Guangdong Province, Electronic Transactions Regulations

(Promulgated on December 6 2002 and effective as of February 1 2003.)

PART ONE: GENERAL PROVISIONS

Article 1: These Regulations have been formulated pursuant to relevant State laws and regulations and in line with actual conditions in Guangdong in order to regulate electronic transactions, safeguard the normal order in electronic transactions, ensure the security and reliability of electronic transactions, protect the legitimate rights and interests of the various parties to electronic transactions and promote the development of e-commerce.

Article 2: These Regulations shall govern electronic transactions within the administrative territory of Guangdong Province.

Article 3: Electronic transactions shall be conducted in compliance with principles of fair trade, equality, free will and good faith.

The use in electronic transactions of electronic contracts executed using secure electronic signatures is encouraged.

Article 4: People's governments at various levels shall provide incentives to promote the development of e-commerce as well as related electronic technologies and electronic transaction methods, and to promote systemic innovation.

Article 5: The provincial people's government administrative department in charge of the information industry (the Provincial Information Industry Department) shall be responsible for policy guidance, industry oversight and coordination in respect of electronic transactions.

The administrative departments for communications, industry and commerce, public security, taxation, etc. shall, within their respective jurisdictions, supervise electronic transactions and investigate and handle violations of the law in a timely manner in accordance with the law.

PART TWO: ELECTRONIC SIGNATURES AND ELECTRONIC RECORDS

Article 6: In the course of an electronic transaction, the parties may agree to use an electronic signature procedure. If the procedure used for an electronic signature can evidence the following matters, such electronic signature is a secure electronic signature:

(1) confirming the identity of the signer who used the said electronic signature;

(2) establishing that the electronic signature is unique to the signer; and

(3) establishing that the contents of the electronic record to which the said electronic signature was affixed were not modified.

If laws or administrative regulations provide otherwise, such laws or regulations shall prevail.

Article 7: A digital signature that complies with the criteria set forth below is an electronic signature that satisfies the security requirements of Article 6:

(1) the said electronic signature was generated by the private key corresponding to the public key in the digital certificate and can be authenticated by the public key;

(2) the digital certificate was issued by a legally established and qualified e-commerce certification authority (Certification Authority); and

(3) the said digital signature was signed during the term of validity of the digital certificate.

Article 8: In the course of electronic transactions, secure electronic signatures and hand-written signatures shall be equally valid.

Article 9: Electronic records that have been signed using a secure electronic signature are secure electronic records.

A secure electronic record is a genuine, integral and unmodified electronic record and shall be as valid as a record made in writing.

PART THREE: ELECTRONIC CONTRACTS

Article 10: Offers and acceptances may be made, in whole or in part, in the form of an electronic record, unless otherwise specified in laws or regulations or agreed upon by the parties.

Article 11: An offer or acceptance expressed in any of the electronic record formats set forth below is a declaration of the intent of the contracting party:

(1) an electronic record sent by the party himself;

(2) an electronic record sent by the agent of the party;

(3) an electronic record automatically transmitted or automatically sent as a reply by the information system set up by the party himself; or

(4) an electronic record automatically transmitted or automatically sent as a reply by the information system set up by the agent of the party.

Article 12: The time by which an electronic record expressing an offer or acceptance is deemed to have reached the addressee shall be determined by either of the methods set forth below:

(1) if the addressee has designated a specific information system, the electronic record is deemed to have reached the addressee when it enters the specific information system; or

(2) if the addressee has not designated a specific information system, the electronic record is deemed to have reached the addressee at its first entry into any of the addressee's information systems.

Article 13: A contract concluded in electronic record form is formed when the electronic record expressing acceptance reaches the offeror.

If the parties have required the execution of a letter of confirmation before the contract is formed, the contract is formed when the letter of confirmation is executed.

Article 14: The authenticity of the identities of the parties to the contract or the contract execution date may be confirmed by the secure electronic signatures and the digital date marks on the offer, acceptance and letter of confirmation.

PART FOUR: CERTIFICATION AUTHORITIES

Article 15: If a party uses a digital signature to certify his identity in the course of an electronic transaction, he may apply to a Certification Authority for a digital certificate.

Article 16: A Certification Authority shall satisfy the following criteria:

(1) having legal person status;

(2) having a key management centre established with the approval of the State encryption management authority;

(3) having the appropriate professional technical and management personnel to engage in certification business;

(4) having technologies and equipment that have been inspected and certified as secure and reliable by the public security department;

(5) having the necessary funds and business premises and the capacity to provide certification services for clients and to bear risk liability; and

(6) other criteria specified in laws and regulations.

Article 17: A Certification Authority may only commence its digital certificate certification business after it has had its qualifications recognized by the provincial information industry department and has submitted its operational standards for certification business and its digital certificate management system to the Provincial Information Industry Department for the record. The Provincial Information Industry Department shall implement a system of annual inspections of the qualifications of Certification Authorities.

The standards and procedures for the recognition and annual inspection of the qualifications of Certification Authorities shall be formulated and published by the Provincial Information Industry Department.

Article 18: A Certification Authority shall perform the following responsibilities:

(1) examining the authenticity of the relevant materials submitted by, and the identities of, applicants for digital certificates and issuing digital certificates after examining and confirming their identities;

(2) publishing the operational standards for certification business and the digital certificate management systems of Certification Authorities;

(3) protecting non-public domain information of digital certificate clients such as trade secrets of organizational clients and personal information of individual clients;

(4) establishing backup mechanisms and contingency procedures for their certification systems so as to ensure secure use of the certification system and digital certificates in the event of sabotage or a natural disaster;

(5) in the event of a dispute arising in connection with an electronic transaction, providing electronic proofs of identity to the relevant parties and assisting relevant departments in their investigations; and

(6) announcing online, and making available for public searching, its clients' digital certificates.

Article 19: In the event that the security of its certification system is compromised, a Certification Authority may suspend the use of digital certificates. If a digital certificate client requests the suspension of the use of certificates, the Certification Authority shall do so and announce its suspension of such use.

Article 20: A digital certificate shall be revoked if any of the following circumstances arises during its term of validity:

(1) important particulars supplied when the client applied for the digital certificate are false;

(2) the client's digital certificate has been passed off, forged or altered;

(3) the client is dissolved or terminated;

(4) the individual client is deceased; or

(5) another circumstance specified in laws or administrative regulations arises.

The Certification Authority shall announce the revocation of a digital certificate. The client shall be promptly notified of the revocation except in the circumstances specified in Items (3) and (4) of the preceding paragraph.

Article 21: If a digital certificate client requests the revocation of a digital certificate during the term of validity of such certificate, the Certification Authority shall do so and announce the same.

Article 22: When a digital certificate client applies for a certificate, he must provide true, complete and accurate identification particulars and relevant information. The digital certificate client shall duly protect the private key for his certificate and abide by the Certification Authority's operational standards for certification business and its digital certificate management system.

PART FIVE: ELECTRONIC TRANSACTION SERVICE PROVIDERS

Article 23: An electronic transaction service provider shall obtain a business licence, operational permit and organization code certificate in accordance with State laws and regulations and register with the provincial information industry department.

The provincial information industry department shall announce the registrations.

Article 24: When registering, an electronic transaction service provider shall submit the following materials:

(1) the certification documents specified in the preceding article;

(2) the basic particulars of the persons in charge of the sponsor and those in charge of the website;

(3) the URL of the website and the items of business; and

(4) other materials specified in laws and regulations.

Article 25: An electronic transaction service provider may not impede the parties to a transaction from investigating its creditworthiness, searching for information on the merchandise or freely selecting merchandise.

Article 26: Electronic transaction service providers shall provide good service to the parties to transactions and periodically examine the legal operation certificates and the level of creditworthiness of business entities. An electronic transaction service provider shall execute contracts with business entities that use its platform to conduct electronic transactions, which contracts shall stipulate the rights and obligations of the parties and their liability for breach of contract.

Article 27: Electronic transaction service providers shall adopt technical and administrative measures such as data backup, crash recovery, etc. to ensure the security, integrity and accuracy of electronic transaction data.

The term for the preservation of electronic transaction data shall be agreed upon by the electronic transaction service provider and the parties to the transaction. In the absence of such an agreement, electronic transaction data shall be preserved for a minimum of three years.

If the relevant department wishes to examine electronic transaction data according to law, the electronic transaction service provider shall provide the same.

Article 28: Electronic transaction service providers shall adopt strict security and confidentiality measures for the information provided by parties in the course of electronic transactions and may not disclose or sell such information to any third party without the consent of the parties to the electronic transactions, unless otherwise provided in laws or regulations.

PART SIX: LEGAL LIABILITY

Article 29: If a Certification Authority violates these Regulations by disclosing non-public domain information of digital certificate clients such as trade secrets of organizational clients or personal information of individual clients or uses such information to engage in activities that threaten State security or harm the interests of an enterprise or individual, it shall be punished by the relevant administrative department in charge in accordance with relevant laws and regulations. If the circumstances are serious, the provincial information industry department shall revoke its certification qualifications. If a criminal offence is constituted, criminal liability shall be pursued in accordance with the law.

Article 30: If a Certification Authority deliberately provides spurious certification, its certification shall be invalid and the provincial information industry department shall pursue the liability of the person(s) directly responsible. If a criminal offence is constituted, criminal liability shall be pursued in accordance with the law.

Article 31: If a client's digital certificate is compromised or becomes invalid due to a reason attributable to the Certification Authority, resulting in an incorrect recognition of the client's identity or if the Certification Authority fails to suspend or revoke a digital certificate at the request of a client, causing the client to incur a loss, the Certification Authority shall be liable for damages.

Article 32: If a client provides false information when applying for a digital certificate, his legal liability shall be pursued by the relevant administrative department in accordance with the law.

PART SEVEN: MISCELLANEOUS PROVISIONS

Article 33: For the purposes of these Regulations, the following terms shall have the meanings set forth below:

The term "e-commerce" means the entire process involved in product and service trade activities conducted over an electronic network, principally including the three stages of information searching, ordering and payment, and shipment.

For the purposes of the preceding paragraph, the term "electronic network" means an information network based on an electronic communication system, and includes telephone systems, facsimile systems, television systems, electronic payment and currency circulation systems, EDI, the internet and other lawful computer networks, etc.

The term "electronic transaction" means a commercial transaction conducted over an electronic network and is a part of e-commerce.

The term "electronic record" means readable data stored on, or otherwise fixed onto, an electronic medium.

The term "electronic signature" means an electronic record electronically expressed in the form of letters, symbols, digits or other code and used to differentiate identities, including such differentiation methods as digital signatures, passwords, keys, biometrics, etc.

The term "public key" means a public key generated for a digital certificate user using asymmetric encryption technology.

The term "private key" means a private key generated for a digital certificate user using asymmetric encryption technology.

The term "digital signature" means a type of electronic signature converted into an electronic record by means of asymmetric encryption technology and used to ensure the authenticity, integrity, confidentiality and incontestability of an electronic record.

The term "digital certificate" means an electronic document issued in order to support a digital signature and containing the user's identity and other relevant information. The users of digital certificates use the digital signatures generated by the certificates to authenticate the identities of the parties participating in an electronic transaction.

The term "electronic contract" means a contract concluded wholly or partially in the form of an electronic record.

The term "e-commerce certification authority" means a third party organization that provides such services as online identity certification, issuance and management of digital certificates, etc. to parties participating in electronic transactions.

The term "electronic transaction service provider" means a for-profit work unit that has obtained a business licence in accordance with State laws and regulations and uses an electronic network to provide platform services for electronic transactions.

Article 34: These Regulations shall be implemented as of February 1 2003.