After long discussion and the preparation of several drafts, the government has finally issued Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions ("GR 71"), which revokes Government Regulation No. 82 of 2012 on the same subject ("GR 82").
GR 71 was initially intended only as an amendment to GR 82; however, over time the work was escalated and eventually the end product is a new regulation that revokes and replaces GR 82 altogether.
GR 71 became effective on 10 October (though it was only circulated to the public on 21 October).
GR 71 includes more extensive provisions such as:
- a new concept of Public and Private Electronic System Operators
- new data localization requirements for Public Electronic System Operators
- further elaboration on the deletion of electronic data
- provisions on electronic certificates and electronic reliability certificates
- a new scope of electronic certification services
1. Electronic System Operators
GR 71 classifies electronic system operators into public and private. Public Electronic System Operators are state institutions or other institutions appointed by a state institution that operate an electronic system. Private Electronic System Operators are persons, business entities or communities that operate an electronic system.
The above definition does not include financial sector regulator and supervisor authorities.
Private Electronic System Operators include:
1. Electronic system operators that are supervised by ministers or institutions in accordance with laws and regulations.
2. Electronic system operators that have an online portal, site or application through internet to:
(a) provide, manage, and/or operate offer and/or trade of goods and/or services
(b) provide, manage and/or operate financial transaction services
(c) deliver paid digital material or content through a data network either by way of downloading in a portal/site or email delivery, or through another application to the user’s device
(d) provide, manage, and/or operate communication services in the form of short messages, voice calls, video calls, electronic mail, and online chat in the form of digital platform, networking and social media services
(e) manage search engine, provide electronic information in the form of text, sound, picture, animation, music, video, movie and games or a combination of any and/or all of them
(f) process personal data for operational activity serving society in relation to electronic transactions
The definition of Private Electronic System Operators and its elucidation is very broad and covers any electronic system operator other than government institutions.
Public and Private Electronic System Operators must register their electronic systems with the Ministry of Communication and Informatics. Unfortunately, there is not yet a clear position on the registration of offshore electronic system operators. GR 71 mandates that there will be a ministerial regulation (to be issued by the Ministry of Communications and Informatics) to further regulate this obligation for electronic system operators to register.
2. Data Localization Requirements
There is no longer the concept of “public services” under GR 71. Based on GR 71, only Public Electronic System Operators must place their electronic systems and data in Indonesia.
Private Electronic System Operators can place their electronic systems and data in or outside of Indonesia, unless otherwise regulated. However, Private Electronic System Operators must allow "supervision" by government agencies, including granting access to the electronic systems and data for monitoring and law enforcement purposes (all of which will be subject to further implementing regulations).
There is no longer a concept of “data categorization” under GR 71, as once included in the working draft of GR 71 to determine the data localization requirements. Consequently, under GR 71, the applicability of the data localization requirements depends on the type of electronic system operators.
Having said that, the term "strategic electronic data" is still mentioned in GR 71 although it is not defined. GR 71 states that as one of the government's roles on the implementation of electronic systems and transaction, the government stipulates the institutions (a very broad term that can include private companies) that have strategic electronic data that must be protected, including those in the following sectors:
- government administrative
- energy and mineral resources
- health care
- information technology and communication
- other sectors as stipulated by the President
Institutions that are deemed to have strategic electronic data must connect their electronic documents and electronic backup records to a certain data center in the event of an incident that must be reported to the cyber security authority.
There is no definition of "certain data center", and further clarification is required.
Further provisions on the connectivity obligation are to be regulated by the cyber security authority.
3. Deletion of Electronic Data
GR 71 emphasizes the right to be forgotten provisions that have been stipulated in the EIT Law (i.e., Law No. 11 of 2008 on Electronic Information and Transactions), whereby electronic data that is no longer relevant is deleted. Data deletion consist of (i) electronic data erasure, and (ii) delisting of information from search engine results.
GR 71 further stipulates that electronic data that is deemed to be no longer relevant is personal data:
- that is collected and used without consent from the personal data owner
- of which the consent to use it has been retracted by the personal data owner
- that is unlawfully collected and used
- that is no longer relevant to the purposes
- that has reached the end of its retention period
- of which the disclosure causes a loss to the personal data owner
In line with the EIT Law, the deletion request must be supported by a court order. GR 71 goes further, and stipulates that the application for a court order must be submitted directly by the personal data owner, stating the identity of the personal data owner, the electronic system operators involved and information on the electronic data that is no longer relevant, and the reason behind the deletion request.
4. Electronic Certificates
All electronic transactions must use an electronic certificate issued by a certified Indonesian electronic certification operator. In addition, electronic transactions may use a reliability certificate issued by a registered Indonesian reliability certification institution. These requirements were stated in GR 82, which stated that those requirements would be subject to implementing regulations that were to be subsequently issued, but no implementing regulations have been issued. We expect that with the issuance of GR 71, further steps will be taken to ensure that the necessary framework is in place to authenticate and validate electronic transactions.
5. Electronic Certification Services
Under GR 71, electronic certification services cover:
- electronic signatures
- electronic seals
- electronic time makers
- recorded electronic delivery services
- website authentication
- preservation of electronic signatures or electronic seals
Further implementing regulations on the above matters are required.
GR 71 includes several provisions on personal data protection. Unfortunately, with the personal data protection law still being drafted and finalized by the government, the provisions seem to be premature, in the following senses:
1. The data privacy provisions under GR 71 seem to have been taken from an outdated version of the draft personal data protection law. For example, GR 71 provides a list of additional requirements to process personal data, apart from the consent requirement. In September 2019, the list in the draft personal data protection law was changed, whereby the list is treated as an exception to the consent requirement rather than as an additional requirement.
Consequently, depending on the final content of the personal data protection law, there may be a mismatch of provisions.
2. Certain provisions mention the term "personal data controller", without a proper explanation of what that term covers.
Again, this is one result of the copy pasting of the provisions from the draft personal data protection law.
From past discussions and socialization of the draft personal data protection law, it appears that the government's intent is actually to make GR 71 and the personal data protection law (once the latter is issued) in line with each other when it comes to personal data protection.
However, it is now difficult to foresee the final outcome of the draft personal data protection law, e.g., whether the government has changed the position it was taking in prior drafts of the draft personal data protection law, or if GR 71 will be amended once the personal data protection law is enacted. Further, several news reports indicate that certain industry observers are speculating that GR 71 is only a temporary measure to provide a legal basis for personal data protection while the draft personal data protection law is being finalized.
Violation of the provisions of GR 71 would lead to administrative sanctions, in the form of:
- warning letters
- administrative fines (the amount is not stipulated)
- temporary suspension of activities
- blocking of access
- removal from the list of registered electronic system operators
The imposition of the administrative sanctions above does not eliminate any civil or criminal responsibility.
As mentioned above, GR 71 became effective on 10 October.
There is a one-year transitional period under the regulation, but this is only applicable for the obligation of electronic system operators to register with the Ministry of Communication and Informatics.
In addition, there is a two-year transitional period for Public Electronic System Operators to comply with the onshore processing and storing of their electronic systems and data.
Be Alert on Market Development and Enforcement
While GR 71 has clarified the data localization requirements and removes uncertainty about the “public services” definition under GR 82, the implementation of the provisions will need further clarifications or will be subject to further sectorial regulations. These issues will likely be dealt with by unwritten policies of the Ministry of Communications and Informatics.
Clients should stay alert to how the enforcement will be done, how the market practice will develop following the issuance of GR 71, and when the sectorial authorities issue implementing regulations.