AYMP Atelier Of Law - Armand Yapsunto Muharamsyah & Partners

publications

New Government Regulation on Implementation of Electronic Systems and Transactions

By : M. Arie Armand, Hana Monica, Cindy Rachel Jessica

05-Dec-2019

Government of Republic Indonesia has recently enacted Government Regulation No. 71 of 2019 concerning Implementation of Electronics Systems and Transactions (“GR 71/2019”).

GR 71/2019 revoked Government Regulation No. 82/2012 (“GR 82/2012”) on 4 October 2019, which has come into effect as of 10 October 2019.

The issuance of GR 71/2019 presents substantial changes that may affect current practice, among others, (i) new distinction between public-scope and private-scope electronic system operators (“ESO”); (ii) provisions on data storage location; (iii) acknowledgement of “right to erasure” and “right to delisting”; and (iv) new form of sanctions.

I. New Distinction between Public-Scope and PrivateScope ESO
We have highlighted below some key points under GR 71/2019. New Distinction between Public-Scope and PrivateScope ESO GR 71/2019 classifies the implementation of electronic systems into 2 (two) categories, namely:

Public-scope ESO, which include government
implementing agencies (legislative, executive, and
judicative in the central and regional levels and other
agencies established under laws and regulations) and
other institutions that carry out public-scope electronic
system operation on behalf of the appointing agency; and
Private-scope ESO, which broadly include:
(a) ESO being governed and supervised by ministries
and agencies having mandates to supervise and
enact regulations in its respective sectors; and
(b) ESO having portals, sites, or applications operated
through internet network, which are utilized to:

provide, manage, and/or operate the offer and/or
trade of goods and/or services,
provide, manage, and/or operate financial
transactions services;
deliver paid digital materials and contents through
data networks, either by downloading through
portals or sites, delivering through e-mail, or
through other applications to users’ devices;
provide, manage, and/or operate communication
services, including but not limited to, short
messages, calls, video calls, e-mails, and chats
online in the form of digital platform, networking
services, and social media;
search engine services, service providers of
electronic information in the form of writings,
voices, images, animations, music, videos,
movies, and games or the partial and/or entire
combinations thereof; and/or
personal data processing for operational activities
to serve the society in relation to electronic
transactions activities.

Some intricacy arises from the elucidation of the GR 71/2019 that states “ESO having portals, sites, or applications operated through internet network” includes ESO whose electronic system being used in the territory of Indonesia and/or offered in the territory of Indonesia.

It is unclear from the phrase “offered in the territory of Indonesia” whether the implied intention of the regulator is to include the imposition of this provision toward over-the-top (OTT) companies providing its services in Indonesia. If so, then such OTT companies can be regarded as “ESO” which then must comply with various obligations under the GR 71/2019, such as ensuring its system will not contain prohibited electronic information and/or documents as well as registering its electronic system to Minister of Communication and Information of the Republic of Indonesia (“MOCI”) before implementing such electronic system for Indonesian users.

II. Provisions on Data Storage Location
Under GR 71/2019, public-scope ESO must conduct management, processing and/or storage of its electronic systems and electronic data within the territory of Indonesia. In contrary, private-scope ESO can conduct its management, processing and/or storage of its electronic systems either within or outside of the territory of Indonesia. Should they choose the latter, they must ascertain the effective supervision by the relevant ministries, institutions and/or law enforcement in Indonesia.
Previously, GR 82/2012 did not clearly distinguish data storage rule that is applicable to public-scope and private-scope ESO. It only requires ESO that provides public service to locate its data centre and disaster recovery centre in the territory of Indonesia for the interest of legal enforcement, protection and enforcement of the state sovereignty towards its citizen.

III. Acknowledgement of “Right to Erasure” and “Right to Delisting”

Broadly speaking, GR 71/2019 provides more elaboration to the area of “processing of personal data”, as GR 71/2019 determines the principles of personal data protection that must be adhered to during the processing, for instance the specific limitation and purpose needed when collecting personal data and assurance that the processing must be conducted accurately, in full, not misleading, updated, in line with its
intended purpose and accountable.
Not only that, GR 71/2019 also emphasizes the concept of (i) “right to erasure” and (ii) right to delisting, which are globally
known as “right to be forgotten”, a concept brought under European General Data Protection Regulation (GDPR). Any ESO is obliged to erase irrelevant electronic information and/or electronic documents under its control upon request from the relevant party. The “irrelevant electronic information and/or electronic documents” consists personal data:

which are obtained and processed without the personal data’s consent;
of which consent have been withdrawn;
which are obtained and processed against the law;
which are no longer in accordance with the intended purpose under the agreement and/prevailing laws;
of which use has exceeded the time limit set in the agreement and/prevailing laws; and/or
which are provided by the ESO resulting loss to the personal data owner.

The personal data owners can pursue their right to delisting [from the search engine list] by submitting the request to a local court, in order to obtain a court stipulation.

IV. New Form of Sanctions

In addition to the previous administrative sanction under GR 82/2012 (i.e. written admonition, administrative penalty, temporary suspension and removal from the list of registered electronic system organized by MOCI), GR 71/2019 adds
“termination of access” as another form of sanction.

The termination of access can be imposed toward electronic information and/or electronic documents that (i) violates the law, (ii) causes social unrest and disturb public order, and (iii) gives the access toward electronic information and/or electronic documents that contains prohibited contents. This termination of access can be requested by public (to be further processed through a coordination of relevant agencies and MOCI), by law enforcers, or through the order of court.

Termination of access includes blocking of access, closure of accounts, and/or deletion of contents. Once enjoined, the ESO must terminate its access to its users, or else, be further imposed with legal responsibility under prevailing laws. Given the expansive coverage and consequential effect of this sanction, any ESO should keep a watchful operation toward its system and surrounding contents within their users.