The regulatory regime in Indonesia is very much a work in progress in terms of reaching the Government’s intended goals.
The concern with the current framework is its overly prescriptive slant - this includes requirements to certify websites according to prescribed standards, register websites with the communication ministry and situate data centers within Indonesia.
Revision to the 2008 Electronic Transaction and Information Law
The 2008 Electronic Transaction and Information Law (‘ITE’) Law was amended in October 2016. The key changes are below.
The 2016 ITE Law now expressly provides for the government to block access to "unlawful materials". This is a newly added power that was not in the previous ITE Law, probably a realisation that criminal sanctions are futile in taking foreign website operators to task. In any case, the government has been using an earlier ministerial regulation to block websites with negative contents - principally pornographic and other illegal content, including copyright piracy. It is thought that the provision in the 2016 ITE Law was to remove any doubt on the source of the government's power to block access.
The data protection provisions are added with a provision for the data owner to ask for his or her data to be removed. This right can be exercised when supported by a court order. With the court order requirement, this new addition may only be cosmetic instead of giving real control to data subjects over their data since it is impractical to get a court order to effect this.
The provisions dealing with online defamation have been streamlined with their equivalent in the criminal code. The provision in the ITE Law references the criminal code rather than creating its own definition of defamation.
Ministerial regulation on data protection
On 1 December 2016, the Ministry of Communication and Informatics (“Ministry”) issued Regulation No. 20 of 2016 on Personal-Data Protection Within Electronic Systems (2016 Ministerial Regulation).
The noteworthy provisions from the 2016 Ministerial Regulation are discussed below.
There is still no "regulation on cross border personal data exchange". One would have to assume that this provision is still in limbo.
Uncertainty
Although regulations at the ministerial level are meant to implement higher level government regulations and parliament legislation, this latest round of ministerial regulation still contains references to further "regulations" that have not been issued yet.
Registration of websites (electronic system operations)
The registration is provided under 2014 ministerial regulation (Ministerial Regulation Number 36 of 2014 regarding Procedures of Electronic System Operator Registration (2014 Ministerial Regulation). It stipulated requirements for registration and certification against certain security standards depending on the risk impact presented by the Electronic System.
The weakness in the 2014 regulation is demonstrated by the fact that electronic system operators that have signed up are mostly local websites of local interest serving the Indonesian market. There are about 270 websites registered. There is no known enforcement against the many unregistered websites that can be accessed by the Indonesian public.
This regulation if enforced will stifle many nascent internet businesses
It is hoped that the Ministry will rethink this mandatory registration requirement which is somewhat of a white elephant.
Draft Data Protection Law
Lending further uncertainty is the Parliament's plan to pass data protection legislation. The draft legislation was circulated last year, but nothing further was heard of it as when a bill will be tabled in Parliament.
Tax on foreign business online
In its bid to rein in tax revenue from foreign online businesses, the Indonesian tax authority issued Circular Letter No. SE-04/PJ/2017 on the Determination of Permanent Establishments for Foreign Tax Subjects Which Are Providers of Applications and/or Content Services Through the Internet (“Circular Letter 4/2017”).
The circular was addressed to Over-the-Top (‘OTT’) Services (application or content services through the internet).
Under the circular, foreign OTT Services that come within the meaning of a permanent establishment under the circular will be subject to Indonesian tax.
Permanent establishments within Indonesia include the following that could be owned, leased or used by Foreign OTT Providers for the operation of their businesses or activities:
Entities are also considered as permanent establishments where the same provides any form of services for period of 60 days or more within any given 12 month period.
There are still several aspects of the circular that require clarification, namely:
It is hoped that the Government will help to clarify this for foreign online businesses that deliver OTT services without the need for any permanent establishment.
Conclusion
In coming up with an overly prescriptive framework, the Government did not seem to be ready to implement or enforce the provisions requiring registration, certification and locating of data centre within Indonesia. This may explain lack of follow-up in passing a complete implementing framework.
Even though some of the requirements have still not been put into effect, it is still no comfort to website operators who may find the uncertainty difficult to plan for.
The overly prescriptive model requires a rethink considering that the digital economy requires participation by startups who are likely to find the costs of compliance prohibitive.
Until we get greater clarity from the Government, foreign businesses with online platforms should consider the following:
This is not meant to be legal advice and readers should consult qualified practitioners to advise on their specific situations.
If you have any questions, please contact the author Kin Wah Chow.