ELECTRONIC TRANSACTIONS ACT, 2001

(Act 8 of 2001)

Part VI
Regulation of Certifying Authorities

16. (1) The Minister may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and such number of Deputy Controllers and Assistant Controllers as the Minister deems fit.

(2) The Controller shall discharge the functions of the Controller under this Act subject to the general control and directions of the Minister.

(3) The Deputy Controller and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.

17. The Controller may perform all or any of the following functions, namely—

(a) exercising supervision over the activities of the Certifying Authorities;

(b) laying down the standards to be maintained by the Certifying Authorities;

(c) specifying the qualifications and experience which employees of the Certifying Authorities should possess;

(d) specifying the conditions subject to which the Certifying Authorities shall conduct their business;

(e) specifying the content of written, printed or visual material and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the Public Key;

(f) specifying the form and content of a Digital Signature Certificate and the public key;

(g) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;

(h) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;

(i) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and the regulation of such system;

(j) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;

(k) resolving any conflict of interests between the Certifying Authorities and the subscribers;

(l) laying down the duties of the Certifying Authorities;

(m) maintaining a data-base containing a disclosure record in respect of every Certifying Authority containing such particulars as may be specified by regulations, which record shall be accessible to public.

18. (1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act.

(2) The Controller shall —

(a) make use of hardware and procedures that are secure from intrusion and misuse;

(b) observe such other standards as may be prescribed to ensure that the secrecy and security of digital signatures are assured.

(3) The Controller shall maintain a computerised database of all public keys in such a manner that the database and the public keys are available to any member of the public.

19. The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any other officer to exercise any of the powers of the Controller under this Part.

20. The Controller or any officer authorised by him in that behalf may investigate any contravention of the provisions of this Act or regulations made thereunder.

21. (1) The Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act or regulations made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.

(2) For the purposes of subsection (1), the Controller or any person authorised by him, may by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data, apparatus or material, to provide the Controller or the person authorised with such reasonable technical and other assistance as he may consider necessary.

22. (1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may, with the previous approval of the Minister and by notification in the Official Gazette, recognise any foreign Certifying Authority for the purposes of this Act.

(2) Where any Certifying Authority is recognised under subsection (1), the Digital Signature Certificates issued by such Certifying Authority shall be valid for the purposes of this Act.

(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under subsection (1) for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.

23. (1) Subject to the provisions of subsection (2), any person may make an application to the Controller for a licence to issue Digital Signature Certificates.

(2) No licence shall be granted unless the applicant fulfils such requirements with respect to qualifications, expertise, manpower, financial resources and other infrastructure facilities as may be prescribed by regulations.

(3) A licence granted under this section shall —

(a) be valid for such period as may be prescribed;

(b) not be transferable or heritable;

(c) be subject to such terms and conditions as may be prescribed.

24. (1) Every application for a licence shall be in prescribed form.

(2) Every such application shall be accompanied by

(a) a certification practice statement;

(b) a statement outlining the procedures with respect to identification of the applicant;

(c) proof of payment of such fee as may be prescribed;

(d) such other documents as may be prescribed.

25. An application for renewal of a licence shall be—

(a) in prescribed form; and

(b) accompanied by such fee as may be prescribed and shall be made not less than forty-five days before the date of expiry of the period of validity of the licence:

Provided that an application for renewal of licence made after the expiry of the licence may be entertained on payment of such late fee as may be prescribed.

26. The Controller may, on receipt of an application under section 23(1), after considering the documents accompanying the application and such other matters as he deems fit, grant the licence or reject the application:

Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.

27. (1) The Controller may, if he is satisfied after making such inquiry as he may think fit that a Certifying Authority has—

(a) made in, or in relation to, the application for the issue or renewal of the licence, a statement which is incorrect or false in material particulars;

(b) failed to comply with the terms and conditions subject to which the licence was granted;

(c) failed to maintain standards prescribed under section 18 (2)(b);

(d) has contravened any provisions of this Act or any regulation made thereunder,

revoke the licence after giving the Certifying Authority a reasonable opportunity of showing cause against the proposed revocation.

(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence under subsection (1), by order suspend such licence pending the completion of any inquiry ordered by him:

Provided that, no licence shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.

(3) No Certifying Authority whose licence has been suspended shall issue any Digital Signature Certificate during the period of suspension.

28. (1) Where the licence of a Certifying Authority is suspended or revoked, the Controller shall publish a notice of such suspension or revocation, as the case may be, in the database maintained by him.

(2) Where one or more repositories are specified, the Controller shall publish the notice of such suspension or revocation, as the case may be, in all such repositories.

29. Every Certifying Authority shall —

(a) make use of hardware, software and procedures that are secure from intrusion and misuse;

(b) provide a reasonable level of reliability in its services;

(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signatures are assured; and

(d) observe such other standards as may be prescribed.

30. Every Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of that person's employment or engagement, with the provisions of this Act and regulations made thereunder.

31. Every Certifying Authority shall display its licence at a conspicuous place of the premises in which it carries on its business.

32. Every Certifying Authority whose licence is suspended or revoked shall, immediately after such suspension or revocation, surrender the licence to the Controller.

33. (1) Every Certifying Authority shall disclose in the manner specified by regulations—

(a) its Digital Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate;

(b) any certification practice statement relevant thereto;

(c) notice of the revocation or suspension of its Certifying Authority certificate, if any; and

(d) any other fact that materially and adversely affects either the reliability of a Digital Signature Certificate which that Certifying Authority has issued, or the Certifying Authority's ability to perform its services.

(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which a Digital Signature Certificate was granted, then the Certifying Authority shall—

(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or

(b) act in accordance with the procedure specified in the certification practice statement to deal with such event or situation.