Electronic Transactions Ordinance

ELECTRONIC TRANSACTIONS ORDINANCE

CONTENTS

Section

Page

PART 1 Preliminary
1.	Short title and commencement	A13
2.	Interpretation	A13
PART II Application
3.	Matters to which sections 5, 6, 7, 8 and 17 are not applicable	A21
4.	Ordinance to bind Government	A21
PART III Electronic Records and Digital Signatures
5.	Requirement for writing	A23
6.	Digital signatures	A23
7.	Presentation or retention of information in its original form	A23
8.	Retention of information in electronic records	A25
9.	Admissibility of electronic records	A25
10.	Construction of this part subject to Part IV	A27
PART IV Limitations on Operation of Sections 5, 6, 7 and 8
11.	Secretary may make orders excluding application of section 5, 6, 7 or 8	A27
12.	Electronic record to comply with specified requirements to satisfy sections 5, 6, 7 and 8	A27
13.	Rules of court or procedure only to apply where relevant authority provides for application	A29
14.	Sections 5, 6, 7 and 8 not to affect specific provisions as to electronic records in other Ordinances	A29
15.	When sections 5, 6 and 7 apply to transactions between persons who are not government entities	A29
16.	Sections 5, 6, 7 and 8 not to have effect if their operation affects other statutory requirements	A31
PART V Electronic Contracts
17.	Formation and validity of electronic contracts	A33
PART VI Attribution of Sending and Receiving Electronic Records
18.	Attribution of electronic record	A33
19.	Sending and receiving electronic records	A35
PART VII Recognition of Certification Authorities and Certificates by Director
20.	Certification authority may apply to Director for recognition	A37
21.	Director may on application recognize certification authorities	A39
22.	Director may recognize certificates	A41
23.	Director may revoke recognition	A43
24.	Director may suspend recognition	A43
25.	Matters Director may take into account in revoking or suspending a recognition	A45
26.	Effect of revocation, suspension of recognition or expiry of validity of recognized certificate	A45
27.	Director may renew recognition of certification authority	A47
28.	Certification authority may appeal to Secretary against decision of Director	A49
29.	How Director may give notices under this part	A51
30.	Director to specify particulars and documents by notice in the Gazette	A51
PART VIII Certification Authority Disclosure Records and Code of Practice
31.	Director to maintain certification authority disclosure record	A51
32.	Director to notify revocations, suspensions and non-renewals recognition, etc.	A51
33.	Director may issue code of practice	A53
PART IX Postmaster General to be Recognized Certification Authority
34.	The Postmaster General as recognized certification authority	A55
35.	Postmaster General may perform functions and provide services of certification authority	A55
PART X General Provisions as to Recognized Certification Authorities
36.	Publication of issued and accepted certificates	A57
37.	Recognized certification authority to use trustworthy system	A57
38.	Presumption as to correctness of information	A57
39.	Representations upon issuance of recognized certificate	A57
40.	Representations upon publication of recognized certificate	A59
41.	Reliance limit	A59
42.	Liability limits for recognized certification authorities	A59
43.	Recognized certification authority to furnish report on compliance with Ordinance and code of practice	A61
44.	Recognized certification authority to issue a certification practice statement	A61
45.	Recognized certification authority to maintain repository	A61
PART XI Provisions as to Secrecy, Disclosure and Offences
46.	Obligation of secrecy	A63
47.	False information	A63
48.	Other offences	A63
PART XII Secretary’s Power to Amend Schedules and Make Subsidiary Legislation and Immunity of Public Officers
49.	Regulations	A65
50.	Secretary may amend Schedules	A65
51.	Protection of public officers	A65

Schedule 1	Matters excluded from application of sections 5, 6, 7, 8 and 17 of this Ordinance under section 3 of this Ordinance	A67
Schedule 2	Proceedings in relation to which sections 5, 6, 7 and 8 of this Ordinance do not apply under section 13(1) of this Ordinance	A67

HONG KONG SPECIAL ADMINISTRATIVE REGION

---

Ordiance No. 1 of 2000

An Ordinance to facilitate the use of electronic transactions for commercial and other purposes, to provide for matters arising from and related to such use, to enable the Postmaster General to provide the services of a certification authority and to provide for connected purposes.

[7 January 2000]

Enacted by the Legislative Council.

PART I
Preliminary

1. Short title and commencement

(1) This Ordinance may be cited as the Electronic Transactions Ordinance.

(2) Part I, sections 4 and 9, Part V (other than in relation to the matters referred to in Schedule 1) and Part VI, sections 31 and 33 and Parts IX, X, XI and XII shall come into operation at the beginning of the day on which this Ordinance is published in the Gazette.

(3) Sections 3, 5, 6, 7, 8 and 10, Part IV, Part V (in relation to the matters referred to in Schedule 1) and Part VII, section 32 and Schedules 1 and 2 shall come into operation on a day to be appointed by the Secretary for Information Technology and Broadcasting by notice in the Gazette.

2. Interpretation

(1) In this Ordinance, unless the context otherwise requires—

“accept a certificate” (接受證書), in relation to a person to whom a certificate is issued, means that the person while having notice of the contents of the certificate—

(a) authorizes the publication of the certificate to one or more persons or in a repository;

(b) uses the certificate; or

(c) otherwise demonstrates the approval of the certificate;

“addressee” (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary;

“asymmetric cryptosystem” (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature;

“certificate” (證書) means a record which—

(a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair;

(b) identifies the certification authority issuing it;

(c) names or identifies the person to whom it is issued;

(d) contains the public key of the person to whom it is issued; and

(e) is signed by a responsible officer of the certification authority issuing it;

“certification authority” (核證機關) means a person who issues a certificate to a person (who may be another certification authority);

“certification authority disclosure record” (核證機關披露紀錄), in relation to a recognized certification authority, means the record maintained under section 31 for that certification authority;

“certification practice statement” (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates;

“code of practice” (業務守則) means the code of practice issued under section 33;

“correspond” (對應), in relation to private or public keys, means to belong to the same key pair;

“digital signature” (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can determine—

(a) whether the transformation was generated using the private key that corresponds to the signer’s public key; and

(b) whether the initial electronic record has been altered since the transformation was generated;

“Director” (署長) means the Director of Information Technology Services;

“electronic record” (電子紀錄) means a record generated in digital form by an information system, which can be—

(a) transmitted within an information system or from one information system to another; and

(b) stored in an information system or other medium;

“electronic signature” (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record;

“hash function” (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that—

(a) a record yields the same hash result every time the algorithm is executed using the same record as input;

(b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and

(c) it is computationally not feasible that 2 records can be found to produce the same hash result using the algorithm;

“information” (資訊) includes data, text, images, sound codes, computer programmes, software and databases;

“information system” (資訊系統) means a system which—

(a) processes information;

(b) records information;

(c) can be used to cause information to be recorded, stored or otherwise processed in other information systems (wherever situated); and

(d) can be used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated);

“intermediary” (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record;

“issue” (發出), in relation to a certificate, means the act of a certification authority of creating a certificate and notifying its contents to the person named or identified in that certificate as the person to whom it is issued;

“key pair” (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates;

“originator” (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary;

“Postmaster General” (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap. 98);

“private key” (私人密碼匙) means the key of a key pair used to generate a digital signature;

“public key” (公開密碼匙) means the key of a key pair used to verify a digital signature;

“recognized certificate” (認可證書) means—

(a) a certificate recognized under section 22;

(b) a certificate of a type, class or description of certificate recognized under section 22; or

(c) a certificate designated as a recognized certificate issued by the certification authority referred to in section 34;

“recognized certification authority” (認可核證機關) means a certification authority recognized under section 21 or the certification authority referred to in section 34;

“record” (紀錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form;

“reliance limit” (倚據限額) means the monetary limit specified for reliance on a recognized certificate;

“repository” (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates;

“responsible officer” (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance;

“rule of law” (法律規則) means—

(a) an Ordinance;

(b) a rule of common law or a rule of equity; or

(c) customary law;

“Secretary” (局長) means the Secretary for Information Technology and Broadcasting;

“sign” and “signature” (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record;#

“subscriber” (登記人) means a person (who may be a certification authority) who—

(a) is named or identified in a certificate as the person to whom the certificate is issued;

(b) has accepted that certificate; and

(c) holds a private key which corresponds to a public key listed in that certificate;

“trustworthy system” (穩當系統) means computer hardware, software and procedures that—

(a) are reasonably secure from intrusion and misuse;

(b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time;

(c) are reasonably suitable for performing their intended function; and

(d) adhere to generally accepted security principles;

“verify a digital signature” (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to determine that—

(a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and

(b) the electronic record has not been altered since its digital signature was generated,

and any reference to a digital signature being verifiable is to be construed accordingly.

(2) For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer.

PART II
Application

3. Matters to which sections 5, 6, 7, 8 and 17 are not applicable

Sections 5, 6, 7, 8 and 17 do not apply to any—

(a) requirement or permission for information to be or given in writing;

(b) requirement for the signature of a person;

(c) requirement for information to be presented or retained in its original form;

(d) requirement for information to be retained,

under a rule of law in a matter or for an act set out in Schedule 1, unless that rule of law expressly provides otherwise.

4. Ordinance to bind Government

This Ordinance binds the Government.

PART III
Electronic Records and Digital Signatures

5. Requirement for writing

(1) If a rule of law requires information to be or given in writing or provides for certain consequences if it is not, an electronic record satisfies the requirement if the information contained in the electronic record is accessible so as to be usable for subsequent reference.

(2) If a rule of law permits information to be or given in writing, an electronic record satisfies that rule of law if the information contained in the electronic record is accessible so as to be usable for subsequent reference.

6. Digital signatures

(1) If a rule of law requires the signature of a person or provides for certain consequences if a document is not signed by a person, a digital signature of the person satisfies the requirement but only if the digital signature is supported by a recognized certificate and is generated within the validity of that certificate.

(2) In subsection (1), “within the validity of that Certificate” (在該證書的有效期内) means that at the time the digital signature is generated—

(a) the recognition of the recognized certificate is not revoked or suspended;

(b) if the Director has specified a period of validity for the recognition of the recognized certificate, the certificate is within that period; and

(c) if the recognized certification authority has specified a period of validity for the recognized certificate, the certificate is within that period.

7. Presentation or retention of information in its original form

(1) Where a rule of law requires that certain information be presented or retained in its original form, the requirement is satisfied by presenting or retaining the information in the form of electronic records if—

(a) there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form; and

(b) where it is required that information be presented, the information is capable of being displayed in a legible form to the person to whom it is to be presented.

(2) For the purposes of subsection (1)(a)—

(a) the criterion for assessing the integrity of the information is whether the information has remained complete and unaltered, apart from the addition of any endorsement or any change which arises in the normal course of communication, storage or display; and

(b) the standard for reliability of the assurance is to be assessed having regard to the purpose for which the information was generated and all the other relevant circumstances.

(3) This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being presented or retained in its original form.

8. Retention of information in electronic records

(1) Where a rule of law requires certain information to be retained, whether in writing or otherwise, the requirement is satisfied by retaining electronic records, if—

(a) the information contained in the electronic record remains accessible so as to be usable for subsequent reference;

(b) the relevant electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and

(c) the information which enables the identification of the origin and destination of the electronic record and the date and time when it was sent or received, is retained.

(2) This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being retained.

9. Admissibility of electronic records

Without prejudice to any rules of evidence, an electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record.

10. Construction of this part subject to Part IV

This Part is to be construed subject to Part IV.

PART IV
Limitations on Operation of Sections 5, 6, 7 and 8

11. Secretary may make orders excluding application of section 5, 6, 7 or 8

(1) The Secretary may by order published in the Gazette exclude an Ordinance or a particular requirement or permission in an Ordinance or a class or description of requirements or permissions in an Ordinance, to which this Ordinance would otherwise apply, from the application of section 5, 6, 7 or 8.

(2) The Secretary may, in relation to an Ordinance to which this Ordinance applies, specify by notice published in the Gazette—

(a) the manner and format in which information in the form of an electronic record is to be given, presented or retained for the purposes of that Ordinance or a particular requirement or permission in that Ordinance or a class or description of requirements or permissions in that Ordinance; and

(b) the procedure and criteria for verification of the receipt of that information and for ensuring the integrity and confidentiality of the information.

(3) The Secretary may specify different requirements under subsection (2)(a) or (b) in relation to persons or Cases of different classes or descriptions.

(4) An order under subsection (1) is subsidiary legislation.

(5) A notice under subsection (2) is not subsidiary legislation.

(6) In this section, “manner and format” (方式及規格) includes requirements as to software, communication, data storage, how the electronic record is to be generated, sent, stored or received and where a signature is required, the type of signature and how the signature is to be affixed to the electronic record.

12. Electronic record to comply with specified requirements to satisfy sections 5, 6, 7 and 8

If the Secretary has specified any requirement under section 11(2) in relation to an Ordinance, the information given, presented or retained or the signature made, as the case may require, for the purpose of that Ordinance does not satisfy that Ordinance unless it complies with the specified requirements.

13. Rules of court or procedure only to apply where relevant authority provides for application

(1) Section 5, 6, 7 or 8 does not apply in relation to information given, presented or retained or signatures required for the purposes of any proceedings set out in Schedule 2, unless any rule of law relating to those proceedings provide for its application.

(2) Subsection (1) is not to be construed as affecting any provision in a rule of law referred to in that subsection, requiring or permitting, otherwise than by reference to this Ordinance, the use of electronic records or electronic signatures for the purposes of the proceedings to which the rule of law relates.

(3) Any authority given by a rule of law to make rules (however described) for the purpose of any proceedings set out in Schedule 2 is to be construed as including a power to provide for—

(a) the application of section 5, 6, 7 or 8; and

(b) the specification of the matters referred to in section 11(2)(a) and (b), by subsidiary legislation or otherwise, consequent to such application.

14. Sections 5, 6, 7 and 8 not to affect specific provisions as to electronic records in other Ordinances

If an Ordinance requires or permits giving, presenting or retaining information in the form of an electronic record or the authentication of information by an electronic signature for the purposes of that Ordinance, but contains an express provision which—

(a) specifies requirements, procedures or other specifications for that purpose;

(b) requires the use of a specified service, or

(c) confers a discretion on a person whether or when to accept electronic records or electronic signatures for that purpose,

section 5, 6, 7 or 8 is not to be construed as affecting that express provision.

15. When sections 5, 6 and 7 apply to transactions between persons who are not government entities

(1) If an Ordinance requires information to be given by a person to another and neither person is or is acting on behalf of a government entity, section 5(1) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record.

(2) If an Ordinance permits information to be given by a person to another and neither person is or is acting on behalf of a government entity, section (2) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record.

(3) If an Ordinance requires the signature of a person (“the signer”) and neither the signer nor the person to whom the signature is to be given (“the second mentioned person”) is or is acting on behalf of a government entity, section 6 applies only if the second mentioned person consents to the signer’s digital signature being given.

(4) If an Ordinance requires information to be presented in its original form and neither the person presenting it nor the person to whom it is to be presented (“the second mentioned person”) is or is acting on behalf of a government entity, section 7(1) applies only if the second mentioned person consents to it being presented in the form of an electronic record.

(5) In this section—

“consent” (同意) includes consent that can be reasonably inferred from the conduct of the person concerned;

“government entity” (政府單位) means a public officer or a public body.

16. Sections 5, and 8 not to have effect if their operation affects other statutory requirements

(1) If the effect of section 5 on a requirement or permission in an Ordinance for information to be or given in writing (“requirement for writing”) is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for writing) cannot be complied with due to the operation of that section, section 5 does not apply to the requirement for writing.

(2) If the effect of section 6 on a requirement in an Ordinance for the signature of a person is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for the signature of a person) cannot be complied with due to the operation of that section, section 6 does not apply to the requirement for the signature of a person.

(3) If the effect of section 7 on a requirement in an Ordinance for information to be presented or retained in its original form (“requirement for original form”) is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for original form) cannot be complied with due to the operation of that section, section 7 does not apply to the requirement for original form.

(4) If the effect of section 8 on a requirement in an Ordinance for information to be retained (“requirement for retention”) is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for retention) cannot be complied with due to the operation of that section, section 8 does not apply to the requirement for retention.

PART V
Electronic Contracts

17. Formation and validity of electronic contracts

(1) For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records.

(2) Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose.

(3) For the avoidance of doubt, it is stated that this section does not affect any rule of common law to the effect that the offeror may prescribe the method of communicating acceptance.

PART VI
Attribution of Sending and Receiving Electronic Records

18. Attribution of electronic record

(1) Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is that of the originator if it was—

(a) sent by the originator;

(b) sent with the authority of the originator; or

(c) sent by an information system programmed by or on behalf of the originator to operate and to send the electronic record automatically.

(2) Nothing in subsection (1) is to affect the law of agency or the law on the formation of contracts.

19. Sending and receiving electronic records

(1) Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is sent when it is accepted by an information system outside the control of the originator or of the person who sent the electronic record on behalf of the originator.

(2) Unless otherwise agreed between the originator and the addressee of an electronic record, the time of receipt of an electronic record is determined as follows—

(a) if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs—

(i) at the time when the electronic record is accepted by the designated information system; or

(ii) if the electronic record is sent to an information system of the addressee that is not the designated information system, at the time when the electronic record comes to the knowledge of the addressee;

(b) if the addressee has not designated an information system, receipt occurs when the electronic record comes to the knowledge of the addressee.

(3) Subsections (1) and (2) apply notwithstanding that the place where the information system is located is different from the place where the electronic record is taken to have been sent or received under subsection (4).

(4) Unless otherwise agreed between the originator and the addressee, an electronic record is taken to have been—

(a) sent at the place of business of the originator; and

(b) received at the place of business of the addressee.

(5) For the purposes of subsection (4)—

(a) if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction, or where there is no underlying transaction, the principal place of business of the originator or the addressee, as the case may be;

(b) if the originator or the addressee does not have a place of business, the place of business is the place where the originator or the addressee ordinarily resides.

(6) Where the originator and the addressee are in different time zones, time refers to Universal Standard Time.

PART VII
Recognition of Certification Authorities and Certificates by Director

20. Certification authority may apply to Director for recognition

(1) A certification authority may apply to the Director to become a recognized certification authority for the purposes of this Ordinance.

(2) Subject to subsection (4) and section 21(3), an application under subsection (1) must be made in the prescribed manner and in a form specified by the Director and the applicant must pay the prescribed fee in respect of the application.

(3) An applicant must furnish to the Director—

(a) the relevant particulars and documents specified under section 30; and

(b) a report which—

(i) contains an assessment as to whether the applicant is capable of complying with the provisions of this Ordinance applicable to a recognized certification authority and the code of practice; and

(ii) is prepared by a person acceptable to the Director as being qualified to give such a report.

(4) The Director may waive—

(a) the requirements as to manner and form of making the application in subsection (2); or

(b) the requirement of a report under subsection (3),

in relation to a certification authority, in the circumstances specified in subsection (5).

(5) The Director may waive the requirements referred to in subsection (4) only if—

(a) the applicant is a certification authority with a status in a place outside Hong Kong comparable to that of a recognized certification authority (“comparable status”); and

(b) the competent authority of that place accords to a recognized certification authority a comparable status on the basis of it being a recognized certification authority.

21. Director may on application recognize certification authorities

(1) The Director may—

(a) recognize an applicant under section 20 as a recognized certification authority if the Director is satisfied that the applicant is suitable for such recognition; or

(b) refuse the application for recognition.

(2) The Director must give reasons in writing to the applicant for refusing an application under subsection (1)(b).

(3) The Director may, in recognizing a certification authority referred to in section 20(4), waive the whole or part of the prescribed fee as the Director may decide in relation to a particular case.

(4) In determining whether an applicant is suitable for recognition under subsection (1), the Director shall, in addition to any other matter the Director considers relevant, take into account the following—

(a) whether the applicant has the appropriate financial status for operating as a recognized certification authority in accordance with this Ordinance and the code of practice;

(b) the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of this Ordinance;

(c) the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers;

(d) the report referred to in section 20(3)(b) (if applicable);

(e) whether the applicant and the responsible officers are fit and proper persons; and

(f) the reliance limits set or proposed to be set by the applicant for its certificates.

(5) In determining whether a person referred to in subsection (4)(e) is a fit and proper person, the Director shall, in addition to any other matter the Director considers relevant, have regard to the following—

(a) the fact that the person has a conviction in Hong Kong or elsewhere for an offence for which it was necessary to find that the person had acted fraudulently, corruptly or dishonestly;

(b) the fact that the person has been convicted of an offence against this Ordinance;

(c) if the person is an individual, the fact that the person is an undischarged bankrupt or has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap. 6) within the 5 years preceding the date of the application; and

(d) if the person is a body corporate, the fact that the person is in liquidation, is the subject of a winding-up order or there is a receiver appointed in relation to it or it has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap. 6) within the 5 years preceding the date of the application.

(6) In recognizing a certification authority under subsection (1), the Director may—

(a) attach conditions to the recognition; or

(b) specify a period of validity for the recognition.

22. Director may recognize certificates

(1) The Director may recognize certificates issued by a recognized certification authority as recognized certificates, upon application by that authority.

(2) An applicant under subsection (1) must make the application in the prescribed manner and in a form specified by the Director and furnish to the Director the relevant particulars and documents specified under section 30.

(3) A recognition under subsection (1) may relate to—

(a) all certificates issued by the recognized certification authority;

(b) certificates of a type, class or description; or

(c) particular certificates.

(4) An applicant must pay the prescribed fee (if any) in respect of an application under subsection (1) unless the Director waives it in whole or in part.

(5) In recognizing certificates under this section, the Director shall in addition to any other matter the Director considers relevant take into account the following—

(a) whether the certificates are issued in accordance with the certification practice statement;

(b) whether the certificates are issued in accordance with the code of practice;

(c) the reliance limit set or proposed to be set for that type, class or description or the particular certificate, as the case may require; and

(d) the arrangements put in place or proposed to be put in place by the certification authority to cover any liability that may arise from the issue of that type, class or description or the particular certificate, as the case may be.

(6) The Director may refuse an application under subsection (1).

(7) The Director must give reasons in writing to the applicant for refusing an application under subsection (6).

(8) The Director may specify a period of validity for a recognition under this section.

(9) The Director may upon application renew a recognition under this section.

(10) Subsections (2), (3), (4), (5), (6), (7) and (8) apply to a renewal under subsection (9), subject to necessary modifications.

23. Director may revoke recognition

(1) The Director may revoke a recognition granted under section 21 or 22 or renewed under section 22 or 27.

(2) Before revoking a recognition, the Director must give the certification authority a notice of intention to revoke the recognition specifying the reasons for the intended revocation.

(3) In a notice under subsection (2), the Director must invite the certification authority to make representations as to why the recognition should not be revoked and specify a period for making the representations.

(4) If the Director decides to revoke a recognition, the Director must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made.

(5) A revocation of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate.

(6) Subject to subsection (7), a revocation takes effect on the expiry of 7 days from the date on which the decision to revoke the recognition is made.

(7) If the certification authority appeals under section 28 against the revocation, the revocation does not take effect until the expiry of 7 days from the date on which the Secretary confirms the revocation on appeal.

24. Director may suspend recognition

(1) The Director may suspend a recognition granted under section 21 or 22 or renewed under section 22 or 27 for a period not exceeding 14 days.

(2) If the Director decides to suspend a recognition, the Director must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made.

(3) A suspension of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate.

(4) Subject to subsection (5), a suspension takes effect on the expiry of 7 days from the date on which the decision to suspend the recognition is made.

(5) If the certification authority appeals under section 28 against the suspension, the suspension does not take effect until the expiry of 7 days from the date on which the Secretary confirms the suspension on appeal.

(6) If the period of suspension expires during the validity of a recognition and the recognition is not revoked, the recognition is taken to be reinstated.

25. Matters Director may take into account in revoking or suspending a recognition

The Director may, in revoking or suspending a recognition under section 23 or 24, in addition to any other matter that the Director considers relevant, take into account the following—

(a) any matter set out in section 21(4);

(b) whether the certification authority has failed—

(i) to operate in accordance with the certification practice statement;

(ii) to comply with the code of practice;

(iii) to use a trustworthy system; or

(iv) to comply with any provision of this Ordinance; and

(c) the relevant report furnished under section 43.

26. Effect of revocation, suspension of recognition or expiry of validity of recognized certificate

(1) Where the revocation or suspension of a recognition of a certification authority has taken effect or the period of validity of a recognition specified under section 21(6)(b) has expired, the provisions of this Ordinance relating to—

(a) a recognized certification authority do not apply to that certification authority;

(b) recognized certificates issued by a recognized certification authority do not apply to the certificates issued by that certification authority; and

(c) digital signatures supported by a recognized certificate issued by a recognized certification authority do not apply to the digital signatures supported by the certificates issued by that certification authority.

(2) Where the revocation or suspension of the recognition of a recognized certificate has taken effect, the provisions of this Ordinance relating to a recognized certificate or digital signatures supported by a recognized certificate do not apply to—

(a) the certificate of which the recognition is revoked or suspended;

(b) any certificate of the type, class or description of certificate the recognition of which is revoked or suspended;

(c) digital signatures supported by that certificate or a certificate of that type, class or description,

as the case may be.

(3) Where the validity of a recognized certificate or the period of validity of a recognition specified under section 22(8) has expired, the provisions of this Ordinance relating to recognized certificates issued by a recognized certification authority and digital signatures supported by a recognized certificate issued by a recognized certification authority do not apply to the certificate and the digital signatures supported by the certificate.

(4) The revocation or suspension of the recognition of a certification authority does not affect the valid use of a recognized certificate issued by that certification authority before the revocation or suspension took effect or after the reinstatement of the recognition.

(5) The revocation or suspension of the recognition of a certificate does not affect the valid use of the certificate concerned before the revocation or suspension took effect or after the reinstatement of the recognition.

(6) The expiry of the period of validity of the recognition of a certificate specified under section 22(8) or the expiry of the period of validity of a recognized certificate does not affect the valid use of the certificate concerned before the expiry of the period of validity of the recognition or the certificate, as the case may be.

(7) The expiry of the period of validity of the recognition of a certification authority specified under section 21(6)(b) does not affect the valid use of a recognized certificate issued by that certification authority during the period of validity of its recognition.

27. Director may renew recognition of certification authority

(1) A certification authority recognized under section 21 may apply to the Director for renewal of a recognition.

(2) An application for renewal must be made at least 30 days before but not earlier than 60 days before the expiry of the period of validity of the recognition.

(3) An application for renewal must be sent to the Director as an electronic record or delivered by hand to the Director or left at the office of the Director during the ordinary business hours of that office.

(4) Subject to subsections (2), (3) and (6), an application for renewal is to be made in the prescribed manner and in a form specified by the Director and if the Director so requires, the applicant must furnish to the Director the relevant particulars and documents specified under section 30.

(5) Subject to subsection (6), an applicant must pay the prescribed fee in respect of an application for renewal.

(6) The Director may, in the circumstances specified in section 20(5), waive the requirements in subsection (4) or the whole or part of the prescribed fee as the Director may decide in relation to a particular case.

(7) Section 21(4) and (6) applies to a renewal of a recognition subject to necessary modifications.

28. Certification authority may appeal to Secretary against decision of Director

(1) A certification authority aggrieved by a decision of the Director—

(a) refusing an application for recognition under section 21 or 22;

(b) refusing an application for renewal of a recognition under section 22 or 27; or

(c) revoking or suspending a recognition under section 23 or 24,

may appeal to the Secretary against the decision within 7 days from the date on which the relevant decision is made.

(2) An appeal under subsection (1) must be commenced by sending a notice of appeal to the Secretary as an electronic record or delivering the notice by hand to the Secretary or leaving the notice at the office of the Secretary during the ordinary business hours of that office.

(3) A certification authority who appeals to the Secretary under this section must also give notice of the appeal to the Director as soon as practicable.

(4) On appeal under subsection (1), the Secretary may confirm, vary or reverse the decision of the Director.

(5) The Secretary must give the appellant notice of the decision on appeal, together with reasons—

(a) by sending it to the appellant as an electronic record; or

(b) by sending it by post or registered post to the last known address of the appellant.

(6) If in a particular case it is not reasonably practicable to give the notice of the decision on appeal by either of the means specified in subsection (5), the notice is taken to have been given if the Secretary publishes it in the certification authority disclosure record maintained under section 31 for the appellant.

29. How Director may give notices under this Part

(1) A notice or other document the Director is required to give to a certification authority under this Part is taken to have been given if it is—

(a) sent to the certification authority as an electronic record; or

(b) sent by post or registered post to the last known address of the certification authority.

(2) If in a particular case it is not reasonably practicable to give a notice or other document under this Part by either of the means specified in subsection (1), the notice or document is taken to have been given if the Director publishes it in the relevant certification authority disclosure record.

30. Director to specify particulars and documents by notice in the Gazette

(1) The Director must specify by notice published in the Gazette any particulars and documents to be furnished under sections 20(3)(a), 22(2) and (10) and 27(4).

(2) A notice under subsection (1) is not subsidiary legislation.

PART VIII
Certification Authority Disclosure Records and Code of Practice

31. Director to maintain certification authority disclosure record

(1) The Director must maintain for each recognized certification authority an on-line and publicly accessible record.

(2) The Director must publish in the certification authority disclosure record information regarding that certification authority relevant for the purposes of this Ordinance (in addition to the information required to be given in it under other provisions of this Ordinance).

32. Director to notify revocations, suspensions and non-renewals of recognition, etc.

(1) The Director must give notice in the relevant certification authority disclosure record, immediately—

(a) when the Director makes a decision to revoke a recognition under section 23(4);

(b) when a revocation has taken effect under section 23(6) or (7);

(c) when the Director makes a decision to suspend a recognition under section 24(2);

(d) when a suspension has taken effect under section 24(4) or (5);

(e) when the recognition of a suspended recognition is reinstated;

(f) when the Director receives a notice of appeal under section 28(3); or

(g) on becoming aware that the Secretary has confirmed, varied or reversed the decision of the Director to revoke or suspend a recognition.

(2) Where the revocation or suspension of a recognition has taken effect, the Director must, as soon as practicable, give notice of the revocation or suspension for at least 3 consecutive days in one English language daily newspaper and one Chinese language daily newspaper in circulation in Hong Kong.

(3) If a recognized certification authority does not apply for renewal before the end of the period during which an application for renewal can be made under section 27(2), the Director must, at least 21 days before the expiry of the period of validity of the recognition, give notice—

(a) for at least 3 consecutive days in one English language daily newspaper and one Chinese language daily newspaper in circulation in Hong Kong; and

(b) in the certification authority disclosure record maintained for the certification authority,

of the date of the expiry of the validity and that the certification authority has not applied for renewal.

33. Director may issue code of practice

The Director may issue a code of practice specifying standards and procedures for carrying out the functions of recognized certification authorities.

PART IX
Postmaster General to be Recognized Certification Authority

34. The Postmaster General as recognized certification authority

(1) The Postmaster General is a recognized certification authority for the purposes of this Ordinance.

(2) Part VII does not apply to the Postmaster General as a certification authority.

35. Postmaster General may perform functions and provide services of certification authority

(1) For the purposes of section 34, the Postmaster General may by himself or by the officers of the Post Office—

(a) perform the functions and provide the services of a certification authority and services incidental or related to the functions or services of a certification authority; and

(b) do anything that is necessary or expedient for the purposes of paragraph (a) and for complying with any provision of this Ordinance relating to a recognized certification authority.

(2) The Postmaster General may determine and charge fees for providing the services of a certification authority or services incidental or related to the functions or services of a certification authority.

(3) The fees determined and charged under subsection (2) shall not be limited by reference to the administrative or other costs incurred or likely to be incurred or recovery of expenditure in the provision of the services of a certification authority or services incidental or related to the functions or services of a certification authority.

(4) The Postmaster General may give particulars of any fees determined under subsection (2) in such manner as the Postmaster General thinks fit.

PART X
General Provisions as to Recognized Certification Authorities

36. Publication of issued and accepted certificates

(1) Where a subscriber accepts a recognized certificate issued by a recognized certification authority, the certification authority must publish the certificate in a repository.

(2) If the subscriber does not accept the recognized certificate, the recognized certification authority must not publish it.

37. Recognized certification authority to use trustworthy system

A recognized certification authority must use a trustworthy system in performing its services—

(a) to issue or withdraw a recognized certificate; or

(b) to publish in a repository or give notice of the issue or withdrawal of a recognized certificate.

38. Presumption as to correctness of information

It shall be presumed, unless there is evidence to the contrary, that the information contained in a recognized certificate issued by a recognized certification authority (except information identified as subscriber’s information which has not been verified by the recognized certification authority) is correct if the certificate was published in a repository.

39. Representations upon issuance of recognized certificate

By issuing a recognized certificate, a recognized certification authority represents to any person who reasonably relies on the information contained in the certificate or a digital signature verifiable by the public key listed in the certificate, that the recognized certification authority has issued the certificate in accordance with any applicable certification practice statement incorporated by reference in the certificate, or of which the relying person has notice.

40. Representations upon publication of recognized certificate

By publishing a recognized certificate, a recognized certification authority represents to any person who reasonably relies on the information contained in the certificate, that the recognized certification authority has issued the certificate to the subscriber concerned.

41. Reliance limit

(1) A recognized certification authority may, in issuing a recognized certificate, specify a reliance limit in the certificate.

(2) The recognized certification authority may specify different limits in different recognized certificates or in different types, classes or description of certificates.

42. Liability limits for recognized certification authorities

(1) Unless a recognized certification authority waives the application of this subsection, the recognized certification authority is not liable for any loss caused by reliance on a false or forged digital signature of a subscriber supported by a recognized certificate issued by that certification authority, if the recognized certification authority has complied with the requirements of this Ordinance and the code of practice with respect to that certificate.

(2) Unless a recognized certification authority waives the application of this subsection, the recognized certification authority is not liable in excess of the amount specified in the certificate as its reliance limit, for a loss caused by reliance on any information—

(a) that the recognized certification authority is required to confirm according to the certification practice statement and the code of practice; and

(b) which is misrepresented on that recognized certificate or in a repository,

if the recognized certification authority has, in relation to that certificate, complied with the requirements of this Ordinance and the code of practice.

(3) The limitation of liability under subsection (2) does not apply if the fact was misrepresented due to the negligence of the recognized certification authority or it was intentionally or recklessly misrepresented by the recognized certification authority.

43. Recognized certification authority to furnish report on compliance with Ordinance and code of practice

(1) At least once in every 12 months, a recognized certification authority must furnish to the Director a report containing an assessment as to whether the recognized certification authority has complied with the provisions of this Ordinance applicable to a recognized certification authority and the code of practice during the report period.

(2) A report under subsection (1) must be prepared, at the expense of the certification authority, by a person approved by the Director as being qualified to make such a report.

(3) The Director must publish in the certification authority disclosure record for the certification authority the date of the report and the material information in the report.

(4) In subsection (1) “report period” (所涵蓋的期間), in relation to a report (“current report”), means the period beginning on—

(a) the date on which recognition is granted under section 21 or section 34 comes into operation; or

(b) the day following the last day of the period for which the last report under that subsection was furnished,

as the case may require, and ending on the last day of the period for which the current report is furnished.

44. Recognized certification authority to issue a certification practice statement

A recognized certification authority must issue and maintain an up to date certification practice statement and notify the Director of changes to the practices of the certification authority as set out in that statement.

45. Recognized certification authority to maintain repository

(1) A recognized certification authority must maintain or cause to be maintained an on-line and publicly accessible repository.

(2) The Director must publish in the Gazette a list of the repositories maintained under subsection (1).

PART XI
Provisions as to Secrecy, Disclosure and Offences

46. Obligation of secrecy

(1) Subject to subsection (2), a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Ordinance shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person.

(2) Subsection (1) does not apply to disclosure—

(a) which is necessary for performing or assisting in the performance of a function under or for the purposes of this Ordinance;

(b) for the purpose of any criminal proceedings in Hong Kong;

(c) for the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding in Hong Kong; or

(d) under the direction or order of a magistrate or court.

(3) A person who contravenes subsection (1) commits an offence and is liable to a fine at level 6 and in the case of an individual also to imprisonment for 6 months.

47. False information

A person who knowingly or recklessly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Ordinance which is untrue, inaccurate or misleading commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

48. Other offences

A person who makes a false claim that a person is a recognized certification authority commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

PART XII
Secretary’s Power to Amend Schedules and Make Subsidiary Legislation and Immunity of Public Officers

49. Regulations

The Secretary may make regulations for all or any of the following—

(a) to prescribe the manner of applying to the Director for recognition or renewal of recognition as a recognized certification authority or for recognition or renewal of recognition of certificates and the manner of recognition;

(b) to prescribe the fees payable in respect of applications for the recognition of certification authorities, the recognition of certificates or the renewal of such recognition;

(c) to prescribe the form of certification practice statements;

(d) to provide for the manner of appealing against a decision of the Director and the procedure for determining appeals;

(e) to provide for such other matters as are necessary or expedient to give effect to the provisions of this Ordinance.

50. Secretary may amend Schedules

The Secretary may by order published in the Gazette amend Schedules 1 and 2.

51. Protection of public officers

(1) No liability is incurred by the Government or a public officer by reason only of the fact that a recognition is granted, renewed, revoked, suspended or reinstated under Part VII.

(2) Without prejudice to subsection (1), no civil liability is incurred by a public officer in respect of anything done or omitted to be done by the public officer in good faith in the performance or purported performance of any function under a Part other than Part VII.

(3) The protection conferred under subsection (2) does not in any way affect the liability, if any, of the Government for the act or omission of the public officer in the performance or purported performance of the relevant function.

Matters Excluded from Application of Sections 5, 6, 7, 8 and 17 of this Ordinance under Section 3 of this Ordinance

1. The creation, execution, variation, revocation, revival or rectification of a will, codicil or any other testamentary document.

2. The creation, execution, variation or revocation of a trust (other than resulting, implied or constructive trusts).

3. The creation, execution, variation or revocation of a power of attorney.

4. The making, execution or making and execution of any instrument which is required to be stamped or endorsed under the Stamp Duty Ordinance (Cap. 117) other than a contract note to which an agreement under section 5A of that Ordinance relates.

5. Government conditions of grant and Government leases.

6. Any deed, conveyance or other document or instrument in writing, judgments, and lis pendens referred to in the Land Registration Ordinance (Cap. 128) by which any parcels of ground tenements or premises in Hong Kong may be affected.

7. Any assignment, mortgage or legal charge within the meaning of the Conveyancing and Property Ordinance (Cap. 219) or any other contract relating to or effecting the disposition of immovable property or an interest in immovable property.

8. A document effecting a floating charge referred to in section 2A of the Land Registration Ordinance (Cap. 128).

9. Oaths and affidavits.

10. Statutory declarations.

11. Judgments (in addition to those referred to in section 6) or orders of court.

12. A warrant issued by a court or a magistrate.

13. Negotiable instruments.

Proceedings in relation to which sections 5, 6, 7 and 8 of this Ordinance do not apply under section 13(1) of this Ordinance

Proceedings before any of the following—

(a) the Court of Final Appeal;

(b) the Court of Appeal;

(c) the Court of First Instance;

(d) the District Court;

(e) the Mental Health Review Tribunal established under the Mental Health Ordinance (Cap. 136);

(f) the Lands Tribunal;

(g) a coroner appointed under section 3 of the Coroners Ordinance (Cap. 504);

(h) the Labour Tribunal;

(i) the Obscene Articles Tribunal established under the Control of Obscene and Indecent Articles Ordinance (Cap. 390);

(j) the Small Claims Tribunal;

(k) a magistrate.