A New Regulatory Framework for Indonesia’s E-Commerce Sector: Licensing Requirement and Threshold of Foreign E-commerce Business

Recognizing the rapid development of e-commerce sector in Indonesia, the Indonesian Government issued the Government Regulation No. 80 of 2019 on Trading through Electronic System (“GR 80/2019”) on November 20, 2019, with the intention to improve the governance of e-commerce sector. GR 80/2019 regulates broad aspects of the e-commerce business in Indonesia -- from general requirement of e-commerce, operational aspect of the e-commerce players, contract processing, to protection of personal data. Please see our brief overview on GR 80/2019 here.

To further implement certain provisions referred in the GR 80/2019, on May 19, 2020, the Ministry of Trade (MoT) subsequently issued Regulation No. 50 of 2020 on Business Licensing, Advertisement, Development, and Supervision of Business Actors in Trading through Electronic System (“MoT 50/2020”). This regulation will become effective 6 (six) months after its promulgation date (i.e., by November 2020).

MoT 50/2020 sets forth further clarification relating to (i) the threshold of foreign e-commerce business to be deemed to have presence in Indonesia, (ii) requirement to have Indonesian representative, and (iii) general licensing requirement for e-commerce business, previously more generally regulated under GR 80/2019.

Below we highlight some notable provisions under GR 80/2019 and MoT 50/2020 (both GR 80/2019 and MoT 50/2020 hereinafter shall be jointly referred as the “E-Commerce Regulation”).

  • Broad Scope of “Trading”

Based on the E-Commerce Regulation, the term “trading” is defined broadly so as to cover both the offering of goods and services. Furthermore, Trading through Electronic System (“PMSE”) is also defined broadly as it covers any Trading activity in which the transaction is carried out through electronic system.

  • E-Commerce Players, according to Indonesian E-Commerce Regulatory Regime

The E-Commerce Regulation covers all players involved within an e-commerce trading ecosystem offering their goods or services to the Indonesian territory.

  1. Merchant includes any party who sells product or offers services through electronic system -- unless they offer the goods and/or services temporarily and non-commercially. This term also covers merchant offering its goods/services regularly through social media platforms which provide PMSE facility.
  2. Platform providers (“PPMSE”) are e-commerce players which provide a platform to facilitate the electronic communication/transaction used in PMSE. PPMSE, in this regard, includes a broad range of platform providers with the following models (non-exhaustive list): (i) merchant’s own e-commerce platform; (ii) online marketplace; (iii) online classified advertisements; (iv) price comparison platform; (v) daily deals.
  3. Intermediary Service Provider (“PSP”) covers those who facilitate electronic communication (except telecommunication operator). PSP merely serves as an intermediary, which includes the like of search engine, hosting or caching provider.
  • “Deemed Presence” and Indonesian Representative Requirement for Foreign E-Commerce Platform Providers

GR 80/2019 introduced a “Deemed Presence” concept to regulate and supervise foreign PPMSE’s activities in Indonesia. Article 7 of GR 80/2019 stipulates that any foreign PPMSE which actively offers and/or carries out PMSE to customers within the Indonesian jurisdiction, which has met certain criteria, shall be deemed to have a physical presence in Indonesia. MoT 50/2020 then complements the foregoing provision by giving a much-needed elaboration on the criteria to determine foreign PPMSE’s “deemed presence”, which are as follows:

  1. the foreign PPMSE has concluded transactions with more than 1,000 (one thousand) customers within the Indonesian jurisdiction within a period of 1 (one) year; and/or
  2. the foreign PPMSE has delivered more than 1,000 (one thousand) packages to customers within the Indonesian jurisdiction within a period of 1 (one) year.

Any foreign PPMSE meeting such criteria, consequently, is required to appoint a representative in Indonesia. In this regard, such representative shall be in the form of a Foreign Trade Company Representative Office for PMSE, called “KP3A PMSE”.

  • Licensing Requirements

Please see below the summary of licensing requirements for each E-Commerce players as identified by the E-Commerce Regulations:

Licensing Requirement Remarks
Domestic Merchant 1.      Trading Business License (SIUP); or

2.      Sector-specific business license (if relevant).

 If a Domestic Merchant only carries out business activity of retail through media or internet (online), then, its SIUP shall accommodate KBLI Business code 4791.
Foreign Merchant No licensing requirement. Obliged to submit its registered business license (issued by its country of origin) to the Domestic PPMSE where such Foreign Merchant offers its goods/services to Indonesian jurisdiction.
Domestic PPMSE PMSE Trading Business License (SIUPMSE). This license is also applicable to Domestic Merchant which carries out its PMSE through its own platform, under Article 8 paragraph (2) of MoT 50/2020.
Foreign PPMSE Trading Business License of Foreign Trade Representative Office for PMSE (SIUP3A PMSE), if the foreign PPMSE is deemed to have presence within Indonesian jurisdiction. This license is also applicable to Foreign Merchant which carries out its PMSE through its own platform since it is also considered as PPMSE business model.
PSP SIUPMSE, where a PSP is:

-         a beneficiary party to the PMSE transaction; or

-         directly involved in the contractual relation between parties conducting PMSE.

 Applicable to both domestic and foreign PSP.

All license applications shall be submitted through Online Single Submission (OSS) System by attaching the required documents, as provided in MoT 50/2020.

***

June 29, 2020

Copyright © 2020 AKSET. All rights reserved.

by Adho Fadillah Putera

Supervision of Food and Drugs Distributed Online

The National Agency of Drug and Food Control (Badan Pengawas Obat dan Makanan or “BPOM”) issued its Regulation No. 8 of 2020 dated April 7, 2020 on the Supervision of Drugs and Food Distributed Online (“BPOM Reg. 8/2020”) as an implementing regulation as referred to in Article 35 paragraph (3) of Government Regulation No. 71 of 2019 dated October 10, 2019 on the Organization of Electronic Systems and Transactions.

As mandated under Presidential Regulation No. 80 of 2017 dated August 9, 2017, on the National Agency of Drug and Food Control (BPOM), BPOM is authorized to supervise food and drugs in Indonesia. Through tthe BPOM Reg. 8/2020, BPOM intends to protect consumers from the risk of unsafe food and drugs that may be available in the online market.

Previously, on October 17, 2019, BPOM signed a Memorandum of Understanding (MoU) with the Indonesian E-Commerce Association (idEA) and several online marketplace platforms (Bukalapak, Tokopedia, Gojek, Grab, Klikdokter, and Halodoc) to cooperate in the supervision, delivery, and marketing of food and drugs. BPOM Reg. 8/2020 is the first regulation to provide comprehensive provisions on the supervision of food and drugs that are accessible online.

Pertinent provisions in the BPOM Reg. 8/2020 are as set forth below.

  • Online Distribution of Food and Drugs

BPOM requires that all drugs, traditional medicines, health supplements, cosmetics, processed foods (except (i) ready-to-serve foodstuffs; and (ii) foodstuffs that are to be used as raw materials by business actors which are not sold directly to end consumers) and processed food for special medical purposes (pangan olahan untuk keperluan medis khusus or PKMK) that are distributed online to obtain distribution licenses and to meet the proper manufacturing methods. A more elaborate information regarding the online distribution of these products is stated in the following table.

Allowed Products Sellers Buyers Means of Distribution Obligations
1.     Drugs, including:

a.      Over-the-counter (“OTC”) drugs (obat bebas);

b.      Limited OTC drugs (obat bebas terbatas); and

c.      Prescription drugs (obat keras).

 Pharmacies or pharmacies in collaboration with other legal entities. Patients Electronic systems owned by pharmacies and/or provided by the Pharmacy’s Electronic System Provider (“PSEF”).

It is to be noted that the data retention requirement of all drug transactions online is at least 5 (five) years.

 Business actors carrying out drug distribution activities online must:

1.    Guarantee that the electronic systems utilized meet certain criteria, i.e., provision of electronic data backup system, accessible by BPOM at any time, and information that users must submit original prescriptions prior to drug purchase;

2.    Conduct supervision and evaluation of all drug distribution; and

3.    Submit regular reports which include several information, i.e., list of drugs distributed online, names of PSEF, and transaction data.
2.     PKMK Pharmacies Business actors carrying out PKMK distribution activities online must:

1.      Guarantee that the electronic systems utilized meet certain criteria, i.e., provision of electronic data backup system, accessible by BPOM at any time, and information that users must submit original prescriptions prior to drug purchase; and

2.      Conduct supervision and evaluation of all drug distribution.
3.     Traditional medicines, health supplements and/or cosmetics Business actors or business actors in collaboration with other legal entities. Consumers Electronic systems owned and operated by sellers and/or provided by any Electronic System Provider (an “ESP”).

 

 Business actors carrying out the online distribution of traditional medicines, health supplements and/or cosmetics must:

1.      Guarantee that the electronic systems utilized meet certain criteria, i.e., accessibility of certain information and provision of mechanism for the recordation of distribution;

2.      Guarantee that the condition of the traditional medicines, health supplements and/or cosmetics up to the delivery;

3.      Deliver the traditional medicines, health supplements and/or cosmetics in a closed container;

4.      Guarantee that the traditional medicines, health supplements and/or cosmetics is delivered to the designated address;and

5.      Document the handover of the products.

 
4.     Processed Food Business actors carrying out processed food distribution activities online must:

1.      Provide certain information, i.e., name and address of the seller and other relevant data;

2.      Guarantee that the condition of the processed food up to the delivery;

3.      Deliver the processed food in a closed container; and

4.      Maintain the condition of the delivery in accordance with the characteristics of the product.

 

  • BPOM Supervision and Guidance

BPOM supervises the online distribution of food and drugs by carrying out inspection of the products as well as the online advertisements and examination of related means or means that are suspected to be conducting distribution activities of food and drugs online.

BPOM also provides guidance to business actors that distribute food and drugs online through communication, information, and education, and/or assistance in order to fulfill the standards and requirements of the relevant products distributed. In addition, BPOM provides guidance to consumers through communication, information, and education, and/or the formation of food safety facilitator.

  • Prohibited Products

BPOM prohibits several food, drugs, and cosmetics from being distributed online, as set forth in the table below.

Prohibited Products Classifications
1. Drugs a.      Certain prescription drugs (obat keras tertentu or OKT);

b.      Drugs that contain pharmaceutical precursor;

c.      Drugs for erectile dysfunction;

d.      Injections other than insulin for personal use;

e.      Implants which use requires the assistance of health workers; and

f.       Narcotic drugs and psychotropic substances.
2. Cosmetics a.      Skin care products that contain alpha-hydroxy acids (AHA) greater than 10% (ten percent); and

b.      Teeth whitening products that contain hydrogen peroxide greater than 6% (six percent).
3. Alcohol

Further, BPOM prohibits the promotion and marketing of drugs and the distribution of drugs and PKMK through social media, daily deals, and classified ads.

  • Imposition of Sanction

Business actors that violate BPOM Reg. 8/2020 may be subject to administrative sanctions in the form of warnings, recommendations to close or restrict the relevant electronic systems, recommendations to revoke pharmaceutical service facility licenses, temporary prohibition of distribution, and/or order to recall relevant food and drugs.

 

***

June 5, 2020

Copyright © 2020 AKSET. All rights reserved.

by Adho Fadillah Putera

E-Signature in the COVID-19 Crisis: Adapting to the (Not So) New Normal

As the COVID-19 pandemic forces people to adopt homeworking and physical distancing, digital transformation is no longer a mere option. In the past few months, we have witnessed how most businesses have departed from the traditional in-person meetings to virtual meetings, working through online collaborations, and hosting seminars and forums through digital means.

The signing of legal, commercial, and transactional documents is no exception. While gathering all relevant parties in the same room for signing is unfeasible, it is also considered out of fashion and impractical to rely on delayed postal service to circulate hard copy originals to obtain a wet ink signature. Therefore, one of the ways to overcome this issue is for businesses, governmental agencies, and legal practitioners to adapt by transforming or replacing the conventional use of wet ink signature with technology having similar legal robustness to the traditional signing mechanism, while still ensuring that legal documents are executed properly and in a timely manner.

This is where e-signature presents a welcome solution to the challenges of being bound to work from home, which certainly will remain part of our (not so) new normal lives.

Although regulations governing implementation e-signature have been in effect for several years, until the beginning of the pandemic, the use of e-signature is still not commonly adopted in our day-to-day course of business. Now, with a drastic shift to a remote working environment, the use of e-signatures provides a way to enhance efficiency and simplify work. But what is an e-signature and how legitimate is it? Are we to embrace the use of e-signature in every legal document and business transaction?

We have compiled below frequent questions commonly arising on the implementation of e-signature in Indonesia.

  • What is the difference between e-signature and the traditional handwritten (wet ink) signature? Will e-signature be legally binding?

E-signature is generally regulated under Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transaction (the “EIT Law”) and Government Regulation No. 71 of 2019 on the Implementation of Electronic System and Transaction (“GR 71/2019”).

E-signature is defined as Electronic Information which is attached, associated, or related to another electronic information utilized as a means of verification and authentication. The current prevailing regulation recognizes various forms of e-signature, from electronically scanned signature, electronic handwriting font in the execution block or using a certified e-signature platform.

Despite its form, e-signature has the same legal standing as regular manual wet ink signature, provided that (i) e-signature data is related only to the signatory party; (ii) e-signature data is under the control of the signatory party during the signature process; (iii) all changes towards the e-signature occurred after the signing can be traced; (iv) all changes towards electronic information related to the e-signature occurred after the signing can be traced; (v) there are means to identify the signatory party; and (vi) there are means to demonstrate that the signatory party has consented to the relevant electronic information.

If all the conditions presented are met, e-signature is legally binding and has the same legal standing as regular manual wet ink signature, with its legal force and legal consequences.

  • What types of e-signature are governed under Indonesian Law?

There are two types of e-signature, namely certified and non-certified e-signatures.

Certified e-signature is an e-signature through a process of unique code generation as generated and certified by an Indonesian electronic certification provider. E-signature certification system can detect any change to the document, assuring both the validity of the signature as well as the integrity of the document.

Meanwhile, non-certified e-signature is rendered without using the services of any Indonesian electronic certification provider. This category includes digitalized version of a wet ink signature (e.g. through scanning process).

Both types of e-signatures are valid and legally binding. However, certified e-signature has stronger legal enforceability in the eye of the Indonesian court, compared to a non-certified e-signature.

  • Is it admissible in legal proceedings?

Yes, e-signature is admissible in legal proceeding. In fact, pursuant to Article 59 (3) GR 71/2019 in conjunction with Article 11 of the EIT Law, a document signed with a certified e-signature has valid legal force and legal consequences– equivalent to an authentic deed – when submitted as an evidence before a court. Meanwhile, submission of documents signed with non-certified e-signature as an evidence will require an authentication process through digital forensic examination. Once examined, the result will be conveyed in a forensic report and a digital forensic expert may also be called before the court to explain the result of the examination. Nonetheless, both types of e-signature are legally recognized by Indonesian courts.

As per July 2018, the Indonesian Supreme Court has also launched an e-Court application as an implementation of the Supreme Court Regulation No. 3 of 2018 on the Case Administrative Guidelines at Electronic Courts enacted in April 2018. The e-Court application accommodates parties to do e-Filing, e-Payment, e-Summons, and e-Litigation electronically. The Supreme Court has also collaborated with the Electronic Certification Agency (Balai Sertifikasi Elektronik – BsrE) of the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara – BSSN) to secure the legality of the  documents used in the proceedings, including in providing e-signature services.

  • What documents can be signed electronically?

In general, any document can be signed electronically, and the signature will be deemed valid if it fulfills certain legal requirements. However, the foregoing may not apply in certain cases where certain formal requirements are needed. Pursuant to the provision of Article 5 (4) of the EIT Law, generally there are 2 (two) types of document that cannot be executed electronically, as follows:

  1. documents that, by law, should be made in a written form (hardcopy), for instance, commercial papers, marriage and birth certificates, etc.; and
  2. documents that, by law, shall be made in the form of notarial deed or by deed-granting officials, for instance, company’s acquisition deed or pledge of shares deed – both of which are required to be made in the form of notarial deed.
  • If the other party is from a different jurisdiction, can they sign electronically?

In general, if a document is not subject to any specific regulatory requirements, it is possible for a party from another jurisdiction to sign such document electronically. Please note, even if the e-signature is generated by a foreign certified e-signature provider, it will still be recognized in Indonesia as “uncertified e-signature”.  An e-signature will only be considered as a “certified e-signature” under Indonesian law if it is certified by an Indonesian electronic certification provider by using a certified e-signature producing device. However, the lack of certification thereof does not affect the validity of the e-signature itself.

One important note, e-signature may not be applicable for document that needs to be notarized and consularized in foreign countries.

  • Would a legal document governed under a foreign jurisdiction be valid if it is electronically signed using an Indonesian e-signature provider?

It varies over different jurisdictions. The validity of e-signature on legal document will depend on the laws and regulation respective to e-signature applicable in the relevant jurisdiction.

In Indonesia, for instance, while all e-signatures are legally valid, an e-signature will only be considered as a “certified e-signature” if it is particularly certified by an Indonesian certification company. On the other hand, in the United States, this will depend on the laws of each state. To the best of our knowledge, while some state laws in the United States acknowledge the validity of any type of e-signature, others require some form of security, and some will only acknowledge the validity of e-signature that uses encryption, depending on the types of transactions covered.

  • Is express language by the parties that consents to electronic transacting and acknowledges intent for the electronic signature to be binding necessary for the e-signature to be valid?

There is nothing in the current prevailing Indonesian laws and regulations that requires party to expressly state their intent to be bound by the provisions contained in a document signed electronically. The stipulation of Article 11 of the EIT Law is deemed to have provided sufficient ground for such e-signature to have the same legal force and consequences as wet ink signature and therefore will equally bind the parties in the transaction, regardless the existence of specific language in the document expressing the parties’ consent to be bound by the e-signature.

  • How does e-signature affect the meterai (stamp duty) requirement for certain legal documents?

E-signature can co-exist with meterai requirement. In essence, the obligation to affix meterai is related to a tax obligation, as opposed to the validity of such document. The signature in the document will still be legally enforceable and valid as long as it fulfills the requirement set forth by EIT Law and GR 71/2019. One may affix the meterai at a later stage in case the document is going to be submitted as an evidence in a court proceeding (Nazegeling).

The above, however, only applies when there is no formal procedure which requires affixation of meterai to conclude the document – for instance, submission of statement letter/document for certain license/application purposes.

  • The rise of e-signature certification amidst the COVID-19 pandemic

We have witnessed the pandemic to have served as a wake-up call for government and businesses to embrace digital transformation in carrying out their activities. It has brought a drastic shift to our way of doing business and we are seeing such changes becoming the “new normal”. We have seen various business associations pleading regulatory agencies to adopt e-signature, and in response, more initiatives have been launched by several governmental institutions to embrace the use of e-signature to minimize disruption in the course of business during the pandemic.  The Financial Services Authority (Otoritas Jasa Keuangan – OJK), for instance, now allows e-signature to replace wet ink signature on insurance products. We are hopeful that the current situation will encourage more and more parties, from lawmakers to business players, to adopt the use of e-signatures.

The following is the list of current certified e-signature providers in Indonesia registered with the Ministry of Communication and Informatics:

  1. Digisign – PT Solusi Net Internusa (certified);
  2. PrivyID – PT Privy Identitas Digital (certified);
  3. Perusahaan Umum Percetakan Uang Republik Indonesia (Peruri) (certified);
  4. VIDA – PT Indonesia Digital Identity (certified);
  5. BSrE BSSN (registered);
  6. Badan Pengkajian dan Penerapan Teknologi (BPPT) (registered).

 

***

May 29, 2020

Copyright © 2020 AKSET. All rights reserved.

by Adho Fadillah Putera

Personal Data Protection and Privacy: Indonesian Government Turns to Technology to Help Stop the COVID-19 Outbreak

As the number of COVID-19 cases keeps growing, many governments around the world turn to technology to press down the spread of the virus. These technologies serve various purposes, from digital health services to online community management.

The Indonesian government has also been using technology as part of the effort to fight COVID-19. For instance, the Executive Office of the President of Indonesia developed “10 Rumah Aman” Application as a tool to manage the public to stay at home or the modification of “Lancang Kuning Nusantara” Application by the Regional Police of Riau, which previously used to track wildfires and is now altered to track assistance distribution for people affected by COVID-19.

Another use of technology by governments to flatten the COVID-19 curve is the development of a digital contact tracing application. China and Singapore are two of the first countries to launch these contact tracing applications using big data on the movement of people by way of Bluetooth signal to trace if someone has been in close contact within the last 14 (fourteen) days with someone contracted by or suspected to have the COVID-19 virus. Not only the governments, Apple and Google as tech giants are also designing a similar tracking system for their mobile devices.

Learning from other jurisdictions’ experience that has successfully launched digital tracking application, the Indonesian government has recently launched a digital contact tracing application called PeduliLindungi.

  • How Digital Contact Tracing Application Works

In general, digital contact tracing applications will only work between users who have installed the application on their mobile phone. The application generally utilizes proximity data using Bluetooth technology. It often uses a randomly generated ID based on the device information as well as the registered name and active phone number (“Device ID”). If a user has been in close contact with COVID-19 patients or patients suspected to have the virus, the application will notify the user. Some applications will forward the information of the COVID-19 patients to health officials.

In collecting and processing the data, there are 2 (two) common models of digital contact tracing applications as follows:

  1. Centralized models. This model attempts to collect and centralize data by generating and keeping track of the users’ identifiers to construct the contact graph of a user in case they are infected. The generation of identifiers and generation of contact graphs are done on a server which will be controlled by the responsible institution(s). Thus, in the event that someone is tested positive for COVID-19, the application will upload the contact history log of such user, in which the authorized party would be able to match the identifiers with user records and contact people who had been in close contact with the patient.
  2. Decentralized models. In this model, the data will be kept on the devices as much as possible. It is aimed to strictly control data flows to avoid accumulating and collecting too much data on a centralized server. This means that a server exists but only to enable people to use their own devices to trace contacts. The server is not authorized to collect and store personal data, and it cannot use any identifiers to single out an individual, nor does it provide identifiers for users to broadcast. The key difference here is that the decentralized model will keep as much as data exclusively on the users’ device.

In some cases, a digital contact tracing application can also be equipped with a Past Movement Tracking feature. This feature collects and processes mobile location data generated by a phone’s interaction with cell towers, WiFi, Satelite, or be found in the form of metadata of call log or text log.

  • An Ideal Digital Contact Tracing Application from the Perspective of Indonesian Personal Data Protection Regime

Personal data, in essence, is any data relating to an identified or identifiable natural person – directly or indirectly.

Digital contact tracing application often uses the Device ID, in which it relates to one particular user as it was generated from the submitted name and active phone number. In addition, in the event that the application provides a past movement tracking feature or other feature with similar nature, the application will also collect and process mobile location data – which in itself relates to the users’ registered phone number as well as their location.

As digital contact tracing application uses and processes personal data, its operation shall comply and adhere to the personal data protection regime.

The utilization of a digital contact-tracing application to stop the spread of COVID-19 ideally should still consider and implement the following points:

  1. Use the safest and most appropriate model of digital contact tracing application by considering the prevailing data protection regulatory framework.
  • The centralized model can be more effective by nature, since it collects and analyzes more data centrally. However, in order for this model to safely secure the personal data, it would require a more matured and developed data protection regulatory framework to safeguard the security of the personal data – including its enforceability. This is in particular due to the high risk of unwanted misuse of data or even unlawful external breach when all of the data are pooled in a centralized server.
  • The decentralized model may be the safest approach for the protection of users’ personal data – from a technical standpoint. Using this model, there is no entity that can access a centralized/pooled personal data since the model will keep as much data on the users’ device as possible. This model, in a way, has built-in technical measures within the design of the application to safeguard the users’ data. In addition, it will also help to ensure that any collected data cannot be used for purposes other than to trace and track the spread of COVID-19.
  1. Comply with the rules and principles of the prevailing personal data protection regulatory framework. The following are several key provisions that must be taken into account when it comes to personal data processing activities:
  • Use the appropriate and available lawful grounds, e.g., consent, public interest, legitimate interest, or other grounds as provided by GR 71/2019 (lawfulness principle). Further, when using users’ consent, it must be noted that lawful consent must fulfill the criteria of unambiguous, freely given, specific, and informed.
  • Ensure that the application will only collect and process the personal data that are strictly necessary to achieve the purposes (data minimization principle).
  • Ensure that the personal data are only processed for the purposes which have been initially informed to the users (purpose limitation principle).
  • The responsible institutions must provide clear and sufficient information relating to the processing activities. For instance:
    • identify the responsible party in the operation of the application.
    • inform the purposes of processing and the scope of processing activities in a clear and sufficient manner.
    • provide sufficient detail and assurance on how the data will be adequately protected when it is shared with any third party.
    • provide a sufficient explanation and clarification on how the application actually works, e.g., whether the application strictly processes proximity data utilizing Bluetooth, or also track past movement based on mobile location data.
  • Ensure the accountability of the processing operation carried out by the application, inter alia, by keeping a record of every personal data processing activities (accountability principle).
  • Keep the collected personal data only for the necessary period of time, and store such data using the state of the art encryption technology to maintain its confidentiality. Further, since the application is dealing with sensitive information (i.e., health data), the responsible controller(s) of the data shall store it in a format which does not allow any direct identification during the retention period to prevent any unwanted leakage or misuse.
  1. Lastly, during the processing timeframe, it might also be necessary to periodically evaluate whether or not the proposed measure to use the application shall contribute to mitigate and limit the spread of COVID-19.

 

***

 

A digital contact tracing application may give an edge to the Indonesian Government in managing, preventing, and subsequently, stopping the spread of COVID-19 in Indonesia. However, while processing data plays a major role in formulating the right approach to manage the virus containment, it is paramount for the parties involved in this operation to ensure the adequacy of the protection towards individuals’ Personal Data by complying with relevant Personal Data protection rules and principles.

The assurance on complete compliance with the Personal Data protection regime will certainly help the Government to promote and urge our citizens to utilize a digital contact tracing application. The more users of the application, the more effective this application will be.

 

May 18, 2020

Copyright © 2020 AKSET. All rights reserved.

by Adho Fadillah Putera

KPPU: Law Enforcement Through Electronic Means

On April 6, 2020, the Indonesia Business Competition Supervisory Commission (Komisi Pengawasan Persaingan Usaha or “KPPU”) issued the (i) KPPU Regulation No. 1 of 2020 dated April 6, 2020 on Case Handling Electronically (“KPPU Reg. 1/2020”); and (ii) KPPU Decree No. 12/KPPU/Kep.1/IV/2020 dated April 6, 2020 on Case Handling in the event of an Emergency Disaster due to the COVID-19 Outbreak in Indonesia (“KPPU Decree 12/2020”). These two policies are issued by KPPU in relation to the Large-scale Social Restrictions (Pembatasan Sosial Berskala Besar or “PSBB Policy”) ordered by the Indonesian Government due to the COVID-19 outbreak in Indonesia.

These two policies aim to address concern over limitations for KPPU in conducting supervision and law enforcement duties due to  the issuance of  the PSBB Policy. Pursuant to KPPU Reg. 1/2020 and KPPU Decree 12/2020,  KPPU has the ability to implement supervision and law enforcement through Electronic Media. KPPU Reg. 1/2020 defines Electronic Media as all electronic interaction facilities used by KPPU, not limited to the visual teleconference and electronic mail (e-mail).

We also note that while KPPU Reg. 1/2020 is indeed issued during the COVID-19 outbreak in Indonesia, this regulation enables KPPU to further conduct its law enforcement effort through electronic means outside the context of this pandemic, which allows more efficiency in the competition law sector.

Important issue contained in KPPU Decree 12/2020 is as follows:

  • Recommencement of Law Enforcement Activities by KPPU while Prioritizing the Use of Electronic Media

The KPPU Decree 12/2020 revokes two previous decrees: KPPU Decree 10/2020 and KPPU Decree 11/2020, which were issued to suspend the law enforcement activities by KPPU from March 17 to April 6, 2020. The revocation of these two Decrees recommences all previously suspended law proceeding at KPPU upon the issuance of KPPU Decree 12/2020 on April 6, 2020.

In conjunction with the recommencement of law enforcement activities, KPPU Decree 12/2020 further mandates for law enforcement activities to prioritize the use of electronic media. While the use of electronic means is in line with the PSBB Policy for physical distancing, because the mandate under this KPPU Decree 12/2020 is only to prioritize but not migrate all law enforcement activities to electronic media, KPPU may still be able to conduct face-to-face legal proceedings.

Meanwhile, key policies contained in KPPU Reg. 1/2020 are as follows:

  • Notification Assessment and Partnership Supervision

Through KPPU Reg. 1/2020, all written notification to be submitted to KPPU may be conducted by way of Electronic Media. These notifications consist of written consultation notification, assessment, KPPU opinion, notice stipulation, as well as partnership supervision. All rules concerning these written notifications will still refer to the KPPU regulations on assessment for post-acquisition/merger notification obligation as well as regulations on partnership supervision currently in force.

  • Implementation of Legal Proceedings for Anti-Trust Matters through Electronic Media

KPPU Reg. 1/2020 further provides mechanisms to conduct legal proceedings for examination of late submission for mergers and acquisition notification requirement, examination of alleged violation of partnership agreements, and other anti-trust cases through Electronic Media. In conducting these legal proceedings, KPPU introduces Electronic Domicile, where KPPU regards an e-mail address as official domicile for parties involved in legal proceedings with KPPU. This determination of Electronic Domicile allows KPPU to send hearing summons and conduct other hearing correspondences to and using this Electronic Domicile. Further, hearings will be conducted through the Electronic Media.

Although KPPU Reg. 1/2020 does not specify the Electronic Domicile of KPPU in conducting examination of late submission for M&A notification requirement, examination for alleged violation of partnership agreement, as well as other anti-trust cases, KPPU website does provide guidance that submission of report for alleged violations to be submitted through ‘pengaduan@kppu.go.id’, while clarification and consultation to be submitted through ‘infokom@kppu.go.id’.

KPPU Reg. 1/2020 also provides that the panel of judges in a legal proceeding may render its decision through Electronic Media, and that any decision rendered using this method is legally deemed to have been read in a public hearing that is attended by the parties. After announcement of KPPU decision for a particular proceeding, KPPU may publish the copy of its decision and conduct enforcement of such decision through Electronic Media as well.

  • Issues

The KPPU Reg. 1/2020 is a highly appreciated initiative from KPPU to allow a more efficient conduct of its authorities and the process of its law enforcement activities especially during this pandemic situation. However, as in many other new systems being developed, there will be questions from both practical and theoretical aspects in performing legal proceedings through electronic means. One of them, for example, is the procedure for cross-examinations during the proceedings. For this reason, it will be crucial for KPPU at this stage to provide further guidance on the procedures as well as good communication to ease the legal enforcement process using the Electronic Media, so that the intention of the KPPU Reg. 1/2020 can be well delivered.

 

***

 

April 15, 2020

Copyright © 2020 AKSET. All rights reserved.

by Adho Fadillah Putera

KSEI Introduces the Requirements and Mechanism of E-Proxy for E-GMS

On March 26, 2020, the Indonesian Financial Service Authority (“OJK”) has issued Circular Letter No. S-92/D.04/2020 dated March 18, 2020 on the Relaxation on the Report Obligation and the Implementation of General Meeting of Shareholders (“GMS”) (such letter, “OJK Letter 92/2020”) which governs, among others, the implementation of the electronic GMS (“e-GMS”). We have previously discussed such letter in our previous newsflash on OJK Letter 92/2020.

As a follow up to OJK Letter 92/2020, on April 3, 2020, the Indonesia Central Securities Depository (Kustodian Sentral Efek Indonesia or “KSEI”) issued Letter No. KSEI-4164/DIR/0420 on the Enforcement of the KSEI Electronic General Meeting System (eASY.KSEI) Facility as a Mechanism for Electronic Authorization in the Process of GMS for Issuers Which Are Public Companies Whom Shares Are Stored in the Collective Depository of KSEI (“KSEI Letter No. 4164”). In KSEI Letter No. 4164, KSEI elaborated several points related to the technical implementation of e-GMS and electronic authorization (“e-Proxy”).

Below are the key points from KSEI Letter No. 4164 on the implementation of e-GMS and e-Proxy.

  • KSEI System for E-GMS

KSEI has provided a system in order to facilitate the holding of the e-GMS under the name of “eASY.KSEI” which consists of 2 (two) stages of implementation, namely:

  1. E-Proxy, is a system that facilitates and integrates the power of attorney from the shareholders to the authorized recipients electronically; and
  2. E-Voting, is a system that facilitates the attendance and voting process of voting in a e-GMS to enable the shareholders to participate in the GMS without the need for physical presence.
  • E-Proxy Mechanism

Public Companies are required to provide alternative for the provision of power of attorney for its shareholders so that it can be carried out electronically by using e-Proxy in eASY.KSEI, with the following conditions:

  • Public Companies that intend to hold a GMS after the date of this KSEI Letter No. 4164 (April 3, 2020) with the date of GMS invitation after April 20, 2020, must note the following:
    • In the event that the GMS announcement has been made to the shareholders through a Public Company’s website, Indonesian Stock Exchange (“IDX”), or mass media before April 20, 2020 and the GMS invitation is scheduled between April 21, 2020 and May 13, 2020 – such GMS announcement that has been announced must be put into eASY.KSEI no later than 1 (one) day before the date of the said GMS announcement; and
    • In the event that the GMS announcement is made on April 20, 2020 and onwards, then a Public Company is required to input the GMS announcement into eASY.KSEI on the same day with the GMS announcement.
  • Public Companies that intend to hold a GMS after the date of this KSEI Letter No. 4164 (April 3, 2020) with the date of GMS invitation before April 20, 2020 (along with the 2nd and 3rd GMS, as applicable) are only required to use e-Proxy in the eASY.KSEI for the next GMS.
  • Required Document and Information for E-Proxy

Public Companies are required to carry out the following actions and to submit certain information and documents, in order to use eASY.KSEI:

  • Filling out and submitting the form of power of attorney/appointment of an authorized official (using the format provided in the Attachment 2 of KSEI Letter No. 4164) to update the information of the following proxies:
    • Who will represent the said Public Company in signing the Equity-Type Securities Registration Agreement between the said Public Company and KSEI including any of its amendments (categorized as Group A in the form); and
    • Who will represent the said Public Company in signing any documents, provide instructions, and carry out other activities relating to the registration of Equity-Type Securities to KSEI, the implementation of Corporate Actions of the said Public Company, as well as who will be responsible over the access to the KSEI system, including eASY.KSEI (categorized as Group B in the form).

If the individuals mentioned in the Group A in the form is the individuals appointed based on the power of attorney from the board of directors of the said Public Company, a copy of such power of attorney must be submitted to KSEI.

  • Submitting corporate deeds stipulating: (i) the latest management (board of directors and board of commissioners) composition along with its evidence of notification to the Ministry of Law and Human Rights (MOLHR) and (ii) the current articles of association along with the evidence of approval for its amendments by MOLHR;
  • Providing information on the nearest intended GMS including the date of the relevant GMS announcement and invitation;
  • Signing Equity-Type Securities Registration Agreement with KSEI (using the format provided in the Attachment 3 of KSEI Letter No. 4164), by the authorized individual in accordance with the power of attorney/appointment as mentioned in point (a) above;

The documents/information as mentioned in point (a) to point (d) above shall be submitted to KSEI with the following manners:

  1. Scanned documents for point (a) to point (c) shall be delivered via email to KSEI on: peksei.co.id and ubakum@ksei.co.id no later than April 17, 2020;
  2. The original document for point (a) shall be delivered to KSEI at the latest every Friday until 11:00 West Indonesian Time Zone (WIB) before the date of the RUPS, addressed to Securities Management Unit of KSEI; and
  3. For Equity-Type Securities Registration Agreement, it shall be delivered to the said Public Company in physical form, and to be signed and returned to KSEI in the form of a scanned file no later than 5 (five) business days before the said Public Company holds the relevant GMS. The physical form of the said agreement must be returned to KSEI no later than 11.00 WIB of the next Friday after the said GMS being held.

KSEI will issue a separate letter or announcement stipulating the requirements and mechanism of the use of e-Voting in eASY.KSEI system.

 

***

April 9, 2020

Copyright © 2020 AKSET. All rights reserved.

by Adho Fadillah Putera

Indonesian Government introduces a More Developed E-Commerce Regulation

The  Indonesian Government has responded to  the rapid growth of E-commerce sector in Indonesia by issuing an implementing regulation on E-Commerce business as mandated under  Article 66 of Law No. 7 of 2014 dated March 11, 2014, on Trade, On November 20, 2019, the Indonesian Government finally issued Government Regulation No. 80 of 2019 on Trading through Electronic System (“GR on E-Commerce”).

The primary purpose of RG on E-Commerce is to regulate broad aspects of the e-commerce business, which will apply on the 2nd anniversary after its promulgation date, GR on E-Commerce. We will briefly elaborate some of the key provisions relating to the provisions of e-commerce business under GR on E-Commerce.

  • Operational aspect

First, Article 15 (1) of GR on E-Commerce now requires all Business Players to obtain a business license in conducting e-commerce. Business Players include domestic and foreign merchants, electronic platforms (Penyelenggara Perdagangan Melalu Sistem Elektronik - “PPMSE”), as well as intermediary services providers. While merchants offering goods and/or services temporarily and non-commercially are exempted from the classification, no strict threshold is stipulated to determine the temporary and commercial nature of such merchants. This means that every merchant, both in the formal and informal sectors, regardless of its size and business, is now required to obtain a business license.

Second, Business Players, particularly platform providers, are now prohibited from accepting neither domestic nor foreign Merchants that is incompliance with the requirements , among others, the licensing requirement.

The GR on E-Commerce now reimposes possible taxation towards e-commerce. Further, foreign Business Players actively offering and/or conducting e-commerce services towards Indonesian consumers that have met a certain threshold of (i) number of transaction; (ii) value of transaction; (iii) number of shipping; and/or (iv) number traffic or access would be deemed to have established a physical presence and conduct a permanent business in Indonesia. Such businesses now must appoint a representative domiciled in Indonesia that will act as and on behalf of the business owner.

Business Players now must also maintain the records of data and information on their e-commerce businesses. Data and information related to financial transactions shall be kept at least for 10 (ten) years, while data and information unrelated to financial transactions shall be kept for a minimum of 5 (five) years from the obtainment of such data or information.

  • Contract Processing

Article 28 of GR on E-Commerce requires Business Players to provide and maintain receipts of e-commerce transactions. The receipt will be legal and binding evidence towards the parties involved. Further, receipt of e-commerce transactions is now treated as valid evidence in procedural law, whereby written verifiable e-signed receipts of e-commerce transactions may even be acknowledged as authentic evidence. Electronic receipts of transactions shall no longer be rejected as evidence before the court merely for its electronic form.

GR on E-Commerce also specifically regulates electronic offer, acceptance, confirmation, as well as contract. An electronic offer shall include at least the following information:

  1. Specification of goods and/or services;
  2. Prices of goods and/or services offered;
  3. Terms and conditions;
  4. Mechanism and system of payment and payment period;
  5. Mechanism and system of shipping;
  6. Risks and unforeseeable conditions; and
  7. Limitation of liability.

An electronic offer is deemed valid and binding if it contains a clear and specific statement of intent of offer conducted in an honest and fair manner, and provides time limitation. Once an electronic offer is accepted, it shall not be withdrawn unless such withdrawal is agreed upon by the accepting party. Business Players are also required to respond to electronic acceptance by a consumer within a certain time period, in the form of electronic or non-electronic confirmation that may be used as evidence of agreement.

Meanwhile, Electronic Contracts may be in the form of sales and purchase agreement or licensing agreement, including end-user license agreement; amendment/development/modification of license agreement; public license agreement; creative common license agreement; and relicensing agreement. An Electronic Contract shall include at least:

  1. Identity of the parties;
  2. Specification of goods and/or services agreed;
  3. Legality of goods and/or services;
  4. Value of the transaction;
  5. Terms and conditions and payment period;
  6. Operational procedure of shipping;
  7. Return procedure;
  8. Cancellation procedure; and
  9. Choice of law for dispute resolution.

Business Players are also required to provide downloadable Electronic Contract.

  • Consumer Protection

Article 13 (1) of GR on E-Commerce requires Business Players to inform correct, clear, and honest information regarding the condition and assurance on the goods and/or services offered and the Electronic System used. Business Players must protect consumers’ rights in every aspect of e-commerce transaction, among others by accommodating a customer service which shall at least comprises:

  1. Address and contact number of customer service;
  2. Procedure of consumer complaint;
  3. Mechanism of complaint handling process;
  4. Competent officers to process consumer complaint; and
  5. Period of complaint settlement.

GR on E-Commerce further stipulates that Business Players must ensure that any advertisement is in accordance with the ethical standards of advertisement and consumer protection as governed under the applicable laws and regulations. This requirement is not only limited to the owner of such advertisement, but also to the parties who produce, provide any means for, and/or propagate the advertisement. Substance and material of any electronic advertisement that contradicts with consumer rights must be stopped, and relevant institutions have the authority to stop such marketing activities should Business Players fail to do so. Consumer protection is not only supervised under advertisement but also in Electronic Contracts where Article 53 (2) of GR on E-Commerce prohibits any standard clauses that may disadvantage consumers.

Business Players must also ensure customer protection to the extent of the delivery and return of goods and/or services. GR on E-Commerce emphasizes that in the event of there is an acceptance of the purchase of goods and/or services, the seller must deliver such goods and/or services to the buyer accordingly. The delivery must also ensure:

  1. Safety of the goods and/or services;
  2. Conditions of the goods and/or services;
  3. Confidentiality of the goods and/or services;
  4. Conformity of the goods and/or services; and/or
  5. Punctuality of the delivery of goods and/or services;

In addition, Business Players must inform the buyer about the delivery of the goods. In the event the delivery is done by PPMSEs, they must inform periodically to the buyer upon the delivery status. Besides goods, Digital Services is acknowledged in GR on E-Commerce. According to Article 68 of GR on E-Commerce, Business Players which distribute free or paid Digital Goods and/or Services must ensure that such goods and/or services can be operated. In the event such Digital Goods and/or Services incur any loss to the user, such loss shall be borne by the Business Players.

Exchange of goods and/or services is also provided under GR on E-Commerce in which sellers are required to provide a period of at least 2 (two) business days for an exchange of goods and/or services, if:

  1. There is an error and/or non-conformity of the goods and/or services;
  2. There is an error and/or non-conformity of the actual period delivery of the goods and/or services;
  3. There is a hidden defect;
  4. The product is broken; and/or
  5. The product is expired.

Provided that any of the above conditions have been met, consumers shall not bear the cost of the shipping fees. In connection with such provision, all PPMSEs are now required to have a mechanism that can ensure a refund for the consumers in case of an exchange. With regard to any dispute that may arise between the PPMSEs and/or sellers with consumers, such dispute may be settled through a new dispute resolution mechanism, an online dispute resolution. However, no further explanation or regulation is provided regarding the process.

  • Personal Data Protection

Pursuant to Article 59 (1) of GR on E-Commerce, Business Players must ensure data protection in accordance with data protection standards or developing business practices. According to GR on E-Commerce, the standards itself shall at least comply with the following data protection principles:

  1. Personal data must be obtained lawfully from the owner, accompanied by the choice and guarantee of safeguarding and preventing loss of the data owner;
  2. Personal data must be kept for only one purpose or more specifically described and may not be further processed in any other way;
  3. Personal data obtained must be appropriate, relevant and not too broad in relation to the goals as previously informed to the data owner;
  4. Personal data must be accurate and must always be up-to-date by giving the data owner an opportunity to update his/her personal data;
  5. Personal data must be processed according to the purpose of obtainment and may not be maintained longer than the period required;
  6. Personal data must be processed according to the subject's rights as governed under the applicable laws and regulations;
  7. The party storing personal data must have a security system that is appropriate for preventing leakage or prevent any activities of the processing or utilization of personal data against the law, as well as being responsible for unexpected loss or damage towards the personal data; and
  8. Personal data must not be sent to any countries or regions outside Indonesia except if such countries or regions have been declared by the Minister to have the same standard and protection level as Indonesia.

Notwithstanding the abovementioned, the implemented data protection standards must also take into account the data protection standards as set out in Europe and/or APEC Privacy Frameworks. Given the adoption of that international standards, it remains to be seen whether there may be further regulations (i.e., personal data protection law) to be issued in the context of personal data protection.

Furthermore, it is now regulated that PPMSEs must store financial transaction-related data and information in a period of at least 10 years and non-financial transaction-related data and information in a period of at least 5 years, that at least include data and information in relation to:

  1. Customer;
  2. Electronic offers and electronic acceptance;
  3. Electronic confirmation;
  4. Payment confirmation;
  5. Delivery status of goods;
  6. Trade complaints and disputes;
  7. Electronic Contracts; and
  8. Types of Goods and/or Services traded.

Nevertheless, in the event that data owners have stopped subscribing to or using the services in the E-Commerce transactions before the required period of data storage, such data owners have the right to request the Business Players to erase all relevant data.

  • Conclusion

GR on E-Commerce raises many questions that will be the subject of further debate as the implementing rules are yet to be seen. Some of the provisions are clearly having a stringent approach than ever. Whilst numbers of implementing regulations are expected to be issued, e-commerce businesses should seek advice on the effect of this regulation on their business operations to ensure its compliance with the regulation by the time in which GR on E-Commerce will enter into force.

***

December 12, 2019

Copyright © 2019 AKSET. All rights reserved.

by Adho Fadillah Putera