30 Oct 2019
Indonesia Issues Important New Regulation on Electronic (Network and Information) Systems
Significant Changes to Operator Classification, Registration Requirements, Data Localization Rules, Personal Data Protection, Right to Be Forgotten, and Government Authority to Block Access
An important new regulation on electronic systems has recently been issued, namely, Government Regulation No. 71 of 2019 (“GR 71/2019”, effective 10 October 2019), which revokes Government Regulation No. 82 of 2012.
It is important to note at the outset that the English term “electronic system” in this ABNR Legal Update is the direct translation of the Bahasa Indonesia term sistem elektronik, as used in GR 71/2019 and other relevant Indonesian legislation. In reality, however, what GR 71/2019 is primarily concerned with in this regard are network and information systems, rather than electronic systems as normally understood in English.
This is evident from the definition of “electronic system” provided by GR 71/2019 (as well as other relevant legislation), namely, “an electronic system is a set of electronic devices and procedures that functions to prepare, collect, process, analyze, store, present, publish, transmit and/or disseminate information.”
The key changes introduced by GR 71/2019 relate to the following issues:
1. Classification of Electronic System Operators
Article 2 GR 71/2019 differentiates between two types of electronic system operator (“ESO”), namely a State-sector ESO and a Private ESO:
A Private ESO includes the following:
2. Mandatory Registration of ESOs
Prior to the issuance of GR 71/2019, State-sector ESOs were required to register with the Ministry of Communications and Informatics (“MCIT”), while Private ESOs were not so required.
Now, both State-sector ESOs and Private ESOs are required to register with MCIT prior to their electronic systems being made accessible to users.
An ESO is required to apply to MCIT for registration using the integrated electronic licensing service operated by MCIT. However, it is unclear how this obligation can currently be applied to foreign ESOs as the MCIT’s online system only accommodates the registration of ESOs that are Indonesian private individuals and entities. We are currently seeking clarification on this issue from MCIT.
3. Data Localization
In a significant change from the now revoked Government Regulation No. 82 of 2012, Article 21 GR 71/2019 specifically permits a Private ESO to locate an electronic system and electronic data outside the territory of Indonesia, subject to the following conditions:
4. Personal Data Protection and Right to Be Forgotten
4.a. Personal Data Protection
Before discussing the significant changes related to personal data protection that are introduced by GR 71/2019, it is important to note two things:
Under GR 71/2019, personal data protection is primarily governed by Article 14, the provisions of which are virtually identical to Articles 16 and 17 of the Bill. The influence of GDPR is clearly visible throughout Article 14. Besides being reflected in the substance of Article 14, it is also evident from the introduction of the GDPR concept of “personal data controller” (pengendali data pribadi) for the first time in Indonesian legislation. Unfortunately, no definition or explanation is provided as to what precisely is meant by a “personal data controller.” However, it is defined by the Bill as “ ... a party that determines the purposes of and controls the processing of personal data” (broadly similar to the GDPR definition).
Surprisingly, GR 71/2019 does not refer to the concept of “data processor,” which constitutes an important part of the overall GDPR scheme. However, this concept is covered by the Bill, which defines a “data processor” as a “party that processes personal data on behalf of a personal data controller.”
As to the substance of Article 14, it incorporates the new definition of “personal data” that is provided in the Bill (broadly similar to the GDPR definition), namely, “Personal data are all data related to a person, whether identified or capable of being identified using that data or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means.”
Further, for the first time in Indonesian legislation, Article 14(1) GR 71/2019 refers to a general principle of personal data protection (taken from Article 16(2) of the Bill, broadly similar to Article 5 GDPR), which may be summarized as follows:
Personal data may only be collected on a restrictive, specific and lawful basis with the knowledge and consent of the data subject; personal data may only be processed in accordance with the purpose for which they are collected; the rights of the data subject must be guaranteed; personal data must be accurate, comprehensive, not misleading, up to date, accountable, and have regard to the purposes for which they are processed; processing must ensure the security of personal data from loss, misuse, unauthorized access and disclosure, and changes or damage; notice must be provided of the purpose of personal data collection and processing, and of security breaches; and personal data must be destroyed and/or erased after the expiry of the retention period, save as otherwise required by law.
Article 14(3) GR 71/2019 then replicates Article 17 of the Bill (broadly similar to Article 6 GDPR) on the lawfulness of personal data collection and processing. Under Article 14(3), personal data may only be processed based on the legitimate consent of the data subject for one or more specific purposes of which the data subject has been informed. In addition, personal data may be processed where this is necessary:
4.b. Right to Be Forgotten (Right to Delisting and Right to Erasure)
Once again drawing on GDPR, GR 71/2019 further develops the general “right to be forgotten” that was first established by the Electronic Information and Transactions Amendment Law. It requires an ESO to delete electronic information and/or an electronic document that is within its control and which is no longer relevant. Such requirement may be based upon a court order or arise at the request of the data subject, depending on whether the specific right being exercised is the Right to Delisting or the Right to Erasure:
5. Government Authority to Block Access to Negative Content
Article 95 GR 71/2019 provides that the Government is authorized to prevent the dissemination and use of electronic information and/or an electronic document by means of:
Under Article 96, these measures may be taken in respect of electronic information and/or an electronic document that:
The Elucidation of Article 96 explains that prohibited content includes electronic information and/or an electronic document that contains or promotes any of the following elements:
pornography, slander, fraud, hatred against a particular ethnic group, religion, race or group, violence/violence against children; infringement of intellectual property rights; trading of prohibited goods/services; terrorism and/or radicalism; separatism and/or dangerous prohibited organizations; violations of data security; violations of consumer protection; violations in the health field; and violations related to food and drug supervision.
6. Grace Period
Existing ESOs that were operating prior to the issuance of GR 71/2019 must register with MCIT within a period of one year.
GR 71/2019 is to be welcomed for abolishing the data localization requirement for Private ESOs. This requirement appeared doomed from the outset as it failed to take account of an inescapable reality, namely, that the internet industry (in all its permutations) is the most truly globalized of all industries. In reality, rather than promoting foreign investment in Indonesia, the localization requirement actually hampered it.
As regards personal data protection and the right to be forgotten, while the new rules in GR 71/2019 may impose additional burdens on business, they are nevertheless broadly in line with the data privacy requirements of GDPR, whose provisions many Indonesian multinational companies and international companies operating in Indonesia will already be familiar with.
The influence of GDPR on data privacy regimes around the world cannot be overstated at the present time, given that (1) it applies throughout the EU, which includes four of the world’s 10 largest economies and accounts for around 22 percent of global GDP, according to the IMF; and (2) it has extraterritorial effect on companies based outside the EU that offer goods or services to data subjects situated in the EU and/or monitor the behavior of such data subjects.
This has led to a domino effect as an increasing number of countries, such as Japan, Brazil and Thailand, adopt strict personal data protection legislation that is directly modeled on or is similar to GDPR. In addition, the U.S. state of California has adopted the Consumer Privacy Act (CCPA), many of whose provisions overlap with GDPR, while a number of other U.S. states are currently considering tighter data privacy legislation. South Korea also has stringent data privacy legislation, although this predated GDPR by a number of years. Consequently, given this trend, the personal data provisions of GR 71/2019 (as well as the Personal Data Protection Bill) are far from revolutionary by international standards.
As for the Government’s powers to block access to negative content under Article 96 paragraph b GR 71/2019, no guidance is afforded as to the precise scope or extent of “public disquiet” and “public order.” Thus, these terms are clearly open to subjective interpretation by the Government. In this regard, it is to be hoped that the authorities will exercise their discretion prudently and sparingly so as not to impose undue burdens and disruption on internet-based companies.
 Government Regulation No. 71 of 2019 on Electronic Systems and Transactions (Peraturan Pemerintah Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem dan Transaksi Elektronik).
 Government Regulation No. 82 of 2012 on Electronic Systems and Transactions (Peraturan Pemerintah Nomor 82 Tahun 2012 Tentang Penyelenggaraan Sistem dan Transaksi Elektronik).
 Minister of Communications and Informatics Regulation No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika No. 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik).
 EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
 Law No. 19 of 2016 on the Amendment of Law No. 11 of 2008 on Electronic Information and Transactions (Undang-undang No. 19 Tahun 2016 Tentang Perubahan atas Undang-undang Nomor 11 Tahun 2008 Tentang Informasi dan Transaksi Elektronik).
This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.