Electronic Commerce Act - 1998

Part IX -- Regulation of Certification Authorities and Repositories
41. Appointment of Controller and Other Officers

(a) The Central Government shall appoint a Controller of Certification Authorities for the purpose of this Act and, in particular, for the purposes of licensing, certifying, monitoring and overseeing the activities of certification authorities.

(b) The Controller may, after consultation with the Central Government, appoint such number of Deputy and Assistant Controllers of Certification Authorities and officers as the Controller considers necessary to exercise and perform all or any of the powers and duties of the Controller under this Act or rules made under this Act, except for the Controller’s power to direct compliance as set forth in Section 54 of this Act.

(c) The Controller, the Deputy and Assistant Controllers and officers appointed by the Controller under Section 41 shall exercise, discharge and perform the powers, duties and functions conferred on the Controller under this Act or any rules made under this Act, subject to such written directions as may be issued by the Central Government to the Controller and subject to Section 54 of this Act.

(d) The Controller shall maintain a publicly accessible database containing a certification authority disclosure record for each certification authority which shall contain all the particulars required under the rules made under this Act.

(e) The Controller may investigate complaints or other information indicating violations of rules adopted under this Act, and may refer for prosecution any suspected or alleged violations to the appropriate government agency.

(f) In the application of the provisions of this Act to certificates issued by the Controller and digital signatures verified by reference to those certificates, the Controller shall be deemed to be a certification authority.

(g) The Controller, the Deputy, Assistant Controller and officers appointed by the Controller shall be deemed to be public servants for the purposes of the Penal Code.
(h) In exercising any of the powers under this Act, any officer appointed by the Controller shall on demand produce to the person against whom he is acting the authority issued to him by the Controller.

Source: Singapore Electronic Transactions Act §§41 and 50.

42. Recognition of Foreign Certification Authorities

(a) Certificates issued by a foreign certification authority, and signatures and records complying with the laws of another jurisdiction relating to digital or other electronic signatures, are recognized as legally equivalent to certificates issued by certification authorities operating under this Act, and to the signatures and records complying with this Act, if the laws of the other jurisdiction and the practices of the foreign certification authority require a level of reliability at least equivalent to that required for such certificates, records and signatures under this Act.

(b) Notwithstanding the preceding paragraph, the Controller and parties to commercial and other transactions may specify that a particular certification authority, class of certification authorities or class of certificates must be used in connection with messages or signatures submitted to them.

(c) The determination of equivalence described in subsection (a) may be made by a published determination of the Controller in the Official Gazette or through bilateral or multilateral agreement with other jurisdictions.
The determination of equivalence shall be made with regard to the following factors:

(i) financial and human resources, including existence of assets within jurisdiction;

(ii) trustworthiness of hardware and software systems;

(iii) procedures for processing of certificates and applications for certificates and retention of records;

(iv) availability of information to subscribers identified in certificates and to potential relying parties;

(v) regularity and extent of audit by an independent body;

(vi) the existence of a declaration by the jurisdiction, an accreditation body or the certification authority regarding compliance with or existence of the foregoing;

(vii) susceptibility to the jurisdiction of the courts of the enacting jurisdiction; and

(viii) the degree of discrepancy between the law applicable to the liability of the certification authority and the law of the enacting jurisdiction.

Source: UNCITRAL Draft Rules, Chapter III, Article 19.

43. Recommended Reliance Limit

(a) A certification authority may, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.

(b) The certification authority may specify different limits in different certificates as it deems appropriate.

Source: Singapore Electronic Transactions Act §44.

Comments: This section provides maximum flexibility to the Controller in setting reliance limits for different certificates issued.

44. Liability Limits for Certification Authorities.
Unless a certification authority expressly waives the application of this section, a certification authority shall not be liable for the following:

(a) For any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the false or forged digital signature, the certification authority complied with the requirements of this Act and applicable regulations; and

(b) For an amount in excess of the amount specified in the certificate as its recommended reliance limit for either:

(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the certification authority is required to confirm; or

(ii) intentional or knowing failure to comply with any provisions of this Act in issuing the certificate, unless such failure to comply was done intentionally or knowingly.

Source: Singapore Electronic Transactions Act §45.

45. Recognition of Repositories.

(a) The Controller may recognize one or more repositories after determining that a repository to be recognized satisfies the requirements prescribed in the regulations made under this Act.

(b) The Controller shall publish a list of recognized repositories in such form and manner as he may determine.

Source: Malaysia Digital Signature Act §68.

46. Liability of Repositories.

(a) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository and a certification authority or a subscriber, a repository shall be liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.
(b) Unless waived, a recognized repository or the owner or operator of a recognized repository:

(i) shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;

Source: Malaysia Digital Signature Act §69.