Information Transactions in Trade and Customs Facilitation
25th International Trade Law Conference
Mark Sneddon
Partner, Clayton Utz
22 October 2003

Data Flows are Crucial to International Trade
Creation, Collection, Use, Disclosure and Reliance on Data by all parties in international trade
Traders, Suppliers, Customers, Agents, Carriers, Banks, Government Agencies

The Difference Digital Networks Make
An increasing amount of this data is electronic not paper-based
More data is available and accessible (e.g. supply chain data)
That data can be sent and assessed faster than paper

Legal Systems and Business and Government Implications
Integrity and confidentiality of electronic data
Authentication of sender / author / owner of data
"Non-repudiation" of electronic messages
Admissibility and weight of electronic data in evidence

Legal Systems and Business and Government Implications (cont)
Achieving these cross-border
Compliance with other laws e.g. privacy, secrecy and anti-terrorism laws
Cooperation between states in investigation, evidence-gathering, recognition of foreign evidence and judgments

Data Flows
[Diagram: data flows between Trader, Suppliers, Customers, Agent, Carriers, Bank, Customs and OGAs]

Agreements of All Kinds Need to be Put in Place
Agreement on:
Data Sets
Communications Protocols
Methods for Authentication, Integrity, Confidentiality
Delivery, Back-Up, Recovery
Liability Allocation

Agreements of All Kinds Need to be Put in Place (cont)
Agreements may be within a group e.g. Bolero, Identrus, Customs-clients (Gatekeeper PKI), Express Carrier Groups
May be Government to Government e.g. Netherlands and Sweden MOU or by formal intergovernmental agreements e.g. APEC BluePrint for Action on E-Commerce includes Paperless Trading

Agreements of All Kinds Need to be Put in Place (cont)
May be Government to Business e.g. US CTPAT and Australian Customs MOUs with accredited clients
Need to manage domestic privacy / confidentiality / data protection law compliance
WCO Draft Guidelines for the Development of National Laws for the Collection and Transmission of Customs Information

Electronic Records
Converting Paper to Electronic Records
Potential obstacles
Legislative document retention requirements
Non-legislative requirements (eg. industry codes of practice)
Contractual obligations (especially under government contracts)
Privacy legislation
Evidentiary requirements
Electronic Transactions Legislation

Electronic Records (cont)
Issues which need to be managed:
Data security and integrity
Reliable chain of evidence
Searchability
Backward compatibility of retrieval devices
Degradation of storage medium and protection mechanisms

Electronic Records (cont)
Practical strategies to manage issues:
Access controls and encryption
Date and time stamping
Metadata and search engines
Encryption (and re-encryption)
Be able to change some metadata but not core data
Contracts with vendors and service providers
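
Added example (not part of the original presentation): one way to combine date and time stamping, a reliable chain of evidence, and "change some metadata but not core data" in a record store. Each record's core data and time stamp are sealed with an HMAC that also covers the previous record's seal, while search metadata stays outside the seal. The function names, the sample records and the demo key are all assumptions made for this sketch.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): in practice the sealing key would sit in
# an HSM or the seal would come from an external time-stamping service.
SEAL_KEY = b"constructed-demo-key"

def _seal(core, stamped_at, prev_seal):
    """HMAC over the core data, its time stamp and the previous record's seal."""
    payload = json.dumps(
        {"core": core, "stamped_at": stamped_at, "prev": prev_seal},
        sort_keys=True,
    ).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()

def append_record(log, core, stamped_at, metadata=None):
    """Append a sealed record; metadata is stored but deliberately left unsealed."""
    prev = log[-1]["seal"] if log else ""
    record = {"core": core, "stamped_at": stamped_at, "prev": prev,
              "metadata": dict(metadata or {}),
              "seal": _seal(core, stamped_at, prev)}
    log.append(record)
    return record

def verify_log(log):
    """Return the index of the first record that fails verification, or -1."""
    prev = ""
    for i, rec in enumerate(log):
        expected = _seal(rec["core"], rec["stamped_at"], prev)
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["seal"]):
            return i
        prev = rec["seal"]
    return -1

def build_sample_log():
    """Two constructed trade records, used only for illustration."""
    log = []
    append_record(log, {"doc": "bill-of-lading", "consignee": "Example Importer"},
                  "2003-10-22T09:00:00Z", {"index_terms": ["scanned"]})
    append_record(log, {"doc": "customs-entry", "value_aud": 12500},
                  "2003-10-22T09:05:00Z", {"index_terms": []})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    log[0]["metadata"]["index_terms"].append("reviewed")  # allowed: metadata only
    print("intact:", verify_log(log) == -1)
    log[1]["core"]["value_aud"] = 125                     # core data altered
    print("first failing record:", verify_log(log))
```

Because each seal covers the previous one, deleting or reordering records is detected as well as edits to core data or time stamps.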

Solutions to Authentication
PKI is a robust but higher cost solution to providing authentication, confidentiality and integrity in electronic communications
ACS Cargo Management Reengineering using PKI
CEOs IT Determination
Client Registration Agreement
Certification Services Agreement with Certification Authority

Solutions to Authentication (cont)
Range of Gatekeeper evaluated Certificate Policies and Certificate Practice statements
Licence of Secure EDI messaging software
Bolero is based on messages using PKI
Identrus (60+ of the world's largest banks) have a PKI solution that can be used for trade contracts and payments
ANZ's Identrus solution recognised by Gatekeeper

PKI Issues
PKI key pairs provide sender authentication, message integrity and encryption (passwords don't offer the last two)
Strong solution to these issues for insecure comms networks, eg. Internet
But requires CA/RA infrastructure and management or outsourcing of these

PKI Issues (cont)
Involves Gatekeeper regulation by NOIE
End user insecure platforms for key storage a problem
Value of a certificate for non-repudiation is a function of transactional context:
EOI standards
certificate validity checking and revocation service levels
Liability / risk allocation between agency, CA / RA and client - a network of contracts and NOIE's liability policy

[Diagram: network of contracts and statute linking the Authentication Technology/Service Provider (eg. CA), Agency, Service Provider #2 (eg. BAF), IT Service Provider, Regulator (eg. NOIE) and Clients]

International Cross-Recognition of PKI Domains
The issue
Free Trade Agreements
Australia - Taiwan discussions

International Cross-Recognition of PKI Domains (cont)
[Diagram: Australia CA and USA CA, each shown with a certificate and with Key Generation, C/T Practices and Liability Arrangements]

International Cross-Recognition of PKI Domains (cont)
Requires one or more of:
International PKI structure (e.g. Bolero, Identrus) - may need domestic government approval in some countries
Private sector agreements or MOUs - CA to CA
Government to Government MOUs for regulator cross-recognition

International Trade in Digital Goods
Internet enables import / export without intermediation or inspection e.g. software, music, video, books, pictures
Business importers need to declare and pay withholding tax in order to deduct costs of inputs
Consumers - no such incentive to declare
Currently, no cost-effective way to track consumer imports or impose duty / GST or monitor copyright infringing works at the digital "border"

Trader
Agents (Forwarders)
Carriers
Finance (letter of Credit/Documentary Collection)
Customs at the border
Trade Facilitation CMR, MOUs re supply chain
Advance Cargo Information and Mutual Assessment
Single Window

Certification Authorities (CA) provide certificates which certify that a particular public key is owned by an identified person or entity
The CA or RA (Registration Authority) will verify the identity of the person and their ownership of the public key before issuing the certificate to the person
The certificate is digitally signed by the CA

Notes
Note network of contracts
Need for compatibility with statute/regulation
Need for interoperation of providers and IT service provider
Risk prevention by technical and operational means - reflect these requirements in system design and contracts/regulation
Risk mitigation by system design and contracts (eg. transaction limits, 3 failed attempts - lock out)
Risk transfer by contracts with providers and clients subject to regulation. Liability allocation is often a difficult issue to negotiate but very important