An Ordinance to facilitate the use of electronic transactions for commercial and other purposes, to provide for matters arising from and related to such use, to enable the Postmaster General to provide the services of a certification authority and to provide for connected purposes.
(Enacting provision omitted—E.R. 3 of 2017)
[7 January 2000]
(Format changes—E.R. 3 of 2017)
This Ordinance may be cited as the Electronic Transactions Ordinance.
(Omitted as spent—E.R. 3 of 2017)
In this Ordinance, unless the context otherwise requires—
accept (接受), in relation to a certificate—
(a) in the case of a person named or identified in the certificate as the person to whom the certificate is issued, means to—
(i) confirm the accuracy of the information on the person as contained in the certificate;
(ii) authorize the publication of the certificate to any other person or in a repository;
(iii) use the certificate; or
(iv) otherwise demonstrate the approval of the certificate; or
(b) in the case of a person to be named or identified in the certificate as the person to whom the certificate is issued, means to—
(i) confirm the accuracy of the information on the person that is to be contained in the certificate;
(ii) authorize the publication of the certificate to any other person or in a repository; or
(iii) otherwise demonstrate the approval of the certificate; (Added 14 of 2004 s. 2)
addressee (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary;
asymmetric cryptosystem (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature;
certificate (證書) means a record which—
(a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair;
(b) identifies the certification authority issuing it;
(c) names or identifies the person to whom it is issued;
(d) contains the public key of the person to whom it is issued; and
(e) is signed by the certification authority issuing it; (Amended 14 of 2004 s. 2)
certification authority (核證機關) means a person who issues a certificate to a person (who may be another certification authority);
certification authority disclosure record (核證機關披露紀錄), in relation to a recognized certification authority, means the record maintained under section 31 for that certification authority;
certification practice statement (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates;
code of practice (業務守則) means the code of practice published under section 33; (Amended 14 of 2004 s. 2)
consent (同意), in relation to a person, includes consent that can be reasonably inferred from the conduct of the person; (Added 14 of 2004 s. 2)
correspond (對應), in relation to private or public keys, means to belong to the same key pair;
digital signature (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can determine—
(a) whether the transformation was generated using the private key that corresponds to the signer’s public key; and
(b) whether the initial electronic record has been altered since the transformation was generated;
electronic record (電子紀錄) means a record generated in digital form by an information system, which can be—
(a) transmitted within an information system or from one information system to another; and
(b) stored in an information system or other medium;
electronic signature (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record;
government entity (政府單位) means a public officer or a public body; (Added 14 of 2004 s. 2)
hash function (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that—
(a) a record yields the same hash result every time the algorithm is executed using the same record as input;
(b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and
(c) it is computationally not feasible that 2 records can be found to produce the same hash result using the algorithm;
information (資訊) includes data, text, images, sound codes, computer programmes, software and databases;
information system (資訊系統) means a system which—
(a) processes information;
(b) records information;
(c) can be used to cause information to be recorded, stored or otherwise processed in other information systems (wherever situated); and
(d) can be used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated);
intermediary (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record;
issue (發出), in relation to a certificate, means to—
(a) create the certificate, and then notify the person named or identified in the certificate as the person to whom the certificate is issued of the information on the person as contained in the certificate; or
(b) notify the person to be named or identified in the certificate as the person to whom the certificate is issued of the information on the person that is to be contained in the certificate, and then create the certificate,
and then make the certificate available for use by the person; (Replaced 14 of 2004 s. 2)
key pair (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates;
originator (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary;
Permanent Secretary (常任秘書長) means the Permanent Secretary for Innovation, Technology and Industry; (Added 14 of 2004 s. 2. Amended L.N. 130 of 2007; L.N. 120 of 2015; L.N. 143 of 2022)
Postmaster General (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap. 98);
private key (私人密碼匙) means the key of a key pair used to generate a digital signature;
public key (公開密碼匙) means the key of a key pair used to verify a digital signature;
recognized certificate (認可證書) means—
(a) a certificate recognized under section 22;
(b) a certificate of a type, class or description of certificate recognized under section 22; or
(c) a certificate designated as a recognized certificate issued by the certification authority referred to in section 34;
recognized certification authority (認可核證機關) means a certification authority recognized under section 21 or the certification authority referred to in section 34;
record (紀錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form;
reliance limit (倚據限額) means the monetary limit specified for reliance on a recognized certificate;
repository (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates;
responsible officer (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance;
rule of law (法律規則) means—
(a) an Ordinance;
(b) a rule of common law or a rule of equity; or
(c) customary law;
Secretary (局長) means the Secretary for Innovation, Technology and Industry; (Amended L.N. 106 of 2002; L.N. 130 of 2007; L.N. 120 of 2015; L.N. 143 of 2022)
sign and signature (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record;
subscriber (登記人) means a person (who may be a certification authority) who—
(a) is named or identified in a certificate as the person to whom the certificate is issued;
(b) has accepted that certificate; and
(c) holds a private key which corresponds to a public key listed in that certificate;
trustworthy system (穩當系統) means computer hardware, software and procedures that—
(a) are reasonably secure from intrusion and misuse;
(b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time;
(c) are reasonably suitable for performing their intended function; and
(d) adhere to generally accepted security principles;
verify a digital signature (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to determine that—
(a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and
(b) the electronic record has not been altered since its digital signature was generated,
and any reference to a digital signature being verifiable is to be construed accordingly.
For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer.
(Amended 14 of 2004 s. 2; L.N. 131 of 2004)
(Format changes—E.R. 3 of 2017)
Sections 5, 5A, 6, 7, 8 and 17 do not apply to any— (Amended 14 of 2004 s. 3)
requirement or permission for information to be, or to be given, in writing; (Amended 2 of 2024 s. 3)
requirement or permission for a document to be served on a person; (Added 14 of 2004 s. 3. Amended 2 of 2024 s. 3)
requirement for the signature of a person;
requirement for information to be presented or retained in its original form;
requirement for information to be retained,
under a rule of law in a matter or for an act set out in Schedule 1, unless that rule of law expressly provides otherwise.
This section applies if a provision of this Ordinance applies in relation to a rule of law that requires or permits a document to be served on a person.
A reference to “serve” in the provision is to be construed as including a reference in the rule of law to, as the case requires, any of the following—
“file”, “lodge”, “send”, “give”, “notify”, “serve”, “deliver”, “submit” and “furnish” (including their grammatical variations and cognate expressions);
any other expression that signifies or suggests serving a document on a person.
(Added 2 of 2024 s. 4)
This Ordinance binds the Government.
(Format changes—E.R. 3 of 2017)
If a rule of law requires information to be, or to be given, in writing or provides for certain consequences if it is not, an electronic record satisfies the requirement if the information contained in the electronic record is accessible so as to be usable for subsequent reference.
If a rule of law permits information to be, or to be given, in writing, an electronic record satisfies that rule of law if the information contained in the electronic record is accessible so as to be usable for subsequent reference.
(Amended 2 of 2024 s. 5)
Without limiting section 5, if a provision set out in Schedule 3 requires a document to be served on a person, the provision is to be construed as also providing that service of the document in the form of an electronic record to an information system designated by the person satisfies the requirement under the provision if the information contained in the electronic record is accessible so as to be usable for subsequent reference. (Amended 2 of 2024 s. 6)
Without limiting section 5, if a provision set out in Schedule 3 permits a document to be served on a person, the provision is to be construed as also providing that service of the document in the form of an electronic record to an information system designated by the person is permitted under the provision if the information contained in the electronic record is accessible so as to be usable for subsequent reference. (Amended 2 of 2024 s. 6)
Subsections (1) and (2) apply regardless of whether there is any specification as to the mode of service of a document in the provision. (Added 2 of 2024 s. 6)
For the purposes of subsections (1) and (2), even if the provision requires, or permits, more than one copy of the document to be served on the person, the provision is to be construed as also providing that service of a single copy of the document in such form satisfies the requirement, or is permitted, under the provision. (Added 2 of 2024 s. 6)
(Added 14 of 2004 s. 4)
Where—
a rule of law requires the signature of a person (the first mentioned person) on a document or provides for certain consequences if the document is not signed by the first mentioned person; and
neither the first mentioned person nor the person to whom the signature is to be given (the second mentioned person) is or is acting on behalf of a government entity,
an electronic signature of the first mentioned person satisfies the requirement if—
the first mentioned person uses a method to attach the electronic signature to or logically associate the electronic signature with an electronic record for the purpose of identifying himself and indicating his authentication or approval of the information contained in the document in the form of the electronic record;
having regard to all the relevant circumstances, the method used is reliable, and is appropriate, for the purpose for which the information contained in the document is communicated; and
the second mentioned person consents to the use of the method by the first mentioned person. (Replaced 14 of 2004 s. 5)
Where—
a rule of law requires the signature of a person on a document or provides for certain consequences if the document is not signed by the person; and
either or both of the person mentioned in paragraph (a) and the person to whom the signature is to be given is or are or is or are acting on behalf of a government entity or government entities,
a digital signature of the person mentioned in paragraph (a) satisfies the requirement if the digital signature is—
supported by a recognized certificate;
generated within the validity of that certificate; and
used in accordance with the terms of that certificate. (Added 14 of 2004 s. 5)
Where a rule of law requires that certain information be presented or retained in its original form, the requirement is satisfied by presenting or retaining the information in the form of electronic records if—
there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form; and
where it is required that information be presented, the information is capable of being displayed in a legible form to the person to whom it is to be presented.
For the purposes of subsection (1)(a)—
the criterion for assessing the integrity of the information is whether the information has remained complete and unaltered, apart from the addition of any endorsement or any change which arises in the normal course of communication, storage or display; and
the standard for reliability of the assurance is to be assessed having regard to the purpose for which the information was generated and all the other relevant circumstances.
This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being presented or retained in its original form.
Where a rule of law requires certain information to be retained, whether in writing or otherwise, the requirement is satisfied by retaining electronic records, if—
the information contained in the electronic record remains accessible so as to be usable for subsequent reference;
the relevant electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and
the information which enables the identification of the origin and destination of the electronic record and the date and time when it was sent or received, is retained.
This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being retained.
Without prejudice to any rules of evidence, an electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record.
This Part is to be construed subject to Part IV.
(Amended 14 of 2004 s. 6)
(Format changes—E.R. 3 of 2017)
The Permanent Secretary may by order published in the Gazette exclude an Ordinance or a particular requirement or permission in an Ordinance or a class or description of requirements or permissions in an Ordinance, to which this Ordinance would otherwise apply, from the application of section 5, 6, 7 or 8. (Amended 14 of 2004 s. 7)
The Permanent Secretary may, in relation to an Ordinance to which section 5, 5A, 6, 7 or 8 applies, specify by notice published in the Gazette— (Amended 14 of 2004 s. 7)
the manner and format in which information in the form of an electronic record is to be given, presented or retained or a document in the form of an electronic record is to be served for the purposes of that Ordinance or a particular requirement or permission in that Ordinance or a class or description of requirements or permissions in that Ordinance; and (Amended 14 of 2004 s. 7)
the procedure and criteria for verification of the receipt of that information and for ensuring the integrity and confidentiality of the information.
The Permanent Secretary may specify different requirements under subsection (2)(a) or (b) in relation to persons or cases of different classes or descriptions. (Amended 14 of 2004 s. 7)
An order under subsection (1) is subsidiary legislation.
A notice under subsection (2) is not subsidiary legislation.
If the Permanent Secretary has specified any requirement under section 11(2) in relation to an Ordinance, the information given, presented or retained, the document served or the signature made, as the case may require, for the purpose of that Ordinance does not satisfy that Ordinance unless it complies with the specified requirements.
(Amended 14 of 2004 s. 8)
Section 5, 5A, 6, 7 or 8 does not apply in relation to information given, presented or retained, documents served or signatures required for the purposes of any proceedings set out in Schedule 2, unless any rule of law relating to those proceedings provides for its application.
Subsection (1) is not to be construed as affecting any provision in a rule of law referred to in that subsection, requiring or permitting, otherwise than by reference to this Ordinance, the use of electronic records or electronic signatures for the purposes of the proceedings to which the rule of law relates.
Any authority given by a rule of law to make rules (however described) for the purpose of any proceedings set out in Schedule 2 is to be construed as including a power to provide for—
the application of section 5, 5A, 6, 7 or 8; and
the specification of the matters referred to in section 11(2)(a) and (b), by subsidiary legislation or otherwise, consequent to such application.
(Amended 14 of 2004 s. 9)
If an Ordinance requires or permits giving, presenting or retaining information in the form of an electronic record or the authentication of information by an electronic signature for the purposes of that Ordinance, but contains an express provision which—
specifies requirements, procedures or other specifications for that purpose;
requires the use of a specified service; or
confers a discretion on a person whether or when to accept electronic records or electronic signatures for that purpose,
section 5, 6, 7 or 8 is not to be construed as affecting that express provision.
If an Ordinance requires information to be given by a person to another and neither person is or is acting on behalf of a government entity, section 5(1) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record.
If an Ordinance permits information to be given by a person to another and neither person is or is acting on behalf of a government entity, section 5(2) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record.
If an Ordinance requires a document to be served by a person on another and neither person is or is acting on behalf of a government entity, section 5A(1) applies only if the person on whom the document is to be served consents to it being served in the form of an electronic record. (Added 14 of 2004 s. 10. Amended 2 of 2024 s. 7)
If an Ordinance permits a document to be served by a person on another and neither person is or is acting on behalf of a government entity, section 5A(2) applies only if the person on whom the document is to be served consents to it being served in the form of an electronic record. (Added 14 of 2004 s. 10. Amended 2 of 2024 s. 7)
(Repealed 14 of 2004 s. 10)
If an Ordinance requires information to be presented in its original form and neither the person presenting it nor the person to whom it is to be presented (the second mentioned person) is or is acting on behalf of a government entity, section 7(1) applies only if the second mentioned person consents to it being presented in the form of an electronic record.
(Repealed 14 of 2004 s. 10)
If the effect of section 5 on a requirement or permission in an Ordinance for information to be, or to be given, in writing (requirement for writing) is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for writing) cannot be complied with due to the operation of that section, section 5 does not apply to the requirement for writing. (Amended 2 of 2024 s. 8)
If the effect of section 6 on a requirement in an Ordinance for the signature of a person is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for the signature of a person) cannot be complied with due to the operation of that section, section 6 does not apply to the requirement for the signature of a person.
If the effect of section 7 on a requirement in an Ordinance for information to be presented or retained in its original form (requirement for original form) is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for original form) cannot be complied with due to the operation of that section, section 7 does not apply to the requirement for original form.
If the effect of section 8 on a requirement in an Ordinance for information to be retained (requirement for retention) is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for retention) cannot be complied with due to the operation of that section, section 8 does not apply to the requirement for retention.
(Format changes—E.R. 3 of 2017)
For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records.
Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose.
For the avoidance of doubt, it is declared that in the context of the formation of contracts, if an offer or the acceptance of an offer is in whole or in part expressed by means of an electronic record, an electronic signature attached to or logically associated with the electronic record shall not be denied legal effect on the sole ground that it is an electronic signature. (Added 14 of 2004 s. 11)
For the avoidance of doubt, it is stated that this section does not affect any rule of common law to the effect that the offeror may prescribe the method of communicating acceptance.
(Format changes—E.R. 3 of 2017)
Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is that of the originator if it was—
sent by the originator;
sent with the authority of the originator; or
sent by an information system programmed by or on behalf of the originator to operate and to send the electronic record automatically.
Nothing in subsection (1) is to affect the law of agency or the law on the formation of contracts.
Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is sent when it is accepted by an information system outside the control of the originator or of the person who sent the electronic record on behalf of the originator.
Unless otherwise agreed between the originator and the addressee of an electronic record, the time of receipt of an electronic record is determined as follows—
if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs—
at the time when the electronic record is accepted by the designated information system; or
if the electronic record is sent to an information system of the addressee that is not the designated information system, at the time when the electronic record comes to the knowledge of the addressee;
if the addressee has not designated an information system, receipt occurs when the electronic record comes to the knowledge of the addressee.
Subsections (1) and (2) apply notwithstanding that the place where the information system is located is different from the place where the electronic record is taken to have been sent or received under subsection (4).
Unless otherwise agreed between the originator and the addressee, an electronic record is taken to have been—
sent at the place of business of the originator; and
received at the place of business of the addressee.
For the purposes of subsection (4)—
if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction, or where there is no underlying transaction, the principal place of business of the originator or the addressee, as the case may be;
if the originator or the addressee does not have a place of business, the place of business is the place where the originator or the addressee ordinarily resides.
Where the originator and the addressee are in different time zones, time refers to Universal Standard Time.
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Format changes—E.R. 3 of 2017)
(Amended L.N. 101 of 2024)
A certification authority may apply to the Commissioner for Digital Policy to become a recognized certification authority for the purposes of this Ordinance. (Amended L.N. 101 of 2024)
Subject to subsection (4) and section 21(3), an application under subsection (1) must be made in the prescribed manner and in a form specified by the Commissioner for Digital Policy and the applicant must pay the prescribed fee in respect of the application. (Amended L.N. 101 of 2024)
An applicant must furnish to the Commissioner for Digital Policy— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
the relevant particulars and documents specified under section 30; (Amended 14 of 2004 s. 12)
a report which—
contains an assessment as to whether the applicant is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a person approved by the Commissioner for Digital Policy as being qualified to make such a report; and (Replaced 14 of 2004 s. 12. Amended L.N. 101 of 2024)
a statutory declaration which—
states whether the applicant is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a responsible officer of the applicant. (Added 14 of 2004 s. 12)
Any report or statutory declaration required to be furnished under subsection (3) must be made at the expense of the applicant. (Added 14 of 2004 s. 12)
The Commissioner for Digital Policy may waive— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
the requirements as to manner and form of making the application in subsection (2); or
the requirement of a report or statutory declaration under subsection (3), (Amended 14 of 2004 s. 12)
in relation to a certification authority, in the circumstances specified in subsection (5).
The Commissioner for Digital Policy may waive the requirements referred to in subsection (4) only if— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
the applicant is a certification authority with a status in a place outside Hong Kong comparable to that of a recognized certification authority (comparable status); and
the competent authority of that place accords to a recognized certification authority a comparable status on the basis of it being a recognized certification authority.
(Amended L.N. 131 of 2004)
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy may— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
recognize an applicant under section 20 as a recognized certification authority if the Commissioner for Digital Policy is satisfied that the applicant is suitable for such recognition; or (Amended L.N. 131 of 2004; L.N. 101 of 2024)
refuse the application for recognition.
The Commissioner for Digital Policy must give reasons in writing to the applicant for refusing an application under subsection (1)(b). (Amended L.N. 131 of 2004; L.N. 101 of 2024)
The Commissioner for Digital Policy may, in recognizing a certification authority referred to in section 20(4), waive the whole or part of the prescribed fee as the Commissioner for Digital Policy may decide in relation to a particular case. (Amended L.N. 131 of 2004; L.N. 101 of 2024)
In determining whether an applicant is suitable for recognition under subsection (1), the Commissioner for Digital Policy shall, in addition to any other matter the Commissioner for Digital Policy considers relevant, take into account the following— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
whether the applicant has the appropriate financial status for operating as a recognized certification authority in accordance with this Ordinance and the code of practice;
the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of this Ordinance;
the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers;
any report or statutory declaration furnished by the applicant under section 20(3); (Replaced 14 of 2004 s. 13)
whether the applicant and the responsible officers are fit and proper persons; and
the reliance limits set or proposed to be set by the applicant for its certificates.
In determining whether a person referred to in subsection (4)(e) is a fit and proper person, the Commissioner for Digital Policy shall, in addition to any other matter the Commissioner for Digital Policy considers relevant, have regard to the following— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
the fact that the person has a conviction in Hong Kong or elsewhere for an offence for which it was necessary to find that the person had acted fraudulently, corruptly or dishonestly;
the fact that the person has been convicted of an offence against this Ordinance;
if the person is an individual, the fact that the person is an undischarged bankrupt or has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap. 6) within the 5 years preceding the date of the application; and
if the person is a body corporate, the fact that the person is in liquidation, is the subject of a winding-up order or there is a receiver appointed in relation to it or it has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap. 6) within the 5 years preceding the date of the application.
In recognizing a certification authority under subsection (1), the Commissioner for Digital Policy may— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
attach conditions to the recognition; or
specify a period of validity for the recognition.
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy may recognize certificates issued by a recognized certification authority as recognized certificates, upon application by that authority.
An applicant under subsection (1) must make the application in the prescribed manner and in a form specified by the Commissioner for Digital Policy and furnish to the Commissioner for Digital Policy the relevant particulars and documents specified under section 30.
A recognition under subsection (1) may relate to—
all certificates issued by the recognized certification authority;
certificates of a type, class or description; or
particular certificates.
An applicant must pay the prescribed fee (if any) in respect of an application under subsection (1) unless the Commissioner for Digital Policy waives it in whole or in part.
In recognizing certificates under this section, the Commissioner for Digital Policy shall in addition to any other matter the Commissioner for Digital Policy considers relevant take into account the following— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
whether the certificates are issued in accordance with the certification practice statement;
whether the certificates are issued in accordance with the code of practice;
the reliance limit set or proposed to be set for that type, class or description or the particular certificate, as the case may require; and
the arrangements put in place or proposed to be put in place by the certification authority to cover any liability that may arise from the issue of that type, class or description or the particular certificate, as the case may be.
The Commissioner for Digital Policy may refuse an application under subsection (1).
The Commissioner for Digital Policy must give reasons in writing to the applicant for refusing an application under subsection (6).
The Commissioner for Digital Policy may specify a period of validity for a recognition under this section.
The Commissioner for Digital Policy may upon application renew a recognition under this section.
Subsections (2), (3), (4), (5), (6), (7) and (8) apply to a renewal under subsection (9) as they apply to an application for recognition, subject to necessary modifications. (Amended 14 of 2004 s. 14)
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy may revoke a recognition granted under section 21 or 22 or renewed under section 22 or 27.
Before revoking a recognition, the Commissioner for Digital Policy must give the certification authority a notice of intention to revoke the recognition specifying the reasons for the intended revocation.
In a notice under subsection (2), the Commissioner for Digital Policy must invite the certification authority to make representations as to why the recognition should not be revoked and specify a period for making the representations.
If the Commissioner for Digital Policy decides to revoke a recognition, the Commissioner for Digital Policy must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made.
A revocation of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate.
Subject to subsection (7), a revocation takes effect on the expiry of 7 days from the date on which the decision to revoke the recognition is made.
If the certification authority appeals under section 28 against the revocation, the revocation does not take effect until the expiry of 7 days from the date on which the Secretary confirms the revocation on appeal.
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy may suspend a recognition granted under section 21 or 22 or renewed under section 22 or 27 for a period not exceeding 14 days. (Amended L.N. 131 of 2004; L.N. 101 of 2024)
If the Commissioner for Digital Policy decides to suspend a recognition, the Commissioner for Digital Policy must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made. (Amended L.N. 131 of 2004; L.N. 101 of 2024)
A suspension of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate.
Subject to subsection (5), a suspension takes effect on the expiry of 7 days from the date on which the decision to suspend the recognition is made.
If the certification authority appeals under section 28 against the suspension, the suspension does not take effect until the expiry of 7 days from the date on which the Secretary confirms the suspension on appeal.
If the period of suspension expires during the validity of a recognition and the recognition is not revoked, the recognition is taken to be reinstated.
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy may, in revoking or suspending a recognition under section 23 or 24, in addition to any other matter that the Commissioner for Digital Policy considers relevant, take into account the following— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
any matter set out in section 21(4);
whether the certification authority has failed—
to operate in accordance with the certification practice statement;
to comply with the code of practice;
to use a trustworthy system; or
to comply with any provision of this Ordinance; and
any report or statutory declaration furnished by the certification authority under section 43(1) or 43A(1). (Replaced 14 of 2004 s. 15)
Where the revocation or suspension of a recognition of a certification authority has taken effect or the period of validity of a recognition specified under section 21(6)(b) has expired, the provisions of this Ordinance relating to—
a recognized certification authority do not apply to that certification authority;
recognized certificates issued by a recognized certification authority do not apply to the certificates issued by that certification authority; and
digital signatures supported by a recognized certificate issued by a recognized certification authority do not apply to the digital signatures supported by the certificates issued by that certification authority.
Where the revocation or suspension of the recognition of a recognized certificate has taken effect, the provisions of this Ordinance relating to a recognized certificate or digital signatures supported by a recognized certificate do not apply to—
the certificate of which the recognition is revoked or suspended;
any certificate of the type, class or description of certificate the recognition of which is revoked or suspended;
digital signatures supported by that certificate or a certificate of that type, class or description,
as the case may be.
Where the validity of a recognized certificate or the period of validity of a recognition specified under section 22(8) has expired, the provisions of this Ordinance relating to recognized certificates issued by a recognized certification authority and digital signatures supported by a recognized certificate issued by a recognized certification authority do not apply to the certificate and the digital signatures supported by the certificate.
The revocation or suspension of the recognition of a certification authority does not affect the valid use of a recognized certificate issued by that certification authority before the revocation or suspension took effect or after the reinstatement of the recognition.
The revocation or suspension of the recognition of a certificate does not affect the valid use of the certificate concerned before the revocation or suspension took effect or after the reinstatement of the recognition.
The expiry of the period of validity of the recognition of a certificate specified under section 22(8) or the expiry of the period of validity of a recognized certificate does not affect the valid use of the certificate concerned before the expiry of the period of validity of the recognition or the certificate, as the case may be.
The expiry of the period of validity of the recognition of a certification authority specified under section 21(6)(b) does not affect the valid use of a recognized certificate issued by that certification authority during the period of validity of its recognition.
(Amended L.N. 101 of 2024)
A certification authority recognized under section 21 may apply to the Commissioner for Digital Policy for renewal of a recognition.
An application for renewal must be made at least 30 days before but not earlier than 60 days before the expiry of the period of validity of the recognition.
An application for renewal must be sent to the Commissioner for Digital Policy as an electronic record or delivered by hand to the Commissioner for Digital Policy or left at the office of the Commissioner for Digital Policy during the ordinary business hours of that office.
Subject to subsections (2), (3) and (6), an application for renewal must be made in the prescribed manner and in a form specified by the Commissioner for Digital Policy. (Amended 14 of 2004 s. 16)
Subject to subsection (6), an applicant must pay the prescribed fee in respect of an application for renewal.
An applicant must furnish to the Commissioner for Digital Policy— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
the relevant particulars and documents specified under section 30;
a report which—
contains an assessment as to whether the applicant is and is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a person approved by the Commissioner for Digital Policy as being qualified to make such a report; and
a statutory declaration which—
states whether the applicant is and is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a responsible officer of the applicant. (Added 14 of 2004 s. 16)
Any report or statutory declaration required to be furnished under subsection (5A) must be made at the expense of the applicant. (Added 14 of 2004 s. 16)
The Commissioner for Digital Policy may, in the circumstances specified in section 20(5), waive the requirements in subsection (4) or (5A) or the whole or part of the prescribed fee as the Commissioner for Digital Policy may decide in relation to a particular case. (Amended 14 of 2004 s. 16)
In determining an application for renewal, the Commissioner for Digital Policy shall, in addition to any other matter the Commissioner for Digital Policy considers relevant, take into account— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
any matter set out in section 21(4)(a), (b), (c), (e) or (f) which applies to the application for renewal as it applies to an application for recognition, subject to necessary modifications; and
any report or statutory declaration furnished by the applicant under subsection (5A). (Added 14 of 2004 s. 16)
Where—
an applicant has furnished to the Commissioner for Digital Policy a report for the purpose of complying with the requirements referred to in section 43(1)(a) or 43A(1)(c); and
the Commissioner for Digital Policy considers that had the report been furnished for the purpose of complying with the requirements referred to in subsection (5A)(b), it would have satisfied those requirements,
the Commissioner for Digital Policy may accept the report, and the report shall, for all purposes, be regarded as a report that is furnished under subsection (5A)(b) and that satisfies the requirements referred to in that subsection. (Added 14 of 2004 s. 16)
Where—
an applicant has furnished to the Commissioner for Digital Policy a statutory declaration for the purpose of complying with the requirements referred to in section 43(1)(b) or 43A(1)(d); and
the Commissioner for Digital Policy considers that had the statutory declaration been furnished for the purpose of complying with the requirements referred to in subsection (5A)(c), it would have satisfied those requirements,
the Commissioner for Digital Policy may accept the statutory declaration, and the statutory declaration shall, for all purposes, be regarded as a statutory declaration that is furnished under subsection (5A)(c) and that satisfies the requirements referred to in that subsection. (Added 14 of 2004 s. 16)
In renewing the recognition of a certification authority, the Commissioner for Digital Policy may— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
attach conditions to the renewal of the recognition; or
specify a period of validity for the renewed recognition. (Replaced 14 of 2004 s. 16)
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Amended L.N. 101 of 2024)
A certification authority aggrieved by a decision of the Commissioner for Digital Policy— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
refusing an application for recognition under section 21 or 22;
refusing an application for renewal of a recognition under section 22 or 27; or
revoking or suspending a recognition under section 23 or 24,
may appeal to the Secretary against the decision within 7 days from the date on which the relevant decision is made.
An appeal under subsection (1) must be commenced by sending a notice of appeal to the Secretary as an electronic record or delivering the notice by hand to the Secretary or leaving the notice at the office of the Secretary during the ordinary business hours of that office.
A certification authority who appeals to the Secretary under this section must also give notice of the appeal to the Commissioner for Digital Policy as soon as practicable. (Amended L.N. 131 of 2004; L.N. 101 of 2024)
On appeal under subsection (1), the Secretary may confirm, vary or reverse the decision of the Commissioner for Digital Policy. (Amended L.N. 131 of 2004; L.N. 101 of 2024)
The Secretary must give the appellant notice of the decision on appeal, together with reasons—
by sending it to the appellant as an electronic record; or
by sending it by post or registered post to the last known address of the appellant.
If in a particular case it is not reasonably practicable to give the notice of the decision on appeal by either of the means specified in subsection (5), the notice is taken to have been given if the Secretary publishes it in the certification authority disclosure record maintained under section 31 for the appellant.
(Amended L.N. 101 of 2024)
A notice or other document the Commissioner for Digital Policy is required to give to a certification authority under this Part is taken to have been given if it is— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
sent to the certification authority as an electronic record; or
sent by post or registered post to the last known address of the certification authority.
If in a particular case it is not reasonably practicable to give a notice or other document under this Part by either of the means specified in subsection (1), the notice or document is taken to have been given if the Commissioner for Digital Policy publishes it in the relevant certification authority disclosure record. (Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy must specify by notice published in the Gazette any particulars and documents to be furnished under sections 20(3)(a), 22(2) and (10) and 27(5A). (Amended 14 of 2004 s. 17; L.N. 131 of 2004; L.N. 101 of 2024)
A notice under subsection (1) is not subsidiary legislation.
(Format changes—E.R. 3 of 2017)
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy must maintain for each recognized certification authority an on-line and publicly accessible record.
The Commissioner for Digital Policy must publish in the certification authority disclosure record information regarding that certification authority relevant for the purposes of this Ordinance (in addition to the information required to be given in it under other provisions of this Ordinance).
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy must give notice in the relevant certification authority disclosure record, immediately— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
when the Commissioner for Digital Policy makes a decision to revoke a recognition under section 23(4);
when a revocation has taken effect under section 23(6) or (7);
when the Commissioner for Digital Policy makes a decision to suspend a recognition under section 24(2);
when a suspension has taken effect under section 24(4) or (5);
when the recognition of a suspended recognition is reinstated;
when the Commissioner for Digital Policy receives a notice of appeal under section 28(3); or
on becoming aware that the Secretary has confirmed, varied or reversed the decision of the Commissioner for Digital Policy to revoke or suspend a recognition.
Where the revocation or suspension of a recognition has taken effect, the Commissioner for Digital Policy must, as soon as practicable, give notice of the revocation or suspension for at least 3 consecutive days in one English language daily newspaper and one Chinese language daily newspaper in circulation in Hong Kong.
If a recognized certification authority does not apply for renewal before the end of the period during which an application for renewal can be made under section 27(2), the Commissioner for Digital Policy must, at least 21 days before the expiry of the period of validity of the recognition, give notice— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
for at least 3 consecutive days in one English language daily newspaper and one Chinese language daily newspaper in circulation in Hong Kong; and
in the certification authority disclosure record maintained for the certification authority,
of the date of the expiry of the validity and that the certification authority has not applied for renewal.
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Amended L.N. 101 of 2024)
The Commissioner for Digital Policy may publish in the Gazette a code of practice— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
specifying standards and procedures for carrying out the functions of recognized certification authorities;
specifying the provisions of this Ordinance and of the code of practice for the purposes of—
section 20(3)(b)(i) and (c)(i);
section 27(5A)(b)(i) and (c)(i);
section 43(1)(a)(i) and (b)(i); and
section 43A(1)(c)(i) and (d)(i).
The code of practice published under subsection (1) may make different provisions for different circumstances and provide for different cases or classes of cases.
The Commissioner for Digital Policy may from time to time amend the whole or any part of the code of practice published under subsection (1) in a manner consistent with the power to publish the code under subsection (1), and any reference in this Ordinance to the code shall, unless the context otherwise requires, be construed as a reference to the code as so amended. (Amended L.N. 131 of 2004; L.N. 101 of 2024)
Any code of practice published under subsection (1) is not subsidiary legislation.
(Replaced 14 of 2004 s. 18)
(Format changes—E.R. 3 of 2017)
The Postmaster General is a recognized certification authority for the purposes of this Ordinance.
Part VII does not apply to the Postmaster General as a certification authority.
For the purposes of section 34, the Postmaster General may by himself or by the officers of the Post Office—
perform the functions and provide the services of a certification authority and services incidental or related to the functions or services of a certification authority; and
do anything that is necessary or expedient for the purposes of paragraph (a) and for complying with any provision of this Ordinance relating to a recognized certification authority.
The Postmaster General may determine and charge fees for providing the services of a certification authority or services incidental or related to the functions or services of a certification authority.
The fees determined and charged under subsection (2) shall not be limited by reference to the administrative or other costs incurred or likely to be incurred or recovery of expenditure in the provision of the services of a certification authority or services incidental or related to the functions or services of a certification authority.
The Postmaster General may give particulars of any fees determined under subsection (2) in such manner as the Postmaster General thinks fit.
(Format changes—E.R. 3 of 2017)
Where a person named or identified, or to be named or identified, in a recognized certificate as the person to whom the certificate is issued—
accepts the certificate, the recognized certification authority concerned must publish the certificate in a repository as soon as reasonably practicable after it issues the certificate;
does not accept the certificate, the recognized certification authority concerned must not publish the certificate.
(Replaced 14 of 2004 s. 19)
A recognized certification authority must use a trustworthy system in performing its services—
to issue, revoke or suspend a recognized certificate; or
to publish in a repository or give notice of the issue, revocation or suspension of a recognized certificate.
(Amended 14 of 2004 s. 20)
It shall be presumed, unless there is evidence to the contrary, that the information contained in a recognized certificate issued by a recognized certification authority (except information identified as subscriber’s information which has not been verified by the recognized certification authority) is correct if the certificate was published in a repository.
By issuing a recognized certificate, a recognized certification authority represents to any person who reasonably relies on the information contained in the certificate or a digital signature verifiable by the public key listed in the certificate, that the recognized certification authority has issued the certificate in accordance with any applicable certification practice statement incorporated by reference in the certificate, or of which the relying person has notice.
By publishing a recognized certificate, a recognized certification authority represents to any person who reasonably relies on the information contained in the certificate, that the recognized certification authority has issued the certificate to the subscriber concerned.
A recognized certification authority may, in issuing a recognized certificate, specify a reliance limit in the certificate.
The recognized certification authority may specify different limits in different recognized certificates or in different types, classes or description of certificates.
Unless a recognized certification authority waives the application of this subsection, the recognized certification authority is not liable for any loss caused by reliance on a false or forged digital signature of a subscriber supported by a recognized certificate issued by that certification authority, if the recognized certification authority has complied with the requirements of this Ordinance and the code of practice with respect to that certificate.
Unless a recognized certification authority waives the application of this subsection, the recognized certification authority is not liable in excess of the amount specified in the certificate as its reliance limit, for a loss caused by reliance on any information—
that the recognized certification authority is required to confirm according to the certification practice statement and the code of practice; and
which is misrepresented on that recognized certificate or in a repository,
if the recognized certification authority has, in relation to that certificate, complied with the requirements of this Ordinance and the code of practice.
The limitation of liability under subsection (2) does not apply if the fact was misrepresented due to the negligence of the recognized certification authority or it was intentionally or recklessly misrepresented by the recognized certification authority.
At least once in every 12 months, a recognized certification authority must furnish to the Commissioner for Digital Policy— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
a report which—
contains an assessment as to whether the certification authority has, from the specified date until the last day of the period to which the report relates, complied with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a person approved by the Commissioner for Digital Policy as being qualified to make such a report; and
a statutory declaration which—
states whether the certification authority has, from the specified date until the last day of the period to which the statutory declaration relates, complied with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a responsible officer of the certification authority. (Replaced 14 of 2004 s. 21)
Any report or statutory declaration required to be furnished under subsection (1) must be made at the expense of the certification authority. (Replaced 14 of 2004 s. 21)
The Commissioner for Digital Policy must publish in the certification authority disclosure record for the certification authority the respective dates of the report and statutory declaration and the material information in the report and statutory declaration. (Amended 14 of 2004 s. 21)
Where—
the certification authority has furnished to the Commissioner for Digital Policy a report for the purpose of complying with the requirements referred to in section 27(5A)(b) or 43A(1)(c); and
the Commissioner for Digital Policy considers that had the report been furnished for the purpose of complying with the requirements referred to in subsection (1)(a), it would have satisfied those requirements,
the Commissioner for Digital Policy may accept the report, and the report shall, for all purposes, be regarded as a report that is furnished under subsection (1)(a) and that satisfies the requirements referred to in that subsection. (Added 14 of 2004 s. 21)
Where—
the certification authority has furnished to the Commissioner for Digital Policy a statutory declaration for the purpose of complying with the requirements referred to in section 27(5A)(c) or 43A(1)(d); and
the Commissioner for Digital Policy considers that had the statutory declaration been furnished for the purpose of complying with the requirements referred to in subsection (1)(b), it would have satisfied those requirements,
the Commissioner for Digital Policy may accept the statutory declaration, and the statutory declaration shall, for all purposes, be regarded as a statutory declaration that is furnished under subsection (1)(b) and that satisfies the requirements referred to in that subsection. (Added 14 of 2004 s. 21)
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
(Amended L.N. 101 of 2024)
Where the Commissioner for Digital Policy considers that there have been or will be— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
major changes in—
the financial status of a recognized certification authority for operating as such in accordance with this Ordinance and the code of practice;
the arrangements put in place by a recognized certification authority to cover any liability that may arise from its activities relevant for the purposes of this Ordinance; or
the system, procedure, security arrangements and standards used by a recognized certification authority to issue recognized certificates; or
any other major changes that may affect the determination of the Commissioner for Digital Policy as to whether to— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
revoke under section 23(1) the recognition of any certification authority or the recognition of any certificate issued by a recognized certification authority; or
suspend under section 24(1) the recognition of any certification authority or the recognition of any certificate issued by a recognized certification authority,
the Commissioner for Digital Policy may, by notice given to the certification authority, specify the major changes and require the certification authority to furnish to the Commissioner for Digital Policy within the period specified in such notice all or any of the following— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
a report which—
contains an assessment as to—
whether, having regard to the major changes that have occurred, the certification authority is and is capable of complying;
whether, having regard to the major changes that will occur, the certification authority is capable of complying,
with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a person approved by the Commissioner for Digital Policy as being qualified to make such a report; and
a statutory declaration which—
states—
whether, having regard to the major changes that have occurred, the certification authority is and is capable of complying;
whether, having regard to the major changes that will occur, the certification authority is capable of complying,
with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and
is made by a responsible officer of the certification authority.
Any report or statutory declaration required to be furnished under subsection (1) must be made at the expense of the certification authority.
The Commissioner for Digital Policy must publish in the certification authority disclosure record for the certification authority the date of any of the report and statutory declaration and the material information in any of the report and statutory declaration.
Where—
the certification authority has furnished to the Commissioner for Digital Policy a report for the purpose of complying with the requirements referred to in section 27(5A)(b) or 43(1)(a); and
the Commissioner for Digital Policy considers that had the report been furnished for the purpose of complying with the requirements referred to in subsection (1)(c), it would have satisfied those requirements,
the Commissioner for Digital Policy may accept the report, and the report shall, for all purposes, be regarded as a report that is furnished under subsection (1)(c) and that satisfies the requirements referred to in that subsection.
Where—
the certification authority has furnished to the Commissioner for Digital Policy a statutory declaration for the purpose of complying with the requirements referred to in section 27(5A)(c) or 43(1)(b); and
the Commissioner for Digital Policy considers that had the statutory declaration been furnished for the purpose of complying with the requirements referred to in subsection (1)(d), it would have satisfied those requirements,
the Commissioner for Digital Policy may accept the statutory declaration, and the statutory declaration shall, for all purposes, be regarded as a statutory declaration that is furnished under subsection (1)(d) and that satisfies the requirements referred to in that subsection.
A notice under subsection (1) is taken to have been given by the Commissioner for Digital Policy to a recognized certification authority if it is— (Amended L.N. 131 of 2004; L.N. 101 of 2024)
sent to the certification authority as an electronic record; or
sent by post or registered post to the last known address of the certification authority.
If in a particular case it is not reasonably practicable to give a notice under subsection (1) by either of the means specified in subsection (6), the notice is taken to have been given if the Commissioner for Digital Policy publishes it in the relevant certification authority disclosure record.
(Added 14 of 2004 s. 22. Amended L.N. 131 of 2004; L.N. 101 of 2024)
A recognized certification authority must issue and maintain an up to date certification practice statement and notify the Commissioner for Digital Policy of changes to the practices of the certification authority as set out in that statement.
(Amended L.N. 131 of 2004; L.N. 101 of 2024)
A recognized certification authority must maintain or cause to be maintained an on-line and publicly accessible repository.
The Commissioner for Digital Policy must publish in the Gazette a list of the repositories maintained under subsection (1). (Amended L.N. 131 of 2004; L.N. 101 of 2024)
Any list of repositories published under subsection (2) is not subsidiary legislation. (Added 14 of 2004 s. 23)
(Format changes—E.R. 3 of 2017)
Subject to subsection (2), a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Ordinance shall not disclose or permit or suffer to be disclosed any information relating to another person as contained in such record, book, register, correspondence, information, document or other material to any other person. (Amended 14 of 2004 s. 24)
Subsection (1) does not apply to disclosure—
which is necessary for performing or assisting in the performance of a function under or for the purposes of this Ordinance;
for the purpose of any criminal proceedings in Hong Kong;
for the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding in Hong Kong; or
under the direction or order of a magistrate or court.
A person who contravenes subsection (1) commits an offence and is liable to a fine at level 6 and in the case of an individual also to imprisonment for 6 months.
A person who knowingly or recklessly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Ordinance which is untrue, inaccurate or misleading commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.
A person who makes a false claim that a person is a recognized certification authority commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.
(Format changes—E.R. 3 of 2017)
The Secretary may make regulations for all or any of the following—
to prescribe the manner of applying to the Commissioner for Digital Policy for recognition or renewal of recognition as a recognized certification authority or for recognition or renewal of recognition of certificates and the manner of recognition; (Amended L.N. 131 of 2004; L.N. 101 of 2024)
to prescribe the fees payable in respect of applications for the recognition of certification authorities, the recognition of certificates or the renewal of such recognition;
to prescribe the form of certification practice statements;
to provide for the manner of appealing against a decision of the Commissioner for Digital Policy and the procedure for determining appeals; (Amended L.N. 131 of 2004; L.N. 101 of 2024)
to provide for such other matters as are necessary or expedient to give effect to the provisions of this Ordinance.
The Secretary may by order published in the Gazette amend Schedules 1, 2 and 3.
(Amended 14 of 2004 s. 25)
No liability is incurred by the Government or a public officer by reason only of the fact that a recognition is granted, renewed, revoked, suspended or reinstated under Part VII.
Without prejudice to subsection (1), no civil liability is incurred by a public officer in respect of anything done or omitted to be done by the public officer in good faith in the performance or purported performance of any function under a Part other than Part VII.
The protection conferred under subsection (2) does not in any way affect the liability, if any, of the Government for the act or omission of the public officer in the performance or purported performance of the relevant function.
(Amended 14 of 2004 s. 26)
(Format changes—E.R. 1 of 2013)
The creation, execution, variation, revocation, revival or rectification of a will, codicil or any other testamentary document.
The creation, execution, variation or revocation of a trust (other than resulting, implied or constructive trusts).
The creation, execution, variation or revocation of a power of attorney.
The making, execution or making and execution of any instrument which is required to be stamped or endorsed under the Stamp Duty Ordinance (Cap. 117) other than a contract note to which an agreement under section 5A of that Ordinance relates.
Government conditions of grant and Government leases.
Any deed, conveyance or other document or instrument in writing, judgments, and lis pendens referred to in the Land Registration Ordinance (Cap. 128) by which any parcels of ground tenements or premises in Hong Kong may be affected.
Any assignment, mortgage or legal charge within the meaning of the Conveyancing and Property Ordinance (Cap. 219) or any other contract relating to or effecting the disposition of immovable property or an interest in immovable property.
A document effecting a floating charge referred to in section 2A of the Land Registration Ordinance (Cap. 128).
Oaths and affidavits.
Statutory declarations.
Judgments (in addition to those referred to in section 6) or orders of court.
A warrant issued by a court or a magistrate.
Negotiable instruments (but excluding cheques that bear the words “not negotiable”). (Replaced L.N. 141 of 2014)
(Amended 14 of 2004 s. 27)
(Format changes—E.R. 1 of 2013)
Proceedings before any of the following—
the Court of Final Appeal;
the Court of Appeal;
the Court of First Instance;
the Competition Tribunal established by the Competition Ordinance (Cap. 619); (Added 15 of 2014 s. 16)
the District Court;
the Mental Health Review Tribunal established under the Mental Health Ordinance (Cap. 136);
the Lands Tribunal;
a coroner appointed under section 3 of the Coroners Ordinance (Cap. 504);
the Labour Tribunal;
the Obscene Articles Tribunal established under the Control of Obscene and Indecent Articles Ordinance (Cap. 390);
the Small Claims Tribunal;
a magistrate; (Amended L.N. 59 of 2000)
the Municipal Services Appeals Board established under the Municipal Services Appeals Board Ordinance (Cap. 220); (Added L.N. 59 of 2000)
the Insider Dealing Tribunal established under the Securities (Insider Dealing) Ordinance (Cap. 395) repealed under the Securities and Futures Ordinance (Cap. 571); (Added L.N. 59 of 2000. Amended 5 of 2002 s. 407)
the Securities and Futures Appeals Tribunal or the Market Misconduct Tribunal established under Part XI or XIII of the Securities and Futures Ordinance (Cap. 571); (Added 5 of 2002 s. 407)
any person arbitrating disputes in accordance with rules made under section 118(2) of the Securities and Futures Ordinance (Cap. 571); (Added 5 of 2002 s. 407)
the Resolution Compensation Tribunal established by section 127(1) of the Financial Institutions (Resolution) Ordinance (Cap. 628) or an additional tribunal established under section 128(1) of that Ordinance; (Added 23 of 2016 s. 214. Amended E.R. 2 of 2017)
the Resolvability Review Tribunal established by section 110(1) of the Financial Institutions (Resolution) Ordinance (Cap. 628) or an additional tribunal established under section 111(1) of that Ordinance; (Added 23 of 2016 s. 214. Amended E.R. 2 of 2017)
the Administrative Appeals Board established under the Administrative Appeals Board Ordinance (Cap. 442); (Added L.N. 59 of 2000)
the Appeal Tribunal established under the Buildings Ordinance (Cap. 123); (Added L.N. 59 of 2000)
an Appeal Board established under the Town Planning Ordinance (Cap. 131); (Added L.N. 59 of 2000)
a Drainage Appeal Board established under the Land Drainage Ordinance (Cap. 446); (Added L.N. 59 of 2000)
the Minor Employment Claims Adjudication Board established under the Minor Employment Claims Adjudication Board Ordinance (Cap. 453); (Added L.N. 59 of 2000)
the panel and a tribunal established under the Housing Ordinance (Cap. 283); (Added L.N. 59 of 2000)
an appeal board constituted or formed under the Hotel and Guesthouse Accommodation Ordinance (Cap. 349); (Replaced 6 of 2020 s. 52)
the Appeal Board established under the Clubs (Safety of Premises) Ordinance (Cap. 376); (Added L.N. 59 of 2000)
the Appeal Board established under the Bedspace Apartments Ordinance (Cap. 447); (Added L.N. 59 of 2000)
the Appeal Board established under the Amusement Game Centres Ordinance (Cap. 435); (Added L.N. 59 of 2000)
an appeal board established under the Amusement Rides (Safety) Ordinance (Cap. 449); (Added L.N. 59 of 2000)
an Appeal Board established under the Air Pollution Control Ordinance (Cap. 311); (Added L.N. 59 of 2000)
the Appeal Board established under the Noise Control Ordinance (Cap. 400); (Added L.N. 59 of 2000)
an Appeal Board established under the Dumping at Sea Ordinance (Cap. 466); (Added L.N. 59 of 2000)
an Appeal Board established under the Environmental Impact Assessment Ordinance (Cap. 499); (Added L.N. 59 of 2000)
an Appeal Board established under the Waste Disposal Ordinance (Cap. 354); (Added L.N. 59 of 2000)
an Appeal Board established under the Water Pollution Control Ordinance (Cap. 358); (Added L.N. 59 of 2000)
the Immigration Tribunal established under the Immigration Ordinance (Cap. 115); (Added L.N. 59 of 2000)
the Registration of Persons Tribunal established under the Registration of Persons Ordinance (Cap. 177); (Added L.N. 59 of 2000)
the Hong Kong Special Administrative Region Passports Appeal Board established under the Hong Kong Special Administrative Region Passports (Appeal Board) Regulation (Cap. 539 sub. leg. A); (Added L.N. 59 of 2000)
the Copyright Tribunal established under the Copyright Ordinance (Cap. 528); (Added L.N. 59 of 2000)
an arbitration tribunal established under the Labour Relations Ordinance (Cap. 55); (Added L.N. 59 of 2000)
a board of inquiry established under the Labour Relations Ordinance (Cap. 55); (Added L.N. 59 of 2000)
(Repealed 5 of 2002 s. 407)
a Solicitors Disciplinary Tribunal established under the Legal Practitioners Ordinance (Cap. 159); (Added L.N. 59 of 2000. Amended 7 of 2004 s. 55)
the Deposit Protection Appeals Tribunal established by the Deposit Protection Scheme Ordinance (Cap. 581); (Added 7 of 2004 s. 55. Amended 18 of 2004 s. 69)
the Construction Workers Appeal Board appointed under the Construction Workers Registration Ordinance (Cap. 583); (Added 18 of 2004 s. 69. Amended 20 of 2004 s. 59)
the Payment Systems and Stored Value Facilities Appeals Tribunal established under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584); (Replaced 18 of 2015 s. 66)
the Banking Review Tribunal established under the Banking Ordinance (Cap. 155); (Added 19 of 2005 s. 7. Amended 23 of 2005 s. 28; 3 of 2012 s. 22)
the Civil Celebrant of Marriages Appointment Appeal Board established under the Marriage Ordinance (Cap. 181); (Added 23 of 2005 s. 28. Amended 9 of 2007 s. 63)
the Unsolicited Electronic Messages (Enforcement Notices) Appeal Board established under the Unsolicited Electronic Messages Ordinance (Cap. 593). (Added 9 of 2007 s. 63)
(Format changes—E.R. 1 of 2013)
| Item | Enactment | Provision |
|---|---|---|
| 1. | Landlord and Tenant (Consolidation) Ordinance (Cap. 7) (Amended 36 of 2021 s. 17) | Sections 119Y(1)(a) and (b) and 120AAZZH(1)(a) and (b) |
| 2. | Rating Ordinance (Cap. 116) | Section 50(1) |
| 3. | Government Rent (Assessment and Collection) Ordinance (Cap. 515) | Section 45(1) |
| 4. | Mass Transit Railway (Land Resumption and Related Provisions) Ordinance (Cap. 276) (Added L.N. 151 of 2006) | Section 21(1) |
| 5. | Roads (Works, Use and Compensation) Ordinance (Cap. 370) (Added L.N. 151 of 2006. Amended 25 of 2023 s. 121) | Section 29(1) |
| 6. | Railways Ordinance (Cap. 519) (Added L.N. 151 of 2006. Amended 25 of 2023 s. 121) | Sections 27(6) and (7) and 34(1) |
| 7. | Electricity Ordinance (Cap. 406) (Added L.N. 214 of 2007) | Section 52 |
| 8. | Inland Revenue Ordinance (Cap. 112) (Added L.N. 214 of 2007) | Section 58(2) |
| 9. | Waterworks Regulations (Cap. 102 sub. leg. A) (Added L.N. 249 of 2008) | Regulation 49(1)(a) and (b) |
| 10. | Census and Statistics Ordinance (Cap. 316) (Added L.N. 83 of 2009) | Section 12(3)(a) and (b) |
| 11. | Business Registration Ordinance (Cap. 310) (Added 13 of 2010 s. 30) | Section 20 |
| 12. | Ferry Services Ordinance (Cap. 104) (Added L.N. 213 of 2021) | Section 28(3) |
| 13. | Buildings Ordinance (Cap. 123) (Added L.N. 225 of 2021) | Sections 3(11), (11A)(b) and (11C), 8C(6)(b) and 35(1)(a) and (b) |
| 14. | Building (Administration) Regulations (Cap. 123 sub. leg. A) (Added L.N. 225 of 2021. Amended L.N. 225 of 2021) | Regulation 6(1) |
| 15. | Building (Minor Works) Regulation (Cap. 123 sub. leg. N) (Added L.N. 225 of 2021) | Section 46(2)(a) |
| 16. | Commercial Bathhouses Regulation (Cap. 132 sub. leg. I) (Added 2 of 2024 s. 9) | Section 5(1) |
| 17. | Food Business Regulation (Cap. 132 sub. leg. X) (Added 2 of 2024 s. 9) | Section 32(1) |
| 18. | Frozen Confections Regulation (Cap. 132 sub. leg. AC) (Added 2 of 2024 s. 9) | Section 18(1) |
| 19. | Milk Regulation (Cap. 132 sub. leg. AQ) (Added 2 of 2024 s. 9) | Section 15(1) |
| 20. | Offensive Trades Regulation (Cap. 132 sub. leg. AX) (Added 2 of 2024 s. 9) | Section 9(2) |
| 21. | Aerial Ropeways (Safety) Ordinance (Cap. 211) (Added 2 of 2024 s. 9) | Section 7 |
| 22. | News Agencies Registration Regulations (Cap. 268 sub. leg. A) (Added 2 of 2024 s. 9) | Regulation 12 |
| 23. | Newspapers Registration and Distribution Regulations (Cap. 268 sub. leg. B) (Added 2 of 2024 s. 9) | Regulation 11 |
| 24. | Road Traffic Ordinance (Cap. 374) (Added 2 of 2024 s. 9) | Sections 79, 84(1)(d) and 85(1)(c) |
| 25. | Film Censorship Ordinance (Cap. 392) (Added 2 of 2024 s. 9) | Sections 8A(3), 9(4), 14A(2), 15B(9), 15I(1), 15K(12), 17(2)(c) and (4), 18(2), (3)(c) and (5) and 19(3), (4)(c) and (6) |
| 26. | Film Censorship Regulations (Cap. 392 sub. leg. A) (Added 2 of 2024 s. 9) | Regulation 8(a) |
| 27. | Land Drainage Ordinance (Cap. 446) (Added 2 of 2024 s. 9) | Section 45(1) |
| 28. | Slaughterhouses Regulation (Cap. 132 sub. leg. BU) (Added L.N. 80 of 2024) | Section 10(1) |
| 29. | Swimming Pools Regulation (Cap. 132 sub. leg. CA) (Added L.N. 80 of 2024) | Section 5(1) |
| 30. | Places of Public Entertainment Regulations (Cap. 172 sub. leg. A) (Added L.N. 80 of 2024) | Regulations 3(1)(a), 5(1) and (2) and 162(1), (3), (4) and (9)(b) |
| 31. | Human Reproductive Technology Ordinance (Cap. 561) (Added L.N. 80 of 2024) | Section 43 |
| 32. | Limited Partnerships Ordinance (Cap. 37) (Added L.N. 143 of 2024) | Section 12 |
| 33. | Gas Safety (Gas Supply) Regulations (Cap. 51 sub. leg. B) (Added L.N. 143 of 2024) | Regulation 4(2) and (3) |
(Schedule 3 added 14 of 2004 s. 28)