Electronic System Organizers (“ESO”) in the private sector, that include foreign private ESOs, which have been registered with th Minister of Communication and Informatics Regulation (“MOCI”) are subject to a number of obligations under MOCI Regulation No.

5 of 2020 on ESOs in the Private Sector as amended by MOCI Regulation No. 10 of 2021 (“MOCI Regulation 5/2020”), as the implementing regulation of Government Regulation No. 71 of 2019 on the Organization of Electronic Systems and Transactions (as summarized below).

Foreign private ESOs referred above mean private ESO operators that are established under the laws of another country or permanently domiciled in another country and meet the following criteria (i) they provide services within the territory of Indonesia; (ii) they do business in Indonesia, and/or (iii) their electronic systems are used or offered in Indonesia.

A foreign private ESO that has successfully registered with the MOCI will be listed in the MOCI’s official website (https://pse.kominfo.go.id/home/pse-asing).

Handling Prohibited Electronic Information or Documents

Under MOCI Regulation 5/2020, foreign private ESOs are responsible for the organization of their electronic systems and the management of electronic information and electronic documents in their electronic systems in a manner that is reliable, safe and responsible.

Further, foreign private ESOs must ensure that their electronic systems do not contain or facilitate the dissemination of prohibited electronic information or documents. Prohibited electronic information or documents are classified as electronic information or documents that:

1. violate the prevailing laws and regulations;

2. are unsettling for the public or threaten public order; or

3. provides ways or access to distribute illegal electronic information or documents.

If a foreign private ESO does not comply with the above obligations, its access to the electronic system in Indonesia will be blocked by the MOCI.

Private User Generated Content ESOs

A private user generated content ESO (that is, a foreign private ESO in which the provision, broadcasting, uploading and/or exchange of electronic information or documents is conducted by the electronic system users, eg applications such as Twitter, TikTok and Instagram), must ensure that their electronic systems do not contain or facilitate the dissemination of prohibited electronic information or documents. To do so, private user generated content ESOs must:

1. have procedures in place regarding electronic information or documents that cover the following:

a. the obligations and rights of electronic system users regarding the use of the electronic system’s services;
b. the obligations and rights of the foreign private ESO regarding the operation of the electronic system;
c. liability related to the electronic information or documents uploaded by the electronic system’s users; and
d. the availability of facilities and services and the settlement of complaints;

2. provide a reporting mechanism accessible to the public and foreign private ESOs must:

a. respond to any complaint/report;
b. conduct an independent examination of a complaint/report or request the verification of the complaint/report it to the MOCI or the related ministry or institution;
c. notify its electronic system’s users of the complaint/report about electronic information or documents uploaded by an electronic system user; and
d. reject any complaint/report if the reported electronic information or document is not prohibited.

If a foreign private ESO does not comply with the above obligations, its access to the electronic system in Indonesia will be blocked by the MOCI.

A private user generated content ESO may be exempted from legal liability regarding electronic information and documents that are prohibited from being transmitted and distributed through its electronic system if the private user generated content ESO:

1. has complied with all its obligations explained above;

2. provides information about the subscriber (whose electronic data is controlled or managed by the foreign private ESO) that uploaded the prohibited electronic information or document; and

3. blocks access to the prohibited electronic information or document.

Cloud Computing Organizers

A cloud computing organizer is a foreign private ESO that provides, organizes, manages and/or operates cloud computing. For example, parties that can be categorized as cloud computing organizers may include Dropbox and Google Drive.

Cloud computing organizers must ensure that their electronic systems do not contain or facilitate the dissemination of prohibited electronic information or documents. To do so, cloud computing organizers must have procedures in place regarding electronic information and documents, that cover the following:

1. the obligations and rights of cloud computing organizer users that are using their cloud computing;

2. the obligations and rights of cloud computing organizers regarding the operation of their cloud computing; and

3. the liability of the cloud computing organizer’s users regarding storing electronic information and documents in their cloud computing.

Cloud computing organizers must also provide electronic information and documents regarding their cloud computing organizer users that they own for the purpose of supervision and law enforcement.

Access to Electronic Systems and Electronic Data for Government Authorities

For the purpose of supervision and law enforcement, Indonesian ministries, institutions and law enforcement agencies can request access to a foreign private ESOs’ electronic system and electronic data, and the foreign private ESO must provide them access upon receipt of a request from the government authority.

For this, foreign private ESOs must appoint at least one liaison officer (an individual) who is domiciled in Indonesia to be in charge of handling requests for access from the Indonesian government authorities.

Personal Data

Foreign private ESOs must comply with the relevant personal data regulations, including to protect against personal data if they wish to process the personal data (which includes acquiring, collecting, processing, analysing, storing, displaying, publishing, transmitting, distributing or deleting personal data). In brief, according to MOCI Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Regulation 20/2016”), any personal data can only be processed after a prior consent of the data owner has been obtained and that must be in the Indonesian language.

MOCI Regulation 5/2020 defines personal data as certain individual data (whether identified or identifiable or combined with other information directly or indirectly through an electronic system or non-electronic system). Meanwhile, according to MOCI Regulation 20/2016, it is defined as certain individual data that is stored, maintained, the veracity of which is sustained, and the confidentiality of which must be protected.

Further, MOCI Regulation 5/2020 also defines specific personal data, which is health data and information, biometric data, genetic data, sexual life or orientation, political views, child data, personal financial data and other data according to the prevailing laws and regulations. This specific personal data must be provided to law enforcement agencies (as explained above) upon their request for law enforcement purposes for crimes committed in Indonesia for which the prison sentence is at least 2 years.

Click here for more

Fanissa Runalita
Associate
fanissa.runalita@makarim.com

Maria Sagrado
Partner
maria.sagrado@makarim.com