By : M. Arie Armand, Hana Monica, Cindy Rachel Jessica
Government of Republic Indonesia has recently enacted Government Regulation No. 71 of 2019 concerning Implementation of Electronics Systems and Transactions (“GR 71/2019”).
GR 71/2019 revoked Government Regulation No. 82/2012 (“GR 82/2012”) on 4 October 2019, which has come into effect as of 10 October 2019.
The issuance of GR 71/2019 presents substantial changes that may affect current practice, among others, (i) new distinction between public-scope and private-scope electronic system operators (“ESO”); (ii) provisions on data storage location; (iii) acknowledgement of “right to erasure” and “right to delisting”; and (iv) new form of sanctions.
I. New Distinction between Public-Scope and PrivateScope ESO
We have highlighted below some key points under GR 71/2019. New Distinction between Public-Scope and PrivateScope ESO GR 71/2019 classifies the implementation of electronic systems into 2 (two) categories, namely:
Some intricacy arises from the elucidation of the GR 71/2019 that states “ESO having portals, sites, or applications operated through internet network” includes ESO whose electronic system being used in the territory of Indonesia and/or offered in the territory of Indonesia.
It is unclear from the phrase “offered in the territory of Indonesia” whether the implied intention of the regulator is to include the imposition of this provision toward over-the-top (OTT) companies providing its services in Indonesia. If so, then such OTT companies can be regarded as “ESO” which then must comply with various obligations under the GR 71/2019, such as ensuring its system will not contain prohibited electronic information and/or documents as well as registering its electronic system to Minister of Communication and Information of the Republic of Indonesia (“MOCI”) before implementing such electronic system for Indonesian users.
II. Provisions on Data Storage Location
Under GR 71/2019, public-scope ESO must conduct management, processing and/or storage of its electronic systems and electronic data within the territory of Indonesia. In contrary, private-scope ESO can conduct its management, processing and/or storage of its electronic systems either within or outside of the territory of Indonesia. Should they choose the latter, they must ascertain the effective supervision by the relevant ministries, institutions and/or law enforcement in Indonesia.
Previously, GR 82/2012 did not clearly distinguish data storage rule that is applicable to public-scope and private-scope ESO. It only requires ESO that provides public service to locate its data centre and disaster recovery centre in the territory of Indonesia for the interest of legal enforcement, protection and enforcement of the state sovereignty towards its citizen.
III. Acknowledgement of “Right to Erasure” and “Right to Delisting”
Broadly speaking, GR 71/2019 provides more elaboration to the area of “processing of personal data”, as GR 71/2019 determines the principles of personal data protection that must be adhered to during the processing, for instance the specific limitation and purpose needed when collecting personal data and assurance that the processing must be conducted accurately, in full, not misleading, updated, in line with its
intended purpose and accountable.
Not only that, GR 71/2019 also emphasizes the concept of (i) “right to erasure” and (ii) right to delisting, which are globally
known as “right to be forgotten”, a concept brought under European General Data Protection Regulation (GDPR). Any ESO is obliged to erase irrelevant electronic information and/or electronic documents under its control upon request from the relevant party. The “irrelevant electronic information and/or electronic documents” consists personal data:
The personal data owners can pursue their right to delisting [from the search engine list] by submitting the request to a local court, in order to obtain a court stipulation.
IV. New Form of Sanctions
In addition to the previous administrative sanction under GR 82/2012 (i.e. written admonition, administrative penalty, temporary suspension and removal from the list of registered electronic system organized by MOCI), GR 71/2019 adds
“termination of access” as another form of sanction.
The termination of access can be imposed toward electronic information and/or electronic documents that (i) violates the law, (ii) causes social unrest and disturb public order, and (iii) gives the access toward electronic information and/or electronic documents that contains prohibited contents. This termination of access can be requested by public (to be further processed through a coordination of relevant agencies and MOCI), by law enforcers, or through the order of court.
Termination of access includes blocking of access, closure of accounts, and/or deletion of contents. Once enjoined, the ESO must terminate its access to its users, or else, be further imposed with legal responsibility under prevailing laws. Given the expansive coverage and consequential effect of this sanction, any ESO should keep a watchful operation toward its system and surrounding contents within their users.