Disini & Disini
HOME|ABOUT|NEWS|PUBLICATIONS|RESOURCES|CONTACT US
     

I.R.R. on Electronic Authentication & Electronic Signatures

REPUBLIC OF THE PHILIPPINES

DEPARTMENT OF TRADE AND INDUSTRY

DEPARTMENT OF SCIENCE AND TECHNOLOGY

DEPARTMENT OF BUDGET MANAGEMENT

BANGKO SENTRAL NG PILIPINAS JOINT

ADMINISTRATIVE ORDER NO. ____________ Series of 2001

SUBJECT : PROVIDING IMPLEMENTING RULES AND REGULATIONS ON ELECTRONIC AUTHENTICATION AND ELECTRONIC SIGNATURES

Whereas,the State recognizes the vital role of information and communications technology in nation building, as well as its own obligation to ensure network security, connectivity and neutrality of technology for the national benefit;

Whereas, Section 29 of R.A. 8792 (Electronic Commerce Act of 2000) mandates the Department of Trade and Industry (DTI) to direct and supervise the promotion and development of electronic commerce in the Philippines with relevant government agencies, without prejudice to the provisions of Republic Act 7653 (Charter of Bangko Sentral ng Pilipinas) and Republic Act 8791 (General Banking Law of 2000);

Whereas,the issuance of clear, transparent, predictable and enforceable rules to clarify and ensure the legal validity and enforceability of electronic signatures and contracts will encourage and promote the development of electronic commerce in the Philippines, enhance its competitiveness in the new economy, protect the consumer, and encourage efficiency and transparency in commercial transactions;

Whereas,technological developments in electronic authentication and modes of generating electronic signatures are rapid, ongoing and market-led;

Whereas,rules and guidelines on electronic signatures and contracts that are technology-neutral will help ensure continued private sector initiative and innovation, and encourage consumer trust in these new technologies;

And finally, recognizing that where appropriate, market-driven, rather than government-imposed standards, contractual arrangements and codes of practice are better tools for validating electronic transactions and developing user confidence in global electronic commerce;

Now, therefore, pursuant to the provisions of Section 29 of Republic Act No. 8792, otherwise known as the Electronic Commerce Act of 2000 (hereinafter referred to as the “Act”), the following Implementing Rules and Regulations on Electronic Authentication and Electronic Signatures (hereinafter referred to as the “Rules”) are hereby prescribed and promulgated for the compliance of all concerned:

Section 1. General Rule of Validity. - As a general rule, and subject to the provisions of the Electronic Commerce Act of 2000 and these Rules,

  1. A signature, contract or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and
  2. A contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic document was used in its formation.

Section 2. Scope of Application. - These Rules apply where electronic signatures and/or electronic documents are used in the context of any commercial and non-commercial transaction, activity or dealings, whether public or private, occurring between and among parties. These include, and are not limited to, the following transactions: the sale, supply, procurement or exchange of goods or services, including the manufacture, processing, purchase, sale, supply, distribution or transacting in any manner, of tangible and intangible property of all kinds such as commodities, goods, merchandise, financial and banking products, patents, participations, shares of stock, software, books, works of art and other intellectual property; distribution agreement; commercial representation or agency; factoring; leasing; construction of works; consulting; engineering; licensing; investment; financing; banking; insurance; exploitation agreement or concession; joint venture and other forms of industrial or business cooperation; and carriage of goods or passengers by air, sea, rail or road.

Section 3. Definitions. - For the purposes of these Rules:

  1. “Asymmetric or public cryptosystem” is a type of signature creation technology and refers to a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key for verifying the digital signature.
  2. “Certificate” means an electronic document issued to support a secure electronic signature which purports to confirm the identity or other significant characteristics of the person who, in the case of digital signatures, holds a particular key pair or, in other cases, such signature creation or verification device or method as may be applicable under the circumstances.
  3. “Certification authority” is a type of information certifier which, in the course of its business, engages in issuing certificates in relation to cryptographic keys used for the purposes of digital signatures.
  4. “Digital Signature” is a type of secure electronic signature consisting of a transformation of an electronic document or an electronic data message using an asymmetric or public cryptosystem such that a person having the initial untransformed electronic document and the signer’s public key can accurately determine:
    1. whether the transformation was created using the private key that corresponds to the signer’s public key; and
    2. whether the initial electronic document had been altered after the transformation was made.
  5. “Electronic agent” means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic messages or documents, in whole or in part, without review or action by an individual at the time of the action or response.
  6. “Electronic authority signature” refers to an electronic signature that establishes the authority, position or attribute of the signer as the duly authorized proxy, agent or representative of another person, and therefore, by such signature to bind the latter as if he had created and/or issued the electronic signature himself.
  7. “Electronic data message” refers to information generated, sent, received or stored by electronic, optical or similar means.
  8. “Electronic document” refers to information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically. It includes documents signed with secure electronic signatures and any print-out or output, readable by sight or other means, which accurately reflects the electronic data message or electronic document. For purposes of these Rules, the term “electronic document” may be used interchangeably with “electronic data message.”
  9. “Electronic signature” refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person, and attached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document. For purposes of these Rules, electronic signatures include digital signatures and secure electronic signatures.
  10. “Information and communication system” refers to a system intended for and capable of generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or in which data is recorded or stored and any procedures related to the recording or storage of electronic data message or electronic document.
  11. “Information Certifier” means any person who, or entity which, in the course of its business, issues certificates as a means of providing identification services and/or certifying information which are used to support the use of and trust in secure electronic signatures. For purposes of these Rules, the term “information certifier” includes but is not necessarily limited to certification authorities.
  12. “Key pair” in an asymmetric cryptosystem refers to the private key and its mathematically related public key such that the latter can verify the digital signature that the former creates.
  13. “Person” means any natural or juridical person including, but not limited to, an individual, corporation, partnership, joint venture, unincorporated association, trust or other juridical entity, or any governmental authority.
  14. “Private Key” refers to the key of a key pair used to create a digital signature.
  15. “Public Key” refers to the key of a key pair used to verify a digital signature
  16. “Secure Electronic Signature” means an electronic signature which is created and can be verified through the application of a security procedure or combination of security procedures that ensures such electronic signature: a. is unique to the signer; b. can be used to identify objectively the signer of the data message c. was created and affixed to the data message by the signer or using a means under the sole control of the signer; and d. was created and is linked to the data message to which it relates in a manner such that any change in the data message would be revealed. For purposes of these Rules, secure electronic signatures includes but is not necessarily limited to digital signatures.
  17. “Signature creation device, method or technology” refers to any device, method or technology used to create an electronic signature in respect of which it can be shown, through the use of a security procedure or method, that such signature
    1. is unique to the signer for the purpose for which it is used;
    2. was created and affixed to the data message by the signer or using a means under the sole control of the signer; and
    3. was created and is linked to the electronic data message to which it relates in a manner which provides reliable assurance as to the integrity of the message.
  18. “Signer” means the person who uses, creates and affixes an electronic signature to an electronic data message. Section 4. Technological Neutrality. - None of the provisions of these Rules shall be applied so as to exclude, restrict, or deprive of legal effect any method of electronic signature that satisfies the requirements referred to in Section 8 of the Act, or in Rule 5 of these Rules which is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.

Section 5. Legal Recognition of Electronic Signatures. - An electronic signature on the electronic document shall be equivalent to the signature of a person on a written document if that signature is proved by showing that a prescribed procedure, not alterable by the parties interested in the electronic document, existed under which:

  1. A method is used to identify the party sought to be bound and to indicate said party’s access to the electronic document necessary for his consent or approval through the electronic signature;
  2. Said method is reliable and appropriate for the purpose for which the electronic document was generated and communicated, in the light of all circumstances, including any relevant agreement;
  3. It is necessary for the party sought to be bound, in order to proceed further with the transaction, to have executed or provided the electronic signature; and
  4. The other party is authorized and enabled to verify the electronic signature, and to make the decision to proceed with the transaction authenticated by the same.

The parties may agree to adopt supplementary or alternative procedures provided that the same are not contrary to law or public policy.

 Section 6. Authority Signatures. - None of the provisions of these Rules shall be applied so as to exclude, disallow, or deprive electronic authority signatures, as defined in Rule 3 above, of legal effect and validity.

Section 7. Electronic Agents. - A contract or other record relating to a transaction may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action of one or more electronic agents so long as such electronic agent is under the control of, or its actions are legally attributable to the person sought to be bound.

 Section 8. Liability for unauthorized use of secure electronic signatures. - Where the use of a secure electronic signature was unauthorized and the purported signer did not exercise reasonable care to avoid the unauthorized use of the signature or to prevent the addressee from relying on such a signature, the signature shall nevertheless be regarded as that of the purported signer, unless the relying party knew or should have known that the signature was not that of the purported signer.

Section 9. Responsibilities of an information certifier. - An information certifier shall:

  1. act in accordance with the representations it makes with respect to its practices;
  2. exercise due diligence to ensure the accuracy and completeness of all material representations it makes that are relevant to the life-cycle of its certificates or which are included in its certificates;
  3. provide reasonably accessible means which enable a relying party to ascertain:
    1. he identity of the information certifier;
    2. that the person who is identified in the certificate holds, at the relevant time, the signature device referred to in the certificate;
    3. the method used to identify the signer, provided however the the information certifier shall not be required to reveal any of its trade or industrial secrets;
    4. any limitations on the purposes or value for which the signature device may be used; and
    5. whether the signature device is valid and has not been compromised;
  4. Provide a means for signers to give notice that a signature device has been compromised and ensure the operation of a timely revocation service; and
  5. Utilize trustworthy systems, procedures and human resources in performing its services. An information certifier shall be liable for damages caused by its failure to satisfy the requirements provided under this and the following Rule.

Section 10. Certificate Requirements. - At a minimum, certificates shall state:

  1. the identity of the information certifier;
  2. that the person who is identified in the certificate holds, at the relevant time, the signature device referred to in the certificate;
  3. that the signature device was effective at or before the date when the certificate was issued;
  4. any limitation on the purposes or value for which the certificate may be used; and
  5. any limitation on the scope or extent of liability that the information certifier accepts.

Section 11. Liability for incorrect or defective certificates. - If damage has been caused as a result of the certificate being incorrect or defective, the information certifier shall be liable for damage suffered by either:

  1. the party who has contracted with the information certifier for the provision of a certificate; or
  2. any person who reasonably relies on a certificate issued by the information certifier.

In assessing the loss, regard shall be had to the following factors:

  1. the amount of damages caused by the incorrect or defective certificate;
  2. the cost of obtaining the certificate;
  3. the nature of the information being certified;
  4. the existence and extent of any limitation on the purpose for which the certificate may be used;
  5. the existence of any statement limiting the scope or extent of the liability of the information certifier;
  6. any contributory conduct by the relying party; and
  7. any other relevant factor.

Section 12. Voluntary accreditation. - A certificate shall be presumed to bind a secure electronic signature to the signer’s identity if the certificate was issued by an information certifier duly accredited by the Department of Trade and Industry (DTI), in coordination with the Department of Science and Technology (DOST), which shall apply commercially appropriate and internationally recognized standards covering the trustworthiness of the information certifier’s technology, practices and other relevant characteristics. A non-exhaustive list of bodies or standards that comply with this paragraph may be published from time to time by the DTI jointly with the DOST. This Rule shall not be applied so as to exclude or prevent the validity of a certificate issued by a non-accredited information certifier where such certificate is shown to have otherwise been issued in accordance with commercially appropriate and international recognized standards, or where sufficient evidence indicates that the certificate accurately binds the secure electronic signature to the signer’s identity.

Section 13. Responsibilities of the signer. - Each signer shall:

  1. Exercise reasonable care to avoid unauthorized use of his electronic signature and/or signature creation device;
  2. Notify appropriate persons, including the concerned information certifier, without undue delay if: i. the signer knows that the private key or other signature creation device has been exposed or revealed to unauthorized persons, or that his electronic signature has been compromised; or ii. the circumstances known to the signer give rise to a substantial risk that his electronic signature may have been compromised;
  3. A signer shall be liable for damages caused by failure to satisfy the requirements provided under this Rule.

Section 14. Reliance on electronic signatures.

  1. A person shall rely on an electronic signature only to the extent that it is reasonable to do so. If reliance on the electronic signature is not reasonable in the circumstances having regard to the factors enumerated below, a relying party assumes the risk that the signature is not a valid signature.
  2. In determining whether it was reasonable for a person to have relied on the electronic signature, regard shall be had, if appropriate, to:
    1. the nature of the underlying transaction that the electronic signature was intended to support;
    2. whether the relying party, where warranted, has taken appropriate steps to determine the reliability of the electronic signature;
    3. whether the relying party took steps to ascertain whether the electronic signature was supported by a certificate;
    4. whether the relying party knew or ought to have known that the electronic signature device had been compromised or revoked;
    5. any agreement or course of dealing which the relying party has with the signatory or subscriber, or any trade usage or practice which may be applicable;
    6. any other relevant factor.

Section 15. Recognition of foreign certificates and electronic signatures.

  1. In determining whether, or the extent to which, a certificate or an electronic signature is legally effective, no regard shall be had to the place where the certificate or the electronic signature was issued, nor to the country in which the issuer had its place of business.
  2. Parties to commercial and other transactions may specify that a particular information certifier or supplier of certification services, class of suppliers of certification services or class of certificates must be used in connection with messages or signatures submitted to them.
  3. Where parties agree, as between themselves, to the use of certain types of electronic signatures and certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition.

Section 16. Reciprocity. - All benefits, privileges, advantages or statutory rules established under these Rules shall be enjoyed only by parties whose country of origin grants the same benefits and privileges and advantages to Filipino citizens.

Section 17. Variation by agreement. - Unless otherwise provided by law, contracting parties may derogate from or modify these Rules by agreement.

Section 18. Interpretation. - Unless otherwise expressly provided for, in the interpretation of these Rules, due regard is to be given to their international origin and to the need to promote uniformity in their application and the observance of good faith in international trade relations. The generally accepted principles of international law and convention on electronic commerce shall likewise be considered.

Section 19. Separability. - If any provision in these Rules or application of such provision to any circumstance is held invalid, the remainder of these Rules shall not be affected thereby.

Section 20. Effectivity. - These Rules shall take effect fifteen (15) days following the completion of their publication in the Official Gazette or in a newspaper of general circulation in the Philippines.

Done this ___ day of August, 2001 in Metro Manila, Republic of the Philippines.



   
RESOURCES -> TECHNOLOGY  /  COMMERCIAL /  BANKING /  INTELLECTUAL PROPERTY /  LABOR /  IMMIGRATION/OCWs

HOME   |  ABOUT US   |   NEWS   |   PUBLICATIONS   |   RESOURCES   |   CONTACT US

35 Buchanan St., North Greenhills San Juan, Metro Manila 1502 PHILIPPINES
Tel. Nos. (+63 2) 725-2799, (+63 2) 727-1437 Fax Nos. (+63 2) 725-2799, (+63 2) 727-1437 ext. 104 E-Mail: info@disini.ph

Copyright © 2000-2002 Disini & Disini. All rights reserved.
Please view Terms of Use and Disclaimer