Hong Kong: E-Commerce
Electronic Transactions Ordinance 2000
Effective from 7 April 2000, the Ordinance authorises the use of electronic records and electronic and digital signatures. It provides for the legal validity of digital signatures and electronic records, as well as for the retention of electronic records and their admissibility in any legal proceeding. Additionally, the Ordinance delineates the requirements for the formation of an electronic contract, and establishes regulations for the licensure of certification authorities.
The Ordinance enshrines four major principles:
- It removes any legal impediments to the conduct of electronic transactions;
- It provides certainty and security in the conduct of electronic transactions and thereby raises the confidence and trust of the public in carrying out such transactions;
- It adopts a technology neutral approach to cope with rapid technological changes;
- It adopts a minimalist regulatory approach so as not to unnecessarily constrain the development of electronic commerce in the private sector.
Some of the key language of the Ordinance is as follows:
- Digital Signature: 'Digital signature,' in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine -- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated;
- Effect of Digital Signature: If a rule of law requires the signature of a person or provides for certain consequences if a document is not signed by a person, a digital signature of the person satisfies the requirement but only if the digital signature is supported by a recognized certificate and is generated within the validity of that certificate;
- Electronic Signature: 'Electronic signature' means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authentication or approving the electronic record;
- Electronic Record: 'Electronic record' means a record generated in digital form by an information system, which can be -- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium;
- Effect of Electronic Record: If a rule of law requires information to be or given in writing or provides for certain consequences if it is not, an electronic record satisfies the requirement if the information contained in the electronic record is accessible so as to be usable for subsequent reference;
- Certification Authority: 'Certification authority' means a person who issues a certificate to a person (who may be another certification authority);
- Certificate: 'Certificate' means a record which -- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by a responsible officer of the certification authority issuing it.
The Postmaster General is authorized to be a Recognized Certification Authority under the Ordinance. Additionally, the Secretary for Information Technology and Broadcasting may make regulations governing the application procedures of certification authorities. "A certification authority may apply to the Director [of Information Technology Services] to become a recognized certification authority." The applicant must furnish the Director any particulars required by the Director, and "(b) a report which -- (i) contains an assessment as to whether the applicant is capable of complying with the provisions of this Ordinance applicable to a recognized certification authority and the code of practice; and (ii) is prepared by a person acceptable to the Director as being qualified to give such a report."
Because of the transitionary nature of the current commercial environment, certain exemptions have been included in the Ordinance, so as to allow time to build trust within the community:
- certain generic items such as wills, trusts, statutory declarations, affidavits, powers of attorney, court orders, warrants, bills of exchange, documents or instruments concerning land or property transactions, etc. are exempt from the operation of the relevant provisions in the proposed legislation;
- a mechanism is provided to exempt by means of subsidiary legislation specific rules of law from the operation of the relevant provisions in the proposed legislation;
- judicial proceedings are exempt from the operation of the relevant provisions in the proposed legislation and the authorities for making court rules are empowered to apply the relevant provisions to such proceedings when the relevant courts/tribunals are ready; and
- a mechanism is provided to specify format and procedural requirements if necessary in respect of cases whereby electronic information is accepted under a rule of law.
The Electronic Transactions Ordinance provides for the establishment of certification authorities to ensure trust and security in electronic transactions through the use of digital certificates and the use of public and private key technology. To establish a public key infrastructure that safeguards transactions conducted over open networks, Hongkong Post is already operating certification authority services on a non-exclusive basis, but the number of certification authorities to be established in Hong Kong will be determined by market demand.
Supervision of Internet Banking
Since 1997, the Hong Kong Monetary Authority (HKMA) has been issuing a series of circulars to set out its regulatory approach on e-banking services and to provide authorised institutions with recommendations on the risk management for these activities. While institutions do not need to seek formal approval from the HKMA to offer their e-banking services, they should discuss their plans and risk management measures with the HKMA in advance.
Among the issues discussed, the arrangements adopted by institutions to ensure adequate information security for their services are one of the key focuses of the HKMA. While absolute information security does not exist, institutions are expected to implement information security arrangements that are "fit for purpose", i.e. commensurate with the risks associated with the types and amounts of transactions allowed, the electronic delivery channels adopted and the risk management systems of individual institutions. To provide further recommendations to the senior management of institutions on information security, the HKMA issued in July 2000 a Guidance Note on Management of Security Risks in Electronic Banking Services.
Furthermore, the HKMA expects senior management of institutions to commission periodic independent assessments of the information security aspects of their e-banking services. The HKMA expects such independent assessments to be carried out by trusted independent experts before launch of the services, and thereafter at least once a year, or whenever there are substantial changes to the risk assessment of the services or major security breaches.
As for other banking services, the HKMA expects institutions to observe the Code of Banking Practice and the principles in it in providing e-banking services to their personal customers. There should be adequate transparency in the provision of e-banking services so as to enhance the customers' understanding of what they can reasonably expect of the services, as well as their precautionary actions in enabling adequate information security of the services.
In particular, the HKMA expects institutions to set out clearly in their terms and conditions the respective rights and obligations between the institutions and customers. Such terms and conditions should be fair and balanced to both the institutions and the customers. Customers must be made aware of their responsibilities to maintain information security in the use of electronic banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failures or human error will be apportioned between the institutions and their customers. In this regard, the HKMA's view is that unless a customer acts fraudulently or with gross negligence, such as failing to properly safeguard his password, he should not be responsible for any direct loss suffered by him as a result of unauthorised transactions conducted through his account.
The HKMA defines a virtual bank as a company which delivers banking services primarily, if not entirely, through the internet or other electronic channels. The term does not refer to existing licensed banks which make use of the internet or other electronic means as an alternative channel to deliver their products or services to customers.
In May 2000, the HKMA issued a Guideline on the Authorisation of Virtual Banks under section 16(10) of the Banking Ordinance. The Guideline sets out the principles that the HKMA takes into account in deciding whether to authorise virtual banks. The main principle is that the HKMA will not object to the establishment of virtual banks in Hong Kong provided that they can satisfy the same prudential criteria that apply to conventional banks. In summary, virtual bank applicants must satisfy the following requirements:
- maintenance of a physical presence in Hong Kong;
- maintenance of a level of security appropriate to their proposed business;
- establishment of appropriate policies and procedures to deal with the risks associated with virtual banking;
- development of a business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity;
- clearly setting out in the terms and conditions for their services the rights and obligations of customers; and
- compliance with the HKMA's guidelines on outsourcing of computer operation.
In line with existing authorisation policies for conventional banks, a locally incorporated virtual bank cannot be newly established other than through the conversion of an existing locally incorporated authorised institution. Furthermore, local virtual banks should be at least 50% owned by a well-established bank or other supervised financial institutions. Applicants incorporated overseas must come from countries with an established regulatory framework for electronic banking. In addition, they must have total assets of more than US$16 billion and will be subject to the "three-building" condition in respect of their physical offices, but not in respect of their cyber network.
Under the Banking Ordinance, overseas-incorporated institutions (including virtual banks) intending to solicit deposits from members of the public in Hong Kong would not be required to be authorised, provided that the deposits are placed overseas. However, section 92 of the Banking Ordinance makes it an offence for any person, other than an authorised institution, to issue an advertisement or invitation to members of the public in Hong Kong to make a deposit, even if it is made outside Hong Kong, unless the disclosure requirements in the Fifth Schedule to the Banking Ordinance are complied with.
They should also include a warning in their advertisements that they are not authorised under the Banking Ordinance and hence are not subject to the supervision of the HKMA. The advertisements must also contain certain specified information about the overseas institutions and the deposit scheme being advertised. The objective is to ensure that material facts are available to enable prospective depositors to make their own judgement on whether to place a deposit with the institutions concerned.
The HKMA is of the view that advertisements placed through the internet should be governed by the same principles.
Unsolicited Electronic Messages Ordinance
The Unsolicited Electronic Messages Ordinance was launched in two phases from 1 June 2007, by Hong Kong's Commerce, Industry & Technology Bureau.
Phase I of the ordinance prohibits the use of unscrupulous techniques to send a large quantity of commercial electronic messages, as well as fraud and other illicit activities related to their multiple sending. The ordinance covers electronic messages including pre-recorded promotional voice messages, fax, email, SMS and MMS messages.
The messages covered must be for commercial promotion purposes, and must have a Hong Kong link, the Deputy Secretary for Commerce, Industry & Technology Marion Lai and the Office of the Telecommunications Authority (OFTA) Assistant Director So Tat-foon explained. A Hong Kong link means the message should originate from Hong Kong, or be authorised to be sent by a person in Hong Kong or a Hong Kong company; or the message should be received in Hong Kong or sent to a Hong Kong telephone number.
Person-to-person interactive communications will be exempted. Messages sent in response to the recipient's request, invoices or receipts, non-commercial messages, and sound or video broadcasting services will also be exempted. In Phase I, the section of the ordinance which prohibits the use of unscrupulous techniques to send out large volumes of messages will be enforced by OFTA. The maximum penalty will be a fine of up to $1 million and five years in prison.
Unscrupulous techniques include using electronic address harvesting software to send commercial electronic messages without the consent of recipients, and generating electronic addresses by automated processes to send an unsolicited electronic message. Related activities include accessing a telecommunications device without authorisation to send multiple commercial electronic messages, and falsifying header information in multiple commercial electronic messages. This section of the legislation will be enforced by the police force, and warrants up to 10 years in jail.
In the second phase of implementation, which came into force in December 2007, the senders of commercial electronic messages must provide accurate sender information, provide unsubscribe facilities, and honour unsubscribe requests within 10 working days.
Senders are also required to stop sending commercial electronic messages, also known as spam, to people who list their phone or fax numbers on three do-not-call registers, to not withhold calling line identification information, and to not send electronic mail messages with misleading headings.
Other Government Initiatives
The government is trying to assist development of electronic commerce with the implementation of its Electronic Services Delivery (ESD) programme.
The first phase of the ESD scheme was launched in the latter half of 2000 for the delivery of government services online to the public via the Internet and other possible electronic means. Through ESD, the public can obtain government services 24 hours a day, seven days a week. ESD was to be implemented over an open, common information infrastructure which will be available for use by the private sector at a later stage for the conduct of electronic transactions, thus facilitating the development of electronic commerce in the territory. Under the first phase of implementation, 10 government departments and public agencies provide a range of services:
- submission of simple tax returns and tax payment
- renewal of driving and vehicle licences
- application for business registration certificates
- guides on investment in Hong Kong and advice on business licensing requirements
- payment of rates, government rent and water charges
- job search and matching service
Subsequent phases are to be implemented on an on-going basis. In the long run, the government aims to include all public services amenable to electronic delivery. Through the Interactive Government Services Directory web site (www.igsd.gov.hk), members of the public can access the web sites of the participating organizations under the scheme to apply for free electronic mail service.
Copyright Protection Bill
The Copyright (Amendment) Bill 2011, which enhances protection of copyright works in the digital environment to compete with advances in information technology, was tabled at Hong Kong’s Legislative Council on 15 June.
The bill enables co-operation between copyright owners and internet service providers (ISPs) in the fight against online infringement, and facilitates the reasonable use of copyright works in the digital environment, including e-learning.
Major proposals under the bill include introducing a technology-neutral exclusive right for copyright owners to communicate their works through any mode of electronic transmission, with ancillary criminal liability against the unauthorized communication of copyright works to the public made in the course of business, or to such an extent as to affect prejudicially the copyright owners.
It also proposes to establish a statutory "safe harbour" for ISPs so that their liability for copyright infringement occurring on their service platforms can be limited, provided they meet certain prescribed conditions, including the taking of reasonable steps to limit or stop copyright infringement when notified.
Hong Kong Cooperates With Canada
In December 2006, Hong Kong and Canada renewed a memorandum of understanding to bolster co-operation in information and communications technology.
Hong Kong's Permanent Secretary for Commerce, Industry & Technology (Communications & Technology), Francis Ho, and Canada's Department of Industry Communications Research Centre President, Veena Rawat, signed the renewed memorandum at the ITU Telecom World 2006 Hong Kong pavilion. Canada, Hong Kong's first information and communications technology MoU partner, signed the original memorandum in 1998. Both places have extended it twice since then.
Under the renewed MoU, the two places will seek co-operation in the areas of: software applications, products and policy, including multimedia and digital entertainment; Internet, e-Government, information technology security and e-Health; and information and communications infrastructure and related policy, including electronic commerce, current and future issues in telecoms policy, broadband networks and applications, and wireless technologies and services.
"Rapid advancement in technology has led to the increasing convergence of the two sectors. Hong Kong needs to review its overall regulatory regimes to meet the challenges arising from such changes effectively. As the first step of this review, we propose to restructure the regulatory institutional arrangements by merging the two existing regulators, the Broadcasting Authority (BA) and the Telecommunications Authority (TA)," a spokesman for the Commerce and Economic Development Bureau said.
Under the Bill, the CA will administer and enforce the existing Broadcasting Ordinance (BO), the Broadcasting Authority Ordinance which is to be renamed, the Telecommunications Ordinance (TO) and the Unsolicited Electronic Messages Ordinance. The existing statutory powers and functions of the BA and the TA will be transferred to the CA.
The CA will be a governing board and comprise no fewer than five and no more than ten non-official Members (including a non-official Chairperson), a public officer and the Director-General of Communications (DG Com) as an ex-officio Member. Except for the DG Com, all other Members of the CA will be appointed by the Chief Executive.
"We originally proposed to appoint only five non-official Members to the CA. In response to the views received in rounds of public consultation, we propose to allow flexibility to increase the number of non-official Members," said the spokesman.
The Government proposes to form the executive arm of the CA by merging the Broadcasting Division of the Television and Entertainment Licensing Authority (TELA) and the Office of the Telecommunications Authority. The executive arm will be a government department named the Office of the Communications Authority (OFCA) which will operate as a trading fund. The department will be headed by DG Com. On review, the Administration also proposes to disband the TELA and transfer its functions in respect of the control of indecent and obscene articles, film censorship and newspaper registration to the OFCA. These activities will be funded by the Government under a new General Revenue Head. The TELA's functions relating to issuing entertainment licences will be taken up by the Home Affairs Department.