Jakarta
July 2018

Authors:
Mark Innis, Foreign Legal Consultant, +62 21 2960 8618, email@example.com
Adhika Wiyoso, Senior Associate, +62 21 2960 8609, firstname.lastname@example.org

General Data Localization Requirements in Indonesia

Background and Overview

Indonesia has had data localization requirements since the enactment of Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions ("GR 82"). GR 82 was enacted on 15 October 2012, with a transitional provision of five years for existing Electronic System Operators (as defined below) to comply with the regulations.

Even with the five-year transitional period, Electronic System Operators had difficulties fulfilling the data localization requirements; for example, multinational companies tend to have global data center arrangements with their offshore group entities. Electronic System Operators have asked the government, through the Ministry of Communication and Informatics ("MOCI"), to clarify the requirements and provide leniency. As a response, the government is currently working on a draft amendment to GR 82. At the time of writing, there has been no official announcement from the government on when the amendment will be issued; however, this is expected shortly.

This article covers the general data localization requirements, explores the uncertainties, including the interpretation of "public services", and provides a brief summary of the key points in the upcoming amendment to GR 82. This article also includes information on the current lack of enforcement of the data localization requirements.

Definition of Electronic Systems and Electronic System Operators

Under GR 82:

(i) An "Electronic System" is defined as a series of electronic sets and procedures which functions to prepare, collect, process, analyze, store, display, announce, send and/or disseminate electronic information.
(ii) An "Electronic System Operator" is defined as any person, state entity, business entity and community that provides, manages and/or operates an Electronic System whether independently or collectively for an Electronic System user for its own use and/or another party's use.

Based on the above definitions (which are broad in nature), any person or entity that manages and operates Electronic Systems (such as websites, applications, email, and messenger), and provides those systems to other parties, may be considered as an Electronic System Operator.

Data Center and Disaster Recovery Center

Under GR 82, Electronic System Operators that provide public services were required by October 2017 to have data centers and disaster recovery centers in Indonesia as part of a business continuity plan.

Based on the above provisions, the obligation to have a data center and a disaster recovery center in Indonesia only applies to Electronic System Operators that provide public services. However, there is no definition of public services under GR 82 (see the Public Services section below).

These data localization requirements are replicated in Minister of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ("Data Protection Regulation"), under which Electronic System Operators that provide public services must have a data center and disaster recovery center in Indonesia. Like GR 82, the Data Protection Regulation does not provide a definition of "public services".

Public Services

Definition and Scope of Public Services

The definition and scope of public services are provided under Law No. 25 of 2009 on Public Services ("Public Services Law") and Government Regulation No. 96 of 2012 on the Implementation of the Public Services Law ("GR 96").

The Public Services Law defines:

(i) "Public Services" as activities or a series of activities for the purpose of fulfilling goods and services needs for every citizen and resident in accordance with the laws and regulations, and/or administrative services provided by public services providers.
(ii) "Public Services Providers" as state institutions, corporations, independent agencies established by law for public services activities and other legal entities established solely for public services activities.

The concept of "corporations" above is elaborated in GR 96 as follows:

(i) Public Services Providers in the form of "corporations" cover state-owned entities (Badan Usaha Milik Negara), regional government-owned entities (Badan Usaha Milik Daerah) and/or implementation working units (Satuan Kerja Penyelenggara).
(ii) Public Services Providers in the form of other legal entities (including private corporations or foundations) implementing a state mission (i.e., services that are meant to be provided by government institutions) cover legal entities providing public services based on:
    (a) a subsidy and/or other similar support; and
    (b) norms, standards, procedures and criteria or licenses in accordance with the relevant services as stipulated by laws and regulations (e.g., government-funded hospitals, private schools with government aid).

Concept of State Mission

The provision of public services refers to a state mission and generally refers to services that are deemed a necessity for all members of society or required by public policy.

In the case of the provision of public goods or services, the Public Services Law and GR 96 specify that these services may be provided by (i) the government and funded by the State Budget, or (ii) state-owned enterprises whose capital contribution comes from the state or a region, or (iii) any other entity, either funded by the State or not, but which bears a state mission.

Definition of "Public Services" in Connection to Data Centers and Disaster Recovery Centers

GR 96 defines "State Missions" as certain activities, or to achieve certain purposes in relation to public interest and benefit – this is a literal translation of the wording in GR 96, which is still unclear. Accordingly, it appears that "public services" means services provided by government institutions, state/government-owned entities or other legal entities engaged for a state mission (as opposed to services of private entities that generally are provided to the public). Although GR 96 indicates that certain activities (e.g., banking services and insurance) are examples of public services, this does not make the position clear.

In the absence of the government (especially the MOCI) providing a definition of "public services", there has been lobbying against a broad definition. In particular, businesses and their advisers have sought to limit the definition of public services under the Public Services Law and GR 96 to services effectively funded by the State.

In any case, currently there is no restriction on following a "mirroring" approach - that is, replicating data stored in offshore data centers and storing a copy in data centers located in Indonesia. We are aware that companies in Indonesia have implemented this approach to replicate required data in local data centers without significant issues. As long as the data that is being stored in Indonesia is the same as what is stored in the offshore data center, this should not be an issue.

The same treatment (i.e., no restriction on mirroring arrangements) is also implemented in other sectors, such as the financial sectors (e.g., banking, insurance, payment and other financial services). However, these sectors have specific requirements to store data outside of Indonesia (albeit not specifically on mirroring arrangements).

Definition of "Public Services" and Registration of Electronic System

The narrow interpretation of the "public services" definition as outlined above has not yet been accepted by the MOCI, for example, in the context of electronic system registration. While the MOCI has not released any official statements on the interpretation of "public services" for registration of electronic systems, both in verbal conversations and in practice, the MOCI has taken a broad interpretation of the term "public services" for the purposes of electronic system registration.

The MOCI regulation on electronic system registration only requires Electronic System Operators that provide public services to register their electronic systems with the MOCI. Notwithstanding the uncertainty in the definition of "public services", in practice, the MOCI has imposed the registration requirement on any local Electronic System Operators that generally provide their services to the public and/or make their services available to the public (such as social media companies, financial institutions, banking services, insurance companies etc.).

Further, the Capital Investment Coordinating Board ("BKPM") will specifically state the electronic system registration requirements under the principle licenses of companies that will offer their electronic system access to the public, e.g., web portal companies. When a web portal company applies for a BKPM business license, BKPM will ask for proof of the registration with the MOCI as an Electronic System Operator.

Amendment to GR 82

As mentioned above, near the end of the five-year transitional period of GR 82, the business community extensively lobbied the Government (e.g., the MOCI) to provide greater clarity on the data localization requirements. In October 2017, the MOCI indicated that it would revise GR 82 to introduce data categorization, and lessen, where possible, the requirements for data localization.

The draft amendment to GR 82 introduces, among other things:

(i) A broad definition of Electronic System Operators that provide "public services"

The list includes Electronic System Operators (a) that are regulated or monitored by sectoral agencies and regulators and (b) that own Electronic Systems that are an online portal, have a facility for online payment, process electronic information containing a deposit of funds, are used to process personal data for operational activities serving the public in connection with electronic transaction activities, are used to deliver paid digital material through a data network, or provide a communication service.

This is still a very broad categorization. For example, it will have an impact on all websites that collect or process information, it does not distinguish between public-facing and non-public-facing systems, and potentially, given the data categorization issues raised below, it might still mean that Indonesian citizens' personal data cannot leave Indonesia.

(ii) Leniency on onshore data center and disaster recovery center requirements

Under the draft amendment to GR 82, there is no longer a requirement for Electronic System Operators that provide public services to have data centers and disaster recovery centers in Indonesia in all circumstances.
However, Electronic System Operators that provide public services must effectively process and store Strategic Electronic Data (if any - as defined below) in onshore data centers and have onshore disaster recovery centers. In other words, Electronic System Operators that provide public services can process and store any electronic data (other than Strategic Electronic Data) offshore.

(iii) Data categorization

The draft amendment to GR 82 introduces a new concept of data categorization. There are three types of electronic data:

(a) Strategic Electronic Data: Data that strategically affects the public interest, public services, the continuity of the State's administration, or the State's defense and security. For example, intelligence data, population data or Indonesian citizens' data, and state defense and security data.

While this is broad, and clarification is required to ensure that there is no misunderstanding, presumably it is not the government's intention that every online application with an Indonesian citizen's identity card is considered strategic, nor should large companies which obtain significant amounts of Indonesian citizens' data be caught; rather, what should be caught is the centralization of such data by the government.

Strategic Electronic Data can be managed, processed and stored through cloud computing (e.g., a cloud server), but the cloud network must use electronic system networks in Indonesia (e.g., managed, processed and stored in a local cloud server). Also, Strategic Electronic Data must not be delivered, exchanged or copied to overseas locations.

Further, sectoral agencies and regulators can identify what data should be categorized as Strategic Electronic Data, but whether or not they will (e.g., in the oil and gas sector) is unclear.
While it seems that the draft amendment to GR 82 gives sectoral agencies and regulators broad authority to identify (not determine) what data should be categorized as Strategic Electronic Data under their sectoral authorities, the relevant sectoral agencies and regulators must request the MOCI to determine (read confirm) the identified data as Strategic Electronic Data.

(b) High Electronic Data: Data that has a limited impact on the interests of electronic data owners and their sectors. For example, data related to a company's financial records or business data.

High Electronic Data can be processed and stored offshore, but must be made accessible and must be able to be processed in Indonesia for supervision and law enforcement purposes. Further, we should note that sectoral agencies and regulators can directly determine (not identify only) what data should be categorized as High Electronic Data under their sectoral authorities.

(c) Low Electronic Data: Electronic data that is not categorized as Strategic Electronic Data and High Electronic Data. For example, a company's human resources or manpower administration, and public information.

Low Electronic Data can be processed and stored offshore, but must be made accessible and must be able to be processed in Indonesia for supervision and law enforcement purposes. As with the High Electronic Data, sectoral agencies and regulators can directly determine (not identify only) what data should be categorized as Low Electronic Data under their sectoral authorities.

Conclusion

The implementation of the data localization requirements is not without issue and uncertainty. The government has heard the arguments and complaints from the business community and is currently preparing an amendment to GR 82, which is expected to be more liberal on the data localization requirements and at the same time provide more certainty to the business community.

Prior to the enactment of the amendment to GR 82, companies that engage in business lines that fall under the jurisdiction of the MOCI need to register their electronic systems with the MOCI and show proof that they are complying with the data localization requirements (whether by owning data center infrastructure or leasing local infrastructure from a provider).

For the upcoming amendment to GR 82, Electronic System Operators must identify the type of data that they control and store. While the amendment to GR 82 would allow Electronic System Operators to store data offshore, Electronic System Operators will need to ensure that there is no Strategic Electronic Data being stored offshore.

***

www.hhp.co.id

HHP Law Firm
Pacific Century Place, Level 35
Sudirman Central Business District Lot. 10
Jl. Jenderal Sudirman Kav. 52-53
Jakarta 12190
Indonesia
Tel: +62 21 2960 8888
Fax: +62 21 2960 8999

©2018 Hadiputranto, Hadinoto & Partners is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee similar outcomes.