The Indonesian Minister of Communication and Informatics ("MOCI") is working on a draft regulation on the governance of private scope electronic system organizers (the "Draft Regulation").

If enacted, the Draft Regulation would have a significant impact on how electronic system organizers ("ESOs"), specifically private scope ESOs ("Private ESOs"), implement their activities in Indonesia. It could also be a cornerstone for the emerging regulatory regime for electronic systems and electronic system organizers, in that it is the first time the MOCI has clearly imposed the requirement that foreign parties outside Indonesia register with the MOCI.

The Draft Regulation is an implementing regulation for Law No. 11 of 2008 dated April 21, 2008, as amended by Law No. 19 of 2016 dated November 25, 2016, regarding Electronic Information and Transactions, and Government Regulation No. 71 of 2019 regarding Organization of Electronic Systems and Transactions, dated October 10, 2019.

According to the version we have seen, the Draft Regulation covers three main items:

  1. Registration process for Private ESOs.
  2. Obligations and responsibilities of Private ESOs in handling prohibited Electronic Information ("EI") and/or Electronic Documents ("EDs").
  3. Imposition of sanctions and normalization of electronic systems that contain prohibited EI/EDs.

Private Electronic System Organizers

A Private ESO is defined as an electronic system that is organized by a person, business entity or community. As stipulated in the Draft Regulation, certain Private ESOs must register with the MOCI before the electronic system is used by electronic system users. Registration with the MOCI is conducted through the Indonesian Online Single Submission ("OSS") system.

The Draft Regulation specifies that a Private ESO is required to register with the MOCI if it meets the following criteria:

  1. regulated and supervised by the relevant ministry or institution according to the provisions of laws and regulations; or
  2. has an online portal, site, or application through the internet that is used for:
    1. providing, managing, and/or operating the offering and/or trading of goods and/or services;
    2. providing, managing, and/or operating financial transaction services;
    3. delivery of paid digital materials or content through a data network either by way of downloads through a portal or site, delivery through electronic mail, or through other applications to user devices;
    4. providing, managing, and/or operating communication services including but not limited to short messages, audio calls, video calls, electronic mail, and online conversation in the form of a digital platform, network service, or social media;
    5. search engine service, service for the provision of electronic information in the form of writing, audio, drawing, animation, music, video, film, or game, or a combination of part and/or all of them; and/or
    6. personal data processing for the operational activities of public services related to electronic transaction activities.

A Private ESO is registered by completing a registration form that includes:

  1. general description of the electronic system operation;
  2. statement of willingness to ensure information security is in accordance with the provisions of laws and regulations;
  3. statement of willingness to conduct personal data protection in accordance with the provisions of laws and regulations.

The general description of the electronic system operation as mentioned above will consist of:

  1. name of the electronic system;
  2. sector of the electronic system;
  3. URL website;
  4. domain name system and/or IP server address;
  5. description of the business model;
  6. brief description of the electronic system function and business process;
  7. explanation of the personal data processed; and
  8. explanation of hosting location.

Registration of Foreign Private Electronic System Organizers

One of the major changes introduced by the Draft Regulation is the express requirement that Foreign Private ESOs (Penyelenggara Sistem Elektronik Lingkup Privat Asing) that meet the criteria above, and the additional criteria of "conducting business and/or activity in Indonesia," register with the MOCI. The Draft Regulation does not provide further explanation of the scope of activity a Private ESP must meet to be considered as "conducting business and/or activity in Indonesia".

It is possible the threshold of 1,000 transactions in one year and/or the delivery of 1,000 or more packages in a year will be used. These thresholds are stipulated in Minister of Trade (MOT) Regulation No. 50 of 2020 regarding Provisions on Business Licensing, Advertisements, Guidance and Supervision of Business Practitioners in Trade Through Electronic System, dated May 19, 2020 ("MOT Reg. 50/2020"). MOT Reg. 50/2020 requires e-commerce marketplace platforms outside Indonesia that meet the above threshold to have a representative office in Indonesia. However, it remains to be seen whether the MOCI will use the threshold set by MOT Reg. 50/2020 or set its own threshold or other limitations.

A Foreign Private ESO that is required to register with the MOCI under the Draft Regulation, in addition to completing the registration form and providing information as with the case of Private ESOs in general as discussed above, must also provide the following information:

  1. identity of the Foreign Private ESO;
  2. identity of the company management and/or identity of the person in charge; and
  3. certificate of domicile and/or certificate of incorporation.

Despite the criteria and additional criteria discussed above for Foreign Private ESOs that are required to register with the MOCI, the Draft Regulation does not actually provide a definition of a Foreign Private ESO.

New Requirement - MOCI Approval

The Draft Regulation states that the management, processing, and/or retention of an electronic system or electronic data outside of the territory of Indonesia will require the Private ESO to obtain the approval of the MOCI. This MOCI approval is in light of the requirements and considerations of Indonesian national interests, including the effectiveness of the supervision and enforcement of Indonesian law. This MOCI approval is a new concept under Indonesian laws and regulations. The Draft Regulation does not contain an exemption for Foreign Private ESOs, so it can be interpreted that Foreign Private ESOs that are required to register with the MOCI will also require the approval of the MOCI for the management, processing, and/or retention of an electronic system or electronic data outside Indonesia.

Evidence of Registration

A Private ESO that has successfully registered with the MOCI will be given a Private ESO Evidence of Registration that is valid for five years and must be extended afterward. Any change of information that was submitted during the registration process must be reported to the MOCI. A Private ESO registration application that fails to provide all the information required by the MOCI will be rejected. There does not appear to be a limit on the number of times a Private ESO can submit a registration application or a minimum time threshold for re-submission following a rejected application.

Prohibited Electronic Information and Electronic Documents

Private ESOs are obligated to ensure that their electronic system does not contain prohibited EI/EDs. Prohibited EI/EDs are categorized as follows:

  1. violating the provisions of laws and regulations;
  2. troubling the community and disturbing public order; and
  3. informing the method of or providing access to prohibited EI/EDs.

Private ESOs must ensure their electronic system does not facilitate the dissemination of prohibited EI/EDs. A Private ESO that facilitates the broadcasting, uploading, and/or exchange of EI and/or EDs by electronic system users (user-generated content) is obligated to have procedures in place regarding EI and/or EDs. Such procedures must at least cover the following points:

  1. rights and obligations of electronic system users in using the electronic system services;
  2. rights and obligations of the Private ESO in implementing the operation of the electronic system;
  3. provisions regarding liabilities related to EI and/or EDs uploaded by electronic system users; and
  4. availability of facilities and services for and resolution of complaints.

Private ESOs that facilitate user-generated content may be exempted from legal responsibilities resulting from the omission and/or error of its electronic system users to the extent that the Private ESOs have fulfilled all their obligations under the Draft Regulation.

Cloud Computing Services

A Private ESO that organizes cloud computing services is required to have procedures in place for EI and/or EDs to ensure its electronic system does not contain and/or facilitate the dissemination of prohibited EI/EDs. These procedures must at least cover the following points:

  1. rights and obligations of electronic system users in using the electronic system services;
  2. rights and obligations of the Private ESO in implementing the operation of the electronic system; and
  3. provisions regarding the liabilities of electronic system users in the context of storing EI and/or EDs on the cloud computing services.

The Draft Regulation allows various parties to request the termination of access to Prohibited IE/EDs found in a Private ESO's electronic system. Such parties are the community, government ministries or institutions, law enforcement bodies, and/or judicial courts.

Private ESOs are obligated to provide access to their electronic systems and/or EDs to:

  1. government ministries or institutions in the framework of supervision;
  2. law enforcement bodies in the framework of law enforcement, according to laws and regulations.

Sanctions

Failure to comply with the provisions in the Draft Regulation may subject Private ESOs to administrative sanctions in the form of written warnings, fines and/or termination of access to the Private ESO's electronic system. The Draft Regulation introduces the role of internet service providers (ISPs) in assisting the MOCI in terminating access to a Private ESO's electronic system in certain cases. The Draft Regulation also introduces a new term, "normalization" (normalisasi), for the return of access for sites that have had their access terminated. An application for normalization may be submitted to the MOCI by the relevant Private ESO.

The Draft Regulation is still a working draft and it is possible there will be additional amendments before it is finalized and enacted. There is no confirmed timeline for the enactment of the regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.