Proposed Regulations for Trinidad and Tobago s E-transactions Bill

Transcription

1 Proposed Regulations for Trinidad and Tobago s E-transactions Bill Port of Spain April 2011 This Presentation is under the Auspices of the ITU/EU-funded HIPCAR Project in Collaboration with the Government of Trinidad & Tobago. This document has been produced with the financial assistance of the European Union. The views expressed herein do not necessarily reflect the views of the European Union.

2 2 Purpose The Regulation is aimed at providing uniform guidelines for the implementation of Trinidad and Tobago s Electronic Transactions Bill, 2011 in the various areas affected by it. The HIPCAR project has provided the following specifications: Draft regulations and guidelines required to give effect to the Electronic Transactions Bill, The regulations are to be formulated under technology-neutrality aspects. The regulations would be guided by the specific areas pointed out in the draft Bill, 2011 (viz. electronic signatures, registration of electronic authentication service providers, identification of the types of Electronic Authentication Products which are associated with varying liability and specific legal purposes). The scope of the regulations is to be defined by the confines and requirements of the legislation. The regulations are required solely and in so far as it is necessary to ensure the operational effectiveness of the Act.

3 3 Contents The provisions of the ETB to be addressed by specific provisions in the Regulation are the following: Section 5 (d): Uniformity of rules, regulations and standards regarding authentication and integrity of electronic records; Section 34 (3): Criteria and Procedure for Registration of Electronic Authentication Service Providers Sections 50 (2), 51 (2) (a), and 52 (1) and (2): Procedure and/or code of conduct or standards with regard to intermediaries and telecommunications service providers Section 53 (3): Determination of what type of signature (and security setting) may be required in submitting documents, records or information in electronic form to public bodies Section 64 (a), and 66 (1) (2) and (3): Any such regulations to give effect to the Electronic Transactions Bill or to be made under it.

4 Sources The Regulation as proposed has the following sources: Responses to the Questionnaire submitted during the Stakeholder Consultations; Document Initial Report on the National Stakeholder Consultations ; Policies recommendation based on the Stakeholder Consultations; Document Initial Report on the National Policy Framework of Trinidad and Tobago - Electronic Transactions ; Several documents proposing Trinidad and Tobago s policies in 2006; Document Policy Framework for e-business in Trinidad and Tobago, of 2008; HIPCAR Assessment Report on Electronic Transactions; HIPCAR Policy Building Blocks on Electronic Transactions, and Policy Guidelines on Electronic Transactions; International norms and conventions, such as European Directives, Commonwealth Model Law, UNCITRAL Model Laws and International Convention, and others; Benchmark, state-of-the-art country legislations on Electronic Transactions, focusing especially in the United States of America, United Kingdom, Canada, Australia, Singapore, and Brazil. 4

5 5 Considerations - Regulation: an intermediate layer bridging the Act and the rulings, coregulation, and self-regulation to be produced in the sequence - Areas such as e-signatures comprise great number of options for policy models; the proposed Regulation has incorporated the ones of the document Recommended Policies, which reflects Stakeholders responses - There are subjects such as time-stamping which may be ancillary for enforcement of the Act, and may be dealt with by other norms. - The Regulation shall leave room for co-regulation on areas such as Code of Conduct for spamming. - Matters such as m-payments are important for e-transactions but are still going through a process of observation and analysis by regulators in most countries.

6 Inputs from Stakeholders Stakeholders have expressed the following points: Regulation shall take into account particular needs and possibilities of Trinidad and Tobago, yet ensure proper insertion of country in e-commerce international arena Compatibility between the Regulation on Electronic Transactions and other norms, such as the ones which address Data Protection, Consumer Protection, and others; Do no create requirements which may be too cumbersome or unreasonable; There may be a gap vis-à-vis current stage of e-government practices; Regulation shall assign some time for implementation of its provisions; Protection of on-line consumers and of users of ISPs is imperative. 6

7 7 Table of Provisions The Regulation takes benefit of the glossary provided by the Act. The provisions focus directly on substantive issues, most procedural matters shall be left for second-tier, more detailed regulations The table of provisions reflects the scope prescribed by the Act. A process of review and update of policies which base the provisions may be established so to preserve longevity of the Act to the extent possible.

8 8 Justification A document containing justification of the provisions of the Regulation has been prepared in order to facilitate comprehension and interpretation. Justification indicates sources which have inspired relevant provisions, mentioning associated policies, comparative law, and other aspects. Justification is not been intended to integrate the Regulation; but it may help to provide a clear vision on the Regulation and on its future implementation.

9 9 Implementation The role of implementing the Regulation is expected to be spread over several sectors of government and segments of the private sector. Telecommunications Authority, Bureau of Standards, Central Bank, Customs Authority, are examples of public bodies which may have a mission with regards to implementation of the Act and of the Regulation. In some jurisdictions, some Ministry and/or Steering Committee coordinates consistency and integration of implementation efforts and actions

10 10 Next steps This Workshop is expected to provide opportunity for validation of recommended policies and of proposed regulation Training on preparation of the implementation may also be considered A final report shall be eventually prepared contemplating any adjustments discussed during the Workshop

11 Regulation - structure 11

12 12 Introduction ETB: Electronic signature associated with an accredited electronic authentication product An electronic signature that is associated with an electronic authentication product issued by an Electronic Authentication Service Provider accredited under Part V (hereinafter referred to as a qualified electronic authentication product ), is deemed to satisfy the requirements set out in section 31 for reliability and integrity.

13 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 13 In Section 12, the Bill has established relevant criteria on integrity and reliability of data messages and of information or records in electronic form, while in Section 31 it has established criteria that shall be used to determine reliability and integrity of electronic signatures. However, i) where electronic signing shall be required for ensuring integrity and reliability of electronic records, and ii) which kind of electronic signing should be required in order to ensure and ascertain authentication and integrity of electronic signatures, are items which have been left in Section 5 (d) of the Bill, for regulation, with the command that uniformity should be sought. The proposed Regulation has then provided uniform criteria for consideration and requirement of authentication and integrity of electronic records (3.(1)) and of their availability for access and retention for use (3(2)). As mentioned in the Preamble to the European Directive 1999/93: (4) Electronic communication and commerce necessitate "electronic signatures" and related services allowing data authentication; divergent rules with respect to legal recognition of electronic signatures and the accreditation of certification-service providers in the Member States may create a significant barrier to the use of electronic communications and electronic commerce; on the other hand, a clear Community framework regarding the conditions applying to electronic signatures will strengthen confidence in, and general acceptance of, the new technologies; legislation in the Member States should not hinder the free movement of goods and services in the internal market;. (quotes of interest have been highlighted) Such wording is in line, for instance, with Singapore s Electronic Transactions Act, Section 3: (e) to help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; Reliability of data messages and criteria for determination of reliable electronic signatures are examples of the concern shown in legislation of various countries, regarding reliability of electronic records. For instance, in China s Electronic Signature Act, of 2004: Article 8. The following factors shall be taken into consideration when the truthfulness of data messages to be used as evidence is examined: (1) the reliability of the methods used for generating, storing or transmitting the data messages; (2) the reliability of the methods used for keeping the completeness of the contents; (3) the reliability of the methods for distinguishing the addressers; and (4) other relevant factors., and Article 13. If an electronic signature concurrently meets the following conditions, it shall be deemed as a reliable electronic signature: (1) when the creation data of the electronic signature are used for electronic signature, it exclusively belongs to an electronic signatory; (2) when the signature is entered, its creation data are controlled only by the electronic signatory; (3) after the signature is entered, any alteration made to the electronic signature can be detected; and (4) after the signature is entered, any alteration made to the contents and form of a data message can be detected.

14 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 14 First of all, those criteria acknowledge that most electronic communications do not make use of electronic signature, so item 3(1)(a) recognizes, wherever no electronic signature is required, the writing of the name of the signatory in an electronic document and the insertion of user-id and password in secure data networks or web sites. This provision is aligned with the evolution of concepts in common law jurisdictions, and with UNCITRAL s 1996 Model Law on Electronic Commerce ( UNCITRAL S Model Law ) and 2005 International Convention on the Use of Electronic Communications in International Contracts ( UNCITRAL s International Convention ), which have expressly avoided the imposition of electronic signatures as mandatory requirement for recognition of validity and effect of signed electronic records. It is also in line with concerns voiced by Stakeholders, who have highlighted that electronic signatures, though being very important for purposes of providing greater certainty on the integrity and reliability of data messages, should not be required everywhere, otherwise it could become too much cumbersome. The link between insertion of user-id and password and secure data networks and web sites has envisaged to cause implementation of second-tier regulation, in the form of standards setting or of co-regulation, regarding information security procedures, patterns, and classification. As in a comment contained" in U.S.A. s Uniform Electronic Transactions Act (1999): A digital signature using public key encryption technology would qualify as an electronic signature, as would the mere inclusion of one's name as a part of an message - so long as in each case the signer executed or adopted the symbol with the intent to sign. (quotes of interest have been highlighted) The use of numerical codes and PIN numbers, and the importance of secure environments, have been acknowledged in U.S.A. s Uniform Electronic Transactions Act (1999): Certain information may be present in an electronic environment that does not appear to attribute but which clearly links a person to a particular record. Numerical codes, personal identification numbers, public and private key combinations all serve to establish the party to whom an electronic record should be attributed. Of course security procedures will be another piece of evidence available to establish attribution. (quotes of interest have been highlighted)

15 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 15 ( ), in the last 150 years, common law jurisdictions have seen an evolution of the concept of signature from an original emphasis on form to a focus on function. Variations on this theme have been considered by the English courts from time to time, ranging from simple modifications such as crosses or initials, to pseudonyms and identifying phrases, to printed names, signatures by third parties and rubber stamps. In all these cases the courts have been able to resolve the question as to whether a valid signature was made by drawing an analogy with a manuscript signature. This, it could be said that against a background of some rigid general form requirements, courts in common law jurisdictions have tended to develop a broad understanding of what the notions of authentication and signature mean, focusing on the intention of the parties, rather than on the form of their acts. ( Promoting confidence in electronic commerce: legal issues on international use of electronic authentication and signature methods, UNCITRAL, United Nations, Vienna, 2009, p. 3) As in the Preamble of UNCITRAL s International Convention: Being of the opinion that uniform rules should respect the freedom of parties to choose appropriate media and technologies, taking account of the principles of technological neutrality and functional equivalence, to the extent that the means chosen by the parties comply with the purpose of the relevant rules of law,. In the Explanatory Notes to its International Convention, UNCITRAL stresses the importance of the principle of technological neutrality for purposes of limiting the introduction of terminology and definitions which could have a restrictive effect: Indeed, language that directly or indirectly excludes any form or medium by way of a limitation in the scope of the Convention would run counter to the purpose of providing truly technologically neutral rules. Furthermore, it explains that technological neutrality encompasses also media neutrality. The Explanatory Notes to UNCITRAL s International Convention emphasize the role of the principle of functional equivalence: The Convention does not attempt to define a computerbased equivalent to any particular kind of paper document. Instead, it singles out basic functions of paper-based form requirements, with a view to providing criteria which, once they are met by electronic communications, enable such electronic communications to enjoy the same level of legal recognition as corresponding paper documents performing the same functions. ( ) The Convention is intended to permit States to adapt their domestic legislation to developments in communications technology applicable to trade law without necessitating the wholesale removal of the paper-based requirements themselves or disturbing the legal concepts and approaches underlying those requirements.

16 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 16 It is also in line with the following comment contained in U.S.A. s Uniform Electronic Transactions Act (1999): This definition includes as an electronic signature the standard webpage click through process. For example, when a person orders goods or services through a vendor's website, the person will be required to provide information as part of a process which will result in receipt of the goods or services. When the customer ultimately gets to the last step and clicks "I agree," the person has adopted the process and has done so with the intent to associate the person with the record of that process. The actual effect of the electronic signature will be determined from all the surrounding circumstances, however, the person adopted a process which the circumstances indicate s/he intended to have the effect of getting the goods/services and being bound to pay for them. The adoption of the process carried the intent to do a legally significant act, the hallmark of a signature. (quotes of interest have been highlighted) Besides being cumbersome, too much stringent evidentiary requirements may be counter-productive: ( ) the more elaborate the evidentiary requirements, the greater the opportunity a party has to invoke formal defects with a view to invalidating or denying enforceability to obligations they no longer intend to perform, for instance because the contract has become commercially disadvantageous. The interest for promoting security in the exchange of electronic communications needs therefore to be balanced against the risk of providing an easy way for traders in bad faith to repudiate their freely assumed legal obligations. Achieving this balance through rules and standards that are internationally recognized and operable across national borders is a major task of policymaking in the area of electronic commerce. ( Promoting confidence in electronic commerce: legal issues on international use of electronic authentication and signature methods, UNCITRAL, United Nations, Vienna, 2009, p. 8). The fact that security may be determinant of attribution is recognized in U.S.A. s Uniform Electronic Transactions Act (1999), as per this comment contained therein: The inclusion of a specific reference to security procedures as a means of proving attribution is salutary because of the unique importance of security procedures in the electronic environment. In certain processes, a technical and technological security procedure may be the best way to convince a trier of fact that a particular electronic record or signature was that of a particular person. In certain circumstances, the use of a security procedure to establish that the record and related signature came from the person's business might be necessary to overcome a claim that a hacker intervened. The reference to security procedures is not intended to suggest that other forms of proof of attribution should be accorded less persuasive effect. It is also important to recall that the particular strength of a given procedure does not affect the procedure's status as a security procedure, but only affects the weight to be accorded the evidence of the security procedure as tending to establish attribution. (quotes of interest have been highlighted)

17 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 17 UNCITRAL s Explanatory Notes to the International Convention highlights the possible convenience of graduating security of electronic records in ways similar to the ones relating to paper records: it may be more appropriate to graduate security requirements in steps similar to the degrees of legal security encountered in the paper world and to respect the gradation, for example, of the different levels of handwritten signature seen in documents of simple contracts and notarized acts. Hence the flexible notion of reliability appropriate for the purpose for which the electronic communication was generated. This is in conformity with the concept of security procedure as defined in the U.S.A. s Uniform Electronic Transactions Act (1999): (14) "Security procedure" means a procedure employed for the purpose of verifying that an electronic signature, record, or performance is that of a specific person or for detecting changes or errors in the information in an electronic record. The term includes a procedure that requires the use of algorithms or other codes, identifying words or numbers, encryption, or callback or other acknowledgment procedures. The same Act contains the following comment: A security procedure may be technologically very sophisticated, such as an asymmetric cryptographic system. At the other extreme the security procedure may be as simple as a telephone call to confirm the identity of the sender through another channel of communication. It may include the use of a mother's maiden name or a personal identification number (PIN). Each of these examples is a method for confirming the identity of a person or accuracy of a message. (quotes of interest have been highlighted). Example of application of such concept can be found in the following provision of the same Act (in its Section 9. Attribution and effect of electronic record and electronic signature): (a) An electronic record or electronic signature is attributable to a person if it was the act of the person. The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable. It is also in conformity with the definition of security procedure found in Singapore s Electronic Transactions Act: "security procedure" means a procedure for the purpose of (a) verifying that an electronic record is that of a specific person; or (b) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answerback or acknowledgment procedures, or similar security devices; (quotes of interest have been highlighted)

18 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 18 Secondly, in item 3(1)(b), the formulated criteria establishes acceptance of every method of electronic signature, including not only digital signature but also certification of time (timestamp), biometric means, and any other secure means. Such provision purports to avoid limiting the use of electronic signature to more sophisticated and less affordable means, such as digital signature, which is asymmetric cryptography technology usually associated with Public Key Infrastructure (PKI). This is, again, in conformity with concerns raised by Stakeholders. Another important aspect of such provision is the acknowledgment of certification of time (time-stamp) as an acceptable means of electronic signature. Actually, time-stamp is a technology capable of determining the integrity of an electronic record as any change to the record would imply the attribution of another time, the absence of which induces conclusion that integrity has been maintained. Finally but not least important, the provision at hand provides an open-ended reference to other secure means, which, again, invites and stimulates definition of security standards, aimed at supporting interpretation and enforcement of the Bill and of the Regulation. The Explanatory Notes to UNCITRAL s International Convention list surrounding factors which may guide judgment on where electronic signatures are appropriate: Legal, technical and commercial factors that may be taken into account in determining whether the method used under paragraph 3 (a) is appropriate, include the following: (a) the sophistication of the equipment used by each of the parties; (b) the nature of their trade activity; (c) the frequency at which commercial transactions take place between the parties; (d) the kind and size of the transaction; (e) the function of signature requirements in a given statutory and regulatory environment; (f) the capability of communication systems; (g) compliance with authentication procedures set forth by intermediaries; (h) the range of authentication procedures made available by any intermediary; (i) compliance with trade customs and practice; (j) the existence of insurance coverage mechanisms against unauthorized communications; (k) the importance and value of alternative methods of identification and the cost of implementation; (m) the degree of acceptance or non-acceptance of the method of identification in the relevant industry or field both at the time the method was agreed upon and the time when the electronic communication was communicated; and (n) any other relevant factor. For instance, the Explanatory Notes to UNCITRAL s International Convention quotes the use of biometric devices based on handwritten signatures, where the signatory signs manually using a special pen, either on a computer screen or on a digital pad, as well as identification of individuals by their physical characteristics such as hand or face geometry, fingerprint, voice, or retina. This may facilitate common self-regulatory market practices ( In addition to governments, many industries have established regulations (e.g., FDA 21 CFR Part 11 in the Life Sciences industry) that define digital signatures as a replacement for handwritten signatures., comment available at The use of personal identification numbers (PINs), digitized versions of handwritten signatures, tokens, and of the so-called OK box may be alternatives to consider, as indicated in UNICTRAL s Explanatory Notes to its International Convention.

19 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 19 European Directive 1999/93 has included time-stamp among the technologies which can provide attribution of electronic records: (9) Electronic signatures will be used in a large variety of circumstances and applications, resulting in a wide range of new services and products related to or using electronic signatures; the definition of such products and services should not be limited to the issuance and management of certificates, but should also encompass any other service and product using, or ancillary to, electronic signatures, such as registration services, time-stamping services, directory services, computing services or consultancy services related to electronic signatures; (quotes of interest have been highlighted) Of particular interest here, the information security standards issued by international standards organizations, such as the ISO, which have issued, for instance, the ISO family of norms.

20 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 20 As in a comment contained in U.S.A. s Uniform Electronic Transactions Act (1999): A digital signature using public key encryption technology would qualify as an electronic signature, as would the mere inclusion of one's name as a part of an message - so long as in each case the signer executed or adopted the symbol with the intent to sign. (quotes of interest have been highlighted) The use of numerical codes and PIN numbers, and the importance of secure environments, have been acknowledged in U.S.A. s Uniform Electronic Transactions Act (1999): Certain information may be present in an electronic environment that does not appear to attribute but which clearly links a person to a particular record. Numerical codes, personal identification numbers, public and private key combinations all serve to establish the party to whom an electronic record should be attributed. Of course security procedures will be another piece of evidence available to establish attribution. (quotes of interest have been highlighted) ( ), in the last 150 years, common law jurisdictions have seen an evolution of the concept of signature from an original emphasis on form to a focus on function. Variations on this theme have been considered by the English courts from time to time, ranging from simple modifications such as crosses or initials, to pseudonyms and identifying phrases, to printed names, signatures by third parties and rubber stamps. In all these cases the courts have been able to resolve the question as to whether a valid signature was made by drawing an analogy with a manuscript signature. This, it could be said that against a background of some rigid general form requirements, courts in common law jurisdictions have tended to develop a broad understanding of what the notions of authentication and signature mean, focusing on the intention of the parties, rather than on the form of their acts. ( Promoting confidence in electronic commerce: legal issues on international use of electronic authentication and signature methods, UNCITRAL, United Nations, Vienna, 2009, p. 3)

21 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 21 As in the Preamble of UNCITRAL s International Convention: Being of the opinion that uniform rules should respect the freedom of parties to choose appropriate media and technologies, taking account of the principles of technological neutrality and functional equivalence, to the extent that the means chosen by the parties comply with the purpose of the relevant rules of law,. In the Explanatory Notes to its International Convention, UNCITRAL stresses the importance of the principle of technological neutrality for purposes of limiting the introduction of terminology and definitions which could have a restrictive effect: Indeed, language that directly or indirectly excludes any form or medium by way of a limitation in the scope of the Convention would run counter to the purpose of providing truly technologically neutral rules. Furthermore, it explains that technological neutrality encompasses also media neutrality. The Explanatory Notes to UNCITRAL s International Convention emphasize the role of the principle of functional equivalence: The Convention does not attempt to define a computer-based equivalent to any particular kind of paper document. Instead, it singles out basic functions of paper-based form requirements, with a view to providing criteria which, once they are met by electronic communications, enable such electronic communications to enjoy the same level of legal recognition as corresponding paper documents performing the same functions. ( ) The Convention is intended to permit States to adapt their domestic legislation to developments in communications technology applicable to trade law without necessitating the wholesale removal of the paper-based requirements themselves or disturbing the legal concepts and approaches underlying those requirements. It is also in line with the following comment contained in U.S.A. s Uniform Electronic Transactions Act (1999): This definition includes as an electronic signature the standard webpage click through process. For example, when a person orders goods or services through a vendor's website, the person will be required to provide information as part of a process which will result in receipt of the goods or services. When the customer ultimately gets to the last step and clicks "I agree," the person has adopted the process and has done so with the intent to associate the person with the record of that process. The actual effect of the electronic signature will be determined from all the surrounding circumstances, however, the person adopted a process which the circumstances indicate s/he intended to have the effect of getting the goods/services and being bound to pay for them. The adoption of the process carried the intent to do a legally significant act, the hallmark of a signature. (quotes of interest have been highlighted)

22 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 22 Besides being cumbersome, too much stringent evidentiary requirements may be counter-productive: ( ) the more elaborate the evidentiary requirements, the greater the opportunity a party has to invoke formal defects with a view to invalidating or denying enforceability to obligations they no longer intend to perform, for instance because the contract has become commercially disadvantageous. The interest for promoting security in the exchange of electronic communications needs therefore to be balanced against the risk of providing an easy way for traders in bad faith to repudiate their freely assumed legal obligations. Achieving this balance through rules and standards that are internationally recognized and operable across national borders is a major task of policymaking in the area of electronic commerce. ( Promoting confidence in electronic commerce: legal issues on international use of electronic authentication and signature methods, UNCITRAL, United Nations, Vienna, 2009, p. 8). The fact that security may be determinant of attribution is recognized in U.S.A. s Uniform Electronic Transactions Act (1999), as per this comment contained therein: The inclusion of a specific reference to security procedures as a means of proving attribution is salutary because of the unique importance of security procedures in the electronic environment. In certain processes, a technical and technological security procedure may be the best way to convince a trier of fact that a particular electronic record or signature was that of a particular person. In certain circumstances, the use of a security procedure to establish that the record and related signature came from the person's business might be necessary to overcome a claim that a hacker intervened. The reference to security procedures is not intended to suggest that other forms of proof of attribution should be accorded less persuasive effect. It is also important to recall that the particular strength of a given procedure does not affect the procedure's status as a security procedure, but only affects the weight to be accorded the evidence of the security procedure as tending to establish attribution. (quotes of interest have been highlighted) UNCITRAL s Explanatory Notes to the International Convention highlights the possible convenience of graduating security of electronic records in ways similar to the ones relating to paper records: it may be more appropriate to graduate security requirements in steps similar to the degrees of legal security encountered in the paper world and to respect the gradation, for example, of the different levels of handwritten signature seen in documents of simple contracts and notarized acts. Hence the flexible notion of reliability appropriate for the purpose for which the electronic communication was generated.

23 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 23 This is in conformity with the concept of security procedure as defined in the U.S.A. s Uniform Electronic Transactions Act (1999): (14) "Security procedure" means a procedure employed for the purpose of verifying that an electronic signature, record, or performance is that of a specific person or for detecting changes or errors in the information in an electronic record. The term includes a procedure that requires the use of algorithms or other codes, identifying words or numbers, encryption, or callback or other acknowledgment procedures. The same Act contains the following comment: A security procedure may be technologically very sophisticated, such as an asymmetric cryptographic system. At the other extreme the security procedure may be as simple as a telephone call to confirm the identity of the sender through another channel of communication. It may include the use of a mother's maiden name or a personal identification number (PIN). Each of these examples is a method for confirming the identity of a person or accuracy of a message. (quotes of interest have been highlighted). Example of application of such concept can be found in the following provision of the same Act (in its Section 9. Attribution and effect of electronic record and electronic signature): (a) An electronic record or electronic signature is attributable to a person if it was the act of the person. The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable. It is also in conformity with the definition of security procedure found in Singapore s Electronic Transactions Act: "security procedure" means a procedure for the purpose of (a) verifying that an electronic record is that of a specific person; or (b) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answerback or acknowledgment procedures, or similar security devices; (quotes of interest have been highlighted) The Explanatory Notes to UNCITRAL s International Convention list surrounding factors which may guide judgment on where electronic signatures are appropriate: Legal, technical and commercial factors that may be taken into account in determining whether the method used under paragraph 3 (a) is appropriate, include the following: (a) the sophistication of the equipment used by each of the parties; (b) the nature of their trade activity; (c) the frequency at which commercial transactions take place between the parties; (d) the kind and size of the transaction; (e) the function of signature requirements in a given statutory and regulatory environment; (f) the capability of communication systems; (g) compliance with authentication procedures set forth by intermediaries; (h) the range of authentication procedures made available by any intermediary; (i) compliance with trade customs and practice; (j) the existence of insurance coverage mechanisms against unauthorized communications; (k) the importance and value of alternative methods of identification and the cost of implementation; (m) the degree of acceptance or non-acceptance of the method of identification in the relevant industry or field both at the time the method was agreed upon and the time when the electronic communication was communicated; and (n) any other relevant factor.

24 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 24 For instance, the Explanatory Notes to UNCITRAL s International Convention quotes the use of biometric devices based on handwritten signatures, where the signatory signs manually using a special pen, either on a computer screen or on a digital pad, as well as identification of individuals by their physical characteristics such as hand or face geometry, fingerprint, voice, or retina. This may facilitate common self-regulatory market practices ( In addition to governments, many industries have established regulations (e.g., FDA 21 CFR Part 11 in the Life Sciences industry) that define digital signatures as a replacement for handwritten signatures., comment available at The use of personal identification numbers (PINs), digitized versions of handwritten signatures, tokens, and of the so-called OK box may be alternatives to consider, as indicated in UNICTRAL s Explanatory Notes to its International Convention. European Directive 1999/93 has included time-stamp among the technologies which can provide attribution of electronic records: (9) Electronic signatures will be used in a large variety of circumstances and applications, resulting in a wide range of new services and products related to or using electronic signatures; the definition of such products and services should not be limited to the issuance and management of certificates, but should also encompass any other service and product using, or ancillary to, electronic signatures, such as registration services, time-stamping services, directory services, computing services or consultancy services related to electronic signatures; (quotes of interest have been highlighted)

25 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 25 Finally but not least important, the provision at hand provides an open-ended reference to other secure means, which, again, invites and stimulates definition of security standards, aimed at supporting interpretation and enforcement of the Bill and of the Regulation. Of particular interest here, the information security standards issued by international standards organizations, such as the ISO, which have issued, for instance, the ISO family of norms.

26 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 26 Thirdly, item 3(1)(c) addresses authenticated electronic signatures (defined in the glossary contained in Section 2), complementing the glossary set forth in the Bill, and denominating the signature referred to in Section 32 of the Bill. Such item expressly allows that not only national, but also international electronic authentication products be accepted, provided i) they are generally accepted, and that ii) the authentication be performed by an accredited electronic authentication service provider. The first aspect stressed above reflects common sense that most electronic authentication products have been developed and are offered by foreign suppliers / providers, and are, nevertheless, generally accepted, internationally; therefore, it would be unrealistic to not consider this fact. However, in order to ensure the existence of some local control on the performance of electronic authentication provision, the requirement that such service be performed by accredited electronic authentication providers has been added. Such provider may be national, or may be foreign (as per Section 37), but in either hypothesis there would be some control, be it based on local presence or on local judgment and decision on the equivalence of criteria for accrediting electronic authentication providers. The reference to national electronic authentication products provides a hook to the possibility of development, at some point, of a local national algorithm to be used in electronic authentication products. This might guarantee greater control by local authorities on the secrecy of electronic communications (for instance, the ones relating to national security). As in the Explanatory Notes to UNCITRAL s International Convention: The place of origin of an electronic signature, in and of itself, should in no way be a factor determining whether and to what extent foreign certificates or electronic signatures should be recognized as capable of being legally effective in a contracting State. Determination of whether, or the extent to which, an electronic signature is capable of being legally effective should not depend on the place where the electronic signature was created or where the infrastructure (legal or otherwise) that supports the electronic signature is located, but on its technical reliability.

27 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 27

28 ETB: Purposes and Construction 5. This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes to: (d) help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; 28

29 ETB: Application for registration 34.(1) A person wishing to be registered as an accredited Electronic Authentication Service Provider shall apply to the Minister or the designated authority in the manner prescribed and pay the prescribed fee.(...) (3) The Minister may make Regulations specifying the procedure for registration and the information required for that purpose. 29 Section 34 (3) of the Bill has established that the Minister may make Regulations specifying the procedure for registration of Electronic Authentication Service Providers and the information required in the relevant application process; Given the fact that integrity and reliability of authenticated electronic signatures is presumed (as per Section 32 of the Bill), the process of accreditation of relevant providers shall indeed deserve special attention. European Directive 1999/93 has expressed that voluntary accreditation schemes may enhance the level of market best practices, beyond what may be required by governmental accreditation rules: (11) Voluntary accreditation schemes aiming at an enhanced level of service-provision may offer certification-service-providers the appropriate framework for developing further their services towards the levels of trust, security and quality demanded by the evolving market; such schemes should encourage the development of best practice among certification-service-providers; certification-serviceproviders should be left free to adhere to and benefit from such accreditation schemes; (12) Certification services can be offered either by a public entity or a legal or natural person, when it is established in accordance with the national law; whereas Member States should not prohibit certification-service-providers from operating outside voluntary accreditation schemes; it should be ensured that such accreditation schemes do not reduce competition for certification services; (13) Member States may decide how they ensure the supervision of compliance with the provisions laid down in this Directive; this Directive does not preclude the establishment of private-sector-based supervision systems; this Directive does not oblige certification-service-providers to apply to be supervised under any applicable accreditation scheme; (quotes of interest have been highlighted)

30 ETB: Application for registration 34.(1) A person wishing to be registered as an accredited Electronic Authentication Service Provider shall apply to the Minister or the designated authority in the manner prescribed and pay the prescribed fee.(...) (3) The Minister may make Regulations specifying the procedure for registration and the information required for that purpose. 30 Sections 6 and 7 of the proposed Regulation cover, respectively, the information and the procedure required for carrying out such process. The set of required information is self-explanatory In some jurisdictions, the applicant shall also offer the deposit of some amount of money as guarantee of satisfaction of any pecuniary sanctions or of payment of required indemnification.

31 ETB: Application for registration 34.(1) A person wishing to be registered as an accredited Electronic Authentication Service Provider shall apply to the Minister or the designated authority in the manner prescribed and pay the prescribed fee.(...) (3) The Minister may make Regulations specifying the procedure for registration and the information required for that purpose. 31

32 ETB: Application for registration 34.(1) A person wishing to be registered as an accredited Electronic Authentication Service Provider shall apply to the Minister or the designated authority in the manner prescribed and pay the prescribed fee.(...) (3) The Minister may make Regulations specifying the procedure for registration and the information required for that purpose. 32

33 33 ETB: Codes of conduct and service standards for intermediaries and telecommunications service providers 52.(1) Where the Minister has developed a code of conduct or service standards for intermediaries and telecommunications service providers, the intermediaries and telecommunications service providers shall comply with the code of conduct or service standards. The Bill has clearly expressed (as per Sections 50 (2), 51 (2)(a), and 52 (1) and (2)) the legislators intent that some matters be regulated in the form of standards, codes of conduct, or regulatory requirements, with regard to intermediaries and telecommunications service providers. Sections 10 through 13 of the proposed Regulation have contemplated provisions that provide organizational guidelines and contents criteria for further implementation of such kind of second-tier regulation. Wherever the codes of conduct and services standards apply to intermediaries or to telecommunication service providers, they shall be jointly developed by representatives of the respective industries, consumers, and regulatory bodies. This provision envisages to ensure that all interested Stakeholders have an opportunity to take part in the drafting of specific codes of conduct and service standards. Such joint efforts materialize co-regulation, a modality of regulation very appropriate for dealing with public-private common interests and concerted action.

34 ETB: Codes of conduct and service standards for intermediaries and telecommunications service providers 52.(1) Where the Minister has developed a code of conduct or service standards for intermediaries and telecommunications service providers, the intermediaries and telecommunications service providers shall comply with the code of conduct or service standards. 34 The principle of technological neutrality shall be imperative in the drafting of codes of conduct of or service standards. As a matter of fact, the election of certain technology is not seen as a suitable way to promote faster and more affordable technological progress. Besides, several service standards are mostly of procedural nature, not of predominant technical nature, so they do not even touch the matter of technical specifications. Alternative means of regulation, and relevant kinds of regulatory organizations, have been considered in the context of electronic commerce, for instance, in U.S.A. s E-sign Act: (11) SELF-REGULATORY ORGANIZATION. The term self-regulatory organization means an organization or entity that is not a Federal regulatory agency or a State, but that is under the supervision of a Federal regulatory agency and is authorized under Federal law to adopt and administer rules applicable to its members that are enforced by such organization or entity, by a Federal regulatory agency, or by another self-regulatory organization. Some country national legislation on electronic commerce have expressly stated the purpose that it shall establish minimum regulation. For instance, Costa Rica s Law 8454, of 2005, has established, as the first principle to guide its implementation, interpretation, and enforcement, Minimum legal regulation, and deregulation of procedures ( En materia de certificados, firmas digitales y documentos electrónicos, la implementación, interpretación y aplicación de esta Ley deberán observar los siguientes principios: a) Regulación legal mínima y desregulación de trámites. ).

35 ETB: Codes of conduct and service standards for intermediaries and telecommunications service providers 52.(1) Where the Minister has developed a code of conduct or service standards for intermediaries and telecommunications service providers, the intermediaries and telecommunications service providers shall comply with the code of conduct or service standards. 35 For purposes of reference, it should be stressed that European Directive 1999/93 provides illustrative guidance on criteria to ascribe liability to intermediaries: Article 6 Liability: 1. As a minimum, Member States shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate: (a) as regards the accuracy at the time of issuance of all information contained in the qualified certificate and as regards the fact that the certificate contains all the details prescribed for a qualified certificate; (b) for assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature-creation data corresponding to the signature-verification data given or identified in the certificate; (c) for assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the certification-service-provider generates them both; unless the certification-service-provider proves that he has not acted negligently. 2. As a minimum Member States shall ensure that a certification-service-provider who has issued a certificate as a qualified certificate to the public is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate for failure to register revocation of the certificate unless the certificationservice-provider proves that he has not acted negligently. 3. Member States shall ensure that a certification-service-provider may indicate in a qualified certificate limitations on the use of that certificate. provided that the limitations are recognisable to third parties. The certification-service-provider shall not be liable for damage arising from use of a qualified certificate which exceeds the limitations placed on it. 4. Member States shall ensure that a certification-service-provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used, provided that the limit is recognisable to third parties. The certification-service-provider shall not be liable for damage resulting from this maximum limit being exceeded. 5. The provisions of paragraphs 1 to 4 shall be without prejudice to Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts(8). As in the Preamble to the European Directive 1999/93: 5) The interoperability of electronic-signature products should be promoted;, and (8) Rapid technological development and the global character of the Internet necessitate an approach which is open to various technologies and services capable of authenticating data electronically;.

36 ETB: Codes of conduct and service standards for intermediaries and telecommunications service providers 52.(1) Where the Minister has developed a code of conduct or service standards for intermediaries and telecommunications service providers, the intermediaries and telecommunications service providers shall comply with the code of conduct or service standards. 36 The feasibility and convenience of combining technical and substantive issues has been acknowledged by UNCITRAL s Explanatory Notes to its International Convention: UNCITRAL nevertheless recognized that a strict separation between technical and substantive issues in the context of electronic commerce was not always feasible or desirable. International best practices shall also be taken in consideration, as electronic transactions become increasingly global, so the creation of an environment compatible with international patterns favors the attractiveness of country s positioning as safe platform for doing business. The recourse to co-regulation, either establishing codes of conduct or service standards, shall not preclude regulatory bodies from performing their functions. The selection of topics and contents to be addressed in co-regulation shall respect relevant areas of competence of the regulatory bodies. Every electronic communication relies on intermediaries and on telecommunication service providers as enabling technological service suppliers. Therefore, all users must count on the comprehensiveness and accuracy of their operational and security apparatus. Such greater responsibility shall require the use of authenticated electronic signatures and of time-stamp. This provision meets the opinion of Stakeholders as result from their responses to the Questionnaire submitted by HIPCAR consultants. Clear, accessible information is perhaps the most effective protection available to consumers. Hence, the level of technical security offered by intermediaries and by telecommunication service providers shall be disclosed to their users. By the same token, the procedures committed to be followed by them in case they are made aware of illicit actions perpetrated by users of their services shall be conspicuously visible to consumers.

37 ETB: Codes of conduct and service standards for intermediaries and telecommunications service providers 52.(1) Where the Minister has developed a code of conduct or service standards for intermediaries and telecommunications service providers, the intermediaries and telecommunications service providers shall comply with the code of conduct or service standards. 37 For instance, possible regulation of electronic financial transactions (such as the ones which may use electronic money ) shall respect the regulatory competence of relevant authorities, as it has been the option followed by U.S.A. s Uniform Electronic Transactions Act (1999), expressed in its comment: Articles 3, 4 and 4A of the UCC impact payment systems and have specifically been removed from the coverage of this Act. The check collection and electronic fund transfer systems governed by Articles 3, 4 and 4A involve systems and relationships involving numerous parties beyond the parties to the underlying contract. The impact of validating electronic media in such systems involves considerations beyond the scope of this Act. (quotes of interest have been highlighted). The same applies, for instance, to mobile payments, in what concerns specific competence reserved to the telecommunications regulatory body, as well. Similar consideration on the implications of dependence to technological service providers (especially the ones which provide service from the distance) has been discussed by the Forum of European Supervisory Authorities for Electronic Signatures (FESA) in its Public Statement on Server Based Signature Services, of October 17, 2005 (available at where it analyzed which criteria should be established so that such kind of service could be used for providing authenticated electronic signatures for in such services the signature creation data are not stored in a signature creation device located at the signatory, but rather in a central hardware security module located at the signature service provider (while European Directive 1999/93/EC requires that authenticated electronic signature are created using means that the signatory can maintain under his sole control and that secure signature-creation devices must, by appropriate technical and procedural means, ensure that the signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others ). These criteria may be helpful for determination on the equivalence between qualified authentication electronic products (and accredited electronic authentication service providers) in Trinidad and Tobago and the ones from elsewhere, as per Section 37 of the Bill.

38 ETB: Codes of conduct and service standards for intermediaries and telecommunications service providers 52.(1) Where the Minister has developed a code of conduct or service standards for intermediaries and telecommunications service providers, the intermediaries and telecommunications service providers shall comply with the code of conduct or service standards. 38 Example of which is found in regulation by the Board of Governors of U.S.A. s Federal Reserve System regarding disclosure of information to consumers in electronic lending where consumers consent to receive disclosure under the U.S.A. s Electronic Signatures in Global and National Commerce Act ( E-Sign Act ), of 2000; relevant full text is available at The provision of information to customers of intermediaries or of telecommunication service providers may be seen, in some jurisdictions, as part of the contract entered into between them. Therefore, failure to comply with such the duty to inform may be considered to constitute contract breach. Further, the laws of certain jurisdictions have reinforced the requirement of compliance with such contractual duty to inform by means of contemplating specific penalties in case of noncompliance. As referred to in the Explanatory Notes to UNCITRAL s International Convention: Domestic laws contemplate a wide variety of consequences for failure to comply with requirements concerning the availability of contract terms negotiated electronically. Some legal systems provide that failure to make the contract terms available constitutes an administrative offence and subject the infringer to payment of a fine. In other jurisdictions, the law gives the customer the right to seek an order from any court having jurisdiction in relation to the contract requiring that service provider to comply with that requirement. Under yet other systems, the consequence is an extension of the period within which a consumer may avoid the contract, which does not begin to run until the time when the merchant has complied with its obligations. In most cases, these sanctions do not exclude other consequences that may be provided in law, such as sanctions under fair competition laws.

39 ETB: General authorization. Where a document, record or information in electronic form under subsection (2) is required to be signed, the Minister may by Regulations specify the type of signature required, including, where applicable, the requirement that the sender use a particular type of encrypted electronic signature 39 Electronic government (e-government) is an area where electronic records and transactions may present different connotations and therefore may require different regulation. For instance, there are governmental rules which determine special security and confidentiality measures for the production, storing, keeping, and discarding of public records, which compliance shall be safeguarded in spite of the concerned public records being in electronic form. Standards or rules specifically conceived for meeting electronic government requirements shall be considered. Given the social outreach of governmental activities, information classified as confidential in such context shall be managed by making use of authenticated electronic signature, irrespective of being or not a public body the electronic authentication service provider used to authenticate such signatures. The number of possible applications for electronic government which may make use of electronic transactions may represent is of considerable magnitude. As a result, sectorial regulation is encouraged, where appropriate, although there is also a great deal of matters which may require common rules and controls. Although the interoperability of electronic government applications with private sector applications recommends that the particularization of the former be limited to the minimum necessary, as reflected in the following comments contained in U.S.A. s Uniform Electronic Transactions Act (1999): Of paramount importance in all States however, is the need for States to assure that whatever systems and rules are adopted, the systems established are compatible with the systems of other governmental agencies and with common systems in the private sector. A very real risk exists that implementation of systems by myriad governmental agencies and offices may create barriers because of a failure to consider compatibility, than would be the case otherwise., and Section 19 is the most important section of the three. It requires governmental agencies or state officers to take account of consistency in applications and interoperability to the extent practicable when promulgating standards. This section is critical in addressing the concern that inconsistent applications may promote barriers greater than currently exist. Without such direction the myriad systems that could develop independently would be new barriers to electronic commerce, not a removal of barriers. The key to interoperability is flexibility and adaptability. The requirement of a single system may be as big a barrier as the proliferation of many disparate systems. (quotes of interest have been highlighted)

40 ETB: General authorization. Where a document, record or information in electronic form under subsection (2) is required to be signed, the Minister may by Regulations specify the type of signature required, including, where applicable, the requirement that the sender use a particular type of encrypted electronic signature 40 The need of addressing special requirement in electronic government has been recognized in Section 19. Interoperability, of U.S.A. s Uniform Electronic Transactions Act (1999): The [governmental agency] [designated officer] of this State which adopts standards pursuant to Section 18 may encourage and promote consistency and interoperability with similar requirements adopted by other governmental agencies of this and other States and the federal government and nongovernmental persons interacting with governmental agencies of this State. If appropriate, those standards may specify differing levels of standards from which governmental agencies of this State may choose in implementing the most appropriate standard for a particular application.] (quotes of interest have been highlighted) As contemplated in Section 17. Creation and retention of electronic records and conversion of written records by governmental agencies, and in Section 18. Acceptance and distribution of electronic records by governmental agencies, of U.S.A. s Uniform Electronic Transactions Act (1999): [Each governmental agency] [The [designated state officer]] of this State shall determine whether, and the extent to which, [it] [a governmental agency] will create and retain electronic records and convert written records to electronic records.], and (a) Except as otherwise provided in Section 12(f), [each governmental agency] [the [designated state officer]] of this State shall determine whether, and the extent to which, [it] [a governmental agency] will send and accept electronic records and electronic signatures to and from other persons and otherwise create, generate, communicate, store, process, use, and rely upon electronic records and electronic signatures. (b) To the extent that a governmental agency uses electronic records and electronic signatures under subsection (a), the [governmental agency] [designated state officer], giving due consideration to security, may specify: (1) the manner and format in which the electronic records must be created, generated, sent, communicated, received, and stored and the systems established for those purposes; (2) if electronic records must be signed by electronic means, the type of electronic signature required, the manner and format in which the electronic signature must be affixed to the electronic record, and the identity of, or criteria that must be met by, any third party used by a person filing a document to facilitate the process; (3) control processes and procedures as appropriate to ensure adequate preservation, disposition, integrity, security, confidentiality, and auditability of electronic records; and (4) any other required attributes for electronic records which are specified for corresponding non-electronic records or reasonably necessary under the circumstances. (c) Except as otherwise provided in Section 12(f), this [Act] does not require a governmental agency of this State to use or permit the use of electronic records or electronic signatures.] (quotes of interest have been highlighted)

41 ETB: General authorization. Where a document, record or information in electronic form under subsection (2) is required to be signed, the Minister may by Regulations specify the type of signature required, including, where applicable, the requirement that the sender use a particular type of encrypted electronic signature 41 Such matter of bridging special and general issues in electronic government has been faced and regulated, extensively, in Section 104 U.S.A. s E-Sign Act: USA E=sign Act, Section 104, Applicability to Federal and State Governments: (a) FILING AND ACCESS REQUIREMENTS. Subject to subsection (c)(2), nothing in this title limits or supersedes any requirement by a Federal regulatory agency, self-regulatory organization, or State regulatory agency that records be filed with such agency or organization in accordance with specified standards or formats. (b) PRESERVATION OF EXISTING RULEMAKING AUTHORITY. (1) USE OF AUTHORITY TO INTERPRET. Subject to paragraph (2) and subsection (c), a Federal regulatory agency or State regulatory agency that is responsible for rulemaking under any other statute may interpret section 101 with respect to such statute through (A) the issuance of regulations pursuant to a statute; or (B) to the extent such agency is authorized by statute to issue orders or guidance, the issuance of orders or guidance of general applicability that are publicly available and published (in the Federal Register in the case of an order or guidance issued by a Federal regulatory agency). This paragraph does not grant any Federal regulatory agency or State regulatory agency authority to issue regulations, orders, or guidance pursuant to any statute that does not authorize such issuance. (2) LIMITATIONS ON INTERPRETATION AUTHORITY. Notwithstanding paragraph (1), a Federal regulatory agency shall not adopt any regulation, order, or guidance described in paragraph (1), and a State regulatory agency is preempted by section 101 from adopting any regulation, order, or guidance described in paragraph (1), unless (A) such regulation, order, or guidance is consistent with section 101; (B) such regulation, order, or guidance does not add to the requirements of such section; and (C) such agency finds, in connection with the issuance of such regulation, order, or guidance, that (i) there is a substantial justification for the regulation, order, or guidance; (ii) the methods selected to carry out that purpose (I) are substantially equivalent to the requirements imposed on records that are not electronic records; and (II) will not impose unreasonable costs on the acceptance and use of electronic records; and (iii) the methods selected to carry out that purpose do not require, or accord greater legal status or effect to, the implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures. (3) PERFORMANCE STANDARDS. (A) ACCURACY, RECORD INTEGRITY, ACCESSIBILITY. Notwithstanding paragraph (2)(C)(iii), a Federal regulatory agency or State regulatory agency may interpret section 101(d) to specify performance standards to assure accuracy, record integrity, and accessibility of records that are required to be retained. Such performance standards may be specified in a manner that imposes a requirement in violation of paragraph (2)(C)(iii) if the requirement (i) serves an important governmental objective; and (ii) is substantially related to the achievement of that objective. Nothing in this paragraph shall be construed to grant any Federal regulatory agency or State regulatory agency authority to require use of a particular type of software or hardware in order to comply with section 101(d). (B) PAPER OR PRINTED FORM. Notwithstanding subsection (c)(1), a Federal regulatory agency or State regulatory agency may interpret section 101(d) to require retention of a record in a tangible printed or paper form if (i) there is a compelling governmental interest relating to law enforcement or national security for imposing such requirement; and (ii) imposing such requirement is essential to attaining such interest. (4) EXCEPTIONS FOR ACTIONS BY GOVERNMENT AS MARKET PARTICIPANT. Paragraph (2)(C)(iii) shall not apply to the statutes, regulations, or other rules of law governing procurement by the Federal or any State government, or any agency or instrumentality thereof. (c) ADDITIONAL LIMITATIONS. (1) REIMPOSING PAPER PROHIBITED. Nothing in subsection (b) (other than paragraph (3)(B) thereof) shall be construed to grant any Federal regulatory agency or State regulatory agency authority to impose or reimpose any requirement that a record be in a tangible printed or paper form. (2) CONTINUING OBLIGATION UNDER GOVERNMENT PAPERWORK ELIMINATION ACT. Nothing in subsection (a) or (b) relieves any Federal regulatory agency of its obligations under the Government Paperwork Elimination Act (title XVII of Public Law ). (d) AUTHORITY TO EXEMPT FROM CONSENT PROVISION. (1) IN GENERAL. A Federal regulatory agency may, with respect to matter within its jurisdiction, by regulation or order issued after notice and an opportunity for public comment, exempt without condition a specified category or type of record from the requirements relating to consent in section 101(c) if such exemption is necessary to eliminate a substantial burden on electronic commerce and will not increase the material risk of harm to consumers.