Already an IBA member? Sign in for a better website experience
Indonesia looks to regulate private electronic system organisers
Michael S Carl
SSEK Legal Consultants, Jakarta
The Indonesian Minister of Communication and Informatics (MOCI) is working on a draft regulation on the governance of private scope electronic system organisers ('Draft Regulation').
If enacted, the Draft Regulation would have a significant impact on how electronic system organisers (ESOs), specifically private scope ESOs ('Private ESOs'), conduct their activities in Indonesia. It could also be a cornerstone for the emerging regulatory regime for electronic systems and electronic system organisers, in that it is the first time the MOCI has clearly imposed the requirement that foreign parties outside Indonesia register with the MOCI.
The Draft Regulation is an implementing regulation for Law No 11 of 2008 dated 21 April 2008, as amended by Law No 19 of 2016 dated 25 November 2016, regarding Electronic Information and Transactions, and Government Regulation No 71 of 2019 regarding Organisation of Electronic Systems and Transactions, dated 10 October 2019.
According to the version we have seen, the Draft Regulation covers three main items:
- the registration process for Private ESOs;
- obligations and responsibilities of Private ESOs in handling prohibited Electronic Information (EI) and/or Electronic Documents (EDs); and
- the imposition of sanctions and normalisation of electronic systems that contain prohibited EI/EDs.
Private electronic system organisers
A Private ESO is an electronic system that is organised by a person, business entity or community. As stipulated in the Draft Regulation, certain Private ESOs must register with the MOCI before the electronic system can be used by electronic system users. Registration with the MOCI is conducted through the Indonesian Online Single Submission (OSS) system.
The Draft Regulation specifies that a Private ESO is required to register with the MOCI if it meets the following criteria:
- regulated and supervised by the relevant ministry or institution according to the provisions of laws and regulations; or
- has an online portal, site, or application through the internet that is used for:
- providing, managing and/or operating the offering and/or trading of goods and/or services;
- providing, managing and/or operating financial transaction services;
- delivery of paid digital materials or content through a data network either by way of downloads through a portal or site, delivery through electronic mail, or through other applications to user devices;
- providing, managing and/or operating communication services including but not limited to short messages, audio calls, video calls, electronic mail and online conversation in the form of a digital platform, network service, or social media;
- search engine service, service for the provision of electronic information in the form of writing, audio, drawing, animation, music, video, film, or game, or a combination of part and/or all of them; and/or
- personal data processing for the operational activities of public services related to electronic transaction activities.
A Private ESO is registered by completing a registration form that includes:
- general description of the electronic system operation;
- statement of willingness to ensure information security is in accordance with the provisions of laws and regulations; and
- statement of willingness to conduct personal data protection in accordance with the provisions of laws and regulations.
Registration of foreign private electronic system organisers
One of the major changes introduced by the Draft Regulation is the express requirement that Foreign Private ESOs (Penyelenggara Sistem Elektronik Lingkup Privat Asing) that meet the criteria above, and the additional criteria of ‘conducting business and/or activity in Indonesia’, register with the MOCI. The Draft Regulation does not provide further explanation of the scope of activity a Private ESP must meet to be considered as ‘conducting business and/or activity in Indonesia’.
It is possible the threshold of 1,000 transactions per year and/or the delivery of 1,000 or more packages per year will be used. These thresholds are stipulated in Minister of Trade (MOT) Regulation No 50 of 2020 regarding Provisions on Business Licensing, Advertisements, Guidance and Supervision of Business Practitioners in Trade through Electronic System, dated 19 May 2020 (MOT Reg 50/2020). This requires e-commerce marketplace platforms outside Indonesia that meet the above threshold to have a representative office in Indonesia. However, it remains to be seen whether the MOCI will use the threshold set by MOT Reg 50/2020 or set its own specifications and limitations.
A Foreign Private ESO that is required to register with the MOCI under the Draft Regulation, in addition to completing the registration form and providing information as with the case of Private ESOs as discussed above, must also provide the following information:
- the identity of the Foreign Private ESO;
- the identity of the company management and/or identity of the person in charge; and
- the certificate of domicile and/or certificate of incorporation.
Despite the criteria and additional criteria discussed above for Foreign Private ESOs that are required to register with the MOCI, the Draft Regulation does not actually provide a definition of a Foreign Private ESO.
New requirement: MOCI approval
The Draft Regulation states that the management, processing, and/or retention of an electronic system or electronic data outside of the territory of Indonesia will require the Private ESO to obtain the approval of the MOCI. This approval is in light of the requirements and considerations of Indonesian national interests, including the effectiveness of the supervision and enforcement of Indonesian law. This MOCI approval is a new concept under Indonesian laws and regulations. The Draft Regulation does not contain an exemption for Foreign Private ESOs, so it can be interpreted that Foreign Private ESOs that are required to register with the MOCI will also require the approval of the MOCI for the management, processing, and/or retention of an electronic system or electronic data outside Indonesia.
Evidence of registration
A Private ESO which has successfully registered with the MOCI will be given a Private ESO Evidence of Registration valid for five years and must be extended afterward. Any change of information that was submitted during the registration process must be reported to the MOCI. A Private ESO registration application that fails to provide all the information required by the MOCI will be rejected. There does not appear to be a limit on the number of times a Private ESO can submit a registration application or a minimum time threshold for re-submission following a rejected application.
Prohibited electronic information and electronic documents
Private ESOs are obligated to ensure that their electronic system does not contain banned EI/EDs. Prohibited EI/EDs are categorised as:
- violating the provisions of laws and regulations;
- troubling the community and disturbing public order; and
- informing the method of or providing access to prohibited EI/EDs.
Private ESOs must ensure their electronic system does not facilitate the dissemination of prohibited EI/EDs. A Private ESO that facilitates the broadcasting, uploading, and/or exchange of EI and/or EDs by electronic system users (user-generated content) is required to have procedures in place regarding EI and/or EDs. Such procedures must at least cover the following points:
- rights and obligations of electronic system users in using the electronic system services;
- rights and obligations of the Private ESO in implementing the operation of the electronic system;
- provisions regarding liabilities related to EI and/or EDs uploaded by electronic system users; and
- availability of facilities and services for and resolution of complaints.
Private ESOs that facilitate user-generated content may be exempted from legal responsibilities resulting from the omission and/or error of its electronic system users to the extent that the Private ESOs have fulfilled all their obligations under the Draft Regulation.
Cloud computing services
A Private ESO that organises cloud computing services is required to have procedures in place for EI and/or EDs to ensure its electronic system does not contain and/or facilitate the dissemination of banned EI/EDs. These procedures must at least cover the following points:
• rights and obligations of electronic system users in using the electronic system services;
• rights and obligations of the Private ESO in implementing the operation of the electronic system; and
• provisions regarding the liabilities of electronic system users in the context of storing EI and/or EDs on the cloud computing services.
The Draft Regulation allows various parties to request the termination of access to prohibited IE/EDs found in a Private ESO’s electronic system. Such parties are the community, government ministries or institutions, law enforcement bodies, and/or judicial courts.
Private ESOs are obligated to provide access to their electronic systems and/or EDs to: government ministries or institutions in the framework of supervision; and law enforcement bodies in the framework of law enforcement, according to laws and regulations.
Failure to comply with the provisions in the Draft Regulation may subject Private ESOs to administrative sanctions in the form of written warnings, fines and/or termination of access to the Private ESO’s electronic system. The Draft Regulation introduces the role of internet service providers (ISPs) in assisting the MOCI in terminating access to a Private ESO’s electronic system in certain cases. The Draft Regulation also introduces a new term, ‘normalisation’ (normalisasi), for the return of access for sites that have had their access terminated. An application for normalisation may be submitted to the MOCI by the relevant Private ESO.
The Draft Regulation is still a working draft and it is possible there will be additional amendments before it is finalised and enacted. There is no confirmed timeline for the enactment of the regulation.