Some of the key takeaways from MOCI Regulation 5 are:
- Who are private ESOs? MOCI Regulation 5 defines private ESOs as persons, business entities or communities that operate an electronic system. This definition is the same as the broad definition under GR 71.
Private ESOs include:
- ESOs that are supervised by ministers or institutions in accordance with laws and regulations.
- ESOs that have an online portal, site or application through internet to:
- provide, manage, and/or operate offer and/or trade of goods and/or services
- provide, manage and/or operate financial transaction services
- deliver paid digital material or content through a data network, either by way of downloading from a portal/site or by email delivery, or through another application to the user’s device
- provide, manage, and/or operate communication services in the form of short messages, voice calls, video calls, electronic mail, and online chat in the form of digital platform, networking and social media services
- manage a search engine, provide electronic information in the form of text, sound, picture, animation, music, video, movie and games or a combination of any and/or all of them
- process personal data for operational activity serving society in relation to electronic transactions
The above definition covers any ESO other than government institutions. In addition, MOCI Regulation 5 defines cloud computing operators as private ESOs that provide, conduct, manage and/or operate cloud computing services.
- Registration Obligation: Private ESOs must register their electronic systems with the MOCI. The registration obligation also applies to private ESOs that are established based on foreign laws (or domiciled in another county) and fulfil one of the following criteria:
- They provide services in Indonesian territory.
- They conduct business activity in Indonesia
- Their electronic systems are used and/or offered in Indonesian territory.
There is no further elaboration on how to determine whether a foreign entity is providing services, conducting business, or using and offering electronic systems in Indonesia. This can cover most foreign private ESOs whose platforms can be accessed and used in Indonesia.
In the past, the MOCI explained that the MOCI would focus on foreign private ESOs that “intentionally” target the Indonesian market. MOCI officials have given several parameters such as having a presence in Indonesia, placing equipment or employees in Indonesia, conducting marketing and promotion activities in Indonesia (including having ads in the Indonesian language), having localized websites, having a substantial number of Indonesian users, or receiving a substantial amount of revenue from Indonesia. Unfortunately, none of these parameters is included in MOCI Regulation 5. So we still have to wait and see how the MOCI will enforce this requirement for offshore private ESOs.
An ESO registration application is submitted to the Online Single Submission (“OSS”) system. The last time we checked with the OSS agency, only local individuals and entities could access the OSS system and register their electronic systems. Clients need to monitor whether the OSS system is ready to cater for ESO registration of foreign private ESOs. The OSS system should be ready before the end of the six-month transitional period.
- Content management and safe harbor concept: Private ESOs must ensure that their electronic systems do not (i) contain prohibited electronic information or documents and (ii) facilitate dissemination of prohibited electronic information or documents. They also must take down prohibited content within 24 hours or four hours (the latter is for urgent prohibited content, such as child pornography content, terrorism content and content that causes public unrest, which is very broad) after receiving the takedown notice.
MOCI Regulation 5 classifies prohibited content into content that:
- is in violation of laws and regulations
- causes anxiety for society and disturbs public order based on the government’s assessment
- posts or provides access to prohibited content
There is no explanation of each category above.
Private ESOs hosting user-generated content must (i) have governance on electronic content and (ii) provide a public reporting mechanism. Private ESOs hosting user-generated content must have governance on electronic information or documents, which at minimum comprises the following:
- rights and obligations of users in using the services of the electronic systems
- rights and obligations of the platform operator in operating the electronic systems
- responsibility over electronic documents or information that is uploaded by users
- availability of mechanism to file claims or report any part of the services
Indonesia has adopted a “safe harbor” concept under MOCI Circular Letter No. 5 of 2016 on Limitations and Responsibilities of User Generated Content Platform Providers and Merchant Trading through E-Commerce. However, the concept was introduced in the form of a circular letter and not a regulation. MOCI Regulation 5 now provides that private ESOs hosting user-generated content may be exempted from legal liability for prohibited content transmitted or distributed on their electronic systems as long as they have fulfilled their governance obligations, shared information on subscribers who uploaded the prohibited content for monitoring and law enforcement purposes, and taken down the prohibited content as regulated under MOCI Regulation 5.
- Cloud computing operators: Similar with private ESOs hosting user-generated content, cloud computing operators must have governance on electronic content. The operators must also provide electronic information or data of their users for monitoring and law enforcement purposes (see our elaboration below).
- Access to the government and liaison officer: Indonesian ministries, other government institutions or law enforcers can request access to electronic systems and data of private ESOs for monitoring and law enforcement purposes. The relevant government authority or law enforcer will submit the access request (in a written form) to the private ESO.
Each private ESO must appoint a liaison officer, who must be domiciled in Indonesia. The duty of the liaison officer is to facilitate any access request by government authorities and takedown request. Based on MOCI Regulation 5, we understand that the liaison officer must be an individual.
However, the MOCI needs to elaborate this matter further, especially on how this obligation is expected to be fulfilled by foreign private ESOs (e.g., whether a representative office is required), as placing someone in Indonesia without any presence may give raise to other issues (e.g., tax).
Further, private ESOs must have an audit trail on the use of access by the government authorities and law enforcers.
- Specific personal data: Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (“EIT Law”) and GR 71 do not include a definition of specific personal data. MOCI Regulation 5 now provides a definition of specific personal data, which is health data and information, biometric data, genetic data, sexual life or orientation, political views, child data, personal financial data and other data based on prevailing laws and regulations.
There are no extensive provisions on how to protect specific personal data under MOCI Regulation 5. However, this definition is similar with the definition of specific personal data under the latest draft data privacy law, which is currently being discussed and finalized by the government.
- Sanctions: MOCI Regulation 5 was drafted so that there is enforcement, and the possibility of sanctions, for foreign private ESOs. The sanctions were designed so that the MOCI does not have the burden to liaise with law enforcers or authorities in other jurisdictions in order to impose sanctions on foreign private ESOs.
The ultimate sanction in MOCI Regulation 5 is the blocking of access to the private ESOs’ electronic systems in Indonesia. Access can be granted again once the private ESO has fulfilled its obligations.
Other sanctions that are included in MOCI Regulation 5 are warning letters, temporary suspension, administrative penalty (there are no details of the amount under the regulation), and revocation of an ESO registration certificate. All sanctions in MOCI Regulation 5 are administrative sanctions.
Actions to consider
Private ESOs should consider taking the following actions (noting the need for clarification from the MOCI and the six-month transitional period of the ESO registration obligation):
- register their electronic systems, and, for foreign privates ESOs, monitor the process for the ESO registration in the OSS system (as the OSS system may not be ready to cater for applications by foreign entities)
- appoint a liaison officer and comply with any access request by government authorities (for foreign private ESOs, this will need to be further discussed with the MOCI)
- establish a procedure for governance regarding prohibited content based on MOCI Regulation 5
- comply with any takedown request in a timely manner (we appreciate that the time given is very short, and if a private ESO has foreseen that it cannot meet the deadline, it should at least engage the MOCI officials and discuss possible approaches)