Indonesia: Technology (2nd edition)

This country-specific Q&A provides an overview of the technology laws and regulations that may apply in Indonesia.

It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the technology market.

This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit

  1. Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?

    Yes, communications networks and services are regulated in Indonesia. Law No. 36 of 1999 regarding Telecommunications (September 8, 1999) divides telecommunications operations into three areas:

    a. telecommunications networks:

    1. Fixed-line networks consisting of local, domestic long-distance, international and closed fixed networks; and
    2. Mobile networks consisting of mobile terrestrial networks, mobile cellular networks and mobile satellite networks.

    b. telecommunications services:

    1. Basic telephone services using circuit-switched technology or other technology to provide telephone, facsimile, telex, telegraph and data transmission services;
    2. Value-added telephone services including premium calls, calling cards, virtual private phone numbers, store and forward, and call centres; and
    3. Multimedia services including internet service providers, network access points, internet telephony and data communication system services.

    c. special telecommunications for individual purposes, security and defence.

    The license required would ultimately depend on the field of telecommunication in which the business entity is engaged. Generally, the license or approval to engage in the telecommunication business will have to be obtained from the Ministry of Communication and Informatics (“MOCI”) or one of its Directorates General.

  2. Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?

    In Indonesia, the regulator for the provision of communications-related services is the MOCI and the Directorate General of Post and Telecommunication (“DGPT”). Aside from the MOCI and DGPT, there is also the Indonesian Telecommunication Regulatory Body (Badan Regulasi Telekomunikasi Indonesia), which consists of the DGPT and the Telecommunication Regulation Committee. The Telecommunication Regulation Committee is made up of individuals drawn from the government and the public. These regulators are not independent of government control.

  3. Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?

    Yes, telecoms operators need to be in the form of an entity domiciled in Indonesia in order to conduct business. There is a foreign ownership restriction of 67% for telecoms operators, i.e.:

    a. fixed telecommunication network provider;

    b. moving telecommunication network provider;

    c. service-integrated telecommunication network provider;

    d. telecommunication content service provider;

    e. information service (call centre) and other value-added telephone service provider;

    f. internet service provider;

    g. data communication system provider;

    h. internet telephone provider (for public purposes); and

    i. internet interconnection services (NAP) and other multimedia services.

  4. Are there any regulations covering interconnection between operators? If so are these different for operators with market power?

    Interconnection between operators is regulated under MOCI Regulation No. 09/Per/M.KOMINF/02/2006 regarding Interconnection (February 8, 2006). There are no other regulations specifically regulating operators with market power.

  5. What are the principal consumer protection regulations that apply specifically to telecoms services?

    Aside from Law No. 8 of 1999 regarding Consumer Protection (April 20, 1999), which provides the general framework for consumer protection, there are no consumer protection regulations that apply specifically to telecoms services.

  6. What legal protections are offered in relation to the creators of computer software?

    The legal protections offered to creators of computer software are in relation to intellectual property. Under Law No. 28 of 2014 regarding Copyright (October 16, 2014), computer programs (inclusive of software) are granted the same type of protections as more conventional creations (e.g., books, art, music). These protections include imprisonment and/or fines in varying lengths and amounts, depending on the severity of the violation, for any violation of a copyright holder’s economic rights.

  7. Do you recognise specific intellectual property rights in respect of data/databases?

    No specific intellectual property rights exist under Indonesian law in respect of data/databases.

  8. What key protections exist for personal data?

    The key protections for personal data under Indonesian law are:

    a. the requirement of consent for any electronic system provider to handle personal data (e.g., collecting, processing, distributing);

    b. the requirement of data-onshoring for any electronic system provider providing “public services” (as explained below);

    c. the requirement of full disclosure for any use of personal data;

    d. the deletion of personal data after a certain period of time or at the request of the personal data owner.

  9. Are there restrictions on the transfer of personal data overseas?

    Yes. Under MOCI Regulation No. 20 of 2016 regarding Protection of Personal Data in Electronic Systems (December 1, 2016) (“MOCI Reg”), the transfer of personal data overseas requires the local transferor to satisfy a coordination requirement with the MOCI and to fulfil any regulatory provision regarding the cross-border transfer of personal data (i.e., consent). The coordination requirement consists of:

    a. reporting any plan to transfer personal data, which must contain at least the name of the receiving country, the full name of the receiver, date of implementation, and the reason/purpose of the transfer;

    b. requesting advocacy, if necessary; and

    c. reporting the result of the transfer.

  10. What is the maximum fine that can be applied for breach of data protection laws?

    The maximum fine that can be applied for breach of data protection laws is contained in Law No. 11 of 2008 regarding Electronic Information and Transactions (April 21, 2008), as amended (“ITE Law, as amended”), namely IDR12 billion (approximately USD820,000 at current exchange rates).

  11. Are there any restrictions applicable to cloud-based services?

    A possible restriction imposed on cloud-based services is data onshoring (i.e., having a local data centre and disaster recovery centre). This requirement is contained in Government Regulation No. 82 of 2012 regarding the Provision of Electronic Systems and Transactions (October 15, 2012) (“GR 82/2012”) and its implementing regulation on electronic system providers that provide a public service. The MOCI further elaborates that “public service” shall mean any activity in the fulfilment of services for the public. The MOCI does not refer to any particular regulation as the legal definition of “public service.” The plain understanding of “public service” makes it unlikely that the data-onshoring requirement would be imposed on cloud-based services. In practice, however, all electronic service providers are obliged by the institution issuing their license to establish a data centre in Indonesia.

    In addition, the MOCI is currently undertaking a public information campaign regarding content monitoring, as regulated under MOCI Regulation No. 19 of 2014 regarding the Handling of Websites with Negative Content (“MOCI Reg 19/2014”). The handling of such websites with negative content involves blocking the sites to prohibit any access by the public. Pursuant to Articles 7 and 8 of MOCI Reg 19/2014, only two types of entities are required to conduct content monitoring, i.e. Internet Access Service Providers and Site-Blocking Service Providers. Therefore, the determining factor in whether a provider must monitor content is whether the provider is classified as either an Internet Access Service Provider or a Site-Blocking Service Provider. However, MOCI Reg 19/2014 does not provide a clear definition of either type of provider.

    Other than data-onshoring and content-filtering, Indonesian law provides various guidelines on such matters as registration, hardware, software (which is only pertinent for an electronic system provider for public service, aside from the general obligation to ensure the secrecy of the source code of the software used), expert workforce, electronic system management procedures, security measures, electronic system feasibility certificate, and supervision.

  12. Are there specific requirements for the validity of an electronic signature?

    Under the ITE Law, as amended and GR 82/2012, the following are the minimum validity requirements for an electronic signature:

    a. the data creation of the electronic signature is relevant to the signatory;

    b. the data creation of the electronic signature during the signing is only within the possession of the signatory;

    c. all changes to the electronic signature that occur after signing can be known;

    d. all changes to electronic information related to the electronic signature after signing can be known;

    e. there are certain methods used to identify the signatory; and

    f. there are certain methods to show that the signatory has given consent for the relevant electronic information.

  13. In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?

    No. The employees, assets or third-party contracts remain with the outsourcing company unless otherwise regulated under the outsourcing contract or are transferred under a separate transaction.

  14. If a software program which purports to be an early form of A.I. malfunctions, who is liable?

    As Indonesian law has yet to regulate artificial intelligence, reference must be made to Law No. 8 of 1999 regarding Consumer Protection (April 20, 1999) (the “Consumer Protection Law”). Under the Consumer Protection Law, an entrepreneur shall be liable for any damages sustained by the consumer due to the goods and/or services produced or traded by the entrepreneur. As such, in the event of an A.I. malfunction, the entrepreneur shall be liable for all damages suffered by the consumer of such A.I.

  15. What key laws exist in terms of obligations as to the maintenance of cyber security?

    Cybersecurity maintenance obligations are not contained in one specific regulation. Instead, they are scattered within several regulations, namely:

    a. the ITE Law, as amended;

    b. GR 82/2012; and

    c. MOCI Reg.

  16. What key laws exist in terms of the criminality of hacking/DDOS attacks?

    Indonesian law does not have any specific regulation on hacking/DDOS attacks. Instead, such actions are covered under the broad scope of the ITE Law, as amended and its implementing regulations.

    First, the ITE Law, as amended covers hacking through a prohibition for any person to purposefully, illegally and without any rights:

    a. access another person’s computer and/or electronic system using any method;

    b. access a computer and/or electronic system using any method in order to obtain electronic information and/or electronic documents;

    c. access a computer and/or electronic system using any method by violating, trespassing, surpassing or penetrating the security system.

    The conduct of the above actions is subject to imprisonment of six to eight years and/or fines of IDR600 million to IDR800 million (approximately USD41,000 to USD55,000 at current exchange rates).

    There is no tailored provision in the ITE Law for DDOS attacks. Such attacks fall under the general prohibition on “causing disruption of an electronic system and/or causing an electronic system not to function as it should.” The failure to abide by such prohibition is subject to maximum imprisonment of 10 years and/or a maximum penalty of IDR10 billion (approximately USD685,000 at current exchange rates).

  17. What technology development will create the most legal change in your jurisdiction?

    The most recent legal changes concerning technology development in Indonesia concern the growth and progression of e-commerce, as represented by companies such as Lazada, Tokopedia and Shopee. To enter the e-commerce sector in Indonesia, investors must first decide what role they will play, i.e. online retailer and/or web portal provider.

    The Indonesian government issued Presidential Regulation No. 74 of 2017 on E-Commerce Roadmap for 2017-2019 (the “E-Commerce Roadmap”). This roadmap aims to provide direction and strategic guidance to various government agencies to support and accelerate the development of e-commerce in Indonesia. The roadmap covers funding, taxation, consumer protection, education and human resources, logistics, communication infrastructure, cybersecurity and the implementation and management of e-commerce activities.

  18. Which current legal provision/regime creates the greatest impediment to economic development/commerce?

    The impediments to economic development mainly relate to the lack of clarity in the e-commerce regulations, specifically the definition of web portal for commercial purposes. The Negative Investment List (Daftar Negatif Investasi or "DNI"), which stipulates the business fields that are closed for investment or open with requirements, requires a web portal for commercial purposes with over 49% foreign ownership to have an investment value of at least IDR100 billion (approximately USD6.8 million at current exchange rates). However, the DNI does not provide a definition of “investment value.” Consequently, there is uncertainty about what is considered “investment value” – on one hand, some government officials have interpreted “investment value” to mean issued and paid-up capital, while others are of the view that “investment value,” in the context of a web portal for commercial purposes, only encompasses the fixed assets of the company. Foreign investors required to invest such a large amount of money are likely to rely on loans as opposed to just capital, and this uncertainty is a hindrance that could drive them from Indonesia.

  19. Do you believe your legal system specifically encourages or hinders digital services?

    We view that the Indonesian legal system is trying to accommodate digital services while providing adequate regulation for e-commerce. In principle, despite some continuing regulatory uncertainty, business players should have some level of comfort entering Indonesia’s e-commerce sector knowing that their presence is acknowledged and sufficiently protected by the law. That level of comfort should contribute to the continued growth of the e-commerce sector as more local and foreign investors enter Indonesia, attracted by the large domestic market.

  20. To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?

    As discussed above, Indonesia does not as yet have any specific regulation for artificial intelligence; there is only the general Consumer Protection Law. We believe that more specific regulations concerning A.I. (e.g., whether A.I. can, on its own, be considered a legal subject equivalent to individuals and entities; what rights and obligations must be conferred upon an A.I.) must be issued by the Indonesian government to fully deal with the legal issues associated with A.I.