Chapter 1: General Principles
1.
This Act is enacted to encourage the use of an electronic signature, ensure the security of electronic signatures, and facilitate the development of the digital economy, smart government and digital services.
If provisions of this Act are not applicable to judicial procedure, a public announcement thereof shall be made by the Judicial Yuan or the Ministry of Justice.
2.
The terms of this Act are defined as follows:
(1)
"electronic record" means a record in electronic form, which is made of any text, sound, picture, image, symbol, or other information generated by electronic or other means
not directly recognizable by human perceptions, and which is capable of conveying its intended information.
(2)
"electronic signature" means data attached to and associated with an electronic record, and executed with the intention of identifying and authenticating the identity or qualification
of the signatory of the electronic record and verifying the electronic record.
(3)
"digital signature" means a kind of electronic signature generated by the use of a mathematical algorithm or other cryptographic means to create a certain length of digital data encrypted by the signatory's private key, and capable of being verified by the public key and supported by a certificate issued by a certification authority.
(4)
"encrypt" means to cipher an electronic record by a mathematical algorithm or other means.
(5)
"certification authority" means a government agency or a juristic person that issues certificates.
(6)
"certificate" means an electronic attestation which links signature-verification data to a person and confirms the identity and attribute of that person.
(7)
"certification practice statement" means a practice statement announced by a certification authority to specify the practices that the certification authority employs in issuing
certificates and managing other certification-related services.
(8)
"information system" means a system that generates, sends, receives, stores, or otherwise processes information or data in electronic form.
The competent authority may announce the electronic signature technology with effect of an electronic signature, and review it in a timely manner.
3.
The competent authority of this Act shall be the Ministry of Digital Affairs.
Chapter 2: Electronic record and electronic signature
4.
If an electronic record and an electronic signature satisfy requirements of this
Act and are functionally equivalent to a physical document and signature, their legal effect may not be denied only for the reason of their electronic form.
5.
The requirement for the use of a document and a signature is satisfied by using
an electronic record and an electronic signature.
Where a law or regulation requires that information be provided in writing, if the content of the information can be presented in its integrity and remains accessible for subsequent
reference, the requirement is satisfied by providing an electronic record.
Where a law or regulation requires a signature or seal, the requirement is satisfied by using an electronic signature.
If the use of a document or a signature under the preceding three paragraphs involves another party, unless the counterparty has agreed to the use of electronic form, the counterparty shall be provided with the opportunity of objection thereto within a reasonable period and in a reasonable manner, and the counterparty shall be informed that if no objection is raised, it shall be presumed to have agreed to the use of electronic form.
The aforesaid counterparty may indicate the discontinuance of the use of electronic form at any time; provided, however, the effect of legal acts conducted in electronic form before its indication of discontinuance shall not be affected.
6.
Where a digital signature employed in an electronic record satisfies the following
requirements, it shall be presumed as the signature or seal affixed in person:
(1)
it shall be supported by a certificate issued by a certification authority which has been approved by the competent authority in accordance with Article 12 or Article 15; and
(2)
the certificate has not exceeded its validity period and its limitation of use.
7.
Where a law or regulation requires a document to be presented in its original
form or exemplification, the requirement is satisfied by providing an electronic record, and that the content of the document can be presented in its integrity and remains accessible for subsequent reference. The preceding rule shall not apply in the situation
where verification of handwriting, seals, or other methods for authenticating the integrity of a document is required, or where a law or regulation provides otherwise.
The requirement for the content of a document to be presented in its integrity in accordance with the first paragraph does not apply to the additional information arising in the course
of sending, receiving, storing, and displaying in the electronic form.
8.
Where a law or regulation requires a document to be retained, if the content
of the document can be presented in its integrity and remains accessible for subsequent reference, the requirement is satisfied by retaining an electronic record.
The electronic record under the preceding paragraph may be retained together with its dispatch place, receiving place, internet protocol address, record of signing process, date, time,
and other information or data sufficient to verify or authenticate contents of the electronic record.
9.
The time of dispatch of an electronic record occurs when it enters the information
system outside the control of the originator, unless otherwise agreed by the parties or otherwise announced by a government agency, in each case, such agreement or announcement shall be followed.
Unless otherwise agreed between the parties or announced by government agencies, the time of receipt of an electronic record is determined as follows:
(1)
if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs at the time when the electronic record enters the designated
information system; or if the electronic record is sent to an information system that is not the designated information system, at the time when the electronic record is retrieved by the addressee.
(2)
if the addressee has not designated an information system, receipt occurs at the time when the electronic record enters an information system of the addressee.
10.
The dispatch place of the electronic record shall be the place where the originator has
its place of business, and the receiving place of the same shall be the place where the addressee has its place of business, unless otherwise agreed by the parties or otherwise announced by a government agency, in each case, such agreement or announcement
shall be followed.
If the originator or the addressee has more than two places of business, the place of dispatch or receipt is the place that has the closest relationship to the underlying transaction
or communication, or where there is no underlying transaction or communication, the principal place of business.
If the originator or addressee does not have a place of business, the domicile shall be deemed to be the place of dispatch or receipt.
11.
The application of Paragraphs 1 to 3 of Article 5 and Paragraph 1 of Article 8 may be exempted by law.
A government agency may otherwise announce the application technology and procedure in Article 5 and Article 8. Such announcement shall be fair and reasonable, and shall not provide
preferential treatment without proper justifications.
Chapter 3: Management of digital signature certification authorities
12.
Prior to providing services for issuing certificates, a certification authority shall file
the certification practice statement stating its operational processes related to the practice or certification services of the certification authority to the competent authority for approval. The same rule shall also apply in the event that there is any modification
in the certification practice statement.
The certification authority shall publish the approved certification practice statement on its website to the general public for reference. The same rule shall also apply in the event
that there is any modification in the certification practice statement.
The competent authority shall announce a list of certification authorities whose certification practice statements have been
approved, and the versions and the approval numbers of their certification practice statements.
A certification practice statement under Paragraph 1 shall state the following matters, the specific contents of which shall be announced by the competent authority:
(1)
significant information that could affect the trustworthiness of a certificate issued by the certification authority or the certification authority's operation;
(2)
grounds for the certification authority to revoke a certificate without being requested;
(3)
retention of the information related to the verification of the content of a certificate;
(4)
methods and procedures implemented to protect the personal data; and
(5)
other important information mandated by the competent authority.
13.
Prior to termination of its services, a certification authority shall complete the following
measures:
(1)
notice shall be given to the competent authority at least thirty days prior to the termination.
(2)
any service relevant to a certificate that is still valid at the time of termination shall be assigned to another certification authority to take over.
(3)
notice of termination of services and the assignment of valid certificates to another certification authority shall be given to the parties at least thirty days
prior to the termination.
(4)
the certification authority shall transfer its archives and records to the assigned certification authority.
In the event that no other certification authority is willing to take over the services pursuant to the second subparagraph in the first paragraph of this article, the competent authority may appoint a certification authority to take over. If necessary,
the competent authority may revoke any certificate that is still valid at the time by public announcement.
The preceding paragraph is also applicable to the certification authority whose operation has been suspended pursuant to this Act or otherwise.
14.
A certification authority shall be liable for any damage caused by its operation or other
certification-related process to the parties, or to a bona fide person who relies on the certificate, unless the certification authority proves that it has not acted negligently.
Where a certification authority clearly specifies the limitation for the use of the certificate, it shall not be liable for any damage arising from a contrary use.
15.
Under the principles of equivalent secure requirements and conforming to international reciprocity
or technical interoperability and cooperation, a certificate issued by a certification authority organized or registered pursuant to foreign law shall be equivalent to the one issued by a domestic certification authority, provided that the foreign certification
authority has been approved by the competent authority.
In respect of permission under the preceding paragraph, the regulations on application procedure, examination method, approval conditions, cause for revocation of approval, and other
relevant matters shall be prescribed by the competent authority.
The competent authority shall announce a list of the certification authorities approved pursuant to the first paragraph.
Chapter 4: Penalty provisions
16.
If a certification authority whose certification practice statement has not been approved by the competent authority provides the service of issuing certificates in violation of the requirement of the first half of Paragraph 1 of Article 12, the competent authority may order it to make correction within a time limit, and may impose a fine at a minimum of NT$1 million but not exceeding NT$5 million; if the correction has not been made upon expiration of such time limit, the fine may be imposed for each violation. If the violation by the certification authority is severe, the competent authority may also suspend its operation in part or in whole.
17.
If a certification authority has any of the following circumstances, the competent authority may order it to make correction within a time limit, and may impose a fine at a minimum of NT$50 thousand but not exceeding NT$500 thousand; if the correction has not been made upon expiration of such time limit, the fine may be imposed for each violation:
(1)
it provides the service not in compliance with the approved certification practice statement.
(2)
it provides the service of issuing certificates according to contents of the modified certification practice statement, which has not been filed for approval in accordance with the requirement of the second half of Paragraph 1 of Article 12.
18.
If a certification authority has any of the following circumstances, the competent authority may order it to make correction within a time limit, and may impose a fine at a minimum of NT$20 thousand but not exceeding NT$200 thousand; if the correction has not been made upon expiration of such time limit, the fine may be imposed for each violation:
(1)
it fails to publish the approved certification practice statement or the approved modification thereof on its website in accordance with the requirement of Paragraph 2 of Article 12.
(2)
it fails to give a notice within the prescribed period, fails to provide a notice or to process the transfer within the prescribed period before termination of its service in accordance with the requirement of Subparagraph 1, Subparagraph 3 or Subparagraph 4 of Paragraph 1 of Article 13.
Chapter 5: Supplementary provisions
19.
The competent authority shall periodically collect the status of application of electronic
signatures in our country, and conduct the investigation or research relating to international laws and regulations and market demands, and shall publish them annually.
20.
In respect of the exemption of application of this Act announced by a government agency
before the enforcement of amendment to this Act in accordance with the former Paragraph 3 of Article 4, Paragraph 3 of Article 6, or Paragraph 2 of Article 9, such announcement ceases to apply one year after the date of enforcement of amendment to this Act.
However, if agreed by the competent authority, it may be extended one time for a maximum of two years.
21.
The enforcement rules of this Act shall be prescribed by the competent authority.
22.
This Act shall be enforced from the date of its announcement.