The Electronic Signatures Law: China's First National E-Commerce Legislation
October 02, 2004
The NPC has passed new legislation on electronic signatures. This new legislation helps to regulate electronic commerce and the security of electronic transactions.
By Wendy Yan, Faegre & Benson, Shanghai
In the wake of the increased use of new electronic and information technologies in commerce, adoption of a modern legal framework to regulate electronic commerce is particularly important for China's economic reforms. The enforceability and security of electronic transactions and records, and specifically data messages, are the most fundamental issues to be addressed by China's e-commerce legislation. In this context, during the past few years China has made considerable progress towards the creation of a favourable legal environment to enable and facilitate the use of e-commerce by means of regulating data messages and electronic signatures. On August 28 2004, the National People's Congress passed the PRC Electronic Signatures Law (E-Signatures Law), and it becomes effective on April 1 2005.
Generally speaking, the E-Signatures Law deals with the following two key areas, which have seen the most activity and have generated the most legal work in e-commerce: (1) the enforceability and legal effect of data messages; and (2) electronic signatures and their verification.
As discussed further below, the E-Signatures Law does not merely regulate electronic signatures in e-commerce transactions, as might be suggested by its name. Instead, it is a set of rules to recognize the enforceability and ensure the security of data messages in the context of e-commerce with an aim to remove legal obstacles to, and provide a more secure legal environment for, the increased use of e-commerce in China. The E-Signatures Law should be regarded as the first national e-commerce legislation in China.1
Data Messages
What is a "Data Message"?
A data message, as defined in Article 2 of the E-Signatures Law, means any information generated, sent, received or stored by electronic, optical, magnetic or similar means. This broad definition of data message seems to indicate that it encompasses all types of messages generated, sent, received or stored in a paper-less form, which includes both the communication and records of communication in e-commerce transactions and information recorded that is not intended for communication. The latter may be presented in a court as evidence if it complies with relevant legal requirements.
In addition, the reference to "similar means" in the data message definition reflects the fact that the E-Signatures Law has been enacted not only for application to existing communication techniques but also to accommodate as far as possible any foreseeable technical developments.
The E-Signatures Law does not explain what types of messages are presumed to be included under the definition of a data message. Nevertheless, the PRC Contract Law2 sheds some light on the issue. The Contract Law provides that sundry data messages, including telegrams, telexes, faxes, electronic data interchange3 and e-mail, are deemed to be capable of tangibly representing their content so as to satisfy the requirement of "written form" under Chinese law. It is therefore reasonable to assume that telegrams, telexes, faxes, electronic data interchange and e-mail are at least a portion of those data messages that the E-Signatures Law intends to regulate.
Enforceability of Data Messages
Article 3 of the E-Signatures Law stipulates that, subject to some exceptions,4 parties have discretion whether to use data messages in contracts or other documents in the context of civil activities. Where the parties have agreed to use data messages in a document, such document shall not be denied validity or enforceability on the sole ground that data messages were used for that purpose (Article 3).
It is recognized that legal requirements prescribing the use of traditional paper-based documents, for example the use of "written", "signed" or "original" documents, constitute the main obstacle to the development of e-commerce. The E-Signatures Law adopts a "functionally equivalent approach" when envisaging the use of data messages as alternatives to paper-based forms of communication, information and records. The functionally equivalent approach is based on an analysis of the purposes and functions of the traditional paper-based requirements with a view to determining how those purposes or functions could be fulfilled through electronic techniques.5 Without removal of the paper-based requirements in the existing legal system, the E-Signatures Law provides that once data messages meet some criteria they will enjoy the same level of legal recognition as corresponding paper documents performing the same function.
Written Messages
A data message that is capable of tangibly representing its content and is accessible for use and investigation shall be deemed to be in writing (Article 4).
Original Form
A data message shall be deemed to be in its original form as required by laws and regulations where it satisfies the following requirements (Article 5):
(1) the information therein is capable of being effectively displayed and is accessible for use and investigation; and
(2) a reliable method is used with the data message to assure the integrity of the content of the information from the time when it is generated in its final form without any alteration. However, the addition of any endorsement or any changes of format that may arise in the course of communication, storage, or display of data does not affect the integrity of that information.
Deemed as Signed
Subject to some exceptions,6 a data message shall be deemed to be signed when it is affixed with a reliable electronic signature, as a reliable electronic signature7 shall have the same legal effect as a handwritten signature or a seal (Article 14). An electronic signature is considered to be reliable if it satisfies all of the following requirements (Article 13):
(1) the signature creation data8 are, within the context in which they are used in an electronic signature, linked to the signatory9 and to no other person;
(2) the signature creation data were, at the time of signing, under the control of the signatory and of no other person;
(3) any alteration to the electronic signature, made after the time of signing, is detectable; and
(4) any alteration to the contents and format of the data message made after the time of signing is detectable.
However, parties may choose to use an electronic signature that satisfies reliability requirements agreed upon between them.
Retention of Data Messages
It is recognized that some existing legal requirements regarding the storage of information may constitute obstacles to the use of data messages in e-commerce. To deal with this issue, Article 6 provides that a data message shall be deemed to be retained pursuant to laws and regulations if:
(1) the information therein is capable of being effectively displayed and is accessible for use and investigation;
(2) it is retained in the same format in which it was generated, transmitted or received, or if in a different format it can be demonstrated to represent accurately the information generated, transmitted or received; and
(3) it is retained so as to enable the identification of its originator and recipient and the date and time of its dispatch and receipt.
Admissibility and Evidential Weight of Data Messages
Pursuant to Article 7 of the E-Signatures Law, a data message shall not be denied admission as evidence on the sole ground that it is generated, sent, received or stored by electronic, optical, magnetic or similar means. The evidential value of a data message should be assessed by taking into consideration all relevant factors, including (Article 8): the reliability of the manner in which the data message was generated, stored or sent; the reliability of the manner in which the integrity of the information therein was maintained; and the reliability of the manner in which its originator was identified.
Communication of Data Messages
Dispatch of Data Messages
Unless otherwise agreed by the parties, a data message is deemed to be dispatched when (1) it is sent under the authorization of the originator; (2) it is sent automatically by the originator's information system; or (3) it is verified and ascertained by the addressee after the addressee applies a procedure previously agreed to by the originator (Article 9).
In addition, except where otherwise agreed by the parties, the time of dispatch of a data message is the time when the data message enters an information system outside the control of the originator (Article 11).
Receipt of Data Messages
Under the Contract Law, offer and acceptance become effective when they are received rather than dispatched.10 Therefore it is critical to determine when the offer and acceptance are deemed to be received by the parties in the formation of electronic contracts. The E-Signatures Law takes the exact same approach as the Contract Law to ensure the legal certainty that the contract can be concluded by electronic means. In Article 11, it is provided that (unless otherwise agreed by the parties) where the addressee designates an information system to receive data messages, the time of receipt of a data message is presumed to be the time when the data message enters such information system. If the addressee has not designated an information system, receipt occurs when the data message first enters an information system of the addressee (Article 11).
In addition, where an acknowledgement of receipt of a data message is required by laws, administrative regulations or as agreed to by the parties, such data message is deemed to be received upon the receipt of the acknowledgement by the originator from the addressee (Article 10).
Location of Dispatch and Receipt
A data message is deemed to be dispatched at the place where the originator has its principal place of business and deemed to be received at the place where the addressee has its principal place of business. If a party does not have a principal place of business, reference is to be made to its habitual residence (Article 12).
Electronic Signatures
In the E-Signatures Law, "electronic signature" is a generic, technologically neutral term that refers to various techniques currently available or still under development by which one can electronically sign a data message. The actual technology used in creating or effecting an electronic signature is at the discretion of the parties to the contract or record, and the E-Signatures Law provides criteria for the legal recognition of electronic signatures irrespective of the technology used (Article 13). Such a technologically neutral approach has been adopted so as not to stifle the development of new technologies used for personal identification in e-commerce, or unfairly favour one technology over another.
Nevertheless, the drafters seem to believe that it is necessary to offer some practical standards against which the technical reliability of electronic signatures may be measured. With an aim to foster confidence that certain electronic signature techniques can be relied upon in legally significant transactions, the E-Signatures Law emphasizes some unique issues arising out of a particular type of electronic signature - a digital signature involving third party certification - because it both plays a predominant role in emerging e-commerce practices and also raises certain unique issues that must be addressed at some point by transaction parties. These issues include, among other things, the interplay of relationships between three distinct types of parties (i.e., signatories, certification service providers and relying parties) corresponding to this digital signature model and the legal requirements and operational guidelines for the certification service provider (CSP).
Digital Signatures and Public Key Infrastructure
Generally speaking, a digital signature is a form of electronic signature that uses asymmetric cryptography, which relies on a pair of keys. The "private key", which is kept secret, is used only by the signatory to sign the message, and the "public key" is held in the public domain. The two keys are mathematically linked as a pair, and when used together they provide both data security and authenticity for the message: a signature created with the private key can be verified only with the matching public key.
Use of digital signatures can take the form of digital certificates. A CSP established and operated in accordance with law may issue a data message or other electronic record confirming the link between a signatory and signature creation data (which is also called an "Electronic Signatures Certificate", or ESC).11 The ESC represents independent verification that a particular network server or party is trusted by an authorized CSP, and is as a result trusted by the party to a transaction.
A digital signature integrates the use and administering of a key pair (a private key and a public key), an ESC and a CSP. This operational relationship is known as "public key infrastructure" (PKI). The PKI allows a party to send a secure message over an open computer network and therefore increases the security of e-commerce transactions.
Legal Requirements for CSP and ESC
The E-Signatures Law does not require the use of a third-party CSP to independently validate electronic signatures. However, an ESC that is issued by a CSP that meets a set of minimum standards as required by law is deemed to be sufficiently trustworthy (Article 16).
Legal Requirements for a CSP
A qualified CSP should meet the following legal requirements (Article 17):
(1) it shall have professional technical and management personnel qualified to provide the ESC services;
(2) it shall have sufficient capital funds and an operational site that is appropriate to its corresponding ESC services;
(3) it shall have technologies and equipment that meet national security standards;
(4) it shall obtain a certificate verifying that it is approved to use secret codes by the national secret code administration; and
(5) other requirements as provided by laws and regulations.
Approval Process and the Authority in Charge
In addition, in order to engage in ESC services, a CSP should submit an application to the relevant information industry administration of the State Council (the Authority) for approval (Article 18). After its application is approved, the CSP will obtain a licence and shall then register with the relevant administration for industry and commerce in accordance with law (Article 18). The approved CSP should also publish its name, licence number and other required information on the website designated by the Authority (Article 18).
The Authority is responsible for supervising the administration of all CSPs in China and implementing administrative regulations to regulate the ESC service industry in accordance with the E-Signatures Law (Article 25).
Information Required in an ESC
The CSP should issue an accurate ESC and include therein the following information (Article 21): the name of the CSP; the name of the ESC subscriber; the serial number of the ESC; the validation period of the ESC; the subscriber's electronic signature verification data;12 the electronic signature of the CSP; and other information required by the Authority.
Legal Responsibilities: CSP
Where a CSP provides services to support an electronic signature in accordance with the E-Signatures Law, it shall, after receiving the application from the signatory, review all the relevant material and verify the identity of the signatory (Article 20). The CSP should ensure the accuracy and completeness of all information included in the ESC throughout the life cycle thereof (Article 22). It should also ensure that a relying party13 ascertains or understands all of the information included in, and relevant matters with respect to, the ESC (Article 22).
The CSP shall formulate, publish and file with the Authority its practice guidelines with respect to its ESC business in accordance with law. The practice guidelines shall cover the scope of liabilities, operation standards, information security safeguard measures and other related matters (Article 19).
The CSP should duly retain all the information in connection with an ESC for a minimum period of five years after the expiration date of the ESC (Article 24).
The E-Signatures Law imposes strict liabilities on the CSP. It provides that where a signatory or relying party suffers losses when acting in its civil activities based on the ESC services provided by the CSP, the CSP shall be responsible for relevant damages if it fails to prove it is not at fault (Article 28).
Signatory
When the signatory applies to the CSP for an ESC, it should provide real, complete and accurate information (Article 20). If the signatory fails to do so, it should be responsible for any damages suffered by relevant relying parties and the CSP arising out of its failure (Article 27).
The signatory shall exercise reasonable care to protect the signature creation data (Article 15). Without undue delay, the signatory shall notify relevant parties and cease using the electronic signature creation data if it knows that the signature creation data has been or may have been compromised. If the signatory fails to do so, it should be responsible for any damages suffered by relevant relying parties and the CSP arising out of its failure (Article 27).
International Recognition
Subject to the verification by the Authority based on relevant international treaties or the principle of reciprocity, an ESC issued outside China by a foreign CSP shall have the same legal effect in China as an ESC issued by a CSP established in accordance with the E-Signatures Law (Article 26).
The E-Signatures Law has been designed and enacted to remove legal obstacles to the recognition of data messages and electronic signatures and to promote and establish the predictability and trust needed by parties doing business electronically. In addition, it is aimed to facilitate the continued expansion of e-commerce in China by facilitating the use of new business models and technologies.
Nevertheless, the E-Signatures Law does not cover every aspect of the use of data messages and electronic signatures in e-commerce. Instead, it focuses on essential principles for advancing e-commerce transactions and practices in China. In other words, the E-Signatures Law only sets up a framework for development of a Chinese e-commerce legal system, and it needs to be supplemented by more detailed and comprehensive implementing rules and administrative regulations, which we expect to see in the near future.
In addition, during the evolution of the Chinese e-commerce legal system, market participants in China will undoubtedly act quickly to determine whether their electronic business practices and transactions are compliant with the E-Signatures Law, and how they can increase the use of new electronic information and technologies in their businesses in China in order to maximize the new business opportunities offered by the E-Signatures Law.
Endnotes
1 On December 6 2002 Guangdong province passed the first piece of provincial e-commerce legislation in China, the Electronic Transactions Regulations, which became effective as of February 1 2003.
2 See the Contract Law, Article 11.
3 Electronic data interchange (EDI) has not been defined in the E-Signatures Law. EDI usually means electronic transfer from computer to computer of information using an agreed standard to structure the information. See UNCITRAL Model Law on Electronic Commerce (1996).
4 See Article 3. Data messages and electronic signatures shall not be applied to the following documents in connection with: (1) marriage, adoption, inheritance or other personal relationship; (2) transfer of interests in real estate such as land and houses; (3) suspension of public utility services such as water, heat, gas and electricity; or (4) as otherwise provided by laws and regulations.
5 See UNCITRAL Model Law on Electronic Signatures with Guide to Enactment (2001).
6 See Article 3.
7 An electronic signature refers to any data in electronic form in or affixed to a data message, which may be used to identify the person holding the signature creation data and indicate that person's approval of the information contained in the data message (Article 2).
8 Signature creation data refers to data (such as keys and codes) that are used during the making of the signature to provide a secure link between the resulting electronic signature and the signatory (Article 34).
9 Signatory refers to a person that holds signature creation data and acts either on its own behalf or on behalf of the person it represents (Article 34).
10 See the Contract Law, Articles 16 and 26.
11 See Article 34(3). Signature creation data refers to data such as keys and codes that link the electronic signature with the signatory in the making of such electronic signature (Article 34(4)).
12 See Article 34(5). Electronic signature verification data refers to data used to verify electronic signatures including code, instruction, methodology, public key, etc.
13 See Article 34(2). A relying party means a person that acts on the basis of an ESC or an electronic signature.