This is the draft of the E-Commerce Laws drafted in India following the UNCITRAL Model Law
recommended by the UNO.
It was overridden by the Information Technology Bill 1999 in December 1999.
 
     
 

Draft of Electronic Commerce Act, 1998

 

An Act to establish the law relating to electronic commerce.

WHEREAS it is expedient to establish the law relating to electronic commerce;

PART I - PRELIMINARY

1.       Short Title, Extent and Commencement.

2.       Definitions

3.       Purpose and Construction.

4.       Application. 

5.       Variation by Agreement.

PART II - ELECTRONIC RECORDS AND SIGNATURES GENERALLY 

6.       Legal Recognition

7.       Requirements of Writing.

8.       Electronic Signatures.

9.       Original Record.

10.    Admissibility and Evidentiary Weight of Electronic Records and Electronic Signatures.

11.    Retention of Electronic Records.

PART III -- SECURE ELECTRONIC RECORDS AND SIGNATURES 

12.    Secure Electronic Record.

13.    Secure Electronic Signature

14.    Presumptions Relating to Secure Electronic Records and Signatures

PART IV -- ELECTRONIC CONTRACTS

15.    Formation and Validity.

16.    Effectiveness Between Parties

17.    Attribution

18.    Acknowledgment of Receipt.

19.    Time and Place of Dispatch and Receipt

20.    Applicable Law

PART V -- EFFECT OF DIGITAL SIGNATURES

21.    Secure Electronic Record with Digital Signature.

22.    Digital Signature as a Secure Electronic Signature.

23.    Unreliable Digital Signatures

PART VI -- GENERAL DUTIES RELATING TO DIGITAL SIGNATURES

24.    Foreseeability of Reliance on Certificates.

25.    Prerequisites to Disclosure of Certificate

26.    Publication for Fraudulent Purpose

27.    False or Unauthorized Request.

PART VII - DUTIES OF CERTIFICATION AUTHORITIES

28.    Trustworthy System

29.    Disclosure by Certification Authorities.

30.    Issuing of Certificate.

31.    Representations Upon Issuance of Certificate.

32.    Fiduciary Relationship

33.    Financial Responsibility

34.    Suspension of Certificate.

35.    Revocation of Certificate

PART VIII -- DUTIES OF SUBSCRIBERS

36.    Generating A Key Pair.

37.    Acceptance of Certificate.

38.    Control of Private Key.

39.    Initiating Suspension or Revocation.

PART IX -- REGULATION OF CERTIFICATION AUTHORITIES AND REPOSITORIES

40.    Appointment of Controller and Other Officers

41.    Recognition of Foreign Certification Authorities

42.    Recommended Reliance Limit

43.    Liability Limits for Certification Authorities

44.    Recognition of Repositories.

45.    Liability of Repositories.

PART X - GOVERNMENT USE OF ELECTRONIC RECORDS AND SIGNATURES

46.    Acceptance of Electronic Filing and Issue of Documents.

PART XI -- LIABILITY OF NETWORK SERVICE PROVIDERS

47.    Liability of Network Service Providers

PART XII - COMPUTER CRIME

48.    Computer Crime

49.    Penalties

50.    Forfeiture

PART XIII -- GENERAL

51.    Confidentiality.

52.    Offense by Body Corporate

53.    Controller May Give Directions for Compliance.

54.    Power to Investigate

55.    Access to Computers and Data.

56.    General Penalty

57.    Power to Exempt

58.    Power of Central Government to make rules.

59.    Power to remove difficulties.

THE ELECTRONIC COMMERCE SUPPORT ACT, 1998


Amendments to the Indian Evidence Act, 1872
Amendments to the Indian Contract Act, 1872.
Amendment to the Indian Telegraph Act, 1885
Amendments to the Banker's Books Evidence Act of 1891
Amendments to the General Clauses Act, 1897
Amendments to the Reserve Bank of India Act, 1934

It is hereby enacted as follows:--

PART I - PRELIMINARY

1. Short Title, Extent and Commencement.

    
(1) This Act may be called the Electronic Commerce Act, 1998.
(2) This Act extends to the whole of India, except the State of Jammu and Kashmir.
(3) This Act shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint in this behalf.


2. Definitions. In this Act, unless the context otherwise requires -

(a) "Asymmetric cryptosystem" means a computer-based system capable of generating and using a secure key pair, consisting of a private key for creating a digital signature and a public key to verify the digital signature.

Comments: Asymmetric cryptography is the core of the current digital signature technology. An asymmetric cryptosystem is an information system utilizing an algorithm or series of algorithms that provide for a cryptographic key pair consisting of a private key and the corresponding public key. A secure key pair is a key pair that is cryptographically strong and is capable of reliably creating and verifying digital signatures.

(b) "Authentication" means a process used to ascertain the identity of a person or the integrity of specific information. For a message, authentication involves ascertaining its source and confirming that it has not been modified or replaced in transit.

(c) "Authorized officer" means any officer that has been authorized by the Controller to exercise the powers of the Controller under this Act as identified in Section 41 of this Act.

Comments: An Authorized Officer will have the authority, if delegated by the Controller (as defined herein), to perform the duties and obligations of the Controller as specified herein.

(d) "Certificate" means a record, that at a minimum: (i) identifies the certification authority issuing it; (ii) names or otherwise identifies its subscriber, or a device or electronic agent under the control of the subscriber; (iii) contains a public key that corresponds to a private key under the control of the subscriber; (iv) specifies its operational period; and (v) is digitally signed by the certification authority issuing it.

(e) "Certification authority" means a person who authorizes or causes the issuance of a certificate.

(f) "Certification practice statement" means a statement issued by a certification authority that specifies the policies or practices that the certification authority employs in issuing, managing, suspending and revoking certificates and providing access to them.

(g) "Computer" means an electronic, magnetic, electromagnetic, digital, optical, or other information processing system or device used for creating, generating, transmitting, receiving, storing, displaying, or otherwise processing information, together with any supporting software, input, output, or data storage devices used therewith.

(h) "Computer network" means two or more computers in communication with or connected to each other.

(i) "Computer program" means a set of instructions or statements, and related data, to be used directly or indirectly in a computer or computer network in order to cause a certain result.

(j) "Computer security system" means the design, procedures or other measures that the person responsible for the operation and use of a computer employs to restrict the use of the computer to particular persons or uses, or that the owner or licensee of data stored or maintained by a computer in which the owner or licensee is entitled to store or maintain the data employs to restrict access to or protect the confidentiality of the data.

(k) "Computer virus" means any computer instruction, information, data or program that degrades the performance of a computer; disables, damages or destroys a computer; or attaches itself to another computer and executes when the host computer program, data or instruction is executed or when some other event takes place in the host computer, data or instruction.

(l) "Controller" means the Controller of Certification Authorities appointed under Section 41. Source: Singapore Electronic Transactions Act §2.

(m) "Correspond" in relation to private or public keys, means to belong to the same key pair.

(n) "Damage" means any destruction, alteration, disruption, deletion, addition, modification or other impairment to the integrity or availability of a computer, data, electronic record, a program, an information system or information.

Comment: The definition of "damage" is based on the definition contained in the United States Computer Fraud and Abuse Act, but includes a wider range of categories of impairment of computer resources.

(o) "Data" means a representation of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer. Source: Malaysia Computer Crimes Act §2.

(p) "Digital signature" means an electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can accurately determine: (i) whether the transformation was created using the private key that corresponds to the signer's public key and (ii) whether the initial electronic record has been altered since the transformation was made.

(q) "Electronic" includes electrical, digital, magnetic, optical, electromagnetic or any other form of technology that entails capabilities similar to these technologies.

(r) "Electronic device" means a computer program or electronic record or other automated means configured or enabled by a person to independently initiate or respond to electronic records or performances on behalf of that person without review by an individual.

(s) "Electronic record" means a record generated, sent, received or stored by electronic means for use in an information system or for transmission from one information system to another.

(t) "Electronic signature" means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted with the intention of authenticating or approving the electronic record.

(u) "Hash function" means an algorithm mapping or translating one sequence of bits into another, generally smaller, set (the hash result) such that: (i) a record yields the same hash result every time the algorithm is executed using the same record as input; (ii) it is not feasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and (iii) it is computationally infeasible that two records can be found that produce the same hash result using the algorithm.

(v) "Information" includes data, text, images, sound, codes, computer programs, software, databases and the like.

(w) "Information system" means a system for creating, generating, sending, receiving, storing, displaying or otherwise processing information.

(x) "Internet" means a global network of interconnected computer networks, each using the transmission control protocol/internet protocol or any combination thereof or such other standard network interconnection protocols as is used to transmit data that is directly or indirectly delivered to a computer.

(y) "Key pair" in an asymmetric cryptosystem, means a private key and its mathematically related public key, having the property that the public key can verify a digital signature that the private key creates.

(z) "Network service provider" means a person that provides the software, hardware, telecommunications facilities or any combination of the above, to facilitate access to the Internet or any other computer network, and includes a value added network service provider.

(aa) "Operational period of a certificate" begins on the date and time the certificate is issued by a certification authority (or on a later date and time if stated in the certificate), and ends on the date and time it expires as stated in the certificate or is earlier revoked or suspended.

(bb) "Private key" means the key of a key pair used to create a digital signature.

(cc) "Prescribed" means prescribed by rules made under this Act.

(dd) "Provide access" means, in relation to material provided by a third party, the provision of the necessary technical means by which such material may be accessed and includes the automatic and temporary storage of such material for the purpose of providing access.

(ee) "Public key" means the key of a key pair used to verify a digital signature.

(ff) "Record" means information that is inscribed, stored or otherwise fixed in a tangible medium or that is stored in an electronic or other intangible medium and may be retrieved in perceivable form.

(gg) "Repository" means a system for storing and retrieving certificates or other information relevant to certificates, including information related to the status of a certificate.

(hh) "Revoke a certificate" means to permanently end the operational period of a certificate from a specified time forward.

(ii) "Rule of law" includes any provision contained in an enactment or any rule derived from any other source of law.

(jj) "Security procedure" means a procedure for the purpose of: (i) verifying that an electronic record is that of a specific person or (ii) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time. A security procedure may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgment procedures, or similar security devices.

(kk) "Signed" or "signature," in relation to electronic records, includes any symbol executed or adopted, or any security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with the intent to authenticate such record.

(ll) "Subscriber" means a person who is the subject named or identified in a certificate issued, who holds a private key that corresponds to a public key listed in that certificate and who is the person to whom digitally signed messages verified by reference to such certificate are to be attributed.

(mm) "Suspend a certificate" means to temporarily suspend the operational period of a certificate from a specified time forward.

(nn) "Third party" means, in relation to a network service provider, a person over whom the provider has no effective control.

(oo) "Trustworthy system or manner" means the use of, or adoption of any device involving the use of, computer hardware, software and procedures that, in the context in which they are used: (i) can be shown to be reasonably resistant to penetration, compromise and misuse; (ii) provide a reasonable level of reliability and correct operation; (iii) are reasonably suited to performing their intended functions or serving their intended purposes; (iv) comply with applicable agreements between the parties, if any; and (v) adhere to generally accepted security procedures.

(pp) "Valid certificate" means a certificate that a certification authority has issued and that the subscriber listed in the certificate has accepted.

(qq) "Verify a digital signature" means to use a public key listed in a valid certificate to determine: (i) that the digital signature was created using the private key corresponding to the public key listed in the certificate and (ii) the electronic record has not been altered since its digital signature was created.

3. Purpose and Construction.

This Act shall be construed consistently with what is commercially reasonable under the circumstances and to effectuate the following purposes:

(a) To facilitate electronic communications by means of reliable electronic records;

(b) To facilitate and promote electronic commerce, to eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements, and to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;

(c) To facilitate the electronic filing of documents with government agencies and statutory corporations, and to promote efficient delivery of government services by means of electronic records;

(d) To minimize the incidence of forged electronic records, intentional and unintentional alterations of records, and fraud in electronic commerce and other electronic transactions;

(e) To promote public confidence in the integrity and reliability of electronic records, electronic signatures and electronic commerce;

(f) To establish uniform rules and standards regarding the authentication and integrity of electronic records; and

(g) To create a legal infrastructure for the use of digital signatures.

4. Application.

(a) Parts II or IV of this Act shall not apply to any law requiring writing or signatures in any of the following circumstances:
(1) the creation or execution of a will;
(2) the execution of negotiable instruments;
(3) the creation, performance or enforcement of an indenture, declaration of trust or power of attorney with the exception of constructive and resulting trusts;
(4) any contract for the sale or other disposition of immovable property, or any interest in such property;
(5) the conveyance of immovable property or the transfer of any interest in immovable property;
(6) documents of title for movable or immovable property; or
(7) where such application would involve a construction of a rule of law that is clearly inconsistent with the manifest intent of the lawmaking body or repugnant to the context of the same rule of law, provided that the mere requirement that information be "in writing," "written" or "printed" shall not by itself be sufficient to establish such intent.

(b) The Central Government may modify in the public interest, by notification published in the Official Gazette, the provisions of section (a) by adding, deleting or amending any class of transactions or matters specified in that section.

(c) In relation to this Act, electronic records shall not be liable to stamp duty under the Stamp Act, 1899.

(d) Notwithstanding anything contained in the Telegraph Act, 1885, or rules made under this Act, it shall be lawful to transmit and receive records electronically.

5. Variation by Agreement. As between parties involved in generating, sending, receiving, storing or otherwise processing electronic records, any provision of Part II or IV of this Act may be varied by agreement of the parties.

PART II - ELECTRONIC RECORDS AND SIGNATURES GENERALLY

6. Legal Recognition. Except as provided in Section 4 of this Act, records and signatures shall not be denied legal effect, validity or enforceability solely on the ground that they are in electronic form.

7. Requirements of Writing. Except as provided in Section 4, where any rule of law requires any matter to be in writing, that requirement sufficiently is met by an electronic record if the matter contained therein is accessible so as to be usable for subsequent reference.

8. Electronic Signatures. Except as provided in Section 4, where any rule of law requires that a record bear a signature, or provides for certain consequences if a record is not signed, an electronic signature satisfies that rule of law if:
(a) a method is used to identify the originator and to indicate the originator's approval of the information contained in the electronic record; and
(b) that method is as reliable as was appropriate for the purpose for which the electronic record was generated or communicated, in light of all of the circumstances, including any relevant agreements among the parties involved.

9. Original Record. (a) Where a rule of law requires a record to be presented or retained in its original form, that requirement is met by an electronic record if:

(i) there exists reliable assurance as to the integrity of the record from the time when it was first generated in its final form, as an electronic record or otherwise; and
(ii) where it is required that a record be presented, that record is capable of being displayed to the person to whom it is being presented.
(b) Subsection (a) applies whether the requirement referred to therein is in the form of an obligation or whether the law simply provides consequences for the record not being presented or retained in its original form.
(c) For the purposes of subsection (a)(i):

(i) the criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and
(ii) the standard of reliability required shall be assessed in light of the purpose for which the information was generated and in light of all the relevant circumstances.

10. Admissibility and Evidentiary Weight of Electronic Records and Electronic Signatures.

(a) Nothing in the Indian Evidence Act, 1872 or any rules made under this Act shall apply in any legal proceedings so as to deny the admissibility of an electronic record or an electronic signature into evidence:
(i) on the sole ground that it is an electronic record or an electronic signature; or
(ii) on the grounds that it is not in its original form or is not an original.

(b) Information in the form of an electronic record shall be given due evidentiary weight without regard to the fact that it is an electronic record. In assessing the evidentiary weight of an electronic record or an electronic signature, regard shall be given to:

(i) the reliability of the manner in which it was generated, stored or communicated;
(ii) the reliability of the manner in which its integrity was maintained;
(iii) the manner in which its originator was identified or the electronic record was signed; and
(iv) any other factor that may be relevant.

(c) Nothing in this section shall be construed to affect the provisions of Section 4 of this Act.

11. Retention of Electronic Records.

(a) Where any law for the time being in force requires that certain documents, records or information be retained, whether permanently or for a specified period, that requirement is satisfied by retaining them in the form of electronic records if the following conditions are fulfilled:

(i) the electronic record and the information contained therein remains accessible so as to be usable for subsequent reference;
(ii) the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and
(iii) such information as enables the identification of the origin and destination of an electronic record and the date and time when it was sent or received, if any, is retained.

(b) An obligation to retain documents, records or information in accordance with subsection (a) shall not extend to any data the sole purpose of which is to enable the record to be sent or received.

(c) It shall be lawful for a person to satisfy the retention requirement referred to in Section 11(a) by using the services of any other person, if the conditions in Sections 11(a)(i) through (iii) are complied with.

(d) Nothing in this section shall preclude any department or ministry of the Central Government, State Government or a statutory corporation under Central or State Government from specifying additional requirements for the retention of electronic records that are subject to its jurisdiction.

PART III -- SECURE ELECTRONIC RECORDS AND SIGNATURES

12. Secure Electronic Record.

(a) If a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved has been applied to an electronic record in a trustworthy manner and has been relied upon reasonably and in good faith by the relying party to verify that the electronic record has not been altered since a specified point in time, such record shall be treated as a secure electronic record from such specified point in time to the time of verification.

(b) For the purposes of this Section 12 and of Section 13, whether a security procedure is commercially reasonable shall be determined in light of the procedure used and the commercial circumstances prevailing at the time the procedure was used, including:

(i) the nature of the transaction;
(ii) the sophistication of the parties;
(iii) the volume of similar transactions engaged in by the parties involved;
(iv) the availability of alternatives offered to but rejected by any party;
(v) the cost of alternative procedures; and
(vi) the procedures in general use for similar types of transactions.
(c) Whether reliance on a security procedure was reasonable and in good faith shall be determined in light of all the circumstances known to the relying party at the time of the reliance, with regard to:

(i) the information that the relying party knew or should have known of at the time of reliance that would suggest that reliance was or was not reasonable;
(ii) the value or importance of the electronic record, if known;
(iii) any course of dealing between the relying party and the purported sender and the available indicia of reliability or unreliability apart from the security procedure;
(iv) any usage of trade, particularly trade conducted by trustworthy systems or other computer-based means; and
(v) whether the verification was performed with the assistance of an independent third party.

13. Secure Electronic Signature. If, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, an electronic signature is executed in a trustworthy manner and reasonably and in good faith is relied upon by the relying party, such signature shall be treated as a secure electronic signature at the time of verification to the extent that it can be verified that said electronic signature satisfied, at the time it was made, the following criteria:

(a) it was unique to the person using it;
(b) it was capable of being used to objectively identify such person;
(c) it was created in a manner or using a means under the sole control of the person using it, that cannot be readily duplicated or compromised; and

(d) it is linked to the electronic record to which it relates in a manner such that if the record was changed the electronic signature would be invalidated.

14. Presumptions Relating to Secure Electronic Records and Signatures.
(a) In any civil proceedings involving a secure electronic record, it shall be presumed, unless the contrary is proved, that the secure electronic record has not been altered since the specific point in time to which the secure status relates.
(b) In any civil proceedings involving a secure electronic signature, the following shall be presumed unless the contrary is proved:
(i) the secure electronic signature is the signature of the person to whom it correlates; and
(ii) the secure electronic signature was affixed by that person with the intention of signing or approving the electronic record.

(c) In the absence of a secure electronic record or a secure electronic signature, nothing in this Part shall create any presumption relating to the authenticity and integrity of the electronic record or an electronic signature.

(d) The effect of presumptions provided in this section is to place on the party challenging the integrity of a secure electronic record or challenging the genuineness of a secure electronic signature both the burden of going forward with evidence to rebut the presumption and the burden of persuading the trier of fact that the nonexistence of the presumed fact is more probable than its existence.

(e) For the purposes of this section:
(i) "secure electronic record" means an electronic record treated as a secure electronic record by virtue of Sections 12 or 21; and
(ii) "secure electronic signature" means an electronic signature treated as a secure electronic signature by virtue of Sections 13 or 22.

PART IV -- ELECTRONIC CONTRACTS

15. Formation and Validity.
(a) In the context of the formation of contracts, unless otherwise agreed by the parties involved, an offer and the acceptance of an offer may be expressed by means of electronic records.

(b) Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose.

(c) A contract may be formed by the interaction of electronic agents. A contract is formed if the interaction results in the electronic agents' engaging in operations that confirm or indicate the existence of a contract.

(d) A contract may be formed by the interaction of an electronic agent and an individual. A contract is formed if the individual has reason to know that the individual is dealing with an electronic agent and the individual takes actions or makes a statement that the individual has reason to know will cause the electronic agent to perform the subject of the contract, or instruct a person or electronic agent to do so.

16. Effectiveness Between Parties. As between the originator and the addressee of an electronic record, a declaration of intent or other statement shall not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record.

17. Attribution.

(a) An electronic record is that of the originator if it was sent by the originator himself.

(b) As between the originator and the addressee, an electronic record is deemed to be that of the originator if it was sent:
(i) by a person who had the authority (pursuant to a document in a non-electronic form) to act on behalf of the originator in respect of that electronic record; or
(ii) by an information system programmed by or on behalf of the originator to operate automatically.

(c) As between the originator and the addressee, an addressee is entitled to regard an electronic record as being that of the originator and to act on that assumption if:
(i) in order to ascertain whether the electronic record was that of the originator, the addressee properly and in good faith applied a procedure previously agreed to by the originator for that purpose; or
(ii) the data message as received by the addressee resulted from the actions of a person whose relationship with the originator or with any agent of the originator enabled that person to gain access to a method used by the originator to identify electronic records as its own.

(d) Section 17(c) shall not apply:
(i) from the time when the addressee has both received notice from the originator that the electronic record is not that of the originator, and had reasonable time to act accordingly;
(ii) at any time when the addressee knew or should have known, had it exercised reasonable care or used any agreed procedure, that the electronic record was not that of the originator; or
(iii) if in all the circumstances of the case, it is unconscionable for the addressee to regard the electronic record as that of the originator or to act on that assumption.
(e) Where an electronic record is that of the originator or is deemed to be that of the originator, or the addressee is entitled to act on that assumption, then, as between the originator and the addressee, the addressee is entitled to regard the electronic record received as being what the originator intended to send, and to act on that assumption. The addressee is not so entitled when the addressee knew or should have known, had the addressee exercised reasonable care or used any agreed procedure, that the transmission resulted in any error in the electronic record as received.
(f) The addressee is entitled to regard each electronic record received as a separate electronic record and to act on that assumption, except to the extent that the addressee duplicates the electronic record or the addressee knew or should have known, had the addressee exercised reasonable care or used any agreed procedure, that an electronic record received from the originator was a duplicate.
(g) Nothing in this section shall affect the law of agency or the law on the formation of contracts.

18. Acknowledgment of Receipt. (a) Sections 18(b), (c) and (d) shall apply where, on or before sending an electronic record, or by means of that electronic record, the originator has requested or has agreed with the addressee that receipt of the electronic record be acknowledged.

(b) Where the originator has not agreed with the addressee that the acknowledgment be given in a particular form or by a particular method, an acknowledgment may be given by:
(i) any communication by the addressee, automated or otherwise; or
(ii) any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.
(c) Where the originator has stated that the electronic record is conditional on receipt of the acknowledgment, the electronic record is treated as though it had never been sent until the acknowledgment is received.
(d) Where the originator has not stated that the electronic record is conditional on receipt of the acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed, or, if no time has been specified or agreed, within a reasonable time, the originator:
(i) may give notice to the addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and
(ii) if the acknowledgment is not received within the time specified in Section 18(a), may, upon notice to the addressee, treat the electronic record as though it has never been sent, or exercise any other rights it may have.

(e) Where the originator receives the addressee's acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related electronic record was received by the addressee, but that presumption does not imply that the content of the electronic record corresponds to the content of the record received.

(f) Where the received acknowledgment states that the related electronic record met technical requirements, either agreed upon or set forth in applicable standards, it is presumed, unless evidence to the contrary is adduced, that those requirements have been met.

(g) Except as it relates to the sending or receipt of the electronic record, this section is not intended to address the legal consequences that may flow either from that electronic record or from the acknowledgment of its receipt.

19. Time and Place of Dispatch and Receipt

(a) Unless otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters an information system outside the control of the originator or the person who sent the electronic record on behalf of the originator.

(b) Unless otherwise agreed between the originator and the addressee, the time of receipt of an electronic record is determined as follows:

(i) if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs:
(A) at the time when the electronic record enters the designated information system; or
(B) if the electronic record is sent to an information system of the addressee that is not the designated information system, at the time when the electronic record is retrieved by the addressee.
(ii) if the addressee has not designated an information system, receipt occurs when the electronic record enters an information system of the addressee.

(c) Section 19(b) shall apply notwithstanding that the place where the information system is located may be different from the place where the electronic record is deemed to be received under Section 19(d).

(d) Unless otherwise agreed between the originator and the addressee, an electronic record is deemed to be dispatched at the place where the originator has its place of business, and is deemed to be received at the place where the addressee has its place of business.

(e) For the purposes of this section:
(i) if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction or, where there is no underlying transaction, the principal place of business;
(ii) if the originator or the addressee does not have a place of business, reference is to be made to the usual place of residence; and
(iii) "usual place of residence" in relation to a body corporate, means the place where it is incorporated or otherwise legally constituted.
(f) This section shall not apply to such circumstances as may be prescribed.

20. Applicable Law. Where a contract to which this Act applies is a transnational contract, and a dispute arises out of or in connection with such contract, the following provisions shall apply:

(a) The dispute shall be decided in accordance with the rule of law designated by the parties as applicable to the substance of the dispute;
(b) Any designation by the parties of the law or legal system of a given country shall be construed, unless otherwise expressed, as directly referring to substantive law of that country and not to its conflict of laws rules;
(c) Failing any such designation of the law under subsection (a) by the parties the court or arbitral tribunal shall apply the rules of law which it considers to be appropriate given all the circumstances surrounding the dispute;
(d) In all cases the court or tribunal shall decide in accordance with the terms of the contract and shall take into account the usage of the trade applicable to the transaction.

Explanation: In this section "transnational contract" means a contract in which at least one of the parties is (i) an individual who is a national of or habitually resident in any country other than India; (ii) a body corporate which is incorporated in any country other than India; (iii) a company or an association or a body of individuals whose central management and control is situated in any country other than India; or (iv) the Government of a foreign country.

PART V -- EFFECT OF DIGITAL SIGNATURES

21. Secure Electronic Record with Digital Signature. The portion of an electronic record that is signed with a digital signature shall be treated as a secure electronic record if the digital signature is a secure electronic signature by virtue of Section 13.

22. Digital Signature as a Secure Electronic Signature. When any portion of an electronic record is signed with a digital signature, the digital signature shall be treated as a secure electronic signature with respect to such portion of the record, if:

(a) the digital signature was created during the operational period of a valid certificate and is verified by reference to the public key listed in such certificate; and

(b) the certificate is considered trustworthy, in that it is an accurate binding of a public key to a person's identity because the following requirements have been fulfilled:

(i) the certificate was issued by a certification authority operating in compliance with the rules made under this Act;
(ii) the certificate was issued by a certification authority outside India recognized for this purpose by the Controller pursuant to rules made under this Act;
(iii) the certificate was issued by a department or ministry of the Central Government, State Government or a statutory corporation of Central or State Government approved by Central Government to act as a certification authority on such conditions as the Controller may by rules impose or specify; or
(iv) the parties have expressly agreed between themselves (originator and addressee) to use digital signatures as a security procedure, and the digital signature was properly verified by reference to the originator's public key.

23. Unreliable Digital Signatures. Unless otherwise provided by a rule of law or contract, a person relying on a digitally signed electronic record assumes the risk that the digital signature is invalid as a signature or authentication of the signed electronic record, if reliance on the digital signature is not reasonable under the circumstances having regard to the following factors:

(a) facts which the person relying on the digitally signed electronic record knows or has notice of, including all facts listed in the certificate or incorporated in it by reference;

(b) the value or importance of the digitally signed record, if known;

(c) the course of dealing between the person relying on the digitally signed electronic record and the subscriber and any available indicia of reliability or unreliability apart from the digital signature; and

(d) usage of trade, particularly trade conducted by trustworthy systems or other electronic means.

PART VI -- GENERAL DUTIES RELATING TO DIGITAL SIGNATURES

24. Foreseeability of Reliance on Certificates. It may be presumed that persons relying on a digital signature also will rely on a valid certificate containing the public key by which the digital signature can be verified.

25. Prerequisites to Disclosure of Certificate. A person shall not publish a certificate or otherwise make it available to anyone known by that person to be in a position to rely on the certificate or on a digital signature that is verifiable with reference to a public key listed in the certificate, if such person knows that:
(a) the certification authority listed in the certificate has not issued it;
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation.

26. Publication for Fraudulent Purpose. Any person who knowingly creates, publishes or otherwise makes available a certificate for any fraudulent or unlawful purpose shall be guilty of an offense and shall be liable on conviction to imprisonment for a term not exceeding 2 years or a fine not exceeding Rs.1,00,000 or both.

27. False or Unauthorized Request. Any person who knowingly misrepresents to a certification authority his identity or authorization for the purpose of requesting a certificate or for suspension or revocation of a certificate shall be guilty of an offense and shall be liable on conviction to imprisonment for a term not exceeding 6 months or a fine not exceeding Rs. 50,000 or both.

PART VII - DUTIES OF CERTIFICATION AUTHORITIES

28. Trustworthy System. Except as otherwise conspicuously set forth in its certification practice statement, a certification authority and a person maintaining a repository must:
(a) maintain and utilize trustworthy systems and operate in a trustworthy manner in performing its services;
(b) possess the reliability necessary for offering certification services;
(c) employ personnel which possess the expert knowledge, experience and qualifications necessary for the offered services;
(d) record and retain records of all relevant information concerning a certificate for an appropriate period of time, in particular to be able to provide evidence of certification in the context of a dispute or lawsuit; and
(e) publish all relevant information concerning the proper and secure use of certification services and established procedures for complaints and dispute resolution and settlement.

29. Disclosure by Certification Authorities.

(a) A certification authority shall disclose the following:
(i) its certificate that contains the public key corresponding to the private key used by that certification authority to digitally sign another certificate (defined for purposes of this section as a certification authority certificate);
(ii) any relevant certification practice statement;
(iii) notice of any revocation or suspension of its certification authority certificate; and
(iv) any other fact that materially and adversely affects either the reliability of a certificate that the authority has issued or the authority's ability to perform its services.

(b) In the event of an occurrence that materially and adversely affects a certification authority's trustworthy system or its certification authority certificate, the certification authority shall act in accordance with procedures governing such an occurrence specified in its certification practice statement or, in the absence of such procedures, use reasonable efforts to notify any person who is known to be or reasonably foreseeably will be affected by that occurrence.

30. Issuing of Certificate. A certification authority may issue a certificate to a prospective subscriber only after the certification authority has received a request for issuance from the prospective subscriber and
(a) if it has a certification practice statement, complied with all of the practices and procedures set forth in such certification practice statement including procedures regarding identification of the prospective subscriber; or

(b) in the absence of a certification practice statement addressing these issues, or if the parties involved have not entered into an agreement specifically providing otherwise, confirmed by itself or through an authorized agent that the following is the case:

(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber authorized the agent to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.

31. Representations Upon Issuance of Certificate.

(a) By issuing a certificate, a certification authority represents, to any person who reasonably relies on the certificate or a digital signature verifiable by the public key listed in the certificate, that the certification authority has processed, approved and issued, and will manage and if necessary suspend or revoke the certificate, in accordance with any applicable certification practice statement incorporated by reference in the certificate, or of which the relying person has notice.

(b) In the absence of such a certification practice statement, the certification authority represents that it has confirmed the following:

(i) the certification authority has complied with all applicable requirements of this Act and other appropriate authority in issuing the certificate and, if the certification authority has published the certificate or otherwise made it available to such relying person, that the subscriber listed in the certificate has accepted it;
(ii) the subscriber identified in the certificate holds the private key corresponding to the public key listed in the certificate;
(iii) the certification authority has verified the identity of the subscriber to the extent stated in the certificate or its applicable certification practice statement or, in lieu thereof, that the certificate authority has reasonably verified the identity of the subscriber;
(iv) the subscriber's public key and private key constitute a functioning key pair;
(v) all information in the certificate is accurate, unless the certification authority has stated in the certificate or incorporated by reference in the certificate a statement that the accuracy of specified information is not confirmed; and
(vi) that the certification authority has no knowledge of any material fact which if it had been included in the certificate would adversely affect the reliability of the representations in this section.

(c) Where there is an applicable certification practice statement which has been incorporated by reference in the certificate, or of which the relying person otherwise has notice, subsection (b) shall apply to the extent that the representations are not inconsistent with the certification practice statement.

(d) Certification authorities shall keep and maintain as current a publicly accessible electronic register of certificates issued, indicating the time when any individual certificate expires or when it was suspended or revoked.

(e) Notwithstanding subsection (a) through (d), if a certification authority issued the certificate subject to the laws of another jurisdiction, the certification authority makes all warranties and representations, if any, otherwise applicable under the law governing its issuance.

32. Fiduciary Relationship. (a) A certification authority is a fiduciary to a subscriber where a certification authority holds that subscriber's private key or where provided by contract among the parties involved.

(b) A certification authority is not otherwise a fiduciary to a subscriber and is not a fiduciary to any relying party, except where otherwise expressly provided by contract or law.

33. Financial Responsibility. A certification authority must have sufficient financial resources:
(a) to maintain its operations in conformity with its duties; and
(b) to be reasonably able to bear its risk of liability to subscribers and other relying parties relying on certificates issued by the certification authority and digital signatures verifiable by reference to public keys listed in such certificates.

34. Suspension of Certificate. (a) Unless the certification authority and the subscriber agree otherwise, the certification authority that issued a certificate shall suspend the certificate as soon as possible after receiving a request by a person whom the certification authority reasonably believes to be one of the following:

(i) the subscriber listed in the certificate;
(ii) a person duly authorized to act for that subscriber; or
(iii) a person acting on behalf of that subscriber, who is unavailable.

(b) Except as otherwise specifically provided in its certification practice statement, or unless the certification authority and the subscriber agree otherwise, a certification authority that issued a certificate shall suspend the certificate as soon as possible after confirmation by the certification authority that:

(A) a material fact represented in the certificate is false;
(B) a material requirement for issuance of the certificate was not satisfied;
(C) the certification authority's private key or trustworthy system was compromised in a manner materially affecting the certificate's reliability; or
(D) the subscriber's private key has been compromised.

(c) Immediately upon suspension of a certificate by a certification authority, the certification authority shall notify the subscriber and relying parties in accordance with its certification practice statement or, in the absence of such statement, shall promptly notify the subscriber, promptly publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension, and otherwise disclose the fact of suspension on inquiry by any relying party. Where one or more repositories are specified, the certification authority shall publish signed notices of the suspension in all such repositories.

35. Revocation of Certificate

(a) Except as otherwise specifically provided in its certification practice statement, or unless the certification authority and the subscriber agree otherwise, a certification authority shall revoke a certificate that it issues upon the occurrence of the following:

(i) receiving a request for revocation by the subscriber named in the certificate, and confirming that the person requesting revocation is the subscriber or is an agent of the subscriber with authority to request the revocation;
(ii) receiving a certified copy of the subscriber's death certificate, or upon confirming by other verifiable evidence that the subscriber is dead;
(iii) upon presentation of documents effecting a corporate dissolution of the subscriber or upon confirming by other verifiable evidence that the subscriber has been dissolved or has ceased to exist; or
(iv) confirmation by the certification authority that one of the following events has occurred, provided that no such revocation may be made until the subscriber has had a reasonable opportunity for a hearing:

(A) a material fact represented in the certificate is false;
(B) a material requirement for issuance of the certificate was not satisfied;
(C) the certification authority's private key or trustworthy system was compromised in a manner materially affecting the certificate's reliability; or
(D) the subscriber's private key has been compromised.

(b) Upon effecting such a revocation, the certification authority shall immediately provide notice as follows:

(i) immediately upon revocation of a certificate by a certification authority, the certification authority shall promptly notify the subscriber listed in the revoked certificate (if not deceased, dissolved or ceased to exist) and any relying parties in accordance with its certification practice statement or, in the absence of such statement, shall promptly notify the subscriber, promptly publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation, and otherwise disclose the fact of revocation on inquiry by a relying party; and
(ii) where one or more repositories are specified, the certification authority shall publish signed notices of the revocation in all such repositories.

PART VIII -- DUTIES OF SUBSCRIBERS

36. Generating A Key Pair.

(a) If the subscriber generates the key pair whose public key is to be listed in a certificate issued by a certification authority and accepted by the subscriber, the subscriber shall generate that key pair using a trustworthy system.

(b) This section shall not apply to a subscriber who generates the key pair using a system approved by the certification authority.

37. Obtaining A Certificate. All material representations made by the subscriber to a certification authority for purposes of obtaining a certificate, including all information known to the subscriber and represented in the certificate, shall be accurate and complete to the best of the subscriber's knowledge and belief, regardless of whether such representations are confirmed by the certification authority.

37. Acceptance of Certificate.

(a) A subscriber shall be deemed to have accepted a certificate if that subscriber:
(i) publishes or authorizes the publication of a certificate in one of the following ways:

(A) to one or more persons; or
(B) in a repository; or

(ii) otherwise demonstrates approval of a certificate while knowing or having notice of its contents.

(b) By accepting a certificate issued by a certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate as follows:
(i) that the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
(ii) that all material representations made by the subscriber to the certification authority and material to the information listed in the certificate are true; and
(iii) that all information in the certificate that is within the knowledge of the subscriber is true.

38. Control of Private Key.
(a) By accepting a certificate issued by a certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key corresponding to the public key listed in such certificate and to prevent its disclosure to any person not authorized to create the subscriber's digital signature.
(b) Such duty shall continue during the operational period of the certificate and during any period of suspension of the certificate.

39. Initiating Suspension or Revocation. A subscriber who has accepted a certificate shall as soon as possible notify the issuing certification authority and request said authority to suspend or revoke the certificate if the private key corresponding to the public key listed in the certificate has been compromised.

PART IX -- REGULATION OF CERTIFICATION AUTHORITIES AND REPOSITORIES

40. Appointment of Controller and Other Officers

(a) The Central Government shall appoint a Controller of Certification Authorities for the purpose of this Act and, in particular, for the purposes of licensing, certifying, monitoring and overseeing the activities of certification authorities.
(b) The Controller may, after consultation with the Central Government, appoint such number of Deputy and Assistant Controllers of Certification Authorities and officers as the Controller considers necessary to exercise and perform all or any of the powers and duties of the Controller under this Act or rules made under this Act, except for the Controller's power to direct compliance as set forth in Section 54 of this Act.
(c) The Controller, the Deputy and Assistant Controllers and officers appointed by the Controller under Section 41 shall exercise, discharge and perform the powers, duties and functions conferred on the Controller under this Act or any rules made under this Act, subject to such written directions as may be issued by the Central Government to the Controller and subject to Section 54 of this Act.
(d) The Controller shall maintain a publicly accessible database containing a certification authority disclosure record for each certification authority which shall contain all the particulars required under the rules made under this Act.
(e) The Controller may investigate complaints or other information indicating violations of rules adopted under this Act, and may refer for prosecution any suspected or alleged violations to the appropriate government agency.
(f) In the application of the provisions of this Act to certificates issued by the Controller and digital signatures verified by reference to those certificates, the Controller shall be deemed to be a certification authority.
(g) The Controller, the Deputy, Assistant Controller and officers appointed by the Controller shall be deemed to be public servants for the purposes of the Penal Code.
(h) In exercising any of the powers under this Act, any officer appointed by the Controller shall on demand produce to the person against whom he is acting the authority issued to him by the Controller.

41. Recognition of Foreign Certification Authorities
(a) Certificates issued by a foreign certification authority, and signatures and records complying with the laws of another jurisdiction relating to digital or other electronic signatures, are recognized as legally equivalent to certificates issued by certification authorities operating under this Act, and to the signatures and records complying with this Act, if the laws of the other jurisdiction and the practices of the foreign certification authority require a level of reliability at least equivalent to that required for such certificates, records and signatures under this Act.
(b) Notwithstanding the preceding paragraph, the Controller and parties to commercial and other transactions may specify that a particular certification authority, class of certification authorities or class of certificates must be used in connection with messages or signatures submitted to them.
(c) The determination of equivalence described in subsection (a) may be made by a published determination of the Controller in the Official Gazette or through bilateral or multilateral agreement with other jurisdictions. The determination of equivalence shall be made with regard to the following factors:

(i) financial and human resources, including existence of assets within jurisdiction;
(ii) trustworthiness of hardware and software systems;
(iii) procedures for processing of certificates and applications for certificates and retention of records;
(iv) availability of information to subscribers identified in certificates and to potential relying parties;
(v) regularity and extent of audit by an independent body;
(vi) the existence of a declaration by the jurisdiction, an accreditation body or the certification authority regarding compliance with or existence of the foregoing;
(vii) susceptibility to the jurisdiction of the courts of the enacting jurisdiction; and
(viii) the degree of discrepancy between the law applicable to the liability of the certification authority and the law of the enacting jurisdiction.

42. Recommended Reliance Limit

(a) A certification authority may, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.
(b) The certification authority may specify different limits in different certificates as it deems appropriate.

43. Liability Limits for Certification Authorities. Unless a certification authority expressly waives the application of this section, a certification authority shall not be liable for the following:

(a) For any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the false or forged digital signature, the certification authority complied with the requirements of this Act and applicable regulations; and

(b) For an amount in excess of the amount specified in the certificate as its recommended reliance limit for either:

(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the certification authority is required to confirm; or
(ii) intentional or knowing failure to comply with any provisions of this Act in issuing the certificate, unless such failure to comply was done intentionally or knowingly.

44. Recognition of Repositories.

(a) The Controller may recognize one or more repositories after determining that a repository to be recognized satisfies the requirements prescribed in the regulations made under this Act.
(b) The Controller shall publish a list of recognized repositories in such form and manner as he may determine.

45. Liability of Repositories.

(a) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository and a certification authority or a subscriber, a repository shall be liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.

(b) Unless waived, a recognized repository or the owner or operator of a recognized repository:
(i) shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;
(ii) shall not be liable under subsection (a) in excess of the amount specified in the certificate as the recommended reliance limit;
(iii) shall not be liable under subsection (a) for:

(A) punitive or exemplary damages; or
(B) damages for pain or suffering;

(iv) shall not be liable for misrepresentation in a certificate published by a certification authority;
(v) shall not be liable for accurately recording or reporting information which a certification authority, a court or the Controller has published as required or permitted under this Act, including information about the suspension or revocation of a certificate; and
(vi) shall not be liable for reporting information about a certification authority, a certificate or a subscriber, if such information is published as required or permitted under this Act or is published by order of the Controller in the exercise of his powers under this Act.

PART X - GOVERNMENT USE OF ELECTRONIC RECORDS AND SIGNATURES

46. Acceptance of Electronic Filing and Issue of Documents.

(a) Any department or ministry of Central Government, State Government or a statutory corporation under Central or State Government that, pursuant to any enactment:

(i) accepts the filing of documents or requires that documents be created or retained;
(ii) issues any permit, license or approval; or
(iii) provides for the method and manner of payment,

may, notwithstanding anything to the contrary in such enactment:

(A) accept the filing of such documents, or the creation or retention of such documents, in the form of electronic records;

(B) issue such permit, license or approval in the form of electronic records; or

(C) make such payment in electronic form.

(b) In any case where a department or ministry of Central Government, State Government or a statutory corporation under Central or State Government decides to perform any of the functions in subsection (a)(i), (ii), or (iii), such agency may specify:
(i) the manner and format in which such electronic records shall be filed, created, retained or issued;
(ii) where such electronic records are required to be signed, the type of electronic signature required (including, if applicable, a requirement that the sender use a secure electronic signature);
(iii) the manner and format in which such signature shall be affixed to the electronic record, and the identity of or criteria that shall be met by any certification authority used by the person filing the document;
(iv) control processes and procedures as appropriate to ensure adequate integrity, security and confidentiality of electronic records or payments; and
(v) any other required attributes for electronic records or payments that are currently specified for corresponding paper documents.

(c) Nothing in this Act shall by itself compel any department or ministry of the Central Government, State Government or a statutory corporation under Central or State Government to accept or issue any document in the form of electronic records.

PART XI -- LIABILITY OF NETWORK SERVICE PROVIDERS

47. Liability of Network Service Providers.

(a) A network service provider shall not be subject to any civil or criminal liability under any rule of law in respect of third party material in the form of electronic records to which such provider merely provides access if such liability is founded on:

(i) the making, publication, dissemination or distribution of such materials or any statement made in such material; or
(ii) the infringement of any rights subsisting in or in relation to such material.

(b) Nothing in this section shall affect:
(i) any obligation of the network service provider founded on principles of contract law;
(ii) the obligation of a network service provider as such under a licensing or other regulatory regime established under any enactment for the time being in force; or
(iii) any obligation imposed under any enactment for the time being in force or by a court to remove, block or deny access to any material;
(iv) the provisions of Section 52 of this Act.

(c) Nothing in clause (a) of this section shall render a network service provider immune from liability for any violation of law for the time being in force (including provisions of this Act) committed intentionally or knowingly.

PART XII - COMPUTER CRIME

48. Computer Crime. For the purpose of this Act, any person who commits any of the following acts is guilty of an offense of computer crime:
(a) Intentionally accesses, damages or conceals, or attempts to access, damage or conceal, temporarily or permanently, any computer data base, computer, information system or computer network, without permission from the owner, in order to either:
(i) wrongfully control, obtain, make use of or prevent others from deriving the benefits of money, property, data or electronic records;
(ii) copy or destroy any data or electronic records;
(iii) use or disrupt any functions of computers, computer networks or information systems; or
(iv) commit any act that is an offense under the Indian Penal Code.

(b) Knowingly, and with the intent to defraud, obtains or attempts to obtain any computer services by false representation, false statement or unauthorized charging to the account of another, by installing or tampering with any facilities or equipment, or by any other means.

(c) Intentionally or recklessly introduces or allows the introduction of any computer virus into any computer, computer system or computer network without permission of the owner.

49. Penalties

(a) Any person who commits the offense of computer crime as set forth in the provisions of Section 49(a) of this Act is punishable as follows:
(i) For the first offense that does not result in damage, by imprisonment up to 1 year or by a fine not to exceed Rs. 1,00,000 or both;
(ii) For second or subsequent offenses, or in cases where damage occurs, by imprisonment up to three years or by a fine up to Rs. 2,00,000, or by both, and if government or public property is injured, by imprisonment up to three years or by a fine up to Rs. 5,00,000 or both;

(b) Any person who commits offense as under Section 49(b) of this Act shall be punishable as follows :

(i) For the first offense which does not result in damage, and where the value of the computer services used does not exceed Rs. 10,000, by a fine not exceeding Rs. 1,00,000, or by imprisonment not exceeding one year, or by both.

(ii) For any offense which results in damage of an amount greater than Rs. 1,00,000 or in an damage, or if the value of the computer services used exceeds Rs. 10,000, or for any second or subsequent violation, by a fine not exceeding Rs. 2,00,000, or by imprisonment up to three years, or by both.

(c) Any person who commits offense as per Section 49(c) of this Act is punishable as follows :

(i) For a first offense which does not result in damage, an infraction punishable by a fine not exceeding Rs. 10,000.

(ii) For any offense which results in damage in an amount not greater than Rs. 50,000, or for a second or subsequent violation, by a fine not exceeding Rs. 1,00,000 or by imprisonment not exceeding one year, or by both.

(iii) For any offense which results in damage in an amount greater than Rs. 50,000, by a fine not exceeding Rs. 2,00,000, or by imprisonment up to three years, or by both.

(d) Notwithstanding anything contained in the Code of Criminal Procedure, 1973, all offenses under this Act shall be bailable, noncognizable, and triable exclusively by the Chief Metropolitan Magistrate, Additional Chief Metropolitan Magistrate, Chief Judicial Magistrate or Additional Chief Judicial Magistrate.

50. Forfeiture.

(a) Any person who commits the offense of computer crime as set forth in Section 49 of this Act shall forfeit, according to the provisions of this section, any monies, profits or proceeds, and any interest or property which the sentencing court determines he has acquired or maintained, directly or indirectly, in whole or in part, as a result of such offense. Such person shall also forfeit any interest in, security, claim against or contractual right of any kind which affords him a source of influence over any enterprise which he has established, operated, controlled, conducted or participated in conducting, where his relationship to or connection with any such thing or activity directly or indirectly, in whole or in part, is traceable to any item or benefit which he has obtained or acquired through computer fraud.

(b) Any computer, computer system, computer network or any software or data, owned by such person, which is used during the commission of any public offense described in Section 49 or any computer, owned by the person, which is used as a repository for the storage of software or data illegally obtained in violation of Section 49 shall be subject to forfeiture under orders of the Court ordering his conviction.

PART XIII -- GENERAL

51. Confidentiality.

(a) Obligation of Confidentiality.

(i) Except where compelled by any court of law or pursuant to any law for the time being in force, no certification authority, Controller or network service provider, or their respective agents or employees, that have obtained access to any material, shall disclose such material to any other person without the prior consent of the owner of such material, except in cases where such disclosure is being made for the purpose of protecting his interest or for such other purpose as may be prescribed.
(ii) Except where compelled by any court of law or pursuant to any law for the time being in force, no person who has obtained unauthorized access to any electronic record shall intentionally or knowingly disclose such record or its contents to any other person. The provisions of this section shall be without prejudice to any liability which such person may have incurred by reason of the unauthorized access.

(b) Penalty for Breach of Confidentiality.

(i) Any network service provider who intentionally, knowingly or negligently contravenes subsection (a) shall be (A) enjoined by a court from acting as a network service provider for a period not to exceed three (3) months, or (B) liable in damages sustained by the owner, such damages to amount to no less than Rs. 10,000, or (C) both.

(ii) Any person other than a network service provider who intentionally contravenes subsection (a) shall be guilty of an offense and shall be liable upon conviction to imprisonment not to exceed 6 months or fines not to exceed Rs. 50,000 or to both.

Explanation: In this section, "material" includes any electronic record, book, register, correspondence, information or document.

52. Offense by Body Corporate. Where an offense under this Act or any rules made under this Act is committed by a body corporate and such offense is proved to have been committed with the consent or connivance of, or is proved to be attributable to, any act or default on the part of any director, manager, secretary or other similar officer of the body corporate, he as well as the body corporate, shall be guilty of that offense and shall be liable to be proceeded against and punished accordingly.

53. Controller May Give Directions for Compliance.

(a) The Controller may direct, by notice in writing, a certification authority or any officer or employee thereof to take such measures or stop carrying on such activities as are specified in the notice, if such action is necessary to ensure compliance with the provisions of this Act or any rules made under this Act.
(b) Any person who fails to comply with any direction specified in a notice issued under subsection (a) shall be guilty of an offense and shall be liable on conviction to imprisonment for a term not exceeding 1 year or a fine not exceeding Rs. 1,00,000 or both.

54. Power to Investigate.
(a) The Controller or an authorized officer may investigate, pursuant to a written order issued by the Controller or the officer, the activities of a certification authority in relation to its compliance with this Act and any rules made under this Act.
(b) For the purposes of subsection (a), the Controller may in writing issue an order to a certification authority to further its investigation.
(c) The Controller or an authorized officer may make reasonable inquiry, pursuant to a written order, of any person reasonably believed to have relevant information in connection with the commission of any offense under this Act.

55. Access to Computers and Data. The Controller or an authorized officer shall:

(a) be entitled at any time reasonable under the circumstances to:

(i) have access to, inspect and check the operation of any information system and any associated apparatus or material which he has reasonable cause to suspect is or has been in use in connection with any offense under this Act;
(ii) use or cause to be used any such information system to search any data contained in or available to such information system; or

(b) be entitled to require:

(i) the person by whom or on whose behalf the Controller or authorized officer has reasonable cause to suspect the computer is or has been so used; or
(ii) any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material,

to provide him with such reasonable technical and other assistance as he may require for the purposes of subsection (a).

57. Production of Documents, Data, etc. The Controller shall, for the purposes of the implementation of this Act, have power to do all or any of the following:

(a) require, by a written order, the production of records, accounts, data and documents kept by a certification authority and to inspect, examine and copy any of them;
(b) require, by a written order, the production of any document from any person reasonably in relation to any offense under this Act or any regulations promulgated under this Act.

56. General Penalty. Any person who (a) contravenes any provision of this Act or (b) fails to comply with any notice or written order lawfully issued under this Act, shall be guilty of an offense and, if no penalty is provided in this Act for such offense, shall be punished with imprisonment for a term not exceeding 6 months or a fine not exceeding 1,00,000 or both.

59. Sanction for prosecution. No prosecution in respect of any offense under this Act or any rule made under this Act shall be instituted except by or with the previous sanction of the Central Government.

57. Power to Exempt. The Central Government may by notification published in the Official Gazette, exempt, in the public interest, any person or class of persons from all or any of the provisions of this Act or any rules made under this Act.

58. Power of Central Government to make rules.

(a) The Central Government may make rules, by notification in the Official Gazette, to carry out the purposes of this Act.
(b) Without prejudice to the generality of the power conferred by clause (a), the rules made thereunder may provide for all or any of the following matters:

(i) to define when a digital signature qualifies as a secure electronic signature consistent with the provisions of this Act;
(ii) to ensure the quality of repositories and the services they provide;
(iii) licensing of certification authorities and their authorized representatives and matters incidental thereto;
(iv) the activities of certification authorities, including the manner, method and place of soliciting business, and the conduct of such solicitation, if any;
(v) the standards to be maintained by certification authorities;
(vi) prescribing the appropriate standards with respect to the qualifications, experience and training of applicants for any certification authority or for their employees;
(vii) prescribing the conditions for the conduct of business by a certification authority;
(viii) providing for the content and distribution of written, printed or visual material and advertisements that may be distributed or used by a person in respect of a digital certificate or key;
(ix) prescribing the form and content of a digital certificate or key;
(x) prescribing the particulars to be recorded in, or in respect of, accounts kept by certification authorities;
(xi) providing for the appointment and remuneration of an auditor appointed under the regulations and for the costs of an audit carried out under the regulations;
(xii) providing for the establishment and regulation of any electronic system by a certification authority, whether by itself or in conjunction with other certification authorities, and for the imposition and modification of such requirements, conditions or restrictions as the Controller may deem appropriate;
(xiii) the manner in which a certification authority conducts its dealings with its customers, conflicts of interest involving the certification authority and its customers, and the duties of the certification authority to its customers with respect to digital certificates;
(xiv) prescribing any forms for the purposes of the rules; and
(xv) prescribing fees to be paid in respect of any matter or thing required for the purposes of this Act or the rules.

(c) Rules made under this section may provide that a contravention of a specified provision shall be an offense and may provide penalties not exceeding a fine of Rs. 50,000.

(d) Every rule made by the Central Government under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised of in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.

(e) All rules made by the Central Government under this Act shall be published in the Official Gazette.

59. Power to remove difficulties. If any difficulty arises in giving effect to the provisions of this Act, the Central Government may by an order published in the Official Gazette make such provisions as necessary for the purpose of removing the difficulty. No such order shall be made after two years from the commencement of this Act.

THE ELECTRONIC COMMERCE SUPPORT ACT, 1998

An Act to amend various Central Acts to facilitate electronic commerce.

WHEREAS the rapid development of electronic commerce in India makes it expedient to amend existing legislation to facilitate the continued growth of electronic commerce and to resolve questions raised regarding the applicability of such legislation to the unique features of the electronic regime;
It is hereby enacted as follows:


1. Short title, Extent and Commencement. This Act may be called the Electronic Commerce Support Act, 1998. This Act extends to the whole of India, except the state of Jammu and Kashmir.
This Act shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint in this behalf.

2. Amendments to the Indian Penal Code.
(a). The Indian Penal Code is amended by adding to the end of section 29 the words ";or an electronic record as defined by the Electronic Commerce Act, 1998."
(b). A new Section 4A shall be added to the Indian Penal Code after section 4 of that Code, as under:


"4A. Electronic Records and Electronic Signatures. In the application of the provisions of this Code to offences relating to electronic records or electronic signatures, due regard shall be given to the provisions of the Electronic Commerce Act, 1998 and, in particular, words and expressions used but not defined in this Code shall, unless the context otherwise requires, be construed as having the same meaning as is assigned to them respectively by that Act."

(c). New sections 29A, 29B, 29C and 29D shall be added to the Indian Penal Code after section 29, as under:

"29A. Electronic Record. The term "electronic record," shall have the same meaning as assigned to it in the Electronic Commerce Act, 1998.


29B. Electronic Signature. The term "electronic signature" shall have the same meaning as assigned to it in the Electronic Commerce Act, 1998.

29C. Signature and Sign. The terms "signature" and "sign" shall have the same meanings as assigned to them in the Electronic Commerce Act, 1998.

29D. Writing. The term "writing" shall have the same meaning as assigned to it in the General Clauses Act, 1897, as amended by the Electronic Commerce Support Act, 1998."

3. Amendments to the Indian Evidence Act, 1872. (a) Section 1 of the Indian Evidence Act, 1872 shall be amended by inserting at the end of the paragraph entitled "Extent" the following:

"In the application of this Act to electronic records or electronic signatures as defined in the Electronic Commerce Act, 1998, due regard shall be had to the provisions of the latter Act."

(b) The definition of "document" in Section 3 of the Indian Evidence Act, 1872 shall be replaced with the following definition:

"Document means (i) any matter expressed, inscribed or described upon any substance by means of letters, figures or marks, or by more than one of those means, which is intended to be used or which may be used for the purpose of recording that matter; or (ii) any electronic record."

(c) Section 3 of the Indian Evidence Act, 1872 shall be amended by adding the following definitions at the end of that section:

"electronic signature" shall have the meaning assigned to it in the Electronic Commerce Act, 1998.
"electronic record" shall have the meaning assigned to it in the Electronic Commerce Act, 1998.
"writing" shall have the meaning assigned to it in the General Clauses Act, 1897 as amended by the Electronic Commerce Support Act, 1998.
"signature" or "signed" shall have the meaning assigned to it in the Electronic Commerce Act, 1998.
"books" shall include electronic records and shall be construed accordingly.

(d) The definition of "evidence" in Section 3 of the Indian Evidence Act, 1872 shall be amended by replacing the second clause with the following:

"(2) all documents produced for the inspection of the court, including matter in the form of electronic records."

(e) Section 35 of the Indian Evidence Act, 1872 shall be amended by adding the words "including an electronic record" after the word "record."

(f) Section 47 of the Indian Evidence Act, 1872 shall be amended by adding at the end of that section the following:

"In assessing the weight of electronic records or electronic signatures, due regard shall be had to the provisions of the Electronic Commerce Act, 1998."

(g) Section 58 of the Indian Evidence Act, 1872 shall be amended by inserting after the words "under their hands" the words "or under their electronic signature."

(h) Section 61 of the Indian Evidence Act, 1872 shall be amended by adding at the end of that section the following:

"Provided that nothing in this section shall affect the provisions of the Electronic Commerce Act, 1998."

(i) Section 62, Explanation 2 of the Indian Evidence Act, 1872 shall be amended by adding at the end of that Explanation the following:

"Nothing in this Section shall affect the provisions of Section 9 or 10 of the Electronic Commerce Act, 1998."

(j) Section 63 of the Indian Evidence Act, 1872 shall be amended by adding at its end the following:

"(6) electronic records that do not qualify as originals under Section 9 of the Electronic Commerce Act, 1998."

(k) Section 65 of the Indian Evidence Act, 1872 shall be amended by adding in clause (d) after the word "movable" the following: "or forms part of an electronic record."

(l) A new Section 67A shall be inserted into the Indian Evidence Act after Section 67 as under:

"67A. Proof of electronic signatures. Subject to the provisions of the Electronic Commerce Act, 1998, if an electronic record is alleged to bear the electronic signature of any person, such signature must be proved to be his."

Comments: This section is intended to amend the Indian Evidence Act to facilitate the use of electronic records and signatures as evidence and to harmonize this Act with the Electronic Commerce Act.

4. Amendments to the Indian Contract Act, 1872. (a) Section 1 of the Indian Contract Act, 1872 is amended by adding at the end of the paragraph entitled "Extent, commencement" the following:

"In the application of this Act to contracts entered into through an electronic record or bearing an electronic signature, as those terms are defined by the Electronic Commerce Act, 1998, due regard shall be had to the provisions of the latter Act."

(b) New sections 2A, 2B, 2C and 2D shall be added to the Indian Contract Act, 1872, as under:

"2A. Electronic Record. The term "electronic record," shall have the same meaning as assigned to it in the Electronic Commerce Act, 1998.

2B. Electronic Signature. The term "electronic signature" shall have the same meaning as assigned to it in the Electronic Commerce Act, 1998.

2C. Signature and Sign. The terms "signature" and "sign" shall have the same meanings as assigned to them in the Electronic Commerce Act, 1998.

2D. Writing. The term "writing" shall have the same meaning as assigned to it in the General Clauses Act, 1897, as amended by the Electronic Commerce Support Act, 1998."

5. Amendment to the Indian Telegraph Act, 1885. The Indian Telegraph Act, 1885 is amended by adding a new section 34A as under:

"Nothing in this Act shall affect the provisions of the Electronic Commerce Act, 1998 and, in particular, nothing in this Act shall be construed to prohibit the transmission or receipt of encrypted data in the form of electronic records, as that term is defined in the Electronic Commerce Act, 1998."

6. Amendments to the Banker's Books Evidence Act of 1891. (a) In Section 2 of the Banker's Books Evidence Act, 1891, sub-section (3) is replaced with the following:

"(3) "banker's books" include ledgers, day-books, cash books, account-books and other records used in the ordinary business of the bank, whether those records are in written form or are electronic records, as defined in the Electronic Commerce Act, 1998."

(b) New sections 2A, 2B, 2C and 2D shall be added to the Indian Penal Code, as under:

"2A. Electronic Record. The term "electronic record," shall have the same meaning as assigned to it in the Electronic Commerce Act, 1998.

2B. Electronic Signature. The term "electronic signature" shall have the same meaning as assigned to it in the Electronic Commerce Act, 1998.

2C. Signature and Sign. The terms "signature" and "sign" shall have the same meanings as assigned to them in the Electronic Commerce Act, 1998.

2D. Writing. The term "writing" shall have the same meaning as assigned to it in the General Clauses Act, 1897, as amended by the Electronic Commerce Support Act, 1998."

7. Amendments to the General Clauses Act, 1897. (a) The General Clauses Act, 1897 is amended by inserting immediately after section 3(18) the following:

"and includes an electronic record, as defined by the Electronic Commerce Act, 1998."

(b) The General Clauses Act, 1897 is amended by inserting at the end of section 3(65) the following:

"and includes electronic records, as defined by the Electronic Commerce Act, 1998."

Comments: This section expands the definitions of "document" and "writing" under the General Clauses Act to incorporate electronic records.

8. Amendments to the Reserve Bank of India Act, 1934,

(a) The Reserve Bank of India Act, 1934 is amended by inserting after Chapter IIIC, the following Chapter III D: "Chapter III D

(1) If the Bank is satisfied that in the interest of development of efficient payment systems it is necessary to promote and establish multiple electronic funds transfer (EFT) systems, it may by order, allow banking companies, financial or other institutions, or any other person desirous of setting up an EFT System to apply for authorisation from the Bank to commence and operate an EFT System.

(2) An application for approval under sub-section (1) shall be submitted in the form specified by the Bank from time to time, along with a scheme of operations of the proposed system and the documents relating to rights, duties and liabilities of the person participating in such system.

(3) The Bank may, before granting approval for any such proposed system, require the applicant or the proposed participants in the system to submit such further information and particulars as considered necessary and the Bank may also cause such reasonable inspection of the premises, equipments, machineries, books or other documents, or accounts and transactions, relating to the proposed system as considered essential by the Bank, with permission of the applicant.

(4) The Bank may, subject to such modifications and alterations to the scheme and any contract and documents submitted therewith as are considered desirable, approve or reject any application submitted for approval under sub-section (2). Provided that while approving the scheme, the Bank may impose such terms, restrictions, limitations and conditions as it may deem fit, on the applicant or the proposed participant or any other person likely to be affected or benefited thereby. Provided further, that before rejecting any such application the Bank may serve notice on the applicant requiring it to show cause as to why the application should not be rejected and if so requested by the applicant, an opportunity for hearing should also be given.

(5) Any Regulation framed by the Bank for regulation of multiple payment systems shall be binding on the applicant, the proposed participants and any other person likely to be affected or benefited thereby.

(6) No person, other than a person whose application is approved by the Bank under sub-section (4) shall commence or operate any EFT System.

Explanation: For the purpose of this Section:

"EFT System" means the Electronic Fund Transfer System established by these Regulations for carrying out interbank and intrabank funds transfers within India, through EFT centres connected by a network, and providing for settlement of payment obligations arising out of such funds transfers, between participating banks or institutions.

"banking company" means a company as defined in Section 5 of the Banking Regulation Act, 1949, and includes the State Bank of India, constituted by the State Bank of India Act, 1955, a Subsidiary Bank constituted under the State Bank of India (Subsidiary Banks) Act, 1959, a Corresponding New Bank constituted under the Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970 or the Banking Companies (Acquisition and Transfer of Undertakings) Act, 1980, a cooperative bank, as defined in Section 56 of Part V of the Banking Regulation Act, 1949 and such other banks as may be specified from time to time.

"Financial Institutions" shall bear the meaning assigned to it in Section 4A(1) of the Companies Act, 1956 and includes an institution notified under Sub-section (2) of that Section.

"Institution" means a public financial institution and includes a department or agency of the Central or State Government or any other organisation approved by the Reserve Bank as eligible to open a settlement account with it."

(b) Section 58(2) of the Reserve Bank of India Act, 1934, is amended by inserting after existing clause (P), the following new clause (PP):

"(PP) The regulation of multiple payment systems"