Electronic Transactions Bill
Facilitate the use of electronic transactions for commercial and other purposes, to provide for matters arising from and related to such use, to enable the Postmaster General to provide the services of a certification authority and to provide for connected purposes.
Enacted by the Legislative Council.
PART I
Preliminary
1. Short title and commencement
(1) This Ordinance may be cited as the Electronic Transactions Ordinance.
(2) This Ordinance shall come into operation on a day to be appointed by the Secretary for Information Technology and Broadcasting by notice in the Gazette.
2. Interpretation
(1) In this Ordinance, unless the context otherwise requires---
"accept a certificate" (接受證書), in relation to a person to whom a certificate is issued, means that the person while having notice of the contents of the certificate---
(a) authorizes the publication of the certificate to one or more persons or in a repository; or
(b) otherwise demonstrates the approval of the certificate;
"addressee" (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary;
"asymmetric cryptosystem" (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature;
"certificate" (證書) means a record which---
(a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair;
(b) identifies the certification authority issuing it;
(c) names or identifies the person to whom it is issued;
(d) contains the public key of the person to whom it is issued; and
(e) is signed by a responsible officer of the certification authority issuing it;
"certification authority" (核證機關) means a person who issues a certificate to a person (who may be another certification authority);
"certification authority disclosure record" (核證機關披露紀錄), in relation to a recognized certification authority, means an on-line and publicly accessible record maintained by the Director in respect of that certification authority, which contains information relevant for the purposes of this Ordinance, regarding that certification authority;
"certification practice statement" (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates;
"code of practice" (業務守則) means a code of practice issued under section 39;
"correspond" (對應), in relation to private or public keys, means to belong to the same key pair;
"digital signature" (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine---
(a) whether the transformation was generated using the private key that corresponds to the signer's public key; and
(b) whether the initial electronic record has been altered since the transformation was generated;
"Director" (署長) means the Director of Information Technology Services;
"electronic record" (電子紀錄) means a record generated in digital form by an information system, which can be---
(a) transmitted within an information system or from one information system to another; and
(b) stored in an information system or other medium;
"electronic signature" (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record;
"hash function" (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that---
(a) a record yields the same hash result every time the algorithm is executed using the same record as input;
(b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and
(c) it is computationally not feasible that 2 records can be found to produce the same hash result using the algorithm;
"information" (資訊) includes data, text, images, sound codes, computer programmes, software and databases;
"information system" (資訊系統) means a system which---
(a) automatically processes information;
(b) automatically records information;
(c) can be used to cause information to be automatically recorded, stored or otherwise processed in other information systems (wherever situated); and
(d) can be used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated);
"intermediary" (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record;
"issue" (發出), in relation to a certificate, means the act of a certification authority of creating a certificate and notifying of its contents to the person named or identified in that certificate as the person to whom it is issued;
"key pair" (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates;
"originator" (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary;
"Postmaster General" (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap. 98);
"private key" (私人密碼匙) means the key of a key pair used to generate a digital signature;
"public key" (公開密碼匙) means the key of a key pair used to verify a digital signature;
"recognized certificate" (認可證書) means---
(a) a certificate recognized under section 21;
(b) a certificate of a type, class or description of certificate recognized under section 21;
(c) a certificate issued by the certification authority referred to in section 28;
"recognized certification authority" (認可核證機關) means a certification authority recognized under section 20 or a certification authority referred to in section 28;
"record" (記錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form;
"reliance limit" (倚據限額) means the monetary limit specified for reliance on a recognized certificate;
"repository" (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates;
"responsible officer" (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance;
"rule of law" (法律規則) means---
(a) an Ordinance; or
(b) a rule of common law or equity;
"Secretary" (局長) means the Secretary for Information Technology and Broadcasting;
"sign" and "signature" (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record;
"subscriber" (登記人) means a person (who may be a certification authority) who---
(a) is named or identified in a certificate as the person to whom the certificate is issued;
(b) has accepted that certificate; and
(c) holds a private key which corresponds to a public key listed in that certificate;
"trustworthy system" (穩當系統) means computer hardware, software and procedures that---
(a) are reasonably secure from intrusion and misuse;
(b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time;
(c) are reasonably suitable for performing their intended function; and
(d) adhere to generally accepted security procedures;
"verify a digital signature" (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to determine that---
(a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and
(b) the electronic record has not been altered since its digital signature was generated,
and any reference to a digital signature being verifiable is to be construed accordingly.
(2) For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer.
PART II
Application
3. Matters to which sections 5, 6, 7, 8 and 16 are not applicable
Sections 5, 6, 7, 8 and 16 do not apply to any---
(a) requirement or permission to give or present information in writing;
(b) requirement for the signature of a person;
(c) requirement for information to be presented or retained in its original form;
(d) requirement for documents, records or information to be retained,
under a rule of law in a matter or for an act set out in Schedule 1, unless that rule of law expressly provides otherwise.
4. Rules of law and electronic transactions to which Ordinance applies
Subject to the exceptions in this Ordinance, this Ordinance applies to---
(a) a rule of law irrespective of whether the rule of law is applicable to an individual, public body (whether or not it is a public body within the meaning of section 3 of the Interpretation and General Clauses Ordinance (Cap. 1)), public authority, private body, organ or any other person; or
(b) a transaction executed by means of electronic records irrespective of whether an individual, public body (whether or not it is a public body within the meaning of section 3 of the Interpretation and General Clauses Ordinance (Cap. 1)), public authority, private body, organ or any other person is a party to the transaction.
PART III
Electronic Records and Digital Signatures
5. Requirement for writing
(1) If a rule of law requires information to be in writing, given or presented in writing or provides for certain consequences if it is not, an electronic record satisfies that rule of law if the information contained in the electronic record is accessible so as to be usable for subsequent reference.
(2) If a rule of law permits information to be given or presented in writing, the information may be given or presented in the form of an electronic record if the information contained in the electronic record is accessible so as to be usable for subsequent reference.
6. Digital signatures
(1) If a rule of law requires the signature of a person or provides for certain consequences if a document is not signed by a person, a digital signature of the person satisfies that rule of law but only if the digital signature is supported by a recognized certificate and is generated within the validity of that certificate.
(2) In subsection (1), "within the validity of that certificate" (在該證書的有效期內) means that at the time the digital signature is generated---
(a) the recognition of the recognized certificate is not revoked or suspended;
(b) if the Director has specified a period of validity for the recognition of the recognized certificate, the certificate is within that period; and
(c) if the recognized certification authority has specified a period of validity for the recognized certificate, the certificate is within that period.
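The s.2 definitions of "digital signature", "hash function" and "verify a digital signature", together with the three-limb test in s.6(2), can be modelled directly. The following is an added Python illustration, not part of the Bill and not any certification authority's software; it uses textbook RSA with constructed small primes, and the Certificate and Recognition classes are assumed layouts for the data the Bill says a certificate and the Director's disclosure record carry.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed toy RSA parameters: two small primes and no padding scheme.
# They only serve to show the s.2 mechanics; they are not a usable key size.
_P, _Q, _E = 1000003, 1000033, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))        # private exponent (Python 3.8+)
PUBLIC_KEY: Tuple[int, int] = (_N, _E)       # s.2 "public key": verifies
PRIVATE_KEY: Tuple[int, int] = (_N, _D)      # s.2 "private key": generates


def hash_record(record: bytes) -> int:
    """s.2 "hash function": same input gives the same result, the input cannot
    be recovered from the result, and two inputs with one result are infeasible
    to find.  SHA-256 is reduced mod N only because the toy modulus is tiny."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % _N


def sign(record: bytes, private_key: Tuple[int, int] = PRIVATE_KEY) -> int:
    """s.2 "digital signature": the record's hash transformed with the private
    key of an asymmetric cryptosystem."""
    n, d = private_key
    return pow(hash_record(record), d, n)


def verify_digital_signature(record: bytes, signature: int,
                             public_key: Tuple[int, int]) -> bool:
    """s.2 "verify a digital signature": decide (a) whether the transformation
    was made with the private key corresponding to this public key and
    (b) whether the record is unaltered.  Undoing the transformation with the
    public key must reproduce the hash of the record as now presented; any
    other key or any altered byte makes the comparison fail."""
    n, e = public_key
    return pow(signature, e, n) == hash_record(record)


@dataclass
class Certificate:
    """Assumed layout for an s.2 "certificate": issuing CA, subscriber, the
    subscriber's public key and the CA-specified validity period (s.6(2)(c)).
    Dates are ISO strings (YYYY-MM-DD)."""
    issuer: str
    subscriber: str
    public_key: Tuple[int, int]
    valid_from: str
    valid_to: str


@dataclass
class Recognition:
    """Assumed layout for the recognition status the Director's disclosure
    record would expose: revocation or suspension (s.6(2)(a)) and any
    Director-specified period of validity (s.6(2)(b))."""
    revoked: bool = False
    suspended: bool = False
    valid_from: Optional[str] = None
    valid_to: Optional[str] = None


def _in_period(start: str, end: str, at: str) -> bool:
    return date.fromisoformat(start) <= date.fromisoformat(at) <= date.fromisoformat(end)


def within_validity(cert: Certificate, rec: Recognition, signed_on: str) -> bool:
    """s.6(2): every limb is tested as at the time the signature is generated."""
    if rec.revoked or rec.suspended:                       # limb (a)
        return False
    if rec.valid_from is not None and rec.valid_to is not None:
        if not _in_period(rec.valid_from, rec.valid_to, signed_on):
            return False                                   # limb (b)
    return _in_period(cert.valid_from, cert.valid_to, signed_on)   # limb (c)


def satisfies_section_6(record: bytes, signature: int, cert: Certificate,
                        rec: Recognition, signed_on: str) -> bool:
    """s.6(1): the signature must verify against the public key listed in the
    certificate AND the certificate must be within validity when generated.
    A signature that verifies mathematically still fails if the recognition
    is suspended, revoked, or outside either specified period."""
    return (verify_digital_signature(record, signature, cert.public_key)
            and within_validity(cert, rec, signed_on))


if __name__ == "__main__":
    record = b"constructed electronic record: offer to sell 10 units"
    cert = Certificate("Toy CA", "subscriber-1", PUBLIC_KEY, "2000-01-01", "2000-12-31")
    sig = sign(record)
    print(satisfies_section_6(record, sig, cert, Recognition(), "2000-06-01"))               # True
    print(satisfies_section_6(record, sig, cert, Recognition(suspended=True), "2000-06-01"))  # False
```

The separation matters in practice: a relying party that only runs the mathematical check and never consults the recognition status accepts signatures the Ordinance does not treat as satisfying a signature requirement.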
7. Presentation or retention of information in its original form
(1) Where a rule of law requires that certain information be presented or retained in its original form, that rule of law is satisfied by presenting or retaining the information in the form of electronic records if---
(a) there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form as an electronic record; and
(b) where it is required that information be presented, the information is capable of being displayed in a legible form to the person to whom it is to be presented.
(2) For the purposes of subsection (1)(a)---
(a) the criterion for assessing the integrity of the information is whether the information has remained complete and unaltered, apart from the addition of any endorsement or any change which arises in the normal course of communication, storage or display; and
(b) the standard for reliability of the assurance is to be assessed having regard to the purpose for which the information was generated and all the other relevant circumstances.
(3) This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being presented or retained in its original form.
8. Retention of information in electronic records
(1) Where a rule of law requires certain documents, records or information to be retained, whether in writing or otherwise, that rule of law is satisfied by retaining electronic records, if---
(a) the information or the information contained in the document or record remains accessible so as to be usable for subsequent reference;
(b) the relevant electronic record is retained in the form in which it was originally generated, sent or received, or in a form which can be demonstrated to represent accurately the information originally generated, sent or received; and
(c) the information which enables the identification of the origin and destination of the electronic record and the date and time when it was sent or received, is retained.
(2) This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being retained.
9. Admissibility of electronic records
Without prejudice to any rules of evidence, an electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record.
10. Construction of this Part subject to Part IV
This Part is to be construed subject to Part IV.
PART IV
Limitations on Operation of Sections 5, 6, 7 and 8
11. Secretary may make orders excluding application of section 5, 6, 7 or 8
(1) The Secretary may by order published in the Gazette exclude a rule of law or a particular requirement or permission in a rule of law or a class or description of requirements or permissions in a rule of law, to which this Ordinance would otherwise apply, from the application of section 5, 6, 7 or 8.
(2) The Secretary may, in relation to any rule of law to which this Ordinance applies, specify by notice published in the Gazette---
(a) the manner and format in which information in the form of an electronic record is to be given, presented or retained for the purposes of any rule of law or a particular requirement or permission in a rule of law or a class or description of requirements or permissions in a rule of law; and
(b) the procedure and criteria for verification of the receipt of that information and for ensuring the integrity and confidentiality of the information.
(3) The Secretary may specify different requirements under subsection (2)(a) or (b) in relation to persons of different classes or descriptions.
(4) An order under subsection (1) is subsidiary legislation.
(5) A notice under subsection (2) is not subsidiary legislation.
(6) In this section, "manner and format" (方式及規格) includes requirements as to software, communication, data storage, how the electronic record is to be generated, sent, stored or received and where a signature is required, the type of signature and how the signature is to be affixed to the electronic record.
12. Electronic record to comply with specified requirements to satisfy sections 5, 6, 7 and 8
If the Secretary has specified any requirement under section 11(2) in relation to any rule of law, the information given, presented or retained or the signature executed, as the case may require, for the purpose of the rule of law does not satisfy that rule of law unless it complies with the specified requirements.
13. Rules of court or procedure only to apply where relevant authority provides for application
(1) Section 5, 6, 7 or 8 does not apply in relation to information given, presented or retained or signatures required for the purposes of any proceedings set out in Schedule 2, unless any rule of law relating to those proceedings provides for its application.
(2) Subsection (1) is not to be construed as affecting any provision in a rule of law referred to in that subsection, requiring or permitting, otherwise than by reference to this Ordinance, the use of electronic records or electronic signatures for the purposes of the proceedings to which the rule of law relates.
(3) Any authority given by a rule of law to make rules (however described) for the purpose of any proceedings set out in Schedule 2 is to be construed as including a power to provide for---
(a) the application of section 5, 6, 7 or 8; and
(b) the specification of the matters referred to in section 11(2)(a) and (b), by subsidiary legislation or otherwise, consequent to such application.
14. Sections 5, 6, 7 and 8 not to affect specific provisions as to electronic records in other Ordinances
If an Ordinance requires or permits giving, presenting or retaining information in the form of an electronic record or the authentication of information by an electronic signature for the purposes of that Ordinance, but contains an express provision which---
(a) specifies requirements, procedures or other specifications for that purpose;
(b) requires the use of a specified service; or
(c) confers a discretion on a person whether or when to accept electronic records or electronic signatures for that purpose,
section 5, 6, 7 or 8 is not to be construed as affecting that express provision.
15. Sections 5, 6, 7 and 8 not to have effect if their operation affects other statutory requirements
(1) If the effect of section 5 on a rule of law is such that any other requirement in that rule of law or a related rule of law (that is a requirement other than the requirement or permission to give or present information in writing) cannot be complied with due to the operation of that section, section 5 does not apply to that rule of law.
(2) If the effect of section 6 on a rule of law is such that any other requirement in that rule of law or a related rule of law (that is a requirement other than the requirement for the signature of a person) cannot be complied with due to the operation of that section, section 6 does not apply to that rule of law.
(3) If the effect of section 7 on a rule of law is such that any other requirement in that rule of law or a related rule of law (that is a requirement other than the requirement for information to be presented or retained in its original form) cannot be complied with due to the operation of that section, section 7 does not apply to that rule of law.
(4) If the effect of section 8 on a rule of law is such that any other requirement in that rule of law or a related rule of law (that is a requirement other than the requirement for documents, records or information to be retained) cannot be complied with due to the operation of that section, section 8 does not apply to that rule of law.
PART V
Electronic Contracts
16. Formation and validity of electronic contracts
(1) For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of electronic records.
(2) Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose.
PART VI
Attribution of Sending and Receiving Electronic Records
17. Attribution of electronic record
(1) Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is that of the originator if it was---
(a) sent by the originator;
(b) sent with the authority of the originator; or
(c) sent by an information system programmed by or on behalf of the originator to operate and to send the electronic record automatically.
(2) Nothing in subsection (1) is to affect the law of agency or the law on the formation of contracts.
18. Sending and receiving electronic records
(1) Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is sent when it is accepted by an information system outside the control of the originator or of the person who sent the electronic record on behalf of the originator.
(2) Unless otherwise agreed between the originator and the addressee of an electronic record, the time of receipt of an electronic record is determined as follows---
(a) if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs---
(i) at the time when the electronic record is accepted by the designated information system; or
(ii) if the electronic record is sent to an information system of the addressee that is not the designated information system, at the time when the electronic record comes to the attention of the addressee;
(b) if the addressee has not designated an information system, receipt occurs when the electronic record comes to the attention of the addressee.
(3) Subsections (1) and (2) apply notwithstanding that the place where the information system is located is different from the place where the electronic record is taken to have been sent or received under subsection (4).
(4) Unless otherwise agreed between the originator and the addressee, an electronic record is taken to have been---
(a) sent at the place of business of the originator; and
(b) received at the place of business of the addressee.
(5) For the purposes of subsection (4)---
(a) if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction, or where there is no underlying transaction, the principal place of business of the originator or the addressee, as the case may be;
(b) if the originator or the addressee does not have a place of business, the place of business is the place where the originator or the addressee ordinarily resides.
(6) Where the originator and the addressee are in different time zones, time refers to Universal Standard Time.
PART VII
Recognition of Certification Authorities and Certificates by Director
19. Certification authority may apply to Director for recognition
(1) A certification authority may apply to the Director to become a recognized certification authority for the purposes of this Ordinance.
(2) Subject to subsection (4) and section 20(2), an application under subsection (1) must be made in the prescribed manner and in a form specified by the Director and the applicant must pay the prescribed fee in respect of the application.
(3) An applicant must furnish to the Director---
(a) the prescribed particulars and documents, if any; and
(b) a report which---
(i) certifies that the applicant is capable of complying with the provisions of this Ordinance applicable to a recognized certification authority and any code of practice; and
(ii) is prepared by a person acceptable to the Director as being qualified to give such a report.
(4) The Director may waive---
(a) the requirements as to manner and form of making the application in subsection (2); or
(b) the requirement of a report under subsection (3),
in relation to a certification authority, if the Director considers it appropriate to do so.
20. Director may on application recognize certification authorities
(1) The Director may---
(a) recognize an applicant under section 19 as a recognized certification authority if the Director is satisfied that the applicant is suitable for such recognition; or
(b) refuse the application for recognition.
(2) The Director may, in recognizing a certification authority referred to in section 19(4), waive the whole or part of the prescribed fee as the Director may decide in relation to a particular case.
(3) In determining whether an applicant is suitable for recognition under subsection (1), the Director shall, in addition to any other matter the Director considers relevant, take into account the following---
(a) the financial status of the applicant;
(b) the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of this Ordinance;
(c) the system, procedure and standard used or proposed to be used by the applicant to issue certificates to subscribers;
(d) the report referred to in section 19(3)(b) (if applicable);
(e) whether the applicant and the responsible officers are fit and proper persons; and
(f) the reliance limits set or proposed to be set by the applicant for its certificates.
(4) In determining whether a person referred to in subsection (3)(e) is a fit and proper person, the Director, in addition to any other matter the Director considers relevant, shall have regard to the following---
(a) the fact that the person has a conviction in Hong Kong or elsewhere for an offence for which it was necessary to find that the person had acted fraudulently, corruptly or dishonestly;
(b) the fact that the person has been convicted of an offence against this Ordinance;
(c) if the person is an individual, the fact that the person is an undischarged bankrupt or has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap. 6) within the 5 years preceding the date of the application; and
(d) if the person is a body corporate, the fact that the person is in liquidation, is the subject of a winding-up order or there is a receiver appointed in relation to it or it has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap. 6) within the 5 years preceding the date of the application.
(5) In recognizing a certification authority under subsection (1), the Director may---
(a) attach conditions to the recognition; or
(b) specify a period of validity for the recognition.
21. Director may recognize certificates
(1) The Director may recognize certificates issued by a recognized certification authority as recognized certificates, upon application by that authority.
(2) A recognition under subsection (1) may relate to---
(a) all certificates issued by the recognized certification authority;
(b) certificates of a type, class or description; or
(c) particular certificates.
(3) An applicant must pay the prescribed fee (if any) in respect of an application under subsection (1) unless the Director waives it in whole or in part.
(4) In recognizing certificates under this section, the Director shall in addition to any other matter the Director considers relevant take into account the following---
(a) whether the certificates are issued in accordance with the certification practice statement;
(b) whether the certificates are issued in accordance with the code of practice;
(c) the reliance limit set or proposed to be set for that type, class or description or the particular certificate, as the case may require; and
(d) the arrangements put in place or proposed to be put in place by the certification authority to cover any liability that may arise from the issue of that type, class or description or the particular certificate, as the case may be.
(5) The Director may refuse an application under subsection (1).
(6) The Director may specify a period of validity for a recognition under this section.
(7) The Director may upon application renew a recognition under this section.
(8) Subsections (2), (3), (4), (5) and (6) apply to a renewal under subsection (7), subject to necessary modifications.
22. Revocation of recognition
(1) The Director may revoke a recognition granted under section 20 or 21 or renewed under section 21 or 26.
(2) Before revoking a recognition, the Director must give the certification authority notice in writing of the intention to do so and the reasons for the intended revocation.
(3) In a notice under subsection (2), the Director must invite the certification authority to make representations as to why the recognition should not be revoked and specify a period for making the representations.
(4) If the Director decides to revoke the recognition, the Director must inform the certification authority of the decision by notice in writing.
(5) A revocation of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate.
(6) Subject to subsection (7), a revocation takes effect on the expiry of 7 days from the date on which the notice under subsection (4) is served on the certification authority.
(7) If the certification authority appeals under section 27 against the revocation, the revocation does not take effect until the expiry of 7 days from the date on which the Secretary confirms the revocation on appeal.
(8) Where the revocation of a recognition has taken effect, the Director must, as soon as practicable, give notice of the revocation---
(a) in one English language daily newspaper and one Chinese language daily newspaper in circulation in Hong Kong for at least 3 consecutive days; and
(b) in the certification authority disclosure record maintained for that certification authority.
(9) The validity of a revocation is not affected by non-compliance with subsection (8).
23. Director may suspend recognition
(1) The Director may suspend a recognition granted under section 20 or 21 or renewed under section 21 or 26 for a period not exceeding 14 days by serving a notice of suspension on the certification authority. The Director must in the notice give reasons for the suspension.
(2) A suspension of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate.
(3) If the certification authority appeals under section 27 against the suspension, the suspension does not take effect until the expiry of 7 days from the date on which the Secretary confirms the suspension on appeal.
(4) A suspension takes effect 7 days from the date the notice of suspension is served on the certification authority.
(5) If the period of suspension expires during the validity of a recognition and the recognition is not revoked, the recognition is taken to be reinstated.
(6) Where the suspension of a recognition has taken effect, the Director must, as soon as practicable, give notice of the suspension---
(a) in one English language daily newspaper and one Chinese language daily newspaper in circulation in Hong Kong for at least 3 consecutive days; and
(b) in the certification authority disclosure record maintained for that certification authority.
(7) The validity of a suspension is not affected by non-compliance with subsection (6).
24. Matters Director may take into account in revoking or suspending a recognition
The Director may, in revoking or suspending a recognition under section 22 or 23, in addition to any other matter that the Director considers relevant, take into account the following---
(a) any matter set out in section 20(3);
(b) whether the certification authority has failed---
(i) to operate in accordance with the certification practice statement;
(ii) to comply with the code of practice;
(iii) to use a trustworthy system; or
(iv) to comply with any provision of this Ordinance; and
(c) the results of the audit conducted under section 37.
25. Effect of revocation, suspension of recognition or expiry of validity of recognized certificate
(1) Where the revocation or suspension of a recognition of a certification authority has taken effect, the provisions of this Ordinance relating to---
(a) a recognized certification authority do not apply to that certification authority;
(b) recognized certificates issued by a recognized certification authority, do not apply to the certificates issued by that certification authority; and
(c) digital signatures supported by a recognized certificate issued by a recognized certification authority, do not apply to the digital signatures supported by the certificates issued by that certification authority.
(2) Where the revocation or suspension of the recognition of recognized certificates has taken effect, the provisions of this Ordinance relating to a recognized certificate or digital signatures supported by a recognized certificate do not apply to---
(a) the certificate of which the recognition is revoked or suspended;
(b) any certificate of the type, class or description of certificate the recognition of which is revoked or suspended;
(c) digital signatures supported by that certificate or a certificate of that type, class or description,
as the case may be.
(3) Subsection (1) or (2) is not to be construed as affecting the validity of---
(a) a recognized certificate used before the revocation or suspension taking effect or after reinstatement of a suspended recognition; or
(b) the digital signatures supported by such a recognized certificate before the revocation or suspension taking effect or after reinstatement of a suspended recognition.
(4) Where the validity of a recognized certificate or the period of validity of a recognition specified under section 21(6) has expired, the provisions of this Ordinance relating to recognized certificates issued by a recognized certification authority and digital signatures supported by a recognized certificate issued by a recognized certification authority do not apply to the certificate and the digital signatures supported by the certificate.
(5) Subsection (4) is not to be construed as affecting the validity of---
(a) the use of the certificate; or
(b) the digital signatures supported by such a certificate,
before the expiry of the validity of the certificate or the expiry of the recognition of the certificate.
26. Director may renew recognition of certification authority
(1) A certification authority recognized under section 20 may apply for renewal of a recognition not later than 30 days and not earlier than 60 days before the expiry of the validity of the recognition.
(2) Subject to subsection (4), an application for renewal is to be made in the prescribed manner and in a form specified by the Director and if the Director so requires, the applicant must furnish to the Director the prescribed particulars and documents, if any.
(3) Subject to subsection (4), an applicant must pay the prescribed fee in respect of an application for renewal.
(4) The Director may waive the requirements in subsection (2) or the whole or part of the prescribed fee as the Director may decide in relation to a particular case.
(5) If the certification authority does not apply for renewal before the end of the period during which an application can be made under subsection (1), the Director must, not later than 21 days before the expiry of the validity give notice---
(a) in one English language daily newspaper and one Chinese language daily newspaper in circulation in Hong Kong for at least 3 consecutive days; and
(b) in the certification authority disclosure record maintained for that certification authority,
of the date of the expiry of the validity and that the certification authority has not applied for renewal.
(6) Section 20(3) applies to a renewal of a recognition subject to necessary modifications.
27. Certification authority may appeal to Secretary against decision of Director
(1) A certification authority aggrieved by a decision of the Director---
(a) refusing an application for recognition under section 20 or 21;
(b) refusing an application for renewal of a recognition under section 21 or 26;
(c) revoking or suspending a recognition under section 22 or 23,
may appeal to the Secretary against the decision within 7 days of the date on which the notice of the decision is served on the certification authority.
(2) On appeal, the Secretary may confirm, vary or reverse the decision of the Director.
PART VIII
Postmaster General to be Recognized Certification Authority
28. The Postmaster General as recognized certification authority
(1) The Postmaster General is a recognized certification authority for the purposes of this Ordinance.
(2) Part VII does not apply to the Postmaster General as a certification authority.
29. Postmaster General may perform functions and provide services of certification authority
(1) For the purposes of section 28, the Postmaster General may by himself or through the officers of the Post Office---
(a) perform the functions or provide the services of a certification authority and services incidental or related to the functions or services of a certification authority; and
(b) do anything that is necessary or expedient for the purposes of paragraph (a) and for complying with any provision of this Ordinance relating to a recognized certification authority.
(2) The Postmaster General may determine and charge fees for providing the services of a certification authority or services incidental or related to the functions or services of a certification authority.
(3) The fees determined and charged under subsection (2) shall not be limited by reference to the administrative or other costs incurred or likely to be incurred or recovery of expenditure in the provision of the services of a certification authority or services incidental or related to the functions or services of a certification authority.
(4) The Postmaster General may give particulars of any fees determined under subsection (2) in such manner as the Postmaster General thinks fit.
PART IX
General Provisions as to Recognized Certification Authorities
30. Publication of issued and accepted certificates
(1) Where a subscriber accepts a recognized certificate issued by a recognized certification authority, the certification authority must publish the certificate in a recognized repository.
(2) If the subscriber does not accept the recognized certificate, the recognized certification authority must not publish it and, if it has already been published, cancel the publication.
31. Recognized certification authority to use trustworthy system
A recognized certification authority must use a trustworthy system in performing its services---
(a) to issue or withdraw a recognized certificate; or
(b) to publish in a repository or give notice of the issue or withdrawal of a recognized certificate.
32. Presumption as to correctness of information
It shall be presumed, unless there is evidence to the contrary, that the information contained in a recognized certificate issued by a recognized certification authority (except information identified as subscriber's information which has not been verified by the recognized certification authority) is correct if the certificate was published in a recognized repository.
33. Representations upon issuance of recognized certificate
By issuing a recognized certificate, a recognized certification authority represents to any person who reasonably relies on the information contained in the certificate or a digital signature verifiable by the public key listed in the certificate, that the recognized certification authority has issued the certificate in accordance with any applicable certification practice statement incorporated by reference in the certificate, or of which the relying person has notice.
34. Representations upon publication of recognized certificate
By publishing a recognized certificate, a recognized certification authority represents to the repository in which the certificate is published and to any person who reasonably relies on the information contained in the certificate, that the recognized certification authority has issued the certificate to the subscriber concerned.
35. Reliance limit
(1) A recognized certification authority may, in issuing a recognized certificate, specify a reliance limit in the certificate.
(2) The recognized certification authority may specify different limits in different recognized certificates or in different types, classes or description of certificates.
36. Liability limits for recognized certification authorities
(1) Unless a recognized certification authority waives the application of this subsection, the recognized certification authority is not liable for any loss caused by reliance on a false or forged digital signature of a subscriber supported by a recognized certificate issued by that certification authority, if the recognized certification authority has complied with the requirements of this Ordinance and the code of practice with respect to that certificate.
(2) Unless a recognized certification authority waives the application of this subsection, the recognized certification authority is not liable in excess of the amount specified in the certificate as its reliance limit, for a loss caused by reliance on any information---
(a) that the recognized certification authority is required to confirm according to the certification practice statement and the code of practice; and
(b) which is misrepresented on that recognized certificate or in a recognized repository,
if the recognized certification authority has, in relation to that certificate, complied with the requirements of this Ordinance and the code of practice.
(3) The limitation of liability under subsection (2) does not apply if the fact was misrepresented due to the negligence of the recognized certification authority or it was intentionally or recklessly misrepresented by the recognized certification authority.
37. Audit of performance of recognized certification authorities
(1) The operations of a recognized certification authority must, at least once in every 12 months, be audited, at the expense of the recognized certification authority, for the purpose of assessing whether the recognized certification authority has complied with the provisions of this Ordinance applicable to a recognized certification authority and the code of practice.
(2) An audit under subsection (1) is to be conducted by a person approved by the Director as being qualified for that purpose.
(3) The certification authority must submit the results of the audit to the Director as soon as practicable after the completion of the audit.
(4) The Director must publish in the certification authority disclosure record maintained for that certification authority the date and result of the audit.
38. Recognized certification authority to issue a certification practice statement
A recognized certification authority must issue and maintain an up to date certification practice statement and notify the Director of changes to the practices of the certification authority as set out in that statement.
PART X
Issue of Code of Practice and Recognition of Repositories by Director
39. Director may issue code of practice
The Director may issue a code of practice specifying standards and procedures for carrying out the functions of recognized certification authorities.
40. Recognition of repositories
(1) The Director may recognize one or more repositories as recognized repositories.
(2) The Director must publish in the Gazette a list of the recognized repositories.
PART XI
Provisions as to Secrecy, Disclosure and Offences
41. Obligation of secrecy
(1) Subject to subsection (2), a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Ordinance shall not disclose such record, book, register, correspondence, information, document or other material to any other person.
(2) Subsection (1) does not apply to disclosure---
(a) for the purposes of performing or assisting in the performance of a function under or for the purposes of this Ordinance;
(b) for the purpose of any criminal proceedings in Hong Kong or an investigation conducted with a view to instituting such proceedings; or
(c) under the direction or order of a magistrate or court.
(3) A person who contravenes subsection (1) commits an offence and is liable to a fine at level 6 and in the case of an individual also to imprisonment for 6 months.
42. False information
A person who knowingly or recklessly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Ordinance which is untrue, inaccurate or misleading commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.
43. Other offences
A person who makes a false claim that a person or an organization is a recognized certification authority commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.
PART XII
Secretary's Power to Amend Schedules and Make Subsidiary Legislation and Immunity of Public Officers
44. Regulations
The Secretary may make regulations for all or any of the following---
(a) to prescribe the manner of applying to the Director for recognition or renewal of recognition as a recognized certification authority, the particulars and documents to be supplied by an applicant and the manner of recognition;
(b) to prescribe the fees payable in respect of recognition of certification authorities, the recognition of certificates or the renewal of such recognition;
(c) to prescribe the form of certification practice statements and matters relating to the recognition of repositories;
(d) to provide for the manner of appealing against a decision of the Director and the procedure for determining appeals;
(e) to provide for such other matters as are necessary or expedient to give effect to the provisions of this Ordinance.
45. Secretary may amend Schedules
The Secretary may by order amend Schedules 1 and 2.
46. Immunity of public officers
(1) Subject to subsection (2), no liability shall be incurred by a public officer in respect of anything done or omitted to be done by that officer in good faith in the performance or purported performance of a function under this Ordinance.
(2) Subsection (1) does not apply in relation to any function performed for the purposes of or under Part VIII.
SCHEDULE 1 [ss. 3 & 45]
Matters Excluded from Application of Sections 5, 6, 7 and 8 of this Ordinance under Section 3 of this Ordinance
1. The creation, execution, variation, revocation, revival or rectification of a will, codicil or any other testamentary document.
2. The creation, execution, variation or revocation of a trust.
3. The creation, execution, variation or revocation of a power of attorney.
4. The making, execution or making and execution of any instrument which is required to be stamped or endorsed under the Stamp Duty Ordinance (Cap. 117) other than a contract note to which an agreement under section 5A of that Ordinance relates.
5. Government conditions of grant and Government leases.
6. Any deed, conveyance or other document or instrument in writing, judgments, and lis pendens referred to in the Land Registration Ordinance (Cap. 128) by which any parcels of ground tenements or premises in Hong Kong may be affected.
7. Any assignment, mortgage or legal charge within the meaning of the Conveyancing and Property Ordinance (Cap. 219) or any other contract relating to or effecting the disposition of immovable property or an interest in immovable property.
8. An estate agency agreement entered into between an estate agent and its client.
9. Oaths and affidavits.
10. Statutory declarations.
11. Judgments (in addition to those referred to in section 6) or orders of court.
12. Warrants.
13. Bills of exchange within the meaning of the Bills of Exchange Ordinance (Cap. 19).
SCHEDULE 2 [ss. 13(1) & (3) & 45]
Proceedings in Relation to which Sections 5, 6, 7 and 8 of this Ordinance do not Apply under Section 13(1) of this Ordinance
Proceedings before any of the following---
(a) the Court of Final Appeal;
(b) the Court of Appeal;
(c) the Court of First Instance;
(d) the District Court;
(e) the Mental Health Review Tribunal established under the Mental Health Ordinance (Cap. 136);
(f) the Lands Tribunal;
(g) a coroner appointed under section 3 of the Coroners Ordinance (Cap. 504);
(h) the Labour Tribunal;
(i) the Obscene Articles Tribunal established under the Control of Obscene and Indecent Articles Ordinance (Cap. 390);
(j) the Small Claims Tribunal;
(k) a magistrate.
Explanatory Memorandum
The object of this Bill is to provide a statutory framework for conducting by electronic communication commercial and other transactions.
Part I
2. Clause 1 gives the Bill its short title and enables the Ordinance when enacted to be brought into operation on a day or days appointed by the Secretary for Information Technology and Broadcasting ("the Secretary").
3. Clause 2 contains the definitions necessary for the interpretation of the Bill.
Part II
4. Clause 3 excludes from the application of clauses 5, 6, 7, 8 and 16 certain matters and acts which are set out in Schedule 1 with the result that they cannot be executed or conducted by an electronic transaction or authenticated by a digital signature in satisfying a rule of law in those matters or for those acts. (Under clause 45, Schedule 1 can be amended by the Secretary).
5. Clause 4 states that subject to the exceptions in the Bill, it applies in relation to any rule of law applicable to an individual, public body or public authority and to any electronic transaction to which any such person is a party.
Part III
6. Clause 5 provides that where a rule of law requires or provides any information to be given or presented in writing, it can be done by an electronic record, to comply with the rule of law.
7. Clause 6 provides that where the rule of law requires a signature in any matter a digital signature (which is an electronic signature the characteristics of which are defined in clause 2) is acceptable in place of a manual signature.
8. Clause 7 states that where a rule of law requires information to be presented or retained in its original form, it is acceptable for the purposes of that rule of law to present or retain the information as an electronic record, if the integrity of the retained information can be secured and the presented information can be displayed in a legible form.
9. Clause 8 provides that if information is required to be retained by a rule of law, that rule of law is satisfied by retaining it as an electronic record if the information contained in the electronic record can be used for subsequent reference, if it is retained in its original form or in a form which accurately represents the original information and also if information which can identify the origin, destination and the date and time when the information was sent or received is retained.
10. Clause 9 provides that an electronic record is not to be denied admissibility as evidence solely on the ground that it is an electronic record, but that this is without prejudice to any rules of evidence.
11. Clause 10 provides that the provisions of Part III are to be construed subject to Part IV which sets out the limitations on the application of Part III.
Part IV
12. Clause 11 empowers the Secretary to exclude by order published in the Gazette a rule of law (which includes any provision in a rule of law) or any requirement or permission or a class or description of requirements or permissions from the operation of clause 5, 6, 7 or 8. For rules of law to which clause 5, 6, 7 or 8 applies, the Secretary may by notice published in the Gazette specify the requirements as to manner and format in which the information is to be given and the information is to be verified.
13. Clause 12 provides that where requirements as to manner and format and verification are specified by the Secretary, the information given for the purpose of a rule of law does not satisfy that rule of law unless those requirements are complied with.
14. Clause 13 excludes from the application of clause 5, 6, 7 or 8 information to be given or retained for the purpose of certain specified proceedings unless the rules relating to those proceedings provide for its application. Any authority given by law to make rules for those proceedings is to be construed as including a power to provide for the application of clause 5, 6, 7 or 8 and the specification of requirements as to manner and format.
15. Clause 14 provides that if any other Ordinance makes express provision regarding electronic records for the purposes of that Ordinance, clause 5, 6, 7 or 8 is not to affect that express provision.
16. Clause 15 provides that if the effect of clause 5, 6, 7 or 8 on any rule of law is such that any other requirement in that rule of law cannot be complied with, the relevant clause does not apply to that rule of law.
Part V
17. Clause 16 contains an avoidance of doubt provision to the effect that unless otherwise agreed by the parties, contracts can be formed by means of electronic records.
Part VI
18. Clause 17 specifies that an electronic record is that of the originator, if it was sent by the originator or with his authority or by an information system programmed by or on behalf of the originator to send the electronic record automatically.
19. Clause 18 sets out what constitutes sending and receiving an electronic record and when and where it is regarded as sent or received.
Part VII
20. Clause 19 provides that a certification authority (a person who issues certificates) can apply to the Director of Information Technology Services ("the Director") to be recognized as a recognized certification authority for the purposes of this Ordinance.
21. Clause 20 enables the Director to recognize a certification authority the Director considers suitable for recognition and sets out some of the matters the Director shall take into consideration in assessing suitability. Those include the financial status of the certification authority, arrangements to cover liability, procedures and standards for issuing certificates, a report on the capability to comply with the Ordinance and the code of practice, whether the applicant and its responsible officers are fit and proper persons, and the reliance limits of the certificates.
22. Clause 21 empowers the Director to recognize certificates issued by a recognized certification authority, as recognized certificates. The clause also sets out the matters the Director may take into account in recognizing certificates.
23. Clause 22 empowers the Director to revoke the recognition of a certification authority and to revoke the recognition of certificates. The clause sets out the procedure for revocation which includes giving notice of intention to revoke and an opportunity to make representations.
24. Clause 23 empowers the Director to suspend the recognition of a certification authority or recognized certificates and sets out the procedure for suspension.
25. Clause 24 sets out the matters that the Director may take into account in deciding to revoke or suspend a recognition. They include the matter that can be taken into account in recognizing a certification authority, failure to conform to the certification practice statement or use a trustworthy system, non-compliance with a code of practice, and the result of a performance audit.
26. Clause 25 provides that when a revocation or a suspension of a recognized certification authority or a recognized certificate takes effect, the provisions relating to recognized certification authorities and recognized certificates do not apply to the certification authority and the certificates issued by the certification authority. But that does not affect the validity of certificates or digital signatures supported by a certificate issued before the revocation or suspension.
27. Clause 26 empowers the Director to renew the recognition of a certification authority on application.
28. Clause 27 enables a certification authority whose application for recognition or renewal of recognition has been refused or whose recognition or the recognition of whose certificates has been revoked or suspended, to appeal to the Secretary.
Part VIII
29. Clause 28 specifies the Postmaster General as a certification authority who can function as a recognized certification authority for the purposes of the Ordinance without having to be recognized by the Director.
30. Clause 29 empowers the Postmaster General functioning as a recognized certification authority to charge fees for the services of a recognized certification authority and related and incidental services, on a commercial basis.
Part IX
31. Clause 30 requires a recognized certification authority to publish in a recognized repository the certificate issued to the subscriber.
32. Clause 31 requires a recognized certification authority to use a trustworthy system to issue or withdraw a recognized certificate, or to publish or give notice of the issue or withdrawal of a recognized certificate.
33. Clause 32 creates a rebuttable presumption as to the correctness of information contained in a certificate published in a recognized repository.
34. Clause 33 states that by issuing a recognized certificate the recognized certification authority represents to a person who relies on the information contained in it or a digital signature verifiable with reference to a public key listed in that certificate, that the certification authority has issued the certificate in accordance with the applicable certification practice statement.
35. Clause 34 provides that publication of a certificate in a repository by a recognized certification authority amounts to a representation that the certification authority has issued a certificate to the subscriber concerned.
36. Clause 35 permits a recognized certification authority to set a reliance limit on certificates issued by it.
37. Clause 36 limits the liability for a loss caused by reliance on the certificate unless there has been negligence on the part of the certification authority or the certification authority has acted recklessly or intentionally in misrepresenting particulars.
38. Clause 37 requires the operations of a recognized certification authority to be audited at least once in 12 months to evaluate whether the certification authority has complied with the provisions of the Bill and a code of practice applicable to it. The result of the audit has to be submitted to the Director.
39. Clause 38 requires a recognized certification authority to issue and maintain an up to date certification practice statement, that is a statement which sets out the practices adopted by it to issue certificates, and to notify the Director of any changes in the statement.
Part X
40. Clause 39 empowers the Director to issue a code of practice specifying standards and procedures for carrying out the functions of recognized certification authorities.
41. Clause 40 empowers the Director to recognize a repository as a recognized repository.
Part XI
42. Clause 41 makes it an offence to disclose any information or other record to which a person has access in the course of performing the functions under or for the purposes of the Bill and sets out the exceptions to the duty of non-disclosure.
43. Clause 42 makes it an offence for a person to furnish false information under the Ordinance.
44. Clause 43 makes it an offence for a person to falsely claim that a person is a recognized certification authority.
Part XII
45. Clause 44 authorizes the Secretary to make regulations for the purposes of the Ordinance.
46. Clause 45 empowers the Secretary to amend the Schedules to the Ordinance.
47. Clause 46 confers immunity on a public officer performing functions under the Ordinance other than the functions of a certification authority under Part VIII.