Hong Kong: E-Commerce
Electronic Transactions Ordinance 2000
The Ordinance was effective from April 7, 2000 and amended in 2004. It authorises the use of electronic and digital signatures, and electronic records. It provides for the legal validity of digital signatures and electronic records, as well as for the retention of electronic records and their admissibility in any legal proceeding. Additionally, the Ordinance delineates the requirements for the formation of an electronic contract, and establishes regulations for the licensure of certification authorities.
The Ordinance enshrines four major principles:
- It removes any legal impediments to the conduct of electronic transactions;
- It provides certainty and security in the conduct of electronic transactions and thereby enhances the confidence and trust of the public in carrying out such transactions;
- It adopts a technology-neutral approach to cope with rapid technological changes;
- It adopts a minimalist regulatory approach so as not to unnecessarily constrain the development of electronic commerce in the private sector.
Some of the key language of the Ordinance is as follows:
- Digital Signature: 'Digital signature,' in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine -- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated;
- Effect of Digital Signature: If a rule of law requires the signature of a person or provides for certain consequence if a document is not signed by a person, a digital signature of the person satisfies the requirement but only if the digital signature is supported by a recognized certificate and is generated within the validity of that certificate;
- Electronic Signature: 'Electronic signature' means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authentication or approving the electronic record;
- Electronic Record: 'Electronic record' means a record generated in digital form by an information system, which can be -- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium;
- Effect of Electronic Record: If a rule of law requires information to be or given in writing or provides for certain consequences if it is not, an electronic record satisfies the requirement if the information contained in the electronic record is accessible so as to be usable for subsequent reference;
- Certification Authority: 'Certification authority' means a person who issues a certificate to a person (who may be another certification authority);
- Certificate: 'Certificate' means a record which -- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by a responsible officer of the certification authority issuing it.
Because of the transitory nature of the current commercial environment, certain exemptions have been included in the Ordinance, to allow time to build trust within the community:
- certain generic items such as wills, trusts, statutory declarations, affidavits, powers of attorney, court orders, warrants, bills of exchange, documents or instruments concerning land or property transactions, etc. are exempt from the operation of the relevant provisions in the proposed legislation;
- a mechanism is provided to exempt by means of subsidiary legislation specific rules of law from the operation of the relevant provisions in the proposed legislation;
- judicial proceedings are exempt from the operation of the relevant provisions in the proposed legislation and the authorities for making court rules are empowered to apply the relevant provisions to such proceedings when the relevant courts/tribunals are ready; and
- a mechanism is provided to specify format and procedural requirements if necessary in respect of cases whereby electronic information is accepted under a rule of law.
The Electronic Transactions Ordinance provides for the establishment of certification authorities to ensure trust and security in electronic transactions through the use of digital certificates and the use of public and private key technology. Through the establishment of a public key infrastructure to safeguard secure transactions conducted over open networks, Hong Kong Post is already operating certification authority services on a non-exclusive basis, but the number of certification authorities to be established in Hong Kong will be determined by market demand.
Supervision Of Internet Banking
Since 1997, the Hong Kong Monetary Authority (HKMA) has been issuing a series of circulars to set out its regulatory approach on e-banking services and to provide authorised institutions with recommendations on the risk management for these activities. While institutions do not need to seek formal approval from the HKMA to offer their e-banking services, they should discuss their plans and risk management measures with the HKMA in advance.
Among the issues discussed, the arrangements adopted by institutions to ensure adequate information security for their services are one of the key focuses of the HKMA. While absolute information security does not exist, institutions are expected to implement information security arrangements that are "fit for purpose", i.e. commensurate with the risks associated with the types and amounts of transactions allowed, the electronic delivery channels adopted and the risk management systems of individual institutions. To provide further recommendations to the senior management of institutions on information security, the HKMA issued in July 2000 a Guidance Note on Management of Security Risks in Electronic Banking Services.
Furthermore, the HKMA expects senior management of institutions to commission periodic independent assessments of the information security aspects of their e-banking services. The HKMA expects such independent assessments to be carried out by trusted independent experts before launch of the services, and thereafter at least once a year, or whenever there are substantial changes to the risk assessment of the services or major security breaches. To this end, the HKMA issued in September 2000 a Guidance Note on Independent Assessment of Security Aspects of Transactional E-banking Services.
As for other banking services, the HKMA expects institutions to observe the Code of Banking Practice and the principles in it in providing e-banking services to their personal customers. There should be adequate transparency in the provision of e-banking services so as to enhance the customers' understanding of what they can reasonably expect of the services, as well as their precautionary actions in enabling adequate information security of the services.
In particular, the HKMA expects institutions to set out clearly in their terms and conditions the respective rights and obligations between the institutions and customers. Such terms and conditions should be fair and balanced to both the institutions and the customers. Customers must be made aware of their responsibilities to maintain information security in the use of electronic banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failures or human error will be apportioned between the institutions and their customers. In this regard, the HKMA's view is that unless a customer acts fraudulently or with gross negligence, such as failing to properly safeguard his password, he should not be responsible for any direct loss suffered by him as a result of unauthorised transactions conducted through his account.
The HKMA defines a virtual bank as a company which delivers banking services primarily, if not entirely, through the internet or other electronic channels. The term does not refer to existing licensed banks which make use of the internet or other electronic means as an alternative channel to deliver their products or services to customers.
In May 2000, the HKMA issued a Guideline on the Authorisation of Virtual Banks under section 16(10) of the Banking Ordinance. The Guideline sets out the principles that the HKMA takes into account in deciding whether to authorise virtual banks. The main principle is that the HKMA will not object to the establishment of virtual banks in Hong Kong provided that they can satisfy the same prudential criteria that apply to conventional banks. In summary, virtual bank applicants must satisfy the following requirements:
- maintenance of a physical presence in Hong Kong;
- maintenance of a level of security appropriate to their proposed business;
- establishment of appropriate policies and procedures to deal with the risks associated with virtual banking;
- development of a business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity;
- clearly setting out in the terms and conditions for their services the rights and obligations of customers; and
- compliance with the HKMA's guidelines on outsourcing of computer operation.
In line with existing authorisation policies for conventional banks, a locally incorporated virtual bank cannot be newly established other than through the conversion of an existing locally incorporated authorised institution. Furthermore, local virtual banks should be at least 50 percent owned by a well-established bank or other supervised financial institutions. Applicants incorporated overseas must come from countries with an established regulatory framework for electronic banking. In addition, they must have total assets of more than USD16 billion and will be subject to the "three-building" condition in respect of their physical offices, but not in respect of their cyber network.
Under the Banking Ordinance, overseas-incorporated institutions (including virtual banks) intending to solicit deposits from members of the public in Hong Kong would not be required to be authorised, provided that the deposits are placed overseas. However, section 92 of the Banking Ordinance makes it an offence for any person, other than an authorised institution, to issue an advertisement or invitation to members of the public in Hong Kong to make a deposit, even if it is made outside Hong Kong, unless the disclosure requirements in the Fifth Schedule to the Banking Ordinance are complied with. Such institutions should include a warning in their advertisements that they are not authorised under the Banking Ordinance and hence are not subject to the supervision of the HKMA. The advertisements must also contain certain specified information about the overseas institutions and the deposit scheme being advertised. The objective is to ensure that material facts are available to enable prospective depositors to make their own judgement on whether to place a deposit with the institutions concerned.
The HKMA is of the view that advertisements placed through the internet should be governed by the same principles.
The Unsolicited Electronic Messages Ordinance was launched in two phases from June 1, 2007, by Hong Kong's Commerce, Industry & Technology Bureau.
Phase I of the ordinance prohibits the use of unscrupulous techniques to send a large quantity of commercial electronic messages, as well as fraud and other illicit activities related to their multiple sending.
The ordinance covers electronic messages including pre-recorded promotional voice messages, fax, email, SMS and MMS messages.
The messages covered must be for commercial promotion purposes, and must have a Hong Kong link.
A Hong Kong link means the message should originate from Hong Kong, or be authorised to be sent by a person in Hong Kong or a Hong Kong company; or the message should be received in Hong Kong or sent to a Hong Kong telephone number.
Person-to-person interactive communications will be exempted. Messages sent in response to the recipient's request, invoices or receipts, non-commercial messages, and sound or video broadcasting services will also be exempted.
In Phase I, the section of the ordinance which prohibits the use of unscrupulous techniques to send out large volumes of messages will be enforced by OFTA. The maximum penalty will be a fine of up to HKD1 million and five years in prison.
Unscrupulous techniques include using electronic address harvesting software to send commercial electronic messages without the consent of recipients, and generating electronic addresses by automated processes to send an unsolicited electronic message. Related activities include accessing a telecommunications device without authorisation to send multiple commercial electronic messages, and falsifying header information in multiple commercial electronic messages.
This section of the legislation will be enforced by the police force, and carries a penalty of up to 10 years in jail.
In the second phase of implementation, which came into force in December 2007, the senders of commercial electronic messages must provide accurate sender information, provide unsubscribe facilities, and honour unsubscribe requests within 10 working days.
Senders are also required to stop sending commercial electronic messages, also known as spam, to people who list their phone or fax numbers on three do-not-call registers, to not withhold calling line identification information, and to not send electronic mail messages with misleading headings.
Other Government Initiatives
The government is trying to assist development of electronic commerce with the implementation of its Electronic Services Delivery (ESD) programme.
The first phase of the ESD scheme was launched in the latter half of 2000 for the delivery of government services online to the public via the Internet and other possible electronic means. Through ESD, the public can obtain government services 24 hours a day, seven days a week. ESD was to be implemented over an open, common information infrastructure which will be available for use by the private sector at a later stage for the conduct of electronic transactions, thus facilitating the development of electronic commerce in the territory.
Under the first phase of implementation, 10 government departments and public agencies provide a range of services:
- submission of simple tax returns and tax payment
- renewal of driving and vehicle licenses
- application for business registration certificates
- guides on investment in Hong Kong and advice on business licensing requirements
- payment of rates, government rent and water charges
- job search and matching service
In the long run, the government aims to include all public services amenable to electronic delivery.
Copyright Protection Bill
The Copyright (Amendment) Bill 2011, which enhances protection of copyright works in the digital environment to compete with advances in information technology, was tabled at Hong Kong’s Legislative Council on June 15, 2011. The bill was reintroduced by the Government in June 2014 as the Copyright (Amendment) Bill 2014 after the previous bill lapsed. Key proposals under the Bill include:
- introducing a technology-neutral exclusive right for copyright owners to communicate their works through any mode of electronic transmission. The new right will assist copyright owners in exploiting their works in the digital environment and promote the development of digital content;
- introducing corresponding criminal sanctions against unauthorized communication of copyright works to the public. To allay concerns about the possible impact on the free flow of information across the Internet and to provide greater legal certainty, the legislation will clarify the criminal liability of causing prejudice to the copyright owner and provide that the court will examine all the circumstances of a case and in particular the economic prejudice, having regard to whether the infringing copy amounts to a substitution for the work;
- expanding the scope of copyright exception under the existing law to balance copyright protection and reasonable uses of copyright works and to protect users' freedom of expression, by exempting criminal and civil liabilities for the following purposes in appropriate circumstances:
  - parody, satire, caricature and pastiche;
  - commenting on current events;
  - temporary reproduction of copyright works by Online Service Providers (OSPs), which is technically required for the digital transmission process to function efficiently;
  - media shifting of sound recordings;
  - giving educational instructions (especially for distance learning) and facilitating daily operations of libraries, archives and museums;
- establishing a statutory "safe harbor" for OSPs so that their liabilities for copyright infringement occurring on their service platforms could be limited, provided OSPs meet certain prescribed conditions, including the taking of reasonable steps to limit or stop copyright infringement when notified. The proposal aims at facilitating OSPs’ handling of alleged infringements while balancing the interests between copyright owners and users; and
- introducing additional factors for the court to consider in assessing damages in civil cases in which infringement has been established.
The Communications Authority (CA) is an independent statutory body established under the Communications Authority Ordinance (Cap. 616) (CAO) on April 1, 2012. Its role is to regulate the broadcasting and telecommunications industries in Hong Kong in accordance with the Broadcasting Ordinance (BO) (Cap. 562), the Telecommunications Ordinance (TO) (Cap. 106), the Unsolicited Electronic Messages Ordinance (UEMO) (Cap. 593), CAO, and the Broadcasting (Miscellaneous Provisions) Ordinance (B(MP)O) (Cap. 391).
The above Ordinances empower the CA to perform the following functions:
- tendering advice to the Secretary for Commerce and Economic Development on any legislation, legislative proposals and regulatory policies relating to telecommunications, broadcasting, anti-spamming or activities connected with the telecommunications or broadcasting sectors;
- making recommendations to the Chief Executive in Council (CE in C) on applications for and renewal of domestic free television program service licenses, domestic pay television program service licenses and sound broadcasting licenses;
- granting and renewing non-domestic television program service licenses and other licensable television program service licenses;
- preparing and revising codes of practice setting program, advertising and technical standards for television and radio;
- dealing with complaints about broadcasting and telecommunications and imposing sanctions on the broadcasters and telecommunications operators for contravening the various provisions and requirements;
- handling the licensing, financial monitoring and regulation of telecommunications and broadcasting licensees in Hong Kong;
- managing and administering the radio frequency spectrum and the telecommunications numbers;
- developing technical standards and conducting equipment testing in line with international best practices, and ensuring satisfactory performance of the certification bodies in carrying out certification and testing against the prescribed technical standards;
- facilitating fixed operators to access buildings to install in-building telecommunications facilities for the conveyance of telecommunications and broadcasting services;
- conducting examination and issuing certificates for the operating personnel of radiocommunications systems;
- enforcing the prohibition of misleading or deceptive provisions in the TO (Cap. 106);
- enforcing the competition provisions under the BO (Cap. 562) and TO (Cap. 106); and
- enforcing the UEMO (Cap. 593).