A history of electronic transactions which predates the internet, its evolution in Sri Lanka, and everything you needs to know about digital signatures and the legal implications, were addressed at an insightful online forum recently.
Sri Lanka was among the first countries to ratify a United Nations convention governing digital transactions and already agencies like ICTA and LankaClear with regulatory guidance from the Central Bank have laid the legal framework on which a vibrant digital payments ecosystem can be built. The Electronic Transactions Act of 2005, and amended in 2017, is among the earliest pieces of legislation anywhere in the world and the UN Commission for International Trade holds it up as a case study that several countries are now trying to base their laws on.
LankaSign is Sri Lanka’s only authorised CSP in Sri Lanka, operated by LankaClear and uses military-grade security equipment. It complies with Electronic Transactions Act (ETA) and is ISO 27000:2013 certified. Originally used for payment clearing related functions, LankaSign digital certificates are now offered to any external party who expects to avail themselves of the service. These certificates are already used by over 600 public and private sector organisations across the country with over 600,000 digital certificates being issued.
To raise awareness about digital signatures among the country’s banking fraternity, the ICT Agency of Sri Lanka (ICTA) with the support of the Ministry of Technology, LankaClear together with Sri Lanka Banks’ Association collaborated to organize a webinar ‘Legal Validity of Digital Signatures’ exclusively for the financial services sector. The virtual event was attended by over 300 participants. A synopsis of the webinar follows:
BUILDING THE FOUNDATIONS
As a nation, it has been some time since Sri Lanka embarked on a journey towards a digital economy. While the government, regulators like the Central Bank and the SEC, and agencies such as ICTA and LankaClear have laid the foundation and continue to strengthen the enabling infrastructure, the country’s financial sector must take the initiative to accelerate progress. Without the financial sector’s commitment, Sri Lanka will not be able to achieve the objective of becoming a digital country and a digital commerce platform for the rest of the world. LankaSign is one such initiative that enables the financial sector to accelerate its digital transformations.
The digital signature is of paramount importance in bringing about a high level of trust so crucial to digital commerce and trade and seamlessly linking Sri Lanka will the rest of the world because the country does not have to limit itself to the domestic market. In India, e-commerce transactions totalled $20 billion in 2020, demonstrating the potential Sri Lanka needs to unlock for itself.
LankaClear and ICTA are building a cohesive and enabling environment for banks and other important stakeholders in the economy to unlock the power of digital signatures in building a robust digital payments ecosystem. The combined efforts are guided by the Central Bank and come under the National Payments Council. LankaSign conforms to the highest global standards and uses high-security encryption technology, and it received the recognition and ratification of many other agencies. For example, the U.S. Embassy in Colombo, which has a rigorous process of evaluating and procuring technology, has signed up for LankaSign and is already executing transactions. Many government organizations and several large corporates in the country are already using LankaSign digital signatures. LankaClear is developing mobile compatible formats which will lead to a wider acceptance of digital signatures and elevate digital transactions not only internally but also externally, beyond the borders of Sri Lanka.
SETTING THE AGENDA
Initiatives such as digital signatures must be embraced positively in pursuit of a vision towards transforming Sri Lanka into a digital economy. Financial inclusion is an integral part of the overall strategy towards creating a digitally inclusive Sri Lanka, and the mandate at ICTA is to enable this transformation.
The purpose of a digital inclusive Sri Lanka is all about improving financial inclusion. At the present, even credit card adoption is low: there are two million active credit cards for 23 million debit cards. Therefore, Sri Lanka needs to ensure that the digital journey encompasses strategic KPIs to unlock the transformative potential of a digital economy, e-commerce, and fintechs. In this context, understanding the legal implications of digital signatures is critical for all stakeholders, particularly the banks and financial services providers.
Adopting digital signatures will enable the financial sector to provide an improved user experience in terms of customer onboarding and subsequent digital customer interactions. A circular issued by the Presidential Secretariat made it mandatory for all government institutions to move into electronic documents by 31st December 2021 with a special emphasis on adopting digital signatures. As such, several institutions have been prioritized in terms of implementation, while several government institutions such as Sri Lanka Customs, Central Bank, Telecommunications Regulatory Commission, Ceylon Electricity Board and Colombo Municipal Council are already using them.
ETA 101: ITS EVOLUTION AND SPECIAL FEATURES
In Sri Lanka’s journey towards a digital economy, LankaSign is an important initiative among many that set the foundation for accelerated advancement. To give a historic perspective on how electronic transaction laws came about, the foundation on which legal frameworks governing electronic transactions stand is the UNCITRAL (United Nations Commission on International Trade Law) model law on electronic commerce which pre-dated the internet.
This was in the era of electronic data interchanges and there was a pioneering move to encourage businesses to provide services to consumers electronically and digitally and to create legal certainty in that realm. UNCITRAL established the foundational principles in the form of the UNCITRAL Model Law on Electronic Commerce which were not binding on member countries.
Some countries adopted an identical standard manifested in the e-commerce model law, some adopted a lower standard, some adopted a higher standard which became very prescriptive and had an impact on the way businesses could function especially in providing electronic signatures in a country.
The issue that the global community had with the UNCITRAL model law was that with countries adopting different standards there was no harmonization. The lack of uniformity in the global e-commerce legislative landscape became a barrier for international cross border e-commerce and electronic business.
It was only in 2002 that the UN General Assembly adopted a resolution to appoint a working group within UNCITRAL to formulate an internationally binding legal instrument through a negotiation process between countries. About 60 countries actively participated in the negotiations and Sri Lanka was one of them, and thus, the United Nations Convention on the use of Communications in International Contracts, or UN Electronic Communications Convention for short, was born.
This became a unified global standard that facilitates cross border trade. It binds member countries to adopt similar domestic standards and legal frameworks. Sri Lanka is in line with this international legal instrument now in its second iteration, or Electronic Commerce Law 2.0.
It is the international gold standard governing global digital transactions. Universal adoption among member countries has been slow because it involves making major changes to domestic electronic transactions legislation, but Sri Lanka being a small country was able to do this faster than most.
What is important is that this framework, better known as the UN ECC, also has a unique feature whereby automated messaging systems and contracts formed through those systems have legal recognition as well, provided certain default rules are followed.
In terms of global adoption of this international legal standard, some of the larger countries adopted it earlier on.
Singapore, Sri Lanka, and China were also among the early adopters. Singapore played a pivotal role in this endeavour along with China. They were the first signatories to this international treaty from the Asia Pacific region in July 2006. Over the years Korea has become a party, they are making amendments to their domestic law to fulfil their obligations under this standard.
The Philippines is a signatory and are slowly working towards making amendments to their domestic legal regime to facilitate cross border trade. Thailand has announced accession, and so has Vietnam.
Following Sri Lanka’s Electronic Transaction Act Number 19 of 2006 as a model often cited by the UNCITRAL Secretariat, Fiji and Bahrain are also becoming state parties to this convention. Australia had several changes at the state level. For instance, the State of Victoria has had to significantly modify its state laws. In the US, the 50 states have amended laws governing contract related issues and the White House announced that they would have to seek the permission of the Senate to accede to this convention.
Sri Lanka formally ratified this international binding instrument and is bound legally to the international Gold Standard with effect from February 2016 and as a consequence, Sri Lanka amended its Electronic Transactions Act. The result is that when promoting Sri Lankan knowledge services to other countries, the Sri Lankan legal transactions regime can also be used as a knowledge export service to other countries.
Fiji, Ghana, Ethiopia, and Costa Rica have already engaged Sri Lanka’s full cooperation and Sri Lanka is helping them fast track their journey of establishing enabling legal frameworks. In this context, Lanka Clear has always been a very proactive partner and is another example of a public-private partnership, a model that Sri Lanka can export to other countries as well.
Here are some of the key features of the Electronic Transactions Act: it is a piece of legislation founded on international standards and developed with care and purpose. According to its long title, it is a statute to facilitate and recognize the formation of contracts, the creation and exchange of four classes of instruments namely data messages, electronic documents, electronic records, and other communications in electronic form, and to provide for the appointment of a certification authority, and accreditation of certification service providers who provide authentication services.
All categories of electronic transactions whether B2B, B2C or government to business done electronically are legally enabled, protected and made valid through this Electronic Transactions Act with the only exceptions being those which are excluded under Section 23 of the Act including last wills, power of attorney, and the transfer of immovable property.
The Act contains a foundational principle to say that a data message, electronic document, electronic record, or other communication should not be denied legal recognition, affect validity or enforceability purely because it is in the electronic form.
In a tribunal or court of law, if somebody were to object to the presenting of evidence in the form of a data message, electronic document, electronic record, or a communication that is in electronic form, that objection can be ruled out based on Section 3 of the Act. That foundational principle is a strong statement legally which goes to the very core of the Electronic Transactions Act.
Section 4 is another important section that gives recognition to the electronic equivalent of writing and is referred to as another foundational principle in the law where functional equivalence is given to the manual written form. It is a foundational principle, and all that Section 4 says is that even if there is a requirement under any law for something to be in writing, that requirement can be met in digital form if that digital record is maintained in a manner that is available for subsequent reference.
This concept of subsequent reference requires organizations that are regulated, such as banks, to put in place governance structures and IT policies concerning maintaining records digitally within the system and that would mean that you have security controls and other features built-in.
Once you have those governing structures in place and you can demonstrate that documents are digitally archived and stored in a manner allowing them to be retrieved for subsequent reference by indexing them, classifying them, and methodically storing them for the duration of the archivable period, then legally, those will be valid equal to any requirement of a written document prescribed by law.
Sections 5 and 6 are about ensuring retention of electronic documents and maintaining the originality, it also underlies certain principles based on Section 4. Section 7 of the Electronic Transactions Act is an especially important principle that gives legal recognition to Electronic Signatures and digital signing methods, and it says that where a written law requires something to be signed between the parties, that requirement can be met by using an authentication method that can identify the person and that method has to be reliable for the appropriate purpose.
It must be noted that the Electronic Transactions Act is much broader: it not only covers electronic business, electronic commerce but also covers under Section 8, electronic government related transactions and facilitates a foundational legal framework for the recognition of electronic government activity. Anything done manually in government such as filing of records, issuing of licenses including the payment cycle, as now seen in the Customs process, are covered in this section.
Sections 11 – 17 are specific chapters governing electronic contracts and Section 18 – 20 are those which relate to the governance of service providers who provide electronic signature services and Section 21 covers rules governing electronic evidence.
On electronic signatures, it must be emphasized that the foundational principles through which any manual signature can be given legal recognition through an electronic method, that method has to be as dependable and appropriate for the purpose. However, digital certificates issued by recognized certification service providers will enhance legal validity about that method being reliable to ensure nonrepudiation and integrity, as well as create reliability through the digital transactions conducted.
The Electronic Communications Convention that Sri Lanka has adopted facilitates cross border recognition of electronic signatures as well. Sri Lanka can easily establish mutual legal recognition arrangements with China, Australia, and Singapore to ensure that all those cross-border documents digitally signed become legally accepted at both ends.
The electronic signature regulatory framework is already established through Sri Lanka CERT and there is in place a governing task force hosted by the Central Bank of Sri Lanka appointed under the provisions of the Electronic Transactions Act. Their primary objective is to ensure that the functions associated with issuing electronic signatures or digital signing methods are interoperable to the maximum extent possible and to ensure that they are per international standards. Some of these provisions improved over the years.
The task force governing the certificating authority functions have been in operation since 2011 and works closely with the Central Bank of Sri Lanka and LankaClear became the first authorized certificate service provider in March 2013. This entity is a public-private partnership established by Central Bank with other participating banks being shareholders governing Lanka Clear. Its functions have now extended beyond the banking sector to support the digitalisation of Customs clearance and more. LankaClear has a special license under the Monetary Law Act and is also a sectoral certificate service provider.
When Sri Lanka Root Certificate launched on Valentine’s Day in 2020, after a six-year process of technical evaluation, procurement, and certification under international standards, Sri Lanka became the first in South Asia to adopt an international standard governing the issuance of root certificates. Sri Lanka follows the Web Trust Standard, and many developments have since taken place such as the facilitation of single window paperless trading activities, and online and digital transactions in the public sector, including Customs clearance, using digital certificates authorized by Lanka Clear.
ADMISSIBILITY OF ELECTRONIC EVIDENCE UNDER THE ETA
In Sri Lankan courts, the question arises on how electronic transactions satisfy legal requirements if the law requires a particular document, signature, or evidence to be in writing. The Electronic Transactions Act has made clear provisions in Section 3 that if the law requires an original document, an electronic one can satisfy that requirement. In response to technological and market developments and the challenges that have followed, many jurisdictions have adopted laws governing electronic transactions or e-commerce that if they meet certain conditions, the legal value and the effect of an electronic document or communication can also satisfy the purpose and function of a paper-based document.
The Electronic Transactions Act has not attempted to alter the traditional rules governing paper-based documents. It avoids creating separate rules for electronic communication and electronic transactions. Instead, it has attempted to comply with the law in principle by requesting that parties compare to the minimum standard so that the function and the purpose of a paper-based document can also be satisfied by the electronic document and communication.
In this context, it is important to understand the historic perspective of the admissibility of electronic evidence in this country. Sri Lanka has the Evidence Ordinance which has of course made certain provisions to admit documents that can be classified as oral evidence, documentary evidence, and real evidence. Oral evidence is given in a court of law or inquiry, documentary evidence includes deeds and all documents produced for the inspection of the court and does not include electronic or computer evidence, and real evidence is sometimes interpreted as computer evidence.
Sri Lanka’s Evidence Ordinance has not recognized computer evidence as real evidence as such this legally is evidence such as photographs and objects produced in court for inspection. There are other types of evidence such as direct evidence like testimonies, circumstantial evidence, and hearsay evidence which is a statement other than the one made by a witness and is particularly important for electronic evidence, and opinion evidence. These are the types of evidence that usually apply to Sri Lankan courts.
Electronic or digital evidence relates to evidence in most electronic apparatus or devices. Any evidence that is created, recorded, stored, produced, or transmitted in any electronic form is electronic evidence. Even if someone deletes a file, the information contained in the deleted file is evidence, which may come within the term of information or document. Digital or electronic evidence can be crucial to proving a case and can be relied upon for investigation in tribunals and courts to either establish or dispute a fact.
The introduction of the Special Provisions Act enabled the introduction of a series of statutes, some of which directly deal with electronic evidence, in many forms. The Penal Court Evidence Ordinance was amended, and several new laws were enacted including the Intellectual Property Law, the Computer Crimes Act, the Electronic Transactions Act, and the Payment and Settlement Act. The Evidence Amendment Act was also introduced where the video recording of an interview with a child and bank accounts in electronic form were permissible as evidence.
The Electronic Transactions Act was introduced in 2006 and the amendment to that was introduced in 2017. The key instruments that have legal recognition under the provision of the Electronic Transactions Act and are broadly defined are data messages, electronic records, electronic documents, and other communications which include any statement, declaration, demand, notice or request. However certain other instruments have been excluded from the operation of the Electronic Transactions Act. Having said that, one must consider the rules that are adopted in the Electronic Transactions Act with regard to admissibility. It has to be considered whether a document is relevant or admissible, and if it is, then courts will allow that document to be admitted as evidence.
In admitting a document as evidence, a court will have to consider if it is expert testimony or if the evidence coming from a privileged source of information or is it a confession. Evidence will not be admissible if it is hearsay, but there are exceptions as far as the electronic aspect is considered if the condition for applicability is satisfied. Then, the burden will be on the other party to prove that the conditions have not been met by the person who relies on the provision.
The next question will be whether the evidence has been authenticated. The authentication standard involves reliability and integrity, and if a party can satisfy on the prima facie basis that the evidence is reliable and the standard of integrity is met, then the evidence is admissible. Once the admissibility criteria are met then the next question to consider is the proof of content; that is the value or weight attached to that document. If the document is not admitted, then the question of proof will not arise, but if the document is admitted, the question of proof will arise in court. These are the basic criteria, and among them, the authentication of an electronic document may be relevant in legal proceedings.
As far as admissibility is concerned, the key provision in the Electronic Transactions Act Section 21 refers to four types of instruments, data messages, electronic documents, electronic records, and other electronic communication. Any information contained therein touching any evidence is relevant. The whole idea for the purpose of the Electronic Transactions Act for the admissibility criteria is first there are two types of documents, the traditional and the electronic document. In the traditional document, there is the standard of writing, original signature, and record-keeping that must be considered.
The purpose and function of a traditional document can also be satisfied by any electronic document or communication provided the court is satisfied that certain minimum standards are met. Those are the standards that have been set out in Sections 4, 5, 6 and 7 and apply to electronic signature as well. If the conditions which apply to an electronic signature are satisfied in the digital signature process, that digital signature will enjoy the same level of effect and value as any traditional signature.
The electronic transaction does not in any way remove the paper-based requirements, but it supports and supplements them to be consistent with the minimum standard prescribed by the Electronic Transaction Act, so the banking sector can consider this as an advantage.
There is the more important term ‘regularly conducted activity’ which applies to business transactions conducted regularly. Any transaction made and properly recorded in the course of regularly conducted activity on computerised business equipment, financial ledgers, computerised accounts ledgers, are all considered to be part of the regularly conducted activity. If that activity pertains to a knowledgeable person or under his supervision, then it is easy to satisfy the court that it is a regularly conducted activity and will fall within Section 21.
Authentication is an important criterion, and if an electronic signature is not properly authenticated it may be rejected. Authentication of a document in electronic form can be established in many ways, by electronic signature, by certificate service providers, or by the testimony of a witness who has the knowledge of that particular transaction.
Presumptions also apply in considering the question of authentication. Authentication is intricately linked with presumption. In the case of metadata, which is found in emails and creates certain problems, a service provider may be required if it is challenging court, so it can be authenticated by a forensic examination, or sent to an expert for his opinion with a certificate, and also by IP addresses.
Those are the normal tools of authentication of electronic evidence. but there are also technical standards for which companies and institutions will have to change their policies, manage their documents and communications so that they will be able to satisfy the reliability of their record management services.
Unless there is a proper record, courts may question the management services of a bank or financial institution, or question of reliability and the accuracy of the information contained in such management services. The reliability of the computer system can be satisfied by confirming that the computer system was operating properly at all times or if there was a technical defect, that it did not affect the accuracy of the information and records taken during the usual course of business transactions.
Authentication can be proven with these technical tools. It is also important that the data contained in the information is complete, unaltered though there was a chance it did not affect the entire system.
Those are the technical terms to satisfy the authentication standard in courts. Those are the questions that technical lawyers may pose in courts who are knowledgeable on the record management services systems and the record management policies adopted by the banks and the financial institutions. The integrity of the record management system services is very crucial when called upon to satisfy the standard of authentication.
Hearsay as a general rule is not acceptable. In the electronic world, there have to be some exceptions because there are some paperless transactions that take place. Hearsay applies when there is human intervention but there are many exceptions as far as this topic is concerned, the banker’s book is one exception. Section 19A of the Evidence Ordinance was amended and a new section has now been included, and the concept of the Bankers’ Book has been expanded, which includes the data stored by electronic means so this can be proved with an affidavit.
The more important exception to hearsay is the business record exception. It is important to prove that any private record made by an employee will not come within the business record exception. It has to be kept by a responsible person of that organization and it has to be done in the course of a business trade or profession, and if it is done regularly as a regular practice of that entity and that is what is known as a regular business activity.
Then Section 21 will be applicable, and courts will apply the admissible criteria. The business record can be any original business records such as files, draft letters, agreements, correspondence, financial documents, accounts, bank statements, payment vouchers, provided these documents satisfy the criteria required in the business record exception.
There are exceptions or presumptions to the general rule if there is any data message or communication made by a dead person or mentally not in a fit condition to attend court, or is outside the country, or does not want to give oral evidence through fear or the party is preventing anyone from giving evidence, giving way to that information, may be admissible. This will be applicable to a particular situation and not as a general rule where evidence has to be led that a person is dead, cannot be found or other requirements.
On the basis of the prima facie material. which is presented to court usually by an affidavit, with the certificate, the court will presume the genuineness of this document. The court will decide not on its own but on the material presented during the pre-trial. It is for the other party to prove otherwise. The presumption applies to any distinctive identification mark. Presumption of accuracy and genuineness, contained in any electronic document, record, communication or data message is very crucial for banks and financial institutions when they want to tender a document to the court and invite the court to presume the truth of the information and the fact that the information was sent by the person purported to have sent it.
There is a huge opportunity for the service sector, especially the certificate service providers to expand and support lawyers and law firms who will now be compelled to apply the provisions of this act. There are certain shortcomings that will have to be provided to the legal community and the banks, it is now time for the banks and financial institutions to change their policies and schedules and recruit technical lawyers.
There is a need for technical lawyers and technical law firms in this country if Sri Lanka is to apply the provision of the Special Provisions Act and the Electronic Transactions Act. There is a need for services providers who will provide electronic services to the litigants and the lawyers, only then will Sri Lanka be able to reap the full benefits of the Electronic Transactions Act.