Significant Changes to Operator Classification, Registration Requirements, Data Localization Rules, Personal Data Protection, Right to Be Forgotten, and Government Authority to Block Access
An important new regulation on electronic systems has recently been issued, namely, Government Regulation No. 71 of 2019 (“GR 71/2019”, effective 10 October 2019), which revokes Government Regulation No. 82 of 2012.
It is important to note at the outset that the English term “electronic system” in this ABNR Legal Update is the direct translation of the Bahasa Indonesia term sistem elektronik, as used in GR 71/2019 and other relevant Indonesian legislation. In reality, however, what GR 71/2019 is primarily concerned with in this regard are network and information systems, rather than electronic systems as normally understood in English.
This is evident from the definition of “electronic system” provided by GR 71/2019 (as well as other relevant legislation), namely, “an electronic system is a set of electronic devices and procedures that functions to prepare, collect, process, analyze, store, present, publish, transmit and/or disseminate information.”
The key changes introduced by GR 71/2019 relate to the following issues:
- Classification of Electronic System Operators
- Registration of Electronic System Operators
- Data Localization
- Personal Data Protection and Right to Be Forgotten
- Government Authority to Block Access to Negative Content
1. Classification of Electronic System Operators
Article 2 GR 71/2019 differentiates between two types of electronic system operator (“ESO”), namely a State-sector ESO and a Private ESO:
- A State-sector ESO is a state institution, or an agency designated by a state institution, that operates an electronic system, with the exception of those state institutions that are responsible for regulating and supervising the financial sector.
- A Private ESO is a private individual, business entity or community that operates an electronic system.
A Private ESO includes the following:
- An ESO that is regulated or supervised by a state ministry or institution in accordance with law;
- An ESO that operates a portal, site or online application for the following purposes:
  - offering and/or trading of goods and/or services;
  - financial transaction services;
  - transmission of paid digital material or content via a data network, whether downloadable via a portal or site, email transmission, or via another application to the user’s device;
  - communications services, such as short messaging, voice calls, video calls, email, online chat on a digital platform, networking services, and social media;
  - search engine services, and the provision of electronic information in the form of text, voice, image, animation, music, video, film or games, or a combination of parts of these; and/or
  - processing personal data for operations involving the provision of electronic transaction-related services to the public.
2. Mandatory Registration of ESOs
Prior to the issuance of GR 71/2019, State-sector ESOs were required to register with the Ministry of Communications and Informatics (“MCIT”), while Private ESOs were not so required.
Now, both State-sector ESOs and Private ESOs are required to register with MCIT prior to their electronic systems being made accessible to users.
An ESO is required to apply to MCIT for registration using the integrated electronic licensing service operated by MCIT. However, it is unclear how this obligation can currently be applied to foreign ESOs as the MCIT’s online system only accommodates the registration of ESOs that are Indonesian private individuals and entities. We are currently seeking clarification on this issue from MCIT.
3. Data Localization
In a significant change from the now revoked Government Regulation No. 82 of 2012, Article 21 GR 71/2019 specifically permits a Private ESO to locate an electronic system and electronic data outside the territory of Indonesia, subject to the following conditions:
- the location of the electronic system and electronic data outside of Indonesia does not diminish the effectiveness of the supervision conducted by a relevant state ministry or institution and law enforcement agencies; and
- access to the electronic system and electronic data must be provided for the purpose of supervision and law enforcement, in accordance with law.
4. Personal Data Protection and Right to Be Forgotten
4.a. Personal Data Protection
Before discussing the significant changes related to personal data protection that are introduced by GR 71/2019, it is important to note two things:
- Indonesia already has quite detailed legislation in place on personal data protection, namely, Minister of Communications and Informatics Regulation No. 20 of 2016. Under the transitional provisions of GR 71/2019, this regulation remains in effect for the time being. However, as GR 71/2019 incorporates a new set of general principles and requirements related to personal data protection, it is unnecessary to further consider Reg. 20 of 2016 in this ABNR Legal Update.
- Comprehensive new legislation on personal data protection has been under deliberation in Indonesia’s House of Representatives (DPR) for some four years. The Personal Data Protection Bill (the “Bill”) has now been carried over from the previous House and may well be enacted during the term of the current House. The Bill draws heavily on the European Union’s General Data Protection Regulation (“GDPR”) and this is also reflected in the provisions of GR 71/2019 on personal data protection, which are taken virtually verbatim from the Bill. However, as there is as yet no firm timeline for the enactment of the Bill and it may thus undergo further revision, in this ABNR Legal Update we shall merely cross-reference the provisions of GR 71/2019 on personal data protection with the equivalent provisions of the Bill and GDPR.
Under GR 71/2019, personal data protection is primarily governed by Article 14, the provisions of which are virtually identical to Articles 16 and 17 of the Bill. The influence of GDPR is clear throughout Article 14. Besides being reflected in the substance of Article 14, it is also evident from the introduction of the GDPR concept of “personal data controller” (pengendali data pribadi) for the first time in Indonesian legislation. Unfortunately, no definition or explanation is provided as to what precisely is meant by a “personal data controller.” However, it is defined by the Bill as “ ... a party that determines the purposes of and controls the processing of personal data” (broadly similar to the GDPR definition).
Surprisingly, GR 71/2019 does not refer to the concept of “data processor,” which constitutes an important part of the overall GDPR scheme. However, this concept is covered by the Bill, which defines a “data processor” as a “party that processes personal data on behalf of a personal data controller.”
As to the substance of Article 14, it incorporates the new definition of “personal data” that is provided in the Bill (broadly similar to the GDPR definition), namely, “Personal data are all data related to a person, whether identified or capable of being identified using that data or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means.”
Further, for the first time in Indonesian legislation, Article 14(1) GR 71/2019 refers to a general principle of personal data protection (taken from Article 16(2) of the Bill, broadly similar to Article 5 GDPR), which may be summarized as follows:
Personal data may only be collected on a restrictive, specific and lawful basis with the knowledge and consent of the data subject; personal data may only be processed in accordance with the purpose for which they are collected; the rights of the data subject must be guaranteed; personal data must be accurate, comprehensive, not misleading, up to date, accountable, and have regard to the purposes for which they are processed; processing must ensure the security of personal data from loss, misuse, unauthorized access and disclosure, and changes or damage; notice must be provided of the purpose of personal data collection and processing, and of security breaches; and personal data must be destroyed and/or erased after the expiry of the retention period, save as otherwise required by law.
Article 14(3) GR 71/2019 then replicates Article 17 of the Bill (broadly similar to Article 6 GDPR) on the lawfulness of personal data collection and processing. Under Article 14(3), personal data may only be processed based on the legitimate consent of the data subject for one or more specific purposes of which the data subject has been informed. In addition, personal data may be processed where this is necessary:
- for the performance of a contract to which the data subject is party or in order to fulfill a request of the data subject prior to entering into the contract;
- to comply with an obligation that is imposed on the data controller by law;
- to fulfill the vital interests of the data subject;
- for the exercise of authority vested in the data controller by law;
- for the fulfillment of a public service obligation to which the data controller is subject in the public interest; and/or
- for the pursuit of a legitimate interest of the data controller and/or the data subject.
4.b. Right to Be Forgotten (Right to Delisting and Right to Erasure)
Once again drawing on GDPR, GR 71/2019 further develops the general “right to be forgotten” that was first established by the Electronic Information and Transactions Amendment Law. It requires an ESO to delete electronic information and/or an electronic document that is within its control and which is no longer relevant. Such requirement may be based upon a court order or arise at the request of the data subject, depending on whether the specific right being exercised is the Right to Delisting or the Right to Erasure:
- Right to Delisting – this refers to deletion of data from a search engine. In order to exercise the right to delisting, the data subject must obtain a delisting order from the court.
- Right to Erasure – this may be exercised upon request by the data subject in the case of personal data:
  - that is collected and processed without the consent of the data subject;
  - the consent for which has been withdrawn by the data subject;
  - that is collected and processed in an unlawful manner;
  - that is no longer relevant to the purpose for which it was originally collected, having regard to the pertinent agreement and/or the provisions of the laws and regulations;
  - for which the permitted utilization period has expired, as stipulated in the pertinent agreement and/or the provisions of the laws and regulations;
  - whose disclosure by the ESO has inflicted loss on the data subject.
5. Government Authority to Block Access to Negative Content
Article 95 GR 71/2019 provides that the Government is authorized to prevent the dissemination and use of electronic information and/or an electronic document by means of:
- blocking of access; and/or
- an instruction to an ESO to block access.
Under Article 96, these measures may be taken in respect of electronic information and/or an electronic document that:
- violates the provisions of the laws and regulations;
- causes public disquiet and disturbs public order; or
- explains how to access, or provides access to, electronic information and/or an electronic document that contains content that is prohibited by law.
The Elucidation of Article 96 explains that prohibited content includes electronic information and/or an electronic document that contains or promotes any of the following elements:
pornography, slander, fraud, hatred against a particular ethnic group, religion, race or group, violence/violence against children; infringement of intellectual property rights; trading of prohibited goods/services; terrorism and/or radicalism; separatism and/or dangerous prohibited organizations; violations of data security; violations of consumer protection; violations in the health field; and violations related to food and drug supervision.
6. Grace Period
Existing ESOs that were operating prior to the issuance of GR 71/2019 must register with MCIT within a period of one year.
GR 71/2019 is to be welcomed for abolishing the data localization requirement for Private ESOs. This requirement appeared doomed from the outset as it failed to take account of an inescapable reality, namely, that the internet industry (in all its permutations) is the most truly globalized of all industries. In reality, rather than promoting foreign investment in Indonesia, the localization requirement actually hampered it.
As regards personal data protection and the right to be forgotten, while the new rules in GR 71/2019 may impose additional burdens on business, they are nevertheless broadly in line with the data privacy requirements of GDPR, whose provisions many Indonesian multinational companies and international companies operating in Indonesia will already be familiar with.
The influence of GDPR on data privacy regimes around the world cannot be overstated at the present time, given that (1) it applies throughout the EU, which includes four of the world’s 10 largest economies and accounts for around 22 percent of global GDP, according to the IMF; and (2) it has extraterritorial effect on companies based outside the EU that offer goods or services to data subjects situated in the EU and/or monitor the behavior of such data subjects.
This has led to a domino effect as an increasing number of countries, such as Japan, Brazil and Thailand, adopt strict personal data protection legislation that is directly modeled on or is similar to GDPR. In addition, the U.S. state of California has adopted the Consumer Privacy Act (CCPA), many of whose provisions overlap with GDPR, while a number of other U.S. states are currently considering tighter data privacy legislation. South Korea also has stringent data privacy legislation, although this predated GDPR by a number of years. Consequently, given this trend, the personal data provisions of GR 71/2019 (as well as the Personal Data Protection Bill) are far from revolutionary by international standards.
As for the Government’s powers to block access to negative content under Article 96 paragraph b GR 71/2019, no guidance is afforded as to the precise scope or extent of “public disquiet” and “public order.” Thus, these terms are clearly open to subjective interpretation by the Government. In this regard, it is to be hoped that the authorities will exercise their discretion prudently and sparingly so as not to impose undue burdens and disruption on internet-based companies.