LAW OF GEORGIA ON ELECTRONIC SIGNATURES AND ELECTRONIC DOCUMENTS

Transcription

1 LAW OF GEORGIA ON ELECTRONIC SIGNATURES AND ELECTRONIC DOCUMENTS Article 1 - Purpose and scope of the law 1. This Law establishes a legal framework for electronic document flow systems and the use of electronic signatures within such systems. 2. The State shall ensure mechanisms for exercising an effective security policy on electronic signatures within the scope of this Law. 3. This Law shall not apply to the categories of information classified as state secrets and subject to state protection. Article 2 - Definition of terms The terms used in this Law have the following meanings for the purposes of this law: a) written document: a.a) electronic document - written information which affirms legally significant facts or legally insignificant facts, which was created by means of electronic, optical or any other similar medium and has been sent, or received, or saved; a.b) tangible document - information on paper or any other tangible carrier, which affirms legally significant facts or legally insignificant facts; b) electronic document flow system - a system for the exchange of electronic documents, where relationships between the participants are regulated under this Law and other normative acts; c) author (owner) of digital signature ('signatory') - a person who holds a digital signature certificate and uses a digital signature to sign an electronic document in accordance with the procedures specified in this Law d) addressee of electronic document - a person who is defined as the recipient of an electronic document; e) electronic signature - a set of data created by means of any electronic medium, which is adopted by a signatory in order to authenticate a document; f) digital signature - a variety of electronic signature,which is created by means of cryptographic transformation and with the use of a private key, which is logically linked with the electronic document and meets the following requirements: it is exclusively linked to the signatory, it can be used to identify the signatory, it is created under the sole control of the user's private key and attached to the data in a manner which enables the detection of the changes made to them; g) cryptographic transformation - encryption and decryption of electronic data by means of mathematical and logical transformations; h) key pair - a private key created in asymmetric cryptography and a public key mathematically linked to it; a key pair is created by the signatory or/and the certification-service-provider at the request of the signatory; i) private key - a unique set of randomly generated electronic data, which are accessible only by the signatory and are used for the purpose of creating an electronic signature; j) public key - a unique set of electronic data, which are accessible by any person and are used for the purpose of verifying an electronic signature; k) verification of electronic signature-operations which are designed to confirm that: k.a) the signature has been created with the use of the matching key pair of the certificate (attestation); k.b) the data of the electronic document have not been changed since the digital signature was created. l) compromise of a signature private key - any event and/or action, whereby the unsanctioned use of private key has been or can be caused; m) attestation-service-provider - an entity or a person who provides services related to the issuance of electronic signature certificates; n) attestation for digital signature - means an electronic document issued by an unaccredited attestation service-provider, which contains a public cryptography key and which can be used for -creating an electronic signature, and for authentication of an electronic signature or for the identification of the signatory; o) certification service-provider - attestation service provider with voluntary accreditation; p) certificate for digital signature - an electronic document which has been issued by a certification service-provider, and which contains a public cryptography key and can be used for creating an electronic signature, and for authentication of an electronic signature or for the identification of the signatory; q) database - the system of storing and requesting certificates (attestations) for a digital signature and other information related to them; r) signature-creation devices - a set of electronic (software) means and cryptographic methods, used for the creation of a key pair and/or a digital signature and the authentication of a digital signature;

2 s) certification (attestation) service regulation - a mandatory public statement on service procedures for the issuance of certificates, submitted to a certification service provider; t) time stamp - a set of data, created by means of a technical device system, confirming the time when an electronic certificate was originally created; u) time - a year, month, date, hour, minute; v) certificate (certificate) applicant - a legal or natural person, who submits an application with the purpose of obtaining a certificate (certificate). Article 3 - Conditions for recognition of equal legal effect of hand-written and electronic signatures 1. A digital signature on an electronic document is deemed to have legal effect equivalent to a handwritten signature if at the time of signing an electronic document a digital signature is being used in accordance with the data stated in the certificate (certificates) and can be identified and verified. 2. In accordance with the requirements of this Law, the use of an electronic document, which has been created on the basis of a certificate and has been certified or/and verified by digital signature, shall be permitted in all cases where the tangible form of the document is required under the legislation of Georgia. 3. In accordance with the requirements of this law, the use of electronic document, which has been created on the basis of the certificate and has been certified or/and verified by digital signature, shall be permitted in all cases where the legislation of Georgia, in accordance with paragraph 2 of this article does not explicitly require the use of a digital signature, created on the basis of a certificate. 4. In the case of non-compliance with the conditions prescribed in this Law, if an agreement between two or more persons exists, any electronic signature for these individuals shall have legal effect equivalent to a handwritten signature on a tangible document. 5. Evidence of electronic document and electronic signature shall not be ruled inadmissible only because it is presented in electronic form. 6. Paragraph 2 of this article does not apply to transactions and agreements specified in Articles 341, 892, 942, and 1357 of the Civil Code of Georgia. Article 4 - Originals and copies of clectronic documents 1. All copies of a signed electronic document shall be considered as originals in accordance with the regulations under this Law. An electronic document shall not have an electronic copy. 2. A signatory or any other person, authorised under the legislation of Georgia, shall certify and verify a document during the procedure of converting the tangible document into electronic form. 3. A signatory or any other person, authorised under the legislation of Georgia, shall certify and verify a document with a digital signature during the procedure of converting the tangible document into electronic form. This type of electronic document shall be considered as the copy of a tangible document and shall have equal legal effect to it. 4. Paragraph 2 of this article shall not be applied to the cases specified in Article 16 of this Law. Article 5 - Sending and receiving electronic documents 1. Unless the parties agree otherwise or where provided for by the legislation of Georgia, a signed electronic document shall be deemed to be sent when it leaves an information system under the control of the originator and its retrieval is impossible by the originator. 2. Unless the parties agree otherwise or where provided for by the legislation of Georgia, a signed electronic document shall be deemed to be received when it enters the information system under the control of the addressee and it is accessible to the addressee. 3. The legal grounds for sending and receiving documents, not requiring an electronic signature in accordance with the legislation of Georgia, shall be determined by the legislation of Georgia. Article 6 - Certificates (attestation) 1. A certificate (attestation) shall, as a minimum include data on: a) the full name of a signatory (in the case of a legal person - the full business name); b) data related to cryptographic algorithms and digital signatures; c) the public key of a digital signature; d) the date of commencement and the validity period of certificates (attestation); e) where requested of a signatory the scope of official duties, and the mission and objectives of the business activities of the signatory;

3 f) full company details of the certification service provider (including details of the database web page address). 2. When requested by the signatory a pseudonym of the signatory may be recorded together with the data referred to in paragraph (a) of this article. Article 7 - Applications for certificates (attestation) 1. In order to obtain a certificate (attestation) the applicant shall submit to a certification service-provider an application, containing the following data: a) the full name of the applicant (in the case of a legal person-the full business name); b) the date and birthplace of the applicant (in the case of a legal person - the registration body, registration number and registration date); c) the personal identification number of the applicant according to an identification card (passport) (in the case of a legal person - the taxpayer's identification number); d) the validity period of the certificate (attestation) (where the validity period has not been indicated, certificates (attestation) shall be deemed to have indefinite validity); e) the scope of official duties, mission and objectives of the applicant's business activities, where requested by the applicant; f) the applicant's signature; g) other data, permitted under the legislation of Georgia, where requested by the applicant. 2. A pseudonym, if such is presented, specified in paragraph 6(2) of this Law shall be recorded in the application together with the data under paragraph 1 of this article. Article 8 - Issuance of certificates (attestation) 1. The certification service provider shall verify the compliance of applications with the requirements of this Law and shall identify the signatories. 2. The certification service provider may reject the issuance of a certificate (attestation) only in the event of inaccurate or defective data. 3. The certification-service-provider is obliged to immediately add a certificate (attestation) to its database after the certificate (attestation) has been issued. 4. A certificate (attestation) is issued in electronic form; at the request of the applicant the certificate may be issued in paper form. Article 9 - Rights and obligations of a holder of a certificate (attestation) 1. A holder of a certificate (attestation)may: a) request the suspension and renewal of certificates (attestation), an extension of its validity period or the revocation of a certificate (attestation); b) exercise rights laid down in Article 6(2) of this Law. c) request compensation for damage in accordance with the cases referred to in this Law; d) request the information specified in Article 10(2)(a) of this Law from the certificate-service-provider; e) exercise other rights, authorised by the legislation of Georgia. 2. A holder of a certificate (attestation) is obliged to: a) prevent the unsanctioned use of a private key; b) abstain from using a private key if he/she becomes aware that the key has been compromised and promptly notify the certificate service provider about the fact; c) abstain from using the private key of a suspended or revoked certificate (attestation) on digital signatures; d) promptly inform a certificate-service-provider about the changes in data specified in the application for the certificate (attestation). 3. A holder of a certificate (attestation) shall be liable to compensate any damages resulting from the failure to fulfil obligations in accordance with paragraph 2 of this article, where he/she has acted with intent in relation to the obligations provided for therein. Article 10 - Rights and obligations of certification (attestation) service provider 1. A certification (attestation) service provider may:

4 a) issue a certificate (attestation) of digital signature and provide services related to it; b) establish fees for the issuance of a certificate (attestation) and services related to it. 2. A certification service-provider is obliged: a) to develop certification (attestation) service regulations for the issuance of an certificatess (attestation) and services related to them and ensure free access to it. The certification service regulation shall contain the following information: a.a) the description of the electronic means of digital signature; a.b) the procedure and terms for reviewing an application for a certificate (attestation); a.c) the procedure for the issuance of a certificate (attestation); a.d) the scope of a certificate (attestation); a.e) the procedure for recording and storing an issued certificate (attestation); a.f) the procedure for creating and storing a key pair; a.g) the rules and technical procedure for the suspension and renewal, and the validity period extension and revocation of a certificate (attestation); a.h) the scope of the civil liability of a certification (attestation) service provider; a.i) the rules for the termination of the services of certification-service-provider or for transferring its services to a third party; a.j) the procedure for determining the amount of certification service fees and possible changes in the terms and conditions of payment; a.k) any other terms and conditions prescribed by a normative act enacted in accordance with this Law; b) to use only certified electronic means for a digital signature; c) to ensure compliance between public and private keys while issuing a certificate (attestation); d) to ensure the prompt revocation, suspension and renewal of certificates (attestations) in accordance with the regulations laid down in the legislation of Georgia; e) to ensure the revocation of certificates (attestations) and the issuance of new certificates (attestations) where changes have been made in relation to the data specified in Article 7 of this Law. f) to ensure the provision of efficientservices in relation to the suspension and renewal, and validity period extension, and revocation of a certificate (attestation); g) to develop database of the issued, valid, suspended and revoked certificate (attestation); h) to ensure the efficient operation of databases in communication channels accessed by customers; i) to ensure the storage of issued certificates (attestations) for the period applicable to the storage of tangible documents in accordance with the legislation of Georgia; j) to use appropriate electronic means for private key creation to ensure the protection of key confidentiality; k) to provide consultations to signatories on issues related to a digital signature, when required; l) to ensure the protection of confidential information submitted by signatories; m) to disclose identifying information on a signatory registered under a pseudonym where so provided for by the legislation of Georgia. 3. A certification service provider shall notify signatories on the termination of its services no later than 30 days before the date of termination. Otherwise, a certification service provider shall compensate any damage that has arisen from the failure to notify signatories, except in circumstances due to force majeure. 4. A certification service provider is liable to compensate for any damage resulting from a failure to fulfil obligations in accordance with this Law. 5. A certification service provider is obliged to ensure smooth service in accordance with the technical regulations made pursuant to this Law. Article 11 - Suspension of certificates (attestations) 1. The circumstances which require the suspension of an issued certificate (attestation) are as follows: a) upon the request of the signatory; b) if there is reasonable suspicion that a private key might be compromised;

5 c) if there is reasonable suspicion that false information has been provided in the application for certificate (attestation); d) a failure to fulfil obligations in accordance with Article 9 (2) of this Law; e) in other cases provided for by the legislation of Georgia. 2. A certification service provider shall promptly notify the signatory on the suspension of a certificate (attestation) and shall submit information related to the suspension to the database. 3. In the cases laid down in paragraphs (b), (c) and (d) of this article, the period of suspension of the certificate (attestation) shall not exceed 10 days. 4. An electronic document, which has been certified and/or verified by digital signature on the basis of a certificate (attestation) during the period of its suspension, shall be invalid. Article 12 - Renewal of certificate (attestation) 1. The circumstances for the renewal of a certificate (attestation) are as follows: a) upon the request of the signatory; b) if the circumstances specified under paragraphs (a), (b), (c) and (d) of this Law have not been confirmed; 2. A certification service provider shall promptly notify the signatory of the renewal of a certificate (attestation) and shall submit information related to the renewal to the database. Article 13 - Revocation of certificate (attestation) 1. The circumstances that require the revocation of an issued certificate (attestation) are as follows: a) upon the request of the signatory; b) if circumstances specified under paragraphs (a), (b),(c) and (d) of this Law have been confirmed; c) upon the termination of the operation of the certification service provider, where powers to issue certificates (attestation) and provide services have not been transferred to a third party; d) in the case of non-payment of the certificate service fees, unless the parties have agreed otherwise; e) upon the expiry date of the certificate (attestation) if the certificate (attestation) has been issued for a specified period; f) in other cases as provided for by the legislation of Georgia. 2. A certification (attestation) service provider shall promptly notify the signatory of the revocation of a certificate (attestation) and submit information related to the suspension to the database. Article 14 - Legal consequences ofssuspension and revocation of a certificate (attestation), without legal grounds Physical and legal persons, and state and local authorities,who without grounds established by this Law, carry out the suspension or revocation of a certificate (attestation) shall compensate for any damage caused by the suspension or revocation thereof. Article 15 - Voluntary accreditation 1. Legal and natural persons who intend to issue digital signature certificates shall, have the right to apply for accreditation at the Unified National Body of Accreditation- Accreditation Centre in order to ensure quality of service and its compliance with technical procedures established under this Law. 2. The general requirements for certification service providers are as follows: a) to provide the financial and technical means and the qualified human resources which are sufficient to ensure secure, reliable and prompt service; b) to ensure prompt and secure service for the issuance, suspension, renewal and revocation of certificates and other relevant operations; c) to provide the accurate time and date of issuance, and suspension and renewal, and validity period extension, and revocation of certificates; d) to use secure electronic means, which are protected from unauthorised modification for generating private and public keys of digital signatures in order to ensure the protection of confidentiality; e) to provide storage of information on a certificate for at least 6 years after its revocation; f) to ensure the functioning of a database, in a manner that only an authorized person can add information and make changes, and to identify any

6 technical changes resulting in a reduction of the security level; g) to act in compliance with any other requirements established by technical regulations in accordance with this Law. 3. Public officials in exercising official duties shall use services provided only by certification service providers. 4. Certification service providers shall obtain a mandatory contract of civil liability and efficient operation insurance. 5. Documents, certified or verified by electronic signature, may be stored by independent third parties. Documents stored by a third party may be used when they have been compromised, in the manner that is specified in the legislation of Georgia. Storage of electronic documents with a third party is voluntary. 6. Certification (attestation) service provider may develop additional security mechanisms related to the issuance of certificates (attestations). 7. The Public Service Development Agency ('the Agency'), a legal entity under public law operating within the Ministry of Justice of Georgia, shall be entitled to issue certificates without accreditation. 8. Paragraph 4 of this article shall not apply to the Agency. Law of Georgia No 4940 of 24 June website, Law of Georgia No 5579 of 20 December website, Law of Georgia No 6317 of 25 May website, Article 16 - Verification of information system (database) 1. A document, requested from any information system shall have legal effect, where the system allows verification of the document automatically. 2. The verification of an information system related to a digital signature shall be conducted in accordance with the provisions of this Law. Article 17 - Liability 1. Forging electronic documents shall result in liability in accordance with Articles 341 and 362 of the Criminal Code of Georgia. 2. Other violations related to electronic documents shall result in liability in accordance with the provisions on tangible (written) documents provided for by the legislation of Georgia. Article 18 - Recognition of certificates issued in foreign states 1. Certificates issued in foreign states shall have equivalent legal effect to certificates issued in accordance with this Law where at least one of the following conditions apply: a) the certification service provider is accredited in a country which has a bilateral or multilateral agreement with Georgia on these issues; b) the technical regulations of the country where the certificate has been issued are recognised under an ordinance of the Government of Georgia and have been applied properly and in parallel with the technical regulations of Georgia; c) a certification service provider, accredited in Georgia, acts as a guarantor of a foreign certification service provider. 2. Under the conditions provided for in paragraph (c) of this article the guarantor shall become liable if a foreign certification service provider has failed to comply with the provisions of this Law. Article 19 - Transitional provisions 1. The Government of Georgia shall determine the drafting and approval procedures for technical regulations on digital signature certificates and certification service providers under Article 15(2) of this Law within a month after this Law enters into force. 2. The Government of Georgia shall approve the technical regulations within 4 months after this Law enters into force. 3. The State shall develop appropriate mechanisms to ensure the security of electronic signature policy within the scope of this Law. 4. This Law, except for Article 16 (1) of this Law, shall not apply to the activities of governmental bodies (organisations and entities, including legal entities under public law) when exercising public and/or legal powers, except for where the use of an electronic document or electronic signature is prescribed directly, or an appropriate ordinance of the Government of Georgia has been issued, until the provisions of paragraph 3 of this article are enacted and/or for a period of one year after the recognition of certificates issued abroad in accordance with Article 18 of this Law. 5. The standards and regulations related to the use of electronic (digital) signatures in banking operations shall be effective until the provisions of paragraph 3 of this article are enacted and/or for a period of one year after the recognition of certificates issued abroad in accordance with Article 18 of

7 this Law. 6. Governmental bodies (organisations and entities, including legal entities under public law) are entitled to use an electronic document flow system and electronic signatures where a relevant decision has been made by the Government of Georgia. An electronic document and a printed version of an electronic document shall have the same legal effect as a tangible document. Law of Georgia No 3449 of 16 July SSM I, No 42, Article Article 20 - Conclusive provision This Law shall enter into force on the 15th day of its promulgation. President of Georgia M. Saakashvili Tbilisi 14 March 2008 No 5927-IS