Under Government Regulation No. 82 of 2012 (GR 82), electronic system operators that provide a "public service" were required to have onshore data centres and disaster recovery centres by 15 October 2017.
The definition and scope of the term "public service" were never clarified. Extensive lobbying from cloud service providers and the business community (the latter on costs for business) and different approaches taken by sectoral regulators have all followed. As a result, in October 2017, the Ministry of Communication and Informatics (MOCI) indicated that it would revise GR 82 to introduce data categorization and lessen, where possible, the requirements for data localization.
In February 2018, MOCI issued a draft amendment to GR 82 (Draft Amendment) for public comment and feedback. The Draft Amendment, whilst helpful in some respects in clarifying that the data localization requirements only apply to Strategic Electronic Data (see below), also requires further clarification in many other areas, such as the coverage of "Indonesian citizens' data" and the definition of public service.
The Draft Amendment introduces:
A broad definition of electronic system operators that provide a "public service"
The definition of electronic system operators that provide a "public service" is still very broad and basically can cover all websites that collect or process information. In addition, the definition does not distinguish between public facing and non-public facing systems and potentially, given the data categorization issues (see below), this absence of a separation might mean that Indonesian citizens' personal data cannot leave Indonesia.
Mandatory Registration Requirements
The Draft Amendment emphasizes the existing electronic system registration requirements, which require electronic system operators that provide a public service to register with MOCI, although it implies that registration may be voluntary for electronic system operators that provide a non-public service. Note that currently the MOCI online system for the registration of electronic system operators can only accommodate onshore electronic system operators.
A brand new concept of data categorization
There are 3 types of electronic data as follows:
- Strategic Electronic Data - Data that strategically affects public interests, public services, the continuity of the State's administration, or the State's defence and security, eg, intelligence data, population data or Indonesian citizens' data.
While the definition is broad and further clarification is needed, presumably it is not the Government's intention that every online application with an Indonesian citizen's identity card is considered strategic, nor should large companies which obtain significant amounts of Indonesian citizens' data be caught; rather, what should be caught is the centralization of such data by the Government.
Strategic Electronic Data can be managed, processed and stored using cloud computing but the cloud network must be located in Indonesia. Strategic Electronic Data must not be delivered, exchanged or copied to overseas locations.
- High Electronic Data - Data that has a limited impact on the interests of electronic data owners and their sectors, eg, data related to a company's financial records or business data. High Electronic Data can be processed and stored offshore, but must be made accessible and be able to be processed in Indonesia for supervision and law enforcement purposes.
- Low Electronic Data - Electronic Data that is not categorized as Strategic Electronic Data or High Electronic Data, eg, a company's human resources or manpower administration, and public information. Low Electronic Data can be processed and stored offshore, but must be made accessible and able to be processed in Indonesia for supervision and law enforcement purposes.
Onshore data centre and disaster recovery centre requirements
There is no longer a requirement for electronic system operators that provide a public service to have data centres and disaster recovery centres in Indonesia. So, treatment will depend on the type of data that is collected and processed.
Implementing provisions for the right to be forgotten
The Draft Amendment enforces the right to be forgotten provisions under the EIT Law (ie, Law No. 11 of 2008 on Electronic Information and Transaction), namely:
- The right to be forgotten can only be exercised based on a court decision;
- Electronic system operators must have a deletion mechanism and delete irrelevant electronic information and/or documents within their control at the request of the relevant data owner when such request is accompanied by the relevant court order; and
- An electronic system operator that operates a search engine must delete irrelevant electronic information and/or documents, when notified of a court decision requiring deletion.
The Draft Amendment also contains implementing provisions for the Government's right to terminate access to unlawful online content.
The Draft Amendment only provides administrative sanctions, ie, warning letters, fines, temporary suspension of operations and ultimately termination of access.
Status of Amendment
The Draft Amendment has not yet been enacted, nor has there been a formal announcement of when the draft will enter into force.