INTRODUCTION

This paper briefs Members on the proposed legal framework for the conduct of electronic transactions.

BACKGROUND

2. To promote the development of electronic commerce in Hong Kong and to facilitate the implementation of the Electronic Service Delivery scheme for the provision of public services to the community on-line, we consider it necessary to establish a clear legal framework to enhance certainty and security in the conduct of electronic transactions. This is essential to address public concerns about legal recognition of electronic records and digital signatures, confidentiality and integrity of electronic transmissions, and the authentication and non-repudiation of electronic messages.

3. The key principles which we propose to follow in establishing this legal framework are as follows -

1. the framework should remove any legal impediments to the conduct of electronic transactions;
   
   
2. the framework should provide certainty and security in the conduct of electronic transactions, thereby enhancing the confidence and trust of the public in carrying out such transactions;
   
   
3. the framework should adopt a technology neutral approach to cope with rapid technological changes; and
   
   
4. the framework should adopt a minimalist regulatory approach so as not to unnecessarily constrain the development of electronic commerce in the private sector.

ELECTRONIC TRANSACTIONS BILL

The Bill

4. Taking account of the principles set out in paragraph 3 above, we are now preparing a bill which will -

1. give equivalent legal status to electronic records and digital signatures in the conduct of electronic transactions as that of their paper-based counterparts; and
   
   
2. provide for the establishment of certification authorities (CAs) to ensure trust and security in electronic transactions through the issue of digital certificates and the use of public/private key technology.

Electronic records and digital signatures

5. To provide legal recognition to electronic records and digital signatures, we propose that the bill should be modelled on the United Nations Commission on International Trade Law - Model Law on Electronic Commerce with the following stipulations -

1. information shall not be denied legal effect solely on the ground that it is in the form of electronic records;
   
   
2. where the law requires information to be provided in writing, that requirement is met by electronic records;
   
   
3. where the law requires information to be presented or retained, that requirement is met by presenting or retaining the information in the form of electronic records;
   
   
4. electronic records shall not be denied admissibility as evidence in court soley because they are in the form of electronic records;
   
   
5. messages shall not be denied legal effect in the formation of contract solely on the ground that they are in the form of electronic records; and
   
   
6. where the law requires a signature of a person, that requirement is met by a digital signature which shall have the same legal effect as a hand-written signature (subject to paragraph 10 below).

Certification authorities

6. We propose that the bill should provide a legal framework for the operation of CAs in order to build up a local public key infrastructure and a secure and trustworthy environment for the conduct of electronic transactions. With the issue of digital certificates by CAs and through the use of digital signatures and public/private key encryption, individuals and businesses will be able to establish the identity of the opposite party in electronic transactions, authenticate the electronic messages received, ensure that the confidentiality and integrity of electronic messages have not been breached and that the messages cannot be repudiated.

7. To encourage the early establishment of a local public key infrastructure, Government will take the lead in providing CA services. The Hongkong Post will operate CA services by the end of 1999 on a non-exclusive basis. The number of CAs to be established in Hong Kong will be determined by market demands. The private sector will be free to set up CAs to serve the specific needs of particular sectors. In line with our minimalist approach and to encourage private sector initiatives, we do not propose to introduce any form of mandatory licensing requirement under the proposed legal framework, as is the case for some other places like Singapore or Malaysia.

8. But to protect consumer interest and enhance users' confidence in electronic transactions we propose to introduce a regime whereby CAs are free to apply for recognition from Government. Such a scheme will also help to maintain inter-operability within the local public key infrastructure. We propose that Government recognition should be granted only to those CAs -

1. which have achieved a trust standard acceptable to Government; and
   
   
2. which adopt common and open standards in their operation, thus ensuring inter-operability with other recognised CAs under the local public key infrastructure.

9. For CAs to gain recognition under this voluntary regime, they will have to meet the following requirements which will be stipulated in the proposed bill -

1. the publication of a certification practice statement which clearly specifies the practices employed in issuing digital certificates to subscribers;
   
   
2. the use of a trustworthy system in performing CA services;
   
   
3. the engagement of an accredited computer security professional to conduct an annual audit on the provision of CA services; and
   
   
4. the compliance with a code of practice issued by Government.

Failure to meet these requirements may result in revocation of the recognition granted by Government. Through the operation of this regime, consumers will be able to assess the trust standard of individual CAs and to make an informed choice in obtaining CA services.

10. To encourage CAs to seek Government recognition under the regime set out above, we will stipulate in the proposed bill that the provision therein regarding legal recognition of digital signatures (referred to in paragraph 5(f) above) will apply only to those digital signatures arising from digital certificates issued by recognised CAs. In addition, we shall, in line with international practice, introduce a provision to allow recognised CAs to set a recommended reliance limit for the certificates they issue and to confine their liabilities to the specified limit.

11. For CAs which have not obtained recognition from Government and thus not covered by the proposed statutory provisions, they and their subscribers will rely on common law principles in providing and obtaining CA services respectively.

Miscellaneous items

12. We shall also introduce general provisions in the proposed legal framework to deal with the obligation of secrecy and to provide safeguards against the provision of false information. In addition, we shall make consequential amendments to relevant legislation to enable the Hongkong Post to operate as a CA and to set its fees on a commercial basis. Consultation with Information Infrastructure Advisory Committee

13. We have consulted the Information Infrastructure Advisory Committee on the proposed legal framework and have obtained their support.

Next step

14. Drafting of the bill on electronic transactions is now in progress on the basis of the legal framework proposed in this paper. We aim to introduce the bill into the Legislative Council within the first half of 1999.


Information Technology & Broadcasting Bureau
January 1999