Updated: Friday November 20, 2009/AlJumaa Thoul Hijjah 03, 1430/Sukravara Karthika 29, 1931, at 02:49:01 PM
The Electronic Transactions’ Ordinance, 2002
AN ORDINANCE to recognize and facilitate
documents, records, information, communications and transactions
in electronic form, and to provide for the accreditation of certification service providers.
WHEREAS it is expedient to provide for the recognition and facilitation of documents, records, information, communications and transactions in electronic form, accreditation of certification service providers, and for matters connected therewith and ancillary thereto;
The electronic communication is now a part of commercial transactions. Such transactions are to be protected by the law. In order to meet such objectives and to provide recognition and facilitation of documents, records, information, communications and transactions in electronic form and to regulate the functions of accredited certificate service providers; Electronic Transaction Ordinance, 2002 was promulgated.
AND WHEREAS the President is satisfied that circumstances exist which render it necessary to take immediate action;
NOW, THEREFORE, in pursuance of the Proclamation of Emergency of the fourteenth day of October, 1999, and the Provisional Constitution Order No. 1 of 1999, read with the Provisional Constitution (Amendment) Order No. 9 of 1999, and in exercise of all powers enabling him in that behalf the President of the Islamic Republic of Pakistan is pleased to make and promulgate the following Ordinance:---
1. Short title, extent and commencement:--- (1) This Ordinance may be called the Electronic Transactions’ Ordinance, 2002.
(2) It extends
to the whole of
(3) It shall come into force at once.
Comments on Section 1:
The Ordinance was promulgated by the President of
Pakistan and published in the Official Gazette vide F-No. 2(I)/2002 – Pub on 11th
September, 2002. It came into force with effect on the same date i.e. 11th
2. Definitions: -- (1) In this Ordinance, unless there is anything repugnant in the subject or context,—
(a) “Accreditation certificate” means a certificate granted by the Certification Council to a Certification Service Provider.
(b) “Certification Council” means the Electronic Certification Accreditation Council established under Section 18;
(c) “Accredited Certification Service Provider” means a Certification Service Provider accredited under this Ordinance to issue certificates for the use of its cryptography services;
(d) “addressee” means the person intended by the originator to receive the electronic communication but does not include an intermediary;
(e) “advanced electronic signature” means an electronic signature which is either—
(i) unique to the person signing it, capable of ident ifying such person, created in a manner or using a means under the sole control of the person using it, and attached to the electronic document to which it relates in a manner that any subsequent change in the electronic document is detectable ; or
(ii) provided by an accredited certification service provider and accredited by the Certification Council as being capable of establishing authenticity and integrity of an electronic document;
(f) “appropriate authority” means,---
(i) in relation to items contained in the Federal Legislative List of the Constitution of the Islamic Republic of Pakistan, 1973, the Federal Legislature or Federal Government;
(ii) in relation to items contained in the Concurrent Legislative List of the Constitution of the Islamic Republic of Pakistan, 1973, for which a Federal law is in force, the Federal Legislature or Federal Government, and, in all other cases, respective Provincial Legislature or Provincial Government;
(iii) in relation to the functions of the Federal Government or respective Provincial Governments being discharged by a statutory body, that statutory body ; and
(iv) in relation to matters in respect whereof the Supreme Court or the High Courts are empowered to make rules for the regulation of their proceedings, the Supreme Court or High Court, as the case may be.
(g) “authority” means, in relation to an electronic document or electronic signature, the identification of and attribution to a particular person or information system;
(h) “automated” means without active human intervention;
(i) “certificate” means a certificate issued by a Certification Service Provider for the purpose of confirming the authenticity or integrity or both, of the information contained therein, of an electronic document or of an electronic signature in respect of which it is issued;
(j) “certification practice statement”, means the statement prepared by a certification service provider specifying the practices it employs in relation to the issuance of certificates and matters connected therewith;
(k) “cryptography services” means services in relation to the transformation of contents of an electronic document from its original form to one that cannot be understood or decoded by any unauthorized person;
(1) “electronic” includes electrical, digital, magnetic, optical, biometric, electro-chemical, wireless or electromagnetic technology;
(m) “electronic document” includes documents, records, information, communications or transactions in electronic form;
(n) “electronic signature” means any letters, numbers, symbols, images, characters or any combination thereof in electronic form, applied to, incorporated in or associated with an electronic document, with the intention of authenticating or approving the same, in order to establish authenticity or integrity, or both;
(o) “information” includes text, message, data, voice, sound, database, video, signals, software, computer programs, codes including object code and source code;
(p) “information system” means an electronic system for creating, generating, sending, receiving, storing, reproducing, displaying, recording or processing information.
(q) “integrity” means, in relation to an electronic document, electronic signature or advanced electronic signature, the electronic document, electronic signature or advanced electronic signature that has not been tampered with, altered or modified since a particular point in time;
(r) “intermediary” means a person acting as a service provider in relation to the sending, receiving, storing or processing of the electronic communication or the provision of other services in relation to it;
(s) “network service provider” means a person who owns, possesses, operates, manages or controls a public switched network or provides telecommunication services;
(t) “originator”, means a person by whom, or on whose behalf, electronic document purports to have been generated or sent prior to receipt or storage, if any, but does not include an intermediary;
(u) “person” includes an individual, appropriate authority, trust, waqf, association, statutory body, firm, company including joint venture or consortium, or any other entity whether registered or not;
(v) “prescribed” means prescribed by rules made under this Ordinance;
(w) “repository” means an information system for storing and retrieving certificates or other information related thereto established under section 23;
(x) “security procedure” means a procedure which :
(i) is agreed between parties;
(ii) is implemented in the normal course by a business and which is reasonably secure and reliable ; or
(iii) in relation to a certificate issued by a certification service provider, is specified in its certification practice statement;
for establishing the authenticity or integrity, or both, of any electronic document, which may require the use of algorithms or codes,. identifying words and numbers, encryption, answer back or acknowledgment procedures, software, hardware or similar security devices;
(y) “subscriber” means a person who subscribes to the services of a certification service provider;
(z) “transaction” means an act or series of acts in relation to creation or performance of rights and obligations;
(aa) “valid accreditation certificate” means an accreditation certificate which has not been suspended or revoked.
Comments on Section 2:
This section deals with various terminologies used in the Ordinance. Most of the terms used are defined with the phrase ‘means’ and therefore, they are restricted to the meaning given in the Ordinance.
Just like conventional signatures identify a person or entity signing a document, ‘Electronic Signature [2(n)]’recognizes the signer of a document electronically signed. Each electronic signature stocks information about the signer and about the exact state of the document when it was electronically signed (also digitally signed). When a person views a signed document, he can authenticate the signature to verify the identity of the signer and to confirm that the document has not been intercepted or altered by any intervener after it was electronically signed by the signer. By adding an electronic signature to a document, the signer intended to attest the document in its present form.
electronic signature may be a handwritten name, a logo or other graphic of an
establishment, or text. The particular appearance of a signature is determined by
the certificate service provider. Some certificate service providers also allow
a signature to be invisible. (It is important to note that the appearance of a
signature is just its representation on the page and is not the actual
electronic signature information). An electronic signature may be (i) Text
signature [e.g. Name] (ii) Graphic signature [e.g. a company logo] (iii)
Handwritten name signature [an image file/scanned signature].
In the Ordinance, two types of electronic signatures are defined. One is simply; ‘electronic signature’ and another is ‘Advanced Electronic Signature [2(e)]’. In advanced electronic signatures there is a third party to whom both the parties trust. This trusted third party is the Certification Service Providers who is entrusted with the responsibility of verifying the sender’s identity. An ‘Accredited Certification Service Providers [2(c)]’is one who holds a valid ‘Accreditation Certificate [2(a)]’ issued by the ‘Certification Council [2(b)]’ under section 24 of the Ordinance. The sender/originator first registers with the certification authority for an electronic identity. This electronic identity takes the form of an electronic signature issued to the sender/originator by a certification service provider. Such identity is only known to the sender/originator. The sender/originator affixes with the message such unique signature as electronic signature. When the message is received by the recipient/addressee, the recipient/addressee checks such signatures from a trusted certification authority or a trusted ‘repository [2(w)]’’ (information storage house established and managed by Certification Council under section 23 of the Ordinance) to check the sender’s/originator’s real identity.
The meanings of the following terms are enlarged:- (i) Electronic [2(l)] (ii) Electronic Document [2(m)] (iii) Information [2(o)]: The meanings of these terms are enlarged so as to meet the requirements of the Ordinance as well as the changing technology. (iv) Person [2(u)]: In the Ordinance the meaning of the person is enlarged by including appropriate authority, trust, wakf, association, statutory body, firms, company incorporated under law, joint venture, consortium or any entity such as un-registered firm or a group of person whether such entity is registered under the law or not.
RECOGNITION AND PRESUMPTION
3. Legal recognition of electronic forms:--- No document, record, information, communication or transaction shall be denied legal recognition, admissibility, effect, validity, proof or enforceability on the ground that it is in electronic form and has not been attested by any witness.
Comments on Section 3:
This section makes document, record, information, communication or transaction in electronic form as legal and admissible evidence. Under this provision of law, electronic documents and transactions etc. are made admissible, valid proof and such documents cannot be denied as proof on the ground that such electronic documents etc. have not been attested by any witness. It means that electronic records etc. and traditional documents both are equal in the eyes of law. The condition of attestation by any witness, so far as the electronic documents are concerned, if required under any law is waived under this provision.
4. Requirement for writing:-- The requirement under any law for any document, record, information, communication or transaction to be in written form shall be deemed satisfied where the document, record, information, communication or transaction is in electronic form, if the same is accessible so as to be usable for subsequent reference.
Comments on Section 4:
This section clarifies that where under a provision of a law, documents, records etc. is to be presented or retained in written form, same can be written or stored in electronic form as long as the stored information can be subsequently retrieved. The effect of this section is that an electronic record can be used as a legally recognizable substitute for a document in writing. The person storing such information in electronic form shall be excused from the consequences of not presenting, storing information in writing. E.g. Insurance policies are to be in writing; however, same can be stored in electronic form subject to the Ordinance.
5. Requirement for original form:-- (1) The requirement under any law for any document, record, information, communication or transaction to be presented or retained in its original form shall be deemed satisfied by presenting or retaining the same if:---
(a) there exists a reliable assurance as to the integrity thereof from the time when it was first generated in its final form ; and
(b) it is required that the presentation thereof is capable of being displayed in a legible form.
(2) For the purposes of clause (a) of sub-section (1);
(a) the criterion for assessing the integrity of the document, record, information, communication or transaction is whether the same has remained complete and unaltered, apart from the addition of any endorsement or any change which arises in the normal course of communication, storage or display ; and
(b) the standard for reliability of the assurance shall be assessed having regard to the purpose for which the document, record, information, communication or transaction was generated and all other relevant circumstances.
Comments on Section 5:
The requirement of filing or retaining documents etc. in original form under any law is deemed to be satisfied if such documents etc. are filed or retained in electronic form on the condition that there exist reliable assurance as to the integrity of such documents etc. and such documents are capable of being displayed in legible form. The integrity would be assessed on the standard that whether the document is tampered or not. The standard for reliability of assurance would be assessed keeping in consideration the purpose for which the document is generated and all other relevant circumstances. This section therefore, allows and accepts electronic filing of documents. For instance the condition of filing of original income tax return to the Income Tax Department can be now fulfilled by electronic filing of return but for that purpose the Income Tax authorities have to specify the manner and format in which such electronic records be submitted, created, retained or issued. See also section 16 of this Ordinance.
6. Requirement for retention:-- The requirement under any law that certain document, record, information, communication or transaction be retained shall be deemed satisfied by retaining it in electronic form if:---
(a) the contents of the document, record, information, communication or transaction remain accessible so as to be usable for subsequent reference;
(b) the contents and form of the document, record, information, communication or transaction are as originally generated, sent or received, or can be demonstrated to represent accurately the contents and form in which it was originally generated, sent or received; and
(c) such document, record, information, communication or transaction, if any, as enables the identification of the origin and destination of document, record, information, communication or transaction and the date and time when it was generated, sent or received, is retained.
Comments on Section 6:
Certain laws provide that records, documents or information are to be retained for a particular period. The retention of records, documents etc. also may be required due to various accounting, secretarial or reporting requirements. Traditionally such documents, records etc. are kept in writing on papers. This section allows retaining of such documents, records, information, etc. in electronic form so far as the said documents, records etc. are usable. However, to prevent cases of fabrication, falsification or alteration to these electronic records, the retention of these records is subject to certain conditions stated therein the section, such as ensuring that the electronic record accurately represents the original information and that information regarding identification such as origin, destination, date and time of the documents are retained. For instance Sales Tax law requires books of accounts, registers, etc to be maintained by the tax payers. A tax payer now may maintain such accounts etc in electronic form. However, the conditions as set out in the section must be complied with.
7. Legal recognition of electronic signatures:-- The requirement under any law for affixation of signatures shall be deemed satisfied where electronic signatures or advanced electronic signature are applied.
Comments on Section 7:
A question would arise that, how the author of a document signs the document in an electronic environment and whether electronic signatures will be given legal recognition? This section has clarified such doubts. Under this provision of the Ordinance, the electronic signature or advanced electronic signature shall deem to satisfy the provision of any law that requires a signature.
8. Proof of electronic signature:-- An electronic signature may be proved in any manner, in order to verify that the electronic document is of the person that has executed it with the intention and for the purpose of verifying its authenticity or integrity or both.
Comments on Section 8:
The concept of signatures is now very wide. It is not confined to traditional handwritten signatures. Facsimile signatures are commonly used by businessmen. The concept of company seal is also very familiar. This section is a logical extension of the same concepts into the electronic environment. The section states that any electronic sign used by a person with the intention of authenticating the record shall be a signature for the purpose of authenticity of the document. Such electronic signature may be proved in any manner under the Qanun-e-Shahadat Order, 1984 to verify such electronic signature.
9. Presumption relating to advanced electronic signature:-- In any proceedings, involving an advanced electronic signature, it shall be presumed unless evidence to contrary is adduced, that,---
(a) the electronic document affixed with an advanced electronic signature, as is the subject-matter of or identified in a valid accreditation certificate is authentic and has integrity; or
(b) the advanced electronic signature is the signature of the person to whom it correlates, the advanced electronic signature was affixed by that person with the intention of signing or approving the electronic document and the electronic document has not been altered since that point in time.
Comments on Section 9:
See section 2(e) for the definition of “advanced electronic signature”. If a document is affixed with an advanced electronic signature, it shall be presumed that the signature is that of the signatory and that the signatory applied his signature to authenticate the record. The presumption will be that the advanced electronic signature identified by a valid accreditation certificate is authentic. It shall also be presumed that such advanced electronic signature was affixed by the originator. It shall also be presumed that such document has not been altered from the time such document was signed and sent. However, the signatory/or any one else may prove contrary to the presumption by adducing evidence.
10. Stamp Duty:-- Notwithstanding anything contained in the Stamp Act, 1899 (II of 1899), for a period of two years from the date of commencement of this Ordinance or till the time the Provincial Governments devise and implement appropriate measures for payment and recovery of stamp duty through electronic means, whichever is later, stamp duty shall not be payable in respect of any instrument executed in electronic form.
Comments on Section 10:
Under the Stamp Act, 1899 certain documents and instruments are to be stamped i.e stamp duty is to be paid and affixed on certain documents. (See section 3 and Schedule 1 of the Stamp Act, 1899). Stamp duty however, is not payable on instruments executed in electronic form, for the period setout in the section. Note that the Ordinance is not applicable on certain documents mentioned in section 31 and therefore, those documents are to be duly signed and stamped.
11. Attestation and notarization:-- Notwithstanding anything contained in any law for the time being in force, no electronic document shall require attestation and notarization for a period of two years from the date of commencement of this Ordinance or till the time the appropriate authority devise and implement measures for attestation and notarization of electronic ocuments, whichever is later.
Comments on Section 11:
Under various enactments certain documents require attestation and notarization. Under this section such requirements, so far as electronic documents are concerned, are exempt from attestation and notarization for a period of two years from the date the Ordinance came into force or till such time the appropriate authority develop and implement measures for attestation and notarization of electronic documents, whichever is later.
12. Certified copies:-- Where any law requires or permits the production of certified copies of any records, such requirement or permission shall extend to printouts or other forms of display of electronic documents where, in addition to fulfillment of the requirements as may be specified in such law relating to certification, it is verified in the manner laid down by the appropriate authority.
Comments on Section 12:
Qanun-e-Shahadat Order, 1984 and certain other laws permit production of certified copies. There is always a presumption that such certified copies are genuine. Under this section such permission is extended to printout or other forms of electronic documents etc. Electronic documents in addition to fulfillment of the requirement as specified in such law are also to be verified in the manner that may be laid down by the appropriate authority.
13. Attribution of communications:-- (1) Unless otherwise agreed as between an originator and the addressee, an electronic communication shall be deemed to be that of the originator if it was sent:---
(a) by the originator himself;
(b) by a person who had the authority to act for and on behalf of the originator in respect of that electronic communication; or
(c) by an automated information system programmed by, or on behalf of the originator.
(2) Unless otherwise agreed as between the originator and the addressee, the addressee is to regard an electronic communication as being that of the originator, and is entitled to act on that assumption if:
(a) the addressee has no reason to suspect the authenticity of the electronic communication; or
(b) there do not exist any circumstances where the addressee knows, or ought to have known by exercising reasonable care, that the electronic communication was not authentic.
14. Acknowledgment of receipt:-- (1) Unless otherwise agreed where the originator has stated that the electronic communication is conditional on receipt of acknowledgment, the electronic communication is treated as though it has never been sent, until the acknowledgment is received.
(2) Where the originator has not agreed with the addressee that the acknowledgment be given in a particular form or by a particular method, an acknowledgment may be given by:---
(a) any communication, automated or otherwise, by the addressee ; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the electronic communication is received.
15. Time and place of dispatch and receipt of electronic communication:-- (l) Unless otherwise agreed between the originator and the addressee, the dispatch of an electronic communication occurs when it enters an information system outside the control of the originator.
(2) Unless otherwise agreed between the originator and the addressee, or unless proved otherwise, the time of receipt of an electronic communication is determined as follows:---
(a) if the addressee has designated an information system for the purpose of receiving the electronic communication, receipt occurs:.(i) at the time when the electronic communication enters the designated information system ; or
(ii) if the electronic communication is sent to an information system of the addressee that is not the designated information system, at the time when the electronic communication is retrieved by the addressee;
(b) if the addressee has not designated an information system, receipt occurs when the electronic communication enters and information system of the addressee.
(3) Sub-section (2) applies notwithstanding that the place where the information system is located may be different from the place where the electronic communication is deemed to be received under subsection (4).
(4) Unless otherwise agreed between the originator and the addressee, an electronic communication is deemed to be dispatched at the place where originator ordinarily resides or has his place of business, and is deemed to be received at the place where the addressee ordinarily resides or has his place of business.
(5) For the purpose of this section:---
(a) if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction or, where there is no underlying transaction, the principal place of business ;
(b) if the originator or the addressee does not have a place of business, reference is to be made to the usual place of residence ; and
(c) “usual place of residence” in relation to a body corporate, means the place where it is incorporated or otherwise legally constituted.
16. Electronic documentation of appropriate authority.(1) Nothing contained hereinbefore shall confer a right upon any person that any appropriate authority should accept, issue, create, retain, preserve any document in electronic form or effect monetary transaction in electronic form.
(2) Any appropriate authority pursuant to any law or procedure.
(a) accepts the filing of documents, or requires that documents be created or retained;
(b) issues any permit, certificate, licence or approval; or
(c) provides for the method and manner of payment, procurement or transaction may notwithstanding anything contained to the contrary in such law or procedure:
(i) accept the filing of such documents, or creation or retention of such documents in the form of electronic documents;
(ii) issue such permits, certificate, licence or approval in the form of electronic document; or
(iii) make such payment, procurement or transaction in electronic form.
(3) In any case where an appropriate authority decides to perform any of the functions in clause (1) (i), (ii) and (iii) of sub-section (2) may specify:---
(a) the manner and format in which such electronic documents shall be filed, created, retained or issued;
(b) when such electronic documents has to be signed, the type of electronic signature, advanced electronic signature or a security procedure required;
(c) the manner and format in which such signature shall be affixed to the electronic document, and the identity of or criteria that shall be met by any certification service provider used by the person filing the document;
(d) control process and procedures as appropriate to ensure adequate integrity, security and confidentiality of electronic documents, procurement, transactions or payments; and
(e) any other required attributes for electronic documents or payments that are currently specified for corresponding paper documents.
CERTIFICATION SERVICE PROVIDERS
17. Certification Service Providers. (1) Nothing in this Ordinance shall impede or in any way restrict the rights of any certificate service provider to engage in the business of providing certification services without being accredited.
(2) No person shall hold himself out as an accredited certification service provider unless he holds a valid accreditation certificate issued under section 24 by the Certification Council.
18. Establishment of the Certification Council:-- (1) Within sixty days of the promulgation of this Ordinance, the Federal Government shall, by notification in the official Gazette, constitute an Certification Council to be known as Electronic Certification Accreditation Council.
(2) The Certification Council shall be a body corporate with perpetual succession and a common seal, and shall by the said name sue or be sued.
(3) The Certification Council shall comprise of five members, with four members from the private sector. One of the Members shall be designated as the chairman.
(4) The members of the Certification Council shall be appointed by the Federal Government for a term of three years and shall be eligible for reappointment once for an equal term after the expiry of their first term of appointment.
(5) No act or proceeding of the Certification Council shall be invalid by reason only of the existence of any vacancy among its members or any defect in its constitution discovered after such act or proceeding of the Certification Council..
(6) Except for the grant, renewal, revocation or suspension of accreditation, the Certification Council may from time to time delegate one or more of its functions and powers to one or more of its members.
(7) A member of the Certification Council shall not be removed except on the grounds of misconduct.
(8) No member, once appointed, shall have any direct financial interest in any concern or business relating to cryptography services.
(9) Decisions of the Certification Council shall be taken by a majority of the members, however in case of tie the Chairman shall have a casting vote.
(10) Save as provided herein, the terms and conditions of service of the members of the Certification Council shall be such as may be prescribed.
19. Qualifications of member : -- Of the five members of the Certification Council:
(a) one shall be telecommunications engineer with at least seven years work experience, of which at least one year is in the field of cryptography services;
(b) two shall be professional or academics with at least seven years work experience in the field of information technology;
(c) one shall have an administrative background with at least seven years experience in a private or public organization ; and
(d) one member shall be an advocate with at least seven years experience and adequate knowledge of laws relating to information technology and telecommunications.
20. Funds of the Certification Council:-- The funds of the Certification Council shall comprise of:---
(a) grants from the Federal Government;.
(b) fee for grant and renewal of accreditation certificate; and
(c) fee, not exceeding ten Rupees, for every certificate deposited in the repository.
21. Functions of the Certification Council:-- (1) The Certification Council shall perform such functions as are specified in this Ordinance or may be prescribed.
(2) Without prejudice to the generality of the foregoing subsection, the Certification Council shall:---
(a) grant and renew accreditation certificates to certification service providers, their cryptography services and security procedures;
(b) monitor and ensure compliance by accredited certification service providers with the terms of their accreditation and revoke or suspend accreditation in the manner and on the grounds as may be specified in regulations;
(c) monitor compliance of accredited certification service providers with the provisions of this Ordinance;
(d) establish and manage the repository;
(e) carry out research and studies in relation to cryptography services and to obtain public opinion in connection therewith;
(f) recognize or accredit foreign certification service providers;
(g) encourage uniformity of standards and practices;
(h) give advice to any person in relation to any matter covered under this Ordinance,. make recommendations to an appropriate authority in relation to the matters covered under this Ordinance.
22. Application of Act XVII of 1996:-- Notwithstanding anything contained in the Pakistan Telecommunication (Re-organisation) Act, 1996 (XVII of 1996), the Certification Council shall be exclusively responsible to grant, renew, suspend or revoke the accreditation to certification service providers, their cryptography services and security procedures:---
Provided that, the foregoing provision shall not affect the applicability or operation of the provisions of the Pakistan Telecommunication (Re-organisation) Act, 1996 (XVII of 1996) to the telecommunication systems or telecommunication services, other than cryptography services, provided by the cryptography service providers.
23. Repository:-- (1) The Certification Council shall establish and manage a repository for all accreditation certificates, certificates issued by accredited certification service providers and for such other information as may be specified in regulations made by the Certification Council.
(2) The Certification Council shall take appropriate measures to ensure the security of all information contained in the repository.
(3) All information contained in the repository shall be open to public inspection.
(4) Notice of suspension or revocation of any accreditation or of certificate issued by an accredited certification service provider, shall be posted in the repository within the prescribed time.
24. Grant of accreditation:-- (1) The Certification Council may grant accreditation to certification service provider, its cryptography services, electronic signature or advanced electronic signature and security procedures who complies with the criteria for accreditation specified in the regulations.
(2) The terms and conditions of the accreditation, including those relating to duration of the accreditation, renewal, suspension or revocation, shall be specified in regulations.
(3) The fee for grant and renewal of the accreditation shall be as prescribed.
(4) The form and manner of proceedings for the consideration of application for grant, renewal, suspension or revocation of accreditation shall be specified in the regulations.
Provided that, the regulations shall provide for a transparent procedure with due regard to the right of hearing.
25. Certification practice statement:-- (1) Each certification service provider, desirous of being accredited, shall prepare and have at all times accessible a certification practice statement in such form and with such details, particulars and contents as may be specified in regulations made by the Certification Council.
(2) Without prejudice to the generality of the foregoing, the regulations may provide for:
(a) prompt information to persons likely to be adversely affected by any event relating to the information system of the certification service provider or inaccuracy, invalidity or misrepresentation contained in a certificate;
(b) identification of subscribers;
(c) suspension or revocation of certificates;
(d) accuracy of information contained in a valid accreditation certificate;
(e) foreseeability of reliance on valid accreditation certificates; and
(f) deposit of certificates or notification of any suspension or revocation of any accreditation certificate or any other fact or circumstance affecting the certificate, in the repository.
(3) The certificate practice statement shall be sub mitted to Certification Council for approval along with the application for accreditation.
(4) Any subsequent change in the approved certification practice statement shall be initiated and processed in such manner as may be specified in regulations made by the Certification Council, and upon approval by the Certification Council, shall be incorporated in the certification practice statement.
(5) A copy of the certification practice statement shall be maintained at the office of the Certification Council and shall be open to public inspection.
(6) Subject to such limitations as may be specified in the regulations made under sub-section (1), a certification service provider shall, during the period of validity of an accreditation certificate published for reliance by any person, be deemed to warranting to such person that:
(a) the certification service provider has complied with the requirements of this Ordinance, rules and regulations made under this ordinance ; and
(b) the information contained in the certificate is accurate.
(7) The Certification Council may suspend or revoke the accreditation of a certification service provider for failure to comply with the provisions of this section:
Provided that, an order for suspension or revocation of accreditation shall be made in the manner specified in regulations made under sub-section (1) after providing reasonable right of hearing.
26. Decision of Certification Council:-- All applications and matters coming before the Certification Council shall be decided through a speaking order, as expeditiously as possible but not later than ninety days except in extraordinary circumstances and for reasons to be recorded.
27. Appointment of offices, employees and advisers:-- The Certification Council may appoint such officers, employees and advisers as it may consider necessary for the efficient performance of its functions on such terms and conditions as it may prescribe by regulations.
(2) The Certification Council may establish regional or local offices as may be necessary for efficient performance of its functions.
Comments on Section 27:
(Sections 18 to 27)
Chapter 5 deals with the regulations of certification service providers and the establishment of Certification Council for that purpose. The members of the Certification Council and their qualifications have been set out in section 19 and 20. The functions of the Certification Council have been mentioned in section 21. The Certification Council shall have powers to grant, renew or suspend accreditation certificates to certificates service providers. Such certificate service providers in order to obtain the license shall prepare a certification practice statement i.e a statement of the practice/procedure of issuing certificates under section 25. The council would also regulate their cryptography services and security procedures. Under Pakistan Telecommunication (Re-organisation) Act, 1996, the Pakistan Telecommunication Authority (PTA) deals with regulation, operation and maintenance of telecommunication systems. [See also section 4 & 5 of Pakistan Telecommunication (Re-organisation) Act, 1996]. Section 22 restricts the functions of PTA and the Certification Council is exclusively granted the powers to grant, renew, suspend or revoke the accreditation certificates to certificates service providers. Under section 23 a repository (information storage house) shall be maintained where all information of the accredited certification service providers shall be stored and which shall be open to public inspection.
AMENDMENTS OF CERTAIN LAWS
of Act XVII of 1996 : -- (1) In the
(2) Any provision in any licence issued by the Pakistan Telecommunication Authority under the aforesaid Act prohibiting the provision or use of cryptography services shall cease to have effect subject to provisions of this ordinance.
Comments on Section 28:
Section 57 of the Pakistan Telecommunication
(Re-Organisation) Act, 1996 reads as under:
57. Power to make rules.‑(1) For carrying out the purposes of this Act and where provided for hereinbefore, the Federal Government may, from time to time, by notification in the official Gazette, make rules not inconsistent with this Act.
(2) Without prejudice to the foregoing powers the Federal Government may make rule‑‑
(a) extending the categories of telecommunication systems or telecommunication services for which a licence is not required under section 20;
(b) regulating the use of encryption
apparatus or software by requiring use of approved apparatus or software or
such appropriate apparatus or software be lodged with the Authority free of
cost; and [Omitted
by section 28 of the Electronic Transaction Ordinance, 2002]
(c) restricting or prohibiting the use of any public switched network for signalling purposes in circumstances in which charges otherwise payable may be avoided or reduced, or the advertising of means or services for such use.
The effect of omission is that rules regarding encryption services, would not be made by the Federal Government for Pakistan Telecommunication Authority. Encryption services would be regulated solely by Certification Council established under section 18 of the Ordinance.
29. Amendment of Presidential Order No. X of 1984 : -- For the purposes of this ordinance, the Qanun-e-Shahadat Order, 1984, (P.O. No. 10 of 1984) shall be read subject to the amendments specified in the Schedule to this Ordinance.
30. Extension to electronic forms. Notwithstanding anything contained in any other law for the time being in force, the expressions “attestation”, “books”, “books of accounts”, “certificate”, “charts”, “deed”, “document”, “document of title”, “execution”, “instrument”, “ledger”, “map”, “original”, “plans”, “publish”, “record”, “register”, “seal”, “signature”, “witnessing”, “words”, “writing”, or other words assuming paper or other tangible medium in relation thereto, shall, mutatis mutandis, extend to electronic forms thereof.
Comments on Section 30:
Although in section 2, most of the terms used are started with expression ‘means’ and therefore, the meaning of such words are to be restricted to the definition as used in section 2. Words stated in this section and other words used for paper and other tangible medium in relation thereto will also extend to electronic forms. E.g. ‘publish’ in traditional language means ‘to print’; ‘to make out public’, if we extend the meaning of publish to electronic media, we would understand that putting some material on internet for the public is actually ‘publishing’. Similarly ‘record’ of traditional registers and database ‘records' infact possesses same meanings.
OTHER LAWS AND JURISDICTION
31. Application to certain laws barred. (1) Subject to sub-section (2), nothing in this Ordinance shall apply to:---
(a) a negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881 (XXVI of 1881);
(b) a power-of-attorney under the Powers of Attorney Act, 1881 (VII of 1882).
(c) a trust as defined in the Trust Act 1882 (II of 1882), but excluding constructive, implied and resulting trusts;
(d) a will or any form of testamentary disposition under any law for the time being in force; and
(e) a contract for sale or conveyance of immovable property or any interest in such property.
(2) The Federal Government after consultation with the provinces may, by notification in the official Gazette and subject to such conditions and limitations as may be specified therein, declare that the whole or part of this Ordinance shall apply to the whole or part of one or more instruments specified in clauses (a) to (e) of sub-Section (1).
Comments on Section 31:
The general rule under the Ordinance is that no discrimination is to be practiced between the traditional forms of writing and signatures and their electronic counterparts. Also, section 33 of the Ordinance overrides the effect of any provision in any other law. However, section 31 is an exception to the general rule under the Ordinance. Section 31 explicitly sets the laws referred in this section outside the purview of this Ordinance. It means this Ordinance, is not applicable on laws and documents spelt out in section 31. For example conveyance of immovable properties are still to be in writing (non-electronic), still to be signed by the parties (non-electronically), still to be witnessed, still to be stamped and registered etc. under relevant laws. However, considering the changing business environment, the Federal Government in consultation with Provincial Governments may declare that the whole or any part of this Ordinance to any of the law(s) stated in sub-section of this section by notification in the official gazette.
to acts done outside
Comments on Section 32:
This section states that even if any act is done
33. Overriding effect. The provisions of this Ordinance shall apply notwithstanding anything to the contrary contained in any other law for the time being in force.
Comments on Section 33:
The Ordinance is been superceded over all other laws for the time being in force through this section.
34. Provision of false information, etc. by the subscriber. (1) Any subscriber who:---
(a) provides information to a certification service provider knowing such information to be false or not believing it to be correct to the best of his knowledge and belief;
(b) fails to bring promptly to the knowledge of the certification service provider any change in circumstances as a consequence whereof any information contained in a certificate accepted by the subscriber or authorised by him for publication or reliance by any person, ceases to be accurate or becomes misleading, or
(c) knowingly causes or allows a certificate or his electronic signatures to be used in any fraudulent or unlawful manner, shall be guilty of an offence under this Ordinance.
(2) The offence under sub-section (1) shall be punishable with imprisonment either description of a term not exceeding seven years, or with fine which may extend to ten million rupees, or with both.
Comments on Section 34:
Section 34 sets punishments and defines offences committed by a subscriber under this Ordinance. In simple words offences under the Ordinance are publication for fraudulent purpose. False information, intentionally not informing change of information and allowing a certificate to be used for fraudulent purposes are offences under the Ordinance. Such offences are punishable with imprisonment upto seven years or with fine upto Rs.10 million or with both.
35. Issue of false certificate, etc:-- (1) Every director, secretary and other responsible officer, by whatever designation called, connected with the management of the affairs of a certification service provider, which:
(a) issues, publishes or acknowledges a certificate containing false or misleading information;
(b) fails to revoke or suspend a certificate after acquiring knowledge that any information contained therein has become false or misleading;
(c) fails to revoke or suspend a certificate in circumstances where it ought reasonably to have been known that any information contained in the certificate is false or misleading;
(d) issues a certificate as accredited certification service provider while its accreditation is suspended or revoked;
shall be guilty of any offence under this Ordinance.
(2) The offence under sub-section (l) shall be punishable with imprisonment either description of a term not exceeding seven years, or with fine which may extend to ten million rupees, or with both.
(3) The certification service provider or its employees specified in sub-section (1), shall also be liable, upon conviction, to pay compensation for any foreseeable damage suffered by any person or subscriber as a direct consequence of any of the events specified in clauses (a) to (d) of sub-section (1).
(4) The compensation mentioned in sub-section (3) shall be recoverable as arrears of land revenue.
Comments on Section 35:
The punishment for the offences committed by
certification service providers, their directors, secretary and other
responsible officer is set out in sub-section (2) of the section. Sub-section
(3) also states that such certification service provider, their directors,
secretary and other responsible officer would also be liable for compensation
for any foreseeable damage. The offences as stated in sub-section (1) are
issuing and publishing certificates containing false information; not revoking
such certificates after getting knowledge; not revoking or suspending when
reasonably have knowledge that information in the certificate is false; and
issuing a certificate as accredited certification service provider during a
period of suspension or revocation.
†Should be “an” instead of “any”
36. Violation of privacy of information:-- Any person who gains or attempts to gain access to any information system with or without intent to acquire the information contained therein or to gain knowledge of such information, whether or not he is aware of the nature or contents of such information, when he is not authorised to gain access, as aforesaid, shall be guilty of an offence under this Ordinance punishable with either description of a term not exceeding seven years, or fine which may extend to one million rupees, or with both.
Comments on Section 36:
Violation of privacy of information is a serious offence under the Ordinance. A person who acquires or attempts to access any information system by violating rules of privacy either intentionally or unintentionally is said to commit an offence. Such offence is punishable with imprisonment upto seven years or with fine upto Rs.10 million or with both.
37. Damage to information system, etc.:-- (1) Any person who does or attempts to do any act with intent to alter, modify, delete, remove, generate, transmit or store any information through or in any information system knowingly that he is not authorised to do any of the foregoing, shall be guilty of an offence under this Ordinance.
(2) Any person who does or attempts to do any act with intent to impair the operation of, or prevent or hinder access to, any information contained in any information system, knowingly that he is not authorised to do any of the foregoing, shall be guilty of an offence under this Ordinance.
(3) The offences under sub-section (1) and (2) of this section will be punishable with either description of a term not exceeding seven years or fine which may extend to one million rupees, or with both.
Comments on Section 37:
Another offence under the Ordinance is intentionally tampering or storing the data of any information system for which he has no authority. Such offences are punishable with imprisonment upto seven years or with fine upto Rs.10 million or with both.
38. Offences to be non-bailable, compoundable and cognizable:-- All offences under this Ordinance shall be non-bailable, compoundable and cognizable.
Comments on Section 38:
Electronic Transactions may involve billion of rupees and therefore, the punishment for offences under the Ordinance are in million of rupees. In order to make the punishments stricter, imprisonments may also extended upto 7 years may also be awarded. Such strictness and severity can only be maintained if the offences are non-bailable and cognizable. However, offences are also compoundable.
and trial of offences:--
Comments on Section 39:
Original jurisdiction for trying offences under the Ordinance is court of sessions.
40. Limitation on liability of network service providers:-- In the absence of intent to facilitate, aid or abet, a network service provider shall not be subject to any civil or criminal liability solely for the reason of use of his telecommunication system in connection with a contravention of this Ordinance by a person not subject to the direction or control of the network service provider.
Explanation:-- Telecommunication system in this section shall have the meaning given thereto under the Pakistan Telecommunication (Re-organisation) Act, 1996 (XVII of 1996).
Comments on Section 40:
A network service provider may be subjected to
civil or criminal liability for publication, distribution or dissemination of
material of a third party by a subscriber, content provider etc. For example
the network service provider may be potentially liable for making available
materials on its network that defames a person though published by one of its
subscriber. This section absolves the network service providers of all such
liability, provided the network service providers merely provide access.
Network service providers however, shall be liable for any publication or
distribution by the person is under the control and direction of network
Section 2(u) of Pakistan Telecommunication (Re-Orgainsation) Act, 1996 defines telecommunication system as under:-
"telecommunication system" means any electrical, electro‑magnetic, electronic, optical of optical electronic system for the emission, conveyance, switching or reception of any intelligence within, or into, or from Pakistan, whether or not that intelligence is subjected to re‑arrangement computation or any other process in the course of operation of the system and includes a cable transmission system, a cable television transmission system and terminal equipment;
41. Immunity against disclosure of information relating to security procedure:-- (1) Subject to sub-section (2), no person shall be compelled to disclose any password, key or other secret information exclusively within his private knowledge, which enables his use of the security procedure or advanced electronic signature.
(2) Sub-section (1) shall not confer any immunity where such information is used for the commission of any offence under any law for the time being in force.
Comments on Section 41:
Immunity against disclosure of any confidential information relating to security procedure of an information system or advanced electronic signatures is granted under this section. However, such immunity is discharged when such information is utilized for commission of any offence under any law. E.g. the Internet Service Providers (ISPs) are usually not required under the law to disclose any information of their client. They do not give the name of their client who sent a particular email message etc. However, when a crime is committed on internet, the ISPs disclose complete information to police and FIA authorities. This general practice has been incorporated in law through this section.
42. Power to make rules:-- The Federal Government may, by notification in the official Gazette, make rules to carry out the Purposes of this Ordinance.
Comments on Section 42:
The rule making power is solely with the Federal Government through notification in the Official Gazette.
43. Power to make regulations:-- (l) The Certification Council may, with the prior approval of the Federal government, make regulations to carry out the purpose of this Ordinance.
(2) Without prejudice to the generality of the sub-section (1), regulations may provide for:---
(a) safety, control or management of keys, passwords or other secret information relating to use of services of accredited certification service providers;
(b) standards, procedures and practices for time and date stamping;
(c) minimum qualifications of staff of accredited certification service providers;
(d) adequacy of facilities and equipment for secure and reliable operation;
(e) privacy and protection of data of subscribers;.(f) inspection of operations;
(g) cross-certifications, accreditation, recognition, bridge certification or other arrangements with certification service providers based in other countries;
(h) development of certification management system;
(i) reparation to subscrib ers for damage arising from negligence of certification service provider with conditions for and limits to liability;
(j) identification of areas of commerce or governance for use of certificates;
(k) standardization and technology relating to protocols, algorithms, interoperability of systems, applications and infrastructure for accredited certification service providers;
(1) form and contents of applications for accreditation;
(m) suspension or revocation of certification;
(n) suspension or revocation of accreditation;
(o) certificate profiles with mandatory and optional fields and extension fields, if any;
(p) certificate revocation and suspension list profiles with mandatory and optional fields, and extension fields (if any);
(q) retention of records by certification authorities and the repository;
(r) recommended code of practice for handling and storage of business information and records in elections form; and
(s) regulation of access and audit trails.
Comments on Section 43:
The Certification Council has powers to make regulations for carrying out the purpose of the Ordinance. This section provides the Council to make regulations in connection with the regulation and licensing of certification authorities. This section allows the Council to define when an electronic signature qualifies as an advance electronic signature.
44. Prior publication of rules and regulations:-- (1) All rules and regulations proposed to be made by the Federal Government and the Certification Council under this Ordinance shall be published in the official Gazette and in at least one English and one Urdu daily with natio nwide circulation, in draft form at least thirty days before the intended date of coming into operation.
(2) The Certification Council shall keep record of all comments received on the draft of the rules or regulations, and shall prepare a report thereon addressing each comment.
(3) The notification of the rules or regulations in their final form in the official Gazette shall be accompanied with a report of the Certification Council referred to in sub-section (2).
Comments on Section 44:
This section provides that proposed rules and regulations are to be published in at least one English and Urdu daily newspapers and at least thirty days before passing any rule or regulation. The Certification Council then shall prepare a report incorporating all the comments received from public regarding intended rule or regulation. The rule or regulations shall be published in the official Gazette alongwith the report of the Council.
45. Removal of difficulties:-- The Federal Government may by notification in the official Gazette, make provisions for removal of difficulties in a manner not inconsistent with the provisions of this Ordinance.
Comments on Section 45:
The Federal Government is empowered to notify any provision for removing the difficulties.
(See section 29)
AMENDMENT IN QANUN-E-SHAHADAT ORDER, 1984 (P.O. No. 10 OF 1984)
1. Amendment of Article 2, P.O. No. 10 of 1984 : -- In the Qanun-e-Shahadat Order, 1984 (P.O. No. 10 of 1984), hereinafter referred to as the said Order, in Article 2 in clause (1), after sub-clause (d), the following new sub-clauses (e) and (f) shall be added, namely:---
“(e) the expression, “automated”, “electronic”, “information”, “information system”, “electronic document”, “electronic signature”, “advanced electronic signature” and “security procedure”, shall bear the meanings given in the Electronic Transactions Ordinance, 2002;
(f) the expression “certificate”, where the context so admits, includes the meaning given to it in the Electronic Transactions Ordinance, 2002.”
Comments on Clause 1 of the Schedule:
Article 2 of Qanun-e-Shahadat, Order 1984 (Law of Evidence) is interpretation clause. Amended Article 2 clause (1) is reproduced as under:-
2. Its Interpretation.‑‑(1) In this Order, unless there is anything repugnant in the subject or context,‑‑-
(a) "Court" includes all Judges and Magistrates, and all person, except arbitrators, legally authorized to take evidence;
(b) "document" means any matter expressed or described upon any substance by means of letters, figures or marks, or by more than one of those means, intended to be used, or which may be used, for the purpose of recording that matter;
A writing is a document;
Words printed, lithographed or photographed are document;
A map or plan is a documents; An inscription on a metal plate or stone is a document; A caricature is a document.
(c) "evidence" includes—
(i) all statements which the Court permits or requires to be mad before it by witnesses, in relation to matters to fact under inquiry such statement are called oral evidence; and
(ii) all documents produced for the inspection of the Court, such documents are called documentary evidence;
(d) "fact" includes—
(i) anything, state of things, or relation of things capable of being perceived by the senses; and
(ii) any mental condition of which any person is conscious.
(a) that there are certain objects arranged in certain order in a certain place, is a fact.
(b) that a man heard or saw something, is a fact.
(c) that a man said certain words, is a fact.
(d) that a man holds a certain opinion, has a certain intention, acts in good faith or fraudulently, or uses a particular word in a particular sense, or is or was at a specified time conscious of a particular sensation, is a fact.
(e) that a man has a certain reputation, is a fact.
(e) the expression, “automated”, “electronic ”, “information”, “information system ”, “electronic document ”, “electronic signature”, “advanced electronic signature” and “security procedure”, shall bear the meanings given in the Electronic Transactions Ordinance, 2002; [Inserted by Electronic Transaction Ordinance, 2002]
(f) the expression “certificate ”, where the context so admits, includes the
meaning given to it in the Electronic Transactions
Ordinance, 2002.[Inserted by Electronic Transaction Ordinance, 2002]
2. Amendment of Article 30, P.O. No. 10 of 1984 : -- In the said Order, in Article 30, for the full stop at the end a colon shall be substituted and thereafter the following explanation shall be added, namely:---
“Explanation:-- Statements generated by automated information systems may be attributed to the person exercising power or control over the said information system.”
Comments on Clause 2 of the Schedule:
The explanation to Article 30 says that when an
admission is in a form of electronic statement, such electronic statement may
be related to the person who is exercising power or control over the
information system generating the statement.
Amended Article 30 reads as under:-
30. Admission defined. An admission is a statement, or documentary, which suggests any inference as to any fact in issue or relevant fact, and which is made by any of the persons, and under the circumstances, hereinafter mentioned:---
Explanation.— Statements generated by automated information systems may be attributed to the person exercising power or control over the said information system.
[Inserted by Electronic Transaction Ordinance, 2002]
3. Insertion of new Article 46, P.O. No. 10 of 1984:-- In the said Order, after Article 46, the following new Article shall be inserted, namely:---
“46-A. Relevance of information generated, received or recorded by automated information system:-- Statements in the form of electronic documents generated, received or recorded by an automated information system while it is in working order, are relevant facts.
4. Amendment of Article 59, P.O. No. 10 of 1984:-- In the said Order, in Article 59,---
(a) after the word “impressions” the comma and the words “, or as to authenticity and integrity of electronic documents made by or through an information system” shall be inserted; and
(b) for the words “are relevant facts” the words and commas “or as to the functioning, specifications, programming and operations of information systems, are relevant facts” shall be substituted.
5. Amendment of Article 73, P.O. No. 10 of 1984:-- In the said Order, in Article 73, after the second Explanation, the following new Explanations shall be added, namely:---
“Explanation 3:-- A printout or other form of output of an automated information system shall not be denied the status of primary evidence solely for the reason that it was generated, sent, received or stored in electronic form if the automated information system was in working order at all material times and, for the purposes hereof, in the absence of evidence to the contrary, it shall be presumed that the automated information system was in working order at all material times.
“Explanation 4:-- A printout or other form of reproduction of a Electronic Document, other than a Document mentioned in Explanation 3 above, first generated, sent, received or stored in electronic form, shall be treated as primary evidence where a security procedure was applied thereto at the time it was generated, sent, received or stored.”
6. Insertion of new Article, P.O No. 10 of 1984:-- In the said Order, after Article 78, the following new Article shall be inserted, namely:--
“78-A. Proof of electronic signature and electronic document:-- If an electronic document is alleged to be signed or to have been generated wholly or in part by any person through the use of an information system, and where such allegation is denied, the application of a security procedure to the signature or the electronic document must be proved.”
7. Amendment of Article 85, P.O No. 10 of 1984:-- In the said Order, in Article 85, after clause (5), the following new clause (6) shall be added, namely:---
“(6) certificates deposited in a repository pursuant to the provisions of the Electronic Transactions Ordinance, 2002.”