peru’s legal framework for electronic commerce and some implications for consumer protection hugo...
TRANSCRIPT
Peru’s legal framework for electronic commerce and some implications for consumer protection
HUGO GALLEGOS C.
General Manager
Peruvian Institute
for Electronic Commerce
PublicFTAA.ecom/inf/124February 14 , 2002
Original: SpanishTranslation: FTAA Secretariat
I. General consumer protection issues
A. CONSUMER PROTECTION
Potential threats faced by consumers:Fraud and deceit: The consumer does
not have direct contact with the producer and is unable to verify the quality of the product or the trustworthiness of the producer.
Contract terms: Information both prior and subsequent to the conclusion of an on-line contract must be clear and accurate.
Contract terms: Must include the legal identity and physical location of the merchant, the total price of the products, provisions on the method of payment, any condition governing the purchase, including warranties, refund terms, duration, validity of the offer, and how to lodge complaints and receive compensation.
Privacy: The ease with which personal information can be collected and shared.
Jurisdiction and dispute resolution: Cross-border transactions cause greater difficulties than those within a given country. This is a significant problem with transactions involving small amounts.
B. PRIVACY
What are the potential threats?:– The growing capacity to gather and
distribute personal information.– By comparing information from
several sources it is possible to obtain a picture of a person’s lifestyle.
– Database sharing may cause errors to spread from one computer to another before they can be corrected.
C. DISPUTE RESOLUTION
– Devise an instrument to help resolve disputes that occur in the use of the Internet.
– Support the security system that protects electronic transactions and communication.
D. E-CONTRACTS.
• Recognizing the validity of e-documents.• Allowing expression of intent via electronic means.• There should be no discrimination based on whether
contracts are on paper or electronic. • Allowing contracts to be made over the Internet.• They are the foundation for e-business.
E. DIGITAL SIGNATURES AND CERTIFICATES.
• Creating a functional equivalent of handwritten signatures.
• Making electronic communications and transactions secure.
• The four principles of security must be guaranteed: authenticity, integrity, confidentiality and non-repudiation.
• Does not make the contents legal or guarantee the agent’s capacity (analyze role of notary public).
II. Peru’s regulatory framework for e-commerce
and its link to consumer protection
Key aspects:– Allows the use of electronic media to communicate
one’s expression of intent, and electronic signatures where required by law.
– With Article 141, the use of electronic or similar media is added as a means of expressing intent (previously consent could only be given orally, in writing, or through any other direct means).
– If the law requires an express declaration of intent, such declaration may be given electronically.
A. LAW PERMITTING ELECTRONIC CONTRACTS (LAW 27291)
Key aspects:• Internet contracts are accepted. When contracts are
made electronically, acceptance and any other contractual representation addressed to a given individual is deemed received when the sender receives acknowledgment of receipt.
• This will facilitate and speed up negotiations and contracts, and, more importantly, it will be the platform for B2B relationships.
Key aspects:• This is an improvement over microforms, as it gives
legal value to e-documents.• The Law on Electronic Contracts will complement it,
specifying how e-documents are to be received (acknowledgment of receipt, information backup, etc.). It is expected to be passed this year or early next year.
Key aspects:• This law gives consumers legal security when
conducting on-line transactions in which they express intent by clicking on the “I AGREE/I ACCEPT” button.
• The granting of legal validity to the expression of intent by electronic means consumers are forced to exercise caution when proceeding with or concluding on-line transactions, since they cannot later deny having made the transaction.
• Consumers may use electronic records as evidence in the litigation and judges may not refuse to admit such records.
B. LAW ON COMPUTER-RELATED CRIMES (LAW 27309)
• This Law adds new articles to the Criminal Code (Legislative Decree 635) and includes a chapter on computer-related crimes.
• Article 207 A.- Any person who wrongfully uses or logs on to a database or a computer system or network or any part thereof with the purpose of designing, running, or altering a program or device with intent to commit fraud or obtain money, goods or information will be sentenced to incarceration for up to two years or to performing community services for between 52 and 104 days.
• Under this law hackers and sniffers are held criminally liable for their actions.
• Article 207 B.- Any person who wrongfully interferes with, receives, uses, alters, damages or destroys a computer program or support-device or the data contained thereon or in the database, system, or network shall be sentenced to incarceration for up to two years.
• This law allows crackers and virus authors to be held criminally liable for their actions.
• This law is especially important in terms of protecting the information systems of private and public organizations.
• Most tangibly, home Internet users could be protected from unauthorized entries while on-line, particularly when would-be intruders are within Peru.
• It can be used against persons who write destructive viruses and who are within Peruvian jurisdiction.
• It could also be used to prevent unauthorized entry by government agents conducting investigations.
• Elements:– Certification Body: A legal entity that issues and
cancels or performs other services involved in digital certification. A certification body may also perform duties of a registration or verification body.
– Registration or Verification Body: A natural person or legal entity that is responsible for gathering and verifying information regarding a person applying for a digital certificate and whose services are used by certification bodies.
C. LAW ON DIGITAL SIGNATURES AND CERTIFICATES (LAW 27269)
• Elements:– Competent Administrative Authority: A
government agency responsible for registering certification and registration or verification bodies, for recognizing the technological standards in the Official Electronic Signature Infrastructure, and for overseeing that Infrastructure, as well as for performing the other duties indicated in these regulations.
• Throughout the world, digital certification services operate within a framework of free competition and are provided in accordance with international standards and certification policies determined by each certification body. The policies are set out in the bodies’ respective statements of certification practices.
• The importance of digital signatures varies according to the type of e-business; although they do play an important role in B2C relations they are vital for B2B transactions, since they are the means through which e-contracts are entered into and they provide a means for expressing intent.
Digital Signature Regulations – Initial Considerations
• Although digital signatures are technologically designed to provide technical security for data messages, they must go hand in hand with a sound legal framework. In the case of Peru, the soundness of the legal framework lies in the legal validity ascribed to digital signatures.
• Such legal security must be based on creating conditions whereby digital signatures become the functional equivalent of handwritten signatures and to be acknowledged as a form of evidence.
• It must be consistent with the legal requirements for certification of certain acts defined by current regulations or when so requested by agents.
• Since this is a technology-based service, regulation should not interfere with the processes followed by certification bodies in delivering the service.
• Otherwise the ability to provide this service might be compromised, leading to extra costs for users or to the creation of entry or exit barriers.
• The idea behind regulating agencies is to guarantee continuity in the service (by ensuring the fulfillment of the Statement of Certification Practices of each certification body); they also attempt to ensure that users and third parties acting in good faith are not affected in communications based on data messages (whether or not these messages constitute contracts).
OBJECTIVES OF THE REGULATIONS
• To define the Official Electronic Signature Infrastructure.
• To provide the framework for the use and application of digital signatures in Peru, giving legal validity and force to digitally signed data messages.
• To permit the use of another type of electronic signatures, as well as the provision of the certification service by domestic and foreign entities.
Validity and legal effects of electronic signatures
• For purposes of expressing intent, e-signatures attached to or logically associated with a data message have the same validity and legal force as handwritten signatures, as long as they bind and identify the signer and ensure the authenticity and integrity of e-documents. E-signatures constitute valid judicial evidence in judicial and administrative proceedings as long as they demonstrate this equivalence of functions (Article 5).
• Barring evidence to the contrary, all electronic signatures attached to or logically associated with a data message and generated in accordance with the Official Electronic Signature Infrastructure are presumed to comply with the requirement that they bind and identify the signer and that they ensure the authenticity and integrity of e-documents (Article 6).
• Hence, they have a role vis-à-vis both users (by guaranteeing their identification and that they are legally bound and preventing them from later repudiating the transaction) and e-documents.
• These regulations do not preclude compliance with additional formalities required under other legal regulations governing acts having legal effects, and hence do not affect the function of persons empowered to attest to signatures in documents and to convert them to public documents (Article 8).
• Hence, the role of notaries public and certifying public officers is recognized, as far as their work, as defined in the current legal framework, is concerned.
Key Concepts• How to distinguish between electronic signatures
that conform to the law and the respective regulations and those that do not?
• Official Electronic Signature Infrastructure: A reliable system that is regulated and overseen by the competent administrative authorities and that is made up of programs, equipment, standards, policies, procedures and other resources that make it possible to generate electronic signatures that bind and identify the signer and guarantee the authenticity and integrity of e-documents.
• Official Electronic Signature Infrastructure.- Official Electronic Signature Infrastructure based on digital signature technology. Certification and registration or verification bodies registered with the Competent Administrative Authority, which regulates and supervises them, also play a role.
de
Electronic signature Z
Electronic signature Y
Official Electronic Signature Infrastructure
Digital signatures
Electronic signature X
Other electronic signatures
Official Electronic Signature Infrastructure
OFFICIAL ELECTRONIC SIGNATURE INFRASTRUCTURE--A FLOWCHART
Regulator:• Competent administrative authorityRegulated Parties:• Certification bodies• Registration or verification bodiesOthers:• Digital certificate holders (individuals
and legal entities)
Competent Administrative Authoritiy
Registration or Verification Bodies
Certification Bodies
Digital Certificate
Holders
Flow-Chart of Responsibilities
Competent Administrative Authority
Certification Bodies
1 2
1. Certification bodies register with the CAA, and facilitate its auditing tasks.
2. The CAA registers the CB and ensures that it complies with the CCA’s statement of certification practices.
Competent AdministrativeAuthority
3 4
4. The CAA registers and oversees RVBs.
Registration or Verification Bodies
3. RVBs register with the CAA and facilitate its oversight tasks.
Registration or Verification Bodies
Certifying Bodies
5
6
6. The RVB verifies and validates an applicant’s information and then instructs that a digital certificate be issued to the CB.
5. The CB delegates the task of analyzing information from RVB applicants.
Once a contractual outsourcing relationship has been established between one or more certification body(ies) and RVB(s).
Registration or VerificationBodies
CertifyingBodies
Digital Certificate
Holders
7 8
7. The applicant goes in person to a CB or an RVB and applies for a digital certificate, providing reliable, factual information.
8. The CB, whether directly or through an RVB, verifies and validates the applicant's information, and issues a digital certificate to it.
• How to create a framework for certificate holders that takes into account issues such as representation and powers-of-attorney specific to legal entities
• Objectives of the differentiation between certificate and digital signature holders:– To create a framework for individuals.– To create a framework for legal entities that takes into
account the fact that they hold certificates and, moreover, that allows them to manage their certificates and to respond to any changes in the powers-of-attorney of their legal representatives and thus avoid falling prey to them.
• Digital certificate holder.- Person to whom a digital certificate is exclusively assigned.
• Digital signature holder.- Individual with whom a digitally signed data message is exclusively associated, through his use of a private key.
Exceptionally, in the case of digital signatures generated through automated agents, the individual or legal entity that holds the digital certificate from which the digital signatures are generated is considered to be the holder of the digital signature.
• The American Bar Association (ABA) makes a similar distinction:
ABA Peruvian Proposal
– Subscriber = Digital certificate holder
– Signer = Digital signature holder
Digital Signature Holders
• Within the Official Electronic Signature Infrastructure, responsibility for the legal consequences stemming from the use of digital signatures falls to the digital certificate holder.
Individuals Legal Entities
Digital certificate holder
Same Same
Digital signature holder
Same, even when automated agents are used.
Representatives who are duly accredited and who also generate private keys of digital certificates (except in the case of automated agents).
.
Issue Individuals Legal Entities
Digital certificate applicant
Strictly personal.
Through duly accredited legal representatives.
Requirements for holding a digital certificate
Must have full capacity to exercise their civil rights.
Must be duly registered before the public registry.
Digital Certificates
• For legal entities, the representative who will generate and use the private key (the holders of the digital signature) must be clearly specified in every case, as well as the corresponding powers-of-attorney and authorizations.
Competent Administrative Authority
• The regulation of digital certification services must be pegged to existing technology, so as to avoid regulatory requirements that may interfere with or disrupt certification services.
• The set of rules must be able to regulate the market without creating barriers to the entry of foreign competitors.
• The Competent Administrative Authority has the following responsibilities:– Registering certification bodies.– Registering registration or verification bodies.– Overseeing registered certification and registration or
verification bodies, and, where applicable, establishing the corresponding penalties.
– Canceling the registration of certification and registration or verification bodies, pursuant to these regulations.
– Publishing a list of registered entities, on an on-going and continuous basis.
– Approving the use of international technical standards under the Official Electronic Signature Infrastructure and determining the degree to which other technical standards are consistent with international standards.
• The Competent Administrative Authority has the following responsibilities:– Establishing minimum requirements for providing certification
and registration or verification services that shape the policies and procedures of registered entities.
– Determining criteria for evaluating the sufficiency of the financial backing that registered entities are required to have.
– Approving the use of electronic signature technologies other than digital signatures, subject to verification that the requirements set forth in Article 2 of the Law have been fulfilled, and regulating the use of such technologies in accordance with an Official Electronic Signature Infrastructure.
– Signing mutual recognition agreements with foreign administrative authorities having similar responsibilities, for the purpose of recognizing digital certificates issued by foreign certification bodies.
• The Competent Administrative Authority will determine the procedure and timeframe for the registration process.
• The Authority is to ensure that the procedure provides the opportunity to correct problems arising during the registration process.
• Registrations will remain in effect for 10 years and may be renewed. During this period, annual inspections will be conducted.
• Evaluations made abroad may be accepted as long as findings are made under conditions comparable to those in Peru.
• Registration costs will be borne by the entities requesting registration.
LAW AND REGULATIONS GOVERNING DIGITAL SIGNATURES AND CERTIFICATES AND THEIR
RELATIONSHIP WITH THE CONSUMER
• The authenticity principle allows for clearer identification of consumers who use digital signatures while conducting transactions on the Internet. Moreover, consumers will feel safe when conducting transactions with companies who also use them.
• Under the principles of integrity and non-repudiation, neither party may disavow its actions during a transaction in which one or both has used digital signatures.
• The use of digital signatures should be viewed as a mechanism that is becoming an explicit expression of intent by electronic means and the functional equivalent of handwritten signatures.
• Therefore, digital signatures may be used as a form of immediate proof in legal disputes, provided they have been used in accordance with the Official Electronic Signature Infrastructure. When digital signatures are not used in this manner, judges may not refuse them, although they may request additional proof.
• This means that the guarantee of the identity of the parties and the existence of a record of expression of intent and of exchange of information can be used by the consumer in a consumer protection proceeding, pursuant to the relevant law.
• Although in setting forth these entities’ obligations the regulatory framework protects the consumer’s relationship with participating entities within the Official Electronic Signature Infrastructure, it also creates a series of obligations with which the consumer must comply.
