Indonesia to Change Data Localization Rules, Require Startups to be Registered, and Cement Right to be Forgotten

Entering into the new year the Indonesian government has taken strides in developing Indonesia’s technology law by circulating the draft amendment to Government Regulation No. 82 of 2012 on Application of Electronic Systems and Transactions (Draft Amendment)[1] as follow-up to the recent amendment to Law No. 11 of 2008 on Electronic Information and Transactions by Law No. 19 of 2016 (EIT Law).[2]

The recent amendment to the EIT Law introduced the right to be forgotten under Indonesian law, which will be further elaborated in the Draft Amendment. In addition, the Draft Amendment changes the data localization rules under Government Regulation No. 82 of 2012 on Application of Electronic Systems and Transactions (Electronic Systems Regulation) by revising the definition of public services.

Current Understanding of Public Services and Data Localization Rules

The data localization rule under the Electronic Systems Regulation is a much-debated provision stemming from the obligation of electronic system providers that operate public services are required to place their data centre[3] and disaster recovery centre[4] in Indonesia.[5]

However, public services is not defined under the Electronic Systems Regulation and was generally understood to refer to Law No. 25 of 2009 on Public Services (Public Services Law) and Government Regulation No. 96 of 2012 on Implementation of Law No. 25 of 2009 on Public Services (Public Services Regulation), which defines public services as “an activity or a series of activities conducted for the purpose of providing services in accordance with the provisions of prevailing laws and regulations for each citizen and population of goods, services, and/or administrative services provided by public service operators”.[6]

From this definition, the Public Services Law and Public Services Regulation breaks down the scope of public services that cover public goods and public services that are:[7]

  1. Provided by the government funded by the state revenue and expenditure budget or regional government revenue and expenditure budget;

  2. Provided by a state-owned business entity or regional-owned business entity; or

  3. To carry out state missions.

Public services also cover administrative services, which include public service providers that produces official documents issued by the government needed by the public and administrative actions taken by the government pursuant to prevailing laws and regulations.[8]

State missions is defined as “policies to overcome certain issues, certain activities, or to achieve certain goals related to the interests and benefit of a majority of people[9] under the Public Services Regulation.[10] The Public Services Regulation elaborates public service providers that are considered to be carrying out state missions include:[11]

  1. Public service providers that operate on subsidies or other similar support; or

  2. Public service providers that operate based on norms, standard, procedure, and criteria or based on licensing in accordance with the public service being provided by the public service provider in question, provided that the public service provider has assets valued 50 times the amount of income per capita per year in the regional government administrative area where the public service provider is located and the service networks is not limited within a regional government administrative area.

Such public service providers refer to privately owned entities in the form of a corporation or limited liability company and foundation that are carrying out public services to fulfil state missions that should be conducted by the government but, because of the government’s limited capabilities, is conducted by the said privately owned entities subsidized by government funding sourced from the state revenue and expenditure budget or regional government revenue and expenditure budget.[12]

To be clear regarding the definition of public services conducted to carry out state missions, the Public Services Law states the following examples of state missions:[13]

  1. Health services for the underprivileged by privately owned hospitals;

  2. Education services provided by privately owned educational institutions, which must follow provisions on national education;

  3. Intercity or local bus transportation services, of which the routes and tariffs are determined by the government;

  4. Economy class air transportation services, of which the upper limit tariffs are set by the government;

  5. Services for the establishment of social institutions; and

  6. Security services.

Notwithstanding the clear definition and examples under the Public Services Law and Public Services Regulation, Minister of Communication and Information Technology Regulation No. 36 of 2014 on Registration Procedure for Electronic System Providers (Registration Regulation) provides its own definition of what is considered as public services.

Under the Registration Regulation, electronic system providers operating public services must register with the Director General of Information Technology Application under the Minister of Communication and Information Technology. The Registration Regulation considers the following to be public services:[14]

  1. Government agencies;

  2. State-owned companies, regional government-owned companies, and/or the relevant working units of such companies;

  3. Independent institutions established by law (for example, the Financial Services Authority and Bank Indonesia) and their relevant working units;

  4. Legal entities that carry out public services in the context of state missions.

In regard to state-owned companies, regional government-owned companies, and legal entities that carry out public services in the context of state missions, the Registration Regulation causes confusion by not being faithful to the Public Services Law and Public Services Regulation because the Registration Regulation considers such companies and legal entities to provide public services if they operate:[15]

  1. Online portal, website, or application through the internet that is used to facilitate offering or trading of goods or services;

  2. Electronic systems that contain payment facilities and/or other online financial transactions through the internet;

  3. Electronic systems that are used to process electronic information that contains or requires deposit of funds or its equivalent;

  4. Electronic systems that are used to process or store customer data for operational activities in relation to financial transaction and trade; and

  5. Electronic systems that are used to send paid digital material through data network either by downloading via a portal or website, delivery via email, or through other applications to the customer’s device.

This extension of what is considered as public services in the Registration Regulation is not stipulated under the Public Services Law and Public Services Regulation, which has sparked the debate on whether the data localization rules under the Electronic Systems Regulation for electronic system providers that provide public services should refer to the Registration Regulation or the Public Services Law and Public Services Regulation.

Even though the Electronic Systems Registration Regulation could be considered as being in the same ballpark as the Electronic Systems Regulation, the Public Services Law and Public Services Regulation are on a higher level compared to the Electronic Systems Registration Regulation in terms of their place in the Indonesian legislation hierarchy. This has in the past caused uncertainty as to which definition of public services the Electronic Systems Regulation is referring to that even government officials have differing opinions on the matter.

Mandatory Registration for Startups

From the current version of the Draft Amendment, the Draft Amendment no longer makes reference to the Public Services Law and Public Services Regulation, but asserts that public services include electronic system providers that:[16]

  1. Are governed and supervised by a sectoral government institution based on prevailing laws and regulations;

  2. Are for the operations of a government institution;

  3. Provide a portal, website, or application used to facilitate trade of goods and services;

  4. Operate an electronic system that provides payment facilities to enable financial transactions through the internet;

  5. Operate an electronic system that processes electronic information that contains or requires the deposit of funds or equivalent to funds;

  6. Operate an electronic system that is used to process or store data, including personal data, for electronic transaction services available to the public;

  7. Operate an electronic system that is used to deliver paid digital products; and

  8. Operate an electronic system that provides, manages, and/or implements communication services in the form of short messages, voice calls, video calls, e-mails, and online conversations, search engine, networking, and social media, as well as services providing digital information in the form of text, sound, picture, animation, music, video, film, or game, whether downloadable or streamed.

These electronic system providers that are considered to be operating public services are not required to place their data centre and disaster recovery centre in Indonesia but are required to be registered with the Minister of Communication and Information Technology before being able to provide their services to the public. When the Draft Amendment is enacted, such electronic system providers will be given one year to comply with this registration requirement.[17]

Essentially from this provision the Indonesian government is requiring all startups to be registered before they are able to commence operations in Indonesia. Although this is quite clear from the current version of the Draft Amendment, it remains to be seen whether it is practical in enforcing this registration obligation as most startups looking to establish their business in Indonesia are mostly operating from overseas.

Also, it is also unclear whether with this registration requirement, all electronic system providers that provide such public services will be required to establish a local presence in Indonesia as currently in practice only those that have a local presence are able to register with the Director General of Information Technology Application under the Minister of Communication and Information Technology.

Much Needed Revision to Data Localization Rules

Under the Electronic Systems Regulation, electronic system providers that operate public services are required to place their data centre and disaster recovery centre in Indonesia.[18] This will be changed in the Draft Amendment to strategic electronic data that has to be placed in local data centres and disaster recovery centres.[19] The Draft Amendment also asserts that strategic electronic data must be managed, processed, and stored in Indonesia using networks and electronic systems located in Indonesia, and prohibits strategic electronic data to be transferred, traded, and/or copied overseas.[20]

Strategic electronic data is defined as “electronic data that has strategical impacts to the effectiveness of state organizations, including state defence and security”. The Draft Amendment does not elaborate further this definition other than that strategic electronic data is “any electronic data for which any threats and/or interference which are directed at such data will result in the obstruction of state organizations, defence and security”.[21]

However, the government seems to acknowledge the long-lived misunderstanding of the definition of public services in relation to the data localization rules under the Electronic Systems Regulation and has opted to stipulate under the Draft Amendment that the government will determine which government institutions are in possession of strategic electronic data and the President will determine further what is considered as strategic electronic data pursuant to the definition and criteria of strategic electronic data under the Draft Amendment.[22]

Although what is considered as strategic electronic will still be unclear when the Draft Amendment is enacted, this at least will provide some degree of certainty that what is considered as strategic electronic data will be comprehensively defined by the government and President as mandated by the Draft Amendment.

The Right to be Forgotten

The EIT Law introduces the right to be forgotten to Indonesian law. One of the main provisions is that every electronic system provider must dispose of personal data under their control that are no longer relevant upon receiving a request to do so from the personal data subject based on a court order.[23]

Not Relevant

Not relevant is explained in the Draft Amendment as personal data:[24]

  1. That is obtained and processed without the consent of the personal data subject;

  2. Of which the consent has been withdrawn by the personal data subject;

  3. That is illegally obtained and processed;

  4. That is no longer appropriate for what it was intended;

  5. Of which is used exceeding the time limit that was agreed or based on prevailing laws and regulations; or

  6. That is displayed by electronic system provider which has caused damages to the personal data subject.

If a personal data subject feels that any of his/her personal data fulfils any of the above criteria, the personal data subject in question may apply for a court order to compel the relevant electronic system provider to delete the personal data that is no longer relevant. The court will then examine whether the personal data applied to be disposed is no longer relevant in accordance with the criteria stated above.[25]

Court Order and Administrative Sanctions

If the relevant court approves the right to be forgotten application filed by the personal data subject and issues the court order for the electronic system provider to dispose of the no longer relevant personal data, the electronic system provider in question is obliged to abide by such court order.[26]

From the current version of the Draft Amendment, the Draft Amendment solely mandates Indonesian courts to examine right to be forgotten requests as opposed to what is practiced in the European Union, in which such right to be forgotten requests are sent directly to the relevant electronic system provider. As such, the Draft Amendment does not stipulate any mandatory form of internal procedure to examine right to be forgotten requests for electronic system providers but focuses more on making sure that electronic system providers have the necessary internal procedure to dispose not relevant personal data.

Internal Procedure for Disposing Not Relevant Personal Data

Electronic system providers under the Draft Amendment must establish an internal procedure to dispose personal data that are no longer relevant based on a court order. This internal procedure must at least include guidelines on:[27]

  1. Establishing communication means between electronic system providers and personal data subjects;

  2. How to record and process right to be forgotten requests, including on how to delete the not relevant personal data;

  3. Timeline for completing a right to be forgotten requests; and

  4. Who is authorized to carry out right to be forgotten requests.

Administrative Sanctions

Any electronic system provider failing to adhere to any obligations under the Draft Amendment, such as the new data localization rules, mandatory registration, and provisions related to right to be forgotten, will be subject to the following administrative sanctions:[28]

  1. Written warning;

  2. Administrative fine;

  3. Temporary suspension of activities;

  4. Access block; and/or

  5. Revocation of registration as an electronic system provider, electronic agent, electronic certification provider, and/or reliability certification provider.

In regard to access block, the Indonesian government will request internet service providers, telecommunication service and network providers, and other relevant service providers to block access to the violating electronic system provider.[29]

Current Progress of the Draft Amendment

Based on current publicly available information, the Minister of Communication and Information Technology has stated that the Draft Amendment is being finalized by the Indonesian State Secretary and is awaiting to be signed by the President, after which it will be affixed with a number and year by the State Secretary and officially enacted by the Minister of Law and Human Rights.[30]


FOOTNOTES

[1] For a previous discussion on the Draft Amendment, see: Andin Aditya Rahman, “Mandatory Registration for Startups in Indonesia and Right to be Forgotten Implementation,” 16 July 2018.

[2] For a discussion on the recent amendment to the EIT Law, see: Andin Aditya Rahman, “Indonesia enacts Personal Data Regulation,” Privacy Laws & Business International Report, Issue No. 145, February 2017.

[3] Data centre is defined as “a facility used to place electronic systems and relevant components for the purpose of data placement, storage, and processing”. See: Electronic Systems Regulation, Official Elucidation, Article 17 paragraph (2).

[4] Disaster recovery centre is defined as “a facility used to recover data or information, as well as the critical functions of electronic systems that are compromised or damaged as a result of natural or man-made disaster”. See: Electronic Systems Regulation, Official Elucidation, Article 17 paragraph (2).

[5] Electronic Systems Regulation, Article 17 paragraph (2).

[6] Public Services Law, Article 1 number 1; Public Services Regulation, Article 1 number 1.

[7] Public Services Law, Article 5 paragraph (1), Article 5 paragraph (3), and Article 5 paragraph (4); Public Services Regulation, Article 4 and Article 5.

[8] Public Services Law, Article 5; Public Services Regulation, Article 3, Article 4, Article 5, and Article 6.

[9] Public Services Regulation, Article 1 number 7.

[10] Public Services Law, Article 1 number 1; Public Services Regulation, Article 1 number 1.

[11] Public Services Regulation, Article 9 letter d and Article 10.

[12] Public Services Regulation, Official Elucidation, Article 9 letter d.

[13] Public Services Law, Official Elucidation, Article 5 paragraph (3) letter c.

[14] Registration Regulation, Article 3 paragraph (1) and Article 4 paragraph (1).

[15] Registration Regulation, Article 5 paragraph (1).

[16] Draft Amendment, Article 5 paragraph (1a).

[17] Draft Amendment, Article 5 paragraph (2), Article 5 paragraph (3), Article 5 paragraph (4), and Article II.

[18] Electronic Systems Regulation, Article 17 paragraph (2).

[19] Draft Amendment, Article 17 paragraph (2).

[20] Draft Amendment, Article 83K paragraph (4), paragraph (5), and paragraph (6).

[21] Draft Amendment, Article 1 number 27b and Article 83K paragraph (1).

[22] Draft Amendment, Article 83A letter d, Article 83J paragraph (1), and Article 83K paragraph (2).

[23] Draft Amendment, Article 15A paragraph (1) and paragraph (2).

[24] Draft Amendment, Article 15B.

[25] Draft Amendment, Article 15C paragraph (1), paragraph (4), and paragraph (5).

[26] Draft Amendment, Article 15C paragraph (4).

[27] Draft Amendment, Article 15D paragraph (1) and paragraph (2).

[28] Draft Amendment, Article 84 paragraph (1) and paragraph (2).

[29] Draft Amendment, Article 83I.

[30] Ministry of Communication and Information Technology, “Revisi PP 82/2012 Wujudkan Keadilan dan Penindakan Kasus Hoaks,” 11 December 2018.


DISCLAIMER

The information contained in this website is for general information purposes only, and is not intended to be taken as legal advice or opinion or replace a formal consultation with a legal counsel.

The views and opinions expressed in this website, unless expressly stated otherwise, are my own and written by me. They do not represent the views or opinions of my current workplace nor any other parties that I may have connections with.

The information contained in this website is compiled from various reliable sources. However, despite best intentions to keep the information updated and correct, I do not make any representations or warranties of any kind whatsoever, express or implied, regarding the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under my control, whether with respect to their nature, content or availability. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website online and running smoothly. However, I shall not be responsible or liable for the website being temporarily unavailable due to technical issues beyond my control.


Leave a Reply

Your email address will not be published. Required fields are marked *