The Electronic Transactions Act, 2063 (2008)

Anil Pandit



Date of Authentication and Publication: 22 Mansir 2063 (December 8, 2006)

 

The law ensures the authentication, security, and reliability of electronic records and transactions while preventing unauthorized use or alterations. It establishes legal provisions for regulating electronic data and combating cyber-related offenses.

Chapter – 2

Provisions Relating to Electronic Record and Digital Signature

3. Authenticity of Electronic Record:

  1. A subscriber may authenticate an electronic record using their personal digital signature.
  2. Authentication involves transforming the record using an asymmetric crypto system and a hash function.
    • Explanation: A hash function maps a record to a hash result that is the same every time for the same input, ensuring integrity and making it computationally infeasible to reconstruct the original record from the hash result or to find two different records that produce the same hash result.
  3. Any person can verify an electronic record using the subscriber’s public key.

4. Legal Recognition of Electronic Record:

  • Any information, document, or record required by law to be in written or printed form is legally valid if maintained in electronic form, following the prescribed procedures.

5. Legal Recognition of Digital Signature:

  • If a signature is legally required for certification, a digital signature fulfilling the stipulated procedures holds the same legal validity.

6. Electronic Records to be Kept Safely:

  • Electronic records legally fulfill storage requirements if they:
    (a) Remain accessible for future reference.
    (b) Are preserved in their original format, ensuring accurate reproduction.
    (c) Include details of origin, destination, and transmission/receipt timestamps.
    Exception: Automatically generated transmission details are exempt.

7. Electronic Record as an Original Document:
An electronic record satisfies the requirement of an original document if:
(a) It is ensured that no changes have been made since its initial electronic generation.
(b) It can be clearly presented to the concerned person when required.

8. Secured Electronic Records:
An electronic record is deemed secure if verified under prescribed security procedures to ensure no unauthorized changes have been made.

9. Secured Digital Signature:
A digital signature is considered secure if examined under prescribed security procedures to confirm its authenticity and integrity.

 

Chapter 3:

Provisions Relating to Dispatch, Receipt, and Acknowledgement of Electronic Records

10. Attribution of Electronic Records to the Originator:

  1. An electronic record is attributed to the originator if:
    (a) It was transmitted by the originator.
    (b) It was transmitted by an authorized person acting on behalf of the originator.
    (c) It was sent through an automated system programmed by or on behalf of the originator.
  2. If prescribed conditions are met, the addressee may assume the record is from the originator and act accordingly.

11. Procedure for Receipt and Acknowledgement of Electronic Records:

  1. If the originator requests an acknowledgment of receipt or there is an agreement for acknowledgment, the following provisions apply:
  2. If no specific format or method is agreed upon, acknowledgment may be given:
    (a) Through automated or other communication means.
    (b) By any action of the addressee indicating receipt.
  3. If the originator specifies that the record is binding only upon receipt of acknowledgment, it is not considered transmitted until acknowledgment is received.
  4. If no such condition is set, acknowledgment must be received within the prescribed time; otherwise, the record is deemed not transmitted.
  5. Other acknowledgment procedures shall be as prescribed.

12. Time and Place of Dispatch and Receipt of Electronic Records

  1. Time of Dispatch:
    • An electronic record is considered dispatched when it enters an information system beyond the control of the originator, unless otherwise agreed.
  2. Time of Receipt:
    • The time of receipt shall be determined as prescribed, unless otherwise agreed between the originator and addressee.
  3. Place of Dispatch and Receipt:
    • An electronic record is deemed to be dispatched from the originator's place of business and received at the addressee's place of business, unless otherwise agreed.

Explanation:

  • If an originator or addressee has multiple places of business, the relevant place is where the business operates.
  • If there is no business location, their residence shall be considered the place of business.

Chapter 4:

Provisions Relating to Controller and Certifying Authority

13. Appointment of the Controller and Other Employees

  1. The Government of Nepal may appoint or designate a qualified officer as the Controller through a notification in the Nepal Gazette.
  2. To assist the Controller, the Government may appoint a Deputy Controller and other necessary employees who will work under the direction and control of the Controller.

14. Functions, Duties, and Powers of the Controller

The Controller has the following responsibilities:
(a) Issuing licenses to Certifying Authorities.
(b) Supervising and monitoring Certifying Authorities.
(c) Setting standards for verifying digital signatures.
(d) Specifying operational conditions for Certifying Authorities.
(e) Determining the format and contents of digital certificates.
(f) Defining procedures for Certifying Authorities in their dealings with subscribers.
(g) Maintaining public records of Certifying Authorities and updating a public-accessible computer database.
(h) Performing additional functions as prescribed.

15. Requirement of a License

  • No person shall function as a Certifying Authority without obtaining a valid license under this Act.

16. Application for a License

  1. Any person meeting the prescribed qualifications and wishing to act as a Certifying Authority must submit an application to the Controller in a prescribed format, along with the required fee.
  2. The application must include:
    (a) Details of the certification process.
    (b) Identification and verification documents of the applicant.
    (c) Statements of financial resources, human resources, and necessary infrastructure.
    (d) Other prescribed documents.
  3. The Controller may request additional documents to assess the applicant’s suitability. No action will be taken on the application until the required documents are submitted.

17. Other Functions and Duties of the Certifying Authority

Certifying Authorities must perform functions beyond issuing, suspending, or revoking certificates, as prescribed.

18. Procedure for Granting a License

  1. The Controller decides within two months whether to issue a license after reviewing the application and documents.
  2. The Controller may inspect the applicant’s resources.
  3. If granted, a license with validity and terms will be issued.
  4. Additional procedures for issuing a license will be prescribed.

19. Renewal of License

  1. Certifying Authorities must renew their licenses annually.
  2. Applications for renewal must be submitted two months before expiration, with a prescribed fee.
  3. The Controller will decide on renewal one month before the license expires.
  4. If renewal is denied, the Certifying Authority will have a chance to present its case.

20. License May Be Suspended

  1. The Controller can suspend a license if documents or resources are found false or conditions are violated, after providing an opportunity for defense.
  2. Other suspension procedures will be prescribed.

21. License May Be Revoked

  1. The Controller can revoke a license if the Certifying Authority violates the Act, submits false documents, harms public interest, or commits an offense, after providing a defense opportunity.
  2. Other revocation procedures will be prescribed.

22. Notice of Suspension or Revocation of a License

  1. The Controller will notify the Certifying Authority of the suspension or revocation and publish it electronically and in two newspapers.
  2. The decision remains valid even if the notice is not published.

23. Recognition of Foreign Certifying Authority

  1. With government approval, the Controller may recognize foreign Certifying Authorities, allowing them to issue certificates in Nepal.
  2. Procedures for recognition will be prescribed.

24. The Controller May Issue Orders

The Controller can issue directives for Certifying Authorities to comply with their responsibilities.

25. The Controller May Delegate Power

The Controller may delegate powers to subordinate officers to perform functions under the Act.

26. The Controller May Investigate

  1. The Controller may investigate non-compliance with the Act or Rules.
  2. Certifying Authorities must assist in investigations.
  3. Procedures for investigations will be prescribed.

27. Performance Audit of Certifying Authority

  1. The Controller may conduct an annual performance audit of Certifying Authorities.
  2. A recognized auditor with expertise in computer security may be appointed.
  3. The audit report will be published electronically.
  4. Audit procedures and remuneration will be prescribed.
  5. The Controller will set and publicly announce service standards for Certifying Authorities.

28. Controller’s Access to Computers and Data:

(1) The Controller can access any computer system, device, or data if there’s reasonable suspicion of violation of the Act.

(2) The Controller can issue directives to the owner or responsible person for technical cooperation.

(3) The concerned person must comply with the directives.

29. Record Maintenance:

(1) The Controller will maintain records of all certificates issued.

(2) To ensure digital signature security, the Controller will:

  • Use computer security systems,
  • Apply security procedures,
  • Follow prescribed standards.

(3) The Controller will maintain and update a public key database.

(4) The Controller will provide public keys for digital signature verification upon request.

 

Chapter 5:

Provisions Relating to Digital Signature and Certificates

30. Certifying Authority to Issue Certificate:
Only a licensed or recognized Certifying Authority can issue a Digital Signature Certificate.

31. Application for Certificate:
(1) A person seeking a Digital Signature Certificate must apply to the Certifying Authority with the required fee and statements.
(2) The Certifying Authority must decide within one month whether to issue the certificate.
(3) If approved, the certificate will be issued within seven days; if rejected, reasons will be provided within seven days.

32. Suspension of Certificate:
(1) The Certifying Authority may suspend a certificate in the following cases:

  • Upon subscriber’s request,
  • If it contravenes public interest,
  • If it may cause loss to others due to non-compliance with the Act.
(2) Grounds and procedures for suspension will be prescribed.

33. Revocation of Certificate:
(1) The Certifying Authority or Controller may revoke a certificate under these conditions:

  • Upon subscriber’s request,
  • If it contravenes public interest,
  • On the subscriber’s death, insolvency, or dissolution of the company,
  • If the certificate was issued based on incorrect information,
  • If the key used for the certificate was compromised.
(2) Procedures for revocation will be prescribed.

34. Notice of Suspension or Revocation:
(1) When a certificate is suspended or revoked, a public notice will be published and recorded.
(2) The Certifying Authority or Controller must communicate with the subscriber as soon as possible regarding the suspension or revocation.

 

Chapter 6:

Functions, Duties, and Rights of Subscriber

35. Generating Key Pair:
(1) The subscriber must generate the key pair using a secured asymmetric crypto system, as listed in the certificate.
(2) If an agreement exists between the Certifying Authority and the subscriber regarding the security system for key pair generation, the subscriber must follow the agreed security system.

36. Accepting a Certificate:
(1) The certificate is deemed accepted if the subscriber publishes it or authorizes its publication.
(2) By accepting the certificate, the subscriber guarantees:

  • Holding the private key corresponding to the public key,
  • All information provided to the Certifying Authority is true,
  • All information in the certificate is true to the best of the subscriber’s knowledge.

37. Retaining Private Key Securely:
(1) The subscriber must keep the private key secure and prevent unauthorized access.
(2) If the private key is compromised, the subscriber must inform the Certifying Authority immediately, which will suspend the certificate.
(3) The subscriber must keep the private key secure during the suspension of the certificate.

38. Depositing Private Key with the Controller:
(1) The Controller may order the subscriber to deposit the private key if necessary for national security, law and order, or other prescribed reasons.
(2) The Controller must keep the deposited private key confidential and not disclose it to unauthorized persons.

 

Chapter 7:

Electronic Record and Government Use of Digital Signature

Government Documents in Electronic Form:
(1) Government of Nepal can publish documents such as ordinances, Acts, and notifications electronically, with legal validity.
(2) Forms, documents, licenses, payments, etc., can be filed, issued, or made electronically, and their legality will not be denied based on electronic form.

Acceptance of Electronic Documents:
(1) Government agencies, public entities, and financial institutions may accept documents and payments electronically, and they will have legal recognition.
(2) Agencies are not compelled to accept electronic documents unless prescribed by law.

Use of Digital Signature in Government Offices:
(1) The Government may allow digital signatures for verification in place of physical signatures.
(2) Additional security procedures may be prescribed for verifying digital signatures.
(3) Provisions related to Certifying Authorities and Digital Signature Certificates for government use will be prescribed.

 

Chapter 8:

Provisions Relating to Network Service

  • Liability of Network Service Providers:
    • Providers must meet liabilities outlined in agreements, licenses, and other prescribed liabilities.
  • Network Service Provider not Liable:
    • Providers are not liable for third-party content unless they knowingly provide access to illegal content.

Chapter 9:

Offenses Related to Computers

  • Piracy, Destruction, or Alteration of Source Code:
    • Punishment: Up to 3 years imprisonment, fine of up to 200,000 Rupees, or both.
  • Unauthorized Access to Computer Materials:
    • Punishment: Fine of up to 200,000 Rupees, imprisonment up to 3 years, or both.
  • Damage to Computer/Information System:
    • Punishment: Fine up to 2,000 Rupees, imprisonment up to 3 years, or both.
  • Publication of Illegal Materials:
    • Punishment: Fine up to 100,000 Rupees, imprisonment up to 5 years, or both.
  • Divulging Confidentiality:
    • Punishment: Fine up to 10,000 Rupees, imprisonment up to 2 years, or both.
  • False Statements to Obtain License:
    • Punishment: Fine up to 100,000 Rupees, imprisonment up to 2 years, or both.
  • Submission of False Licenses or Certificates:
    • Punishment: Fine up to 100,000 Rupees, imprisonment up to 2 years, or both.
  • Non-Submission of Documents/Statements:
    • Punishment: Fine up to 50,000 Rupees.
  • Computer Fraud:
    • Punishment: Fine up to 100,000 Rupees, imprisonment up to 2 years, or both.
  • Abetment of Computer-related Offenses:
    • Punishment: Fine up to 50,000 Rupees, imprisonment up to 6 months, or both.
  • Accomplice Punishment:
    • Accomplices face half the punishment of the principal offender.
  • Offenses Committed Outside Nepal:
    • Offenders outside Nepal, committing crimes involving Nepalese systems, can be prosecuted.
  • Confiscation:
    • Confiscation of equipment used in committing computer-related offenses.

57. Offenses Committed by a Corporate Body:

  • If a corporate body commits an offense, the person responsible for its operation at the time of the offense will be deemed responsible.
  • The responsible person may avoid liability if they prove the offense occurred without their knowledge or they took reasonable steps to prevent it.
  • If an offense is committed with the consent, knowledge, or negligence of a director, manager, or other responsible person, both the corporate body and the individual will be held liable.

58. Other Punishment:

  • If a violation occurs without a specific penalty provided, the violator may be fined up to 50,000 Rupees, imprisoned for up to 6 months, or both.

59. No Hindrance to Punishment Under Other Laws:

  • If an act is an offense under this Act and another law, both cases can be pursued separately for punishment.

Chapter-10: Provisions Relating to Information Technology Tribunal

60. Constitution of a Tribunal:

  • The Government of Nepal shall establish a three-member Information Technology Tribunal to handle offenses concerning computers.
  • The Tribunal will include members from law, IT, and commerce backgrounds.
  • The Law Member will act as the Chairperson.
  • Any person dissatisfied with the Tribunal's decision can appeal to the Appellate Tribunal within 35 days.

 

 

61. Qualification of Tribunal Members:

  • Law Member: Must have knowledge of IT and be a current judge of a District Court or eligible to be one.
  • IT Member: Must have a master's degree in computer science/IT and at least three years of experience in related fields.
  • Commerce Member: Must have a master's degree in management/commerce, specialization in electronic transactions, and at least three years of relevant experience.

62. Terms of Office, Remuneration, and Conditions of Service:

  • Tribunal members serve for five years and are eligible for reappointment.
  • Remuneration and terms of service are as prescribed.
  • Before assuming office, members must take an oath before the Chief Judge of the Appellate Court.

63. Vacancy and Filling of Vacancy:

  • Vacancies can occur due to term expiration, age (63 years), death, resignation, criminal conviction, or misbehavior/incompetence.
  • A person under inquiry for misbehavior has the right to defend their case.
  • The law member's inquiry will follow prevailing law if they are a sitting judge.
  • Vacancies will be filled according to Section 61 from qualified individuals.

64. Staff of the Tribunal:

  • The Government will provide necessary staff for the Tribunal.
  • Additional staff provisions will be as prescribed.

65. Procedures of the Tribunal:

  • The Tribunal will follow prescribed procedures for initiating proceedings and adjudicating cases.

 

Chapter-11:

Provisions Relating to Information Technology Appellate Tribunal

66. Establishment and Formation of the Appellate Tribunal:

  • The Government will establish a three-member Appellate Tribunal to hear appeals against decisions/orders from the Tribunal or other authorities.
  • The Appellate Tribunal will consist of members from law, IT, and commerce backgrounds, similar to the Tribunal.
  • The Law Member will act as Chairperson.
  • The Appellate Tribunal will exercise jurisdiction as prescribed.

67. Qualification of Appellate Tribunal Members:

  • Law Member: Must have IT knowledge and be a current judge of the Appellate Court or eligible to be one.
  • IT Member: Must hold a master's degree in IT and have at least five years of experience in related fields.
  • Commerce Member: Must hold a master's degree in management/commerce with specialization in electronic transactions and have at least five years of relevant experience.

68. Terms of Office, Remuneration, and Conditions of Service:

  • Appellate Tribunal members serve for five years and are eligible for reappointment.
  • Remuneration and terms of service are as prescribed.
  • Before assuming office, members must take an oath before the Chief Justice of the Supreme Court.

69. Vacancy and Filling of Vacancy:

  • Vacancies in the Appellate Tribunal can occur due to term expiration, age (63 years), death, resignation, criminal conviction, or misbehavior/incompetence.
  • A member charged with misbehavior will be given the opportunity to defend themselves.
  • The law member’s inquiry will follow prevailing law if they are a sitting judge.
  • Vacancies will be filled according to Section 67 from qualified individuals.

70. Staff of the Appellate Tribunal:

  • The Government will provide necessary staff for the Appellate Tribunal.
  • Additional staff provisions will be as prescribed.

71. Procedures of the Appellate Tribunal:

  • The Appellate Tribunal will follow prescribed procedures for initiating proceedings and adjudicating appeals.

Chapter-12: Miscellaneous

72. Provision by Agreement: Parties involved in electronic records can agree not to apply, or to alter, the provisions of Chapter 3 in their business activities.

73. Government Directives: The Government of Nepal can issue directives for implementing this Act, which the Controller or Certifying Authority must follow.

74. Time Limitation to File a Complaint: A complaint for a violation or offence under this Act must be filed within 35 days of the incident.

75. Government as Plaintiff: The Government of Nepal initiates cases under this Act, with assistance from the Controller or experts during investigations.

76. Compensation: Any loss or damage caused by offences under this Act must be compensated by the offender.

77. Exceptions: This Act does not apply to certain documents such as negotiable instruments, deeds related to immovable property, and court documents, but the Government may amend this.

78. Power to Frame Rules: The Government of Nepal can create necessary rules to achieve the objectives of this Act.

79. Directives: The Government can frame and enforce directives to meet the objectives of this Act.

80. Effect of Inoperativeness of the Electronic Transactions Ordinance, 2063 (2008): The inoperativeness of the Ordinance does not revive anything that was not in force, and does not affect existing matters, rights, obligations, penalties, or legal proceedings.

 

