As a direct result of Oman’s enlarged presence in the global economy, it became essential for Oman to develop a reliable and controlled medium for transactions to be carried out through electronic means. Accordingly, in 2008, the legislature in Oman passed the Electronic Transactions Law (the “Law”), promulgated by Royal Decree 69/2008.
In sum, two of the Law’s primary objectives were (i) to streamline the process by which e-transactions are conducted, and (ii) to create a safe “environment” in which e-transactions can take place, for example by protecting e-signature confidentiality and data integrity. To that end, the Law provides a list of procedural requirements and safety nets to be implemented by “Authentication Service Providers” who manage and provide electronic transaction services.
Protective measures as required by the Law
Article 18 specifies that a company is to use “coding” as a means of protecting electronic transactions. Additionally, Article 19 requires a company to implement one of the following security mechanisms to protect its information database:
- coding through the general key;
- firewalls;
- information filters;
- set of means for prevention of denial;
- code technology in respect of data and files;
- measures for protection of the stored backup copies;
- worms & virus added programs; or
- any other method permitted by the competent authority (i.e., governmental clearance).
- if it is determined that the device used for creating the signature is within the scope of its use and confined to the signatory exclusively;
- if the device used for creation of the signature is exclusively under the control of the signer at the time of signing;
- if no changes are detected as having taken place to the e-signature after the signature’s time stamp was created; and
- if no changes are detected as having taken place with respect to the transaction itself after the signature’s time stamp was created.
Oman has certainly taken substantial and proactive measures to ensure that all companies falling under the purview of the Law comply with its requirements.
Article 25(d) and Article 26 provide that the Competent Authority has jurisdiction to “monitor, supervise and inspect” Authentication Service Providers to ensure that they have complied with the requirements of the Law. Further, Article 27 provides that the Minister of the Competent Authority may execute “judicial seizure.” Based on its inspections, if the Competent Authority determines that an Authentication Service Provider has failed to comply with any technical and/or procedural protocols as required by the Law, it may cancel the Provider’s licence, thereby prohibiting the Provider from further engaging in electronic transactions.