The Royal Government
No……………
SUB-DECREE
on
ELECTRONIC TRANSACTIONS
************
- Having seen the constitution of the Kingdom of Cambodia,
- Having seen Reach Kret No. NS/RNT/1198/72 of November 30, 1998 on the Appointment of the Royal Government of Cambodia,
- Having seen Reach Kram No. NS/RKM/94/02, dated July 20, 1994, promulgating the Law on the Organization and Functioning of the council of Ministers,
- Having seen Reach Kram No.NS/RKM/0196/20, dated January 24, 1996, regarding the Law on the Establishment of the Ministry of Posts and Telecommunications,
- Having seen the Sub-decree No. 66/GNRBK, dated October 22, 1997 on the Organization and Conduct of the Ministry of Posts and Telecommunications,
- Pursuant to the request of the Minister of Posts and Telecommunications,
HEREBY DECIDES
PART I
PRELIMINARY
Interpretation
Article 1.
In this Sub-Decree, unless the context otherwise requires —
"asymmetric cryptosystem" means a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key to verify the digital signature;
"authorised officer" means a person authorised by the Minister or the Controller;
"certificate" means a record issued for the purpose of supporting digital signatures which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair;
"certification authority" means a person who or an organisation that issues a certificate;
"certification practice statement" means a statement issued by a certification authority to specify the practices that the certification authority employs in issuing certificates;
"Controller" means the Controller of Certification Authorities appointed under section 29 (1) and includes a Deputy or an Assistant Controller of Certification Authorities appointed under section 29 (2);
"digital signature" means an electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can accurately determine —
(a) whether the transformation was created using the private key that corresponds to the signer's public key; and
(b) whether the initial electronic record has been altered since the transformation was made;
"electronic record" means a record generated, communicated, received or stored by electronic, magnetic, optical or other means in an information system or for transmission from one information system to another;
"electronic signature" means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted with the intention of authenticating or approving the electronic record;
"hash function" means an algorithm mapping or translating one sequence of bits into another, generally smaller, set (the hash result) such that —
(a) a record yields the same hash result every time the algorithm is executed using the same record as input;
(b) it is computationally infeasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and
(c) it is computationally infeasible that 2 records can be found that produce the same hash result using the algorithm;
"information" includes data, text, images, sound, codes, computer programs, software and databases;
"key pair" in an asymmetric cryptosystem, means a private key and its mathematically related public key, having the property that the public key can verify a digital signature that the private key creates;
"private key" means the key of a key pair used to create a digital signature;
"public key" means the key of a key pair used to verify a digital signature;
"record" means information that is inscribed, stored or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form;
"repository" means a system for storing and retrieving certificates or other information relevant to certificates;
"revoke a certificate" means to permanently end the operational period of a certificate from a specified time;
"rule of law" includes written law;
"security procedure" means a procedure for the purpose of —
(a) verifying that an electronic record is that of a specific person; or
(b) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time,
which may require the use of algorithms or codes, identifying words or numbers, encryption, answerback or acknowledgement procedures, or similar security devices;
"signed" or "signature" and its grammatical variations include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating a record, including electronic or digital methods;
"subscriber" means a person who is the subject named or identified in a certificate issued to him and who holds a private key that corresponds to a public key listed in that certificate;
"suspend a certificate" means to temporarily suspend the operational period of a certificate from a specified time;
"trustworthy system" means computer hardware, software and procedures that —
(a) are reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation;
(c) are reasonably suited to performing their intended functions; and
(d) adhere to generally accepted security procedures;
"valid certificate" means a certificate that a certification authority has issued and which the subscriber listed in it has accepted;
"verify a digital signature", in relation to a given digital signature, record and public key, means to determine accurately that —
(a) the digital signature was created using the private key corresponding to the public key listed in the certificate; and
(b) the record has not been altered since its digital signature was created.
Purposes and construction
Article 2.
This Sub-Decree shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes:
(a) to facilitate electronic communications by means of reliable electronic records;
(b) to facilitate electronic commerce, eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements, and to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;
(c) to facilitate electronic filing of documents with government agencies and statutory corporations, and to promote efficient delivery of government services by means of reliable electronic records;
(d) to minimise the incidence of forged electronic records, intentional and unintentional alteration of records, and fraud in electronic commerce and other electronic transactions;
(e) to help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; and
(f) to promote public confidence in the integrity and reliability of electronic records and electronic commerce, and to foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium.
PART II
ELECTRONIC RECORDS AND SIGNATURES GENERALLY
Legal recognition of electronic records
Article 3.
For the avoidance of doubt, it is declared that information shall not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record.
Requirement for writing
Article 4.
Where a rule of law requires information to be written, in writing, to be presented in writing or provides for certain consequences if it is not, an electronic record satisfies that rule of law if the information contained therein is accessible so as to be usable for subsequent reference.
Electronic signatures
Article 5.
(1) Where a rule of law requires a signature, or provides for certain consequences if a document is not signed, an electronic signature satisfies that rule of law.
(2) An electronic signature may be proved in any manner, including by showing that a procedure existed by which it is necessary for a party, in order to proceed further with a transaction, to have executed a symbol or security procedure for the purpose of verifying that an electronic record is that of such party.
Retention of electronic records
Article 6.
Where a rule of law requires that certain documents, records or information be retained, that requirement is satisfied by retaining them in the form of electronic records if the following conditions are satisfied:
(a) the information contained therein remains accessible so as to be usable for subsequent reference;
(b) the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
(c) such information, if any, as enables the identification of the origin and destination of an electronic record and the date and time when it was sent or received, is retained.
PART III
LIABILITY OF NETWORK SERVICE PROVIDERS
Liability of network service providers
Article 7.
(1) A network service provider shall not be subject to any civil or criminal liability under any rule of law in respect of third-party material in the form of electronic records to which he merely provides access if such liability is founded on the making, publication, dissemination or distribution of such materials or any statement made in such material.
(2) Nothing in this section shall affect —
(a) any obligation founded on contract;
(b) the obligation of a network service provider as such under a licensing or other regulatory regime established under any written law; or
(3) For the purposes of this section "third-party", in relation to a network service provider, means a person over whom the provider has no effective control.
PART IV
ELECTRONIC CONTRACTS
Formation and validity of contracts
Article 8.
For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of electronic records.
Effectiveness between parties
Article 9.
As between the originator and the addressee of an electronic record, a declaration of intent or other statement shall not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record.
Attribution
Article 10.
(1) An electronic record is that of the originator if it was sent by the originator himself.
(2) As between the originator and the addressee, an electronic record is deemed to be that of the originator if it was sent —
(a) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or
(b) by an information system programmed by or on behalf of the originator to operate automatically.
(3) As between the originator and the addressee, an addressee is entitled to regard an electronic record as being that of the originator and to act on that assumption if —
(a) in order to ascertain whether the electronic record was that of the originator, the addressee properly applied a procedure previously agreed to by the originator for that purpose; or
(b) the data message as received by the addressee resulted from the actions of a person whose relationship with the originator or with any agent of the originator enabled that person to gain access to a method used by the originator to identify electronic records as its own.
(4) Subsection (3) shall not apply —
(a) from the time when the addressee has both received notice from the originator that the electronic record is not that of the originator, and had reasonable time to act accordingly;
(b) in a case within subsection (3) (b) , at any time when the addressee knew or ought to have known, had it exercised reasonable care or used any agreed procedure, that the electronic record was not that of the originator; or
(5) Where an electronic record is that of the originator or is deemed to be that of the originator, or the addressee is entitled to act on that assumption, then, as between the originator and the addressee, the addressee is entitled to regard the electronic record received as being what the originator intended to send, and to act on that assumption.
(6) The addressee is not so entitled when the addressee knew or should have known, had the addressee exercised reasonable care or used any agreed procedure, that the transmission resulted in any error in the electronic record as received.
(7) The addressee is entitled to regard each electronic record received as a separate electronic record and to act on that assumption, except to the extent that the addressee duplicates another electronic record and the addressee knew or should have known, had the addressee exercised reasonable care or used any agreed procedure, that the electronic record was a duplicate.
(8) Nothing in this section shall affect the law of agency or the law on the formation of contracts.
Acknowledgment of receipt
Article 11.
(1) Subsections (2), (3) and (4) shall apply where, on or before sending an electronic record, or by means of that electronic record, the originator has requested or has agreed with the addressee that receipt of the electronic record be acknowledged.
(2) Where the originator has not agreed with the addressee that the acknowledgment be given in a particular form or by a particular method, an acknowledgment may be given by —
(a) any communication by the addressee, automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.
(3) Where the originator has stated that the electronic record is conditional on receipt of the acknowledgment, the electronic record is treated as though it had never been sent, until the acknowledgment is received.
(4) Where the originator has not stated that the electronic record is conditional on receipt of the acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed within a reasonable time, the originator —
(a) may give notice to the addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and
(b) if the acknowledgment is not received within the time specified in paragraph (a), may, upon notice to the addressee, treat the electronic record as though it has never been sent.
Time and place of despatch and receipt
Article 12.
(1) Unless otherwise agreed to between the originator and the addressee, the despatch of an electronic record occurs when it enters an information system outside the control of the originator or the person who sent the electronic record on behalf of the originator.
(2) Unless otherwise agreed to between the originator and the addressee, the time of receipt of an electronic record is determined as follows:
(a) if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs —
(i) at the time when the electronic record enters the designated information system; or
(ii) if the electronic record is sent to an information system of the addressee that is not the designated information system, at the time when the electronic record is retrieved by the addressee; or
(b) if the addressee has not designated an information system, receipt occurs when the electronic record enters an information system of the addressee.
(3) Unless otherwise agreed to between the originator and the addressee, an electronic record is deemed to be despatched at the place where the originator has its place of business, and is deemed to be received at the place where the addressee has its place of business.
(4) Subsection (2) shall apply notwithstanding that the place where the information system is located may be different from the place where the electronic record is deemed to be received under subsection (4).
PART V
SECURE ELECTRONIC RECORDS AND SIGNATURES
Secure electronic record
Article 13.
If a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved has been properly applied to an electronic record to verify that the electronic record has not been altered since a specific point in time, such record shall be treated as a secure electronic record from such specific point in time to the time of verification.
Secure electronic signature
Article 14.
If, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, it can be verified that an electronic signature was, at the time it was made —
(a) unique to the person using it;
(b) capable of identifying such person;
(c) created in a manner or using a means under the sole control of the person using it; and
(d) linked to the electronic record to which it relates in a manner such that if the record was changed the electronic signature would be invalidated, such signature shall be treated as a secure electronic signature.
PART VI
EFFECT OF DIGITAL SIGNATURES
Secure electronic record with digital signature
Article 15.
The portion of an electronic record that is signed with a digital signature shall be treated as a secure electronic record if the digital signature is a secure electronic signature by virtue of section 16.
Secure digital signature
Article 16.
When any portion of an electronic record is signed with a digital signature, the digital signature shall be treated as a secure electronic signature with respect to such portion of the record, if —
(a) the digital signature was created during the operational period of a valid certificate and is verified by reference to the public key listed in such certificate; and
(b) the certificate is considered trustworthy, in that it is an accurate binding of a public key to a person’s identity because —
(i) the certificate was issued by a licensed certification authority;
(ii) the certificate was issued by a certification authority outside Cambodia recognised for this purpose by the Controller pursuant to regulations made under section 30; or
(iii) the parties have expressly agreed between themselves (sender and recipient) to use digital signatures as a security procedure, and the digital signature was properly verified by reference to the sender’s public key.
Presumptions regarding certificates
Article 17.
It shall be presumed, unless evidence to the contrary is adduced, that the information (except for information identified as subscriber information which has not been verified) listed in a certificate issued by a licensed certification authority is correct if the certificate was accepted by the subscriber.
PART VII
GENERAL DUTIES RELATING TO DIGITAL SIGNATURES
Prerequisites to publication of certificate
Article 18.
No person may publish a certificate or otherwise make it available to a person known by that person to be in a position to rely on the certificate or on a digital signature that is verifiable with reference to a public key listed in the certificate, if that person knows that —
(a) the certification authority listed in the certificate has not issued it;
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been suspended or revoked, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation.
Publication for fraudulent or unlawful purpose
Article 19.
Any person who knowingly creates, publishes or otherwise makes available a certificate for any fraudulent or unlawful purpose shall be guilty of an offence and shall be liable on conviction to a fine not exceeding 80,000,000 Riel or to imprisonment for a term not exceeding 2 years or to both.
False or unauthorised request
Article 20.
Any person who knowingly misrepresents to a certification authority his identity or authorisation for the purpose of requesting for a certificate or for suspension or revocation of a certificate shall be guilty of an offence and shall be liable on conviction to a fine not exceeding 40,000,000 Riel or to imprisonment for a term not exceeding 6 months or to both.
PART VIII
DUTIES OF CERTIFICATION AUTHORITIES
Disclosure
Article 21.
(1) A certification authority shall disclose —
(a) its certificate that contains the public key corresponding to the private key used by that certification authority to digitally sign another certificate (referred to in this section as a certification authority certificate);
(b) any relevant certification practice statement;
(c) notice of the revocation or suspension of its certification authority certificate; and
(d) any other fact that materially and adversely affects either the reliability of a certificate that the authority has issued or the authority's ability to perform its services.
(2) In the event of an occurrence that materially and adversely affects a certification authority’s trustworthy system or its certification authority certificate, the certification authority shall —
(a) use reasonable efforts to notify any person who is known to be or foreseeably will be affected by that occurrence; or
(b) act in accordance with procedures governing such an occurrence specified in its certification practice statement.
Suspension of certificate
Article 22.
Unless the certification authority and the subscriber agree otherwise, the certification authority that issued a certificate shall suspend the certificate as soon as possible after receiving such request by a person whom the certification authority reasonably believes to be —
(a) the subscriber listed in the certificate;
(b) a person duly authorised to act for that subscriber; or
(c) a person acting on behalf of that subscriber, who is unavailable.
Revocation of certificate
Article 23.
A certification authority shall revoke a certificate that it issued —
(a) after receiving a request for revocation by the subscriber named in the certificate; and confirming that the person requesting the revocation is the subscriber, or is an agent of the subscriber with authority to request the revocation;
(b) after receiving a certified copy of the subscriber’s death certificate, or upon confirming by other evidence that the subscriber is dead; or
(c) upon presentation of documents effecting a dissolution of the subscriber, or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.
Revocation without subscriber’s consent
Article 24.
(1) A certification authority shall revoke a certificate, regardless of whether the subscriber listed in the certificate consents, if the certification authority confirms that —
(a) a material fact represented in the certificate is false;
(b) a requirement for issuance of the certificate was not satisfied;
(c) the certification authority’s private key or trustworthy system was compromised in a manner materially affecting the certificate's reliability;
(2) Upon effecting such a revocation, other than under subsection (1) (d) or (e), the certification authority shall immediately notify the subscriber listed in the revoked certificate.
Notice of suspension or revocation
Article 25.
Immediately upon suspension or revocation of a certificate by a certification authority, the certification authority shall publish a signed notice of the suspension in all repositories specified in the certificate for publication of notice of suspension.
PART IX
DUTIES OF SUBSCRIBERS
Obtaining certificate
Article 26.
All material representations made by the subscriber to a certification authority for purposes of obtaining a certificate, including all information known to the subscriber and represented in the certificate, shall be accurate and complete to the best of the subscriber's knowledge and belief, regardless of whether such representations are confirmed by the certification authority.
Acceptance of certificate
Article 27.
A subscriber shall be deemed to have accepted a certificate if he publishes or authorises the publication of a certificate —
(i) to one or more persons; or
(ii) in a repository.
Initiating suspension or revocation of certificate
Article 28.
A subscriber who has accepted a certificate shall as soon as possible request the issuing certification authority to suspend or revoke the certificate if the private key corresponding to the public key listed in the certificate has been compromised.
PART X
REGULATION ON CERTIFICATION AUTHORITIES
Appointment of Controller and other officers
Article 29.
(1) The Minister shall appoint a Controller of Certification Authorities for the purposes of this Sub-Decree and, in particular, for the purposes of licensing, certifying, monitoring and overseeing the activities of certification authorities.
(2) The Controller may, after consultation with the Minister, appoint such number of Deputy and Assistant Controllers of Certification Authorities and officers as the Controller considers necessary to exercise and perform all or any of the powers and duties of the Controller under this Sub-Decree or any regulations made thereunder.
(3) The Controller, the Deputy and Assistant Controllers and officers appointed by the Controller under subsection (2) shall exercise, discharge and perform the powers, duties and functions conferred on the Controller under this Sub-Decree or any regulations made thereunder subject to such directions as may be issued by the Minister.
(4) The Controller shall maintain a publicly accessible database containing a certification authority disclosure record for each licensed certification authority which shall contain all the particulars required under the regulations made under this Sub-Decree.
(5) In the application of the provisions of this Sub-Decree to certificates issued by the Controller and digital signatures verified by reference to those certificates, the Controller shall be deemed to be a licensed certification authority.
Recognition of foreign certification authorities
Article 30.
The Controller may issue statements of recognition on certification authorities outside Cambodia which may include a statement on the extent of the recognition.
Liability limits for licensed certification authorities
Article 31.
Unless a licensed certification authority waives the application of this section, a licensed certification authority shall not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed certification authority complied with the requirements of this Sub-Decree.
PART XI
GENERAL
Obligation of confidentiality
Article 32.
(1) Except for the purposes of this Sub-Decree or for any prosecution for an offence under any written law or pursuant to an order of court, no person who has, pursuant to any powers conferred under this Part, obtained access to any electronic record, book, register, correspondence, information, document or other material shall disclose such electronic record, book, register, correspondence, information, document or other material to any other person.
(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding 40,000,000 Riel or to imprisonment for a term not exceeding 12 months or to both.
Offence by body corporate
Article 33.
Where an offence under this Sub-Decree or any regulations made thereunder is committed by a body corporate, and it is proved to have been committed with the consent or connivance of, or to be attributable to any act or default on the part of, any director, manager, secretary or other similar officer of the body corporate, or any person who was purporting to act in any such capacity, he, as well as the body corporate, shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.
Authorised officer
Article 34.
(1) The Controller may in writing authorise any officer or employee to exercise any of the powers of the Controller under this Part.
(2) In exercising any of the powers of enforcement under this Sub-Decree, an authorised officer shall on demand produce to the person against whom he is acting the authority issued to him by the Controller.
Controller may give directions for compliance
Article 35.
(1) The Controller may, by notice in writing, direct a certification authority or any officer or employee thereof to take such measures or stop carrying on such activities as are specified in the notice if they are necessary to ensure compliance with the provisions of this Sub-Decree or any regulations made thereunder.
(2) Any person who fails to comply with any direction specified in a notice issued under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding 200,000,000 Riel or to imprisonment for a term not exceeding 12 months or to both.
Access to computers and data
Article 36.
(1) The Controller or an authorised officer shall be entitled at any time to —
(a) have access to and inspect and check the operation of any computer system and any associated apparatus or material which he has reasonable cause to suspect is or has been in use in connection with any offence under this Sub-Decree; and
(b) use or cause to be used any such computer system to search any data contained in or available to such computer system.
(2) The Controller or an authorised officer shall be entitled to require —
(a) the person by whom or on whose behalf the Controller or authorised officer has reasonable cause to suspect the computer is or has been so used; or
(b) any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material,
to provide him with such reasonable technical and other assistance as he may require for the purposes of subsection (1).
(3) Any person who —
(a) obstructs the lawful exercise of the powers under subsection (1); or
(b) fails to comply with a request under subsection (2),
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding 80,000,000 Riel or to imprisonment for a term not exceeding 12 months or to both.
Production of documents, data, etc.
Article 37.
The Controller or an authorised officer shall, for the purposes of the execution of this Sub-Decree, have power to do all or any of the following:
(a) require the production of records, accounts, data and documents kept by a licensed certification authority and to inspect, examine and copy any of them;
(b) require the production of any identification document from any person in relation to any offence under this Sub-Decree or any regulations made thereunder;
(c) make such inquiry as may be necessary to ascertain whether the provisions of this Sub-Decree or any regulations made thereunder have been complied with.
General penalties
Article 38.
Any person guilty of an offence under this Sub-Decree or any regulations made thereunder for which no penalty is expressly provided shall be liable on conviction to a fine not exceeding 80,000,000 Riel or to imprisonment for a term not exceeding 6 months or to both.
Sanction of Public Prosecutor
Article 39.
No prosecution in respect of any offence under this Sub-Decree or any regulations made thereunder shall be instituted except by or with the sanction of the State Prosecutor.
Regulations
Article 40.
Any previous regulations having the meaning contrary to this Sub-Decree shall be void.
Article 41.
The Ministry of Posts and Telecommunications shall implement this sub-decree.
Article 42.
All ministries and state institutions shall abide by the rules set in this sub-decree.
Phnom Penh
Dated:
(To be signed)
Prime Minister
Submitted to the Prime Minister for signature
So Khun
Minister