FTAA.ecom/inf/124, February 14, 2002: Peru’s legal framework for electronic commerce and some implications for consumer protection

Public
FTAA.ecom/inf/124
February 14, 2002
Original: Spanish
Translation: FTAA Secretariat
Peru’s legal framework for
electronic commerce and
some implications for
consumer protection
HUGO GALLEGOS C.
General Manager
Peruvian Institute
for Electronic Commerce
I. General consumer
protection issues
A. CONSUMER
PROTECTION
Potential threats faced by consumers:
Fraud and deceit: The consumer does
not have direct contact with the
producer and is unable to verify the
quality of the product or the
trustworthiness of the producer.
Contract terms: Information both prior
and subsequent to the conclusion of
an on-line contract must be clear and
accurate.
Contract terms: Must include the legal
identity and physical location of the
merchant, the total price of the
products, provisions on the method of
payment, any condition governing the
purchase, including warranties, refund
terms, duration, validity of the offer, and
how to lodge complaints and receive
compensation.
Privacy: The ease with which personal
information can be collected and shared.
Jurisdiction and dispute resolution:
Cross-border transactions cause greater
difficulties than those within a given
country. This is a significant problem with
transactions involving small amounts.
B. PRIVACY
What are the potential threats?:
– The growing capacity to gather and
distribute personal information.
– By comparing information from
several sources it is possible to
obtain a picture of a person’s lifestyle.
– Database sharing may cause errors to
spread from one computer to another
before they can be corrected.
C. DISPUTE RESOLUTION
– Devise an instrument to help resolve
disputes that occur in the use of the
Internet.
– Support the security system that protects
electronic transactions and
communication.
D. E-CONTRACTS.
• Recognizing the validity of e-documents.
• Allowing expression of intent via electronic
means.
• There should be no discrimination based on
whether contracts are on paper or electronic.
• Allowing contracts to be made over the
Internet.
• They are the foundation for e-business.
E. DIGITAL SIGNATURES AND
CERTIFICATES.
• Creating a functional equivalent
of handwritten signatures.
• Making electronic
communications and transactions
secure.
• The four principles of security must
be guaranteed: authenticity, integrity,
confidentiality and non-repudiation.
• Does not make the contents legal or
guarantee the agent’s capacity
(analyze role of notary public).
II. Peru’s regulatory
framework for e-commerce
and its link to consumer
protection
A. LAW PERMITTING ELECTRONIC
CONTRACTS (LAW 27291)
Key aspects:
– Allows the use of electronic media to communicate
one’s expression of intent, and electronic signatures
where required by law.
– With Article 141, the use of electronic or similar
media is added as a means of expressing intent
(previously consent could only be given orally, in
writing, or through any other direct means).
– If the law requires an express declaration of intent,
such declaration may be given electronically.
Key aspects:
• Internet contracts are accepted. When contracts are
made electronically, acceptance and any other
contractual representation addressed to a given
individual is deemed received when the sender
receives acknowledgment of receipt.
• This will facilitate and speed up negotiations and
contracts, and, more importantly, it will be the platform
for B2B relationships.
Key aspects:
• This is an improvement over microforms, as it gives
legal value to e-documents.
• The Law on Electronic Contracts will complement it,
specifying how e-documents are to be received
(acknowledgment of receipt, information backup,
etc.). It is expected to be passed this year or early
next year.
Key aspects:
• This law gives consumers legal security when
conducting on-line transactions in which they
express intent by clicking on the “I AGREE/I
ACCEPT” button.
• Because legal validity is granted to the expression of
intent by electronic means, consumers are forced to
exercise caution when proceeding with or
concluding on-line transactions, since they cannot
later deny having made the transaction.
• Consumers may use electronic records as evidence
in the litigation and judges may not refuse to admit
such records.
B. LAW ON COMPUTER-RELATED
CRIMES (LAW 27309)
• This Law adds new articles to the Criminal Code
(Legislative Decree 635) and includes a chapter on
computer-related crimes.
• Article 207 A.- Any person who wrongfully uses or logs on
to a database or a computer system or network or any part
thereof with the purpose of designing, running, or altering
a program or device with intent to commit fraud or obtain
money, goods or information will be sentenced to
incarceration for up to two years or to performing
community services for between 52 and 104 days.
• Under this law hackers and sniffers are held criminally
liable for their actions.
• Article 207 B.- Any person who wrongfully
interferes with, receives, uses, alters,
damages or destroys a computer program or
support-device or the data contained thereon
or in the database, system, or network shall
be sentenced to incarceration for up to two
years.
• This law allows crackers and virus authors to be
held criminally liable for their actions.
• This law is especially important in terms of
protecting the information systems of private and
public organizations.
• Most tangibly, home Internet users could be
protected from unauthorized entries while online, particularly when would-be intruders are
within Peru.
• It can be used against persons who write
destructive viruses and who are within Peruvian
jurisdiction.
• It could also be used to prevent unauthorized
entry by government agents conducting
investigations.
C. LAW ON DIGITAL SIGNATURES AND
CERTIFICATES (LAW 27269)
• Elements:
– Certification Body: A legal entity that issues and
cancels or performs other services involved in
digital certification. A certification body may also
perform duties of a registration or verification body.
– Registration or Verification Body: A natural
person or legal entity that is responsible for
gathering and verifying information regarding a
person applying for a digital certificate and whose
services are used by certification bodies.
• Elements:
– Competent Administrative Authority: A
government agency responsible for
registering certification and registration or
verification bodies, for recognizing the
technological standards in the Official
Electronic Signature Infrastructure, and for
overseeing that Infrastructure, as well as
for performing the other duties indicated in
these regulations.
Digital Signature Regulations –
Initial Considerations
• Throughout the world, digital certification services
operate within a framework of free competition and
are provided in accordance with international
standards and certification policies determined by
each certification body. The policies are set out in the
bodies’ respective statements of certification
practices.
• The importance of digital signatures varies according
to the type of e-business; although they do play an
important role in B2C relations they are vital for B2B
transactions, since they are the means through which
e-contracts are entered into and they provide a
means for expressing intent.
• Although digital signatures are technologically
designed to provide technical security for data
messages, they must go hand in hand with a
sound legal framework. In the case of Peru, the
soundness of the legal framework lies in the
legal validity ascribed to digital signatures.
• Such legal security must be based on creating
conditions whereby digital signatures become
the functional equivalent of handwritten
signatures and to be acknowledged as a form of
evidence.
• It must be consistent with the legal requirements
for certification of certain acts defined by current
regulations or when so requested by agents.
• Since this is a technology-based service,
regulation should not interfere with the processes
followed by certification bodies in delivering the
service.
• Otherwise the ability to provide this service might
be compromised, leading to extra costs for users
or to the creation of entry or exit barriers.
• The idea behind regulating agencies is to
guarantee continuity in the service (by ensuring
the fulfillment of the Statement of Certification
Practices of each certification body); they also
attempt to ensure that users and third parties
acting in good faith are not affected in
communications based on data messages
(whether or not these messages constitute
contracts).
OBJECTIVES OF THE
REGULATIONS
• To define the Official Electronic Signature
Infrastructure.
• To provide the framework for the use and
application of digital signatures in Peru,
giving legal validity and force to digitally
signed data messages.
• To permit the use of another type of
electronic signatures, as well as the
provision of the certification service by
domestic and foreign entities.
Validity and legal effects of electronic
signatures
• For purposes of expressing intent, e-signatures attached to or logically associated
with a data message have the same validity
and legal force as handwritten signatures, as
long as they bind and identify the signer and
ensure the authenticity and integrity of e-documents.
E-signatures constitute valid judicial evidence
in judicial and administrative proceedings as
long as they demonstrate this equivalence of
functions (Article 5).
• Barring evidence to the contrary, all electronic
signatures attached to or logically associated
with a data message and generated in
accordance with the Official Electronic
Signature Infrastructure are presumed to
comply with the requirement that they bind
and identify the signer and that they ensure
the authenticity and integrity of e-documents
(Article 6).
• Hence, they have a role vis-à-vis both users
(by guaranteeing their identification and that
they are legally bound and preventing them
from later repudiating the transaction) and e-documents.
• These regulations do not preclude compliance with additional formalities
required under other legal regulations
governing acts having legal effects, and
hence do not affect the function of persons
empowered to attest to signatures in
documents and to convert them to public
documents (Article 8).
• Hence, the role of notaries public and
certifying public officers is recognized, as far
as their work, as defined in the current legal
framework, is concerned.
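The properties that Articles 5 and 6 ask of a signature (that it binds and identifies the signer and guarantees the integrity of the e-document) and the "four principles" named earlier (authenticity, integrity, confidentiality, non-repudiation) can be made concrete with a small signing and verification round trip. The following Go program is an added example written for this page, not code from the presentation, from IPCE, or from Peru's Official Electronic Signature Infrastructure. It assumes Go's standard `crypto/ed25519` as a stand-in for whatever signature technology a certification body's practices actually mandate; the holder names, the "I AGREE" order message and the `CertificateHolder` type are constructed for illustration. Note what it does not show: a signature gives authenticity, integrity and a basis for non-repudiation, but it does not provide confidentiality, which needs encryption on top.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// CertificateHolder stands in for a digital certificate holder: the party to
// whom a key pair is exclusively assigned. Only the holder ever sees priv.
// (Constructed type for this example; the page defines the role, not the code.)
type CertificateHolder struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewHolder generates a fresh Ed25519 key pair for the named holder. In the
// Infrastructure a certification body would bind Pub to the holder's verified
// identity in a certificate; that step is outside this example.
func NewHolder(name string) (*CertificateHolder, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CertificateHolder{Name: name, Pub: pub, priv: priv}, nil
}

// Sign produces the digital signature over a data message with the holder's
// private key; exclusive possession of that key is what binds the message to
// the signer and underpins non-repudiation.
func (h *CertificateHolder) Sign(msg []byte) []byte {
	return ed25519.Sign(h.priv, msg)
}

// Verify checks a signature against the public key of the claimed signer.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// SignatureProperties records the outcome of three checks that map to the
// regulations' requirements: identify the signer, guarantee integrity.
type SignatureProperties struct {
	Authentic           bool // original message, signer's own key: verifies
	TamperDetected      bool // altered message: verification fails (integrity)
	WrongSignerDetected bool // another party's key: verification fails (identification)
}

// DemonstrateProperties signs a constructed "I AGREE" data message and runs
// the three checks. Holder names and message bodies are constructed samples.
func DemonstrateProperties() (SignatureProperties, error) {
	consumer, err := NewHolder("consumer-A")
	if err != nil {
		return SignatureProperties{}, err
	}
	merchant, err := NewHolder("merchant-B")
	if err != nil {
		return SignatureProperties{}, err
	}

	// Constructed data message: the consumer's expression of intent.
	msg := []byte(`{"order":"0001","total":"150.00","intent":"I AGREE"}`)
	sig := consumer.Sign(msg)

	// Constructed altered copy: the total has been changed after signing.
	tampered := []byte(`{"order":"0001","total":"1500.00","intent":"I AGREE"}`)

	return SignatureProperties{
		Authentic:           Verify(consumer.Pub, msg, sig),
		TamperDetected:      !Verify(consumer.Pub, tampered, sig),
		WrongSignerDetected: !Verify(merchant.Pub, msg, sig),
	}, nil
}

func main() {
	props, err := DemonstrateProperties()
	if err != nil {
		panic(err)
	}
	fmt.Printf("authentic=%t tamper_detected=%t wrong_signer_detected=%t\n",
		props.Authentic, props.TamperDetected, props.WrongSignerDetected)
}
```

Run with `go run .`; all three flags print `true`. The third check is the one that matters for "bind and identify the signer": a signature only identifies anyone if the verifier trusts that the public key belongs to that holder, which is exactly the binding the certification and registration bodies in the flowchart below are there to establish.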
Key Concepts
• How to distinguish between electronic signatures
that conform to the law and the respective
regulations and those that do not?
• Official Electronic Signature Infrastructure: A
reliable system that is regulated and overseen by
the competent administrative authorities and that is
made up of programs, equipment, standards,
policies, procedures and other resources that make
it possible to generate electronic signatures that
bind and identify the signer and guarantee the
authenticity and integrity of e-documents.
• Official Electronic Signature
Infrastructure.- Official Electronic
Signature Infrastructure based on digital
signature technology. Certification and
registration or verification bodies registered
with the Competent Administrative Authority,
which regulates and supervises them, also
play a role.
Official Electronic Signature Infrastructure
[Diagram: the Official Electronic Signature Infrastructure contains digital signatures, electronic signature X and electronic signature Z; other electronic signatures, such as electronic signature Y, lie outside it.]
OFFICIAL ELECTRONIC SIGNATURE
INFRASTRUCTURE--A FLOWCHART
Regulator:
• Competent administrative authority
Regulated Parties:
• Certification bodies
• Registration or verification bodies
Others:
• Digital certificate holders (individuals
and legal entities)
Flow-Chart of Responsibilities
[Diagram: four boxes, Competent Administrative Authority, Certification Bodies, Registration or Verification Bodies and Digital Certificate Holders, linked by the numbered relationships described below.]
[Diagram panel: arrows 1 and 2 between the Competent Administrative Authority and Certification Bodies.]
1. Certification bodies register with the CAA, and
facilitate its auditing tasks.
2. The CAA registers the CB and ensures that it
complies with the CB’s statement of certification
practices.
[Diagram panel: arrows 3 and 4 between the Competent Administrative Authority and Registration or Verification Bodies.]
3. RVBs register with the CAA and facilitate its
oversight tasks.
4. The CAA registers and oversees RVBs.
[Diagram panel: arrows 5 and 6 between Certifying Bodies and Registration or Verification Bodies.]
Once a contractual outsourcing relationship has been
established between one or more certification
bodies and one or more RVBs:
5. The CB delegates to the RVB the task of analyzing
applicants’ information.
6. The RVB verifies and validates an applicant’s
information and then instructs the CB to issue a
digital certificate.
[Diagram panel: arrows 7 and 8 between Certifying Bodies / Registration or Verification Bodies and Digital Certificate Holders.]
7. The applicant goes in person to a CB or an RVB and
applies for a digital certificate, providing reliable,
factual information.
8. The CB, whether directly or through an RVB, verifies
and validates the applicant's information, and
issues a digital certificate to the applicant.
• How to create a framework for certificate
holders that takes into account issues such
as representation and powers-of-attorney
specific to legal entities
• Objectives of the differentiation between certificate
and digital signature holders:
– To create a framework for individuals.
– To create a framework for legal entities that takes
into account the fact that they hold certificates
and, moreover, that allows them to manage their
certificates and to respond to any changes in the
powers-of-attorney of their legal representatives
and thus avoid falling prey to them.
• Digital certificate holder.- Person to whom a
digital certificate is exclusively assigned.
• Digital signature holder.- Individual with
whom a digitally signed data message is
exclusively associated, through his use of a
private key.
Exceptionally, in the case of digital signatures
generated through automated agents, the
individual or legal entity that holds the digital
certificate from which the digital signatures
are generated is considered to be the holder
of the digital signature.
• The American Bar Association (ABA)
makes a similar distinction:
ABA term | Peruvian Proposal term
– Subscriber | Digital certificate holder
– Signer | Digital signature holder
Digital Signature Holders
• Within the Official Electronic Signature
Infrastructure, responsibility for the legal
consequences stemming from the use of
digital signatures falls to the digital
certificate holder.
Role | Individuals | Legal Entities
Digital certificate holder | Same | Same
Digital signature holder | Same, even when automated agents are used. | Representatives who are duly accredited and who also generate the private keys of the digital certificates (except in the case of automated agents).
Digital Certificates: Issue
Item | Individuals | Legal Entities
Digital certificate applicant | Strictly personal. | Through duly accredited legal representatives.
Requirements for holding a digital certificate | Must have full capacity to exercise their civil rights. | Must be duly registered before the public registry.
• For legal entities, the representative
who will generate and use the private
key (the holders of the digital signature)
must be clearly specified in every case,
as well as the corresponding powers-of-attorney and authorizations.
Competent Administrative
Authority
• The regulation of digital certification
services must be pegged to existing
technology, so as to avoid regulatory
requirements that may interfere with
or disrupt certification services.
• The set of rules must be able to
regulate the market without creating
barriers to the entry of foreign
competitors.
• The Competent Administrative Authority has the
following responsibilities:
– Registering certification bodies.
– Registering registration or verification bodies.
– Overseeing registered certification and registration or
verification bodies, and, where applicable, establishing
the corresponding penalties.
– Canceling the registration of certification and
registration or verification bodies, pursuant to these
regulations.
– Publishing a list of registered entities, on an on-going
and continuous basis.
– Approving the use of international technical standards
under the Official Electronic Signature Infrastructure
and determining the degree to which other technical
standards are consistent with international standards.
• The Competent Administrative Authority has the
following responsibilities:
– Establishing minimum requirements for providing
certification and registration or verification services that
shape the policies and procedures of registered
entities.
– Determining criteria for evaluating the sufficiency of the
financial backing that registered entities are required to
have.
– Approving the use of electronic signature technologies
other than digital signatures, subject to verification that
the requirements set forth in Article 2 of the Law have
been fulfilled, and regulating the use of such
technologies in accordance with an Official Electronic
Signature Infrastructure.
– Signing mutual recognition agreements with foreign administrative authorities having similar
certificates issued by foreign certification bodies.
• The Competent Administrative Authority will
determine the procedure and timeframe for the
registration process.
• The Authority is to ensure that the procedure
provides the opportunity to correct problems
arising during the registration process.
• Registrations will remain in effect for 10 years
and may be renewed. During this period, annual
inspections will be conducted.
• Evaluations made abroad may be accepted as
long as findings are made under conditions
comparable to those in Peru.
• Registration costs will be borne by the entities
requesting registration.
LAW AND REGULATIONS GOVERNING
DIGITAL SIGNATURES AND
CERTIFICATES AND THEIR
RELATIONSHIP WITH THE CONSUMER
• The authenticity principle allows for clearer
identification of consumers who use digital
signatures while conducting transactions on the
Internet. Moreover, consumers will feel safe
when conducting transactions with companies
who also use them.
• Under the principles of integrity and non-repudiation, neither party may disavow its
actions during a transaction in which one or
both has used digital signatures.
• The use of digital signatures should be viewed
as a mechanism that is becoming an explicit
expression of intent by electronic means and
the functional equivalent of handwritten
signatures.
• Therefore, digital signatures may be used as a
form of immediate proof in legal disputes,
provided they have been used in accordance
with the Official Electronic Signature
Infrastructure. When digital signatures are not
used in this manner, judges may not refuse
them, although they may request additional
proof.
• This means that the guarantee of the identity of
the parties and the existence of a record of
expression of intent and of exchange of
information can be used by the consumer in a
consumer protection proceeding, pursuant to
the relevant law.
• Although in setting forth these entities’
obligations the regulatory framework protects
the consumer’s relationship with participating
entities within the Official Electronic Signature
Infrastructure, it also creates a series of
obligations with which the consumer must
comply.
Thank you.
Hugo Gallegos
General Manager, IPCE