More Details on the New Electronic Systems and Transactions Regulation

Following up on our previous alert on the relaxation of data localisation requirement under Government Regulation No. 71 of 2019 on Electronic Systems and Transactions (“Regulation“) (click here to read), below are other key requirements that electronic system operators must comply with, including mandatory registration and obligation to remove prohibited contents from their platform.

Mandatory Registration

Unlike previous regulation that only requires mandatory registration for electronic system operators (“operators“) providing public services, under the Regulation, both public and private operators must register themselves to the Ministry of Communications and Informatics (“Ministry“). It is important to note that the latter category of private operators is quite broad and covers foreign operators who use or operate an electronic system within the Indonesian jurisdiction. But the Ministry has verbally confirmed that not all foreign operators are required to register. Mandatory registration only applies to foreign operators with a significant number of customers or which conduct active marketing efforts in Indonesia.

While registration is free, an operator must also obtain an IT security certificate, e.g. 27001 ISO certificate, ‘KAMI’ Index Ranking (Pemeringkatan Indeks Keamanan Informasi), or a similar certificate. The absence of an IT security certificate would not prevent an operator from registering, but such operator will have to submit a letter to the Ministry stating its commitment to obtain the necessary certificates within one year as of the registration date.

Registration must be done prior to operating the electronic system. However, for existing operators that are already operating their electronic systems but have yet to register with the Ministry, the Regulation requires them to register themselves within one year as of 10 October 2019. Pending the transfer of the registration to the OSS portal, the registration is still carried out online via the Ministry’s website.

Removal of Prohibited Contents

Besides registration, the Regulation requires an operator to ensure that its platform is free from prohibited contents. Under the Regulation, prohibited contents are classified into three major groups:

1. contents that are prohibited under the prevailing laws and regulations;
2. contents that are unsettling for the public and disturb the public order; and
3. contents that allow access to other prohibited contents.

Under the Regulation, an operator is expressly required to immediately ‘terminate access’ to any prohibited content on its platform upon becoming aware of its existence. ‘Terminate access’ could mean blocking of access, closing of the account that posted the prohibited content and/or removing content (takedown). This removal obligation only applies to operators who provide internet service, telecommunication network or service, content and web hosting service.

While an operator is responsible to take certain measures against prohibited contents, it is also required to terminate access to prohibited contents if requested by the Ministry. The Ministry could base its request on a report from the public, another ministry and/or institution and law enforcement officers. Until the Ministry issues follow-up implementing regulations, we have to rely on the previous implementing regulations, especially on the timeline for termination of access, where internet service providers are required to block access to websites listed in TRUST+¹ within one week or even 24 hours in urgent situations.

In parallel, adopting the approach from the European Union’s E-Commerce Directive, operators can utilise the safe harbour provision under the new e-commerce regulation (click here to read our alert on the e-commerce regulation, which expressly exempts an operator from legal consequences of disseminating or storing prohibited contents if such operator only acts as a mere conduit).

Sanctions

If an operator fails to register or take down the prohibited content, it may be subject to various administrative penalties, ranging from fines to termination of access.

Although not specifically mentioned in the Regulation, a senior officer of the Ministry has verbally indicated that the amount of fine for failure to terminate access to prohibited contents may be as high as IDR 100 million per each prohibited content that has not been removed from an operator’s platform if an operator has become aware of the existence of the prohibited content or has received a takedown instruction from the Ministry.

Conclusion

Through the Regulation, the government has finally laid to rest the debate on registration. Nevertheless, and despite the Ministry’s verbal confirmation, there is still some debate on which foreign operators are subject to this registration requirement. Further, although registration can be done for free, the requirement to obtain an IT security certificate may create a financial burden for small operators.

Meanwhile, the clarity provided under the Regulation on the responsibility of operators with regards to prohibited contents in their platforms is certainly welcomed.

As the Regulation does not address the technical aspects of both the registration process and the termination of access to prohibited contents, we expect that the government would issue further implementing regulations in the near future.

1. TRUST+ is a list maintained by the Ministry of websites containing negative contents.