Our Ref: 3.1.25.

Fourth Draft

26^th May, 2000

THE ELECTRONIC COMMERCE ORDINANCE 2000

1. Title and Commencement

PART I - INFORMATION SOCIETY SERVICES

2. Interpretation

3. General requirements for service providers

4. Commercial Communications

5. Contracts concluded by electronic means

6. Information in relation to and conclusion of electronic contract

7. Law applicable

8. Liability of intermediary service providers

9. Procedure for dealing with unlawful, defamatory etc. information

10. Approved codes of conduct and prescribed standards

PART II

ISSUE OF ACCREDITATION CERTIFICATES FOR ELECTRONIC SIGNATURES

11. Interpretation

12. Approved providers of accreditation certificates.

13. Grant, refusal and revocation of approval.

14. Recognition of overseas providers of certificates.

15. Pseudonyms.

16. Civil liability of approved certification services providers.

PART III

GENERAL

17. Offences by bodies corporate.

18. Regulations.

19. Restrictions on service providers.

20. Consequential amendments.

21. Application to Crown.

BILL FOR

AN ORDINANCE to facilitate the use of electronic means to transmit and store information, to provide for agreements concluded by electronic means to be binding, and to provide the framework within which electronic service providers operate.

ENACTED by the Legislature of Gibraltar .

1. This Ordinance may be cited as the Electronic Commerce Ordinance 2000 and comes into operation on the day appointed by the Minister by notice in the Gazette.

PART I - INFORMATION SOCIETY SERVICES

2. In this Part-

"commercial communication" means any form of communication intended to advertise or promote the goods or services of a person or undertaking, but does not include information about addresses or web-site names or information about the goods and services which is the result of separate, independent research;

"established service provider" means a service provider who uses a fixed and continuing establishment in Gibraltar for providing information society services;

"information society services" means any service normally provided at a distance by electronic means at the individual request of the recipient of the service;

"intermediary service provider" means a service provider which acts as a conduit for information society services (whether for remuneration or otherwise) and does not provide any other specific information society service;

"the Minister" means the Minister with responsibility for Trade and Industry;

"service provider" means any person providing information society services;

3. An established service provider shall ensure that the following information is readily available (including electronically) to recipients of the services-

(a) the name and address (including e-mail address) of the service provider;

(b) the particulars of any approval scheme which the service provider has obtained and details of the activities covered by that approval;

(c) full details of all costs and charges levied by the service provider.

 

4. A commercial communication provided by a service provider directly or as part of the service shall satisfy the following conditions-

(a) the person sending it must be clearly identifiable and the fact that it is a commercial communication must be clear;

(b) all conditions relating to the goods or services offered must be presented clearly;

(c) any unsolicited commercial communication must be clearly identifiable as such upon receipt.

5.(1) Subject to subsection (2) and any agreement by the parties to the contrary, a contract may be concluded by electronic means, that is to say by transmission of offer and acceptance through data interchange.

(2) Subsection (1) does not apply to any contract in connection with-

(a) conveying or transferring land or any interest in real property;

(b) rights of succession under a will or other testamentary instrument;

(c) categories excluded by regulations made by the Minister.

6.(1) A service provider shall ensure (unless agreed otherwise with a prospective party to the contract who is not a consumer) that the following information is available clearly and in full before conclusion of the contract-

(a) the steps to follow to conclude the contract;

(b) whether the contract, when concluded, will be accessible and, if so, where;

(c) the steps to follow to correct any errors made in input by the recipient of the service; further, such steps must be effective and accessible allowing the recipient to identify and correct any errors without difficulty;

(d) any general terms and conditions imposed by the service provider; further, such general terms and conditions must be accessible to the recipient of the service for him to store and retrieve them.

(2) A service provider shall ensure (unless agreed otherwise with a party to the contract who is not a consumer) that any order for goods and services made by electronic means is acknowledged without undue delay by electronic means.

(3) Subsections (1) and (2) do not apply to contracts concluded exclusively by individual communications such as electronic mail.

7. A contract entered into through an established service provider shall be considered to have been entered into in Gibraltar and the law of Gibraltar shall apply to that contract unless otherwise agreed by a recipient of the service who is not a consumer.

8.(1) If the conditions in subsection (2) are fulfilled, an intermediary service provider shall not be the subject of any civil or criminal liability in respect of information contained in communications made through the service.

(2) Those conditions are that the intermediary service provider-

(a) was not himself the originator of the communication;

(b) has no actual knowledge that the information in the comunication gives (or may give) rise to civil or criminal liability;

(c) has not modified the information in any way

(d) follows the procedure in section 9 if he discovers that information in the communication does or may give rise to civil or criminal liability.

(3) An intermediary service provider is not required to monitor communications using the service to discover whether any communication may give rise to civil or criminal liability; the intermediary service provider shall, however, comply with any directions given by the Minister or a court, and with his contractual obligations, in respect of any communications using the service.

PART II - ISSUE OF ACCREDITATION CERTIFICATES FOR ELECTRONIC SIGNATURES

9.(1) If an intermediary service provider has or acquires actual knowledge that information in a communication in respect of which he provides services gives rise to civil or criminal liability, he shall, as soon as possible, -

(a) remove the information from any information processing system within his control and cease to provide or offer to provide services in respect of that information; and

(b) notify the Minister of the relevant facts and, if the service provider knows it, the identity of the person for whom he was supplying services in respect of the information.

(2) If an intermediary service provider is or becomes aware of facts or circumstances from which it might reasonably be inferred that there is a likelihood of civil or criminal liability in respect of information in a communication in respect of which he provides services, he shall notify' the Minister of –

(a) the information and those facts or circumstances; and,

(b) if he knows it, the identity of the person for whom the service provider was supplying services in respect of the information.

(3) Where an intermediary service provider notifies the Minister as mentioned in subsection (2), then, as the Minister may direct, the intermediary service provider shall do all or any of the following -

(a) remove the communication concerned from any information processing system within his control;

(b) cease to provide services to the person to whom he was supplying services in respect of that communication;

(c) cease to provide services in respect of that communication.

(4) An intermediary service provider shall not be liable to any person (whether or not a person for whom the intermediary service provider provides services), at common law or by virtue of any statutory provision, in respect of any action which

(a) he takes in good faith by virtue of subsection (1); or

(b) he takes pursuant to a direction of the Minister under subsection (3).

10.(1) In accordance with the provisions of this section, the Minister may approve codes of conduct or prescribe standards for service providers.

(2) The codes of conduct which may be approved and the standards which may be prescribed may relate to all or any of the following -

(a) the descriptions of services that may be provided by service providers and the descriptions of customers to whom the services may be provided;

(b) the descriptions of information that may be contained in communications for which services are provided by service providers;

(c) the contractual application of codes of conduct and standards to customers of service providers;

(d) the disclosure of information by service providers;

(e) the actions to be taken in the event of customers of service providers sending bulk, unsolicited communications;

(f) the prohibition of publication of obscene material;

(g) the procedure for dealing with complaints and for the resolution of disputes; and

(h) such other matters as the Minister considers appropriate.

(3) If the Minister is satisfied that a body or organisation represents service providers (whether generally or those operating in Gibraltar) and that that body or organisation (whether or not pursuant to a request from him) has developed a code of conduct -

(a) that applies to service providers and deals with one or more specified matters relating to the provision of services by them, and

(b) that appears to the Minister to deal with those matters in a satisfactory manner,

he may, by notice in the Gazette, approve that code of conduct; and when a code of conduct is so approved, the code shall apply, in accordance with that notice, either to service providers generally or to such of them as are of a description specified in that notice.

(4) If the Minister considers that there is no such body or organisation as is referred to in subsection (3) or that, with respect to any matter which appears to him to be relevant, no such body or organisation has developed a code of conduct meeting the requirements of paragraphs (a) and (b) of that subsection, he may prescribe a standard applicable to service providers generally or to such of them as are of a prescribed description.

(5) Without prejudice to the power of the Minster to vary any prescribed standard if, after the Minister has approved a code of conduct under subsection (3), -

(a) the body or organisation by which it was developed propose amendments to the approved code of conduct, or

(b) the Minister ceases to be satisfied as mentioned in subsection (3)(b),

the Minister may by notice in the Gazette either approve the code as proposed to be amended or withdraw the approval previously given.

(6) If it appears to the Minister that a service provider is failing to comply with any provision of an approved code of conduct or prescribed standard which is for the time being applicable to him, the Minister may, for the purposes of securing compliance with the code or standard, serve on the service provider a notice requiring him, within such period as is specified in the notice, to take such action as is so specified.

(7) If a service provider on whom a notice has been served under subsection (6) fails, within the time specified in the notice to take the action so specified, he is guilty of an offence and liable on summary conviction to a fine at level 5 on the standard scale and to a further fine not exceeding £1,000 for every day on which the failure continues after conviction.

PART II - ISSUE OF ACCREDITATION CERTIFICATES FOR ELECTRONIC SIGNATURES

11.(1) In this Part, unless the context otherwise requires, –

"accreditation certificate" means a communication which -

(a) associates a signature verification device to a person;

(b) confirms the identity of that person; and

(c) is provided by an approved certification service provider;

"certification service provider" means a person who issues identity certificates for the purpose of electronic signatures or provides other services to the public in relation to electronic signatures;

"electronic signature" means a signature in electronic form which -

(a) is in, attached to or logically associated with, information;

(b) is used by a person ("the signatory") to indicate his adoption of that information;

(c) is uniquely linked to the signatory and capable of identifying him;

(d) is created using means that the signatory can maintain under his sole control; and

(e) is linked to the information to which it relates in such a manner that any subsequent alteration of the information is revealed;

"the Minister" means the Minister with responsibility for Trade and Industry;

"signature creation device" means unique data, including codes or cryptographic keys, or a uniquely configured physical device which is used by the signatory in creating an electronic signature;

"signature verification device" means unique data, including codes or cryptographic keys, or a uniquely configured physical device which is used in verifying an electronic signature.

12.(1) On an application by a certification services provider and on payment of the prescribed fee, the Minister may approve the applicant to issue accreditation certificates for electronic signatures.

(2) An application under subsection (1) shall be made in such form as may be prescribed and, in connection with the application, the applicant -

(a) shall provide the Minister with such information as the Minister may reasonably require for the purposes of reaching a decision on the application; and

(b) if so required by the Minister, shall give notice of the application in the prescribed form by publication in the Gazette and in a daily or weekly newspaper published in Gibraltar.

(3) The Minister shall not give an approval under this section unless he is satisfied that the applicant meets such criteria as may be prescribed for the purposes of this Part; and the criteria so prescribed may include criteria in respect of electronic signature products.

(4) Nothing in this section requires a certification service provider to obtain approval.

13.(1) Not later than [three months] after the receipt of an application under subsection (1) of section 12 and of any information required under subsection (2) of that section, the Minister shall either grant the approval or serve notice on the applicant that the application is refused.

(2) If at any time the Minister considers that a certification service provider who is for the time being approved under section 12 no longer meets the criteria prescribed for the purposes of this Part, he shall give notice to the service provider of his intention to revoke the approval, indicating his reasons for doing so.

(3) A notice under subsection (2) shall invite the certification service provider concerned, within 14 days of the notice, to submit representations in writing to the Minister as to why the approval should not be revoked and the Minster shall consider any representations so made.

(4) After the expiry of the period for the making of representations under subsection (3) and after considering any representations so made, the Minster shall give notice to the service provider either -

(a) revoking the approval; or

(b) informing the service provider concerned that he no longer intends to revoke the approval;

but the service of a notice under paragraph (b) shall not prejudice the taking of further action under subsection (2) if at any time the Minister considers it appropriate.

14.(1) The Minister may, by notice in the Gazette, recognise for the purposes of this Ordinance certification service providers or classes of such provider who -

(a) are established in a territory outside Gibraltar; and

(b) are approved by a body or authority in that territory to provide in that territory electronic records corresponding to accreditation certificates issued by approved certification providers;

and in the following provisions of this section such a certification service provider is referred to as an "overseas provider".

(2) The Minister shall not under subsection (1) recognise an overseas provider or class of such provider unless -

(a) the territory concerned is that of the United Kingdom or another member State and the body or authority giving the approval to the overseas provider is designated (howsoever the designation is described) for the purpose of that approval in accordance with the law of the United Kingdom or that other member State, as the case may be; or

(b) the territory and the body or authority giving the approval are for the time being prescribed for the purposes of this Part.

(3) If at any time after an overseas provider has been recognised by virtue of subsection (2)(b), the territory or body or authority concerned ceases to be prescribed for the purposes of this Part, the Minister shall by notice in the Gazette withdraw recognition under this section from the overseas providers concerned.

(4) In determining whether to prescribe a territory or a body or authority for the purposes of this Part (and, accordingly, whether to cease so to prescribe a territory, body or authority) the Minister shall have regard to whether the body or authority requires the overseas providers to meet criteria equivalent to those prescribed by virtue of section 12(3) in relation to approved certification service providers.

15.(1) At the request of a signatory, an approved certification service provider may indicate in the signatory's accreditation certificate a pseudonym instead of the signatory's name.

(2) If, in a case where a pseudonym is indicated in an accreditation certificate as mentioned in subsection (1), -

(a) it is necessary for the investigation of an offence involving electronic signatures, or

(b) it is otherwise required under any statutory provision,

the approved certification service provider concerned shall transfer personal data relating to the signatory to the police or, as the case may be, in accordance with the requirement.

(3) Where, by virtue of subsection (2), personal data is transferred, the approved certification service provider shall notify the signatory as soon as possible and shall make and retain a record of the transfer and of the notification.

(4) In this section "personal data", in relation to a signatory, means information which relates to the signatory and enables him to be identified.

16.(1) Subject to the following provisions of this section, where an approved certification service provider has issued an accreditation certificate he shall owe a duty to any person who reasonably relies on the certificate for -

(a) the accuracy of all information in the accreditation certificate, except in so far as the certificate otherwise provides;

(b) assurance that, at the time the certificate was issued, the person identified in the accreditation certificate held the signature creation device corresponding to the signature verification device given or identified in the certificate; and

(c) if the approved certification service provider generates both the signature creation device and the signature verification device, assurance that the two devices function together in a complementary manner.

(2) The duty in subsection (1) is not owed to a person who, at the time he purported to rely on an accreditation certificate, knew or ought reasonably to have known that the certification services provider by whom the certificate was issued was no longer approved under section 12 or, as the case may be, recognised under section 14.

(3) Subject to subsections (4) and (5), an action in damages shall lie against an approved certification services provider in respect of any loss or damage suffered by any person by reason of a breach of the duty imposed by subsection (1).

(4) An approved certification services provider shall not be liable for errors in information in an accreditation certificate to the extent that -

(a) the information was provided by or on behalf of the person identified in the certificate; and

(b) it is shown that the certification service provider took all measures which were reasonably practicable to verify the information.

(5) Where an approved certification services provider -

(a) indicates in an accreditation certificate limits on the use to which the certificate may be put, and

(b) takes all reasonable steps to make those limits known to third parties,

he shall not be liable in accordance with subsection (3) for loss or damage arising from the use of the certificate outside those limits.

(6) The limits referred to in subsection (5) may include limits on the value of transactions for or in connection with which the certificate may be used.

PART III - GENERAL

17. Where an offence under this Ordinance committed by a body corporate is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, -

(a) any director, manager, secretary or other similar officer of that body, or any person who was purporting to act in that capacity, or

(b) any other person in accordance with whose directions or instructions the directors of that body are accustomed to act,

he, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

18.(1) The Minister may make regulations prescribing anything which by this Ordinance is authorised or required to be prescribed.

(2) Regulations under this section may make different provision for different cases and may contain such incidental, supplemental, consequential and transitional provisions as appear to the Minister to be appropriate. 

19.(1) The Minister may, by notice in writing to a service provider, require that service provider to remove information from any information system under his control if it appears to the Minister that the removal of information is necessary for –

(a) public policy, in particular the prevention, investigation, detection and prosecution of criminal offences, including the protection of minors and the fight against any incitement to hatred on grounds of race, sex, religion or nationality, and violations of human dignity concerning individual persons;

(b) the protection of public health;

(c) public security; or

(d) the protection of consumers, including investors.

(2) A service provider which does not comply with the direction of the Minister under subsection (1) is guilty of an offence and liable to imprisonment or a fine up to level 5 on the standard scale, or both, and to a continuing fine of up to level 1 on the standard scale for each day on which the information concerned remains accessible after receipt of the Minister’s notice under subsection (1).

20. The Government may by regulations make such amendments of statutory provisions (not contained in this Ordinance) as appear to them to be necessary or appropriate in consequence of the provisions of this Ordinance.

21. This Ordinance binds the Crown.