The regulatory regime in Indonesia is very much a work in progress in terms of reaching the Government’s intended goals.
The concern with the current framework is its overly prescriptive slant - this includes requirements to certify websites according to prescribed standards, register websites with the communication ministry and situate data centers within Indonesia.
Revision to the 2008 Electronic Transaction and Information Law
The 2008 Electronic Transaction and Information Law (‘ITE Law’) was amended in October 2016. The key changes are below.
The 2016 ITE Law now expressly provides for the government to block access to "unlawful materials". This is a newly added power that was not in the previous ITE Law, probably reflecting a realisation that criminal sanctions are futile in taking foreign website operators to task. In any case, the government has been using an earlier ministerial regulation to block websites with negative content - principally pornographic and other illegal content, including copyright piracy. It is thought that the provision in the 2016 ITE Law was intended to remove any doubt about the source of the government's power to block access.
The data protection provisions have been supplemented with a provision allowing the data owner to ask for his or her data to be removed. This right can be exercised when supported by a court order. Given the court order requirement, this new addition may be only cosmetic rather than giving data subjects real control over their data, since it is impractical to obtain a court order to effect this.
The provisions dealing with online defamation have been streamlined with their equivalent in the criminal code. The provision in the ITE Law references the criminal code rather than creating its own definition of defamation.
Ministerial regulation on data protection
On 1 December 2016, the Ministry of Communication and Informatics (“Ministry”) issued Regulation No. 20 of 2016 on Personal-Data Protection Within Electronic Systems (2016 Ministerial Regulation).
The noteworthy provisions from the 2016 Ministerial Regulation are discussed below.
- Consent - electronic system operators are required to seek consent from data subjects through consent forms provided by the operators. The regulation states that consent can be expressed in writing, either manually or electronically.
- Certification - article 4 provides that electronic systems handling personal data need to be certified. It is provided that the certification will be in accordance with the regulations but we are not aware of any having been issued yet.
- Minimum period for holding data - although an electronic system operator is required to remove the data when it is no longer relevant, article 15 provides for a minimum holding period of 5 years before such data can be purged.
- Locating data centres in Indonesia - this requirement is already found in the 2012 Government regulation but could not be implemented then while awaiting implementing regulations. The 2016 Ministerial Regulation did not seem to add much - it contemplates that there would be further regulations from the "sector monitoring and regulation department".
- Transfer of data - any proposed transfer of data from local storage out of the country requires compliance with the regulation on "cross border personal data exchange" and that the operator "coordinates" with the Ministry by reporting to it and providing the plan for implementation and details, including the destination country and recipient details.
There is still no "regulation on cross border personal data exchange". One would have to assume that this provision is still in limbo.
Although regulations at the ministerial level are meant to implement higher level government regulations and parliament legislation, this latest round of ministerial regulation still contains references to further "regulations" that have not been issued yet.
Registration of websites (electronic system operations)
Registration is provided for under a 2014 ministerial regulation, Ministerial Regulation Number 36 of 2014 regarding Procedures of Electronic System Operator Registration (2014 Ministerial Regulation). It stipulated requirements for registration and certification against certain security standards depending on the risk impact presented by the Electronic System.
The weakness in the 2014 regulation is demonstrated by the fact that electronic system operators that have signed up are mostly local websites of local interest serving the Indonesian market. There are about 270 websites registered. There is no known enforcement against the many unregistered websites that can be accessed by the Indonesian public.
This regulation, if enforced, will stifle many nascent internet businesses.
It is hoped that the Ministry will rethink this mandatory registration requirement which is somewhat of a white elephant.
Draft Data Protection Law
Adding to the uncertainty is Parliament's plan to pass data protection legislation. The draft legislation was circulated last year, but nothing further has been heard as to when a bill will be tabled in Parliament.
Tax on foreign business online
In its bid to rein in tax revenue from foreign online businesses, the Indonesian tax authority issued Circular Letter No. SE-04/PJ/2017 on the Determination of Permanent Establishments for Foreign Tax Subjects Which Are Providers of Applications and/or Content Services Through the Internet (“Circular Letter 4/2017”).
The circular was addressed to Over-the-Top (‘OTT’) Services (application or content services through the internet).
Under the circular, foreign OTT Services that come within the meaning of a permanent establishment under the circular will be subject to Indonesian tax.
Permanent establishments within Indonesia include the following that could be owned, leased or used by Foreign OTT Providers for the operation of their businesses or activities:
- Place for management activities;
- Branch office;
- Representative office;
- Office building;
- Garage or workshop;
- Physical space for promotional and sales activities;
- Computers, including servers and data centers;
- Electronic apparatus (i.e. devices which contain computer programs that may perform activities or which may respond based on automatic inputs); and
- Other automatic devices.
Entities are also considered permanent establishments where they provide any form of services for a period of 60 days or more within any given 12-month period.
There are still several aspects of the circular that require clarification, namely:
- Online businesses that do not have any physical assets or activities in Indonesia may not be caught by the first definition of permanent establishment.
- As for the meaning of “60 days or more”, it is not clear whether this is calculated in terms of cumulative hours of service on a 24-hour day.
It is hoped that the Government will help to clarify this for foreign online businesses that deliver OTT services without the need for any permanent establishment.
In coming up with an overly prescriptive framework, the Government did not seem to be ready to implement or enforce the provisions requiring registration, certification and the locating of data centres within Indonesia. This may explain the lack of follow-up in passing a complete implementing framework.
Even though some of the requirements have still not been put into effect, this is no comfort to website operators, who may find the uncertainty difficult to plan for.
The overly prescriptive model requires a rethink considering that the digital economy requires participation by startups who are likely to find the costs of compliance prohibitive.
Until we get greater clarity from the Government, foreign businesses with online platforms should consider the following:
- Reviewing the extent of Indonesian traffic they receive and data they hold which originated in Indonesia;
- Businesses with internet traffic from Indonesia ought to assess the impact of compliance with the regulations on their digital service.
This is not meant to be legal advice and readers should consult qualified practitioners to advise on their specific situations.
If you have any questions, please contact the author Kin Wah Chow.