Regulatory changes in Indonesia
In the third quarter of 2016, the Indonesian Parliament amended the 2008 Electronic Transaction and Information Law (ITE Law)
In addition, in this update is the Ministry of Telecommunication's regulation on data protection issued in November.
2016 Amendments to ITE Law
The 2008 ITE Law was amended in October 2016. The key changes to the 2008 ITE Law are set out below.
The 2016 ITE Law now expressly provides for the government to block access to "unlawful materials". This is a newly added power that was not in the previous ITE Law, probably a realisation that criminal sanctions are futile in taking foreign website operators to task. In any case, the government has been using an earlier ministerial regulation to block websites with negative contents - principally pornographic and copyright piracy. It is thought that the provision in the 2016 ITE Law was to remove any doubt on the source of the government's power to block access.
The data protection provisions are added with a provision for the data owner to ask for his data to be removed. This right can be exercised when supported by a court order. With the court order requirement, this new addition may only be cosmetic instead of giving real control to data subjects over their data since it is impractical to get a court order to give effect to this each time.
The provisions dealing with online defamation has been streamlined with their equivalent in the criminal code. The provision in the ITE Law reference to the criminal code rather than creating its own definition of defamation.
Ministerial Regulation on Data Protection
On 7 November 2016, the Ministry of Communication and Informatics (“Ministry”) issued Regulation No. 20 of 2016 on Personal-Data Protection Within Electronic Systems (The Ministerial Regulation).
This regulation was meant to give effect to certain provisions in Government Regulation 82 of 2012 on ELECTRONIC SYSTEM AND TRANSACTION OPERATION.
The noteworthy provisions from the Ministerial Regulation are discussed below.
a. Consent - Electronic system operators are required to seek consent from data subjects through consent forms provided by the operators. Further clarification is needed whether such forms are to be in print which would make procuring of consent unwieldy.
b. Certification - article 4 provides that electronic systems handing personal data need to be certified. It is said that the certification will be in accordance with the regulations but we are not aware of any having been issued yet.
c. Minimal period for holding data - although an electronic system operator is required to remove the data when any such data is no longer relevant, article 15 provides for a minimal holding period of 5 years before such data can be purged.
d. Locating data centers in Indonesia - this requirement is already found in the 2008 Government regulation. The Ministerial Regulation provides that implementation will be conducted by the "sector monitoring and regulation department" in accordance with regulations but we are not aware of any implementing regulation having been issued yet.
e. Transfer of data - Any proposed transfer of data from local storage out of the country requires "coordination" with the Ministry by reporting to the Ministry, providing the plan for implementation and details including destination country and recipient details.
Although regulations at the ministerial level are meant to implement higher level government regulations and parliament legislation, this latest round of ministerial regulation still contains gaps in areas that are said to be implemented "pursuant to regulations" that do not appear to be issued yet. Certain key areas are still unclear, such as whether the consent is required to be in writing or can still be done electronically; and also the requirements upon which electronic systems are to be certified.
Lending further uncertainty is the parliament's plan to pass a data protection legislation. This naturally creates uncertainty as to how the Ministerial Regulation will sit with the proposed data protection legislation.
Until we get greater clarity from the government, foreign businesses with online platforms should consider the following:
a. Reviewing the extent of Indonesian traffic and data originated in Indonesia;
b. Assessing the impact of compliance with the regulations on their digital service.
We understand that various industry groups and chambers have made representations to the government expressing concern over the overly prescriptive approach taken in this latest ministerial regulation and will continue to monitor the situation.