August 2001

IMPLEMENTING RULES AND REGULATIONS ON ELECTRONIC SIGNATURES


Whereas, the State recognizes the vital role of information and communications
technology in nation building, as well as its own obligation to ensure network
security, connectivity and neutrality of technology for the national benefit;
Whereas, section 29 of the Electronic Commerce Act of 2000 gives to the
Department of Trade and Industry (DTI) the mandate to direct and supervise the
promotion and development of electronic commerce in the Philippines with relevant
government agencies, without prejudice to the provisions of Republic Act 7653
(Charter of Bangko Sentral ng Pilipinas) and Republic Act 337 (General Banking Act),
as amended;
Whereas, the issuance of clear, transparent, predictable and enforceable rules to
clarify and ensure the legal validity and enforceability of electronic signatures and
contracts will encourage and promote the development of electronic commerce in
the Philippines, enhance its competitiveness in the new economy, protect the
consumer, and encourage efficiency and transparency in commercial transactions;
Whereas, technological developments in electronic authentication and modes of
generating electronic signatures are rapid, ongoing and market-led;
Whereas, rules and guidelines on electronic signatures and contracts that are
technology-neutral will help ensure continued private sector initiative and
innovation, and encourage consumer trust in these new technologies;
And finally, recognizing that where appropriate, market-driven, rather than
government-imposed standards, contractual arrangements and codes of practice
are better tools for validating electronic transactions and developing user
confidence in global electronic commerce;
Now, therefore, pursuant to the provisions of Rule 29 of Republic Act No. 8792,
otherwise known as the Electronic Commerce Act of 2000 (the "Act"), the following
Implementing Rules and Regulations on Electronic Authentication and Electronic
Signatures (the "Rules") are hereby promulgated:
RULE 1.
General Rule of Validity. As a general rule, and subject to the
provisions of the Electronic Commerce Act of 2000 and these Rules,
a.
A signature, contract or other record relating to such transaction may not be
denied legal effect, validity, or enforceability solely because it is in electronic form;
and

b.
A contract relating to such transaction may not be denied legal effect,
validity, or enforceability solely because an electronic signature or electronic
document was used in its formation.
RULE 2.
Scope of Application. These Rules apply where electronic signatures
and/or electronic documents are used in the context of any commercial and noncommercial transaction, activity or dealings, whether public or private, occurring
between and among parties. These include, and are not limited to, the following
transactions: the sale, supply, procurement or exchange of goods or services,
including the manufacture, processing, purchase, sale, supply, distribution or
transacting in any manner, of tangible and intangible property of all kinds such as
commodities, goods, merchandise, financial and banking products, patents,
participations, shares of stock, software, books, works of art and other intellectual
property; distribution agreement; commercial representation or agency; factoring;
leasing; construction of works; consulting; engineering; licensing; investment;
financing; banking; insurance; exploitation agreement or concession; joint venture
and other forms of industrial or business cooperation; and carriage of goods or
passengers by air, sea, rail or road.
RULE 3.

Definitions. For the purposes of these Rules:

a.
"Asymmetric or public cryptosystem" is a type of signature creation
technology and refers to a system capable of generating a secure key pair,
consisting of a private key for creating a digital signature, and a public key for
verifying the digital signature.
b.
"Certificate" means an electronic document issued to support a secure
electronic signature which purports to confirm the identity or other significant
characteristics of the person who, in the case of digital signatures, holds a particular
key pair or, in other cases, such signature creation or verification device or method
as may be applicable under the circumstances.
c.
"Certification authority" is a type of information certifier which, in the course
of its business, engages in issuing certificates in relation to cryptographic keys used
for the purposes of digital signatures.
d.
"Digital Signature" is a type of secure electronic signature consisting of a
transformation of an electronic document or an electronic data message using an
asymmetric or public cryptosystem such that a person having the initial
untransformed electronic document and the signer's public key can accurately
determine:
i.
whether the transformation was created using the private key that
corresponds to the signer's public key; and

ii.
whether the initial electronic document had been altered after the
transformation was made.
e.
"Electronic agent" means a computer program or an electronic or other
automated means used independently to initiate an action or respond to electronic
messages or documents, in whole or in part, without review or action by an
individual at the time of the action or response.
f.
"Electronic authority signature" refers to an electronic signature that
establishes the authority, position or attribute of the signer as the duly authorized
proxy, agent or representative of another person, and therefore, by such signature
to bind the latter as if he had created and/or issued the electronic signature himself.
g.
"Electronic data message" refers to information generated, sent, received or
stored by electronic, optical or similar means.
h.
"Electronic document" refers to information or the representation of
information. Data, figures, symbols or other modes of written statement, described
or however represented, by which a right is established or an obligation
extinguished, or by which a fact may be proved and affirmed, which is received,
recorded, transmitted, stored, processed, retrieved or produced electronically. It
includes documents signed with secure electronic signatures and any print-out or
output, readable by sight or other means, which accurately reflects the electronic
data message or electronic document. For purposes of these Rules, the term
"electronic document" may be used interchangeably with "electronic data
message."
i.
"Electronic signature" refers to any distinctive mark, characteristic and/or
sound in electronic form, representing the identity of a person, and attached to or
logically associated with the electronic data message or electronic document or any
methodology or procedures employed or adopted by a person and executed or
adopted by such person with the intention of authenticating or approving an
electronic data message or electronic document. For purposes of these Rules,
electronic signatures include digital signatures and secure electronic signatures.
j.
"Information and communication system" refers to a system intended for and
capable of generating, sending, receiving, storing or otherwise processing electronic
data messages or electronic documents and includes the computer system or other
similar device by or in which data is recorded or stored and any procedures related
to the recording or storage of electronic data message or electronic document.
k.
"Information Certifier" means any person who, or entity which, in the course
of its business, issues certificates as a means of providing identification services
and/or certifying information which are used to support the use of and trust in
secure electronic signatures. For purposes of these Rules, the term "information
certifier" includes but is not necessarily limited to certification authorities.

l.
"Key pair" in an asymmetric cryptosystem refers to the private key and its
mathematically related public key such that the latter can verify the digital
signature that the former creates.
m.
"Person" means any natural or juridical person including, but not limited to,
an individual, corporation, partnership, joint venture, unincorporated association,
trust or other juridical entity, or any governmental authority.
n.

"Private Key" refers to the key of a key pair used to create a digital signature.

o.
"Public Key" refers to the key of a key pair used to verify a digital signature.
p.
"Secure Electronic Signature" means an electronic signature which is created
and can be verified through the application of a security procedure or combination
of security procedures that ensures such electronic signature:
1.
is unique to the signer;
2.
can be used to identify objectively the signer of the data message;
3.
was created and affixed to the data message by the signer or using a means
under the sole control of the signer; and
4.
was created and is linked to the data message to which it relates in a manner
such that any change in the data message would be revealed.
For purposes of these Rules, secure electronic signatures includes but is not
necessarily limited to digital signatures.
q.
"Signature creation device, method or technology" refers to any device,
method or technology used to create an electronic signature in respect of which it
can be shown, through the use of a security procedure or method, that such
signature (a) is unique to the signature device holder for the purpose for which it is
used; (b) was created and affixed to the data message by the signature device
holder or using a means under the sole control of the signature device holder; and
(c) was created and is linked to the electronic data message to which it relates in a
manner which provides reliable assurance as to the integrity of the message.
r.
"Signer" means the person who uses, creates and affixes an electronic
signature to an electronic data message.
RULE 4.
Technological Neutrality. None of the provisions of these Rules shall
be applied so as to exclude, restrict, or deprive of legal effect any method of
electronic signature that satisfies the requirements referred to in Section 8 of the
Act, or in Rule 5 of these Rules which is as reliable as was appropriate for the
purpose for which the data message was generated or communicated, in the light of
all the circumstances, including any relevant agreement.

RULE 5.
Legal Recognition of Electronic Signatures. An electronic signature
on the electronic document shall be equivalent to the signature of a person on a
written document if that signature is proved by showing that a prescribed
procedure, not alterable by the parties interested in the electronic document,
existed under which:
a.
A method is used to identify the party sought to be bound and to indicate
said party's access to the electronic document necessary for his consent or
approval through the electronic signature;
b.
Said method is reliable and appropriate for the purpose for which the
electronic document was generated and communicated, in the light of all
circumstances, including any relevant agreement;
c.
It is necessary for the party sought to be bound, in order to proceed further
with the transaction, to have executed or provided the electronic signature; and
d.
The other party is authorized and enabled to verify the electronic signature,
and to make the decision to proceed with the transaction authenticated by the
same.
The parties may agree to adopt supplementary or alternative procedures provided
that the same are not contrary to law or public policy.
RULE 6.
Authority Signatures. None of the provisions of these Rules shall be
applied so as to exclude, disallow, or deprive electronic authority signatures, as
defined in Rule 3 above, of legal effect and validity.
RULE 7.
Electronic Agents. A contract or other record relating to a
transaction may not be denied legal effect, validity, or enforceability solely because
its formation, creation, or delivery involved the action of one or more electronic
agents so long as such electronic agent is under the control of, or its actions are
legally attributable to the person sought to be bound.
RULE 8.
Disputable Presumptions Relating to Electronic Signatures. Where an
electronic signature is established or shown to be genuine, it shall be presumed
that:
a.

The electronic signature is the signature of the person to whom it correlates;

b.
The electronic signature was affixed by that person with the intention of
authenticating or approving the electronic document to which it is related or to
indicate such person's consent to the transaction embodied therein;
c.
The methods or processes utilized to affix or verify the electronic signature
operated without error or fault.

RULE 9.
Disputable Presumptions Relating to Secure Electronic Signatures.
Secure electronic signatures, in addition to those mentioned in the immediately
preceding Rule, shall enjoy the following presumptions:
a.
The information contained in a certificate, where present and applicable, is
correct, and that the secure electronic signature was created during the operational
period of such certificate;
b.
No cause exists to render such certificate, where present and applicable,
invalid or revocable;
c.
The message associated with the secure electronic signature has not been
altered from the time it was signed; and
d.
The certificate, where present and applicable, was issued by the information
certifier indicated therein.
RULE 10.
Liability for unauthorized use of secure electronic signatures. Where
the use of a secure electronic signature was unauthorized and the purported signer
did not exercise reasonable care to avoid the unauthorized use of the signature or
to prevent the addressee from relying on such a signature, the signature shall
nevertheless be regarded as that of the purported signer, unless the relying party
knew or should have known that the signature was not that of the purported signer.
RULE 11.
Responsibilities of an information certifier. An information certifier
shall:
a.
act in accordance with the representations it makes with respect to its
practices;
b.
exercise due diligence to ensure the accuracy and completeness of all
material representations it makes that are relevant to the life-cycle of its certificates
or which are included in its certificates;
c.
provide reasonably accessible means which enable a relying party to
ascertain:
i.

the identity of the information certifier;

ii.
that the person who is identified in the certificate holds, at the relevant time,
the signature device referred to in the certificate;
iii.
the method used to identify the signature device holder, provided however
the information certifier shall not be required to reveal any of its trade or industrial
secrets;
iv.
any limitations on the purposes or value for which the signature device may
be used; and

v.
whether the signature device is valid and has not been compromised;
d.
Provide a means for signature device holders to give notice that a signature
device has been compromised and ensure the operation of a timely revocation
service; and
e.
Utilize trustworthy systems, procedures and human resources in performing
its services.
An information certifier shall be liable for damages caused by its failure to satisfy
the requirements provided under this and the following Rule.
RULE 12.
Certificate Requirements. At a minimum, certificates shall state:
a.
the identity of the information certifier;
b.
that the person who is identified in the certificate holds, at the relevant time,
the signature device referred to in the certificate;
c.
that the signature device was effective at or before the date when the
certificate was issued;
d.
any limitation on the purposes or value for which the certificate may be used;
and
e.
any limitation on the scope or extent of liability which the information
certifier accepts to any person.
RULE 13.
Liability for incorrect or defective certificates. If damage has been
caused as a result of the certificate being incorrect or defective, the information
certifier shall be liable for damage suffered by either:
a.
the party who has contracted with the information certifier for the provision
of a certificate; or
b.
any person who reasonably relies on a certificate issued by the information
certifier.
In assessing the loss, regard shall be had to the following factors:
a.

the amount of damages caused by the incorrect or defective certificate;

b.

the cost of obtaining the certificate;

c.

the nature of the information being certified;

d.
the existence and extent of any limitation on the purpose for which the
certificate may be used;

e.
the existence of any statement limiting the scope or extent of the liability of
the information certifier;
f.

any contributory conduct by the relying party; and

g.

any other relevant factor.

RULE 14.
Voluntary accreditation. A certificate shall be presumed to bind a
secure electronic signature to the signer's identity if the certificate was issued by an
information certifier duly accredited by the Department of Trade and Industry (DTI),
in coordination with the Department of Science and Technology (DOST), which shall
apply commercially appropriate and internationally recognized standards covering
the trustworthiness of the information certifier's technology, practices and other
relevant characteristics.
A non-exhaustive list of bodies or standards that comply with this paragraph may be
published from time to time by the DTI jointly with the DOST.
This Rule shall not be applied so as to exclude or prevent the validity of a certificate
issued by a non-accredited information certifier where such certificate is shown to
have otherwise been issued in accordance with commercially appropriate and
international recognized standards, or where sufficient evidence indicates that the
certificate accurately binds the secure electronic signature to the signer's identity.
RULE 15.

Responsibilities of the signer. Each signer shall:

a.
Exercise reasonable care to avoid unauthorized use of his electronic signature
and/or signature creation device;
b.
Notify appropriate persons, including the concerned information certifier,
without undue delay if:
i.

the signer knows that the electronic signature has been compromised; or

ii.
the circumstances known to the signer give rise to a substantial risk that his
electronic signature may have been compromised;
c.
A signer shall be liable for damages caused by failure to satisfy the
requirements provided under this Rule.
RULE 16.

Reliance on electronic signatures.

a.
A person is not entitled to rely on an electronic signature to the extent that it
is not reasonable to do so. If reliance on the electronic signature is not reasonable in
the circumstances having regard to the factors enumerated below, a relying party
assumes the risk that the signature is not a valid signature.

b.
In determining whether it was reasonable for a person to have relied on the
electronic signature, regard shall be had, if appropriate, to:
1.
the nature of the underlying transaction that the electronic signature was
intended to support;
2.
whether the relying party, where warranted, has taken appropriate steps to
determine the reliability of the electronic signature;
3.
whether the relying party took steps to ascertain whether the electronic
signature was supported by a certificate;
4.
whether the relying party knew or ought to have known that the electronic
signature device had been compromised or revoked;
5.
any agreement or course of dealing which the relying party has with the
signatory or subscriber, or any trade usage or practice which may be applicable;
6.

any other relevant factor.

RULE 17.

Recognition of foreign certificates and electronic signatures.

a.
In determining whether, or the extent to which, a certificate or an electronic
signature is legally effective, no regard shall be had to the place where the
certificate or the electronic signature was issued, nor to the country in which the
issuer had its place of business.
b.
Parties to commercial and other transactions may specify that a particular
information certifier or supplier of certification services, class of suppliers of
certification services or class of certificates must be used in connection with
messages or signatures submitted to them.
c.
Where parties agree, as between themselves, to the use of certain types of
electronic signatures and certificates, that agreement shall be recognized as
sufficient for the purpose of cross-border recognition.
RULE 18.
Reciprocity. All benefits, privileges, advantages or statutory rules
established under these Rules shall be enjoyed only by parties whose country of
origin grants the same benefits and privileges and advantages to Filipino citizens.
RULE 19.
Variation by agreement. These Rules may be varied by agreement,
unless otherwise provided by law.
RULE 20.
Interpretation. Unless otherwise expressly provided for, in the
interpretation of these Rules, due regard is to be given to their international origin
and to the need to promote uniformity in their application and the observance of
good faith in international trade relations. The generally accepted principles of
international law and convention on electronic commerce shall likewise be
considered.
RULE 21.
Separability. If any provision in these Rules or application of such
provision to any circumstance is held invalid, the remainder of these Rules shall not
be affected thereby.
RULE 22.
Effectivity. These Rules shall take effect fifteen (15) days from the
complete publication thereof in a newspaper of general circulation.
DONE this ___ day of August, 2001 in Metro Manila, Republic of the Philippines.