The Indonesian government recently issued Regulation No. 82 of 2012 on the Operation of Electronic Systems and Transactions. The regulation is the first relating to Law No. 11 of 2008 on Electronic Information and Transactions. There are various requirements relating to areas such as:

  • registration/certification: the registration and certification of public electronic systems, registration of software for public services and electronic agents, and certification of all hardware;
  • data centres: data centres and disaster recovery centres for public services having to be in Indonesia;
  • source code: the provision or escrow of source code by providers of bespoke software;
  • information and features: the provision of information and features and data protection;
  • SLAs, policies, reporting and monitoring: certain service level and other agreements and policies being in place, as well as mandatory reporting and monitoring;
  • employment: the employment of Indonesian citizens in certain cases; and
  • transactions, signatures and domains: electronic transactions, electronic signatures and domain names.

Background

Law No. 11 of 2008 on Electronic Information and Transactions largely reflected the model law on e-commerce issued by the United Nations Commission on International Trade Law and dealt with cybercrime and data security as well as recognising the legitimacy of electronic transactions. The law, itself the subject of much debate prior to it being passed, has been used to bring a number of high-profile charges but has also been the subject of judicial review.

Regulation No. 82 of 2012 (the “Regulation”) now sets out a number of very significant requirements in relation to electronic certification, electronic systems, electronic transactions, electronic agents, electronic signatures and domain names. The Regulation applies broadly to individuals, government bodies or companies that provide and/or operate, for the purpose of providing services to users, devices and electronic procedures used for the purpose of preparing, collating, processing, analysing, storing, displaying and disseminating electronic data that are capable of being understood by any relevant person (“Electronic Systems Providers”).

Electronic Systems Providers are required to comply with the provisions of the Regulation. However, further regulations will need to be adopted to govern many of the requirements, and those further regulations are expected to come into effect by 15 October 2017.

Failure to comply with the provisions contained in the Regulation will result in written warnings, administrative fines (the subject of future regulations), services having to be temporarily suspended and/or being removed from the register where registration is required.

Registration and certification

The Regulation refers to two categories of services provided by Electronic Systems Providers: (1) the provision of services for public use; and (2) the provision of services for non-public use. The Regulation is silent on exactly what amounts to public use and non-public use, and it is likely that the distinction will be clarified by subsequent regulation.

The Regulation requires Electronic Systems Providers, which provide services for public use, to register with the Ministry of Communication and Information Technology (Menteri Komunikasi dan Informatika) (“MCIT/Kominfo”).

Registration is required prior to the provision of such services or, for companies already providing such services at the date of the Regulation, by 15 October 2013. Electronic Systems Providers that provide services for public use must also:

  • obtain a certificate of worthiness (Sertifikat Kelaikan Sistem Elektronik); and
  • register the software used by them in the provision of those services.

Providers of systems designed to carry out certain automated functions in relation to electronic information (electronic agents) are also required to register with the MCIT/Kominfo.

A number of requirements apply in relation to hardware used by Electronic Systems Providers, including a requirement to obtain from the MCIT/Kominfo a certificate which confirms that the hardware is fit for purpose. There is also a general requirement for Electronic Systems Providers to ensure systems are fit for purpose.

Requirement to have data centres and disaster recovery centres in Indonesia

The Regulation obliges Electronic Systems Providers that provide services to the public to have their data centres and disaster recovery centres in Indonesia. It is envisaged that further regulations will be issued in due course relating to this requirement.

Requirements relating to source code

Software providers which develop software specifically for use by an institution (i.e. companies or government bodies) are required to provide the source code for such software to the relevant institution or, if it is not possible to do so, the source code can be deposited with a third party/escrow agent.

There is also a requirement for Electronic Systems Providers to protect the confidentiality of source code for software they use.

The Regulation also permits inspection of such source code for investigation purposes.

Information, features and data protection

Electronic Systems Providers are required to communicate to users of their service certain minimum information and protect users and others against losses, for example by setting out the identity of the Electronic Systems Provider, terms and conditions and acceptance procedure for relevant contracts, privacy and data protection policies, rights, obligations and responsibilities of the parties and procedures for lodging complaints.

Additional information must be provided if an electronic agent (a system designed to carry out certain automated functions in relation to electronic information) is used.

Certain minimum features must also be provided, such as for correction, cancellation, confirmation, cessation and status checking.

The Regulation requires Electronic Systems Providers to ensure the protection of any personal data that they process. Such protection includes:

  • obtaining the necessary consent from the data subject prior to the processing of personal data;
  • ensuring that personal data are only used in accordance with the purpose communicated to data subjects at the time such consent is obtained; and
  • notifying data subjects in writing in the event that there is any unauthorised disclosure or processing of such data.

“Personal data” is not limited to information which by itself enables the identification of individuals and is broadly defined under the Regulation as any information of individuals that is kept, stored and protected as confidential information.

SLAs, policies, reporting and monitoring

Electronic Systems Providers must ensure that (i) a service level agreement (regarding the quality of service of the electronic systems provided to users) and (ii) an information safety agreement for IT services are in place. Each Electronic Systems Provider must also have in place a governance policy, an operational working procedure and a mechanism for carrying out regular audits.

In the event of system failures caused by a third party which have serious implications, Electronic Systems Providers must secure all data and immediately report such failure to the relevant monitoring body.

Electronic Systems Providers must also retain an audit record of all their activities (for inspection, dispute resolution, verification, testing and monitoring purposes) and put in place disaster prevention, disaster recovery and business continuity procedures and systems.

The MCIT/Kominfo and other relevant authorities (e.g. regulators) also have the power to monitor the systems used by Electronic Systems Providers.

Requirements relating to employment and the employment of Indonesian citizens

There is a requirement for Electronic Systems Providers to employ competent human resources.

In addition, Electronic Systems Providers are required to employ Indonesian citizens to operate strategic electronic systems, such as electronic systems for defence and national security, and are only permitted to employ expatriates in these positions if there are no Indonesian citizens with the necessary skill set.

Electronic transactions, electronic signatures and domain names

Providers of services which can be carried out through the use of a computer, computer network and/or other electronic media (“Electronic Transactions”) for public use must obtain a certificate of reliability (Sertifikat Keandalan) from an independent professional institution authorised by the Government to audit providers of Electronic Transactions.

The Regulation requires that any data relating to Electronic Transactions must be stored in Indonesia. Additionally, providers must use networks and gateways in Indonesia for Electronic Transactions involving more than one provider or, where that is not possible, may use overseas systems and facilities only with the required approvals from the relevant regulator(s).

The Regulation recognises the use of “electronic contracts” (or similar contracts) in Electronic Transactions. The Regulation also specifies information to be provided in respect of such contracts, i.e. identity of relevant parties, prices and fees, cancellation procedures, right to refund and/or return products (and time limits for doing so) and applicable law governing the Electronic Transaction.

Providers of Electronic Transactions must also obtain an electronic certificate in relation to their use of electronic signatures in electronic contracts. The electronic certificate must be issued by a certification provider (domestic or foreign) approved by the MCIT/Kominfo. Users may, however, use certified or uncertified electronic signatures. All relevant information must be known to a signatory using an electronic signature, and the burden of proof rests on the provider in the case of misuse of electronic signatures. An additional acknowledgement from the signatory is therefore generally recommended.

Registration of domain names is on a “first come first served” basis by way of an application to the Domain Names Registry, or alternatively to a domain names registrar (a company or individual providing a domain name registration service). It is expected that further requirements relating to domain names will be issued.

Conclusion

While the Regulation clarifies some areas in relation to electronic certification, electronic systems, electronic transactions, electronic agents, electronic signatures and domain names, many organisations will face significant additional compliance requirements as a result.

Sakurayuki

In association with Hiswara Bunjamin & Tandjung