Electronic Commerce Act - 1998

Part XIII -- General

52. Confidentiality.

(a) Obligation of Confidentiality.
(i) Except where compelled by any court of law or pursuant to any law for the time being in force, no certification authority, Controller or network service provider, or their respective agents or employees, that have obtained access to any material, shall disclose such material to any other person without the prior consent of the owner of such material, except in cases where such disclosure is being made for the purpose of protecting his interest or for such other purpose as may be prescribed.

(ii) Except where compelled by any court of law or pursuant to any law for the time being in force, no person who has obtained unauthorized access to any electronic record shall intentionally or knowingly disclose such record or its contents to any other person. The provisions of this section shall be without prejudice to any liability which such person may have incurred by reason of the unauthorized access.

(b) Penalty for Breach of Confidentiality.
(i) Any network service provider who intentionally, knowingly or negligently contravenes subsection (a) shall be (A) enjoined by a court from acting as a network service provider for a period not to exceed three (3) months, or (B) liable in damages sustained by the owner, such damages to amount to no less than Rs. 10,000, or (C) both.

(ii) Any person other than a network service provider who intentionally contravenes subsection (a) shall be guilty of an offense and shall be liable upon conviction to imprisonment not to exceed 6 months or fines not to exceed Rs. 50,000 or to both.

Explanation: In this section, "material" includes any electronic record, book, register, correspondence, information or document.

Source: Singapore Electronic Transactions Act §48.

Comments: This section protects the confidentiality of electronic records and related materials obtained pursuant to this Act, and provides for penalties in cases where confidentiality is breached.

53. Offense by Body Corporate. Where an offense under this Act or any rules made under this Act is committed by a body corporate and such offense is proved to have been committed with the consent or connivance of, or is proved to be attributable to, any act or default on the part of any director, manager, secretary or other similar officer of the body corporate, he as well as the body corporate, shall be guilty of that offense and shall be liable to be proceeded against and punished accordingly.

Source: Singapore Electronic Transactions Act §49.
Comments: This section provides for the criminal liability of corporations and their officers in cases where corporate officers contravene provisions of this Act.

54. Controller May Give Directions for Compliance.

(a) The Controller may direct, by notice in writing, a certification authority or any officer or employee thereof to take such measures or stop carrying on such activities as are specified in the notice, if such action is necessary to ensure compliance with the provisions of this Act or any rules made under this Act.
(b) Any person who fails to comply with any direction specified in a notice issued under subsection (a) shall be guilty of an offense and shall be liable on conviction to imprisonment for a term not exceeding 1 year or a fine not exceeding Rs. 1,00,000 or both.
Source: Singapore Electronic Transactions Act §51.
Comments: This section is designed to provide enforcement authority to the Controller over certification authorities and provide penalties in cases of noncompliance with issued orders.

55. Power to Investigate.

(a) The Controller or an authorized officer may investigate, pursuant to a written order issued by the Controller or the officer, the activities of a certification authority in relation to its compliance with this Act and any rules made under this Act.
(b) For the purposes of subsection (a), the Controller may in writing issue an order to a certification authority to further its investigation.
(c) The Controller or an authorized officer may make reasonable inquiry, pursuant to a written order, of any person reasonably believed to have relevant information in connection with the commission of any offense under this Act.
Source: Singapore Electronic Transactions Act §52.
Comments: This section provides power to the Controller to investigate the activities of certification authorities, essentially for the purpose of compliance auditing.

56. Access to Computers and Data. The Controller or an authorized officer shall:

(a) be entitled at any time reasonable under the circumstances to:
(i) have access to, inspect and check the operation of any information system and any associated apparatus or material which he has reasonable cause to suspect is or has been in use in connection with any offense under this Act;
(ii) use or cause to be used any such information system to search any data contained in or available to such information system; or
(b) be entitled to require:
(i) the person by whom or on whose behalf the Controller or authorized officer has reasonable cause to suspect the computer is or has been so used; or
(ii) any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material, to provide him with such reasonable technical and other assistance as he may require for the purposes of subsection (a).
Source: Singapore Electronic Transactions Act §53.

Comments: This section empowers the Controller or his agent to have access to and inspect any information system or associated apparatus that is reasonably suspected of having been used in connection with any offenses under this Act. Additionally, it requires technical cooperation from persons having charge of such information system or associated apparatus.

57. Production of Documents, Data, etc. The Controller shall, for the purposes of the implementation of this Act, have power to do all or any of the following:

(a) require, by a written order, the production of records, accounts, data and documents kept by a certification authority and to inspect, examine and copy any of them;
(b) require, by a written order, the production of any document from any person reasonably in relation to any offense under this Act or any regulations promulgated under this Act.
Source: Singapore Electronic Transactions Act §55.
Comments: This section empowers the Controller to request the production of documents for the purpose of auditing a certification authority for compliance, as well as for the purpose of making reasonable inquiry in connection with any offense under this Act.

58. General Penalty. Any person who (a) contravenes any provision of this Act or (b) fails to comply with any notice or written order lawfully issued under this Act, shall be guilty of an offense and, if no penalty is provided in this Act for such offense, shall be punished with imprisonment for a term not exceeding 6 months or a fine not exceeding 1,00,000 or both.

Source: Singapore Electronic Transactions Act §56.
Comments: This section provides for penalties in cases where no penalties otherwise have been provided in this Act or the Penal Code.

59. Sanction for prosecution. No prosecution in respect of any offense under this Act or any rule made under this Act shall be instituted except by or with the previous sanction of the Central Government.

Source: Singapore Electronic Transactions Act §57.

60. Power to Exempt. The Central Government may by notification published in the Official Gazette, exempt, in the public interest, any person or class of persons from all or any of the provisions of this Act or any rules made under this Act.

Source: Singapore Electronic Transactions Act §60.
Comments: This provision allows the Central Government to exempt persons from the Act in cases of public interest.

61. Power of Central Government to make rules.

(a) The Central Government may make rules, by notification in the Official Gazette, to carry out the purposes of this Act.

(b) Without prejudice to the generality of the power conferred by clause (a), the rules made thereunder may provide for all or any of the following matters:

(i) to define when a digital signature qualifies as a secure electronic signature consistent with the provisions of this Act;

(ii) to ensure the quality of repositories and the services they provide;

(iii) licensing of certification authorities and their authorized representatives and matters incidental thereto;

(iv) the activities of certification authorities, including the manner, method and place of soliciting business, and the conduct of such solicitation, if any;

(v) the standards to be maintained by certification authorities;

(vi) prescribing the appropriate standards with respect to the qualifications, experience and training of applicants for any certification authority or for their employees;

(vii) prescribing the conditions for the conduct of business by a certification authority;

(viii) providing for the content and distribution of written, printed or visual material and advertisements that may be distributed or used by a person in respect of a digital certificate or key;

(ix) prescribing the form and content of a digital certificate or key;

(x) prescribing the particulars to be recorded in, or in respect of, accounts kept by certification authorities;

(xi) providing for the appointment and remuneration of an auditor appointed under the regulations and for the costs of an audit carried out under the regulations;

(xii) providing for the establishment and regulation of any electronic system by a certification authority, whether by itself or in conjunction with other certification authorities, and for the imposition and modification of such requirements, conditions or restrictions as the Controller may deem appropriate;

(xiii) the manner in which a certification authority conducts its dealings with its customers, conflicts of interest involving the certification authority and its customers, and the duties of the certification authority to its customers with respect to digital certificates;

(xiv) prescribing any forms for the purposes of the rules; and

(xv) prescribing fees to be paid in respect of any matter or thing required for the purposes of this Act or the rules.

(a) Rules made under this section may provide that a contravention of a specified provision shall be an offense and may provide penalties not exceeding a fine of Rs. 50,000.
(c) Every rule made by the Central Government under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.

(d) All rules made by the Central Government under this Act shall be published in the Official Gazette.

Source: Singapore Electronic Transactions Act §42.

Comments: This section authorizes the Central Government to adopt rules necessary and appropriate to implement the provisions of this Act. In drafting such rules, appropriate consideration should be given to the goal of this Act to be flexible and technologically neutral. Given the rapid pace at which technology develops, overly prescriptive rules are inappropriate. For example, a requirement that Certification Authorities’ employees receive training in the use of specific technologies may not be appropriate, and broader language that permits flexibility in training requirements based upon the available state of technology would be preferred.

In developing rules regarding when a digital signature qualifies as a secure electronic signature, due consideration should be given to making such rules as flexible and technologically neutral as possible in order to accommodate rapidly evolving digital signature technologies.

In developing rules regarding the quality of repositories and their services, due consideration should be given to ensuring that the repositories maintain secure and reliable record management systems. The ISO 9000 guidelines for quality management may be a useful guideline for establishing quality control procedures for repositories.

In developing rules for licensing Certification Authorities, care should be taken to avoid, where possible, imposing specific technical requirements upon applicants. Some key factors, however, that should be considered in licensing Certification Authorities are: the financial capabilities of the applicant, the familiarity of the applicant with digital signatures, the capabilities of the applicant to manage volumes of information (i.e., certificates and related information) effectively, and the integrity of the applicant as a potential fiduciary for subscribers.

In developing rules governing the activities of certification authorities, particularly in regard to solicitation of business, due regard should be given to the provisions in the Advocates Act, 1961 and the Medical Council Act, 1956 regarding solicitation by advocates and members of the medical profession. In general, rules governing the activities and conduct of business of certification authorities should require certification authorities to at all times engage in ethical conduct.

In developing rules governing the standards to be maintained by certification authorities, due consideration should be given to establishing quality control guidelines for all activities of such authorities. The ISO 9000 quality assurance guidelines may be a source of reference.

In developing rules for the content and distribution of materials that may be distributed by a person in respect of a digital certificate or key, due consideration should be given to the need for keeping private keys confidential.

In developing rules prescribing the form and content of a digital certificate or key, consideration should be given to providing flexibility for the use of a variety of available digital signature technologies.

In developing rules for the appointment and remuneration of an auditor, due consideration should be given to the qualifications of an auditor, including the auditor’s familiarity with digital signature technology and the need for keeping audited information confidential as appropriate.

In developing rules providing for the establishment and regulation of any electronic system by a certification authority, and for the imposition and modification of such requirements, conditions or restrictions as the Controller may deem appropriate, due consideration should be given to permitting maximum flexibility to the certification authorities so long as basic rules regarding the conduct of certification authorities are followed.

In developing rules prescribing the manner in which a certification authority conducts its dealings with customers, due consideration should be given to the fact that the certification authority will have a fiduciary duty to subscribers with respect to its retention of private keys.

Of course, in the development of other rules, the Central Government should consider those issues that it deems necessary and appropriate. An area in which additional rules may be appropriate relates to the development of licensing requirements for network service providers.

62. Power to remove difficulties. If any difficulty arises in giving effect to the provisions of this Act, the Central Government may by an order published in the Official Gazette make such provisions as necessary for the purpose of removing the difficulty. No such order shall be made after two years from the commencement of this Act.