Republic of the Philippines

DEPARTMENT OF TRADE AND INDUSTRY

DEPARTMENT OF SCIENCE AND TECHNOLOGY

JOINT DEPARTMENT ADMINISTRATIVE ORDER NO. 02

Series of 2001

SUBJECT: PROVIDING IMPLEMENTING RULES AND REGULATIONS

ON ELECTRONIC AUTHENTICATION AND ELECTRONIC SIGNATURES

Whereas, the State recognizes the vital role of information and communications technology
in nation building as well s its own obligation to ensure network security, connectivity and
neutrality of technology for the national benefit;

Whereas, section 29 of R.A. 8792 (Electronic Commerce Act of 2000) mandates the

Department of Trade and Industry (DTI) to direct and supervise the promotion and
development of electronic commerce in the Philippines with relevant government agencies,
without prejudice to the provisions of Republic Act 7653 (Charter of Bangko Sentral ng
Pilipinas) and Republic Act 8791 (General Banking Law of 2000);

Whereas, the issuance of clear, transparent, predictable and enforceable rules to clarify and
ensure the legal validity and enforceability of electronic signatures and contracts will
encourage and promote the development of electronic commerce in the Philippines, enhance
its competitiveness in the new economy, protect the consumer, and encourage efficiency and
transparency in commercial transactions;

Whereas, technological developments in electronic authentication and modes of generating

electronic signatures are rapid, ongoing and market-led;

Whereas, rules and guidelines on electronic signatures and contracts that are technology-
neutral will help ensure continued private sector initiative and innovation and encourage
consumer trust in these new technologies;

And finally, recognizing that where appropriate, market-driven, rather than government-

imposed standards, contractual arrangements and codes of practice are better tools for
validating electronic transactions and developing user confidence in global electronic
commerce;

Now, therefore, pursuant to the provisions of sections 24 and 29 of Republic Act No. 8792,
otherwise known as the Electronic Commerce Act 2000 (hereinafter referred to as the "Act"),
the following Implementing Rules and Regulations on Electronic Authentication and
promulgated for the compliance of all concerned:

Section 1. General Rule of Validity. – As a general rule, and subject to the provisions of the
Electronic Commerce Act of 2000 and these Rules,

(a) a signature, contract or other record relating to such transaction may not be denied
legal effect, validity or enforceability solely because it is in electronic form; and

(b) A contract relating to such transaction may not be denied legal effect, validity, or
enforceability solely because an electronic signature or electronic document was used
in its formation.
Section 2. Scope of Application. – These Rules apply where electronic signatures and/or
electronic documents are used in the context of any commercial and noncommercial
transaction, activity or dealings, whether public or private, occurring between and among
parties. These include, and are not limited to, the following transactions: the sale, supply,
procurement or exchange of goods or services, including the manufacture, processing,
purchase, sale, supply, distribution or transacting in any manner, of tangible and intangible
property of all kinds such as commodities, goods, merchandise, financial and banking
products, patents, participations, shares of stocks, software, books, works of art and other
intellectual property; distribution agreement; commercial representation or agency; the filing
and payment of taxes; factoring; leasing; construction of works; consulting; engineering;
licensing; investment; financing; banking; insurance; exploitation agreement or concession;
joint venture and other forms of industrial or business cooperation; and carriage of goods and
passengers by air, sea, rail or road.

Section 3. Definitions. – For the purposes of these Rules:

(a) "Asymmetric or public cryptosystem" is the type of signature creation

technology and refers to a system capable of generating a secure key pair, consisting
of a private key for creating a digital signature, and a public key for verifying the
digital signature.

(b) "Certificate" means an electronic document issued to support a secure electronic

signature which purports to confirm the identity or other significant characteristics of
the person who, in the case of digital signatures, holds a particular key pair or, in
other cases, such signature creation or verification device or method as may be
applicable under the circumstance.

(c) "Certification authority" is a type of information certifier which, in the course

of its business, engages in issuing certificates in relations to cryptographic keys used
for the purposes of digital signatures.

(d) "Digital Signature" is a type of secure electronic signature consisting of a

transformation of an electronic document or an electronic data message using
asymmetric or public cryptosystem such that a person having the initial
untransformed electronic document and the signer’s public key can accurately
determine;

(i) whether the transformation was created using the private key that
corresponds to the signer’s public key; and

(ii) whether the initial electronic document had been altered after the
transformation was made.

(e) "Electronic agent" means a computer program or an electronic or other

automated means used independently to initiate an action or respond to electronic
messages or documents, in whole or in part, without review or action by an individual
at the time of action or response.

(f) "Electronic authority signature" refers to an electronic signature that establishes

the authority, position or attribute of the signer as the duly authorized proxy, agent or
representative of another person, and therefore, by such signature to bind the latter as
if he had created and/or issued the electronic signature himself.

(g) "Electronic data message" refers to information generated, sent, received or

stored by electronic, optical or similar means.
(h) "Electronic document" refers to information or the representation of
information, data, figures, symbols or other modes of written expression, described or
however represented by which a right is established or an obligation extinguished or
by which a fact may be proved and affirmed, which is received, recorded, transmitted,
stored, processed, retrieved or produced electronically. It includes documents signed
with secure electronic signatures and any printout or output, readable by sight or other
means, which accurately reflects the electronic data message or electronic document.
For purposes of these Rules, the term "electronic document" may be used
interchangeably with "electronic data message."

(i) "Electronic signature" refers to any distinctive mark, characteristic and/or sound

in electronic form, representing the identity of a person, and attached to or logically
associated with the electronic data message or electronic document or any
methodology or procedures employed or adopted by a person and executed or adopted
by such person with the intention of authenticating or approving an electronic data
message or electronic document. For purposes of these Rules, electronic signatures
include digital signatures and secure electronic signatures.

(j) "Information and communication system" refers to a system intended for and

capable of generating, sending, receiving, storing or otherwise processing electronic
data message or electronic documents and includes the computer system or other
similar device by or in which data is recorded or stored and any procedures related to
the recording or storage of electronic data message or electronic document.

(k) "Information Certifier" means any person who, or entity which in curse of its

business, issues certificates as means of providing identification services and/or
certifying information which are used to support the use of and trust in secure
electronic signatures. For purposes of these Rules, the term "information certifier"
includes but is not necessarily limited to certification authorities.

(l) "Key pair" in an asymmetric cryptosystem refers to the private key and its
mathematically related public key such that the latter can verify the digital signature
that the former creates.

(m) "Person" means any natural or juridical person including, but not limited to, an
individual, corporation, partnership, joint venture, unincorporated association, trust or
other juridical entity, or any governmental authority.

(n) "Private Key" refers to the key of a key pair used to create a digital signature.

(o) "Public Key" refers to the key of a pair used to verify a digital signature.

(p) "Secure Electronic Signature" means an electronic signature which is created

and can be verified through the application of a security procedure or combination of
security procedures that ensures such electronic signature:

a. is unique to the signer;

b. can be used to identify objectively the signer of the data message

c. was created and affixed to the date message by the signer or using a means
under the sole control of the signer; and

d. was created and is linked to the data message to which it relates in a manner
such that any change in the data message would be revealed.
 For purposes of these Rules, secure electronic signatures include but is not necessarily
limited to digital signatures.

(q) "Signature creation device, method or technology" refers to any device,

method or technology used to create an electronic signature in respect of which it can
be shown, through the use of a security procedure or method, that such signature (a) is
unique to the signer for the purpose for which it is used; (b) was created and affixed
to the data message by the signer or using a means under the sole control of the
signer; and (c) was created and is linked to the electronic data message to which it
relates in a manner which provides reliable assurance as to the integrity of the
message.

(r) "Signer" means the person who uses, creates and affixes an electronic signature to
an electronic data message.

Section 4. Technology Neutrality. – None of the provisions of these Rules shall be applied so
as to exclude, restrict, or deprive of legal effect any method of electronic signature that
satisfies the requirements referred to in Section 8 of the Act, or in Rule 5 of these Rules
which is as reliable as was appropriate for the purpose for which the data message was
generated or communicated, in the light of all the circumstances, including any relevant
agreement.

Section 5. Legal Recognition of Electronic Signatures. – An electronic signature on the

electronic document shall be equivalent to the signature of a person on a written document if
that signature is proved by showing that a prescribed procedure, not alterable by the parties
interested in the electronic document, existed under which:

(a) A method is used to identify the party sought to be bound and to indicate said
party’s access to the electronic document necessary for his consent or approval
through the electronic signature;

(b) Said method is reliable and appropriate for the purpose for which the electronic
document was generated and communicated, in the light of all circumstances,
including any relevant agreement;

(c) It is necessary for the party sought to be bound, in order to proceed further with
the transaction, to have executed or provided the electronic signature; and

(d) The other party is authorized and enabled to verify the electronic signature, and to
make the decision to proceed with the transaction authenticated by the same.

The parties may agree to adopt supplementary or alternative procedures provided that the
same are not contrary to law or public policy.

Section 6. Authority Signatures. – None of the provisions of these Rules shall be applied so
as to exclude, disallow, or deprive electronic authority signatures, as defined in Section 3
above, or legal effect and validity.

Section 7. Electronic Agents. – A contract or other record relating to a transaction may not
be denied legal effect, validity, or enforceability solely because its formation, creation, or
delivery involved the action or operation of one or more electronic agents so long as such
electronic agent is under the control of, or its action or operation is legally attributable to the
person sought to be bound.
Section 8. Liability for unauthorized use of secure electronic signatures. – Where the use of
a secure electronic signature was unauthorized and the purported signer did not exercise
reasonable care to avoid the unauthorized use of the signature or to prevent the addressee
from replying on such a signature, the signature shall nevertheless be regarded as that of the
purported signer, unless the relying party knew or should have known that the signature was
not that of the purported signer.

Section 9. Responsibilities of an information certifier. – An information certifier shall:

(a) act in accordance with the representations it makes with respect to its practices;

(b) exercise due diligence to ensure the accuracy and completeness of all material
representations it makes that are relevant to the life-cycle of its certificates or which
are included in its certificates;

(c) provide reasonably accessible means which enable a relying party to ascertain:

i. the identify of the information certifier;

ii. that the person who is identified in the certificate holds, at the relevant time,
the signature device referred to in the certificate;

iii. the method used to identify the signer, provided however, the information
certifier shall not be required to reveal any of its trade or industrial secrets;

iv. any limitations on the purposes or value for which the signature device may
be used; and

v. whether the signature device is valid and has not been compromised;

(d) provide reasonably accessible means for signers to give notice that a signature
device has been compromised and ensure the operation of a timely and secure
revocation service; and

(e) utilize trustworthy systems, and procedures in performing is services.

(f) engage trustworthy personnel who possess the expert knowledge, experience and
qualifications necessary for its services, in particular, but not limited to, expertise in
electronic signature technology and familiarity with proper security procedures;

(g) maintain sufficient financial resources to operate as an information certifier and to

bear the risk of potential liability for damages;

(h) Record, whether electronically or not, for an appropriate period of time all
relevant information concerning issued certificates for, but not limited to, the purpose
of providing evidence of certification in legal proceedings;

(i) for purposes of issuing and maintaining a certificate, collect and utilize personal
data only insofar as it is necessary for the purposes of issuing and maintaining the
certificate. Such data may not be collected, sold, distributed, processed or used for
any other purpose without the express consent of the data subject.

An information certifier shall be liable for damages caused by its failure to satisfy the
requirements provided under this and the following Rules.
Section 10. Certificate Requirements. – At a minimum, certificates shall state:

(a) the identity of the information certifier;

(b) that the person who is identified in the certificate holds, at the relevant time, the
signature device referred to in the certificate;

(c) that the signature device was effective on the date when the certificate was issued;

(d) an indication of the beginning and end of the period of validity of the certificate;

(e) where applicable, any limitation on the purposes or value for which the certificate
may be used; and

(f) any limitation on the scope or extent of liability that the information certifier
accepts, or alternatively, information on where such limitations on the scope or extent
of liability, if any, may be found.

Section 11. Liability for incorrect or defective certificates. – If damage has been caused as a
result of the certificate being incorrect or defective, the information certifier shall be liable
for damage suffered by either:

(a) the party who has contracted with the information certifier for the provision of a
certificate; or

(b) any person who reasonably relies on a certificate issued by the information
certifier as regards the fact that the certificate complies with all the requirements for a
certificate, and as regards the truth and accuracy, at the time of the issuance of the
certificate, of all information and representations contained in the certificate.

In assessing the loss, regard shall had to the following factors:

(a) the amount of damages caused by the incorrect or defective certificate;

(b) the cost of obtaining the certificate;

(c) the nature of the information being certified;

(d) the existence and extent of any limitation on the purpose for which the certificate
may be used;

(e) the existence of any statement limiting the scope or extent of the liability of the
information certifier;

(f) any contributory conduct by the relying party; and

(g) any other relevant factor.

Section 12. Voluntary accreditation. – A certificate shall be presumed to bind a secure

electronic signature to the signer’s identity if the certificate was issued by an information
certifier duly accredited by the Department of Trade and Industry (DTI), in coordination with
the Department of Science and Technology (DOST), which shall apply commercially
appropriate and internationally recognized standards covering the trustworthiness of the
information certifier’s technology, practices and other relevant characteristics. A non-
exhaustive list of bodies or standards that comply with this paragraph may be published from
time to time by the DTI jointly with the DOST.

This Rule shall not be applied so as to exclude or prevent the validity of a certificate issued
by a nonaccredited information certifier where such certificate is shown to have otherwise
been issued in accordance with commercially appropriate and international recognized
standards, or where sufficient evidence indicates that the certificate accurately binds the
secure electronic signature to the signer’s identify.

Section 13. Responsibilities of the signer. – Each signer shall:

(a) Exercise reasonable care to avoid unauthorized use of his electronic signature
and/or signature creation device;

(b) Notify appropriate persons, including the concerned information certifier, without
undue delay if:

i. The signer knows that the private key or other signature creation device has
been exposed or revealed to unauthorized persons, or that his electronic
signature has been compromised; or

ii. the circumstances known to the signer give rise to a substantial risk that his
electronic signature may have been compromised;

(c) A signer shall be liable for damages caused by failure to satisfy the requirements
provided under this Rule.

Section 14. Reliance on electronic signatures. -

(a) A person shall rely on an electronic signature only to the extent that it is
reasonable to do so. If reliance on the electronic signature is not reasonable in the
circumstances having regard to the factors enumerated below,

(b) In determining whether it was reasonable for a person to have relied on the
electronic signature, regard shall be had, if appropriate to:

i. the nature of the underlying transaction that the electronic signature was
intended to support;

ii. whether the relying party, where warranted, has taken appropriate steps to
determine the reliability of the electronic signature;

iii. whether the relying party took steps to ascertain whether the electronic
signature was supported by a certificate;

iv. whether the relying party knew or ought to have known that the electronic
signature device had been compromised or revoked;

v. any agreement or course of dealing which the relying party has with the
signatory or subscriber, or any trade usage or practice which may be
applicable;

vi. any other relevant factor.

Section 15. Recognition of foreign certificates and electronic signatures. –

 (a) In determining whether, or the extent to which, a certificate or an electronic
signature is legally effective, no regard shall be had to the place where the certificate
or the electronic signature was issued, nor to the country in which the issuer had its
place of business.

(b) Parties to commercial and other transactions may specify that a particular
information certifier or supplier or supplier of certification services, class of suppliers
of certification services or class of certificates must be used in connection with
messages or signatures submitted to them.

(c) Where parties agree, as between themselves, to the use of certain types of
electronic signatures and certificates, that agreement shall be recognized as sufficient
for the purpose of cross-border recognition.

Section 16. Reciprocity. – All benefits, privileges, advantages or statutory rules established

under these Rules shall be enjoyed only by parties whose country origin grants the same
benefits and privileges and advantages to Filipino citizens.

Section 17. Variation by agreement. – Unless otherwise provided by law, contracting parties

may derogate from or modify these Rules by agreement.

Section 18. Interpretation. – Unless otherwise expressly provided for, in the interpretation of

these Rules, due regard is to be given to their international origin and to the need to promote
uniformity in their application and the observance of good faith in international trade
relations. The generally accepted principles of international law and convention on electronic
commerce shall likewise be considered.

Section 19. Separability. – If any provision in these Rules or application of such provision to

any circumstance is held invalid, the remainder of these Rules shall not be affected thereby.

Section 20. Effectivity. – These Rules shall take effect after fifteen (15) days following the
completion of their publication in the Official Gazette or in a newspaper of general
circulation in the Philippines.

Done this 28th day of September 2001 in Metro Manila, Republic of the Philippines.

(Sgd.) MAR ROXAS
Secretary
Department of Trade and Industry

(Sgd.) ESTRELLA F. ALABASTRO
Secretary
Department of Science and Technology