


The Electronic Transactions Ordinance (Cap 553) was enacted in 2000. It aims to provide security for electronic transactions. It deals generally with two areas: (1) electronic records and digital signatures and (2) applications by certification authorities and recognition by the Director.

Electronic Records and Digital Signature
Certification Authorities




Interpretation (s2)

"digital signature", in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine:

  • whether the transformation was generated using the private key that corresponds to the signer's public key; and
  • whether the initial electronic record has been altered since the transformation was generated.

"electronic record" means a record generated in digital form by an information system, which can be:

  • transmitted within an information system or from one information system to another; and
  • stored in an information system or other medium.

"electronic signature" means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record.

"key pair", in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates.


Application

Matters to which certain provisions are not applicable:

Sections 5, 6, 7, 8 and 17 do not apply to certain matters including the following:

will, testamentary document, any documents related to land, oaths and affidavits, statutory declarations, judgments, orders of court, etc. (s3, Schedule 1).


Writing Requirement

If a rule of law permits or requires information to be or given in writing, or provides for certain consequences if it is not, an electronic record satisfies the requirement if the information contained in the electronic record is accessible so as to be usable for subsequent reference (s5).


Digital Signature

If a rule of law requires the signature of a person or provides for certain consequences if a document is not signed by a person, a digital signature of the person satisfies the requirement, provided it is supported by a recognized certificate and is generated within the validity of that certificate (s6).


Presentation or Retention of Information in Its Original Form

Where a rule of law requires that certain information be presented or retained in its original form, the requirement is satisfied by presenting or retaining the information in the form of electronic records if:

  • there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form; and
  • where it is required that information be presented, the information is capable of being displayed in a legible form to the person to whom it is to be presented (s7).


Retention of Information in Electronic Records

Where a rule of law requires certain information to be retained, the requirement is satisfied by retaining electronic records, if:

  • the information contained remains accessible and usable;
  • the relevant electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and
  • the information which enables the identification of the origin and destination of the electronic record and the date and time when it was sent or received, is retained (s8).


Admissibility of Electronic Records

An electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record (s9).


Formation and Validity of Electronic Contracts

In the context of the formation of contracts, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records. Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose. (s17)


Attribution of Electronic Records

An electronic record is that of the originator if it was-

  • sent by the originator;
  • sent with the authority of the originator; or
  • sent by an information system programmed by or on behalf of the originator to operate and to send the electronic record automatically. (s18)


Sending and Receiving Electronic Records (s19)

Unless otherwise agreed between the originator and the addressee of an electronic record,

  • an electronic record is sent when it is accepted by an information system outside the control of the originator or of the person who sent the electronic record on behalf of the originator;
  • the time of receipt of an electronic record is
    • at the time when the electronic record is accepted by the designated information system (if the addressee has designated an information system for that purpose);
    • at the time when the electronic record comes to the knowledge of the addressee (if it is sent to an information system of the addressee that is not the designated information system);
    • when the electronic record comes to the knowledge of the addressee (if the addressee has not designated an information system);
  • if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction, or, where there is no underlying transaction, the principal place of business of the originator or the addressee;
  • if the originator or the addressee does not have a place of business, the place of business is the place where the originator or the addressee ordinarily resides.






To facilitate secure encryption of digital signatures and records, the ETO uses a voluntary licensing system that allows certification authorities (CAs) to act as the trusted third party that generates public and private keys and issues certificates of authentication. The first CA is the Postmaster General, designated by the Hong Kong government, who operates through officers of the Hong Kong Post Office.


Application to Director

A certification authority may apply to the Director to become a recognized certification authority. An application must be made in the prescribed manner and in a form specified by the Director and the applicant must pay the prescribed fee in respect of the application. (s20)


Publication of Issued and Accepted Certificates

Where a subscriber accepts a recognized certificate issued by a recognized certification authority, the certification authority must publish the certificate in a repository. (s36)




