The Chinese Approach to Electronic Transactions Legislation

Post time:07-18 2007 Source:Zhang Chu Author:Zhang Chu
Abstract: Electronic business raises a series of legal challenges to traditional legal systems. This paper discusses the Chinese legislative approach to accommodating these challenges, especially that embodied in its recently adopted Electronic Signatures Law. The authors analyze from an inside perspective the scope and content of the law, its solution to technical issues, and the style of regulating certification services, concluding with an outline of prospective legislative activities in this field.
Keywords: electronic business, electronic commerce, legal challenges, Chinese legislative approach, Electronic Signatures Law

Contents

Introduction
I. Earlier Legislative Endeavors to Accommodate Electronic Commerce in China
II. The Features of Chinese Electronic Signatures Law
A. Legislative Framework
(i) Scope
(ii) Content
(iii) Legislative Model: Tackling of Technical Issues
B. Reliability of Certification Service Providers
(i) Market Access Control
(ii) Supervision of Certification Service Providers’ Practices
(iii) Liability Regime
III. The Road Ahead
A. Tasks at Hand
B. Tasks in the Long Run
Conclusion

Introduction
Ecclesiastes reminds us that there is nothing new under the sun, and that may be equally true when it comes to electronic transactions. Deals and agreements are still embodied in contracts, contracts are still entered into when two parties reach an enforceable agreement on terms, and objective evidence still determines whether an agreement has been reached. Fraud and piracy are no less illegal just because they happen online. In other words, rules (including legal rules) of the physical world are not irrelevant to the virtual world. Nevertheless, despite all the similarities, there may still be some differences in form, and there are times when the law respects form over substance. [3] Consequently, differences in form may raise obstacles to using electronic commerce.
Like many other countries, China has endeavored to overcome this formal barrier. After several preliminary trials at both national and local levels, in August 2004, it finally enacted the Electronic Signatures Law. This is the first law China enacted specifically for electronic transaction issues. This paper aims to characterize the Chinese approach to electronic transaction legislation, based on a comparative study of several critical points. First, it will address earlier legislative endeavors in this field. Second, it will touch on the approach the new law takes to respond to various challenges. In doing so, it adopts an inside perspective, by taking advantage of the co-authors’ unique experiences in drafting this law, exploring the legislative history and revealing the policy considerations behind the written words. Based on these analyses, the conclusion outlines the road ahead toward a sound legal environment for electronic transactions in China.

I. Earlier Legislative Endeavors to Accommodate Electronic Commerce in China
Electronic commerce, while promoting economic development, has raised a series of legal challenges to traditional legal systems. As in other countries, the most sensitive reaction first came from academics: legal research on electronic commerce has long been a “hot” topic in China. As Chinese scholars ambitiously endeavored to draft an Economic Commerce Model Law, [4] publications were compiled, [5] specific websites for this subject [6] were booming, specialized academic organizations [7] were instituted, and annual electronic commerce law forums were held. [8]
Legal research in this field is significant in two respects: first, it prepared the necessary theoretical basis on which to draft the new law; second, it, along with other events in China and abroad, created an atmosphere which propelled Chinese legislators to focus on this area. Initially, the heated debate caused several government agencies to initiate some electronic commerce research programs. [9] From that point it did not take much for this hot topic to attract attention from legislative bodies at all levels.
The first notable legislative attempt occurred in March 1999, when the National People’s Congress (NPC) enacted the new Contract Law. It is noteworthy because the law addresses some key legal issues arising from electronic commerce: it acknowledges the validity of data messages and sets the time and venue rules for them. [10] However, the Contract Law treats these issues in a rudimentary and highly simplified way and has limited practical application. [11] At the next NPC session, [12] another legislative proposal, entitled Prompting Chinese Electronic Commerce Legislation, invited attention from the public and legislature. However, there was no further legislative or regulatory action at the national level until 2004. During this period, efforts to accommodate electronic commerce’s legal challenges were mainly made at the provincial and departmental level. Below is an outline of these trials:
China’s earliest regulatory attempt was encompassed in the Draft Ordinance on Regulating the Certification Authorities, drafted by the Ministry of Information Industry (MII) in 1999. [13] Unfortunately, this draft was fruitless due to the subject matter’s complexity and jurisdictional overlap and conflict among government agencies.
Even in the absence of a sound legal framework, the provision of certification services, for such purposes as validating the identity of the senders of digitally signed electronic messages, has grown rapidly throughout China. [14] Cautious of certification services’ rapid growth, some local governments made attempts to regulate. Shanghai paved the way with measures on the supervision of digital certificates in December 1999, [15] followed by Hainan Province’s digital certificate rules in August 2001, and the Ordinance on Electronic Transactions, enacted by the Guangdong Provincial Congress, in December 2002. [16] What distinguishes the Guangdong ordinance is that it was the first attempt by a legislative body, albeit a local legislative body, to enact basic legislation that can be cited as authority in courts to remove electronic transaction barriers.
In 2003, after inadequacies had appeared in local regulations throughout China, [17] resulting in an eager industry and a concerned public, the Chinese central government finally began the legislative process to set basic, nationally applicable rules for electronic commerce. The Legislative Affairs Offices of the State Council, with help from a consulting board of leading experts in the field, drafted the Electronic Signatures Law. On August 28, 2004, it was presented to and adopted at the 11th session of the Standing Committee of the 10th National People’s Congress and became effective on April 1, 2005. [18] Undoubtedly this is China’s most significant progress in the electronic commerce field: it is the first law enacted by the national congress specifically for electronic transactions; it removes the main legal barriers to electronic transactions; it provides uniform rules applicable nationwide; and it promotes China’s confidence in companies, consumers, and governments that transact business online.

II. The Features of Chinese Electronic Signatures Law
In light of the Chinese Electronic Signatures Law’s overwhelming significance, it is important to understand the key issues encountered in its drafting, as well as the policy considerations that motivated the drafting effort. This not only helps us get an in-depth understanding of the new law, but also provides a background against which we can judge its merit and determine whether China needs prospective legislation to completely realize its underlying policy objectives.
A. Legislative Framework
The first issue the drafters confronted was what type of electronic business, or “e-business,” law China actually needed. This issue may be analyzed from three aspects: First, what is the scope of the proposed law? Should it govern all electronic transactions, regardless of whether they are governmental or commercial? Second, what should this law include? Should it be a basic, comprehensive law covering every aspect of electronic transactions, or should it be more concentrated, focusing only on critically important and urgent issues such as electronic signatures? And finally, what approach should drafters take to tackle the technical issues? Two very different approaches have been proposed in electronic commerce legislation abroad. One has been coined the “technology neutral” solution, while the other is the “technology specific” solution. Which model is more appropriate for China? Or is it possible to devise a third approach?
(i) Scope
The changes information technology made to commercial transactions in the early information era are stunning. IT’s booming performance in NASDAQ in the latter half of the 1990s dazzled the world. Many countries and international organizations, such as South Korea, the United Kingdom and the European Union, have specific laws for electronic commerce. China also sees an emerging opportunity in electronic commerce. Undoubtedly, in China, one of e-business legislation’s basic objectives is to promote electronic commerce and economic development.
But is that all? Information technology’s influence goes far beyond commerce, to almost every aspect of social, political and cultural life. In particular, technology has had (and will have) a significant impact on government administrative affairs. To keep up with this new trend, many countries have enacted more comprehensive electronic transactions laws with the ambitious aim to facilitate not only electronic commerce between private individuals, but also “e-administration”. Such laws define “transaction” broadly to cover both electronic commerce and e-administration issues. For instance, the Uniform Electronic Transactions Act in the United States defines “transaction” as “an action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs” [19].
Now it is the Chinese legislators’ turn to confront this issue: should the new law apply to governmental transactions? There are strong reasons for an affirmative response to this question. China’s e-administration development is at least as remarkable as, if not more remarkable than, that of electronic commerce. As early as 1985, China initiated the “Hainei Gongcheng” [In-home Project] to build an automated office environment within the central government. In a broad sense, that was China’s first step toward carrying out electronic administration. In the ensuing years, the central government issued a series of decrees to advance the automation project, ranging from pure computerization to network building. [20] In the 1990s, the e-administration practices achieved substantial progress. In March 1993, the State Council launched the “Golden Customs Project”. [21] Unlike earlier projects, which focused on automation inside the government, this project was devised mainly to provide services to the public and carry out supervisory affairs. [22] After this project, a series of “Golden Projects” started up, including the Golden Taxation Project, the Golden Finance Project, the Golden Audit Project, and the Golden Trade Project. [23] The Golden Customs Project is achieving remarkable success. On June 1, 2001, twelve central government departments cooperatively established the “China ePort” [24] to carry out export-import supervision online. Currently, the certification authority operating under the China ePort is China’s largest, with more than 900,000 importer and exporter subscribers. [25] This has had tremendous influence on China’s customs administration.
Even the judicial branch finds information technology a useful tool. It is reported that some courts have allowed electronic signatures as substitutes for traditional seals, especially in remote regions where judicial branches would otherwise have to go a long way to get the rulings sealed, since the seals are kept in the parental courts. [26]
Because of the lag time for legislation, the legal validity of data messages and electronic signatures was of initial concern. This concern has impeded e-administration. For example, the certification authority, operating under the China ePort program, has to enter into separate contracts with each of its 900,000 subscribers, requiring them to disclaim any possible right to deny the validity of data messages and electronic signatures.
Though it is undoubtedly necessary to establish e-administration’s legal validity, there is some discrepancy among lawmakers as to how to prescribe the specific rules applicable to e-administration. This is not difficult to understand, given China’s large territory and complex development situation; there is still a long way to go to establish e-administration nationwide. This immaturity is especially obvious in two respects.
First, is the government prepared? Or does the government have an appropriate infrastructure to support e-administration? Because of the uneven development situation in different regions, along with insufficient investment in information infrastructure, many government bodies, especially those in the western regions and those lower units in rural areas, still have no online “faces.” Even established government websites are not well prepared. In 2002 a report indicated that China’s e-administration is still in a rather underdeveloped stage. [27] Few government websites provide practical information and service to the public. Most government websites have problems, such as: little information, lack of interactive communications, impracticability, delayed update, inconvenient access, and so on. Such a situation could hardly meet the public’s expectations and the government’s administration requirements. [28]
The second aspect of China’s immaturity regarding e-administration is whether the public is prepared. Can Chinese citizens and businesses afford or support e-governments? The growth rate in the number of China’s Internet users may be high, but, when considered in light of the 1.3 billion population base nationwide, the percentage seems too small. A recent survey indicated that, as of July 1, 2004, China had only 87 million Internet users. [29] That means more than 93% of the Chinese population still has no Internet or e-government access.
One of the main differences between commercial and governmental affairs is that in a commercial transaction, parties have the autonomy to choose the form of their transaction, electronic or traditional. However, when handling governmental affairs, the government has the unilateral authority to order that the transaction be conducted in some form, and the other party or the subordinate government unit must obey. Though it is possible to require some highly homogeneous industries, such as the export-import industry, to practice in a uniform manner, it is hard to require all of society to do so. In legislating an act applicable nationwide, there must be a balance between the e-administration’s utility and the public’s rights. Therefore, both government and society’s abilities to support e-government will determine the extent to which, and the means by which, the e-government can be established. In this sense, China’s e-administration situation is much more complex than that in a state with a more developed information infrastructure or a smaller territory, where an information society could be built more easily, and the government could relatively easily require that certain actions be in some specific forms.
The result is a compromise that considers all these situations. The Electronic Signatures Law includes electronic transactions in commercial and civil contexts. [30] At the same time, it prescribes in the supplementary part that, “[t]he State Council or the departments and organs specified by the State Council may set specific rules, according to this law, on the use of electronic signatures and data messages in governmental affairs and other social affairs.” [31] From this provision we infer that governmental transactions could, generally speaking, be conducted in electronic forms. However, until we receive further detailed provisions, it is still unclear which fields of electronic governmental transactions can be accepted and how exactly to conduct them.
(ii) Content
E-business legislation has two main goals: to eliminate the existing legal barriers to e-business and to create a sound legal environment for e-business. We refer to the first goal as e-business’ core function because failure to eliminate barriers would completely impede e-business. To accomplish this function, the law should at least assure the legal validity of data messages, electronic signatures, and electronic contracts and also assure the admissibility and evidential weight of data messages. The latter goal is e-business law’s supporting function. Failure to create a sound legal environment for e-business would not totally impede e-business, but its success would help build participants’ confidence. To create a sound environment, the law may need to address such issues as consumer protection, personal data protection, and intermediary service provider liability.
Some laws concentrate on the core function. The UNCITRAL Model Law on Electronic Commerce (“1996 UN Model Law”), for example, provides how to accomplish the core function. [32] It provides for legally recognizing data messages; fulfilling the electronic context of the legal requirements of writing, signing, retaining the original; and the admissibility and weight of data messages, etc. [33] If the UNCITRAL Model Law omitted any of these provisions, the legal status of electronic transactions would be uncertain, thus creating barriers to electronic commerce. However, the 1996 UN Model Law is relatively silent on building a sound supporting environment. Many countries and territorial entities, such as Singapore, South Korea, Chinese Taiwan, and Hong Kong Special Administrative Region of China, follow its solution for the core issues, but go further. Singapore’s Electronic Transactions Act has provisions on network service provider liability; the Korean Basic Law for Electronic Commerce prescribes consumer protection. Some international organizations have made special proposals for structures supporting a sound environment for e-business. For instance, the Organization for Economic Cooperation and Development (“OECD”) has proposed special guidelines for consumer protection in the electronic context, [34] and the European Union has enacted a directive on personal data protection. [35]
Partly due to the complexity and difficulty in drafting a comprehensive electronic commerce enactment, most regulations at China’s local level only attempt to solve some of electronic commerce’s core issues. They mostly focus on electronic signatures’ legal validity, especially digital signatures, and accordingly provide for supervising certification service providers. At the same time, there are more ambitious attempts at regulation. [36]
The Electronic Signatures Law Bill’s initial draft focused only on electronic signatures issues. There was a debate on whether or not to solve problems other than electronic signatures. However, given that it was China’s first attempt to legislate specifically in this field, all agreed that, at minimum, the new law should include data messaging rules. There was no consensus on whether to make further provisions for issues such as consumer protection, personal data protection, and intermediary service provider liability. The prevailing opinion was that it was too difficult and time-consuming to provide for these extensive issues. Additionally, since the most urgent pressures arose from using electronic signatures and data messages in commerce, it was decided that the new law should concentrate on these two issues. As a result, the Chinese Electronic Signatures Law is composed primarily of the 1996 UN Model Law provisions, supplemented by the UNCITRAL Model Law on Electronic Signatures. The law recognizes the legal validity of data messages, electronic signatures, and electronic contracts, and assures the admissibility and evidential weight of data messages. It also provides for attributing data messages; acknowledging receipt, time, and place of dispatch; receiving data messages; and supervising certification service.
In view of this legislative history, one can see that the odd title of this law, referencing “electronic signatures,” is slightly misleading; the law itself is somewhat more comprehensive as a result of its evolution over time and the debate over its scope.
(iii) Legislative Model: Tackling of Technical Issues
Electronic transactions are rooted in the ever-changing environment of information technology. Inevitably, the legal and technical aspects of electronic transactions are closely intertwined. Naturally, effective e-business legislation should confront these technical issues. However, in some sense, there is tension: the laws are built for order and certainty over a relatively long period of time, but the technology is advancing and changing daily. One of the key issues in e-business legislation is how to deal with this tension.
Early legislators, advocating e-business legislation, identified two models for tackling technical issues. One is the so-called “technology-specific” model, which was typically illustrated by one of the earliest e-business laws, the Utah Digital Signature Act, and dealt with a specific technology: digital signatures. [37] The other more popular approach is called the “technology-neutral” model. Many countries, including the United States (at the federal level), advocate and abide by this model. [38]
Technology-specific solutions bring more certainty and security to transactions. In that regard, they should be encouraged. When dealing with a specific technology, one can determine with a fair degree of certainty, based upon the applicable legislation, what rules apply. The legal issue, however, is whether legislation should mandate or enshrine a particular technological solution. This approach has several obvious disadvantages. First, it has less flexibility and thus may be unable to accommodate differing transactions that may require different levels of security and different technologies. Second, mandating or enshrining some currently advanced technique may discourage or discriminate against emerging techniques that would otherwise succeed. [39] Third, what may be an adequate technical solution today may cease to be adequate with advances in information technologies tomorrow. [40]
On the other hand, a technology-neutral solution gives adequate consideration to a variety of transactions and accommodates all kinds of techniques. However, it lacks certainty and security. For example, the 1996 UN Model Law provides that a legal requirement for a person’s signature is met if:
(a) a method is used to identify that person and to indicate that person’s approval of the information contained in the data message; and
(b) that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement. [41]
This provision is inadequate in that it does not supply any objective standard for determining the method’s reliability, as the technology-specific solution does. One could not expect a definite conclusion on the method’s reliability until a court gives its ruling, after considering the method “in the light of all the circumstances, including any relevant agreement”. [42]
Is there a third way that combines the advantages of both solutions while avoiding either disadvantage? In this respect, Singapore and the European Union’s efforts are especially relevant. The Singapore Act deals with electronic signatures’ legal validity at three levels. At the first level, it provides, in a rather neutral way, that:
(1) Where a rule of law requires a signature, or provides for certain consequences if a document is not signed, an electronic signature satisfies that rule of law.
(2) An electronic signature may be proved in any manner, including by showing that a procedure existed by which it is necessary for a party, in order to proceed further with a transaction, to have executed a symbol or security procedure for the purpose of verifying that an electronic record is that of such party. [43]
No specific technique is required here. Most usual signature techniques will get legal recognition under this provision, if they fall under the rather broad definition of “electronic signature”. [44]
At the second level, the Singapore Act recognizes “secure electronic signatures”:
If, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, it can be verified that an electronic signature was, at the time it was made —
a. unique to the person using it;
b. capable of identifying such person;
c. created in a manner or using a means under the sole control of the person using it; and
d. linked to the electronic record to which it relates in a manner such that if the record was changed the electronic signature would be invalidated, such signature shall be treated as a secure electronic signature. [45]
This section still does not call for any specific technique, but it does identify some technical properties that such techniques may possess. Obviously, not all electronic signatures can satisfy these requirements. In this sense, it is more specific than the first level’s requirements. Accordingly, these “secure electronic signatures” enjoy a more favorable presumption [46] about their validity than do ordinary electronic signatures, and thus enjoy a more certain position in the law.
At the third level, the Singapore Act distinguishes a specific technique among those secure electronic signatures, known as the “secure digital signature”. [47] This section does not just identify some technical properties that a technique must possess; it specifies the technique itself. [48]
In Singapore’s case, the legal certainty of an electronic signature varies with its specific technical properties. Through this three-level mechanism, it achieves both certainty and flexibility.
In some ways this new trend also can be found in UNCITRAL Model Law on Electronic Signatures (hereinafter referred to as the “2002 UN Model Law”). [49] While reiterating [50] the flexible criterion set forth in the 1996 UN Model Law [51], the 2002 UN Model Law introduces a new paragraph [52] with a view to adding certainty to operating that flexible criterion. It even allows the enacting state to specify which techniques satisfy the reliability test prescribed in this law. [53] Thus it establishes two distinct regimes, the first of which is a broader one described in 1996 UN Model Law’s neutral language, and the second of which is a narrower and more specific one, bringing certainty to the users of such electronic signature techniques before they actually use the electronic signature techniques. Therefore, the 2002 UN Model Law “establish[es] a mechanism through which electronic signatures that meet objective criteria of technical reliability can be made to benefit from early determination as to their legal effectiveness.” [54]
From the 1996 UN Model Law to the 2002 UN Model Law, there has been an evolution in thinking about how to tackle the technical issues. Chinese legislators have noticed this attractive new trend. They adopted an approach similar to that reflected in the 2002 UN Model Law, to strike a balance between legal certainty and technical and transactional flexibility. It appears in a three-tier provision:
First, all reliable electronic signatures are as effective in law as hand-written signatures and seals. [55] Second, an electronic signature is considered to be reliable if: (a) the signature creation data are, when they are used to create the electronic signature, linked solely to the signatory; (b) the signature creation data were, at the time of signing, under the sole control of the signatory; (c) any alteration to the electronic signature, made after the time of signing, is detectable; and (d) any alteration made to the content and form of the data message, to which the electronic signature relates, after the time of signing, is detectable. [56] Third, parties to a transaction may determine to use an electronic signature that conforms to the agreed terms and conditions of reliability. [57] Unlike the 2002 UN Model Law, however, the Chinese law does not authorize any other person, organ or authority, whether public or private, to determine whether an electronic signature satisfies the requirements mentioned in the second point.

B. Reliability of Certification Service Providers

In addition to concerns about the legal validity of electronic transactions, another concern that perplexes many online businesses is the issue of trust. People conducting business in an open network, such as the Internet (as opposed to those doing business in a closed or contained environment), may not be able to establish the necessary trust between the parties. If there were no trust that the transactions would be completed as anticipated, there would be few transactions, even if the legal validity were no longer a problem. In light of this, it is understandable that certification service providers (“CSPs”) play an imperative intermediary role in some transactions. Certification services are available to provide assurances to the players in electronic commerce that the messages they receive and rely upon in entering into transactions come from a dependable source. Therefore the issue of how to ensure the reliability of CSPs is worthy of lawmakers’ attention. On this point three regimes are proposed:

(i) Market Access Control

One method used to guarantee the reliability of businesses, or to keep the market order “normal”, is market access control. According to this solution, every market player must get approval from (or be licensed by) the government before carrying out business. It is assumed that, by this prior inspection, the government is able to filter out those “unqualified” candidates and thus safeguard the market order. Today, the idea of prior inspection and authorization is still popular in China, especially inside the government departments.
But this traditional solution has been challenged in China. More and more people realize that no one can guarantee the capability or the reliability of a governmental bureaucracy that is performing this duty; and no one could properly predict the quality of a business in its future operation after a license or approval has been obtained. If under the prior authorization regime the regulators could neither properly judge the merits of a market candidate, nor ensure the lawful operation of a market player afterward, then the regime is useless. Moreover, it is frequently reported that the prior authorization regime has caused serious rent-seeking corruption and low efficiency. In this context, the central government has announced its intent to reform the omnipresent prior authorization regimes. [58] In 2000, it formally launched a campaign to review all existing license regimes. Up to 4,159 license requirements were removed as a result of preliminary efforts by 2002. [59] In August 2003, the Standing Committee of the Tenth National People’s Congress of China adopted the Administrative License Law to “regulate the establishment and carrying out of administrative license regime.” [60]
The tension between the desire to regulate and the trend against licensing or approval schemes was encountered in the preparation of the Electronic Signature Law Bill. Those advocating free access for certification services got strong support from the newly adopted Administrative License Law and from the practices in influential market economies such as the European Union, the U.S., and Singapore, where prior authorization is not a necessary condition for the business of certification services, or is even prohibited. Nevertheless, those who insisted on prior authorization prevailed. They argued that the CSP provides basic trust services to the public, which involve important public interests, and needs strict scrutiny. Additionally, they argued that the Chinese market economy system is still not mature and that business credit and trust are not yet well established, so it is impractical to build CSPs’ reliability solely through a market mechanism. Thirdly, China has a long tradition of centrally planned economic development, under which Chinese look to the government for guidance; therefore prior authorization from government could help establish the necessary trust relationship for electronic transactions.
The Ministry of Information Industry is responsible for issuing prior authorizations for CSPs, after consulting the Ministry of Commerce and other relevant departments. A certification service provider is required to satisfy the following criteria to qualify for a license:
(a) To have competent technical personnel and management who are suited to providing certification services;
(b) To have the necessary financial resources and domicile suited to providing certification services;
(c) To have techniques and equipment that conform to the state security standard;
(d) To have obtained the license issued by the state cryptography authority authorizing the use of cryptography; and
(e) To conform to other requirements prescribed by laws and administrative regulations.

(ii) Supervision of Certification Service Providers’ Practices

Whether or not there is a prior authorization regime, it is necessary to establish an effective mechanism to regulate CSPs’ practices. What is of utmost importance in this regime is to require CSPs to disclose their business practices. No technique, procedure or measure is absolutely reliable for all kinds of transactions. Reliability can only be properly evaluated in the light of the specific circumstances of particular transactions. Therefore the parties to a transaction are in the best position to evaluate reliability, provided they possess adequate information about their certification service provider. To give the parties the necessary information, CSPs must disclose their business practices so that relying parties can reasonably make judgments concerning the reliability of the certificate. Such information is usually disclosed in the so-called “certification practice statement” used by many providers. There are already some relatively mature standards for the disclosure of certification practices. [61]
According to the Chinese Electronic Signatures Law, CSPs shall comply with five requirements. First, they shall prepare and make public their certification practice statements according to the applicable specifications promulgated by the competent authority. The statements shall include provisions regarding the apportionment of liability, operational procedures and measures to safeguard the security of the information system. These statements must be filed with the Ministry of Information Industry. The CSPs must abide by their certification practice statements. Violation of the statements may incur revocation of the service provision license, and those directly responsible for the violation are prohibited from providing certification services for 10 years. Second, the CSPs have a statutory obligation to authenticate a certificate applicant and verify other relevant materials prior to certificate issuance. Third, a certificate is required to include the names of the service provider and the subscriber, its serial number, the period of validity, the signature verification data, the electronic signature of the service provider, and other information that the Ministry of Information Industry requires to be disclosed. The service providers have obligations to ensure the accuracy and completeness of all representations made in the certificate throughout its period of validity, and to provide appropriate means to enable a relying party to ascertain or verify the information represented in the certificate and other relevant information. Fourth, the CSPs have the obligation to ensure the continuity of their services. In case of suspending or terminating service, the service provider shall make appropriate arrangements with other service providers as to the continuity of services, and shall notify all relevant parties of the arrangements and other relevant matters 90 days prior to the suspension or termination. In addition, it shall report to the Ministry of Information Industry 60 days prior to such suspension or termination. If no arrangement is reached, the service provider shall apply to the Ministry of Information Industry to assign other service providers to succeed to its service. Finally, the CSPs shall carefully retain the certification-related materials for at least five years from the expiration of the certificate.
Because effective regulation requires more detailed rules, the law authorizes the Ministry of Information Industry to lay down specific rules to regulate certification services. There are several good studies abroad on appropriate practices and legislation in these areas. [62] They are good examples for the Chinese authorities in preparing further provisions.

(iii) Liability Regime

Perhaps the most effective way to guarantee the reliability of the CSP is to establish a comprehensive liability regime applicable to CSPs. An effective liability regime will encourage CSPs’ self-regulation, and thus do more than a prior authorization regime to ensure the reliability.
Unfortunately, practices in various states are far from uniform. For example, the liability regime in the United Kingdom is different from that in Germany [63], and neither is exactly the same as that provided in the European Union directive. In the United States, it is theorized that there are four possible different tests as to the CSP’s liability to relying parties. [64]
The key question here is, “To whom does the CSP owe a duty of care?” Some scholars advocate that CSPs are part of a profession like lawyers and public accountants; therefore CSPs owe a duty of care to all the parties who rely on their certificates (whether or not there is privity between them). [65] However, in many countries, such as the European Union member states, unqualified certificates disclaiming liability to relying parties are not prohibited. [66] The result of such an approach is that CSPs issuing such unqualified certificates (and routinely disclaiming liability) do not look like professionals such as lawyers or accountants at all. Rather, CSPs begin to look more like common businesses: they assume no special professional duty to the public as a whole (except those prescribed in their certification practice statements in a particular transaction). They are under no obligation to guarantee the reliability of their certificates to those with whom there is no privity. If such an approach is adopted, then the only way to analyze CSP liability is within the context of the issuer’s certification practice statements. [67]
The Chinese approach on this issue can be analyzed along two lines of inquiry: first, to whom the certification service providers would be liable; and second, in what cases such liability arises. According to the Electronic Signatures Law, CSPs owe a duty of care to any subscribers or people who rely on their services, and subscribers and relying parties can claim damages if such reliance causes them damage. The CSP is liable even where there is no proof that its actions were negligent, unless it can prove that in fact it was not negligent.
