As the myriad of laws and regulations (at the Government and Ministerial level) on electronic transactions makes it difficult to navigate the regulatory framework in Indonesia, this summary attempts to lay out the applicable regulations as at the date of publication. This note should not be regarded as legal advice, and consultation with a qualified adviser is necessary.
Regulatory Regime of Electronic Service Operators ("ESOs")
As at the time of writing, the main legislation/regulations relevant to ESOs are:
Operating in Indonesia
ESOs seeking to establish a presence in Indonesia must first register with the Ministry of Communication and Informatics (“MOCI”) to begin operations. Setting up a local representative office is not required unless the number of transactions or deliveries made by the ESO exceeds 1000 per year. In that case, the ESO must set up a local representative office. Its details must be forwarded representative of a foreign Trade Operators in line with local regulatory requirements.
Consumer Protection Regulations
The Consumer Protection Law is the primary source of legislation on consumer protection in Indonesia. The law specifies a set of general rules applicable when companies or undertakings offer goods or services to Indonesian end consumers. Among them are rules requiring companies to provide clear and correct information on the goods or services and to serve consumers in a proper and fair manner.
Key things to note under the Consumer Protection Law include prohibited terms in a subscription contract (found under Article 18) as well as regulations on free trials, auto-renewals and changes of terms. These are permitted subject to notification obligations to the end-user.
There is currently no general data protection regime in Indonesia. What exists is a collection of laws that collectively regulate the protection of personal data collected in an electronic system.
Article 1(29) of GR 71 defines personal data as “All data related to a person, whether identified or capable of being identified using that data […] through the use of an electronic system and/or non-electronic means.” When an ESO collects, processes, analyses, retains or publishes the personal data of its users, it must obtain the consent of the data owner as to the purpose of such activities (Article 14(2), GR 71).
With content management, note that GR 71 distinguishes between ESOs for public and for private scope. An ESO in the public scope must store its electronic system in Indonesia (unless that tech is unavailable in the country). For ESOs in the private scope, there is more flexibility for data centres to be located outside of Indonesia. However, ESOs must ensure that the system and its data are accessible to the local authorities for supervision and law enforcement.
When data is transferred across borders, ESOs must submit to the MOCI pre- and post-transfer notification of such a transfer (Article 22, MOCI 20/2016). There are also policies as to data retention. Data related to financial transactions must be stored for a minimum of 10 years, and data related to non-financial transactions for a minimum of 5 years (Article 25(1) GR 80). Data may be deleted or erased pursuant to Article 16(1) of GR 71/2019. In the event of a personal data leak, ESOs are additionally obliged to issue notification within 14 days of the leak (Article 28(4)(c), MOCI 20/2016).
Content-related obligations of ESOs
Consent is required for the use of personal contact information for marketing activities. Note also Article 17 of the Consumer Protection Law, which requires all advertisers to comply with the advertisement code of ethics (ACE) as issued by the Indonesian Advertising Council.
ESOs are permitted to distribute online advertisements provided they comply with applicable laws and regulations in Indonesia. These mostly refer to obligations for accurate representation in advertisement, amongst others.
ESOs in the private sector should be aware of regulations on User Generated Content (“UGC”). UGC is content that is shared, exchanged and uploaded between users. ESOs should stipulate governance terms and conditions for posting UGC, including complaint procedures and a facility for settling complaints (Article 10, MOCI 5/2020).
Note also that there are unique content regulation laws in Indonesia, including ‘taste and decency’ requirements in the portrayal of acts of violence and violation of decency (which include sports-related content).
Sanctions for non-compliance
The relevant sanctions can be found in Articles 40 and 45 of MOT 50/2020. Sanctions include up to 2 years of imprisonment and a fine of up to IDR 500 million (approx. USD 36,000), amongst others. In addition, the MOCI may order ESOs to take down prohibited content from their platforms following reports from the relevant governmental authorities. Failure to respond may be met with ESOs being temporarily or permanently blocked by MOCI.
Other risks at a local level include local ESO employees being summoned for questioning by the authorities, governmental fines levied against the local entity of the foreign ESO, or even the arrest of employees (if they are authorised by the ESO’s local entity to manage and make decisions on its behalf).
Please refer to the E-commerce Regulations Guide Indonesia for more details on laws and regulations (at the Government and Ministerial level) on electronic transactions.
The guide is authored by Kin Wah Chow and the legal team at Rouse network firm Suryomurcito & Co to help businesses navigate the regulatory framework by laying out the applicable regulations as at the date of publication.