Draft regulation may require all local and foreign websites and apps to register with MOCI

A new draft regulation on electronic system operators in the private sector will, if passed in its current form, require any local and foreign business with a web portal, website or online application that satisfies certain criteria, to register their electronic system with Indonesia’s Ministry of Communication and Informatics (MOCI).

Given the COVID-19 outbreak, it is currently unclear when the draft regulation will be issued. However, given the proliferation of electronic platforms across all industries, companies should assess the likely impact now.

BACKGROUND

MOCI published a draft regulation on the Management of Electronic System Operators in the Private Sector for public consultation in a 12 March 2020 press release.

The draft regulation is intended to be an implementing regulation of Government Regulation Number 71 of 2019 on Management of Electronic Systems and Transactions (GR 71/2019) (see this e-bulletin for more information).

The draft regulation covers:

1. the procedure for registering electronic systems by private electronic system operators (Private ESOs);
2. rules on prohibited electronic information and documents; and
3. regulatory approval required to store electronic systems and data outside Indonesia.

REGISTRATION OF LOCAL AND FOREIGN PRIVATE ESOS

Consistent with GR 71/2019, the draft regulation provides that a Private ESO (ie, any person, legal entity or community in the private sector) must be registered on the Online Single Submission (OSS) system if it satisfies one of the following criteria:

1. it is regulated or supervised by an Indonesian ministry or agency based on applicable laws and regulations; or
2. it owns a web portal, website, or online application used for any of the following activities:

• providing, managing or operating offers and/or trades in goods or services;
• providing, managing or operating financial transaction services;
• delivering paid digital content through a data network;
• providing, managing or operating communication services;
• search engine services and providers of electronic information in the form of text, sound, images, animation, music, videos, films and games or any combination thereof; and/or
• processing personal data for operational activities serving the community involved in electronic transaction activities.

Considering these broad criteria, it appears that the registration requirement will apply to most (if not all) businesses in Indonesia that have a web portal, website or online application.

The registration requirement also applies to foreign Private ESOs that meet any of these criteria and conduct business or activities in Indonesia. 

While there is no express guidance on the meaning of “conducting business or activities in Indonesia”, based on informal discussions with MOCI officials, we understand that deriving revenue from the provision of goods or services to Indonesian customers would likely be considered as conducting business or activities in Indonesia.

A Private ESO must register its electronic system before it can be rolled out to users. For existing Private ESOs, the registration must be completed by 10 October 2020. We expect the OSS system to be updated to include the registration certificate (Tanda Daftar) as a “commitment” associated with the business or commercial licence of the Private ESO.

The registration certificate will be valid for five years and be renewable. Private ESOs with a registration certificate will be included in the list of Private ESOs maintained by MOCI on its website. 

It is likely that this certificate would essentially be the same as the “Electronic System Operator Registration Certificate” (Tanda Daftar Penyelenggaraan Sistem Elektronik) that is currently regulated under MOCI Regulation No. 36 of 2014, which the draft regulation replaces.

Failure to register and failure to renew a registration may subject the Private ESO to an administrative sanction in the form of a written warning, followed by termination of access to the Private ESO’s electronic system.

REGULATORY APPROVAL TO STORE ELECTRONIC SYSTEMS AND DATA OUTSIDE INDONESIA

Under GR 71/2019, the data localisation requirement only applies to public scope electronic system operators, which must locate their data centres and disaster recovery centres in Indonesia unless the storage technology is not yet available in Indonesia (as confirmed by a special MOCI committee). In contrast, Private ESOs can locate their data centres and recovery centres outside Indonesia.

The draft regulation requires Private ESOs to obtain approval from MOCI if they wish to manage, process or store their electronic systems and electronic data outside Indonesia (and subsequent changes thereof). 

In making its decision, MOCI will take into account national interests (including the effectiveness of law supervision and enforcement). The draft regulation does not contain any express sanctions for failure to obtain this regulatory approval.

PROHIBITED ELECTRONIC INFORMATION AND DOCUMENTS

A Private ESO must ensure that its electronic system does not contain or facilitate the dissemination of any prohibited electronic information or document (including pornography, gambling and terrorism). Prohibited content is classified broadly as follows:

1. content that contravenes applicable regulations;
2. content that unsettles the community and disturbs public order; and
3. content which informs people about or provides access to prohibited content.

A Private ESO must terminate access to prohibited content on its electronic system. Internet service providers are also required to terminate access to sites containing prohibited content as determined by MOCI. 

A request for termination of access may also be made by the public, a government ministry or institution, a law enforcement agency or a judicial institution.

The draft regulation will replace MOCI Regulation No. 19 of 2014, which currently regulates negative content.

Additional requirements apply to certain types of Private ESOs:

• User-generated content platforms and cloud computing service providers must have a policy in place to ensure that their electronic systems do not contain or facilitate the dissemination of any prohibited content.
• User-generated content platforms must have a reporting system allowing their users to make complaints about prohibited content.

Private ESOs that fail to terminate access to prohibited content in accordance with the draft regulation may face administrative sanctions in the form of a fine or termination of access to their electronic system.