The Lawphil Project - Arellano Law Foundation
JOINT DEPARTMENT ADMINISTRATIVE ORDER NO. 02 SEPTEMBER 28, 2001
PROVIDING IMPLEMENTING RULES AND REGULATIONS ON ELECTRONIC AUTHENTICATION AND ELECTRONIC SIGNATURES


Republic of the Philippines
DEPARTMENT OF TRADE AND INDUSTRY
DEPARTMENT OF SCIENCE AND TECHNOLOGY


JOINT DEPARTMENT ADMINISTRATIVE ORDER NO. 02
Series of 2001

SUBJECT: PROVIDING IMPLEMENTING RULES AND REGULATIONS ON ELECTRONIC AUTHENTICATION AND ELECTRONIC SIGNATURES

Whereas, the State recognizes the vital role of information and communications technology in nation building as well s its own obligation to ensure network security, connectivity and neutrality of technology for the national benefit;

Whereas, section 29 of R.A. 8792 (Electronic Commerce Act of 2000) mandates the Department of Trade and Industry (DTI) to direct and supervise the promotion and development of electronic commerce in the Philippines with relevant government agencies, without prejudice to the provisions of Republic Act 7653 (Charter of Bangko Sentral ng Pilipinas) and Republic Act 8791 (General Banking Law of 2000);

Whereas, the issuance of clear, transparent, predictable and enforceable rules to clarify and ensure the legal validity and enforceability of electronic signatures and contracts will encourage and promote the development of electronic commerce in the Philippines, enhance its competitiveness in the new economy, protect the consumer, and encourage efficiency and transparency in commercial transactions;

Whereas, technological developments in electronic authentication and modes of generating electronic signatures are rapid, ongoing and market-led;

Whereas, rules and guidelines on electronic signatures and contracts that are technology-neutral will help ensure continued private sector initiative and innovation and encourage consumer trust in these new technologies;

And finally, recognizing that where appropriate, market-driven, rather than government-imposed standards, contractual arrangements and codes of practice are better tools for validating electronic transactions and developing user confidence in global electronic commerce;

Now, therefore, pursuant to the provisions of sections 24 and 29 of Republic Act No. 8792, otherwise known as the Electronic Commerce Act 2000 (hereinafter referred to as the "Act"), the following Implementing Rules and Regulations on Electronic Authentication and promulgated for the compliance of all concerned:

Section 1. General Rule of Validity. – As a general rule, and subject to the provisions of the Electronic Commerce Act of 2000 and these Rules,

(a) a signature, contract or other record relating to such transaction may not be denied legal effect, validity or enforceability solely because it is in electronic form; and

(b) A contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic document was used in its formation.

Section 2. Scope of Application. – These Rules apply where electronic signatures and/or electronic documents are used in the context of any commercial and noncommercial transaction, activity or dealings, whether public or private, occurring between and among parties. These include, and are not limited to, the following transactions: the sale, supply, procurement or exchange of goods or services, including the manufacture, processing, purchase, sale, supply, distribution or transacting in any manner, of tangible and intangible property of all kinds such as commodities, goods, merchandise, financial and banking products, patents, participations, shares of stocks, software, books, works of art and other intellectual property; distribution agreement; commercial representation or agency; the filing and payment of taxes; factoring; leasing; construction of works; consulting; engineering; licensing; investment; financing; banking; insurance; exploitation agreement or concession; joint venture and other forms of industrial or business cooperation; and carriage of goods and passengers by air, sea, rail or road.

Section 3. Definitions. – For the purposes of these Rules:

(a) "Asymmetric or public cryptosystem" is the type of signature creation technology and refers to a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key for verifying the digital signature.

(b) "Certificate" means an electronic document issued to support a secure electronic signature which purports to confirm the identity or other significant characteristics of the person who, in the case of digital signatures, holds a particular key pair or, in other cases, such signature creation or verification device or method as may be applicable under the circumstance.

(c) "Certification authority" is a type of information certifier which, in the course of its business, engages in issuing certificates in relations to cryptographic keys used for the purposes of digital signatures.

(d) "Digital Signature" is a type of secure electronic signature consisting of a transformation of an electronic document or an electronic data message using asymmetric or public cryptosystem such that a person having the initial untransformed electronic document and the signer’s public key can accurately determine;

(i) whether the transformation was created using the private key that corresponds to the signer’s public key; and

(ii) whether the initial electronic document had been altered after the transformation was made.

(e) "Electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic messages or documents, in whole or in part, without review or action by an individual at the time of action or response.

(f) "Electronic authority signature" refers to an electronic signature that establishes the authority, position or attribute of the signer as the duly authorized proxy, agent or representative of another person, and therefore, by such signature to bind the latter as if he had created and/or issued the electronic signature himself.

(g) "Electronic data message" refers to information generated, sent, received or stored by electronic, optical or similar means.

(h) "Electronic document" refers to information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented by which a right is established or an obligation extinguished or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically. It includes documents signed with secure electronic signatures and any printout or output, readable by sight or other means, which accurately reflects the electronic data message or electronic document. For purposes of these Rules, the term "electronic document" may be used interchangeably with "electronic data message."

(i) "Electronic signature" refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person, and attached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document. For purposes of these Rules, electronic signatures include digital signatures and secure electronic signatures.

(j) "Information and communication system" refers to a system intended for and capable of generating, sending, receiving, storing or otherwise processing electronic data message or electronic documents and includes the computer system or other similar device by or in which data is recorded or stored and any procedures related to the recording or storage of electronic data message or electronic document.

(k) "Information Certifier" means any person who, or entity which in curse of its business, issues certificates as means of providing identification services and/or certifying information which are used to support the use of and trust in secure electronic signatures. For purposes of these Rules, the term "information certifier" includes but is not necessarily limited to certification authorities.

(l) "Key pair" in an asymmetric cryptosystem refers to the private key and its mathematically related public key such that the latter can verify the digital signature that the former creates.

(m) "Person" means any natural or juridical person including, but not limited to, an individual, corporation, partnership, joint venture, unincorporated association, trust or other juridical entity, or any governmental authority.

(n) "Private Key" refers to the key of a key pair used to create a digital signature.

(o) "Public Key" refers to the key of a pair used to verify a digital signature.

(p) "Secure Electronic Signature" means an electronic signature which is created and can be verified through the application of a security procedure or combination of security procedures that ensures such electronic signature:

a. is unique to the signer;

b. can be used to identify objectively the signer of the data message

c. was created and affixed to the date message by the signer or using a means under the sole control of the signer; and

d. was created and is linked to the data message to which it relates in a manner such that any change in the data message would be revealed.

For purposes of these Rules, secure electronic signatures include but is not necessarily limited to digital signatures.

(q) "Signature creation device, method or technology" refers to any device, method or technology used to create an electronic signature in respect of which it can be shown, through the use of a security procedure or method, that such signature (a) is unique to the signer for the purpose for which it is used; (b) was created and affixed to the data message by the signer or using a means under the sole control of the signer; and (c) was created and is linked to the electronic data message to which it relates in a manner which provides reliable assurance as to the integrity of the message.

(r) "Signer" means the person who uses, creates and affixes an electronic signature to an electronic data message.

Section 4. Technology Neutrality. – None of the provisions of these Rules shall be applied so as to exclude, restrict, or deprive of legal effect any method of electronic signature that satisfies the requirements referred to in Section 8 of the Act, or in Rule 5 of these Rules which is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.

Section 5. Legal Recognition of Electronic Signatures. – An electronic signature on the electronic document shall be equivalent to the signature of a person on a written document if that signature is proved by showing that a prescribed procedure, not alterable by the parties interested in the electronic document, existed under which:

(a) A method is used to identify the party sought to be bound and to indicate said party’s access to the electronic document necessary for his consent or approval through the electronic signature;

(b) Said method is reliable and appropriate for the purpose for which the electronic document was generated and communicated, in the light of all circumstances, including any relevant agreement;

(c) It is necessary for the party sought to be bound, in order to proceed further with the transaction, to have executed or provided the electronic signature; and

(d) The other party is authorized and enabled to verify the electronic signature, and to make the decision to proceed with the transaction authenticated by the same.

The parties may agree to adopt supplementary or alternative procedures provided that the same are not contrary to law or public policy.

Section 6. Authority Signatures. – None of the provisions of these Rules shall be applied so as to exclude, disallow, or deprive electronic authority signatures, as defined in Section 3 above, or legal effect and validity.

Section 7. Electronic Agents. – A contract or other record relating to a transaction may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action or operation of one or more electronic agents so long as such electronic agent is under the control of, or its action or operation is legally attributable to the person sought to be bound.

Section 8. Liability for unauthorized use of secure electronic signatures. – Where the use of a secure electronic signature was unauthorized and the purported signer did not exercise reasonable care to avoid the unauthorized use of the signature or to prevent the addressee from replying on such a signature, the signature shall nevertheless be regarded as that of the purported signer, unless the relying party knew or should have known that the signature was not that of the purported signer.

Section 9. Responsibilities of an information certifier. – An information certifier shall:

(a) act in accordance with the representations it makes with respect to its practices;

(b) exercise due diligence to ensure the accuracy and completeness of all material representations it makes that are relevant to the life-cycle of its certificates or which are included in its certificates;

(c) provide reasonably accessible means which enable a relying party to ascertain:

i. the identify of the information certifier;

ii. that the person who is identified in the certificate holds, at the relevant time, the signature device referred to in the certificate;

iii. the method used to identify the signer, provided however, the information certifier shall not be required to reveal any of its trade or industrial secrets;

iv. any limitations on the purposes or value for which the signature device may be used; and

v. whether the signature device is valid and has not been compromised;

(d) provide reasonably accessible means for signers to give notice that a signature device has been compromised and ensure the operation of a timely and secure revocation service; and

(e) utilize trustworthy systems, and procedures in performing is services.

(f) engage trustworthy personnel who possess the expert knowledge, experience and qualifications necessary for its services, in particular, but not limited to, expertise in electronic signature technology and familiarity with proper security procedures;

(g) maintain sufficient financial resources to operate as an information certifier and to bear the risk of potential liability for damages;

(h) Record, whether electronically or not, for an appropriate period of time all relevant information concerning issued certificates for, but not limited to, the purpose of providing evidence of certification in legal proceedings;

(i) for purposes of issuing and maintaining a certificate, collect and utilize personal data only insofar as it is necessary for the purposes of issuing and maintaining the certificate. Such data may not be collected, sold, distributed, processed or used for any other purpose without the express consent of the data subject.

An information certifier shall be liable for damages caused by its failure to satisfy the requirements provided under this and the following Rules.

Section 10. Certificate Requirements. – At a minimum, certificates shall state:

(a) the identity of the information certifier;

(b) that the person who is identified in the certificate holds, at the relevant time, the signature device referred to in the certificate;

(c) that the signature device was effective on the date when the certificate was issued;

(d) an indication of the beginning and end of the period of validity of the certificate;

(e) where applicable, any limitation on the purposes or value for which the certificate may be used; and

(f) any limitation on the scope or extent of liability that the information certifier accepts, or alternatively, information on where such limitations on the scope or extent of liability, if any, may be found.

Section 11. Liability for incorrect or defective certificates. – If damage has been caused as a result of the certificate being incorrect or defective, the information certifier shall be liable for damage suffered by either:

(a) the party who has contracted with the information certifier for the provision of a certificate; or

(b) any person who reasonably relies on a certificate issued by the information certifier as regards the fact that the certificate complies with all the requirements for a certificate, and as regards the truth and accuracy, at the time of the issuance of the certificate, of all information and representations contained in the certificate.

In assessing the loss, regard shall had to the following factors:

(a) the amount of damages caused by the incorrect or defective certificate;

(b) the cost of obtaining the certificate;

(c) the nature of the information being certified;

(d) the existence and extent of any limitation on the purpose for which the certificate may be used;

(e) the existence of any statement limiting the scope or extent of the liability of the information certifier;

(f) any contributory conduct by the relying party; and

(g) any other relevant factor.

Section 12. Voluntary accreditation. – A certificate shall be presumed to bind a secure electronic signature to the signer’s identity if the certificate was issued by an information certifier duly accredited by the Department of Trade and Industry (DTI), in coordination with the Department of Science and Technology (DOST), which shall apply commercially appropriate and internationally recognized standards covering the trustworthiness of the information certifier’s technology, practices and other relevant characteristics. A non-exhaustive list of bodies or standards that comply with this paragraph may be published from time to time by the DTI jointly with the DOST.

This Rule shall not be applied so as to exclude or prevent the validity of a certificate issued by a nonaccredited information certifier where such certificate is shown to have otherwise been issued in accordance with commercially appropriate and international recognized standards, or where sufficient evidence indicates that the certificate accurately binds the secure electronic signature to the signer’s identify.

Section 13. Responsibilities of the signer. – Each signer shall:

(a) Exercise reasonable care to avoid unauthorized use of his electronic signature and/or signature creation device;

(b) Notify appropriate persons, including the concerned information certifier, without undue delay if:

i. The signer knows that the private key or other signature creation device has been exposed or revealed to unauthorized persons, or that his electronic signature has been compromised; or

ii. the circumstances known to the signer give rise to a substantial risk that his electronic signature may have been compromised;

(c) A signer shall be liable for damages caused by failure to satisfy the requirements provided under this Rule.

Section 14. Reliance on electronic signatures. -

(a) A person shall rely on an electronic signature only to the extent that it is reasonable to do so. If reliance on the electronic signature is not reasonable in the circumstances having regard to the factors enumerated below,

(b) In determining whether it was reasonable for a person to have relied on the electronic signature, regard shall be had, if appropriate to:

i. the nature of the underlying transaction that the electronic signature was intended to support;

ii. whether the relying party, where warranted, has taken appropriate steps to determine the reliability of the electronic signature;

iii. whether the relying party took steps to ascertain whether the electronic signature was supported by a certificate;

iv. whether the relying party knew or ought to have known that the electronic signature device had been compromised or revoked;

v. any agreement or course of dealing which the relying party has with the signatory or subscriber, or any trade usage or practice which may be applicable;

vi. any other relevant factor.

Section 15. Recognition of foreign certificates and electronic signatures.

(a) In determining whether, or the extent to which, a certificate or an electronic signature is legally effective, no regard shall be had to the place where the certificate or the electronic signature was issued, nor to the country in which the issuer had its place of business.

(b) Parties to commercial and other transactions may specify that a particular information certifier or supplier or supplier of certification services, class of suppliers of certification services or class of certificates must be used in connection with messages or signatures submitted to them.

(c) Where parties agree, as between themselves, to the use of certain types of electronic signatures and certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition.

Section 16. Reciprocity. – All benefits, privileges, advantages or statutory rules established under these Rules shall be enjoyed only by parties whose country origin grants the same benefits and privileges and advantages to Filipino citizens.

Section 17. Variation by agreement. – Unless otherwise provided by law, contracting parties may derogate from or modify these Rules by agreement.

Section 18. Interpretation. – Unless otherwise expressly provided for, in the interpretation of these Rules, due regard is to be given to their international origin and to the need to promote uniformity in their application and the observance of good faith in international trade relations. The generally accepted principles of international law and convention on electronic commerce shall likewise be considered.

Section 19. Separability. – If any provision in these Rules or application of such provision to any circumstance is held invalid, the remainder of these Rules shall not be affected thereby.

Section 20. Effectivity. – These Rules shall take effect after fifteen (15) days following the completion of their publication in the Official Gazette or in a newspaper of general circulation in the Philippines.

Done this 28th day of September 2001 in Metro Manila, Republic of the Philippines.


(Sgd.) MAR ROXAS
Secretary
Department of Trade and Industry


(Sgd.) ESTRELLA F. ALABASTRO
Secretary
Department of Science and Technology


The Lawphil Project - Arellano Law Foundation