Electronic Signature Law of the People’s Republic of China

By Todd Kuhns. Last Updated on Apr 23, 2019
Effective Date: 4-23-2019

Source: Website

Chinese Title: 中华人民共和国电子签名法

(Revised on 24 April 2015 pursuant to the Decision of the Standing Committee of the National People’s Congress on Revision of Six Laws Including the Electric Power Law of the People’s Republic of China;

Revised on 23 April 2019 pursuant to the Decision of the Standing Committee of the National People’s Congress on Revision of Eight Laws Including the Construction Law of the People’s Republic of China)

Chapter 1 General Principle

Article 1 The Law is formulated for the purposes of standardizing the conduct of electronic signature, confirming the legal validity of electronic signature, and safeguarding the legitimate rights and interests of the relevant parties.

Article 2 “Electronic signature” referred to in this Law shall mean data contained in or attached to a data message in electronic form, which is used to identify the signatory and indicate the signatory’s approval of the content therein. “Data message” referred to in this Law shall mean information generated, sent, received or stored by electronic, optical, magnetic or similar means.

Article 3 For contracts or other documents and instruments in civil activities, the parties involved may agree to use or not to use electronic signature and data message. Documents for which the parties involved agree to the use of electronic signature or data message shall not be denied legal validity on the ground of electronic signature or data message being used.

The provisions of the preceding paragraphs shall not apply to the following documents:

(1) relating to personal relationships such as marriage, adoption and inheritance;

(2) involving suspension of public utilities such as water supply, heating supply, gas supply etc; or

(3) any other circumstances where electronic documents are not applicable as stipulated by laws and administrative regulations.

Chapter 2 Data Message

Article 4 Data message which can tangibly express the content it contains and can be retrieved, checked and used at any time shall be deemed to be compliant with the written format required by laws and regulations.

Article 5 Data message which satisfies the following criteria shall be deemed to satisfy the requirements for original form provided by laws and regulations:

(1) can effectively express the contents contained, and can be retrieved, checked and used at any time; and

(2) can reliably guarantee that the content remains intact and unchanged from the time of its ultimate formation. However, endorsement on the data message, as well as changes in format during the exchange, storage and display of data message, does not affect the integrity of the data message.

Article 6 Data message which satisfies the following criteria shall be deemed to satisfy the document storage requirements stipulated by laws and regulations:

(1) can effectively express the contents contained, and can be retrieved, checked and used at any time;

(2) the format of the data message is identical to that of the data message at the time of generation, sending and receiving, or despite that the format is different, the data message can accurately express the content of the message that was originally generated, sent or received; and

(3) can identify the sender and recipient of the data message as well as the time of sending and receiving.

Article 7 Data message shall not be rejected as evidence solely on the ground that it was generated, sent, received or stored by way of electronic, optical, magnetic or similar means.

Article 8 The following factors shall be considered when examining the veracity of data message to be used as evidence:

(1) reliability of the means of generation, storage and transfer of data message;

(2) reliability of the means of maintaining the integrity of the content;

(3) reliability of the means of distinguishing the sender; and

(4) other related factors.

Article 9 Data message which satisfies any of the following criteria shall be deemed sent by the sender:

(1) sent with authorization of the sender;

(2) sent automatically from the information system of the sender; or

(3) the recipient gets a matching result upon verification of the data message using a method acknowledged by the sender.

Where the parties agree otherwise on the preceding matters, such agreement shall prevail.

Article 10 Where receipt acknowledgement of the data message is stipulated by laws and administrative regulations or agreed between the parties, the recipient shall acknowledge receipt of the data message. When the sender receives the receipt acknowledgement from the recipient, the data message shall be deemed received.

Article 11 The time of entry of a data message into an information system outside the control of the sender shall be the time of sending the data message. Where the recipient specifies a specific system to receive the data message, the time of entry of the data message into the system shall be the time of receipt of the data message; where there is no specification of a specific system, the time of entry of the data message into any of the recipient’s systems shall be the time of receiving the data message.

Where the parties agree otherwise on the time of sending and receiving data message, such agreement shall prevail.

Article 12 The principal business venue of the sender shall be deemed as the place of sending data message; the principal business venue of the recipient shall be deemed as the place of receiving data message. Where there is no principal business venue, the permanent residence shall be deemed as the place of sending or receiving. Where the parties agree otherwise on the place of sending and receiving data message, such agreement shall prevail.

Chapter 3 Electronic Signature and Authentication

Article 13 An electronic signature shall be deemed as reliable electronic signature if it satisfies all the following criteria:

(1) when the electronic signature creation data is used for electronic signature, it is exclusively proprietary to the electronic signatory;

(2) the electronic signature creation data is exclusively controlled by the electronic signatory at the time of signing;

(3) any subsequent alteration to the electronic signature after the signature can be detected; and

(4) any subsequent alteration to the content and form of the data message after the signature can be detected.

The parties may choose an electronic signature which complies with their agreement on reliability requirements.

Article 14 Reliable electronic signatures shall have the same legal validity as handwritten signature or affixation of seal.

Article 15 Electronic signatory shall keep electronic signature creation data properly. If an electronic signatory is aware that the signature creation data is or may be compromised, the signatory shall promptly inform the relevant parties and terminate the use of such electronic signature creation data.

Article 16 Authentication service shall be offered by a lawful electronic authentication service provider if a third party’s authentication is required for electronic signature.

Article 17 Electronic authentication service providers shall satisfy the following criteria:

(1) qualify as enterprise legal person;

(2) have professional technicians and managers appropriate for provision of electronic authentication service;

(3) have assets and business premises appropriate for provision of electronic authentication service;

(4) have technology and equipment which comply with safety standards of the State;

(5) obtained the certificate of approved use of code issued by the national code administration body; and

(6) satisfy any other criteria stipulated by laws and administrative regulations.

Article 18 Proposed electronic authentication service providers shall apply to the information industry department of the State Council, and submit the relevant materials stipulated by the provisions of Article 17 of this Law. The information industry department of the State Council shall, upon receipt of the application and examination pursuant to the law, seek comments from the commerce administration department of the State Council etc, and decide whether to issue the electronic authentication licence or not within 45 days from receipt of the application. If the approval is granted, an electronic authentication license shall be issued; if the approval is not granted, the applicant shall be notified in writing and the reason shall be given.

Electronic authentication service providers which have obtained authentication qualification shall publish their name, license number and other relevant information on the Internet pursuant to the provisions of the information industry department of the State Council.

Article 19 Electronic authentication service providers shall formulate and promulgate electronic authentication service rules which comply with the relevant provisions of the State, and file record with the information industry department of the State Council.

The electronic authentication service rules shall cover the scope of liability, operational norms and information security protection measures etc.

Article 20 For application of an electronic signature certificate from electronic authentication service provider, electronic signatories shall provide true, complete and accurate information.

Electronic authentication service providers shall verify the identity of the applicant and review the relevant materials, upon receipt of an application for electronic signature certification.

Article 21 An electronic signature certificate issued by an electronic authentication service provider shall be accurate and error-free, and state the following contents:

(1) name of the electronic authentication service provider;

(2) name of the certificate holder;

(3) serial number of the certificate;

(4) validity period of the certificate;

(5) electronic signature authentication data of the certificate holder;

(6) electronic signature of the electronic authentication service provider; and

(7) any other contents provided by the information industry department of the State Council.

Article 22 Electronic authentication service providers shall guarantee the integrity and accuracy of the contents of the electronic signature certificate within the validity period of the certificate, and that the party(ies) relying on the electronic signature can verify and understand the contents and other relevant matters recorded on the electronic signature certificate.

Article 23 Electronic authentication service providers proposing to suspend or terminate electronic authentication service shall inform the relevant parties of the service takeover and other matters at least 90 days prior to the suspension or termination of the service.

An electronic authentication service provider proposing to suspend or terminate its electronic authentication service shall report to the information industry department of the State Council at least 60 days prior to the suspension or termination of the service, and shall discuss with another electronic authentication service provider on takeover of the service, and make proper arrangements.

Where the electronic authentication service provider fails to agree with another electronic authentication service provider on takeover of the service, it shall apply to the information industry department of the State Council to arrange for takeover of the service by another electronic authentication service provider.

In the event that the electronic authentication permit of an electronic authentication service provider is revoked pursuant to the law, the takeover of its service shall be handled pursuant to the provisions of the information industry department of the State Council.

Article 24 Electronic authentication service providers shall retain authentication information properly for at least five years from the date of expiry of an electronic signature certificate.

Article 25 The information industry department of the State Council shall formulate detailed administrative measures on electronic authentication service industry pursuant to this Law, and implement supervision and administration for electronic authentication service providers.

Article 26 Upon verification by the information industry department of the State Council in accordance with the relevant agreement or reciprocity, electronic signature certificates issued overseas by foreign electronic authentication service providers shall have the same legal validity as electronic signature certificates issued by electronic authentication service providers established pursuant to this Law.

Article 27 Electronic signatories who are aware that the signature creation data is or may be compromised but fail to promptly inform the relevant parties and to terminate the use of such electronic signature creation data, or fail to provide authentic, complete and accurate information to electronic authentication service providers, or commit other fault which causes the party(ies) relying on the electronic signature and the electronic authentication service providers to suffer losses, shall be liable for compensation.

Article 28 Where an electronic signatory or the party(ies) relying on the electronic signature suffers losses in civil activities which rely on the electronic signature authentication service offered by an electronic authentication service provider, the electronic authentication service provider shall be liable for compensation if it is unable to prove that it is not at fault.

Article 29 For provision of electronic authentication service without licence, the information industry department of the State Council shall order to stop the illegal act; illegal income (if any) shall be confiscated; where the amount of illegal income is more than RMB300,000, a fine ranging from one to three times of the amount of illegal gains shall be imposed; where there is no illegal income or the amount of illegal income is less than RMB300,000, a fine ranging from RMB100,000 to RMB300,000 shall be imposed.

Article 30 Where an electronic authentication service provider suspends or terminates its electronic authentication service without reporting to the information industry department of the State Council at least 60 days prior to the suspension or termination of the service, the information industry department of the State Council shall impose a fine ranging from RMB10,000 to RMB50,000 on the directly accountable person-in-charge.

Article 31 Electronic authentication service providers which do not comply with the authentication service rules, or fail to maintain authentication information properly, or committed other violations shall be ordered by the information industry department of the State Council to make correction within a stipulated period; where correction is not made within the stipulated period, the electronic authentication permit shall be revoked, and the directly accountable person-in-charge and other accountable personnel shall be prohibited from engaging in electronic authentication service within the next 10 years. Revocation of electronic authentication permit shall be announced and the administration for industry and commerce shall be notified.

Article 32 Where forgery, or fraudulent or unauthorized use, of another’s electronic signature constitutes a criminal offense, the criminal liability of the offender shall be pursued in accordance with the law; the offender shall bear civil liability pursuant to the law for losses suffered by others as a result.

Article 33 Personnel of the authority in charge of supervision and administration of electronic authentication service pursuant to the law, who do not perform administrative licensing and supervision and administration duties, shall be subject to administrative punishment pursuant to the law; where the case constitutes a criminal offence, criminal liability shall be pursued in accordance with the law.

Chapter 5 Supplementary Provisions

Article 34 The following terms used herein shall be defined as follows:

(1) “electronic signatory” shall refer to the person who holds signature creation data and implements electronic signature on his/her own or on behalf of the person he/she represents;

(2) “party(ies) relying on electronic signature” shall refer to the party(ies) engaging in the relevant activities based on the trust of an electronic signature certificate or electronic signature;

(3) “electronic signature certificate” shall refer to the data message or other electronic record which can confirm the connection between an electronic signatory and electronic signature creation data;

(4) “electronic signature creation data” shall refer to data such as symbols and codes etc which are used in the course of electronic signature to establish a reliable connection between the electronic signature and the electronic signatory; and

(5) “electronic signature authentication data” shall refer to the data used to certify an electronic signature, including the code, password, algorithm or public key etc.

Article 35 The State Council or the departments stipulated by the State Council may formulate detailed measures pursuant to this Law on the use of electronic signature and data message in political activities and other social activities.

Article 36 This Law shall be implemented with effect from 1 April 2005.