Official Translation No: 7, 13 – 1/99

National Federation of

Colombian Coffee Growers

BILL NUMBER 527, 1998 HOUSE OF REPRESENTATIVES,

NUMBER 95, 1998 SENATE

"THIS BILL DEFINES AND REGULATES THE ACCESS AND USE OF DATA MESSAGE, ELECTRONIC TRADE AND DIGITAL SIGNATURES, AND ESTABLISHES THE CERTIFICATION ENTITIES, AND SET FORTH SOME OTHER PROVISIONS".

The Congress of Colombia

DECREES:

PART I

GENERAL PART

CHAPTER I

General Provisions

Article 1st. Application Scope. This law shall apply to every kind of information in the form of data message, except in the following cases:

The obligations contracted by the Colombian State as a result of International Covenants or Treaties.

Written warnings, which by legal provision should be necessarily printed on a certain kind of products due to the risk implied in their marketing, use or consumption.

Article 2nd. Definitions. For the purposes of this law the terms below shall have the following meanings:

Data Message. The information generated, sent, received, stored or communicated by electronic, optical or similar means, such as, among others, Data Electronic Exchange (DEE), Internet, electronic mail, telegram, telex or telefacsimile.

Electronic Trade. Includes subjects arising from every relation of commercial nature, whether contractual or not, structured on the basis of using one or more data messages or any other similar means. Commercial kind relations include but are not limited to the following operations: every commercial operation for the supply or exchange of goods or services; every distribution agreement; every representation or commercial mandate operation; every kind of financial, stock exchange and insurance transactions; work construction operations; advisory; engineering; license granting; every utility service concession or exploitation; joint companies or other forms of industrial and commercial cooperation; goods or passengers transportation by air, sea and train or road.

Digital Signature. It shall be understood as a numerical value adhered or attached to a data message which, using a known mathematical procedure linked to the initiator's password and to the message text, allows one to determine that such value has been obtained exclusively through the initiator's password and that the initial message has not been amended after the respective transformation was effected.

Certifying Entity. The person who, authorized in accordance with this Law, is empowered to issue certificates related to digital signatures of persons, to offer or facilitate recording and chronological stamping services for the transmission and reception of data messages, and to perform other duties related to communications based on digital signatures.

Data Electronic Exchange (DEE). Data electronic transmission from a computer to another one, structured under technical regulations agreed for such purpose.

Information System. Every system used to generate, send, receive, file or process data messages in any way.

Article 3rd. Interpretation. The international origin of this law, the need of promoting uniformity in its application and the observance of good faith shall have to be taken into account for the interpretation of this law.

The subjects related to matters governed by this law and which are not expressly resolved herein shall be settled in accordance with the general principles on which this law is grounded.

Article 4th. Amendment by agreement. Except otherwise provided regarding the relations among the parties who generate, send, receive, file or process data messages in any way, the provisions in Chapter III, Part I may be amended by agreement.

Article 5th. Juridical recognition of data messages. No juridical effects, validity or obligatory force shall be denied to any kind of information just for being in the form of a data message.

CHAPTER II

Application of data message juridical requirements

Article 6th. Written. Whenever any regulation requires the information to be in writing, such requirement will be satisfied by a data message if the information such message contains is accessible for later consultation.

The provisions in this article shall apply both if the requirement established in any regulation constitutes an obligation, and if the regulations anticipate consequences in case the information is not in writing.

Article 7th. Signature. Whenever any regulation requires the appearance of a signature or anticipates certain consequences in the case of absence thereof, in relation to a data message, said requirement shall be understood met if:

A method has been used that allows the initiator of a data message to be identified and indicates that its content has been approved by the initiator.

The method is both reliable and suitable for the purpose for which the message was generated or communicated.

The provisions in this article shall apply both if the requirement established in any regulation constitutes an obligation, and if the regulations just anticipate consequences in case no signature exists.

Article 8th. Original. Whenever any regulation requires the information to be presented and maintained in its original form, such requirement shall be met by a data message, if:

Any reliable guarantee exists that the integrity of its information has been maintained, from the moment it was generated for the first time in its definitive form, as a data message or in any other form;

Where information is required to be presented, said information can be shown to the person to whom it has to be presented.

The provisions in this article shall apply both if the requirement established in any regulation constitutes an obligation, and if the regulations simply anticipate consequences in case the information is not presented or maintained in its original form.

Article 9th. Integrity of a data message. For the purposes of the previous article, the information included in a data message shall be considered complete if it has remained complete and not altered, except for the addition of any endorsement or any change inherent to a communication, file or presentation process. The reliability degree required shall be determined in the light of the purposes for which such information is generated and all relevant circumstances of the case.

Article 10th. Admissibility and probative force of data messages. Data messages shall be admissible as proof means and their probative force is the one granted in the provisions of Chapter VIII, Title XIII, Third Section, Second Book of the Code of Civil Procedure.

In every administrative or judicial performance, no efficacy, validity or obligatory force can be denied to any kind of information in the form of a data message, just for the fact of dealing with a data message or having not presented it in its original form.

Article 11th. Criterion for the probative appraisal of a data message. For the appraisal of the probative strength of data messages referred to in this law, healthy criticism regulations and other legally recognized criteria for proof appreciation shall be taken into account. Therefore, the following criteria should be taken into account: reliability of the form in which data messages were generated, filed or communicated; reliability of the form in which information integrity has been maintained; the form in which its initiator is identified and any other pertinent factor.

Article 12. Maintenance of data messages and documents. Whenever the Law requires certain documents, records or information to be maintained, such requirement shall be met provided the following conditions are observed:

The information contained is accessible for its later consultation;

Data message or document is maintained in the format in which it was generated, sent or received, or in any format that allows to prove it accurately reproduces the information generated, sent or received, and

Every information, if any, that allows determining the origin and destination of the message, and the date and time at which the message was delivered or received or the document was produced, is maintained.

Information whose only purpose is to facilitate the sending or receipt of data messages shall not be subject to the maintenance obligation.

The books and papers belonging to traders may be maintained in any technical means which guarantees their accurate reproduction.

Article 13. Data messages and document files maintained by third parties. The observance of the obligation of maintaining documents, records or information in data messages, may be performed directly or through third parties, provided the conditions stated in foregoing article are met.

CHAPTER III

Communication of data messages

Article 14. Preparation and validity of agreements. For the purposes of preparing a contract, except an explicit agreement between the parties, the offer and its acceptance may be expressed by a data message. A contract validity or obligatory force shall not be denied for the only reason of having used one or more data messages in its preparation.

Article 15. Data message recognition by the parties. In the relations between the initiator and the addressee of a data message, no juridical effects, validity or obligatory force shall be denied to any expression of will or other statement, for the only reason of having made the same in the form of a data message.

Article 16. Attribution of a data message. A data message is presumed to have been delivered by the initiator, when it has been delivered by:

The initiator itself

Any person empowered to act on behalf of the initiator with respect of that message, or

An information system programmed by the initiator or on its behalf for it to operate automatically.

Article 17. Presumption of the origin of a data message. A data message is presumed to have been sent by the initiator when:

The procedure previously agreed with the initiator in order to establish that a data message effectively came from the initiator is suitably applied, or

A data message received by the addressee is the result of the acts of a person whose relation with the initiator or with any initiator's attorney has given such person or attorney access to any method used by the initiator, in order to identify a data message as its own.

Article 18. Agreement between a sent data message with a received data message. Whenever a data message comes from the initiator or it is understood as coming from the initiator, or whenever an addressee is entitled to act in accordance with this assumption, in respect to the relationships between the initiator and the addressee, the latter is entitled to consider the data message received corresponds to the one the initiator wanted to send, and may proceed in consequence.

The addressee shall not have this right if he knew, or would have known had he acted with due diligence or applied any agreed method, that the transmission had given rise to an error in the received data message.

Article 19. Duplicated data messages. Each data message received is presumed to be a different data message, except to the extent it duplicates another data message, and the addressee knows or should know, if he had acted with due diligence or applied any agreed method, that the new data message was a duplicate.

Article 20. Acknowledgment of receipt. If at the time of sending or before sending a data message, the initiator requests or agrees with the addressee on the acknowledgment of data message receipt, but they have not agreed a determined form or method in order to effect it, such acknowledgment of receipt may be done by:

Any communication from the addressee, automated or not, or

Any act of the addressee, sufficient to indicate the initiator that the data message has been received.

If the initiator has requested or agreed with the addressee on the acknowledgment of receipt of data messages, and the initiator has expressly indicated that the effects of the data message will be conditioned to the reception of an acknowledgment of receipt, the data message shall not be considered delivered until the acknowledgment of receipt is received.

Article 21. Presumption of reception of a data message. When the initiator receives an acknowledgment of receipt from the addressee, it shall be presumed that the latter has received the data message.

That presumption shall not imply the data message corresponds to the received data message. When the acknowledgment of receipt indicates that the data message received meets the technical requirements agreed or stated in any applicable technical regulation, such observance shall be presumed.

Article 22. Juridical effect. Articles 20 and 21 only govern the effects related to the acknowledgment of receipt. Juridical consequences of a data message shall be governed in accordance with regulations applicable to the juridical act or business contained in such data message.

Article 23. Time of sending a data message. If not otherwise agreed by initiator and addressee, a data message shall be considered issued when it enters an information system not under the control of the initiator, or of the person who sent such data message on behalf of the initiator.

Article 24. Time of reception of a data message. If not otherwise agreed by initiator and addressee, the time of reception of a data message shall be determined as follows:

If the addressee has designated an information system for data message reception, such reception will occur:

At the time the data message enters the designated information system; or

If the data message is sent to an information system of the addressee, different from the designated information system, at the time the addressee recovers that data message.

If the addressee has not designated an information system, the reception of a data message shall occur when it enters an information system of the addressee.

The provisions in this article shall apply even when the information system is located in a place different from the place where the data message is considered received in accordance with next article.

Article 25. Place of delivery and reception of data messages. If not otherwise agreed by initiator and addressee, a data message shall be considered issued in the place or location where the initiator has its establishment, and received in the place or location where the addressee has its establishment. For the purposes of this article:

If the initiator or the addressee has more than one establishment, its establishment shall be the one having a closest relation with its underlying operation or, if there is not an underlying operation, its main establishment.

If the initiator or the addressee has not an establishment, its customary residence shall be taken into account.

PART II

ELECTRONIC TRADE AS FOR MERCHANDISE TRANSPORTATION

Article 26. Acts related with merchandise transportation agreements. Without damage of the provisions in Part I of this law, this chapter shall apply to any of the following acts related to any merchandise transportation agreement, or its performance, and this list is not restrictive:

a) I. Indication of brand, number, quantity or weight of merchandise.

II. Statement of nature or price of merchandise.

III. Issuance of merchandise receipt.

IV. Confirmation of the completion of merchandise shipment.

b) I. Notification to any person on the clauses and conditions in the agreement.

II. Communication of instructions to the carrier.

c) I. Request of merchandise delivery.

II. Authorization to deliver merchandise.

III. Notification of merchandise loss or damages suffered.

d) Any other notification or statement related to the performance of the respective agreement;

e) Promise of delivering the goods to a person designated or to a person authorized to receive this delivery;

f) Concession, acquisition, waiver, restitution, transfer or negotiation of any right on merchandise;

g) Acquisition or transfer of rights or obligations in accordance with the agreement.

Article 27. Transportation documents. Subject to the provisions in third (3rd) paragraph of this article, in the cases in which the law requires that any of the acts stated in Article 26 must be carried out in writing, or through a document issued in paper, such requirement shall be met when such act is carried out by one or more data messages.

Above paragraph shall apply both, if the requirement therein provided is expressed as an obligation or if the law just anticipates consequences in case the act is not carried out in writing or through a document issued in paper.

When any right is granted to a determined person and not to any other, or when such person acquires an obligation and the law requires that for such act to be effective, the right or obligation had to be transferred to that person by means of the delivery or use of a document issued in paper, such requirement shall be met if such right or obligation is transferred through the use of one or more data messages, provided a reliable method is used to guarantee the singularity of such data message or messages.

For the purposes of third paragraph, the required level of reliability shall be determined in accordance with the purposes for which the right or obligation was transferred and all the circumstances of the case, including any pertinent agreement.

When one or more data messages are used in order to carry out any of the acts stated in paragraphs f) and g) in Article 26 herein, no document issued in paper shall be valid to carry out any of such acts, except the use of data messages has ended in order to substitute it by the use of documents issued in paper. Any document supported in paper and issued under such circumstances shall include a statement in such sense. The substitution of data messages by documents issued in paper shall not affect the rights or obligations of the parties.

When a juridical regulation has to be obligatorily applied to a merchandise transportation agreement stated in, or evidenced by a document written in paper, such regulation shall continue being applied to said merchandise transportation agreement stated in one or more data messages, notwithstanding that such agreement has been stated in that data message or messages, instead of being stated in documents issued in paper.

PART III

DIGITAL SIGNATURES, CERTIFICATES AND CERTIFICATION ENTITIES

CHAPTER I

Digital Signatures

Article 28. Juridical attributes of a digital signature. When a digital signature has been fixed to a data message, it is presumed that the signatory of such signature had the intention of crediting such data message and be linked to its content.

Paragraph. The use of a digital signature shall have the same force and effects as the use of a handwritten signature, if the digital one includes the following attributes:

Is unique for the person who uses it

Is susceptible of being verified

Is under the exclusive control of the person who uses it

Is linked to the information or message in such a way that if they are changed, the digital signature becomes invalid

Agrees with the regulations adopted by the National Government.

CHAPTER II

Certification Entities

Article 29. Characteristics and requirements of certification entities. The following can be certification entities: public or private corporations of national or foreign origin, and the chambers of commerce previously authorized by the Superintendency of Industry and Trade, and which observe the requirements set forth by the National Government on the basis of the following conditions:

Having sufficient economic and financial capacity to render the services authorized to them as certification entities.

Having technical capacity and elements needed to generate digital signatures, the issuance of certificates on the authenticity of the same and the maintenance of data messages in the terms provided in this law.

Legal representatives or administrators may not be persons who had been condemned to jail, except due to political crimes or crimes committed through negligence.

Article 30. Activities of certification entities. The certification entities authorized by the Superintendency of Industry and Trade to render their services in the country can carry out the following activities, among others:

Issue certificates in relation to digital signatures of individuals or corporations.

Issue certificates regarding verification in respect of any alteration between sending and reception of a data message.

Issue certificates in respect of a person who possesses a right or obligation regarding the documents listed in paragraphs f) and g) of article 26 of this law.

Offer or facilitate services for the creation of certified digital signatures.

Offer or facilitate chronological registration or stamping services addressed to the generation, transmission and reception of data messages.

Offer file and maintenance services of data messages.

Article 31. Remuneration for service rendering. The remuneration for the services rendered by certification entities, shall be established by the same.

Article 32. Duties of the certification entities. The certification entities shall have the following duties among others:

Issue certificates in accordance with whatever is requested by or agreed with the subscriber.

Implement security systems in order to guarantee the issuance and creation of digital signatures, maintenance and file of certificates and support documents of data messages.

Guarantee the protection, confidentiality and due use of the information provided by the subscriber.

Guarantee a permanent rendering of services by certification entity.

Timely attend the requests and claims made by the subscribers.

Effect advertisements and publications in accordance with the provisions of the law.

Provide the information required by competent administrative or judicial entities regarding digital signatures and certificates issued, and in general on any data message under their custody and administration.

Allow and facilitate the performance of audits by the Superintendency of Industry and Trade.

Prepare a regulation defining their relation with subscribers and the way in which the services are rendered.

Keep a registry of certificates.

Article 33. Unilateral termination. Except otherwise agreed by the parties, the certification entity may terminate any linking agreement with a subscriber, giving the subscriber a notice with not less than ninety (90) days in advance. Once this term expires, the certification entity shall revoke those certificates pending of expiration.

In addition, a subscriber may terminate any linking agreement with a certification entity, by giving the latter a notice with not less than thirty (30) days in advance.

Article 34. Activity discontinuance by certification entities. Authorized certification entities may suspend their performance of activities provided they have been authorized to do so by the Superintendency of Industry and Trade.

CHAPTER III

Certificates

Article 35. Certificate content. A certificate issued by an authorized certification authority, in addition to being digitally signed by the same, shall at least include the following:

Name, address and domicile of subscriber

Identity number of the subscriber who appears in the certificate

Name, address and location where the certification entity performs its activities

Public password of the user

The methodology used to verify the digital signature of subscriber appearing in a data message

Series number of certificate

Issuance and expiration dates of respective certificate.

Article 36. Acceptance of a certificate. Except otherwise agreed by the parties, it is understood that a subscriber has accepted a certificate when the certification entity, upon request of the subscriber or of any person on behalf of the same, has kept it in a repository.

Article 37. Certificate revoking. The subscriber of a certified digital signature may request to the certification entity that issued a certificate to revoke the same. In any case, the subscriber shall be obliged to request a certificate revocation in the following events:

Loss of private password

Private password has been exposed to, or is in risk of being unduly used

If a subscriber does not request a certificate revocation in case any of the cases above exists, he shall be responsible for the losses or damages in which third parties may incur in good faith exempt of guilt, who trusted on the content of such certificate.

A certification entity shall revoke an issued certificate due to the following reasons:

Upon petition of its subscriber or a third party on behalf and representation of the subscriber

Death of subscriber

Liquidation of the subscriber, if a corporation

Confirmation that any information or fact contained in the certificate is false

Private password of certification entity or its security system has been substantially placed in risk, affecting the reliability of the certificate

Suspension of activities of certification entity, and

Judicial order or an order from a competent administrative entity

Article 38. Term of registry maintenance. The registries of certificates issued by a certification entity shall be maintained for the term required by the law governing that juridical act or business in particular.

CHAPTER IV

Subscribers of Digital Signatures

Article 39. Duties of subscribers. The duties of the subscribers are as follows:

Receive a digital signature from a certification entity or generate it using a method authorized by such entity

Provide the information required by a certification entity

Maintain control of digital signature

Timely request the revocation of certificates

Article 40. Responsibility of subscribers. The subscribers shall be responsible for falsity, error or omission in the information provided to the certification entity and failure of their duties as subscribers.

CHAPTER V

Superintendency of Industry and Trade

Article 41. Duties of the Superintendency. The Superintendency of Industry and Trade shall be in charge of the duties legally assigned to it regarding the certification entities, and in addition shall have the following responsibilities:

Authorize the activity of certification entities in the national territory

Monitor the operation and efficient rendering of services by the certification entities

Perform audit visits to the certification entities

Revoke or suspend authorization to operate as a certification entity

Request pertinent information for the performance of its duties

Impose sanctions to certification entities in case of failure of the obligations arising from the rendering of services.

Order the revocation of certifications when the certification entity issues them without observing legal formalities

Designate repositories and certification entities in the cases provided in the law

Issue certificates regarding digital signatures of certification entities

Watch for the observance of constitutional and legal provisions on the promotion of competence and restrictive commercial practices, disloyal competence and consumer protection, in the markets attended by certification entities

Give instructions on the suitable observance of the regulations to which the certification entities shall be submitted

Article 42. Sanctions. The Superintendency of Industry and Trade in accordance with the due process and the right of defense may impose, in accordance with the nature and seriousness of the fault, the following sanctions to the certification entities:

Admonition

Institutional penalties up to the equivalent of two thousand (2,000) minimum monthly legal wages in effect, and personal penalties to administrators and legal representatives of the certification entities, up to three hundred (300) minimum monthly legal wages in effect, if it is proved that they have authorized, performed or agreed with behaviors infringing the law.

Suspend immediately all or some activities of the infringing entity

Prohibit the infringing certification entity from directly or indirectly rendering its services for a term of up to five (5) years

Definitively revoke the authorization to operate as a certification entity.

CHAPTER VI

Sundry Provisions

Article 43. Reciprocal certifications. The digital signature certificates issued by foreign certification entities can be recognized in the same terms and conditions required by the law for the issuance of local certificates by national certification entities; provided said certificates are recognized by an authorized certification entity who guarantees equally as it does with its own certificates, the regularity of the details in the foreign certificate, as well as its validity and effect.

Article 44. Incorporation by remittance. Except otherwise agreed by the parties, when total or partial remittance is made in a data message to easily accessible guidelines, regulations, standards, agreements, clauses, conditions or terms with the intention of incorporating them as part of a data message content, or make them juridically linking, it is presumed that such terms are incorporated by remittance to that data message. Between the parties and in accordance with the law, those terms shall be juridically valid as if they had been fully incorporated in the respective data message.

PART IV

Regulation and Effect

Article 45. The Superintendency of Industry and Trade shall have an additional term of twelve (12) months from the date of the publication of this law, in order to organize and assign to one of its dependencies the duty of inspection, control and vigilance of the activities performed by the certification entities, without damage of the creation by the National Government of a specialized unit within said Superintendency for such purpose.

Article 46. Prevalence of consumer protection laws. This Law shall apply without damage of the regulations in effect as for the protection of consumers.

Article 47. Effect and annulments. This Law is in effect from the date of its publication and annuls all provisions in contrary.


Translator's Note: The above is a complete translation of the attached Bill Number 527, 1998, and a copy of same is kept on this file for its confrontation.

 

Maria del Pilar Mejia de Restrepo

Official Translator, Interpreter

Resolution No. 958 of the Colombian

Ministry of Justice.

Tel: 2530032