Nature of Lawful Access in Electronic Commerce
Lawful access under the Electronic Commerce Act is the legal authority to reach, view, use, retrieve, decrypt, copy, authenticate, or otherwise deal with an electronic data message, electronic document, electronic signature, electronic key, or related file. It is not created by technical ability alone, because a person may be able to open a device, enter a system, intercept a message, or copy a file while having no legal right to do so.
The rule is anchored on control over digital information. Electronic records may be duplicated instantly, stored remotely, encrypted, routed through intermediaries, and accessed by system administrators without the knowledge of the person to whom the information legally belongs. For that reason, the law distinguishes between physical or technical access and legally justified access.
The lawful-access rule is closely connected with Section 32 on confidentiality. Once access is obtained under a lawful ground, the person who gained access does not acquire a free right to disclose, exploit, alter, or circulate the information. Authority to access is limited by the right that justified the access and by the purpose for which access was allowed.
Legal Right to Possession or Use
Access must be in favor of a person or entity having a legal right to possess or use the plaintext, electronic signature, or file. The controlling inquiry is not who can technically reach the data, but who has a recognized legal interest in the data or in the act to be performed with it.
A legal right may arise from ownership, agency, contract, consent, fiduciary authority, employment rules, corporate authorization, regulatory power, lawful investigation, court order, or another source recognized by law. The right must relate to the specific electronic information or credential being accessed, not merely to the device, account, server, or platform where the information is stored.
The reference to plaintext is important in encrypted communications. Plaintext is the intelligible form of data after decryption. A person may have custody of ciphertext, backups, or transmitted packets without having the legal right to obtain or use the readable content. Lawful access to the file does not automatically include authority to compel or use the key if the requester has no legal right to the underlying information.
The same principle applies to electronic signatures and electronic keys. An electronic signature is legally significant because it identifies a person, indicates approval, or authenticates a transaction. A key, password, token, certificate, biometric template, or other signature-creation data is more than a tool of access; it is a means by which legal acts may be attributed to a person. Unauthorized access to it threatens identity, consent, integrity, and non-repudiation.
Purpose Limitation
Lawful access must be exercised solely for authorized purposes. A person who is allowed to access a file for maintenance, audit, litigation, regulatory review, payment verification, cybersecurity response, or contract performance may not use the same access for personal curiosity, commercial advantage, harassment, unauthorized surveillance, or unrelated investigation.
Purpose limitation has two effects. First, it narrows the scope of access to the data reasonably necessary for the authorized purpose. Second, it turns a later misuse into an unlawful act even if the initial entry into the system was permitted. A system administrator, for example, may have authority to preserve network security but not to read private content unrelated to the security incident.
Authorized access is therefore measured by identity, object, and purpose. The authorized person must be the person entitled to access; the object must be the particular data, document, signature, key, or file covered by the right; and the use must remain within the purpose that the law, order, consent, contract, or duty permits.
| Source of authority | Permitted access | Continuing limit |
|---|---|---|
| Consent of the data owner, account holder, principal, or authorized user | Access within the scope, duration, and purpose of the consent | Consent cannot justify access to information the consenting person has no authority to disclose |
| Contract or employment authority | Access needed to perform assigned functions, protect business systems, or enforce agreed policies | Technical custody of a device or system does not eliminate privacy and confidentiality limits |
| Court order or compulsory legal process | Access to the specific data or credential directed by the order | The order must be obeyed according to its terms and cannot be expanded by the recipient |
| Regulatory or public authority | Access allowed by the enabling law and official function | Information obtained remains subject to secrecy, privacy, and official-use restrictions |
| Cybersecurity, maintenance, or network operations | Access necessary to keep systems functioning, secure, and compliant | Operational access does not create a right to read, copy, or disclose content unrelated to the task |
Obligation of Confidentiality Under Section 32
Section 32 imposes confidentiality as the legal consequence of obtaining access to electronic information or credentials. A person who gains access by reason of law, contract, office, employment, technical function, or authorized process must keep confidential the information, document, message, signature, key, or file accessed.
Confidentiality covers both content and access-enabling material. The content includes the electronic data message, electronic document, record, correspondence, transaction detail, account information, metadata when it reveals protected facts, and other information obtained from the file. Access-enabling material includes passwords, private keys, tokens, certificates, authentication codes, recovery phrases, and other means used to identify a person or preserve integrity.
The duty is not limited to the person who first opened the file. It extends to officers, employees, agents, contractors, service providers, experts, custodians, auditors, and other persons who obtain knowledge because of authorized access. The obligation follows the information, because the harm addressed by the rule is unauthorized use or disclosure after access has already been obtained.
Confidentiality means that the person with access must not reveal, transmit, publish, sell, trade, alter for unauthorized use, allow unauthorized inspection of, or otherwise make the information available to persons who have no legal right to receive it. It also requires reasonable safeguards against accidental disclosure, because negligent exposure can defeat the protection as effectively as intentional disclosure.
Lawful Access Does Not Mean Ownership of the Information
Access is often functional rather than proprietary. A courier of electronic communications, cloud host, payment processor, network service provider, records custodian, or platform administrator may control infrastructure through which information passes. That role may justify processing, routing, storing, filtering for malware, or preserving logs, but it does not make the intermediary the owner of the user's content.
The same is true in corporate and professional settings. A lawyer, accountant, broker, bank officer, compliance officer, or employee may receive electronic documents in the course of work. The documents may be necessary for service, review, or reporting, but the recipient remains bound by the purpose of the relationship and by confidentiality duties imposed by law, contract, office, or professional responsibility.
Because electronic information can be copied without depriving the owner of the original, unlawful access may be less visible than physical theft. The legal injury lies in the unauthorized intrusion, copying, use, disclosure, or impairment of integrity, not merely in the loss of possession.
Court Orders, Legal Requests, and Consent
Confidentiality is not an absolute shield against lawful compulsion. Electronic records, accounts, devices, keys, or files may be reached through a valid court order, warrant, subpoena, discovery directive, regulatory demand, or other process authorized by law. The demand must be grounded on legal authority and must identify with sufficient clarity the information or access required.
A custodian who receives a lawful order should disclose only what the order requires. Production of a document does not authorize disclosure of unrelated communications in the same account. Access to transaction logs does not automatically authorize release of message content. Authority to verify an electronic signature does not necessarily authorize use of the signatory's private signing credentials.
Consent is also a recognized basis for access, but consent must be tied to the person who can lawfully give it and to the purpose for which it is given. Consent by one user may authorize inspection of shared records within that user's authority, but it does not necessarily waive the rights of other users, principals, clients, customers, or correspondents whose information appears in the same electronic environment.
Connection With Privacy and Data Protection
Lawful access under the Electronic Commerce Act operates alongside the constitutional protection of privacy of communication and correspondence, the rule against unreasonable searches and seizures, the Data Privacy Act, cybercrime legislation, and the rules on electronic evidence. These related regimes do not replace Section 32; they help determine whether access is authorized, proportionate, secure, and usable in proceedings.
Where personal information is involved, access must have a legitimate purpose and must be proportionate to that purpose. Even a person with authority to process data must limit collection, viewing, retention, sharing, and disposal to what is necessary. Confidentiality under Section 32 therefore reinforces the privacy principles of purpose, proportionality, security, and accountability.
In government and law-enforcement contexts, digital access must observe the same basic limits that govern state intrusion into private affairs. A general desire to inspect a device, account, server, or database is not equivalent to authority to search all its contents. The digital character of the record does not dilute the need for lawful basis, particularity, relevance, and respect for privileged or confidential matter.
Effect on Electronic Evidence
Lawful access is relevant to authenticity, integrity, chain of custody, and admissibility. Electronic evidence is not strengthened merely by printing it or by showing that it came from a device. The proponent must be able to explain how the record was obtained, preserved, and connected to the person or transaction involved.
Unauthorized access may weaken or defeat the evidentiary value of electronic records. If a file, message, or signature was obtained through intrusion, misuse of credentials, or breach of confidentiality, the opposing party may question its admissibility, reliability, integrity, and provenance. If state action is involved, constitutional exclusionary principles may also become relevant.
Lawful access also protects the probative value of electronic signatures. A signature attributed to a person depends on the integrity of the method used to create or verify it. If a private key, password, token, or certificate was compromised through unauthorized disclosure, the evidentiary link between the electronic signature and the alleged signatory becomes weaker.
Consequences of Breach
A breach may occur through unauthorized access, excessive access, disclosure beyond the authorized recipient, use for an unauthorized purpose, failure to safeguard credentials, alteration of electronic records, or knowing reliance on improperly obtained information. The breach may give rise to civil liability, contractual liability, administrative sanctions, professional discipline, exclusion or reduced weight of evidence, and criminal liability when the facts satisfy penal provisions on unauthorized access, interference, identity misuse, data misuse, or related offenses.
The person who discloses protected electronic information cannot defend the disclosure merely by showing that the information was already technically accessible. The decisive question is whether the person had legal authority to disclose it to that recipient for that purpose. The same rule applies to forwarding screenshots, exporting databases, sharing private keys, using another person's login, or publishing electronic records obtained through an authorized role.
For institutions, breach of Section 32 is also a governance failure. Organizations that handle electronic documents, signatures, and keys must adopt access controls, authentication rules, audit trails, confidentiality undertakings, segregation of duties, retention limits, incident-response procedures, and secure disposal methods. These controls are practical expressions of the legal duty to limit access and preserve confidentiality.
Operational Rules to Remember
- Lawful access requires legal authority, not mere technical ability.
- The right must relate to the specific plaintext, electronic signature, electronic key, file, document, or message accessed.
- Access must be confined to the authorized purpose, and use beyond that purpose is unauthorized.
- Confidentiality attaches after lawful access and binds every person who obtains the information through the authorized channel.
- Electronic keys and signature-creation data require special protection because their misuse can falsely attribute identity, consent, and legal effect.
- Intermediaries and system operators may have operational access without ownership of content or freedom to disclose it.
- Court orders and legal processes can require access or production, but disclosure must remain limited to what the process authorizes.
- Privacy, data protection, cybersecurity, and evidentiary rules shape the legality, scope, safeguards, and consequences of access.