provider, whether the latter is a natural or legal person, shall keep the secrecy of the information entrusted to them in their professional activity, except for such information the certificate holder may agree to be made public or to be communicated to third parties.
(2) The unauthorised breach of the obligation provided in 1st paragraph is tantamount to professional secrecy disclosure, which is an offence punishable under Art. 196 of the Criminal Code.
(3) Supplying information to a public authority, when this authority acts in performance of its legal tasks and within the limits provided by law may not amount to professional secrecy disclosure.
(4) The obligation provided in the 1st paragraph shall apply also to the personnel of the specialised supervisory and regulatory authority and to any person empowered by it.

Art. 16. (1) The specialised supervisory and regulatory authority and certification service providers are bound to comply with the legal provisions for processing of personal data.
(2) Certification service providers may collect personal data only from the applicant for a certificate, or, subject to the explicit agreement of the applicant, from third parties. Data may be collected to the extent they are required for certificate issuance and conservation. For any other purposes, data collection and use is subject to explicit agreement of the applicant.
(3) Whenever a pseudonym is used, the real identity of the holder may not be disclosed by the certification service provider unless the holder has agreed or except in such cases as provided at Art. 15, 3rd paragraph.

Art. 17. (1) Certification service providers shall open and keep an electronic register of the certificates they issue.
(2) The electronic register of certificates shall specify:
the accurate date and time of issuance of a certificate;
the accurate date and time of expiry of a certificate;
the accurate date and time of suspension or revocation of a certificate, if applicable, including the causes thereof.
(3) The register shall be available for consultation at any time, including in the on-line system.

SECTION TWO
Qualified-Certification Service Provision

Art. 18. (1) A qualified certificate shall contain:
an indication that the certification was issued as a qualified certificate;
the identification data of the certification service provider as well as its citizenship if natural person, or nationality if legal person;
the name of the signatory or a pseudonym, identified as such, and any other specific attributes thereof, provided they are relevant for the purpose for which the qualified certificate is intended;
the signatory�s personal identification code ; the signature-verification data corresponding to the signature-creation data under the exclusive control of the signatory;
the period of validity of the qualified certificate;
the qualified certificate identification code;
the extended electronic signature of the certification service provider issuing the certificate;
limitations of the scope of use of the qualified certificate or limits on the value of transactions for which the certificate can be used, if applicable;
any other information established by the specialised supervisory and regulatory authority.
(2) The certification service provider shall assign each signatory a personal code for the purpose of uniquely identifying the signatory.
(3) The generation of the personal identification code of the signatory and the qualified certificate identification code shall be generated according to a methodology defined through regulations issued by the specialised supervisory and regulatory authority.
(4) Further information other than required in the 1st paragraph may be supplied by a certification service provider in the certificate upon request of the holder, provided such information is not contrary to the law, moral standards and public order, subject to prior checking for accuracy.
(5) The qualified certificate shall expressly indicate that a pseudonym is used, if such is the case.

Art. 19. (1) Certification service providers shall check the identity of applicants on the exclusively basis of their identification papers before issuing them with qualified certificates.
(2) When issuing a qualified certificate, the certification service providers shall issue two copies of the certificate, on paper, out of which one is delivered to the holder and the other one shall be kept by the provider for no less than 10 years.

Art. 20. To issue qualified certificates, certificate service providers shall:
have the financial, material, technological and human resources appropriate to guarantee the security, reliability and continuity of the certification services offered;
ensure the operation �of a prompt and secure registration service to record the information provided at Art. 17, especially the prompt and secure operation of a suspension and revocation service;
ensure the posibility to accurately determine the date and time of issuance, suspension or revocation of a qualified certificate;
verify, by appropriate means and in accordance with the law, the identity and, if applicable, any specific attributes of the applicant for a qualified certificate;
employ personnel who possess the expert knowledge, experience and qualifications necessary for the provision of the above specified services, particularly competence at managerial level, expertise in electronic signature technology and enough practice in proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards;
use electronic signature related products that are highly reliable, protected against modification and which ensure the technical and cryptographic security of the electronic signature certification process;
take measures against forgery of certificates and, in cases where the certification service provider generates signature-creation data, guarantee confidentiality during the process of generating such data;
keep all the information about a qualified certificate for at least 10 years after the validity of that certificate has expired, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings, should a dispute occur;
not store, reproduce or disclose to third parties the signature-creation data, except in such cases as the signatory may require;
use reliable systems to store qualified certificates in a format that would meet the following requirements: only authorised persons can make entries and changes; the information may be checked for accuracy; qualified certificates may be consulted by third parties only if their holders have agreed; any technical change that may compromise these security requirements may be detected by authorised persons;
any other conditions established by the specialised supervisory and regulatory authority.

Art. 21. Qualified certification service providers shall use only secure-signature-creation devices.

Art. 22. (1) Qualified certification service providers shall have sufficient financial resources to cover the damage they may cause by their electronic signature certification-related activities.
(2) To ensure against such risks, they may subscribe an insurance policy issued by an insurance company or have a letter of guarantee issued by a specialty financial institution, or proceed in any other way established by decision of the specialised supervisory and regulatory authority.
(3) The sum for which the insurance policy or the letter of guarantee is issued shall be determined by the specialised supervisory and regulatory authority.

SECTION THREE
Suspension and Expiry of Validity of Certificates

Art. 23. (1) Any certification service provider shall suspend a certificate in 24 hours from the moment it learns, or it should and could have learnt about one of the following situations:
a request of the signatory, after checking his identity;
a court ruling so instructs;
the information contained in the certificate is no longer valid, if the revocation of the certificate is not mandatory;
any other circumstances that require suspension of the certificates under the security and certification procedures notified by the provider under Art. 13.
(2) Any certification service provider shall revoke a certificate in 24 hours from the moment it learns, or it should and could have learnt about one of the following situations:
a request of the signatory, after checking his identity;
the death of the signatory or its interdiction;
a non-contestable court ruling so instructs;
should it be proved beyond reasonable doubt that the certificate was issued on the basis of faulty or fake information;
if the essential information contained in a certificate is no longer valid;
whenever the confidentiality of the signature-creation data has been violated;
a fraudulent use of a certificate;
any other circumstances that require revocation of the certificates under the security and certification procedures notified by the provider under Art. 13.
(3) The certification service provider shall forthwith notify the holder of the suspension or revocation of the certificate and give the reasons for such a decision.
(4) The certification service provider shall make an entry regarding the suspension or revocation decision in the electronic register provided at Art. 17, in 24 hours from the moment it learns, or it should and could have learnt that the decision to this effect is made.
(5) The suspension or revocation shall be opposable to third parties as soon as it is recorded in the electronic register.

Art. 24. (1) Should a certification service provider plan to cease its electronic signatures certification-related activities or learn that it will no longer be able to provide them, it shall notify the specialised supervisory and regulatory authority at least thirty days in advance of its intention and about the appearance and nature of the circumstances that prevent it from continuing its activities.
(2) It is the duty of the certification service provider to notify the specialised supervisory and regulatory authority, if it can no longer engage in electronic signatures certification-related activities and could not foresee this at least thirty days before actually halting operations, in 24 hours from the moment it learnt or it should and could have learnt about the circumstances preventing it from continuing its activities. The notice shall specify about the appearance and nature of the circumstances that make further operation impossible.
(3) A certification service provider may transfer all or part of its activities to another certification service provider subject to the following requirements:
the certification service provider shall notify every holder of valid certificates no less than thirty days in advance of its intention to transfer its electronic signatures certification-related activities to another certification service provider;
the certification service provider shall state the identity of the certification service provider it plans to transfer its activities to;
the certification service provider shall state to every certificate holder that the latter may choose not to accept the transfer, and set a time limit and the terms of refusal; should an explicit agreement of a certificate holder not be received within the time specified by the certification service provider, the latter shall revoke the certificate.
(4) Should any of the cases provided in paragraphs (1) and (2) be applicable to a certification service provider, and its activities not be taken over by another certificate service provider, it shall revoke the certificates within thirty days of notifying their holders and take appropriate action to ensure conservation of its archives and personal data processing in compliance with the law.
(5) For the purpose of this article, dissolution or liquidation, whether voluntary or judicial, bankruptcy and any other cases of cessation of operation, except for the enforcement of penalties provided by paragraphs (2) and (3) of Art. 33, shall be construed as cases of cessation of electronic signatures certification-related activities.

CHAPTER FOUR
Monitoring and Control

SECTION ONE
Specialised supervisory and regulatory authority

Art. 25. The specialised supervisory and regulatory authority has the responsibility for applying the provisions of this law and of the related regulations.

Art. 26. (1) In no more than 18 months from the publication of this law in the Official Journal of Romania, a specialised public authority shall be established, with supervisory and regulatory tasks in the meaning of this law.
(2) Until the authority provided in the 1st paragraph is established, the specialised supervisory and regulatory authority provided herein shall be the Ministry of Communication and Information Technology.

Art. 27. The Ministry of Communication and Information Technology may delegate all or part of its responsibilities as specialised supervisory and regulatory authority provided herein to another public authority in its coordination.

Art. 28. (1) By the same time of the entry into force of this law, it shall be established the Certification Services Providers Register, named Register as follows, which is opened and updated by the specialised supervisory and regulatory authority. As the specialised public authority provided in Art. 26 is established, the Register will be taken over and updated by this authority.
(2) The Register represents an official situation of the certification services providers:
which have the headquarters in Romania;
which have the domicile or headquarters in another state and issue qualified certificates that are recognised according to Art.40.
(3) The Register ensures, by making the records provided by this law, the stocking of the identification data and of some information related to the activities of the certification service providers, as well as the public information regarding the data and information stocked.
(4) The content and structure of the Register are established through regulations issued by the specialised supervisory and regulatory authority.

Art. 29. (1) The recording of the identification data and of the information related to the activities of the certification services providers mentioned in Art. 28 2nd paragraph in the Register provided in Art. 28 should be made on a personal application base, which must be submitted to the specialised supervisory and regulatory authority no later than the date of commencement of provider�s activity. (2) The mandatory content of the application and the necessary documentation will be established through regulations issued by the specialised supervisory and regulatory authority.

Art. 30. (1) The Register is public and permanently updated.
(2) The requirements for keeping the Register, for the access to the information which it contents, for the information that may be given to the applicant are established through regulations issued by the specialised supervisory and regulatory authority.

SECTION TWO
Supervision of Certification Service Provider Operations

Art. 31. (1) The specialised supervisory and regulatory authority may, ex officio or upon request of any interested person, check compliance of a certification service provider�s activities with the provisions of this law or of the regulations issued on the basis thereof, or order that such compliance be checked. (2) The control functions of the specialised supervisory and regulatory authority as provided in the above paragraph shall be performed by purposefully empowered
personnel.
(3) In order to perform their control functions, the control personnel is entitled to:
free permanent access, according to the law, to any place where certification service provision equipment is located;
request any document or information that are necessary for control purposes;
check implementation of any security or certification procedure the certification service provider being controlled may use;
seal off any equipment required for certification service provision or retain any document related to this kind of services for up to 15 days, if necessary;
take any other action provided by law.
(4) The control personnel shall:
not disclose the data they may learn in the exercise of their functions;
keep the sources of information relating to claims or intimations confidential.

Art. 32. (1) Certification service providers are obliged to facilitate the exercise of control functions by the personnel such functions were entrusted to.
(2) In case of non-compliance with the obligation provided in 1st paragraph, apart from the penalty provided in Art. 44 letter c), the specialised supervisory and regulatory authority may order the suspension of the activities of the certification service provider until the latter cooperates with the control personnel.

Art. 33. (1) Should the control disclose non-compliance with the provisions of this law or of the regulations issued on the basis thereof, the specialised supervisory and regulatory authority shall ask the certification service provider for compliance within such a time as it may set. During this time the specialised supervisory and regulatory authority may order the suspension of the activity of the provider.
(2) Failure to comply within the time limit as provided in the above paragraph is a reason for the specialised supervisory and regulatory authority to order the certification service provider to cease its activity and be erased from the Register.
(3) In the event of a serious breach of the legal provisions, the specialised supervisory and regulatory authority may forthwith instruct that the respective certification service provider stop its activity and be struck off the Certification Service Providers� Register. �

Art. 34. (1) Whenever it orders a certification service provider to stop its activity, the specialised supervisory and regulatory authority shall ensure either revocation of certificates of that certification service provider and of the signatories, or that its activities or at least the electronic register of certificates issued and certificate revocation service are taken over by another certification service provider, subject to agreement by the latter.
(2) The specialised supervisory and regulatory authority shall promptly notify the signatories of the provider�s end of activities and of the revocation of certificates or their take-over by another provider. (3) Should no provider take over the activities of a certification service provider, the latter shall make sure that every certificate it may have issued is revoked. Should it fail to meet this obligation, the certificates shall be revoked by the specialised supervisory and regulatory authority at the provider�s expense. (4) The specialised supervisory and regulatory authority shall take over and keep the archives and the electronic register of certificates issued by the certification service provider whose activities were not taken over by another provider.

Art. 35. (1) The erasure of the certification services providers shall be made on the base of the notification made to the specialised supervisory and regulatory authority by the provider with at least thirty days before its cease of activity.
(2) The erasure can be made also ex officio by the specialised supervisory and regulatory authority, if it established by any means that the provider has ceased his activity.

SECTION THREE
Voluntary Accreditation

Art. 36. (1) In order to make proof of an increased level of security of the operations and of an appropriate level of protection of the lawful rights and interests of the users of certification services, certification service providers may apply to the specialised supervisory and regulatory authority for accreditation, if they so wish.
(2) The requirements and the procedure for issuance, suspension and withdrawal of the accreditation decision, the content of such decision, as well as the effects of its suspension and withdrawal, shall be defined through regulations issued by the specialised supervisory and regulatory authority, according to the principles of objectivity, transparency, direct proportionality and non-discrimination.

Art. 37. (1) Certification service providers accredited according to this law are entitled to specify this status in every signature certification activity they may perform.
(2) Certification service providers accredited according to this law shall ask that reference to this effect be made in the Register.

SECTION FOUR
Homologation

Art. 38. (1) The secure-signature-creation devices shall be checked for compliance with this law by homologation agencies which may be public or private legal persons agreeable to the specialised supervisory and regulatory authority in accordance with the conditions established through regulations issued by the latter.
(2) Upon completion of the checking procedure, a certificate of homologation of the secured signature-creation device is issued. The certificate may be withdrawn by the homologation agency should it find that the secured signature-creation device no longer complies with one of the provisions of this law.
(3) The conditions and procedure for the homologation agencies to be agreeable to the specialised supervisory and regulatory authority shall be defined through regulations issued by the specialised supervisory and regulatory authority.
(4) A decision of agreement shall be adopted by the specialised supervisory and regulatory authority.

Art. 39. (1) The specialised supervisory and regulatory authority shall oversee compliance by the accreditation agencies of this law, of the regulations issued on the basis thereof and of the Decision of agreement.
(2) The provisions of Arts. 30-32 shall apply mutatis mutandis to the specialised supervisory and regulatory authority�s control over the activities of the homologation agencies.

CHAPTER FIVE
Acknowledgment of Certificates Issued by Foreign Providers

Art. 40. A qualified certificate issued by a certification service provider having its domicile or headquarters in another country shall be acknowledged as having the same legal effects as a qualified certificate issued by a certification service provider residing or having its domicile or headquarters in Romania if:
the certification service provider having its domicile or headquarters in another country was accredited according to this law; or
an accredited certification service provider having its domicile or headquarters in Romania guarantees the certificate; or
the certificate or the certification service provider that issued it is recognised by virtue of a bilateral or multilateral agreement between Romania and other states or international organisations on a mutual basis.

CHAPTER SIX
Liability of Certification Service Providers

Art. 41. A certification service provider that issues certificates presented as being qualified or guarantees such certificates is liable for damage caused to any person the behaviour of which is based on the legal effects of such certificates concerning:
the accuracy at the time of issuance of a certificate of all the information included therein;
the assurance that, at the time of issuance of a certificate, the signatory identified in the certificate held the signature-creation data corresponding to the signature-verification data referred to in the respective certificate;
the assurance that the signature-creation data were consistent with the signature-verification data, if the certification service provider generates them both;
the suspension and revocation of the certificate, in cases and conditions provided in Art. 24 1st and 2nd paragraphs;
fulfillment of every obligation provided by Arts. 13-17 and 19-22 herein,
unless the certification service provider proves that, in spite of his best effort, he could not prevent the damage from occurring.

Art. 42. (1) A certification service provider may indicate in a qualified certificate limitations of the scope of use of the certificate or limits on the value of transactions for the which the certificate can be used, provided that the limitations or limits are recognisable to third parties.
(2) A certification service provider may not be held liable for damage arising from the use of a qualified certificate in breach of the limitations or limits provided therein.

CHAPTER SEVEN
Obligations of Certificate Holders

Art. 43. Certificate holders shall promptly apply for revocation of their certificates if:
a. they lost the signature-creation data;
b. have good reasons to believe the signature-creation data are known to an unauthorised third party;
c. the essential information contained in the certificate is no longer valid.

CHAPTER EIGHT
Administrative Violations and Penalties

Art. 44. The following offences by certification service providers are administrative violations, unless they are criminal offences under the law, punishable by fines ranging from ROL 5,000,000 to ROL 100,000,000:
a. failure to send the notice provided at Art. 13 paragraph (1);
b. failure to notify the specialised supervisory and regulatory authority of the security and certification procedures used in such conditions and within such time as provided at Art. 13;
c. non-compliance with the obligation to facilitate the exercise of control functions by the specialised supervisory and regulatory authority�s duly empowered personnel; d. transfer of electronic signatures certification activities in breach of the provisions of Art. 24 paragraph (3).

Art. 45. The following offences by certification service providers are administrative violations, unless they are criminal offences under the law, punishable by fines ranging from ROL 10,000,000 to ROL 250,000,000:
a. failure to provide the persons specified in Art. 14, 1st paragraph, in compliance with the conditions provided in Art. 14, 1st and 2nd paragraphs, with the mandatory information provided in Art. 14, 3rd paragraph, or to provide all this information, or to provide accurate information;
b. non-compliance with the obligation concerning the processing of personal data provided in Art. 16;
c. failure to make the entries required by law in the electronic register provided in Art. 17, or to make them within the time limit required by Art. 14, 5th paragraph, Art. 23, 1st or 2nd paragraph, or to make them accurately;
d. issuance of certificates presented as qualified to applicants, when such certificates do not contain all the mandatory specifications required by Art. 18;
e. issuance of qualified certificates containing information that is inaccurate, or contrary to the law, morals or public order, or that was not checked for accuracy as provided by Art. 18, 4th paragraph;
f. issuance of qualified certificates without the applicant�s identity being checked, as Art. 19 provides; g. failure to take action that would guarantee confidentiality in the process of signature data generation, should the provider generate such data;
h. failure to keep all the information about a qualified certificate for at least 5 years after the validity of the certificate has expired;
i. storage, reproduction or disclosure of signature-creation data to third parties, unless the signatory so requires, in cases where the provider issues qualified certificates;
j. storage of qualified certificates in a format that is in breach of the provisions of art. 20 letter j);
k. use of signature-creation devices in violation of the provisions of Art. 4, 8th paragraph herein, in cases where the provider issues qualified certificates;
l. if the provider intends to end its activities, or in any of the cases provided in Art. 24, 5th paragraph,when imposible for the provider to continue the activity, failure to notify the specialised supervisory and regulatory authority at least thirty days in advance of the specific circumstances that make further operation impossible or of its intention;
m. in any of the cases provided in Art. 24, 5th paragraph, if imposible for the provider to continue the activity and the provider could not foresee this situation with at least thirty days in advance, failure to notify within the term provided in Art. 24, 2nd paragraph of the specific circumstances that made it impossible for the continuation of electronic signatures certification-related activities;
n. failure to take appropriate action, in any of the cases provided at Art. 24, 1st and 2nd paragraphs, to ensure conservation of the archives or processing of personal data so as the law provides;
o. failure to suspend or to revoke the issued certificates, when suspension or revocation is compulsory, or failure to do so within the time provided by law;
p. continuation of electronic signatures certification activities when the specialised supervisory and regulatory authority instructed that such activities be suspended or ended;
q. undue use of the accredited provider status through a specific reference to that effect or in any other way in the issuance of certificates or performance of other electronic signatures certification-related activities;
r. failure to apply for registration at the Certification Service Provider�s Register within the term provided in Art. 29, 1st paragraph, for the data and information provided in Art.29.

Art. 46. Non-compliance by the homologation agency of its obligation to facilitate the exercise of control functions by duly delegated specialised supervisory and regulatory authority�s personnel is an administrative violation punishable by fines ranging from ROL 15,000,000 to ROL 250,000,000.

Art. 47. The assertion of the administrative violation and the aplication of the penalties provided in this Chapter shall be enforced by the specialised supervisory and regulatory authority�s personnel entrusted with control functions.

Art. 48. The provisions of this Chapter shall be complemented by the provisions of Law No.32/1968 on ascertaining and punishing administrative violations.

CHAPTER NINE
Final provisions

Art. 49. (1) The rating of the fees established by the homologation agencies for the homologation of secure-signature-creation devices and for the additional services shall be freely established, in compliance with the Competition Law no. 21/1996.
(2) The agencies mentioned in 1st paragraph may gather fees with different rates for different geographical areas or for emergency services, for on-line registrations or through the Internet, respecting their own commercial strategies and the legal provisions.
(3) Shall be forbidden for the agencies or their representatives to publish comparative tables, regarding the fees rating, and to adopt any measures that may restrict the commercials regarding the fees rating charged by the agencies for providing their services.

Art. 50. (1) The activities of the homologation agencies are subject to the provisions of the Competition Law No. 21/1996, regarding the establishment of the fees rating for the services provided and regarding the acts or facts that can restrict in any way the competition on the above mentioned services market.
(2) The homologation agencies are also subject to the provisions of the Law no. 11/1991 considering any of its meanwhile modifications, regarding the unfair competition.

Art. 51. The amount of the penalties provided in the low herein will be updated by Government Decision taking account of the evolution
of the inflation rate.

Art. 52. Within a three months period from the publication of this law in the Official Journal of Romania 1st part, the specialised supervisory and regulatory authority shall elaborate the Rules of application of this law.

Art.53. This law enters into force at the date of its publication in the Official Journal of Romania, 1st part and will apply three months after its entry into force.

http://www.legi-internet.ro/en/e-sign.htm







• Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
21.06.2010

This Directive lays down the criteria that form the basis for legal recognition of electronic signatures by focusing on certification services. These comprise the following:

common obligations for certification service providers in order to secure transborder recognition of signatures and certificates throughout the European Community;
common rules on liability to help build confidence among users, who rely on the certificates, and among service providers;
cooperative mechanisms to facilitate transborder recognition of signatures and certificates with third countries.

The Directive defines new ideas:

the electronic signature, data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.
the advanced electronic signature, which meets the following requirements:

- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using means that the signatory can maintain under their sole control;
- it is linked to the data to which it relates in such a manner that any subsequent change in the data is detectable.

the qualified certificate, which must in particular include:

- an indication that it is issued as a qualified certificate;
- the identification of the certification service provider;
- the name of the signatory;
- provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
- signature-verification data corresponding to signature-creation data under the control of the signatory;
- an indication of the beginning and end of the period of validity of the certificate;
- the identity code of the certificate;
- the advanced electronic signature of the issuing certification service provider.

The certificate must also be issued by a certification service provider which meeting specific requirements laid down in the Directive.

Market access

Member States must not make the provision of certification services subject to prior authorisation of any kind.

They may introduce or maintain voluntary accreditation schemes aimed at enhancing levels of certification-service provision.

Member States may not limit the number of accredited certification service providers for reasons which fall within the scope of the Directive.

Member States may make the use of electronic signatures in the public sector subject to possible additional requirements.

Member States may not restrict the provision of certification services originating in another Member State in the areas covered by the Directive.

Legal effects of electronic signatures

The main provision of the Directive states that an advanced electronic signature based on a qualified certificate created by a secure-signature-creation device satisfies the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data (for convenience this type of signature is usually called a “qualified signature”. Although the Directive describes it as such, it does not give a definition for it). It is also admissible as evidence in legal proceedings.

In addition, an electronic signature may not legally be refused simply because:

it is in electronic form;
it is not based on a qualified certificate;
it is not based upon a qualified certificate issued by an accredited certification service provider;
it is not created by a secure signature-creation device.

Liability

Member States must ensure that a certification service provider which issues a qualified certificate is liable vis-à-vis any person who reasonably relies on the certificate for:

the accuracy of all information in the qualified certificate;
compliance with all requirements of the Directive in issuing the qualified certificate;
assurance that the holder identified in the qualified certificate held, at the time of the issuance of the certificate, the signature-creation device corresponding to the signature verification device given or identified in the certificate;
in cases where the certification service provider generates the signature-creation device and the signature-verification device, assurance that the two devices function together in a complementary manner.
The certification service provider must not be liable for damage arising from use of a qualified certificate that exceeds the limitations placed on it.

International aspects

Member States must ensure that mutual legal recognition of qualified certificates and electronic signatures from third countries is applied if certain reliability conditions are met. The Commission may make proposals to ensure that international standards and agreements are fully implemented.

Data protection

Member States must ensure that certification service providers and national bodies responsible for accreditation or supervision comply with Directive 95/46/EC on the protection of personal data.

RELATED ACTS

Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions “Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market”[COM(2008) 798 final – Not published in the Official Journal].

In this communication, the Commission proposes an Action Plan aimed at assisting Member States in implementing mutually recognised and interoperable electronic signatures and e-identification solutions, in order to facilitate the provision of cross-border public services in an electronic environment. This is essential to avoid fragmentation of the single market.

Electronic signatures and e-identification are essential elements in enabling businesses and citizens to access public services. In particular, cross-border access to these services requires interoperable electronic signatures and e-identification solutions at European level. However, different legal, technical and organisational issues hinder the interoperability of identification systems. Similarly, although electronic signatures enjoy legal recognition in Europe as a result of the Directive detailed above, different technical and organisational issues also hinder its interoperability.

The Action Plan is structured in three parts:

actions targeted at improving the interoperability of qualified electronic signatures and advanced electronic signatures based on qualified certificates, which will clarify the regulatory framework and increase confidence in Certification Service Providers established in another country.
actions in the medium term to encourage the interoperability of advanced electronic signatures, which, in particular, would enable the validity of a signature received from another country to be easily verified.
actions in the medium term aimed at making e-identification interoperable.
Commission report of 15 March 2006 on the operation of Directive 1999/93/EC on a Community framework for electronic signatures [COM(2006) 120 final – not published in the Official Journal].

The report indicates that EU Member States have implemented the general principles of the Directive.

The Commission notes that transposition of the Directive into the legislation of the Member States has met the need for the legal recognition of electronic signatures. It therefore considers that the Directive's objectives have been fulfilled and that no need for its revision has emerged at this stage. The Commission nonetheless plans to consult the Member States and relevant stakeholders to address a number of issues, particularly on interoperability problems, technical aspects and standardisation.

The Commission notes that, in the event, there has been far less use of qualified electronic signatures than expected. The main reason for this is economic, in that service providers have little incentive to develop a multi-application electronic signature and prefer to offer solutions for their own services. A number of applications in the future might nonetheless trigger market growth, particularly in relation to eGovernment services.

Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council

[Official Journal L 175, 15.7.2003].
This Decision gives the references of three generally recognised standards for electronic signature products which presume compliance with the qualified electronic signature.

Commission Decision 2000/709/EC of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures [Official Journal L 289 of 16.11.2000].
This Decision sets out the criteria that Member States must take into account when designating national bodies to evaluate the conformity of secure signature-creation devices.

http://europa.eu/legislation_summaries/information_society/l24118_en.htm

• INTERNET LAW - Malta's Electronic Commerce Act
21.06.2010

Malta, a European financial center located in the Southern areas of the Mediterranean Sea, has developed comprehensive e-commerce legislation and is an active e-commerce player. In 2001, Malta's government enacted the Electronic Commerce Act III, which has been amended five times (2002, 2004, 2005 and twice in 2007). This act establishes rules regarding electronic signatures, certification authorities, electronic contracts, consumer protection, and electronic data. This article provides a synopsis of Malta's rules on electronic contracts, electronic signatures and certification services, and computer crimes involving electronic data.

Electronic Contracts

Malta's Electronic Commerce Act III of 2001 (the E-Commerce Act) addresses electronic contracts in Part III, articles 9 through 11. Electronic contracts are valid and will not be denied legal effect, validity or enforceability just because they are celebrated or entered into by electronic means. The offer, acceptance of the offer, subsequent amendments, and cancellation or revocation of the offer may be communicated by electronic means. A contract is concluded when after placing his order the recipient of the service receives from the service provider an acknowledgement of receipt of the order made by the recipient; provided that (1) the service provider's acknowledgement is given without undue delay and by electronic means; and (2) the recipient's order and the acknowledgement of the receipt are deemed to have been received when the parties to whom they are addressed are able to access them. The E-Commerce Act requires originators to provide addressees with effective and accessible means to identify and correct errors and accidental transactions prior to conclusion of electronic contracts. Part IV of the E-Commerce Act, called Transmission of Electronic Communications, is relevant to the conclusion of electronic contracts. It describes the time of dispatch of an electronic communication, the time of receipt, the place of dispatch and receipt, and the attribution of electronic communications.

According to the First Schedule of Article 11, the following are the information requirements that electronic contracts must meet,

(1) "The name and address where the service provider is established;

(2) The electronic-mail address where the service provider can be contracted in a direct manner;

(3) The registration number of the service provider in any trade register or of any professional body if applicable;

(4) Where the activity of the service provider is subject to an authorization, the activities covered by the authorization granted to the service provider and the particulars of the authority providing such authorization;

(5) The Value Added Tax (VAT) registration number of the service provider where the service provider undertakes an activity that is subject to VAT;

(6) The different steps to follow to conclude the contract;

(7) The technical means for identifying and correcting input errors prior to the placing of the order;

(8) The language or languages in which the contract may be concluded;

(9) A statement of whether the concluded contract will be filed by the service provider and whether it will be accessible."

Electronic Signatures and Certification Services

Malta's law recognizes electronic signatures. Part V of the E-Commerce Act addresses signature certification services. The general rule is the provision of signature certification services or services related to electronic signatures do not require prior authorization. However, Minister's regulations may establish and maintain an accreditation scheme that enhances the levels of signature certification services, and designate accreditation authorities.

The Minister may supervise signature certification services that provide qualified certificates. Also, the E-Commerce Act states that those who provide qualified certificates are liable for damages caused to any person who reasonably relies on such certificates. Providers of qualified certificates may limit the use of such certificates provided that those limitations are clear and readily identified as limitations. In this case, the provider shall not be liable for damages caused for uses that did not acknowledge the limitations.

Computer Crimes Involving Electronic Data

The E-Commerce Act also typifies as criminal some acts that violate data security or computer misuse. For instance, those who without authorization use a computer or any other device to access data, software, or documentation held in a computer or in any other computer; or uses, copies, or modifies such data, software, or documents is guilty of an offense. Additionally, any person who outputs or copies any data, software, or supporting documentation from a computer in which it is held or stored, is guilty of a computer crime. Impair the operation of a system or software also constitutes a computer crime under Malta's law. Moreover, altering, taking, installing, moving, erasing, destroying, or adding to any data, software, or supporting document, without authorization, constitutes a computer crime. Disclosing or using another person's password or discovering a code or other access information without authorization constitutes computer misuse crime.

The following are computer crimes when committed without proper authorization (1) modifying computer equipment or supplies used or intended to be used in computer, computer system, or computer network; (2) taking possession of, damaging or destroying computer, computer system, computer network, or computer supplies used or intended to be used in computer, computer systems, or computer networks.

Any of these crimes are sanctioned under Malta law even if committed outside Malta, when they affect computers, computer software, data, or supporting documentation located in Malta or connected to a computer located in Malta

Therefore, it is clear that Malta e-commerce law is in accord with European and international principles regarding electronic contracts, electronic signatures, and data and computer crimes.

http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2233

• INTERNET LAW - Electronic Signature Under the Law of Slovenia
21.06.2010

Under the law of the Republic of Slovenia, electronic signature has been implemented by the Act n. 57/2000 on Electronic Commerce and Electronic Signature. This Act, which complies with the legal framework set by the European Directive 1999/93/EC of December 13, 1999 on Electronic Signature, provides that electronic signature has the same probative value as handwritten signature under certain conditions. This Act also regulates also regulate the activity of Certification Services Providers (CSPs)

The Electronic Commerce and Electronic Signature Act, completed by the Decree n. 77/2000 and 2/2001 on Conditions for Electronic Commerce and Electronic Signing, regulates legal issues that arose from fast technological development and accelerated introduction of e-commerce into the business and public sector of the Republic of Slovenia. The essential purpose of these regulations is to equalize, where it is possible and reasonable, the electronic form of operation with the earlier classical paper operation, and, under special conditions, to recognize to the electronic signature the same validity as the written signature has in the paper world. Thus these regulations have suppressed a variety of legal obstacles for the development of e-commerce in Slovenia

  Pursuant to Article 14 and 15 of the Electronic Commerce and Electronic Signature Act,

1. Electronic signature cannot be denied legal effectiveness or admissibility as evidence solely on the grounds of its electronic form or not being based on a qualified certificate or a certificate issued by an accredited certification service provider or not being created by a secure signature creation device.

2. Advanced electronic signature, verified with qualified certificate, is equal to autographic signature in relation to data in electronic form, and has therefore equal legal effectiveness and admissibility as evidence.

http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1573

• REPUBLIC OF LITHUANIA
14.06.2010

REPUBLIC OF LITHUANIA LAW ON ELECTRONIC SIGNATURE

July 11, 2000. No. VIII – 1822

(amended as of June 6, 2002. No. IX – 934)

Vilnius

CHAPTER I

GENERAL PROVISIONS

            ARTICLE 1. Purpose of the Law

            1. This Law shall regulate the creation, verification, and validity of electronic signature, signature users’ rights and obligations, establish the certification services and requirements of their providers and the rights and functions of the institution of electronic signature supervision.

            2. This Law shall not regulate the use of the signature-creation data, signature- verification data and use of electronic-signature-device to ensure confidentiality of information.

            ARTICLE 2. Basic Definitions of this Law

            1. Person is an enterprise, not having the rights of a legal person, a natural or legal person, including foreign persons.

            2. Electronic Data (hereinafter referred to as-Data) includes all data processed by information technology means.

3. Data Processing includes all operations with data: selection, recording, classification, grouping, accumulation, storing, exchanging, copying, connecting, disclosure, supply, use and destruction.

4. Electronic Signature (hereinafter referred to as-Signature) means data, which are inserted, attached to or logically associated with other data for the purpose of confirming the authenticity of the latter and (or) identification of the signatory.

5. Secure-electronic-signature means signature, which meets all of the requirements indicated in this paragraph:

            1) it is uniquely linked to the signatory;

            2) it is capable of identifying the signatory;

3) it is created using a means that the signatory can maintain under his sole control;

4) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;

           6. Signed-data means data, to which an electronic signature is inserted, attached to or logically associated with.

            7. Signatory means a capable natural person, who holds a signature-creation device and, acting voluntarily either on his own behalf or on behalf of the other person, whom he represents, creates a   signature.

            8. Signature-users means persons, who use electronic signature in their activity or obtain signed data from other persons.

            9. Signature-creation-data means unique data, which are used by the signatory to create a signature.

10. Signature-creation-device means configured computer software and (or) hardware, used to implement the signature-creation data.

11. Secure-signature-creation-device means a signature-creation device which meets all of the requirements laid down in this paragraph:

1) the signature - creation data used for electronic signature generation can practically occur only once, and their secrecy is reasonably assured;

            2) the signature-creation data, used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;

            3) the signature creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others;

            4) in generating the signature, signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.

12. Signature-verification-data means unique data, used in verifying an electronic signature.

13. Signature-verification-device means configured software and (or) hardware used to implement the signature-verification-data.

14. Certificate means an electronic attestation, which links signature-verification data to a signatory and confirms or allows to establish the identity of that signatory.

15. Qualified-certificate means a certificate produced by a certification-service-provider who fulfils the requirements laid down by the Government or its authorised institution. This certificate contains the following data:

            1) notation to indicate that it is a qualified-certificate;

            2) identifiers of the certification-service-provider and his country of residence;

3) name and surname or the pseudonym of the signatory ;

4) specific attributes of the signatory, if that is required considering the projected goals of the certificate’s use;

5) signature-verification data, which corresponds to the signature-creation data under the control of the signatory;

6) periods of the beginning and end of validity of the certificate;

7) certificate identifier, supplied by certification-service-provider;

8) secure-electronic-signature of the certification-service-provider;

9) limitations on the scope of use of the certificate, if applicable;

10) limits of the value of transactions fort which the certificate can be used, if applicable;

            16. Certification-service-provider means an enterprise, not having the rights of a legal person, or a legal person who issues certificates or provides other services related to electronic   signature.

            17. Electronic signature device means configured computer software and (or) hardware or the corresponding component thereof, used by certification service-providers in providing services linked with signature, or which are used in signature creation or verification.

CHAPTER II

SIGNATURE CREATION, VERIFICATION, VALIDITY, RIGHTS AND RESPONSIBILITY OF SIGNATURE-USERS

            ARTICLE 3. Generation of Signature-creation and Verification Data

            1. Following the request by a person, who has decided to use signature in his activities, the certification-service-provider, using an electronic-signature-device, shall create for him signature creation and verification data. This data may be created by the person himself.

            2. A certification-service-provider who issues qualified-certificates must give the signature-creation-data only to the person upon whose request they had been created, without keeping a copy of such for himself and ensuring their secrecy.

            3. Signature-verification-data shall be public. The certification-service-provider shall enter them in the certificate of the signatory and provide it to all signature users. Should the signatory himself have generated the signature-creation and verification data, to issue a certificate, he shall transfer the signature-verification-data to the certification-service-provider.

            ARTICLE 4.   Issuing and Processing of Certificates



1. Certification-service-providers shall issue and process the certificates of signatories.

2. A natural person, requesting the certification-service-provider to issue his certificate, must submit some documents confirming his identity and the other information, which is requested to be included in the certificate.

3. A natural person, upon whose request a certificate has been issued, shall be liable for the authenticity of the documents in accordance with the laws of the Republic of Lithuania.

4. The certification-service-provider shall suspend the validity of the certificate:

            1) upon a request by the signatory;

            2) upon the request by law enforcement institutions authorised by the Government, in seeking to prevent crimes;

            3) upon receiving information that the certificate data is false or that the signatory has lost control of signature-creation data corresponding to his certificate.

            5. Suspension of the validity of the certificate shall be revoked upon obtaining a request by the signatory or a law enforcement institution authorised by the Government, upon the request whereof the validity of the certificate had been suspended. Should the validity of the certificate be suspended for reasons indicated in item 3 of paragraph 4 of this Article, suspension of the validity of the certificate shall be revoked upon the receipt of a request and explanation by the signatory, denying the information received from the certification-service-provider. Failure to receive such a request and explanation within one month of suspension of certificate validity, shall result in revocation of validity of the certificate.

            6.A certification-service-provider shall revoke the validity of the certificate:

                        1) upon a request by the signatory;

            2) upon loss of control by the signatory of signature-creation-data      corresponding to the certificate;

            3) upon the determination that false data have been submitted for issuing the certificate;

            4) based upon the limitations of validity of the certificate, stipulated in the certificate in issuing it;

            5) upon being informed, that the signatory has become incompetent;

            6) upon being informed that the signatory has died;

            7) upon violation by the signatory of the legal acts regulating use of signature or the conditions of the contract with the certification-service-provider;

            8) upon the request of a person, whom the signing person has the right to represent, according to the information indicated on the certificate.

9) other instances established by laws.

7. The signatory must approach the certification-service-provider, who issued his certificate, concerning revocation of the validity of the certificate, if he has lost control of signature-creation-data corresponding to the certificate.

            8.The signing person must immediately inform the certification-service-provider, who issued his certificate of changes in the data, indicated on the certificate, supplying documents which attest this. If informing about the decrease in the scope of the rights, indicated on the certificate, the documents attesting the changes in data shall not be required.

9.The damage incurred as a result of unlawful suspension or revocation of validity of the certificate, must be compensated by the persons responsible for it, according to the laws of the Republic of Lithuania.

            ARTICLE 5. Validity of Foreign State Certificates

1. Qualified-certificates, issued by foreign state certification-service-providers shall be considered legally equivalent to the qualified-certificates issued by the Republic of Lithuania certification-service-providers, if:

1) they are issued by a certification-service-provider, who is accredited in the Republic of Lithuania;

2) they are issued by a certification-service-provider who is accredited in the European Union;

3) the certificate is guaranteed by the certification-service-provider of the

Republic of Lithuania, who corresponds to the requirements established by the Government or an institution authorised by it for certification-service-providers who issue qualified-certificates;

4) the certificate is guaranteed by a certification-service-provider of a European Union Member State, corresponding to the equivalent requirements for certified-service-providers who issue qualified-certificates, established by the Government of the Republic of Lithuania or an institution authorised by it.

2. Those foreign state certification-service-providers and the certificates issued by them, whose recognition is based upon international agreements shall also be recognised in the Republic of Lithuania.

ARTICLE 6. Creation of Signature

1. The signatory shall create a signature by means of a signature-creation-device from the data to be signed and signature-creation-data belonging to him alone.

2. The signatory shall be liable for the protection of signature-creation-data and signature-creation-device.

3. The signatory shall not have the right to transfer signature-creation-data to another natural person.

ARTICLE 7. Verification of Signature

1.Verification of signature means establishment of signed data authenticity and establishment of the validity of signature and identification of the signatory thereof.. The signature shall be verified with signature-verification-device, using signed data and certificate of signatory.

2. The institution of electronic signature supervision shall set the requirements for the procedure of signature verification.

3. The recipients of signed data shall be responsible for verification of the signature and keeping the device being used for this purpose.

ARTICLE 8. Force of Signature

1. A secure-electronic-signature, created by a secure-signature-creation-device and based on a qualified-certificate which is valid, shall have the same legal force that a hand-written signature in written documents has and shall be admissible as evidence in court.

            2. A signature may not be deemed invalid based on any of the grounds listed below, that it is:

            1) in electronic form;

            2) not based upon a qualified-certificate:

            3) not based upon a qualified-certificate issued by an accredited certification-service-provider;

            4) not created by a secure signature-creation device.

            3. In all cases, the electronic signature shall have the legal power laid down in paragraph one of this Article, provided that the signature users shall reach an agreement among themselves.

4. The power of the electronic signature of a legal person shall be given the same recognition as that signed by a representative of the legal person, confirmed by the stamp of the legal person, appearing in written documents, taking into account the power of the electronic signature in accordance with paragraphs one, two and three of this Article.

CHAPTER III

CERTIFICATION SERVICES AND REQUIREMENTS FOR THEIR PROVIDERS

ARTICLE 9. Certification Services

1. Certification-service-providers shall provide these certification services, linked to signature use:

            1) primary - certificate issuing and provision of certificate data to signature users for signature verification;

            2) secondary - creation of the time stamp of signed data, person consultation, person registration to obtain certificates and other services assigned to this category;

2. The institution of electronic signature supervision shall determine the procedure of the provision of secondary services.

ARTICLE 10. Registration of Certification Service Providers

Certification-service-providers of the Republic of Lithuania who issue qualified-certificates, must register with the institution of electronic signature supervision according to the procedure established by the Government or its authorised institution.

ARTICLE 11. Accreditation of Certification-service -providers

1. Certification-service-providers may voluntarily accredit themselves with an institution of electronic signature supervision. Accreditation is the assessment of a certification-service-provider’s ability to perform his functions. Accreditation is not a required condition of certification-service-providers.

2. An institution of electronic signature supervision shall establish the requirements of voluntary accreditation of certification-service-providers and procedure of accreditation.

3. The number of certification-service-providers desirous of accreditation shall be unlimited.

ARTICLE 12. Obligations, Rights and Liability of Certification-service-providers

1. In order to issue a certificate, a signatory shall sign a contract with a certification-service-provider. In drawing up a contract, the certification-service-provider must:

1) inform the signatory regarding the procedure, use and limitations of the certificate and voluntary accreditation of the certification-service-provider;

2) in issuing a signatory’s certificate, require that the person

submit documents confirming his identity;

3) ensure protection of a person’s data, regulated by the Law on

            Legal Protection of Personal Data and other Republic of Lithuania laws.

                        2. A certification-service-provider must:

            1) provide certificate data for signature users for verification of signatures twenty-four hours per day;

            2) suspend or revoke without any delay, the validity of a signatory’s certificate in instances stipulated in paragraphs 4 and 6 of Article 4;

            3) inform without any delay, the signatory concerning the suspension or revocation of his certificate;

            4) revoke without any delay, the suspension of validity of the certificate, upon receiving a request from the signatory or a law enforcement institution authorised by the Government, upon the request whereof it had been suspended.

3. A certification-service-provider who issues qualified-certificates must:

1) collect the information stipulated by the Government or an institution authorised by it, pertaining to certificate processing and replies to inquiries posed by signature users and to keep it for the stipulated length of time;

2) insure own civil responsibility by a sum no less than that stipulated by the institution of electronic signature supervision.

4. A certification-service-provider, who issues qualified-certificates, shall have the right to set limitations of certificate use purpose, limits of the value of transactions, when the certificate may be used, and shall not be liable for the damage suffered by signature users, should the limitations indicated in the certificate have been violated.

5. A certification-service-provider who issues qualified-certificates shall be liable for:

1) accuracy of issued certificate’s data;

2) that the person indicated in the issued certificate is the holder of the signature-creation-data, corresponding to the signature-verification-data indicated in the certificate;

3) correlation between signature-creation-data and signature-verification-data, when he creates both these data, upon the request of the person;

4) suspension or revocation of the validity of the certificate on time.

6. A certification-service-provider, who issues qualified-certificates or guarantees the qualified-certificates issued by other certification-service-providers, shall compensate signature users for inflicted damages, according to the procedure established by laws.

ARTICLE 13. Revocation of Certification Service Provision

1. A certification-service- provider must no later than one month prior to the revocation of certification service, inform of this the signatories, whose certificates he issued and whose certificates are valid, as well as other certification-service-providers, with whom he has signed contracts of guarantee.

2. A certification-service-provider may revoke the validity of all the certificates he issued no earlier than one month after the announcement concerning the projected revocation of certification-service-provision.

3. A certification-service-provider, issuing qualified-certificates, must no later than one month prior to revocation of the certification service, inform the institution of electronic signature supervision, concerning this.

4. A certification-service-provider who issues qualified-certificates must, within one month from the announcement of the projected revocation of certification-service-provision, hand over all of his issued qualified-certificates and information stipulated by the institution of electronic signature supervision, concerning certificate processing and the inquiries by signature users, to a successor of the activity or institution of electronic signature supervision.

CHAPTER IV

SUPERVISION OF ELECTRONIC SIGNATURE

ARTICLE 14. Functions of Institution of Electronic Signature Supervision

            1. An institution authorised by the Government shall perform the functions of electronic signature supervision.

            2. The institution of electronic signature supervision shall:

            1) draft the requirements of signature equipment;

            2) draft the requirements for certification-service-providers issuing qualified-certificates;

            3) establish the requirements of the procedure of signature verification;

            4) establish the requirements and procedure of voluntary accreditation for certification-service-providers;

            5) accredit certification-service-providers;

            6) draft the procedure of registration of certification-service-providers who issue qualified-certificates, register them and openly publish the list thereof in the “Official Gazette;”

            7) supervise how the information linked to qualified-certificate managing and signature users inquiries, collected by a certification-service-provider, is being managed;

            8) revoke by his request, the registration of a certification-service-provider who issues qualified-certificates;

9) establish the procedure of providing secondary certification services;

10) maintain contact with corresponding institutions of electronic

signature supervision abroad exchange information, collect and openly publish it;

             11) prepare annual accounts of the implementation of this Law no later than by the first day of April of each year and submit them to the Government and Seimas.

            12) perform the other functions defined in the by-laws of this institution.

           ARTICLE 15. Rights of Institution of Electronic Signature Supervision

           1. An institution of electronic signature supervision shall have the right to revoke the         accreditation of an accredited certification-service-provider, having established that he violated the requirements set forth for accredited certification-service-providers.

           2. An institution of electronic signature supervision shall have the right to warn a certification-service-provider who issues qualified-certificates and to suspend or annul his registration, upon having established that he has violated the requirements set forth by the Government or its authorised institution, for certification-service-providers who issue qualified-certificates.

3. The decisions adopted by institutions of electronic signature supervision regarding accreditation of an accredited certification-service-provider or the revocation of registration of a certification-service-provider who issues qualified-certificates, shall be appealed in accordance with the procedure established by laws.

CHAPTER V

FINAL PROVISIONS

ARTICLE 16. Implementation of the Law

1. The Government shall approve the legal acts, which are drafted according to sub-paragraphs one, two and six of paragraph two of Article 14 of this Law, by the institution, which manages the electronic signature.

2. Items 2 and 4 of paragraph 1 of Article 5 shall come into force, following the accession of the Republic of Lithuania to the to the European Union.

I promulgate this Law passed by the Seimas of the Republic of Lithuania.

PRESIDENT OF THE REPUBLIC                                        VALDAS ADAMKUS

• Estonia.Digital Signature Act
14.06.2010

Digital Signatures Act

Passed 8 March 2000, (RT* I 2000, 26, 150),amended by the following Acts:

17.12.2003 entered into force 08.01.2004 - RT I 2003, 88, 594;

17.12.2003 entered into force 01.01.2004 - RT I 2003, 88, 591;

19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375;

05.06.2002 entered into force 01.07.2002 - RT I 2002, 53, 336;

06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338;

15.11.2000 entered into force 01.01.2001 - RT I 2000, 92, 597.

Chapter I

General Provisions

§ 1. Scope of application of Act

This Act provides the necessary conditions for using digital signatures and the procedure for exercising supervision over the provision of certification services and time-stamping services.

§ 2. Digital signature

(1)        A digital signature is a data unit, created using a system of technical and organisational means, which a signatory uses to indicate his or her connection to a document.

(2)        A digital signature is created by a signatory using a signature creating device (hereinafter private key) to which a signature verification device (hereinafter public key) uniquely corresponds.

(3)        A digital signature and the system of using the digital signature shall:

1)         enable unique identification of the person in whose name the signature is given;

2)         enable determination of the time at which the signature is given;

3)         link the digital signature to data in such a manner that any subsequent change of the data or the meaning thereof is detectable.

§ 3. Legal consequences of digital signatures

(1)        A digital signature has the same legal consequences as a hand-written signature if these consequences are not restricted by law and if the compliance of the signature with the requirements of subsection 2 (3) of this Act is proved.

(2)        The compliance of a digital signature given according to the principles provided for in Chapters II-V of this Act with the requirements of subsection 2 (3) of this Act need not be proved separately if data and the digital signature enable unique determination of the certificate which contains the public key to which the private key with which the digital signature is given corresponds.

(3)        A digital signature does not have the consequences provided for in subsection (1) of this section if it is proved that the private key was used for giving the signature without the consent of the holder of the corresponding certificate.

(4)        The giving of a digital signature without the consent of the holder of the corresponding certificate is deemed to be proved if the certificate holder proves circumstances which existed and due to which it may be presumed that the signature was given without his or her consent.

(5)        In the cases specified in subsection (3) of this section, the certificate holder shall compensate damage caused to another person who erroneously presumed that the signature was given by the certificate holder, if the private key was used without the consent of the certificate holder due to the intent or gross negligence of the certificate holder.

§ 4. Use of digital signatures

(1)        In relations in private law, digital signatures shall be used according to agreement between the parties.

(2)        In relations in public law, digital signatures shall be used pursuant to this Act and legislation issued on the basis thereof.

(3)        State and local government agencies, legal persons in public law, and persons in private law performing public law functions are required to provide access through the public data communication network to information concerning the possibilities and procedure for using digital signatures in communication with such agencies and persons.

§ 4.1. Application of Administrative Procedure Act

The provisions of the Administrative Procedure Act (RT I 2001, 58, 354; 2002, 53, 336) apply to administrative proceedings prescribed in this Act, taking account of the specifications provided for in this Act.

(19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375)

Chapter II

Certificates

Division 1

Certificates and Requirements for Certificates

§ 5. Certificates

(1)        For the purposes of this Act, a certificate is a document which is issued in order to enable a digital signature to be given and in which a public key is uniquely linked to a natural person.

(2)        A certificate shall set out:

1)         the number of the certificate;

2)         the name of the holder of the certificate;

3)         the public key of the certificate holder;

4)         the period of validity of the certificate;

5)         the issuer and registry code of the issuer;

6)         a description of the limitations on the scope of use of the certificate.

(3)        The issuer of a certificate shall confirm each certificate issued thereby.

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

§ 6. Certificate holder

For the purposes of this Act, a certificate holder is a natural person to whose personal data the public key contained in the certificate is linked in the same certificate.

Division 2

Application for and Issue of Certificates

§ 7. Creation of private and public keys

(1)        A private key and a public key shall be created by an applicant for a certificate or, at his or her request and according to an agreement between the parties, by a certification service provider or another person or agency.

(2)        Persons who create private and public keys for other persons shall not create copies of the keys for themselves or for third parties.

§ 8. Application for certificates

(1)        In order to obtain a certificate, a person (hereinafter applicant for the certificate) shall submit a written application to a certification service provider setting out:

1)         the given name and surname of the applicant for the certificate;

2)         the personal identification code of the applicant for the certificate or, in the absence of a personal identification code, the day, month and year of birth of the applicant for the certificate;

3)         the public key of the applicant for the certificate or an authorisation of the applicant for the certificate to the certification service provider for the creation of a private and public key;

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

4)         the contact details of the applicant for the certificate;

5)         the period of validity of the certificate applied for;

6)         a description of the limitations on the scope of use of the certificate;

7)         other data which the applicant applies to have added to the certificate.

(2)        If the public key of an applicant for a certificate is set out in an application specified in subsection (1) of this section, the applicant for the certificate shall prove that the private key corresponding to the public key is in his or her possession.

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

§ 9. Issuer of certificates

For the purposes of this Act, an issuer of a certificate is a person or agency who issues the certificate and is responsible for the accuracy of the data contained in the certificate.

§ 10. Issue of certificates

(1)        The issuer of a certificate is required to verify that the application submitted in order to apply for the certificate complies with this Act and that the data contained in the application is accurate.

(2)        A certificate shall be issued to a person promptly after entry of the corresponding data in the database of certificates which is maintained by the issuer of the certificate.

(3)        The issuer of a certificate is required to notify the applicant for the certificate of the conditions of use of the certificate, the rights and obligations of the certificate holder, and other circumstances related to the use of the certificate.

Division 3

Period of Validity, and Suspension and Revocation of Certificates

§ 11. Period of validity of certificates

(1)        A certificate is valid as of the beginning of the period of validity set out in the certificate but not before entry of the corresponding data in the database of certificates which is maintained by the issuer of the certificate.

(2)        A certificate expires upon expiry of the period of validity set out in the certificate or upon revocation of the certificate.

§ 12. Suspension of certificates

(1)        A certification service provider has the right to suspend a certificate if the certification service provider has a justified reason to believe that incorrect data has been entered in the certificate or that it is possible to use the private key corresponding to the public key contained in the certificate without the consent of the certificate holder.

(2)        A certification service provider is required to suspend a certificate if this is requested by:

1)         the certificate holder;

2)         the data protection supervision authority or the chief processor of the state register of certificates if there is a justified reason to believe that incorrect data has been entered in the certificate or that it is possible to use the private key corresponding to the public key contained in the certificate without the consent of the certificate holder;

3)         a court, prosecutor’s office or agency which conducts pre-trial investigations in criminal matters in order to combat criminal offences.

(3)        After verification of the legality of the claim for suspension of a certificate, the certification service provider is required to promptly enter the data concerning suspension in the database of certificates which is maintained thereby.

(4)        The certification service provider shall notify the certificate holder promptly of suspension of a certificate.

(5)        Certification service providers are required to maintain records of the time of and bases and applicants for suspension of certificates, and of termination of the suspension of certificates.

(6)        Digital signatures given during the period when the certificate is suspended are invalid.

§ 13. Termination of suspension of certificates

(1)        Suspension of a certificate shall be terminated on the basis of an application by the certificate holder or a person or agency which requests the suspension of the certificate by entry of the corresponding data in the database of certificates which is maintained by the certification service provider which issued the certificate.

(2)        In the cases specified in clause 12 (2) 3) of this Act, the person who initiates the suspension may terminate the suspension of a certificate.

(3)        A certification service provider shall notify the certificate holder promptly of termination of the suspension of the certificate.

§ 14. Revocation of certificates

(1)        The following are the bases for revocation of a certificate:

1)         an application by the certificate holder;

2)         the opportunity for the private key corresponding to the public key set out in the certificate to be used without the consent of the certificate holder;

3)         divestment of the certificate holder of active legal capacity;

4)         declaration of the certificate holder as dead;

5)         the death of the certificate holder;

6)         submission of false data to a certification service provider by the certificate holder in order to obtain the certificate;

7)         termination of the activities of the certification service provider;

8)         other cases provided by law.

(2)        Certificate holders or other persons have the right to request revocation of a certificate by submission of a corresponding application.

(3)        A certificate shall be revoked by a certification service provider who initiates proceedings for revocation promptly after receipt of a corresponding application or upon the existence of another basis provided for in subsection (1) of this section.

§ 15. Proceedings for revocation of certificates

(1)        If the cases set out in clauses 14 (1) 3)-8) of this Act are the reasons for revocation of a certificate, the documents which certify the basis for revocation of the certificate shall be appended to the application.

(2)        Certification service providers are required to verify the legality of applications and the bases for revocation of certificates.

(3)        A certificate expires as of entry of the corresponding data in the database of certificates which is maintained by the certification service provider.

(4)        Certification service providers are required to preserve documents which certify the reasons for revocation of a certificate until the termination of their activities, unless another term is provided for by law.

§ 16. Consequences of suspension and revocation of certificates without legal basis

A person or agency who, without legal basis, intentionally or due to gross negligence causes suspension or revocation of a certificate is required to compensate damage caused by the suspension or revocation of the certificate.

Chapter III

Certification Services and Certification Service Providers

§ 17. Certification services

(1)        The issue of certificates necessary for giving digital signatures, the enabling of verification of digital signatures given on the basis of such certificates, and proceedings for suspension, termination of suspension and revocation of such certificates are certification services.

(2)        Certification is an act as a result of which a certification service provider issues a certificate to an applicant for a certificate.

§ 18. Certification service providers

(1)        The following agencies and persons which are entered in the state register of certificates as service providers and which are registered in the corresponding register in Estonia may be certification service providers:

1)         public limited companies;

2)         private limited companies the share capital of which exceeds 400 000 kroons;

3)         legal persons in public law if this is prescribed in an Act concerning the legal person in public law;

4)         state agencies determined by the Government of the Republic.

(2)        (Repealed - 06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

§ 19. Requirements for certification service providers

(1)        Certification service providers shall comply with the requirements established by this Act and be capable of ensuring reliable certification services in accordance with Acts and legislation issued on the basis of Acts.

(2)        Certification service providers are required to ensure the conduct of an annual information systems audit by the date of entry in the state register of certificates, and to submit the results of the audit to the authorised processor of the state register of certificates.

(3)        Certification service providers shall not have tax arrears or other arrears which endanger the provision of certification services in compliance with the principles provided for in Chapters II-V of this Act.

(4)        Certification service providers are required to insure their activities pursuant to the procedure provided for in § 39 of this Act.

§ 20. Certification principles

(1)        The descriptions of the organisational and technical means which comply with this Act and requirements established on the basis thereof and which are used in certification by certification service providers, and the descriptions of the requirements set for applicants for certificates by certification service providers are certification principles.

(2)        The certification principles of a certification service provider shall set out the following:

1)         the name of the certification service provider;

2)         the address of the seat of the certification service provider;

3)         the procedure for proving the private key corresponding to the public key of the applicant for the certificate;

4)         a description of the technical means used to provide certification services;

5)         the procedure and terms for certification proceedings;

6)         the procedure for review of applications for certificates;

7)         the procedure for issue of certificates;

8)         the mechanisms for description of limitations on the scope of use of certificates;

9)         the procedure for maintaining records of the issued certificates;

10)       the procedure for release of information concerning the validity of certificates;

11)       the procedure for generation and storage of keys;

111)      the procedure for confirmation of the issued certificates;

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

12)       the procedure for suspension and revocation of certificates;

13)       an action plan in case it is possible to imitate the certification service provider or the activities thereof upon provision of services;

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

14)       the technical procedure for suspension, termination of suspension, and revocation of certificates issued by the certification service provider;

15)       the procedure for termination of the provision of certification services;

16)       other circumstances which the certification service provider deems necessary to have provided in the certification principles.

(3)        The certification principles of a state agency which is determined by the Government of the Republic and which provides certification services, and the cost of the services provided by the state agency shall be approved by the head of the state agency.

§ 21. Restrictions on employees of certification service providers

Employees of certification service providers who are involved in providing certification services shall not have a criminal record for an intentionally committed criminal offence.

§ 22. Duties of certification service providers

Certification service providers are required to:

1)         publicise their certification principles and ensure accessibility thereto in the public data communication network;

2)         ensure maintenance of the confidentiality of information not subject to disclosure which becomes known thereto upon the provision of certification services;

3)         maintain records of the certificates issued thereby and the validity thereof;

4)         accept applications for the suspension of certificates twenty-four hours a day;

5)         certify, at the request of an interested person, by the digital signature of a representative thereof the validity of a digital signature given by a private key corresponding to the public key contained in a certificate issued thereby;

6)         ensure that it is possible to verify the validity of certificates in the public data communication network twenty-four hours a day;

7)         preserve documentation related to certification until the termination of their activities;

8)         ensure the conduct of an annual information systems audit and submit the results of the audit to the authorised processor of the state register of certificates;

9)         publicise the conditions of compulsory insurance contracts in the public data communication network.

Chapter IV

Time-stamping Services and Time-stamping Service Providers

§ 23. Definition of time stamp

(1)        A time stamp is a data unit which is created using a system of technical and organisational means which certifies the existence of a document at a given time.

(2)        A time stamp shall be linked to data in such a manner as to preclude the possibility of changing the data undetectably after obtaining a time stamp.

(3)        Time-stamping service providers shall confirm the time stamps issued thereby.

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

§ 24. Time-stamping services

(1)        Time-stamping services are the issue of time stamps necessary to prove the official time and temporal order of digital signatures and the creation of conditions for verification of issued time stamps.

(2)        If it is impossible to determine the official time and temporal order of time stamps issued by different time-stamping service providers, the time stamps are deemed to have been issued simultaneously.

(3)        Time-stamping service providers shall ensure that it is impossible to issue a correct time stamp for a time earlier or later than application therefor or change the order in which time stamps are issued.

§ 25. Time-stamping service providers

The following persons and agencies which are entered in the state register of certificates as corresponding service providers and which are registered in the corresponding register in Estonia may be time-stamping service providers:

1)         public limited companies;

2)         private limited companies the share capital of which exceeds 400 000 kroons;

3)         legal persons in public law if this is prescribed in an Act concerning the legal person in public law;

4)         state agencies determined by the Government of the Republic.

§ 26. Requirements for time-stamping service providers

(1)        Time-stamping service providers shall comply with the requirements established by this Act and be capable of ensuring reliable time-stamping services in accordance with Acts and legislation issued on the basis of Acts.

(2)        Time-stamping service providers are required to ensure the conduct of an annual information systems audit by the date of entry in the state register of certificates, and to submit the results of the audit to the authorised processor of the state register of certificates.

(3)        Time-stamping service providers shall not have tax arrears or other arrears which endanger the provision of time-stamping services in compliance with the principles provided for in Chapters II-V of this Act.

(4)        Time-stamping service providers are required to insure their activities pursuant to the procedure provided for in § 39 of this Act.

§ 27. Time-stamping principles

(1)        The descriptions of operations performed in order to issue and verify time stamps and the descriptions of the technical means used by the time-stamping service providers are time-stamping principles.

(2)        The time-stamping principles of a time-stamping service provider shall set out the following:

1)         the name of the time-stamping service provider;

2)         a description of the technical means used to provide time-stamping services;

3)         the procedure for obtaining and verifying time stamps;

31)        the procedure for confirmation of the issued time stamps;

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

4)         the procedure for maintaining records of the issued time stamps;

5)         the procedure for release of information concerning the issued time stamps;

6)         the procedure for termination of the provision of time-stamping services;

7)         an action plan in case it is possible to imitate the time-stamping service provider or the activities thereof upon provision of services;

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

8)         other circumstances which the time-stamping service provider deems necessary.

§ 28. Duties of time-stamping service providers

Time-stamping service providers are required to:

1)         ensure correct indications of time on time stamps pursuant to the descriptions provided in the time-stamping principles;

2)         maintain records of issued time stamps;

3)         preserve documentation in order to verify issued time stamps;

4)         issue time stamps periodically to the database of time stamps of the state register of certificates pursuant to law and the statutes for maintenance of the state register of certificates;

5)         ensure that it is possible to obtain and verify time stamps in the public data communication network;

6)         ensure the conduct of an annual information systems audit and submit the results of the audit to the authorised processor of the state register of certificates;

7)         publicise the conditions of compulsory insurance contracts in the public data communication network.

§ 29. Restrictions on employees of time-stamping service providers

Employees of time-stamping service providers who are involved in providing certification services shall not have a criminal record for an intentionally committed criminal offence.

Chapter V

Termination of provision of certification services and time-stamping services

§ 30. Termination of provision of certification services and time-stamping services

(1)        The provision of certification services and time-stamping services (hereinafter services) shall be terminated:

1)         by a decision of the service provider;

2)         by a decision of the agency exercising supervision over the provision of services;

3)         by a court judgment;

4)         upon liquidation of the service provider or termination of the activities thereof;

5)         by a Government of the Republic resolution which terminates the provision of services by state agencies specified in clauses 18 (1) 4) and 25 4) of this Act.

(2)        Upon termination of the provision of certification services and time-stamping services, the service provider shall transfer documentation concerning provision of the service to the state register of certificates.

§ 31. Notification of termination of provision of services

(1)        A service provider is required to notify the authorised processor or the chief processor of the state register of certificates promptly of a decision to terminate provision of the service. If the person or agency notifies the authorised processor of the register of the decision to terminate the provision of services, the authorised processor is required to notify the chief processor of the register thereof promptly.

(2)        A service provider is required to notify users of the service thereof of a decision to terminate provision of the service at least one month before termination of provision of the service.

(3)        The chief processor of the state register of certificates shall notify the data protection supervision authority and the state information systems co-ordination authority of any decision to terminate provision of a service.

Chapter VI

State register of certificates

§ 32. State register of certificates

(1)        The state register of certificates is a state register (hereinafter register) established by the Government of the Republic, the purpose for the establishment and introduction of which is to maintain records of service providers and to ensure the comparability of the official time and temporal order of time stamps issued by time-stamping service providers with the precision established by the chief processor of the register.

(2)        The chief processor of the register is the Ministry of Economic Affairs and Communications.

(17.12.2003 entered into force 08.01.2004 - RT I 2003, 88, 594)

(3)       The register comprises:

1)         a database of certification service providers;

2)         a database of time-stamping service providers;

3)         a database of time stamps;

4)         the registry archives.

§ 33. Application for entry of service providers in register

(1)        In order to be registered in a register, a person or agency shall submit the following:

1)         an application for registration of the person or agency as a service provider, which is signed by a legal representative and which sets out the public key (public keys) which the person or agency will begin to use upon the provision of certification services or time-stamping services by the person or agency;

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

2)         the same application in digital form, which is certified pursuant to the procedure for certification of the issued certificates and time stamps and which includes proof concerning possession of private keys used upon provision of certification services or time-stamping services;

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

3)         (Repealed - 19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375)

4)         the certification or time-stamping principles;

5)         (Repealed - 19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375)

6)         the results of the information systems audit;

7)         confirmation concerning the absence of arrears which endanger the provision of services in compliance with the principles provided for in Chapters II-V of this Act.

(19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375)

(2)        An application for the entry of a service provider in the register shall set out the following:

1)         the name of the service provider;

2)         the address of the seat of the service provider;

3)         the registry code of the service provider;

4)         the name, title, personal identification code and contact details of the representative of the service provider;

5)         the telecommunications numbers and addresses of the service provider;

6)         the limitations established on provision of the service.

(3)        The authorised processor of the register is required to verify the accuracy of the submitted data. Additionally, the authorised processor of the register shall verify whether the applicant has paid the state fee, whether the person or agency which provides the service is registered and whether the person owes tax arrears to the Tax and Customs Board.

(19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375; 17.12.2003 entered into force 01.01.2004 - RT I 2003, 88, 591)

(4)        The authorised processor of the register has the right to make inquiries to all state agencies and state and local government databases in order to verify the accuracy of the data submitted by a person or agency.

(5)        Before entry in the register, a person or agency is required to ensure the conduct of an information systems audit, the results of which shall be submitted to the authorised processor of the register. The cost of the information systems audit shall be borne by the person or agency.

§ 34. Registration of service providers

(1)        After verification of the documents, the authorised processor of the register shall decide on the registration of a person or agency in the register as a service provider within five working days after the date of receipt of the documents and data specified in subsections 33 (1) and (2) of this Act and shall communicate the decision to the person or agency.

(19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375)

(2)        If the term provided for in subsection (1) of this section is not sufficient for verification of the submitted data and documents, the chief processor of the register may extend the term up to ten working days.

(3)        After a decision is made to register a person or agency in the register, the person or agency shall submit a copy of an insurance policy which complies with the requirements of § 39 of this Act to the authorised processor after which the person or agency shall promptly be registered as a service provider.

(4)        The authorised processor of the register shall grant a non-recurrent registry code to each service provider entered in the register.

(5)        The authorised processor of the register shall approve the public keys of registered service providers set out in clause 33 (1) 1) of this Act.

(06.06.2001 entered into force 07.07.2001 - RT I 2001, 56, 338)

(6)        Upon termination of the provision of a service, a corresponding application shall be submitted to the authorised processor of the register who shall input data on the termination of provision of the service in the register.

§ 35. Refusal to register service providers

(1)        The authorised processor of the register shall refuse to register a service provider:

1)         if the person or agency does not comply with the requirements provided for in this Act;

2)         if the certification or time-stamping principles are not in compliance with the requirements provided for in this Act;

3)         (Repealed - 19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375)

4)         if the person or agency submits incorrect data to the authorised processor of the register;

5)         if, on the basis of the submitted results of the information systems audit, there is reason to believe that the person or agency is unable to ensure services which are in compliance with the requirements of this Act;

6)         {>if the person or agency has tax arrears, is not registered or has not paid the state fee;

(19.06.2002 entered into force 01.08.2002 - RT I 2002, 61, 375)

7)         in other cases provided by law.

(2)        The authorised processor of the register shall deliver a decision on refusal to register a service provider to the person or agency by post or by electronic means.

• The Law of Ukraine On Electronic Digital Signature
25.05.2003

The Law of Ukraine On Electronic Digital Signature determines legal status of electronic digital signature and regulates relations that arise during use of electronic digital signature. The Law shall not apply to the relations that arise during use of other types of electronic signature, including transfer in a digital form of imprint of own signature.

The subjects of legal relations in the field of services of electronic digital signature are:

signatory;

user;

center for specification of keys;

accredited center for certification of keys;

central attesting body;

certifying center of the body of executive power or other state body;

controlling body.

Electronic digital signature is equaled to own signature by its legal status provided that:

electronic digital signature is confirmed with use of a consolidated certificate of key by means of reliable devices of digital signature;

during the verification a consolidated certificate of key, which is valid for the moment of putting electronic digital signature, was used;

a signatory\\\'s personal key corresponds to the open key indicated in the certificate.

Electronic digital signature is intended for ensuring activity of natural persons and legal entities, which is carried out using electronic documents. Electronic digital signature is used by natural persons and legal entities - subjects of electronic documents circulation for identification of the signatory and confirmation of integrity of data in electronic form.

The use of electronic digital signature does not change the procedure for signing of agreements and other documents, which are set by law, for commitment of legal proceedings in a written form. Notary actions on attestation of authenticity of electronic digital signature on electronic documents are conducted according to the procedure set by law.

Bodies of state power, bodies of local self-government, state-owned enterprises, institutions and organizations use only consolidated certificate of key for attestation of validity of the open key. Other legal entities and natural persons may on contractual basis attest authenticity of opened key by the certificate of key formed by the center for certification of keys, as well as use electronic digital signature without the certificate of key.

The certificate of key contains the following obligatory data:

name and requisites of the center for certification of keys;

indication that the certificate was issued in Ukraine;

unique registration number of the certificate of key;

basic data (requisites) of the signatory - the owner of personal key;

date and time of beginning and end of the term of validity of the certificate, etc.

The signatory is entitled to and shall:

demand cancellation, blocking or renewal of its certificate of key;

appeal actions or inactivity of the center for certification of keys according to judicial proceedings;

keep personal key secret, etc.

The center for certification of keys may be a legal entity regardless of ownership form and should be accredited according to the Law.

The functions of supervisory body are performed by the specially authorized central body of the executive power in the field of cryptographic protection of information. The supervisory body verifies observation of the requirements of this Law by the central certifying body, certifying centers and centers for certification of keys. In the event of non-fulfillment or improper fulfillment of duties the supervisory body shall give instruction to the central certifying body to take actions envisaged by law.

Foreign certificates of keys, which are certified according to the legislation of those states where they were issued, are recognized and valid in Ukraine according to the procedure set by law.

• The Federal Law on Electronic Digital Signature of the Russian Federation
10.01.2002

The Federal Law on the Electronic Digital Signature of the Russian Federation of 10.01.2002

The Federal Law on the Electronic Digital Signature passed in 2002 (the “E-Signature Law”, or the “Law”),sets forth the legal framework for the use of e-signatures in electronic document flows. The Law is based on the following principles:

1.         The e-signature is recognized to be equivalent to the handwritten signature subject to the conditions provided in the Law;

2.         The government supervises commerce in products and services involving e-signatures, by way of certification of e-signature means; and

3.         Information systems are divided into common-use and corporate systems, differing in the degree of government supervision.

Under the E-Signature Law, the e-signature forms a part of an electronic document that is intended to protect the document against forgery. It is generated by cryptographic transformation of the information using a private key, permitting the holder of the e-signature key certificate to be identified, and ascertain the absence of distortion of information from the electronic document.

The procedure of electronic signing provides that three components must be present: two keys, private and public, and the certificate of the signature key. The Law defines them as follows:

The private key is a unique series of symbols known only to the holder of the certificate of the signature key;
The public key is a unique series of symbols corresponding to the private key available to any user of the information system and intended for the verification of the e-signature in the electronic document; and
The certificate of the signature key is a hardcopy or softcopy document electronically signed by an authorized officer of a certification center, which contains the public key and is issued to the user of the information system to verify the e-signature and the identity of the signatory.
The certificate must contain, in particular, the period of its validity, the name of the issuing center, the full name or pseudonym of the holder of the certificate, the public key, other details as may be requested by the certificate holder, and the details of transactions in which electronically signed documents will be legally valid. The latter provision does not appear to be entirely clear. The Law expressly states that it applies to relations arising “upon the execution of transactions under civil law and in other cases provided for by the laws of the Russian Federation”. This provision of the Law may presumably apply to the types of transactions under civil law as are provided for in the Civil Code. But the reference to “other cases opens” a wide scope of relations including various areas where public and private law apply.

A substantial difference between the E-signature Law from a number of its foreign counterparts consists in an attempt to divide all information systems into corporate and common-use systems and establish different legal treatment for each system.

• ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT OF THE USA
01.10.2000

An Act

To facilitate the use of electronic records and signatures in interstate or foreign commerce.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Electronic Signatures in Global and National Commerce Act’’.

TITLE I—ELECTRONIC RECORDS AND SIGNATURES IN COMMERCE

SEC. 101. GENERAL RULE OF VALIDITY.

(a) IN GENERAL.—Notwithstanding any statute, regulation, or other rule of law (other than this title and title II), with respect to any transaction in or affecting interstate or foreign commerce—

(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and

(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

(b) PRESERVATION OF RIGHTS AND OBLIGATIONS.—This title does not—

(1) limit, alter, or otherwise affect any requirement imposed by a statute, regulation, or rule of law relating to the rights and obligations of persons under such statute, regulation, or rule of law other than a requirement that contracts or other records be written, signed, or in nonelectronic form; or

(2) require any person to agree to use or accept electronic records or electronic signatures, other than a governmental

agency with respect to a record other than a contract to which it is a party.

(c) CONSUMER DISCLOSURES.—

(1) CONSENT TO ELECTRONIC RECORDS.—Notwithstanding subsection (a), if a statute, regulation, or other rule of law

requires that information relating to a transaction or transactions in or affecting interstate or foreign commerce be provided or made available to a consumer in writing, the use of an electronic record to provide or make available (whichever is required) such information satisfies the requirement that such information be in writing if—

(A) the consumer has affirmatively consented to such use and has not withdrawn such consent;

(B) the consumer, prior to consenting, is provided with a clear and conspicuous statement—

(i) informing the consumer of (I) any right or option of the consumer to have the record provided or made available on paper or in nonelectronic form, and (II) the right of the consumer to withdraw the consent to have the record provided or made available in an electronic form and of any conditions, consequences (which may include termination of the parties’ relationship), or fees in the event of such withdrawal;

(ii) informing the consumer of whether the consent applies (I) only to the particular transaction which gave rise to the obligation to provide the record, or (II) to identified categories of records that may be provided or made available during the course of the parties’ relationship;

(iii) describing the procedures the consumer must use to withdraw consent as provided in clause (i) and to update information needed to contact the consumer electronically; and

(iv) informing the consumer (I) how, after the consent, the consumer may, upon request, obtain a paper copy of an electronic record, and (II) whether any fee will be charged for such copy;

(C) the consumer—

(i) prior to consenting, is provided with a statement of the hardware and software requirements for access to and retention of the electronic records; and

(ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent; and

(D) after the consent of a consumer in accordance with subparagraph (A), if a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain a subsequent electronic record that was the subject of the consent, the person providing the electronic record—

(i) provides the consumer with a statement of (I) the revised hardware and software requirements for access to and retention of the electronic records, and (II) the right to withdraw consent without the imposition of any fees for such withdrawal and without the imposition of any condition or consequence that was not disclosed under subparagraph (B)(i); and (ii) again complies with subparagraph (C).

(2) OTHER RIGHTS.—

(A) PRESERVATION OF CONSUMER PROTECTIONS.—

Nothing in this title affects the content or timing of any disclosure or other record required to be provided or made available to any consumer under any statute, regulation, or other rule of law.

(B) VERIFICATION OR ACKNOWLEDGMENT.—If a law that was enacted prior to this Act expressly requires a record

to be provided or made available by a specified method that requires verification or acknowledgment of receipt,

the record may be provided or made available electronically only if the method used provides verification or acknowledgment of receipt (whichever is required).

(3) EFFECT OF FAILURE TO OBTAIN ELECTRONIC CONSENT OR CONFIRMATION OF CONSENT.—The legal effectiveness, validity, or enforceability of any contract executed by a consumer shall not be denied solely because of the failure to

obtain electronic consent or confirmation of consent by that consumer in accordance with paragraph (1)(C)(ii).

(4) PROSPECTIVE EFFECT.—Withdrawal of consent by a consumer shall not affect the legal effectiveness, validity, or

enforceability of electronic records provided or made available to that consumer in accordance with paragraph (1) prior to implementation of the consumer’s withdrawal of consent. A consumer’s withdrawal of consent shall be effective within a reasonable period of time after receipt of the withdrawal by the provider of the record. Failure to comply with paragraph (1)(D) may, at the election of the consumer, be treated as a withdrawal of consent for purposes of this paragraph.

(5) PRIOR CONSENT.—This subsection does not apply to any records that are provided or made available to a consumer who has consented prior to the effective date of this title to receive such records in electronic form as permitted by any statute, regulation, or other rule of law.

(6) ORAL COMMUNICATIONS.—An oral communication or a recording of an oral communication shall not qualify as an electronic record for purposes of this subsection except as otherwise provided under applicable law.

(d) RETENTION OF CONTRACTS AND RECORDS.—

(1) ACCURACY AND ACCESSIBILITY.—If a statute, regulation, or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be retained, that requirement is met by retaining an electronic record of the information in the contract or other record that—

(A) accurately reflects the information set forth in the contract or other record; and

(B) remains accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later

reference, whether by transmission, printing, or otherwise.

(2) EXCEPTION.—A requirement to retain a contract or other record in accordance with paragraph (1) does not apply to any information whose sole purpose is to enable the contract or other record to be sent, communicated, or received.

(3) ORIGINALS.—If a statute, regulation, or other rule of law requires a contract or other record relating to a transaction in or affecting interstate or foreign commerce to be provided, available, or retained in its original form, or provides consequences if the contract or other record is not provided, available, or retained in its original form, that statute, regulation, or rule of law is satisfied by an electronic record that complies with paragraph (1).

(4) CHECKS.—If a statute, regulation, or other rule of law requires the retention of a check, that requirement is satisfied by retention of an electronic record of the information on the front and back of the check in accordance with paragraph (1).

(e) ACCURACY AND ABILITY TO RETAIN CONTRACTS AND OTHER RECORDS.—Notwithstanding subsection (a), if a statute, regulation, or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be in writing, the legal effect, validity, or enforceability of an electronic record of such contract or other record may be denied if such electronic record is not in a form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled to retain the contract or other record.

(f) PROXIMITY.—Nothing in this title affects the proximity required by any statute, regulation, or other rule of law with respect to any warning, notice, disclosure, or other record required to be posted, displayed, or publicly affixed.

(g) NOTARIZATION AND ACKNOWLEDGMENT.—If a statute, regulation, or other rule of law requires a signature or record relating to a transaction in or affecting interstate or foreign commerce to be notarized, acknowledged, verified, or made under oath, that requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable statute, regulation, or rule of law, is attached to or logically associated with the signature or record.

(h) ELECTRONIC AGENTS.—A contract or other record relating to a transaction in or affecting interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action of one or more electronic agents so long as the action of any such electronic agent is legally attributable to the person to be bound.

(i) INSURANCE.—It is the specific intent of the Congress that this title and title II apply to the business of insurance.

(j) INSURANCE AGENTS AND BROKERS.—An insurance agent or broker acting under the direction of a party that enters into a contract by means of an electronic record or electronic signature may not be held liable for any deficiency in the electronic procedures agreed to by the parties under that contract if—

(1) the agent or broker has not engaged in negligent, reckless, or intentional tortious conduct;

(2) the agent or broker was not involved in the development or establishment of such electronic procedures; and

(3) the agent or broker did not deviate from such procedures.

SEC. 102. EXEMPTION TO PREEMPTION.

(a) IN GENERAL.—A State statute, regulation, or other rule of law may modify, limit, or supersede the provisions of section 101 with respect to State law only if such statute, regulation, or rule of law--(1) constitutes an enactment or adoption of the Uniform Electronic Transactions Act as approved and recommended for enactment in all the States by the National Conference of Commissioners on Uniform State Laws in 1999, except that any exception to the scope of such Act enacted by a State under section 3(b)(4) of such Act shall be preempted to the extent such exception is inconsistent with this title or title II, or would not be permitted under paragraph (2)(A)(ii) of this subsection; or (2)(A) specifies the alternative procedures or requirements for the use or acceptance (or both) of electronic records or electronic signatures to establish the legal effect, validity, or enforceability of contracts or other records, if—

(i) such alternative procedures or requirements are consistent with this title and title II; and

(ii) such alternative procedures or requirements do not require, or accord greater legal status or effect to, the

implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures;

and (B) if enacted or adopted after the date of the enactment of this Act, makes specific reference to this Act.

(b) EXCEPTIONS FOR ACTIONS BY STATES AS MARKET PARTICIPANTS.— Subsection (a)(2)(A)(ii) shall not apply to the statutes, regulations, or other rules of law governing procurement by any State, or any agency or instrumentality thereof.

(c) PREVENTION OF CIRCUMVENTION.—Subsection (a) does not permit a State to circumvent this title or title II through the imposition of nonelectronic delivery methods under section 8(b)(2) of the Uniform Electronic Transactions Act.

SEC. 103. SPECIFIC EXCEPTIONS.

(a) EXCEPTED REQUIREMENTS.—The provisions of section 101 shall not apply to a contract or other record to the extent it is governed by— (1) a statute, regulation, or other rule of law governing the creation and execution of wills, codicils, or testamentary trusts; (2) a State statute, regulation, or other rule of law governing adoption, divorce, or other matters of family law; or (3) the Uniform Commercial Code, as in effect in any State, other than sections 1–107 and 1–206 and Articles 2 and 2A.

Search

News subjects

Electronic Documents Law

Chapter I General Provisions

Electronic Documents Law

Chapter I General Provisions

Chapter I
General Provisions

Chapter I
General Provisions