This country-specific Q&A provides an overview to technology, media and telecom laws and regulations that may occur in Indonesia.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
The regulatory regime for technology in Indonesia covers matters relating to the technology infrastructure as well as the contents transmitted through the infrastructure. On the infrastructure side, Indonesia has enacted laws and regulation on telecommunication, broadcasting, internet service provider, and satellite communication. Each regulation typically governs the provisions of the service through the infrastructure, requirements of a provider, and licensing regime.
The umbrella law for content-related matter is Law No. 11 of 2008 concerning Electronic and Information Transaction (as amended by Law No. 19 of 2016) (“Law 11/2008”). Over the past few years the Indonesian government has been active in formulating laws and regulations to regulate internet/electronic content. Among those regulations are Personal Data Protection Act, regulation on e-Commerce, and regulation on Over-The-Top (OTT). Some of them are expected to be enacted soon within this year.
The primary government institution in this sector is Ministry of Communication and Informatics ("MCI"). MCI has a key role in implementing, supervising, and issuing technology-related regulations in Indonesia. MCI also plays consultative role where it is usually asked by regulatory bodies from other sectors to advise and give input in formulating policy in that sector.
Other regulatory bodies may also issue and implement regulations in its respective sector. For example, the Indonesian Financial Service Authority and Bank of Indonesia have the authority to supervise and issue regulations pertaining to financial technology sector in Indonesia. Likewise, other ministries such as Ministry of Health and Ministry of Transportation may also regulate and supervise the services offered through technology in health and transportation sector.
Lastly, as an intellectual creation, technology may enjoy protection from the Indonesian intellectual property laws. Intellectual property matters are generally under the authority of Ministry of Law and Human Rights.
Are communications networks or services regulated?
Yes, the provision of communication networks and services are mainly regulated under Law No. 36 of 1999 on Telecommunication (“Law 36/1999”) and its implementing regulations.
If so, what activities are covered and what licences or authorisations are required?
Activities covered under Law 36/1999
Generally, there are three type of activities covered under the Law 36/1999. These activities are as follows:
a. Provision of telecommunication network
The telecommunication network may be provided through fixed line or mobile. Provision of fixed line network include the provision of local fixed-line network, domestic long-distance network, international connection, or closed-fixed line network. On the other hand, the provision of mobile network includes the provision of terrestrial mobile network, cellular network, or mobile satellite network.
b. Provision of telecommunication service
In providing its service, the telecommunication service provider will utilise the network owned by telecommunication network provider. There are three types of telecommunication service provisions i.e. provisions of basic telephony service, value-added telephony service, and multimedia service.
Provision of basic telephony service covers, among others, telephone service (mobile and fixed-line), telegraph, telex, and facsimile. Value-added telephone service is provided in the form of, among others, premium calls, calling cards, virtual private phone number, call centre, etc. As for multimedia service, it includes internet service provider, network access point, internet telephony for public purpose, and data communication system.
c. Provision of special telecommunication
Special telecommunication is understood as telecommunication which has special purpose and operation. Special telecommunication is provided if the telecommunication provider and service telecommunication provider cannot fulfil the need of a special telecommunication, cannot reach the location, or if it needs a separate and independent network.
Every party which carries out the above activities must generally obtain license from the MCI. The telecommunication licenses are divided into two type of license based on the stage of the activity. At the preparation stage, the telecommunication provider must obtain principal telecommunication license. Once the telecommunication provider is ready to operate, it may obtain the telecommunication business license.
Exemption may apply for certain type of provision of special telecommunication. Provision of special telecommunication for individual and special agency does not require principal telecommunication license. Principal and telecommunication business license are also not required if the provision of special telecommunication is for national defence and security purpose.
Additional licenses might also be required for any telecommunication-related activities. For example, to distribute telecommunication equipment in Indonesia, a company must obtain type approval. Or if a company uses foreign satellite operations, a landing right is required.
Is there any specific regulator for the provisions of communications-related services?
The primary regulator for the communications-related service is the MCI. Within the MCI there are several directorates which are responsible for different matters. Matters relating to telecommunication would be under the responsibility of Directorate General of Postal and Telecommunication.
In addition to MCI, Indonesian Telecommunication Regulatory Agency/Badan Regulasi Telekomunikasi Indonesia (“BRTI”) also has authority over the telecommunication matters, although its authority is not as broad as the authority held by MCI. BRTI consists of MCI officials and member of public society representing the interest of relevant stakeholders of the telecommunication industries.
Are they independent of the government control?
Legally speaking, BRTI is an independent body. This is despite the fact that high-level officials of MCI also sit as ex-officio member of the BRTI. Currently the Head of BRTI is the Directorate General of Informatic and Post Resources and Equipment of MCI.
Are platform providers (social media, content sharing, information search engines) regulated?
Platform providers might be subject to varieties of laws and regulations depending on in which type activities it engages. Laws such as consumer protection law, copyright law, competition law, Indonesian Criminal Code might apply to platform providers. However, generally, the law which has the most correlation with platform providers is Law 11/2008 and its implementing regulations.
Law 11/2008 and its implementing regulations specifically apply to all Electronic System Provider (“ESP”) (in which all platform providers shall fit under ESP definition) and any activities conducted in electronic system. Law 11/2008 sets out general rules on electronic system certification, privacy, domain name, as well as prohibition on certain acts committed electronically (cybercrime).
In addition to the above, MCI has also issued Circular Letter of Minister of Communication and Informatics No. 3 of 2016 on the Provision of App-based Service and/or Internet-based content (OTT) (“Circular Letter 3/2016”). The Circular Letter 3/2016 does not have legally binding power to the public. However, it must be perceived as formal position of MCI in matters relating OTT in Indonesia. To provide legal certainty to OTT players in Indonesia, the MCI is currently preparing regulation on OTT which further regulates the OTT activities in Indonesia.
If so, does the reach of the regulator extend outside your jurisdiction?
Law 11/2008 may apply to person located outside Indonesia provided that such person conducts any actions specified in Law 11/2008 and that the action brings legal impact in Indonesia and/or outside Indonesia provided that it affects the interest of among others the Indonesian citizen.
Does a telecoms operator need to be domiciled in the country?
Telecom network provider and telecom service provider must be domiciled in Indonesia. According to Government Regulation No. 52 of 2000 concerning Telecommunication (“GR 52/2000”) in order to apply for telecommunication license, an applicant must satisfy certain requirement which includes the obligation of being formed as Indonesian company with the purpose to engage in telecommunication sector.
Are there any restrictions on foreign ownership of telecoms operators?
There are foreign ownership restrictions for certain lines of business in telecommunication sector. Pursuant to Presidential Regulation No. 44 of 2016 on Negative List of Investment, the following lines of business is subject to maximum 67% foreign ownership restriction:
a. Fixed-line telecommunication network provider;
b. Mobile telecommunication network provider;
c. Integrated telecommunication service and network provider;
d. Call centre and other telephony added-value service;
e. Telecommunication content service provider;
f. Internet service provider;
g. Data communication system;
h. Internet telephony service for public; and
i. Network access point/interconnected internet and other multimedia services.
Are there any regulations covering interconnection between operators?
There is special chapter regarding interconnection in Law 36/1999 and GR 52/2000. In addition that, the MCI has also issued a specific regulation addressing the interconnection issues namely the Minister of Communication and Informatics Regulation No. 8/Per/M.KOMINFO/02/2006 on Interconnection.
If so are these different for operators with market power?
When it comes to interconnection, the applicable laws and regulations do not differentiate between operators with market power and operators without market power. The provisions regarding interconnection apply to any operator regardless whether or not it holds market power.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The primary law for consumer protection in Indonesia is Law No. 8 of 1999 on Consumer Protection (“Law 8/1999”). Law 8/1999 applies to provision of telecoms service.
In addition to Law 8/1999, the Law 36/1999 also stipulates provisions regarding consumer protection such as right to file a legal claim to telecommunication provider if the consumer suffers loss and right to request record of use of telecommunication to telecommunication providers. Furthermore, the implementing regulations of Law 36/1999 may also provide additional consumer protection rights in telecommunication service.
MCI and the National Consumer Protection Agency have signed a Memorandum of Understanding (MoU) No. 1676/MoU/M.KOMINFO/HK.03.02/12/2017 on Consumer Protection on Communication and Informatics Sector. The purpose of signing this MoU is to improve coordination and cooperation between these two institutions for the purpose of enhancing consumer protection in telecommunication and IT sector.
What legal protections are offered in relation to the creators of computer software?
Computer program/software is recognized as copyrightable object under Law No. 28 of 2014 on Copyright (“Copyright Law”). The creator of computer program/software shall hold moral and economic rights. Copyright protection for computer program is valid for 50 years since it is first published.
Do you recognise specific intellectual property rights in respect of data/databases?
Yes, Copyright Law stipulates database as copyrightable object. However, as a general rule, in order for database to enjoy copyright protection, it must satisfy the requirements of a copyrightable work, that is:
- creation in the field of science, art, and literature;
- resulted from inspiration, ability, idea, imagination, dexterity, skill or expertise; and
- expressed in tangible form.
What key protections exist for personal data?
During the processing of personal, the Electronic System Provider (“ESP”), as the entity collecting and processing personal data, is responsible to protect the personal data. The protection of personal data shall be made by ESP through ensuring that any action taken toward the personal data is made based on the data subject’s consent. Consent must be obtained during the collection personal data, which must be made in form written in Indonesian language. Consent must be obtained after the data subject has received a full explanation regarding the activity that will be conducted toward the personal data as well as the purpose of personal data collection.
Rights of personal data owner
Personal data owner has the following rights in relation to his personal data:
1. right to confidentiality of his personal data;
2. right to submit complaint to MCI to settle personal data dispute for any breach of personal data by ESP;
3. right to access or to have the opportunity to change or update his personal data without interfering the personal data management, unless stipulated otherwise by laws and regulations;
4. right to access or have the opportunity to obtain personal data history that is once provided to ESP as long as it is in accordance with the applicable laws and regulations;
5. right to request for obliteration of certain personal data in the electronic system managed by the ESP, unless stipulated otherwise by other laws and regulations.
Are there restrictions on the transfer of personal data overseas?
There is no restriction to transfer personal data from Indonesia to abroad. However, Article 22 (1) of MCI 20/2016 requires any personal data transferred outside Indonesia made by government and/or regional government institution, citizen and/or private entity having its domicile in Indonesia to undergo coordination process with the MCI. This coordination process is conducted by:
a. submitting a transfer of personal data implementation plan and
b. filing report of the implementation of personal data transfer plan to the MCI;
c. requesting for advocacy (only if necessary).
What is the maximum fine that can be applied for breach of data protection laws?
In general, Indonesian regulatory framework recognizes different type of sentences/sanction as sanction toward any violation to the laws, namely criminal fines, imprisonment, and administrative fines. Specific for criminal fines and imprisonment, its imposition is required to be regulated under a law. For administrative fines, the provision governing the fine may be stipulated under implementing regulation of certain law.
It is important to note that Indonesia does not have its own personal data protection law. Therefore there is no specific imposable criminal sanction against breach of data protection laws. However, the law enforcement agency has seen Law 11/2008 as the legal basis for imposing criminal sanctions against illegitimate action of accessing and/or transferring electronic document/information containing personal data. This is evidenced through the arrest that the police made in 2017 against organized criminal group that illegitimately transferred and sell personal data of bank customers. Nonetheless, such approach, we believe is subject to case-by-case basis.
The EIT sets the following sanctions as follow:
a. Maximum fines of IDR 2.000.000.000 and imprisonment of 8 years may be imposed against any individual that intentionally and illegitimately or unlawfully with any means modifying, increasing, decreasing, transmitting, destroying, deleting, transferring, hiding electronic information (which may include personal data) and/or electronic document of other individuals or public;
b. Maximum fines of IDR 3.000.000.000 and imprisonment of 9 years may be imposed against any individual that intentionally and illegitimately or unlawfully with any means transferring, or relocating electronic information (which may include personal data) and/or document to other unauthorized electronic system; and
c. Maximum fines of IDR 5.000.000.000 and imprisonment of 10 years may be imposed against any individual that intentionally and illegitimately or unlawfully with any means modifying, increasing, decreasing, transmitting, destroying, deleting, transferring, hiding electronic information (which may include personal data) and/or electronic document which shall be protected its confidentiality becomes accessible to public without protecting the integrity of the data.
In addition to the criminal sanction, the GR 82/2012 stipulates administrative sanction on violation to its provisions (including provisions regarding personal data protection). The administrative sanctions may made in the form of:
a. Written warning;
b. Administrative fines;
c. Temporal suspension activities; and/or
d. Expulsion from list of which ESP is registered (i.e. registered ESP, etc).
What additional protections have been implemented, over and above the GDPR requirements?
As a non-EU country, Indonesia is not a direct subject to GDPR. Accordingly, Indonesia is not legally bound to adjust and/or to apply GDPR to its domestic law.
The Indonesian personal data protection regime is different compared to GDPR. Although some key principles in GDPR are adopted in personal data protection rules in Indonesia, the current laws and regulations on personal data protection in Indonesia is still not as comprehensive as GDPR.
The apparent difference between them is that in Indonesia, the current general personal data protection regime only applies to electronic processing of personal data. Unlike in GDPR, it does not cover manual processing of personal data. In addition, Indonesian personal data protection rules also do not recognize the distinction between controller of personal data and processor of personal data.
However, this likely to change in the near future as Indonesia is preparing its first Personal Data Protection Act (“PDP Act”). The latest draft of PDP Act shows that the content of the future Indonesian PDP Act will be closer to GDPR. The PDP Act is very likely to apply to both manual and electronic processing of personal data. Also, PDP Act will recognize the concept of data processor and data controller as in GDPR.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
There is no explicit regulatory guideline or restriction to the operation of cloud-based services. However, perhaps the regulatory challenge will come from the requirement to locate data centre in Indonesia as stipulated in Government Regulation No. 82 of 2012 on Electronic Information and Transaction (“GR 82/2012”).
GR 82/2012 stipulates that if an ESP provides a “public service”, the ESP has the obligation to locate their data centre and disaster recovery centre in Indonesia. Nevertheless, the scope of definition of ESP for public service or ESP for non-public service in private sector remains vague until now.
If the term “public service” is interpreted in a very broad way, the obligation to locate data centre and data recovery centre in Indonesia will apply to many companies within and outside Indonesia. Consequently, it will prevent these companies from using service that use data centre in multiple countries such as cloud-based service.
Are there specific requirements for the validity of an electronic signature?
Pursuant to Law 11/2008 and GR 82/2012, the minimum requirements for an electronic signature to be considered valid are as follows:
1. the data creation of the electronic signature is relevant to the signatory;
2. the data creation of the electronic signature during the signing is only within the possession of the signatory;
3. all changes to the electronic signature that occur after signing can be known;
4. all changes to electronic information related to the electronic signature after signing can be known;
5. there are certain methods used to identify the signatory; and
6. there are certain methods to show
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
There is no automatic transfers or assignments of employees, assets or third-party contracts in the event of an outsourcing of IT services, unless otherwise agreed by the relevant parties.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
There is no specific provision under Indonesian law regarding the liability in case of AI malfunctions. However, the other existing laws might apply. For example, Indonesian tort law under Article 1365 of Indonesian Civil Code (ICC) might apply. Article 1365 of ICC in essence stipulates that any individual who illegitimately causes loss to others must provide compensation for such loss.
If someone suffers loss because of the AI malfunction, the person who suffers loss because of the malfunction may file civil lawsuit against the party who creates or operates the AI. It is important to note that the party who suffers the loss must be able to establish a correlation between the loss and the fault/negligence of the party who operates or owns the malfunctioned AI.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) obligations as to the maintenance of cybersecurity; and
In principle the Law 11/2008 provides general provision in the operation of secure electronic activities. While it does not lay out greater details on the cybersecurity requirements, the Law 11/2008 stipulates sanction to any action that affects/possesses danger to security of electronic system, information, and transaction.
Provisions on the security measure of electronic system and transaction are dealt further under GR 82/2012 primarily. This regulation consequently deals with the operation as well security to any electronic system carrying out transaction. Despite of the absence on “cybersecurity” terms on its provision, the GR 82/2012 includes provision stipulating requirement relevant to security of electronic system that must be adhered by any ESP in operating its electronic system.
When personal data is involved, MCI 20/2016 shall apply. MCI 20/2016 stipulates additional cybersecurity measure when processing personal data in electronic system.
b) the criminality of hacking/DDOS attacks?
Pursuant to Law 11/2008 any unlawful access, transmission, interception to other’s electronic system by any means including breaching, infringing, surpassing, or penetrating security system of an electronic system is considered as criminal offence.
Under Law 11/2008, DDOS attack can be considered as an act of knowingly and without right causing interreference to electronic system and/or causing the electronic system not to work properly. This act is prohibited under Law 11/2008.
The above criminal offenses are subject to maximum 6-10 years imprisonment and/or maximum fine of IDR 600 million to IDR 10 billion.
What technology development will create the most legal change in your jurisdiction?
Every new technology such as AI, blockchain, cloud-based service, virtual reality, over-the top service platform as well as the deployment of deep learning system, will certainly pose legal challenge in Indonesia.
The recent technology development that has become the focus of the Indonesian government over the past of few years is the existence of foreign OTT in Indonesia. This is mainly due to jurisdictional issue. The government is having hard time to enforce its local law to the foreign OTT and to collect tax for the revenue generated from the Indonesian market.
Another legal challenge posed by OTT is to classify the service offered by the OTT. Because the service is offered through internet, it sometimes difficult to determine whether particular service fits with the existing regulatory regime e.g. whether Voice over IP (VoIP) service is subject to telecommunication law; whether video streaming service should be subject to broadcasting law.
Nevertheless, a new OTT regulation is currently prepared by the government to tackle this issue.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
Some laws that currently apply to digital industry were prepared and enacted before the arrival of new technologies. The regulators might not envisage the technologies and business model that are currently adopted by the company nowadays. Consequently, because the laws are lagging behind the development of technologies and business model in IT sector, it becomes difficult to companies to comply with these laws and regulations.
For example, the requirement to locate data centre and data recovery centre in Indonesia as stipulated in GR 82/2012 has become the subject to criticism by players in IT industry over the past few years. Some view that this requirement is no longer relevant because of increased need of cloud-based service in IT industry.
One issue that might hamper the development of digital business in Indonesia is the absence of certain laws and lack of clarity of the laws. This creates legal uncertainty for business players in carrying out their business in Indonesia. Nevertheless, the Indonesian regulators are working hard in preparing and issuing regulation/policy to respond to the development of technology.
Do you believe your legal system specifically encourages or hinders digital services?
The government realises that Indonesia contains great economic potential in digital sector. To respond to challenge in this sector, the government in 2017 has issued the President’s Regulation No. 74 of 2017 on Roadmap on National Trading System Electronic-Based or also known as e-Commerce Roadmap.
The e-Commerce Roadmap is perceived as an official statement from the government that it supports the development of e-commerce and digital sectors. The e-Commerce Roadmap serves as a set of guidelines for the government in executing government programs with the purpose to foster growth in e-commerce and digital sectors. The e-Commerce Roadmap sets out details regarding the implementation of each program such as the type of program, output, the responsible government institution, and timeline for execution. It also covers many aspects of e-commerce and digital business such as funding, taxation, consumer protection, human resources, communication infrastructure, logistic, and cyber security.
The implementation of e-Commerce Roadmap is aimed to ensure that Indonesian regulatory environment is ready to embrace the growth in e-commerce and digital sectors.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
The use of Artificial Intelligence AI undoubtedly raises legal questions in many fields of law such as IP and consumer protection. Since a specific law on AI is yet to exist, we must rely on the existing laws and regulations to answer to these legal challenges.
Most laws and regulations were designed without having AI in mind. Therefore, the legal issues with the use of AI are not properly addressed. For example, the issue of IP ownership over work created by AI. In some other jurisdiction, this question may have been answered through judicial decision. However, the current copyright regime in Indonesia may not provide a clear-cut answer to this issue.
Another field of law that needs to be improved is consumer protection particularly relating to personal data protection. Some types of AI require a big chunk of data to function. Some of this data may include personal data. The absence of strong personal data protection regulation in Indonesia is a big hole in Indonesian consumer protection regulatory regime. Without the existence of this piece of law, the consumers who utilize or become the object of the AI technology will not receive a proper protection.