The just passed IT Bill-99 makes it mandatory for Certifying authorities to register and obtain license from the Controller. Otherwise, the digital certificates issued by them would not be valid. This means that if any contract carries a digital signature of a person holding the digital certificate issued by an unregistered Certifying authority, the adjudicating officer or the other Cyber regulatory agencies may consider that the signature would not be considered valid.

This situation is evident from the following two sections.

According to Section 2(g) of the Act,

If for argument sake let us say that a Contract is signed by an Indian using a digital certificate issued by a properly licensed Certifying Authority and a foreigner using a certificate issued by an agency which though recognized in his country, is not registered in India. 

It is a debatable point whether such contracts must be considered "Void" or "Voidable". If it is considered "Void", both parties perhaps would be in a similar predicament eventhough most international contracts may place the responsibility for local legal compliance on the resident party. Most probably they would be considered "Voidable" since there is no doubt about the intention of the parties. The situation would not be much different from contracts where a "Stamp Act" or "Registration Act" provision has not been complied with.
 

The interesting fallout of this situation is the issue- If the contract is considered voidable, will it be voidable at the instance of the Indian whose signature is good and binding, or at the instance of the Foreigner whose signature is flawed? This will be unfair even though, technically the law recognizes the obligations attributable to the "good signature" and not those attributable to the "bad signature"

If the Indian courts consider the contract as void, a foreign court may still consider it as valid. The foreigner will therefore have recourse to courts while the Indian will not. If a foreign court passes a judgement against the Indian based on the contract, there will be no remedy for the Indian in the Indian courts. 

This is not a hypothetical situation. There are already lakhs of digital certificates issued abroad by Certifying authorities, which may go unrecognized as per the provisions of the proposed Act. Since these agencies need to compulsorily set up offices in India to apply for recognition, many of them may not be keen in applying for a license in India. The Government should thank its stars that Verisign has made a premature announcement of its entry to India. If it had held its intention back, the Government would have been forced to prostrate before the company and request them to apply for a license in India since nearly 90 % of the global certificate market at present belongs to them. Without their participation, the Indian certifying system would be a non-starter. Even now there is a doubt whether the recognition in India would validate only those certificates issued after the date of registration and not before it and hence several lakh certificates now in circulation may be invalid under the Indian Law.

So, What is the remedy? 

The Act should be amended to state that " Not withstanding any thing contained to the contrary in Sec 19 of the Act, Certificates issued by Certifying Authorities already recognized by the root certifying authorities of any of the UN member nations would be deemed as valid against any person who is not a citizen of India, even though the certifying authority has not applied for and obtained a valid license in India or his license has been rejected, suspended or revoked for any reason." 

If such an amendment is not made to the Act, Indians would be at a disadvantage in the Global Digital Contract Market.

Na.Vijayashankar

June, 2, 2000