PRC Electronic Signatures Law

Revised on April 24 2015. Latest revision can be found at:
http://www.chinalawandpractice.com/Article/3457499/PRC-Electronic-Signatures-Law-Revised-in-2015.html

(Promulgated on August 28 2004 and effective as of April 1 2005.)

PRC President's Order No.18

PART ONE: GENERAL PROVISIONS

Article 1: This Law has been formulated in order to regulate acts associated with electronic signatures, establish the legal validity and effect of electronic signatures and safeguard the lawful rights and interests of relevant parties.

Article 2: For the purposes of this Law, the term "electronic signature" means data in electronic form contained in or attached to a data message and that is used to identify the signatory and indicate his endorsement of the contents of such document.

For the purposes of this Law, the term "data message" means information that is generated, sent, received or stored in electronic, optical, magnetic or other similar form.

Article 3: The parties to contracts or other documents used in civil activities may agree to use or not use electronic signatures and data messages.

If the parties agree to use documents in the form of data messages with electronic signatures, they may not deny the legal validity of such documents solely based on the fact that they are in the form of data messages with electronic signatures.

The provisions of the preceding paragraphs shall not apply to the following types of documents:

(1) documents pertaining to human relations, such as marriage, adoption, succession, etc.;

(2) documents pertaining to the transfer of rights and interests in immovables, such as land, buildings, etc.;

(3) documents pertaining to the suspension of such public utilities as water supply, heat supply, gas supply, electricity supply, etc.; and

(4) other circumstances specified in laws and regulations where electronic documents are not appropriate.

PART TWO: DATA MESSAGES

Article 4: Data messages that can exhibit their contents in tangible form and be retrieved, consulted and used at any time shall be deemed to comply with the written form required by laws and regulations.

Article 5: A data message complying with the conditions set forth below shall be deemed to satisfy the requirements of an original as specified in laws and regulations:

(1) it can effectively exhibit its contents and may be retrieved, consulted and used at any time; and

(2) it can reliably ensure that its contents have maintained their integrity without modification since its finalization. However, the addition of an endorsement on a data message or changes in form arising in the course of data exchange, storage or display shall not affect the integrity of such message.

Article 6: Data messages complying with the conditions set forth below shall be deemed to satisfy the requirements of document preservation as specified in laws and regulations:

(1) it can effectively exhibit its contents and may be retrieved, consulted and used at any time;

(2) its format is identical to that at the time of its creation, sending or receipt, or, despite a difference in its format, it can nonetheless accurately exhibit the original content at the time of its creation, sending or receipt; and

(3) it can identify the sender and recipient of the data message as well as the time of sending and receipt.

Article 7: The use of a data message as evidence may not be refused solely on the grounds of its creation, sending, receipt or storage in electronic, optical, magnetic or other similar form.

Article 8: When examining the authenticity of a data message as evidence, the following factors shall be taken into consideration:

(1) the reliability of the method of creation, storage or transmission of the data message;

(2) the reliability of the method of maintaining the integrity of its contents;

(3) the reliability of the method used to identify the sender; and

(4) other related factors.

Article 9: A data message shall be deemed sent by the sender if:

(1) the sending thereof was authorized by the sender;

(2) it was sent automatically by the sender's information system; or

(3) after verification by the recipient using the method approved by the sender, the results are consistent.

If the parties have otherwise agreed on the matters specified in the preceding paragraph, such agreement shall prevail.

Article 10: If laws or administrative regulations stipulate or the parties agree that receipt of a data message requires confirmation, receipt shall be confirmed. Once the sender receives the confirmation of receipt from the recipient, the data message shall be deemed received.

Article 11: The time at which a data message enters a certain information system other than that of the sender shall be deemed the time at which such data message is sent.

If the recipient designates a specific system for the receipt of data messages, the time at which a data message enters such specific system shall be deemed the time at which such data message is received. If the recipient has not designated a specific system, the time at which a data message first enters any of the recipient's systems shall be deemed the time at which such data message is received.

If the parties have agreed otherwise on the time of sending or receipt of data messages, such agreement shall prevail.

Article 12: The principal place of business of the sender shall be the place from where a data message is sent and the principal place of business of the recipient shall be the place where the data message is received. In the absence of a principal place of business, the sender's or recipient's usual place of residence shall be deemed the place of sending or receipt of the data message.

If the parties have agreed otherwise on the place of sending or receipt of a data message, such agreement shall prevail.

PART THREE: ELECTRONIC SIGNATURES AND CERTIFICATION

Article 13: An electronic signature that simultaneously satisfies all of the following conditions shall be deemed a reliable electronic signature:

(1) at the time the electronic signature creation data is used for an electronic signature, it is proprietary to the electronic signatory;

(2) at the time of signing, the electronic signature creation data is controlled solely by the electronic signatory;

(3) any change to the electronic signature after signing can be noticed; and

(4) any change to the content and form of the data message after signing can be noticed.

The parties may select for use electronic signatures that comply with the reliability conditions agreed upon by them.

Article 14: A reliable electronic signature shall have the same legal validity and effect as a handwritten signature or an affixed seal.

Article 15: An electronic signatory shall duly safeguard his electronic signature creation data. If an electronic signatory learns that his electronic signature creation data has been descrambled or may have been descrambled, he shall promptly notify the relevant parties thereof and cease to use such electronic signature creation data.

Article 16: If an electronic signature requires third party certification, the certification service shall be provided by an electronic certification service provider established in accordance with the law.

Article 17: To provide electronic certification services, the following conditions shall be satisfied:

(1) having professional technicians and management personnel commensurate with the provision of electronic certification services;

(2) having the funds and business premises commensurate with the provision of electronic certification services;

(3) having technologies and equipment that comply with state security standards;

(4) having documentary evidence from the state encryption administrative authority consenting to the use of encryption; and

(5) other conditions specified in laws and administrative regulations.

Article 18: To engage in the provision of electronic certification services, an application and the relevant materials complying with the conditions specified in Article 17 hereof shall be submitted to the State Council department in charge of the information industry. After receipt of the application, the State Council department in charge of the information industry shall examine the same in accordance with the law and seek the comments of the State Council department in charge of commerce and other relevant departments. Thereafter, the State Council department in charge of the information industry shall render its decision on whether or not to give its permission within 45 days of the application date. If it gives its permission, it shall issue an electronic certification permit. If it denies permission, it shall notify the applicant thereof in writing and inform it as to the reason therefor.

The applicant shall carry out the enterprise registration procedures with the administration for industry and commerce in accordance with the law on the strength of the electronic certification permit.

An electronic certification service provider that has obtained certification qualifications shall post such information as its name, permit number, etc. on the internet in accordance with the provisions of the State Council department in charge of the information industry.

Article 19: An electronic certification service provider shall formulate and publish electronic certification rules that comply with relevant state provisions and submit the same to the State Council department in charge of the information industry for the record.

Electronic certification rules shall include the scope of liability, operational standards, the measures for the preservation of information security, etc.

Article 20: When applying to an electronic certification service provider for an electronic signature certificate, an electronic signatory shall provide true, complete and accurate information.

After receiving the application for an electronic signature certificate, the electronic certification service provider shall check the applicant's identity and examine the relevant materials.

Article 21: The electronic signature certificates issued by an electronic certification service provider shall be accurate and error free and shall specify the following particulars:

(1) the name of the electronic certification service provider;

(2) the name of the certificate holder;

(3) the certificate number;

(4) the term of validity of the certificate;

(5) the certificate holder's electronic signature verification data;

(6) the electronic signature of the electronic certification service provider; and

(7) other particulars specified by the State Council department in charge of the information industry.

Article 22: An electronic certification service provider shall ensure that the contents of electronic signature certificates are complete and accurate during the term of validity and ensure that the parties that rely on electronic signatures can verify or obtain an understanding of the contents of the electronic signature certificate and other relevant matters.

Article 23: If an electronic certification service provider intends to suspend or terminate its provision of electronic certification services, it shall notify the relevant parties concerning the taking over of its business by a third party and other relevant matters 90 days prior to the suspension or termination of its services.

If an electronic certification service provider intends to suspend or terminate its provision of electronic certification services, it shall submit a report to the State Council department in charge of the information industry 60 days prior to the suspension or termination of its services and it shall consult with other electronic certification service providers on the taking over of its business and make suitable arrangements.

If the electronic certification service provider is unable to reach an agreement with another electronic certification service provider on matters relating to the taking over of its business, it shall apply to the State Council department in charge of the information industry to arrange for another electronic certification service provider to take over its business.

If an electronic certification service provider has its electronic certification permit revoked in accordance with the law, the handling of matters relating to the taking over of its business shall be carried out in accordance with the provisions of the State Council department in charge of the information industry.

Article 24: An electronic certification service provider shall duly preserve information relating to certification for a period of at least five years from the expiration of an electronic signature certificate.

Article 25: The State Council department in charge of the information industry shall formulate the specific measures for the administration of the electronic certification service industry in accordance with this Law and regulate electronic certification service providers in accordance with the law.

Article 26: After approval by the State Council department in charge of the information industry pursuant to the relevant agreement or the principle of reciprocity, electronic signature certificates issued by electronic certification service providers outside the People's Republic of China shall have the same legal validity and effect as electronic signature certificates issued by electronic certification service providers established in accordance with this Law.

PART FOUR: LEGAL LIABILITY

Article 27: If an electronic signatory is aware that its electronic signature creation data has been descrambled or may have been descrambled but fails to inform relevant parties thereof in a timely manner and fails to cease using such electronic signature creation data, or if he fails to provide true, complete and accurate information to the electronic certification service manner provider or if he commits another fault thereby causing parties that rely on electronic signatures and/or the electronic certification service provider to incur a loss, he shall be liable for damages.

Article 28: If an electronic signatory or a party that relies on electronic signatures incurs a loss as a result of relying on the electronic signature certification service provided by an electronic certification service provider when engaging in civil activities and if the electronic certification service provider fails to provide evidence that it was not at fault, the electronic certification service provider shall be liable for damages.

Article 29: If electronic certification services are offered without a permit, the State Council department in charge of the information industry shall order a halt to the violation. If there is illegal income, such illegal income shall be confiscated. If the illegal income totalled not less than Rmb300,000, a fine equivalent to not less than the amount of and not more than three times the illegal income shall be imposed. If there was no illegal income or if such illegal income was less than Rmb300,000, a fine of not less than Rmb100,000 and not more than Rmb300,000 shall be imposed.

Article 30: If an electronic certification service provider suspends or terminates the provision of its electronic certification services but fails to submit a report to the State Council department in charge of the information industry 60 days prior to such suspension or termination, the State Council department in charge of the information industry shall fine the person directly in charge not less than Rmb10,000 and not more than Rmb50,000.

Article 31: If an electronic certification service provider fails to abide by the certification rules, fails to duly preserve information relating to certification or commits another violation of the law, the State Council department in charge of the information industry shall order it to rectify the matter within a specified period of time; if it fails to rectify the matter within the specified period of time, its electronic certification permit shall be revoked and the person directly in charge and the other persons directly responsible shall be prohibited from engaging in the provision of electronic certification services for 10 years. If an electronic certification service provider has its electronic certification permit revoked, the same shall be publicly announced and the administration for industry and commerce shall be notified.

Article 32: If a third party's electronic signature is forged, fraudulently used or misappropriated, and such forgery, fraudulent use or misappropriation constitutes a criminal offence, criminal liability shall be pursued in accordance with the law. If such action causes a third party to incur a loss, civil liability shall be borne in accordance with the law.

Article 33: If a member of the working personnel of an authority responsible, in accordance with this Law, for the regulation of the electronic certification service industry fails to perform his administrative permit or regulation responsibilities, he shall be subjected to administrative punishment in accordance with the law. If a criminal offence is constituted, his criminal liability shall be pursued in accordance with the law.

PART FIVE: SUPPLEMENTARY PROVISIONS

Article 34: The following terms used in this Law shall have the meanings assigned to them below:

(1) "electronic signatory" means a person who holds electronic signature creation data and affixes an electronic signature in his own capacity or in the name of the party that he represents.

(2) "party that relies on electronic signatures" means the party that engages in the relevant activity based on its reliance on an electronic signature certificate or electronic signature.

(3) "electronic signature certificate" means the data message or other electronic record that can authenticate the connection between an electronic signatory and the electronic signature creation data.

(4) "electronic signature creation data" means such data as symbols, numbers, etc. used in the electronic signature process that can reliably connect an electronic signature to the electronic signatory.

(5) "electronic signature verification data" means the data used to verify an electronic signature, including codes, passwords, algorithms or public keys, etc.

Article 35: The State Council or the departments specified by the State Council may formulate specific procedures for the use of electronic signatures and data messages in political activities and other social activities based on this Law.

Article 36: This Law shall be implemented as of April 1 2005.