DIGITAL SIGNATURE BILL 1997

     

    EXPLANATORY STATEMENT

     

     

    This Bill seeks to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.

     

     

    2. Part I contains preliminary matters.

     

    Clause 1 contains the short title and provisions on the commencement of the proposed Act.

     

    Clause 2 contains the definitions of several expressions used in the proposed Act.

     

    3. Part II deals with the Controller of Certification Authorities and the licensing of certification authorities.

     

    Clause 3 seeks to empower the Minister to appoint a Controller of Certification Authorities. It also seeks to empower the Controller, after consultation with the Minister, to appoint such number of officers and servants as the Controller considers necessary. The function of the Controller is primarily to license certification authorities and to monitor and oversee the activities of certification authorities.

     

    Clause 4 seeks to introduce a mandatory licensing scheme for certification authorities. The mandatory licensing scheme is proposed to establish a minimum regulatory system to provide a basic level of reliability in certification authority practice without undermining the reliability of any signature by invalidating it for lack of a regulatory licence. Under the proposed scheme, a digital signature may nevertheless be reliable and legally valid if verified by a certificate issued by an unlicensed certification authority or without verification by any certificate at all. However, in such cases and as expressly provided in clause 13 of the proposed Act, neither the liability limits specified in Chapter 8 of Part IV of the proposed Act nor Part V of the proposed Act shall apply.

     

    Subclause 4(3) seeks to allow the Minister to exempt a person operating as a certification authority within an organisation where certificates and key pairs are issued to members of the organisation for internal use only and such other person or class of persons as the Minister considers fit.

     

    Clause 5 seeks to empower the Minister to prescribe the qualification requirements for certification authorities by regulations made under the proposed Act.

     

    Clause 6 seeks to make provision for the functions of licensed certification authorities. It also seeks to impose a duty on the licensed certification authority to take all reasonable measures to check for proper identification of a subscriber before issuing a certificate.

     

    Clauses 7 to 11 seek to make provision for the application for licences and the issue, surrender and revocation of licences.

     

    Clause 12 seeks to provide for the effect of the revocation, surrender or expiry of licences. Subclauses 12(5) to (8) seek to make provision for the certificates issued by a certification authority where its licence has been revoked or surrendered or has expired.

     

    Clause 13 seeks to clarify the effect of the lack of a licence, that is, Chapter 8 of Part IV of the proposed Act will not apply to the unlicensed certification authority and Part V of the proposed Act will not apply in relation to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.

     

    Clause 14 seeks to require the return of revoked or expired licences.

     

    Clause 15 seeks to allow the Controller to classify licences according to specified limitations and provides that where a licensed certification authority issues a certificate exceeding the restrictions of its licence, the licensed certification authority commits an offence. Further, the liability limits specified in Chapter 8 of Part IV shall not apply to it. However, this shall not affect the validity or effect of the issued certificate.

     

    Clause 16 seeks to restrict the use of the expressions "certification authority" and "licensed certification authority".

     

    Clause 17 seeks to provide for the renewal of licences whilst clause 18 seeks to provide for the replacement of lost licences.

     

    Clause 19 seeks to allow the Controller, by order published in the Gazette, to recognise foreign certification authorities, thereby allowing the recommended reliance limits specified in the certificates issued by the foreign certification authorities to apply and Part V of the proposed Act to apply to the certificates issued by them.

     

    Clause 20 seeks to provide for performance audits of licensed certification authorities to evaluate their compliance with the proposed Act. Clause 21 seeks to provide limited exemptions from performance audits to small businesses.

     

    4. Part III (clauses 22 to 26) deals with the requirements imposed on licensed certification authorities and includes requiring the licensed certification authority to only carry on activities specified in its licence, to display its licence and to submit information relating to its business operations.

     

    5. Part IV (clauses 27 to 61) deals with the duties of licensed certification authorities and subscribers. The duties of a licensed certification authority include using a trustworthy system to issue, suspend or revoke a certificate, to publish or give notice thereof and to create a private key, to publish issued and accepted certificates and to suspend or revoke certificates immediately where the need arises. Clause 31 provides that a licensed certification authority may conform to standards, certification practice statements, security plans or contractual requirements more rigorous than the proposed Act provided that they are not inconsistent therewith.

     

    The duties of a subscriber include retaining control of the private key and practising safe key management. Clause 44 provides that the private key is the personal property of the subscriber who rightfully holds it.

     

    Clauses 34 to 42 seek to provide the warranties and obligations of the licensed certification authority and subscriber on the issue and acceptance of a certificate.

     

    Clauses 60 and 61 seek to provide for a recommended reliance limit. By specifying a recommended reliance limit in a certificate, the issuing certification authority and accepting subscriber recommend that a person rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.

     

    6. Part V deals with the effect of digital signatures.

    Clause 62 seeks to provide that a digital signature created in accordance with the proposed Act shall satisfy the requirements of law with respect to signatures and that notwithstanding any written law to the contrary, a document signed with a digital signature in accordance with the proposed Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumb-print or any other mark. However, the proposed Act does not preclude any symbol from being valid as a signature under any other applicable law.

     

    Clause 63 seeks to provide that the recipient of a digital signature assumes the risk that a digital signature is forged if under the circumstances reliance on it is not reasonable. It also seeks to impose a duty on the recipient who does not rely on a digital signature to notify the signer of its determination and the grounds for that determination.

    Clause 64 seeks to deem a digitally signed document to be a written document whilst clause 65 seeks to deem a digitally signed document to be an original document.

     

    Clause 66 seeks to provide for the authentication of digital signatures.

     

    Clause 67 seeks to provide certain presumptions in adjudicating disputes.

     

    7. Part VI deals with repositories and date/time stamp services.

     

    Clauses 68 and 69 seek to provide for the recognition of repositories and their liabilities.

     

    Clause 70 seeks to provide for the recognition of date/time stamp services.

     

    8. Part VII deals with general matters.

     

    Clause 72 seeks to impose an obligation of secrecy on persons who have access to confidential information obtained under the proposed Act.

     

    Clause 73 seeks to make it an offence to furnish untrue, inaccurate or misleading information.

     

    Clause 74 seeks to provide for offences committed by a body corporate.

    Clause 75 seeks to empower the Minister to authorise any public officer or officer of the Controller to exercise the powers of enforcement under the proposed Act.

     

    Clauses 76 to 82 seek to give the Controller powers relating to investigation, search and seizure.

     

    Clause 83 seeks to provide a general penalty for contravention of the proposed Act of a fine not exceeding two hundred thousand ringgit or imprisonment for a term not exceeding four years or both, and in the case of a continuing offence, a daily fine not exceeding two thousand ringgit for each day the offence continues to be committed.

     

    Clause 84 seeks to empower the Controller to recover the costs incurred in relation to prosecution and adjudication proceedings.

     

    Clause 85 seeks to provide that costs or damages arising from a proper exercise of the powers of seizure under the proposed Act shall not be recoverable.

     

    Clause 86 seeks to provide that a prosecution for an offence under the proposed Act shall only be instituted with the written consent of the Public Prosecutor.

     

    Clause 87 seeks to provide that notwithstanding any written law to the contrary, a Court of a Magistrate of the First Class shall have jurisdiction to try any offence under the proposed Act and to impose the full punishment for any such offence.

     

    Clause 89 seeks to empower the Minister to exempt any person or class of persons from all or any of the provisions of the proposed Act, except section 4.

     

    Clause 91 seeks to empower the Minister to make regulations. Subclause 91(2) seeks to provide that the regulations may prescribe penalties of a fine not exceeding one hundred thousand ringgit or imprisonment for a term not exceeding two years or both for a contravention of the regulations.

     

    Clause 92 seeks to provide savings and transitional provisions.

     

    FINANCIAL IMPLICATIONS

     

    This Bill will involve the Government in extra financial expenditure the amount of which cannot at present be ascertained.

     

     

    [ PN.(U2)1971.]

 
