Electronic Signatures Act
Note: This translation is prepared solely for
reference purposes. In the event of any discrepancy with the
English translation, the original stipulations in the
Chinese-language version shall govern.
Article 1
This Act is enacted to encourage the use of electronic
transactions, ensure the security of electronic transactions,
and facilitate the development of electronic government and
electronic commerce.
For matters not provided in this Act, the provisions of other
applicable laws shall govern.
Article 2
The terms of this Act are defined as follows:
- "electronic record" means a record in electronic form, which
is made of any text, sound, picture, image, symbol, or other
information generated by electronic or other means not directly
recognizable by human perceptions, and which is capable of
conveying its intended information.
- "electronic signature" means data attached to and associated
with an electronic record, and executed with the intention of
identifying and verifying the identity or qualification of the
signatory of the electronic record and authenticating the
electronic record.
- "digital signature" means an electronic signature generated by
the use of mathematic algorithm or other means to create a
certain length of digital data encrypted by the signatory’s
private key, and capable of being verified by the public key.
- "encrypt" means to cipher an electronic document by mathematic
algorithm or other means.
- "certification service provider" means a government agency or
a juristic person that issues certificates.
- "certificate" means an electronic attestation which links
signature-verification data to a person and confirms the
identity and attribute of that person.
- "certification practice statement" means a practice statement
published by a certification service provider to specify the
practices that the certification service provider employs in
issuing certificates and managing other certification-related
services.
- "information system" means a system that generates, sends,
receives, stores, or otherwise processes information or data in
electronic form.
Article 3
The competent authority of this Act shall be the Ministry of
Economic Affairs.
Article 4
With the consent of the other party, an electronic record can be
employed as a declaration of intent.
Where a law or regulation requires that information be provided
in writing, if the content of the information can be presented
in its integrity and remains accessible for subsequent
reference, with the consent of the other party, the requirement
is satisfied by providing an electronic record.
By stipulation of a law or regulation or prescription of a
government agency, the application of the two preceding
paragraphs may be exempted, or otherwise require that particular
technology or procedure be followed. In the event that
particular technology or procedure is required, the stipulation
or prescription shall be fair and reasonable, and shall not
provide preferential treatment without proper justifications.
Article 5
Where a law or regulation requires a document to be presented in
its original form or exemplification, the requirement is
satisfied by providing an electronic record, provided that the
document is generated in electronic form, and that the content
of the document can be presented in its integrity and remains
accessible for subsequent reference. The preceding rule shall
not apply in the situation where verification of handwriting,
seals, or other methods for authenticating the integrity of a
document is required, or where a law or regulation provides
otherwise.
The requirement for the content of a document to be presented in
its integrity in accordance with the first paragraph does not
apply to the additional information in the electronic form
arising in the course of sending, receiving, storing, and
displaying in the electronic form.
Article 6
Where a law or regulation requires a document to be retained, if
the content of the document can be presented in its integrity
and remains accessible for subsequent reference, the requirement
is satisfied by retaining an electronic record.
In all cases, the electronic record stipulated in the preceding
paragraph shall be limited to the one which is capable of
retaining, along with its main content, the information
regarding its dispatch place, receiving place, date, and
information or data to verify or authenticate the integrity of
the electronic record.
By stipulation of a law or regulation or prescription of a
government agency, the application of the first paragraph may be
exempted, or otherwise require that particular technology or
procedure be followed. In the event that particular technology
or procedure is required, the stipulation or prescription shall
be fair and reasonable, and shall not provide
preferential treatment without proper justifications.
Article 7
Unless otherwise agreed between the originator and the addressee
or prescribed by government agencies, the time of dispatch of an
electronic record occurs when it enters the information system
outside the control of the originator or the person who sent the
electronic record on behalf of the originator.
Unless otherwise agreed between the originator and the addressee
or prescribed by government agencies, the time of receipt of an
electronic record is determined as follows:
1. if the addressee has designated an information system for the
purpose of receiving electronic records, receipt occurs at the
time when the electronic record enters the designated
information system; or if the electronic record is sent to an
information system that is not the designated information
system, at the time when the electronic record is retrieved by
the addressee.
2. if the addressee has not designated an information system,
receipt occurs at the time when the electronic record enters an
information system of the addressee.
Article 8
An electronic record is deemed to be dispatched at the place
where the originator has its place of business, and is deemed to
be received at the place where the addressee has its place of
business.
If the originator or the addressee has more than one place of
business, the place of dispatch or receipt is the place
that has the closest relationship to the underlying transaction
or communication, or where there is no underlying transaction or
communication, the principal place of business.
If the originator or addressee does not have a place of
business, the domicile shall be deemed to be the place of
dispatch or receipt.
Article 9
Where a law or regulation requires a signature or seal, with the
consent of the other party, the requirement is satisfied by
using an electronic signature.
By stipulation of a law or regulation or prescription of a
government agency, the application of the preceding paragraph
may be exempted, or otherwise require that particular technology
or procedure be followed. In the event that particular
technology or procedure is required, the stipulation or
prescription shall be fair and reasonable, and shall not
provide preferential treatment without proper
justifications.
Article 10
Where a digital signature is employed in an electronic record,
for the first paragraph of Article 9 to be applicable, the
digital signature shall meet the following requirements:
1. it shall be supported by a certificate issued by a
certification service provider whose certification practice
statement is approved in accordance with Article 11 or which is
permitted in accordance with Article 15; and
2. the certificate is still valid and is not used contrary to its
limitation of use.
Article 11
Prior to providing services for issuing certificates to the
public, a certification service provider shall file the
certification practice statement stating its operational
processes related to the practice or certification services of
the certification service provider to the competent authority
for approval. After the approval, the certification service
provider shall publish the approved certification practice
statement on its Internet website to the general public for
reference. The preceding rule shall also apply in the event that
there is any modification in the certification practice
statement.
A certification practice statement shall include the following
information:
- significant information that could affect the trustworthiness
of a certificate issued by the certification service provider or
the certification service provider's operation;
- grounds for the certification service provider to revoke a
certificate without being requested;
- retention of the information related to the verification of
the content of a certificate;
- methods and procedures implemented to protect the personal
information; and
- other important information mandated by the competent
authority.
A certification service provider that has been providing
services for issuing certificates prior to the effective date of
this Act shall file a certification practice statement to the
competent authority for approval within six months after the
effective date of this Act. In such case, the certification
service provider may continue providing services for issuing
certificates before obtaining the competent authority’s
approval.
The competent authority shall publish a list of the
certification service providers whose certification practice
statements have been approved.
Article 12
A certification service provider that fails to comply with the
preceding article may be fined, subject to the discretion of the
competent authority, at a minimum of NTD 1 million but not
exceeding NTD 5 million. The competent authority may also
require that the certification service provider cure the
non-compliance within a specified period. The fine may be
imposed repeatedly in the case of persisting non-compliance
after the specified period. Should the non-compliance of the
certification service provider be severe, the competent
authority may also suspend its operation in part or in whole.
Article 13
Prior to termination of its services, a certification service
provider shall complete the following measures:
- notice shall be given to the competent authority at least
thirty days prior to the termination.
- any service relevant to a certificate that is still valid at
the time of termination shall be assigned to another
certification service provider to take over.
- notice of termination of services and the assignment of valid
certificates to another certification service provider shall be
given to the parties at least thirty days prior to the
termination.
- the certification service provider shall transfer its
archives and records to the assigned certification service
provider.
In the event that no other certification service provider is
willing to take over the services pursuant to the second
subparagraph in the first paragraph of this article, the
competent authority may appoint a certification
service provider to take over. If necessary, the
competent authority may revoke any certificate that is still
valid at the time by public announcement.
The preceding paragraph is also applicable to the certification
service provider whose operation has been suspended pursuant to
this Act or otherwise.
Article 14
A certification service provider shall be liable for any damage
caused by its operation or other certification-related process
to the parties, or to a bona fide person who relies on the
certificate, unless the certification service provider proves
that it has not acted negligently.
Where a certification service provider clearly specifies the
limitation for the use of the certificate, it shall not be
liable for any damage arising from a contrary use.
Article 15
Under the principles of reciprocity and equivalent secure
requirements, a certificate issued by a certification service
provider organized or registered pursuant to foreign law shall
be equivalent to the one issued by a domestic certification
service provider in the Republic of China, provided that the
foreign certification service provider has been permitted by the
competent authority.
The regulation for permitting the certification service
providers specified in the preceding paragraph shall be
prescribed by the competent authority.
The competent authority shall publish a list of the
certification service providers permitted pursuant to
the first paragraph.
Article 16
The enforcement rules of this Act shall be prescribed by the
competent authority.
Article 17
The effective date of this Act shall be determined by the
Executive Yuan.