2019 was a pivotal year in Indonesia’s digital business landscape as the government issued, among others, Government Regulation No. 71 of 2019 on Electronic Systems and Transactions (click here to read our alert on the 2019 Regulation). The 2019 regulation mandates all electronic system operators to register themselves with the Ministry of Communications and Informatics (“Ministry“).
The 2019 regulation only contains the broad principles on the registration obligation, but mandates that this obligation be further regulated in a Ministerial-level regulation. As a follow-up to such mandate, towards the end of 2020, the Ministry issued a new regulation1 to give more colour on the registration obligation, specifically for private electronic system operators.2
Interestingly, the new regulation does not exclusively deal with the registration obligation and consequences arising from failure to oblige. Instead, a big chunk of the regulation deals with illegal content, notice and takedowns, and the government’s ability to request data and access to electronic systems in specific situations (e.g. law enforcement purposes).
In the upcoming weeks, we will be issuing a series of alerts on this topic. This first alert will look at the rules on registration.
Why the Registration Obligation?
Before we get into the relevant key provisions in the new regulation, we believe that it is worth noting why this registration obligation exists in the first place. Based on publicly available information, the Ministry’s objective in requiring registration is to establish a database of electronic system operators that provide products and services to users in Indonesia.
As the old saying goes, “information is power,” and by establishing this database, the Ministry will have the information to effectively exercise its supervisory and enforcement powers on electronic system operators as and when required.
The Different Registration Regimes
Registration of electronic system operators with the Ministry is not a new concept. In fact, registration obligation goes back to 2012, when the government enacted Government Regulation No. 82 of 2012 on Electronic Systems and Transactions (which was later succeeded and replaced by the 2019 regulation). The 2012 regulation introduced the registration requirement, albeit making it mandatory only for public electronic system operators.
Before 2020, the Ministry also has issued multiple regulations to regulate the registration of electronic system operators. Based on our observation, the registration of electronic system operators can be broadly divided into three phases:
Later in this alert, we will touch upon the impact of the registration obligation under this new regulation to electronic system operators registered with the Ministry before the new regulation.
Registration for all
As mentioned earlier, the 2019 regulation clarified that all electronic system operators (be it public operators, onshore private operators, or offshore private operators) have to register themselves.
Despite the universal application, this regulation exempts offshore electronic system operators from the registration obligation if they do not:
The prerequisites for an electronic system operator’s registration vary from one regime to another. Before the new regulation phase, a notable registration prerequisite that many operators are concerned with was the requirement to furnish a certificate of information security management system (ISMS), specifically the SNI ISO/IEC 27001 certificate.
The ISMS certificate requirement has now been removed. Now, operators only need to make a representation that they will put in place the necessary information security measures as required by the prevailing law. This representation is made simply by ticking a check box on the Ministry’s registration portal.
Registration certificate validity
Upon successful registration, an operator will receive a registration certificate (tanda daftar) and have the name of their organisation and electronic systems published in the Ministry’s online directory of registered electronic system operators.
Previously, a registration certificate is valid for five years and operators must re-register upon the expiry of the registration certificate. Based on information that we obtained from the Ministry, going forward, registration certificates will remain valid indefinitely subject to the operators’ compliance with the new regulation.
Offshore electronic system operators
Under the new regulation, offshore electronic system operators have a six-month grace period from 24 November 2020 before they must register themselves. But considering that the new regulation is already effective from 24 November 2020 onwards, these offshore operators should already be able to register themselves.
However, up to the date of this alert, the necessary infrastructure for registration of offshore operators is not yet operational. Consequently, these operators will not be able to register themselves for now.
Registered onshore system operators
This regulation provides the much-needed clarity surrounding the registration of electronic system providers. Still, more detail is needed to fully understand the impact of registration, especially for onshore electronic system operators that are already registered with the Ministry during the pre-OSS phase and the post-OSS phase. This regulation is silent about these operators’ status, but based on a consultation with the Ministry, they must re-register themselves via the OSS portal.
This regulation is very much in line with the government’s theme of licensing and registration simplification and marks another milestone in Indonesia’s digital business landscape. While there are still some open items, we expect that the Ministry will close the loop in its socialisation of the new regulation, which we understand is expected to occur in the near future.
Zacky Zainal Husein
Muhammad Iqsan Sirie