Communications policyRegulatory and institutional structure
Summarise the regulatory framework for the communications sector. Do any foreign ownership restrictions apply to communications services?
The key laws regulating Indonesia’s communications sector are, among others:
- Law No. 36 of 1999 on Telecommunications (the Telco Law);
- Law No. 11 of 2008 on Electronic Information and Transaction as amended by Law No. 19 of 2016 (the EIT Law); and
- Law No. 32 of 2002 on Broadcasting (the Broadcasting Law).
The Telco Law is further administered through a number of implementing regulations, which include:
- Government Regulation No. 52 of 2000 on Provisioning of Telecommunications;
- Government Regulation No. 53 of 2000 on Utilisation of Radio Frequency Spectrum and Satellite Orbit; and
- Government Regulation No. 82 of 2012 on Electronic Transaction and System Operation (GR 82/2012).
The Telco Law emphasises that the telecommunications sector operates under state control. In implementing the Telco Law, the Indonesian government must endeavour to improve the provision of telecommunications networks and services through effective policies and regulations, supervision and control.
The minister is responsible for administering the telecommunication laws and regulations. Currently, the relevant minister is the Minister of Communication and Information Technology (MCIT). The MCIT heads a three-tiered ministry. Below the MCIT, the Directorate General of Provisioning Post and Informatics, the Directorate General of Post and Informatics Equipment Resources, the Directorate General of Application on Information Technology and the Directorate General of Information and Public Communication are the second-tier administrative divisions. A number of subdivisions operate as the third tier, including the Directorate of Telecommunications and the Directorate of Broadcasting.
The MCIT has also established the Indonesian Telecommunications Regulatory Body (BRTI) to assist in the administration of the telecommunications sector. The MCIT specifically delegates its authority to regulate, supervise and control the provision of telecommunications networks and services to the BRTI, while maintaining the authority to formulate policies, regulate, supervise and control other fields of the telecommunications sector.
Foreign investment regulations also apply within the telecommunications sector. Under Law No. 25 of 2007 on Investment, foreign investment may only be undertaken via an Indonesian limited liability company established for the purpose of foreign investment. Such companies are commonly referred to as a Perusahaan Penanaman Modal Asing (PMA company). Depending on the line of business of the PMA company, its shares may be wholly owned by foreign nationals, either individual investors or foreign entities. PMA companies may also arise from a joint venture scheme under the co-ownership of foreign individuals (or entities) and one or more Indonesian partners.
Presidential Regulation No. 44 of 2016 on Lines of Business that are Closed and Lines of Business that are Conditionally Open for Investments (Negative List of Investments) imposes the foreign shareholding restrictions with maximum 67 per cent foreign ownership for a PMA company in the telecommunications sector in general, which shall include those engaging in the following business activities:
- the operator of the telecommunication networks, covering the provision of fixed network and mobile network operations (cellular, satellite or terrestrial);
- the operator of the telecommunication services, covering the:
- basic telephony services providers (telephony, facsimile, short message services, or multimedia messaging services);
- content services providers (ringtone, premium short message services, etc);
- internet services providers;
- data communication system providers;
- telephony internet services providers for the public;
- internet interconnection services (network access point) providers; and
- other multimedia services providers; and
- the operator of the telecommunications network that is integrated with the telecommunication services.
Nevertheless, with regard to the provision of telecommunication network and infrastructure, the Negative List of Investment imposes further restrictions on the provision of telecommunication tower business, in which the telecommunication tower may only be provided and managed by a local (non-PMA) company. The Investment Coordinating Board should be consulted regarding shareholding restrictions applicable to other lines of businesses in the communications and informatics sectors on a case-by-case basis.Authorisation/licensing regime
Describe the authorisation or licensing regime.
The telecommunications licensing regime in Indonesia is divided into three categories for the provision of telecommunication networks, telecommunication services and special telecommunications. Currently, to fully integrate the business licensing process into the Online Single Submission (OSS) system, as required under Government Regulation No. 24 of 2018 on the Electronically Integrated Business Licensing Service (GR No. 24/2018), the MCIT issued MCIT Regulation No. 7 of 2018 on Electronically Integrated Business Licensing Services on Informatics and Communication (MCIT Regulation No. 7/2018). MCIT Regulation No. 7/2018 partially revoked telecommunication network and services provisioning regulations (as described below), specifically on the licensing provisions. Thus, currently all licensing processes are subject to the applicable procedures at the OSS system.
The previous licensing regime that was applicable for the provision of telecommunication networks and services (other than for special telecommunication) which requires a ‘principle licence’, followed by an operational licence, is no longer applicable and is only applicable for broadcasting business. The OSS system has introduced commitment-based licensing concept, in which every business entity is required to obtain a Business Identification Number, a Business Licence and a Commercial/Operational Licence before carrying out its business activity commercially. These requirements are also applicable for the telecommunication network and services business.
An application or a dismissal for licences in the communications and information technology sector will be issued via the OSS system within the same business day. Each licence issued under MCIT Regulation 7/2018 is considered as a ‘Business Licence’ (with conditional effectiveness). Subject to each type of telecommunication network and services, the commitments to fulfil the relevant obligations in writing will need to be submitted. The Business Licence will be considered as an effective commercial or operational licence, upon the satisfaction of commitments for each type of licence, as specifically regulated under MCIT Regulation 7/2018. The commitments must be completed within one year (for telecommunications network provision) or six months (for telecommunications services provision) as of the issuance of the Business Licence (with conditional effectiveness).
With regard to the commitment, the issued Business Licence will not be effective until the applicable commitment has been fulfilled. These commitments also include the obligation to:
- provide minimum construction commitment or network provisions for the first year of operations and for every five years;
- provide minimum services commitment or telecommunication services provisions for the first year of operations and for every five years;
- conduct operational feasibility test;
- obtain landing rights, if applicable; and
- obtain radio frequency spectrum utilisation licence, if applicable.
After all relevant commitments are satisfied, the Business Licence will be effective as a Commercial/Operational Licence and will be valid for an indefinite period, subject to annual evaluation by the MCIT and a comprehensive evaluation once every five years.
The provision of telecommunication networks and services are regulated separately by, respectively:
- MCIT Regulation No. 01/PER/M.KOMINFO/01/2010 as amended by MCIT Regulation No. 38 of 2014 and MCIT Regulation No. 7 of 2015 on the Provision of the Telecommunications Network (the Telecommunications Network Decree); and
- Minister of Transportation Decree No. KM. 21 2001 as amended by Minister of Transportation Decree No. KM. 30 2004, MCIT Regulation No. 07/PER/M.KOMINFO/04/2008, MCIT Regulation No. 31/PER/M.KOMINFO/09/2008 and MCIT Regulation No. 8 of 2015 on the Provisioning of Telecommunication Services (the Telecommunication Services Decree).
Generally, the operator of a telecommunication network is not limited, and permits may be obtained through evaluation by observing, among others, healthy business competition, investment protection, balance of ratio between supply and demand, and national efficiency. One exception is for the operation of networks requiring a certain allocation of radio frequency spectrum, regional code or a network access code. Such networks are limited and the procedure for obtaining a licence is conducted through selection (either comparative evaluation or tender) by the MCIT (except for existing telecommunications network operators that have obtained a licence to use a regional code or network access code, which will be subject to an evaluation).
Further, the telecommunication devices and equipment using 2.4GHz and 5.8 GHz frequency bands are subject to class licence.Flexibility in spectrum use
Do spectrum licences generally specify the permitted use or is permitted use (fully or partly) unrestricted? Is licensed spectrum tradable or assignable?
In Indonesia, licences to use radio frequency spectrum (spectrum licences) cover radio station licences (apparatus licences), radio frequency spectrum bandwidth licences (bandwidth licences) and class licences (attached to the telecommunication devices and equipment certification). Apparatus licences are granted by the MCIT through a technical analysis. Bandwidth licences are granted by the MCIT through a selection process, evaluation or conversion from apparatus licences. The selection process must be done together with the selection of the telecommunications network or service operation and after the issuance of the telecommunication network or service operation licences. The selection process can be conducted in two different forms: comparative evaluation or a tender. Separately, evaluation process is only applicable for the use of radio frequency for national security and defence. Spectrum licences for most of the cellular bands are granted as bandwidth licences. The spectrum licence will specify the radio frequency that is permitted to be used. The spectrum licences are in principle non-transferable, unless the transfer is approved by the MCIT (for bandwidth licences) or the Director General of Post and Informatics Equipment Resources (for apparatus licences). In the event that the ownership of a licence holder is transferred through an acquisition or there has been a merger between two licence holders, the transfer of the apparatus licence may be done after obtaining prior approval from the MCIT or Director General of Posts and Informatics Equipment Resources, as applicable. To date, the notable case on the transfer of licence is that being referred to in the MCIT’s approval on the merger between PT XL Axiata (XL) and PT Axis Telekom Indonesia (Axis), in which XL is the surviving entity. The MCIT approved XL’s acquisition of Axis’ spectrum licences provided that XL, as a surviving entity, returns the bandwidth licences for 2 × 10MHz in the 2.1GHz frequency band to the government so that it can be issued to another telecommunications operator under the selection process. If the spectrum licence is not used anymore, the spectrum licence must be returned to the MCIT.Ex-ante regulatory obligations
Which communications markets and segments are subject to ex-ante regulation? What remedies may be imposed?
The telecommunications network market is subject to ex-ante regulation through MCIT Regulation No. 03/PER/M.KOMINFO/1/2007 on Network Leases (Regulation No. 03/2007). Regulation No. 03/2007 requires the telecommunications network operator to provide a customer access network in end-to-end network lease services.
Further, the operator must not discriminate in providing the types of services or the network lease tariff rates. For the purpose of Regulation No. 03/2007, discrimination may occur through:
- queues, procedures and timing for the provision of network lease services;
- tariff rates and discount patterns on the network lease services;
- quality of the network lease services;
- contract for the provision of network lease services;
- types of network lease service users; and
- provision of additional services.
The operator is required to determine the type of network lease service based on distance, capacity and the type of users. The types of network lease services include, but are not limited to, local network lease services, long-distance network lease services or international network lease services.
The Telecommunications Network Decree further requires all operators to guarantee the availability of the interconnection, recognising the right of all operators to obtain interconnection from other operators.
Ministry of Transportation Decree No. KM. 33 of 2004 on the Supervision of the Fair Competition in the Provisioning of Fixed Network and Basic Telephony Services requires all fixed-network operators and basic telephony service operators to give equal treatment to other operators in providing interconnection and other services. Operators must not act in any way that discriminates against other operators. Furthermore, through MCIT Regulation No. 08/PER/M.KOMINFO/02/2006 on Interconnection, it is stipulated that interconnection must be provided by the network operators based on requests, to ensure that customers can get access to the telecommunication services.
Further to the above, operators of the packet-switched based local fixed network using the radio frequency band of 2.3GHz (the 2.3GHz network) for the purpose of wireless broadband services are subject to ex-ante regulation obliging such operators to lease 20 per cent of their total network capacity.
The selection document attached to MCIT Regulation No. 22/PER/M.KOMINFO/04/2009 on the Selection Document of the Packet-Switched based Fixed Local Network Operation Using 2.3GHz Radio Frequency Band for the purpose of Wireless Broadband Services (Perkominfo 22/2009) provides that the successful tender winner must open its network capacity to other operators. Perkominfo 22/2009 allows other telecommunications operators open access to the successful tender winner’s network to channel signals through a fair tariff division. Open access is granted by leasing the capacity based on a fair and mutually beneficial agreement. In this instance, the successful tender winner is obliged to lease a minimum of 20 per cent of the granted capacity of the 2.3GHz network to the telecommunications operators.Structural or functional separation
Is there a legal basis for requiring structural or functional separation between an operator’s network and service activities? Has structural or functional separation been introduced or is it being contemplated?
From a regulatory perspective, the Telco Law separates telecommunications network provisions from those regulating telecommunications services. Nevertheless, the Telecommunications Network Decree provides that, in general, the telecommunications network provider may operate as a telecommunications service provider using its own telecommunications network. This effectively removes any real structural or functional separation between an operator’s network and service activities.
Alternatively, telecommunication service operators may lease the telecommunication network from another licensed network operator through a written cooperation.Universal service obligations and financing
Outline any universal service obligations. How is provision of these services financed?
The Telco Law obliges telecommunications operators to make a contribution to promote universal services in the telecommunications sector. The universal services obligation (USO) requires telecommunication network and telecommunication service operators to contribute to telecommunications facilities and infrastructure, or to contribute through other compensation. Additional contributions include the interconnection cost for costs of system development. The clarification of the Telco Law affirms that the obligation to develop telecommunication facilities under the USO is only imposed on a fixed-network operator. Other telecommunications operators, including internet service providers, are simply obliged to pay a contribution.
Under Government Regulation No. 80 of 2015 on the Types and Tariffs of the Non-Tax State Income Applied in the Department of Communication and Information Technology, in conjunction with MCIT Regulation No. 10 of 2018 on the Implementation of the Telecommunication USO (the TUSO Decree), every telecommunications network and service provider is charged with contributing to the fund for universal service obligations in the telecommunications sector. The USO contribution is paid as a percentage of the annual gross income of the provider.
Government Regulation No. 80 of 2015 set the USO contribution tariff at the rate of 1.25 per cent of the operator’s gross revenue per financial year. According to the TUSO Decree, the mandatory USO contribution finances telecommunications access services in remote regions, uneconomically feasible regions and other regions that are still in need of telecommunications and information technology facilities and infrastructure. The contributions being made by telecommunication operators will be managed by the Telecommunication and Information Accessibility Agency (Badan Aksesibilitas Telekomunikasi dan Informasi or BAKTI), in which BAKTI will utilise the fund for establishing telecommunication network or services in underdeveloped regions.Number allocation and portability
Describe the number allocation scheme and number portability regime in your jurisdiction.
Number portability allows customers to keep their original phone number when switching to another telecommunications operator. Indonesia’s telecommunication rules and regulations do not require operators to establish mobile phone number portability.
The Telecommunications Network Decree stipulates that the operation of a telecommunications network requiring a certain radio frequency spectrum allocation, or requiring a network access code, must be limited and the licensing procedure thereof is subject to a selection process (either comparative evaluation or tender). The Directorate General determines the numbering, including the network access code, based on a technical basic plan to be decided on by the MCIT.
Consequently, each telecommunications operator is granted its own unique network access code that cannot be shared between telecommunications operators. This feature effectively eliminates the possibility for mobile phone number portability.
In this case, based on an annex of MCIT Regulation No. 14 of 2018 on the Fundamental Technical Plan of National Telecommunications, number allocation is referring to ITU-T recommendation of E.164 on fixed and mobile network, as well as national services. The numbering allocation itself is based on the following categorisation:
- voice-based services:
- free call for national intelligent network services;
- split charging call for national intelligent network services;
- vote call for national intelligent network services;
- uni call for national intelligent network services;
- calling card for national intelligent network services;
- premium call for national intelligent network services;
- community service centre for government institutions, state-owned companies, and fix-local network and mobile network operators;
- emergency number;
- calling card;
- national destination code;
- Asynchronised Data Packet Network Access;
- Synchronised Data Packet Network Access; and
- short messaging service and content provision services:
- short messaging services for public services, government institutions and state-owned companies;
- short messaging services for customers of fix-local network and mobile network;
- premium services and content provision services; and
- reserved slot, for future purposes.
Are customer terms and conditions in the communications sector subject to specific rules?
There are no specific regulations concerning customer terms and conditions in the communications sector. Nevertheless, it is viewed that the communications sector is covered by the general provisions of Law No. 8 of 1999 on Consumer Protection (CPL).
The CPL stipulates that the business or entrepreneur providing goods or services has a general obligation to:
- act in good faith in conducting business activities;
- provide correct, clear and honest information about the condition and guarantee of goods and services, and directions for use, repair and maintenance;
- treat and serve consumers correctly, honestly and indiscriminately;
- guarantee the quality of the goods or services based on prevailing standard provisions on the quality of goods and services;
- provide an opportunity to consumers to test and try certain goods or services and to provide a warranty or guarantee for the goods made and traded;
- provide compensation or refund for the losses caused by the use, application and utilisation of goods supplied or services rendered; and
- provide compensation and or refund if the goods or services received or utilised are not in accordance with the agreement.
Further, the CPL prohibits certain standard clauses in goods and services contracts. Some relevant prohibitions include, but are not limited to:
- provisions that transfer liability away from the goods or services provider;
- provisions stating the goods or services provider may reject returns; and
- provisions stating that the good or services provider may refuse to return money that has been paid by the consumer for the goods or service purchased by the consumer.
The CPL also prohibits standard clauses that are hidden from, unclear or unintelligible to the consumer. A ‘standard clause’ is defined by the CPL as any rule, term or condition that is unilaterally written into a contract by the goods or service provider and is binding on the consumer.Net neutrality
Are there limits on an internet service provider’s freedom to control or prioritise the type or source of data that it delivers? Are there any other specific regulations or guidelines on net neutrality?
The principles and objectives of the Telco Law affirm principles of just and equitable benefit, legal certainty, security, cooperation, ethics and self-confidence. Abiding by the Telco Law’s principles and objectives, telecommunications operators must give equal opportunity and treatment to all relevant parties. However, to date, no specific regulations exist to limit the freedom of internet service providers to prioritise the type or source of data that it delivers or to regulate the net neutrality issue. Although draft regulations and guidelines on this matter have been in circulation, it is not clear when such regulations and guidelines will become effective. In relation to the zero-rating of data transmission by certain services or applications’ practice and bandwidth ‘throttling’ practice, the MCIT has not regulated these practices. At the moment, it is understood that the MCIT has not objected to the zero-rating practice, to the extent that the zero-rating will be offered to all users without discrimination. From the practice, it seemed that the MCIT has not objected to the bandwidth ‘throttling’ practice being imposed by certain operators to their customers for accessing the internet exceeding the agreed bandwidth or data cap.
In addition to the above, the EIT Law clearly prohibits the distribution of electronic contents containing pornography, gambling, offensive or defamatory content, extortion or threats. Contravention of the EIT Law may incur criminal sanctions.
Recently, the Business Competition Supervisory Commission (KPPU) is investigating potential unfair business practice involving PT Telekomunikasi Selular (Telkomsel). As a background, Telkomsel, a telecommunication network and services operator owned by PT Telkom Indonesia (65 per cent), a state-owned telecommunication operator, and Singapore Telecommunication Limited (35 per cent), blocked the access to video on demand streaming services from Netflix. However, Telkomsel allowed access to similar services provided by Telkomsel’s subsidiary. Currently, the allegation is still under investigation and there is no decision or conclusion from KPPU yet.Platform regulation
Is there specific legislation or regulation in place, and have there been any enforcement initiatives relating to digital platforms?
Currently, there is no specified regulation pertaining to digital platforms in Indonesia. Nevertheless, the MCIT has an unwritten policy, which states that the operator of a digital platform must be considered as an electronic systems operator. In brief, as an electronic systems operator, a business actor is required by GR 82/2012 to maintain confidentiality, integrity, authenticity, accessibility, availability and traceability of electronic information and electronic documents that are stored in the electronic system. Further, article 17 of GR 82/2012 also stipulates that an electronic systems operator for public services is obliged to place the data centre and disaster recovery centre in the Indonesian territory for the purpose of law enforcement, protection and upholding the state’s sovereignty against its citizens’ data.
Further to the above, MCIT Regulation No. 36 of 2014 on Registration Procedure for Electronic Systems Operators (Regulation No. 36/2014) provides that an electronic system operator for public services shall cover:
- state or government institutions and their working units;
- state or regional-owned enterprises and their working units;
- independent institutions that have been established based on the law; or
- other legal entities that provide public services in the framework of implementing the mission of the state.
The scope of Regulation No. 36/2014 is limited to points (ii) and (iv). The electronic systems operator for public services conducts registration by way of the director general of information technology application, while the electronic system operator for non-public services may conduct voluntary registration.
However, the term ‘public services’ and ‘mission of the state’ under GR 82/2012 on Regulation No. 36/2015 is often interpreted broadly by the authority, in which the MCIT attempts to enforce such requirements to all electronic systems operators, to register their electronic systems, as well as placing the data centre and disaster recovery centre in the Indonesian territory.
Currently, the operation of digital platform is subject to Circular Letter of the MCIT No. 3 of 2016 on Provision of Over-The-Top (OTT) Applications or Content Services via the Internet (Circular Letter 3/2016). Circular Letter 3/2016, defines OTT Services as:
- OTT Application Services, the use of telecommunications services via an internet protocol-based telecommunications network that enables the creation of communication services in the form of short text messages, voice calls, video calls, online chatting, financial and commercial transactions, data storage and collection, games, social networking and media and their derivatives; and
- OTT Content Services, the provision of all forms of digital information consisting of text, sound, images, animation, music, video, films, games or combination of part or all of the above, including those that are streamed or downloaded, by using telecommunications services via an internet protocol-based telecommunications network.
Circular Letter 3/2016 stipulates that an OTT service provider may be in the form of an Indonesian individual or business entity, or a foreign individual or business entity. If the OTT service provider is a foreign individual or business entity, Circular Letter 3/2016 requires the provider to register as a permanent establishment (PE), which would then be subject to the laws and regulations on taxation.
Currently, the MCIT is preparing a draft regulation on digital platforms. Based on the current draft MCIT regulation on digital platform services (where the term ‘digital platform services’ is used to replace ‘OTT services’), a foreign digital platform service provider that: (i) provides commercial services; (ii) manages personal data of Indonesian citizens; and (iii) provides services to at least 1 million accounts is required to appoint a representative (which is a local digital platform service provider) that will act for and on behalf of the foreign digital platform service provider, by entering into a cooperation agreement. However, this draft MCIT regulation concerning digital platform services is not in effect yet.Next-Generation-Access (NGA) networks
Are there specific regulatory obligations applicable to NGA networks? Is there a government financial scheme to promote basic broadband or NGA broadband penetration?
The government is aware of NGA technology; however, there is no specific regulation regarding NGA, nor are there specific regulatory obligations applicable to NGA networks.
Further, MCIT Regulation No. 10 of 2018 on the Implementation of the Telecommunication USO has provided a legal basis for a government financing scheme to promote basic broadband.Data protection
Is there a specific data protection regime applicable to the communications sector?
Yes, there are specific rules regarding data protection that are applicable to the communications sector. For example:
- under the Telco Law, a telecommunications service operator must protect the confidentiality of all information transmitted and received by a services subscriber through the operator’s networks and services, except for the purpose of criminal proceedings; and
- the EIT Law stipulates that unless provided otherwise by relevant laws and regulations, the use of any information through electronic media that involves personal data must be made with the consent of the person concerned. The EIT Law also provides that any person whose rights are infringed may lodge a claim for damages incurred under the law. The EIT Law further states that the protection of personal data is part of one’s privacy rights. One’s right to privacy includes:
- the right to enjoy a personal life, free from any disturbance;
- the right to communicate with others without being monitored; and
- the right to supervise information access concerning one’s personal life or data.
In furtherance to the EIT Law, there is MCIT Regulation No. 20 of 2016 concerning Protection of Personal Data in the Electronic System (Regulation No. 20/2016), which is now generally considered as the umbrella provision on the protection of personal data. Regulation No. 20/2016 stipulates certain requirements for the implementation of various activities related to the management of personal data, including those listed below.
Collection of personal data
- The collection must be based on the consent (either physically or electronically) of the personal data owner;
- the collection must be limited to the information that is relevant to and within the purpose of the collection thereof, and conducted in an accurate manner;
- the users must be informed that the data being collected may be transmitted to or hosted by another party;
- the electronic system operator must provide the option to the personal data owner: to determine whether the collected personal data remains confidential; and to change, supplement, or update the personal data; and
- the personal data that are directly obtained and collected must be verified with the personal data owner, or, in the event that the personal data are obtained and collected indirectly, it must be verified with various legitimate data sources through which the data is processed.
Processing and analysis of personal data
- Personal data, which have been verified for accuracy, may only be processed and analysed for the purposes of the electronic system operator that was explicitly stated during the original collection. This rule does not apply to the personal data that has been shown or published openly by the electronic system for public services.
- The processing and analysis must be conducted based on consent.
Personal data storage
- The accuracy of the personal data to be stored must have been verified.
- The personal data must be stored in encrypted form.
- The personal data must be stored for at least a period required by relevant regulations for each sector, or at least five years if there is no applicable specific regulation.
Personal data presentation, publication, transmission, dissemination or the provision of access
- The presentation, publication, transmission, dissemination and provision of access to personal data: must be based on the consent of the personal data owner, unless stipulated otherwise by laws and regulation; and may only be conducted after its accuracy and conformity with the purpose of data collection have been verified.
- The electronic system operator must give an option to the personal data owner, to determine whether or not the relevant personal data to be managed can be used by or disclosed to a third party, on the basis of consent of the personal data owner, to the extent that it still relates to the purpose of the personal data collection.
Destruction or deletion of personal data
The personal data may be destroyed or deleted: after the lapse of data storage period as required by the relevant regulation or Regulation No. 20/2016; or upon the request of the personal data owner, unless stipulated otherwise by laws and regulation.
From the above, it can be concluded that the overarching principle of Regulation No. 20/2016 is the emphasis on the obtaining of the personal data owner’s consent for the personal data handling or management and verification of personal data being handled. In addition to that, Regulation No. 20/2016 also requires the electronic system being used for the data collection to be certified. However, currently, according to the MCIT, the provisions concerning the certificates related to electronic system operator are still not yet effectively enforced owing to the absence of implementing regulations.
Currently the government is preparing the bill on personal data protection. However, there is no indication on when the bill will be enacted as a law.Cybersecurity
Is there specific legislation or regulation in place concerning cybersecurity or network security in your jurisdiction?
In general, through the MCIT the government of Indonesia has issued MCIT Regulation No. 26/PER/M.KOMINFO/5/2007 concerning Security on the Utilisation of Internet Protocol-based Telecommunication Network, as amended several times, lastly by MCIT Regulation No. 5 of 2017 (MCIT Regulation No. 26/2007), in which are provided the basic provisions on cybersecurity. Under MCIT Regulation No. 26/2007, monitoring of cybersecurity is under the authority of ID-SIRTII (Indonesia-Security Incident Responses Team on Internet Infrastructure). In this case, the responsibility of ID-SIRTII in relation with cybersecurity shall include:
- socialisation to all relevant parties to implement security efforts over the use of the internet protocol-based telecommunication network and infrastructure;
- coordination on prevention, monitoring, detection, and early warning towards threat and disruption and incident handling at national internet protocol-based telecommunication network, especially for strategic infrastructure;
- establishment or provision, operation, maintenance and development of database system, analysis, monitoring and securing of the use of internet protocol-based telecommunication network, which functions are, inter alia: to support the coordination mentioned above, to store the log file and to support the law enforcement process;
- implementation of information service function towards the security threats and disruption in the utilisation of internet protocol-based telecommunication network and provision of consultation service and technical assistance;
- laboratory training activity, simulation, research, and development in the internet protocol-based telecommunication network security sector;
- data and information analysis and processing activities, resulting from the security implementation and incident handling, laboratory, simulation, research and development;
- presentation, exchange and reporting of analysis and data and information processing activities; and
- acting as the national coordination centre for incident handling related to the security threats and disruption on the use of internet protocol-based telecommunication network in Indonesia.
Further, the EIT Law and article 39 of GR 82/2012 stipulate the requirement of the electronic agent to have and implement a policy and procedure to take any necessary action in the event there is an indication of data hacking or theft. GR 82/2012 defines ‘electronic agent’ as a device of an electronic system that is made to perform an action automatically on certain electronic information that is organised by a person or legal entity.Big data
Is there specific legislation or regulation in place, and have there been any enforcement initiatives in your jurisdiction, addressing the legal challenges raised by big data?
Currently, there is no specific legislation or regulation concerning big data. Based on MCIT press release No. 84/PIH/KOMINFO/10/2015 dated 26 October 2015, the big data technology is free to be used provided that the application of the big data technology complies with the provision on data protection in Indonesia, which includes the Telco Law; the EIT Law; Law No. 14 of 2008 on Disclosure of Public Information, as partially revoked by Decision of the Constitutional Court No. 77/PUUXIV/2016; and Law No. 7 of 1992, as amended by Law No. 10 of 1998 on Banking and CPL to protect the rights of Indonesian citizens.Data localisation
Are there any laws or regulations that require data to be stored locally in the jurisdiction?
GR 82/2012 requires electronic system operators, especially for public services, to place the data centre and disaster recovery centre in the Indonesian territory for the purpose of law enforcement, protection and upholding the state’s sovereignty on its citizens’ data. However, according to the MCIT, the provisions related to the placement of data centres and disaster recovery centres in Indonesia are currently not yet effectively enforced owing to the absence of implementing regulations. Therefore, the MCIT has so far not imposed any sanctions on business entities that do not or cannot fulfil these requirements.
Further, pursuant to article 22 of MCIT Regulation No. 20 of 2016 concerning Protection of Personal Data in the Electronic System, the transfer of the personal data to the territory outside the territory of the Republic of Indonesia, that is managed by an electronic system operator at government agencies and the regional government agencies as well as all sectors of society or private parties domiciled within the territory of the Republic of Indonesia, must:
- coordinate with the Minister or the authorised official or agency. The coordination is implemented in the following form: reporting the personal data transfer plan specifying at least the full name of the country of destination, the full name of the recipient, the date of transfer, and the reasons or purposes for which the personal data are transferred; seeking advocacy, if necessary; and reporting the results of such activity; and
- apply the provisions of the laws and regulations concerning cross-border personal data exchange. However, to date, no laws and regulations pertaining to such provision have been enacted.
Summarise the key emerging trends and hot topics in communications regulation in your jurisdiction.
Of particular interest in the Indonesian communications sector is the expected change of the use of certain radio frequency bands following the implementation of long-term evolution technology and the rollout of free-to-air digital terrestrial television.
Further, we note with interest the recent MCIT preliminary review relating to cybercrime. The review is the first step towards establishing a Cybercrime Law in Indonesia.