A New Regulatory Framework for the Operation of Electronic Systems within the Territory of Indonesia
On October 10, 2019, the Indonesian Government issued Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions (“GR 71/2019”). This regulation is intended to be one of the key implementing regulations of Law No. 11 of 2008, last amended by Law No. 19 of 2016 on the Electronic Information and Transaction (the “EIT Law”), and revokes the outdated regime of Government Regulation No. 82 of 2012.
GR 71/2019 provides a breath of fresh air to the Indonesian EIT regulatory framework in facing the challenges presented by the rapid growth of information technology. GR 71/2019 introduces a myriad of new concepts in relation to the operation of electronic systems and data governance, such as the classification of electronic system operators, a conditional data localization requirement, a more modern set of personal data protection rules, and so on.
To further implement certain provisions referred to in GR 71/2019, the Ministry of Communication and Informatics (MOCI) subsequently issued Regulation No. 5 of 2020 on Private Electronic System Operator (“MOCI 5/2020”). This regulation went into effect on November 24, 2020, the date of its promulgation.
Below we highlight some notable provisions under GR 71/2019 and MOCI 5/2020.
- DEFINITION OF KEY TERMS STIPULATED BY GR 71/2019 AND MOCI 5/2020
First and foremost, it is important to note that both GR 71/2019 and MOCI 5/2020 provide relatively broad definitions of several key terms. Consequently, the regulations may be applicable to the operation of almost all types of electronic systems and information commonly used in this day and age.
Electronic System Operator (the “ESO”) is defined as anyone that provides, manages, or operates an Electronic System, whether individually or jointly. Further, the term Electronic System itself is defined as a series of devices and electronic procedures used to prepare, collect, process, analyze, store, display, announce, deliver, or disseminate electronic information.
- THE CLASSIFICATION OF ESO, AS PROVIDED BY GR 71/2019 AND MOCI 5/2020
There are 2 (two) types of ESO, as follows:
- Public ESO
Public ESOs are government institutions and other agencies which are appointed by government institutions to operate electronic systems for them and on their behalf, excluding regulatory and supervisory authorities within the financial sector (e.g., Bank Indonesia and the Financial Services Authority).
- Private ESO
By contrast, Private ESOs are individuals (whether Indonesian or international residents) and business entities that operate Electronic Systems and fall under the following categories:
- Private ESOs which are subject to the regulation or supervision of a ministry or governmental institution based on the prevailing laws and regulations; and
- Private ESOs which own internet-based portals, sites, or applications within the Internet network for the purposes of:
- providing, managing, and/or operating goods and/or services trading and/or offering;
- providing, managing, and/or operating financial transaction services;
- delivery of materials or paid digital content through data networks, by way of downloading via websites, sending of emails or through applications to customers’ devices;
- providing, managing, and/or operating communication services which include but are not limited to short text messages, voice calls, video calls, emails, digital chatrooms, networking services and social media;
- search engine and electronic information provider services in the form of text, audiovisual data, animations, music, video, films and games or any combination of the above; and/or
- processing of personal data in accordance with the organization of public services that address electronic transaction activities.
In addition to the above, MOCI 5/2020 also added 2 (two) specific classes of Private ESO, as follows:
- User Generated Content (UGC) Private ESOs are those who provide an Electronic System whereby the provision, display, upload, and/or exchange of electronic information and/or documents are carried out by the user.
- Cloud operator Private ESOs are those who provide, operate, and/or manage cloud services.
- REGISTRATION REQUIREMENT AND ITS EXTRATERRITORIAL REACH
Both Public and Private ESOs are required to register themselves with the MOCI. The registration shall be carried out through the Online Single Submission System (“OSS”) by completing the necessary documentation, such as technical specification, brief elaboration on the operation of the Electronic System, and so on.
This registration requirement is also applicable to foreign Private ESOs which (i) provide their services within the territory of Indonesia; (ii) carry out their business in Indonesia; and/or (iii) have their Electronic Systems used and/or offered within the territory of Indonesia. In addition to the documentation required for the Private ESO registration, a foreign Private ESO must provide the following information for ESO registration (along with an Indonesian version translated by a sworn translator):
- The identity of the foreign Private ESO;
- The identity of the head of organization and/or person-in-charge;
- Domicile certificate and/or certificate of incorporation;
- Number of Indonesian users; and
- The amount of transaction generated from Indonesia.
- COMPLIANCE CHECKLIST FOR PRIVATE ESO
In general, both regulations establish a set of rules that must be followed by ESOs (including Private ESO), among others:
- the Electronic System shall fulfill minimum operational requirements, such as being able to redisplay information, protecting integrity, having a sustainable mechanism to maintain accountability, and so on;
- the Electronic System shall not contain, or facilitate the dissemination of, illegal content (i.e., information which violates laws and regulations, disrupts the society and public order, etc.);
- the use of appropriate hardware and software, in accordance with laws and regulations;
- ensure the security of the Electronic System, implement appropriate and accountable governance policy and procedure;
- provide information governance policy as appropriate (e.g., terms and conditions as well as privacy policy).
In addition to the above, there are specific requirements set forth by MOCI 5/2020 for UGC Private ESOs, as follows:
- provide information governance policy, consisting of (i) provisions of rights and obligations of the user and the Private ESO within the use and the operation of the Electronic System, and (ii) clear stipulation of responsibility towards the electronic information uploaded by users;
- provide a complaint facility, which must be accessible to the public; and
- respond, assess, and inform the user in regard to the lodged complaint.
As a safe harbor policy mechanism, Article 11 of MOCI 5/2020 further stipulates that the UGC Private ESO shall be indemnified from liability for the illegal electronic information, under the condition that (i) it is already in compliance with the rules set forth by GR 71/2019 and MOCI 5/2020, (ii) it provides necessary information on the user who disseminates/uploads the illegal electronic information, for the purpose of supervisory and/or law enforcement, and (iii) it takes down the illegal electronic information.
- PERSONAL DATA PROTECTION PROVISIONS WITHIN THE EIT REGULATORY FRAMEWORK
The issuance of GR 71/2019 marks another milestone for Indonesia in its effort to protect individuals’ personal data. Despite the fact that it only consists of a few articles, the regime is jam-packed with new ideas and concepts that correspond to the international standard of personal data protection regulation.
GR 71/2019 introduces several new principles that must be followed at every step of personal data processing activity within the electronic system, such as data minimization and purpose limitation, as well as lawfulness, fairness and transparency principles. It also added several conditions for consent to be considered lawful when compared to the previous regime.
For further elaboration on this, please see our Data Protection & Privacy Recent Regulatory Development and AKSET’s latest GTDT on Data Protection & Privacy.
- TAKE DOWN MECHANISM
In relation to the obligation of ensuring that the Electronic System does not contain illegal electronic information, MOCI 5/2020 specifies relatively detailed rules on the take down mechanism.
Under MOCI 5/2020, the take down request can be submitted by the public, ministry/institutions, law enforcement, and/or courts via website and/or application, written letter, and/or e-mail. A lodged take down request shall be considered urgent/emergency if the illegal information relates to terrorism, child pornography, or content which disrupts the society and public order.
In this case, Private ESOs shall take down the illegal electronic information within 1×24 hours after receiving the take down order from the relevant institution, and within 4 hours at the latest for an urgent/emergency take down request.
- DATA DISCLOSURE AND ACCESS FOR THE PURPOSE OF REGULATORY SUPERVISION AND LAW ENFORCEMENT
Lastly, MOCI 5/2020 elaborates on the obligation of ESOs in relation to data disclosure and access for law enforcement as stipulated by Article 22 of GR 71/2019.
The data disclosure and access, in this regard, shall be carried out in response to a written request from the relevant institutions or law enforcement, along with the necessary explanation/documentation, such as the scope of the access, purposes, type of access, personal data protection mechanism, period of access, etc. The access is provided in the form of a URL, a specific application made by the Private ESO, or other means agreed by the relevant parties.
MOCI 5/2020 stipulates relatively stringent safeguards in relation to the data disclosure and access mechanism, such as the limitation of access, confidentiality of access, and so on.
November 25, 2020
AKSET
Please contact Abadi Abi Tisnadisastra (atisnadisastra@aksetlaw.com) and Noor Prayoga Mokoginta (nmokoginta@aksetlaw.com) for further information.
