Contributed By ABNR Counsellors at Law
In an increasingly digital world, countries such as Indonesia have been trying to adapt their regulatory environments to embrace this, including the metaverse – a digital space using virtual reality and augmented reality, which emerged owing to market dependency on social media (particularly during the COVID-19 pandemic). The nation is also a big player in the adoption of other digital products – for example, non-fungible tokens (NFTs) and crypto-assets (digital assets depending primarily on cryptography and distributed ledger technology).
However, Indonesia has yet to introduce a law/regulation that specifically addresses the metaverse. Nevertheless, it is subject to general laws and regulations, as follows.
General Operation of Electronic Systems
The operation of electronic systems in Indonesia is regulated under the following laws and regulations:
Operation of the metaverse would be subject to the obligations on an electronic system operator (ESO), such as:
Personal Data Protection
Law No 27 of 2022 on Personal Data Protection (the “PDP Law”) is the main regulation governing personal data protection and applies generally to any personal data processing, including in the metaverse. One of the concerns raised in the context of the metaverse is identity theft, in respect of which the PDP Law provides criminal sanctions towards any person that illegally obtains, collects, displays, uses or falsifies other individuals’ personal data.
Digital Assets
The metaverse is closely tied to digital assets such as NFTs, which are not yet specifically covered and acknowledged by Indonesian law. However, an NFT would still be considered “property” under the Indonesian Civil Code (specifically, as intangible, movable property).
It is also noteworthy that – under Commodity Futures Trading Regulatory Agency (Bappebti) Regulation No 8 of 2021 on Guidelines for the Implementation of Physical Crypto-Assets Market Trading in the Futures Exchange, as amended by Bappebti Regulation No 13 of 2022 ‒ crypto-assets are defined as “intangible, digital commodities that rely on cryptography, an IT network and distributed ledger technology to create new units, and verify and secure transactions without the involvement of other parties”. As such, NFTs may fall under such definition. However, Bappebti previously clarified that NFTs have yet to be regulated, meaning they are currently unregulated.
Given the rapid growth of NFT transactions (many aspects of which may raise concerns), it is expected that the Indonesian government will establish clear NFT regulations.
As in other parts of the world, the digital economy plays a pivotal role in shaping Indonesia, particularly as a developing country that is heavily reliant on various types of inbound investment. The Indonesian government has been quite aggressive in introducing new regulations (or, in some cases, updates to current regulatory regimes) in order to accommodate digital economy-related trends.
The Indonesian digital economy is mainly regulated under the following laws and regulations.
E-Commerce
Government Regulation No 80 of 2019 on E-Commerce (“GR 80”) serves as the umbrella law for e-commerce transactions. GR 80 governs the main aspects of e-commerce, including licensing requirements, obligations for e-commerce providers, content liability, consumer protection, and data protection.
GR 80 generally defines “e-commerce” as a form of commerce in which transactions are conducted using electronic equipment and procedures, whereas an “e-commerce undertaking” is “an individual or undertaking, whether incorporated or unincorporated and whether domestic or non-domestic, that engages in commercial operations in the e-commerce field”. Considering the broad definition of e-commerce, many electronic platforms would qualify as an e-commerce undertaking and should comply with e-commerce regulations provisions.
E-commerce undertakings are further classified into three categories:
E-commerce undertakings are required to obtain the relevant licences via the Online Single Submission system. The exceptions are ISPs that do not directly benefit from e-commerce transactions and are not a party to contracts between parties conducting e-commerce transactions.
Recently, in an attempt to regulate the aggressive foreign e-commerce platforms, the Indonesian government issued Ministry of Trade (MOT) Regulation No 31 of 2023 on Licensing, Advertising, Development and Supervision of Business Undertakings in the E-Commerce Sector (“MR 31”) as an amendment to the previous implementing regulation of GR 80.
Notable provisions governing the obligations of e-commerce undertakings under GR 80 and MR 31 include the following.
The newly issued MR 31 tries to capture platforms that provide both social media and e-commerce within the same application by introducing the term “social commerce”, which is defined as a “social media operator that provides certain features, menus or facilities that enable merchants to offer goods or services”. The regulation imposes an e-commerce licensing obligation on an undertaking that falls within the definition of social commerce, which was previously not clear. Social commerce platforms are also prohibited from acting as a manufacturer and facilitating payment transactions.
Other than social commerce, MR 31 also provides for specific business models that are subject to the e-commerce regulations ‒ namely, online retail, marketplace, online classified advertising, price comparison platforms, and daily deals.
Payment Service Providers
The payment system industry is also a major contributor to the growth of Indonesia’s digital economy. However, this industry is considered a highly regulated sector under the authority of Indonesia’s central bank, Bank Indonesia (BI). The two regulatory frameworks regulating payment services activities are BI Regulation No 22/23/PBI/2020 on Payment Systems and BI Regulation No 23/6/PBI/2021 on Payment Service Providers (“PBI 23”).
Under PBI 23, the main activities of payment service providers (PSPs) include account issuance services, account information services, payment initiation and/or acquiring services and money remittance services. PSPs may be required to obtain different licences depending on the types of business activities they provide, which are categorised into three types under PBI 23:
The categorisation is designated to compartmentalise various types of payments services, relative to the degree of their involvement in payment processing and attributed risks. A business model with inherently greater risk would be subject to higher scrutiny and licensing requirements.
The ever-evolving digital payment ecosystem poses a practical challenge. Business undertakings often find it quite difficult to determine the appropriate licences under PBI 23 for their business models.
Business undertakings have learnt that efficiency is key. This necessarily involves the adoption of cloud services. By using cloud storage and cloud computing, advanced technology is now more accessible and cost-effective. However, there is a possible security downside when using cloud technology, as business undertakings often collaborate with third-party cloud computing providers and share their data with them.
In Indonesia, a specific set of regulations on cloud and edge computing does not yet exist. However, some general compliance related to the EIT Law, the PDP Law, and consumer protection law is applicable to the use of cloud computing – with greater restrictions applying to certain industries, such as the financial sector and healthcare.
Financial Sector
Banks are generally allowed to co-operate with third-party IT providers in implementing their IT (including the use of cloud computing). However, the co-operation must comply with the requirements under OJK Regulation No 11/POJK.03/2022 on Implementation of Information Technology by Commercial Bank (“POJK 11”), such as:
If a bank intends to co-operate with a foreign IT service provider for any IT-based transaction processing, it must obtain approval from the Financial Services Authority (Otoritas Jasa Keuangan, or OJK). The regulation also requires banks to place their data centre and/or disaster recovery centres in Indonesia, unless the OJK grants an approval to place their data centers offshore.
Similar to banks, Non-Bank Financial Institutions (NBFIs) are also subject to data localisation requirements under OJK Regulation No 4/POJK.05/2021 on the Implementation of Risk Management in Using Information Technology by Non-Bank Financial Services Institutions, as partially revoked by OJK Regulation No 10/POJK.05/2022 on Peer-to-Peer Lending (“POJK 4”). They may place their data centres and/or disaster recovery centres offshore only upon obtaining an approval from the OJK.
Healthcare
Under Ministry of Health (MOH) Regulation No 24 of 2022 on Medical Records, medical records can be stored on digital-based storage media at health service facilities, which includes server, certified cloud computing and any other certified digital-based storage media. The healthcare facilities can co-operate with an ESO that has onshore data storage facilities and the ESO must obtain recommendation from the relevant MOH department. The co-operation itself must be based on an integrity pact or non-disclosure agreement.
Processing of Personal Data in the Context of Cloud Computing
In many instances, cloud computing services would be procured from a third-party provider. In such case, the third-party provider must confirm their role in the personal data processing (eg, whether they act as the data processor of the data controller). This is crucial for the third-party cloud computing provider, as the PDP Law differentiates between the liability of a data controller and data processor. A data controller is fully accountable and liable to the data subject for the processing of their personal data, whereas the liability of the data processor is limited ‒ ie, they should only be independently liable if they are processing personal data in a manner that deviates from the data controller’s instruction, order or purpose. Thus, the third-party cloud computing provider and the user should establish a set of clear provisions on the role, obligations and liability of each party in the context of personal data processing.
Artificial Intelligence (AI) has also reached Indonesia. The popularity of generative AI (eg, ChatGPT) has led to its rapid increase in usage and integration in a variety of sectors. This has resulted in concerns about compliance, as Indonesian regulations do not yet specifically encompass this particular technology. However, AI is still subject to sectoral regulations such as the EIT Law, the PDP Law, copyright law, and consumer protection law.
As a response to the rapid utilisation of AI, the MCIT issued Circular Letter No 9 of 2023 on Ethics of Artificial Intelligence (“CL 9”) on 19 December 2023. CL 9 is essentially a guideline, rather than a binding regulation per se. The measures taken are focused more on supervision and governance in order to reduce potential risks. CL 9 is intended as a pointer to ethical values for business actors that use AI-based software.
Some of the noteworthy provisions of CL 9 shall be examined here.
The scope of CL 9 includes general definitions and general guidelines for values, ethics, and control of consulting, analysis and programming activities with an AI basis by business actors and electronic systems operators. This circular letter applies to the following parties:
Ethical values of AI introduced under CL 9 are – among others ‒ inclusivity, humanity, safety, accessibility, transparency, credibility and accountability, personal data protection, sustainable development and environment, and IP rights.
There are three ways for the business actors, public ESOs and private ESOs to honour their ethical responsibilities when it comes to AI ‒ namely, by:
In addition to the CL 9, the OJK has set a Code of Ethics for Responsible and Trustworthy AI in the Financial Technology Industry (the “OJK Code of Ethics”). The basic principles set under this Code of Ethics are that, among other things, AI should be:
The current government’s approach allows for flexibility in the development of AI-based technology in Indonesia, while allowing it to take a “wait and see” approach to determining the appropriate measures to govern this technology.
Internet of things (IoT) applications continue to rapidly evolve in this increasingly technology-reliant era. From smart homes that optimise energy consumption to industrial applications that streamline production processes, IoT offers substantial transformation and increased operational efficiency.
In Indonesia, IoT is starting to be acknowledged, as indicated by the inclusion of KBLI 62024 – IoT Consultation and Design Activities as an Indonesian Standard Business Classification, along with the following description.
“This group includes consulting service activities, designing and manufacturing integrated system solutions based on orders (not ready-to-use) by modifying existing hardware, such as sensors, micro-controllers and other hardware. These modifications are made to the IoT hardware and/or software embedded in it. This group excludes chip manufacturing activities (26120) and IoT software publishing/development activities (58200 and 62019).”
In addition to the foregoing, the elements that can be relevant to the operation of IoT have been included in several laws and regulations, as follows.
Provision of IoT Services
The provision of IoT services heavily relies on stable and adequate telecommunications connectivity, as one of the main elements of IoT services. MR 5 stipulates that the provider of IoT services must either:
Connectivity providers are also required to implement a unique addressing system, including (but not limited to):
Electronic Agent
Although not being specifically regulated, the characteristics of IoT in automating information processing render it comparable to an “electronic agent” under Indonesian law. The EIT Law essentially defines an electronic agent as “a device of an electronic system that is made to perform an action on certain electronic information automatically by a person”. The phrase “automatically by a person” refers to natural persons or legal entities (both Indonesian citizens and foreign nationals).
In addition, electronic agents are required to provide features that allow users to make changes to an existing information transaction process.
Data Protection
Many of the data processing activities involved in the operation of IoT will fall within the material scope of the PDP Law, given that IoT devices may involve the processing of personal data. The key challenges of data protection that can be relevant to the use of IoT are as follows.
Difficulty in determining the responsibility upon failure to protect personal data
IoT services typically involve more parties than simply mobile operators – for example, device manufacturers, telecommunications services operators, online platforms, third-party applications, and software licensing. Given the multitude of components involved, it is essential to conduct an assessment of the data processing activities in order to determine the applicable data protection roles (ie, data controller or data processor) and the obligations that follow. Under the PDP Law, the data controller determines the purpose and controls the personal data processing. Meanwhile, the data processor is the party who processes the personal data on behalf of the data controller.
Obligation to protect the continuously recorded data
As IoT devices continuously record and process user data, the use of IoT must comply with the data storing, collection and processing provisions under the PDP Law. Further, in the event that the IoT devices handle vast amounts of specific personal data (eg, data and information on health, children’s data, biometric data) will lead to the obligation to implement a Data Protection Impact Assessment (DPIA) and appoint Data Protection Officer (DPO) should the main operations of the data controller involve large-scale processing of sensitive personal data.
Abuse of data collection purposes
Private entities that provide IoT devices or services that can access IoT data may use or disclose personal information for additional purposes, such as for profiling, targeted advertising or sale of the data-to-data brokers. The PDP Law requires that the collection of personal data should be limited and specific, legally valid, appropriate, and transparent. Furthermore, the processing of personal data must be conducted in accordance with its purposes. Thus, the data controller must inform the data subject regarding the purpose of processing.
The audio-visual media industry has witnessed unprecedented growth during the past few years, followed by technological advancements and an increasing demand for enhanced user experiences. The regulatory frameworks for audio-visual media services and video-sharing platform services in Indonesia would depend on whether they are broadcasting companies or internet-based video-sharing platforms.
Broadcasting Companies
Broadcasting companies are generally subject to Law No 32 of 2022 on Broadcasting as amended by Law No 6 of 2023 on Ratification of Government Regulation in Lieu of Law No 2 of 2022 on Job Creation as a Law (the “Broadcasting Law”) and its implementing regulations. The Broadcasting Law applies to the activity of broadcasting through transmitting facilities and/or transmission facilities using the radio frequency spectrum; this covers radio and television broadcasts.
Prior to conducting broadcasting activities, the broadcasting companies must obtain a broadcasting operational licence (Izin Penyelenggaraan Penyiaran) from the MCIT.
As regards broadcast content, the Indonesian Broadcasting Commission (Komisi Penyiaran Indonesia, or KPI) ‒ an independent state institution – has the authority to regulate and supervise broadcasting matters. In practice, the KPI actively monitors broadcasting content and enforces against non-compliance.
Aside from the Broadcasting Law, broadcasting companies must also comply with the content-related provisions under Law No 33 of 2009 on Film, as amended by Law No 11 of 2020 on Job Creation (eg, on censorship), as well as with the EIT Law (eg, on distribution or transmission of prohibited electronic information/electronic documents).
Internet-Based Video-Sharing Platforms
Business undertakings that provide video-sharing platform services are deemed ESOs under the supervision of the MCIT and hence are subject to the laws and regulations on electronic systems (ie, the EIT Law, GR 71, MR 20 and MR 5). The providers of internet-based video-sharing platforms must comply with the obligations of an ESO, including the mandatory requirement to obtain an ESO registration certificate.
Takedown Requests
One of the most substantial issues related to video-sharing platforms concerns content compliance, particularly on how this business model should be governed. There were several attempts to bring online video-sharing platforms within the ambit of the Broadcasting Law, meaning they would be subject to the KPI. However, the Constitutional Court has clearly established that internet-based video-sharing platforms are beyond the scope of the Broadcasting Law. Accordingly, the operation of video-sharing platforms remains independent of the Broadcasting Law.
Nevertheless, the operation of internet-based video-sharing platforms is still subject to regulations on ESO, including MR 5, GR 71 and the EIT Law, under the authority of the MCIT. In an effort to regulate internet-based video-sharing platforms, these regulations require platform operators to ensure that their platforms do not contain or facilitate the distribution of prohibited content. Further, these operators are also required to comply with takedown requests (TDRs) issued by the MCIT.
The MCIT usually issues a TDR after receiving a report flagging allegedly unlawful content from the public, ministries and government institutions, or law enforcement/judiciary institutions. Intermediaries must delete or block prohibited content within 24 hours of receiving a report of the unlawful content and, if deemed to be urgent prohibited content, the intermediary must delete or block such content within four hours of receiving a report of the unlawful content.
The MCIT tries to establish strict compliance by platform operators through establishing a mechanism that allows the MCIT to impose a monetary fine for non-compliance with TDR, which is calculated based on a certain formula. The calculation variable would be determined by several variables, including business scale, types of content, severity of violation, compliance level, etc.
Telecommunications is a highly regulated industry in Indonesia and is under strict supervision by the MCIT. Specifically, the MCIT scrutinise the operation of telecommunications networks (including those that are based on copper cable, fibre optics, satellite, and radio frequency spectrum) and telecommunications services (such as mobile services, internet, data communication systems, VoIP, and network access points). Further, as a response to the emerging of telecommunications services alternatives, the MCIT has been increasing their focus on Mobile Virtual Network Operators (MVNOs) and over-the-top (OTT) services providers.
The telecommunications industry is governed under the following regulations:
Pursuant to the Telco Law, telecommunication is defined as “the transmission, delivery, and/or receipt of information in the form of signs, signals, text, images, sounds, or noises through wire, optical, radio, or other electromagnetic systems”.
Telecommunications Services
Under the Telco Law, telecommunications services are divided into three implementing services, as follows.
The operation of telecommunications in Indonesia may only be performed by a licensed Indonesian legal entity.
While the government acknowledge that the MVNO business model is inevitable, it is imperative for them to protect conventional telecommunications operators that have spent resources to build the infrastructure. As a response to this development, the MCIT tries to frame MVNO businesses as re-sellers of telecommunications services.
Radio Frequency Spectrum Use
Radio frequency spectrum is considered a finite resource in Indonesia. Its use in telecommunications services is therefore regulated under MCIT Regulation No 7 of 2021 on the Use of Radio Frequency Spectrum, as partially revoked by MCIT Regulation No 9 of 2023 (“MR 7”), which stipulates three licences that must be obtained by businesses:
MR 7 stipulates a number of obligations to be fulfilled by business undertakings intending to use radio frequency spectrum in Indonesia for the purpose of obtaining the above-mentioned licences. Further, as an effort to boost the development of telecommunications technology in Indonesia, the government allows a spectrum-sharing arrangement, which is subject to contractual agreement between telecommunications operators.
Certification of Telecommunications Equipment and/or Device
Pursuant to MCIT Regulation No 16 of 2018 on Operational Provisions for the Certification of Telecommunications Equipment and/or Devices, telecommunications devices must be certified in order to prove they are up to the technical specification and/or standards set out in the regulation. The regulation specifies that all telecommunications equipment or devices manufactured, assembled or imported to be traded and/or used in Indonesia must be certified.
Internet Business Undertaking
GR 46/2021 refers to OTT services as business activities via the internet in the form of telecommunications services substitutes, audio and/or visual content services platforms, and/or other services as determined by the MCIT. Further, GR 46/2021 defines a telecommunications services substitute as “a service that can replace telecommunications services, including communications in the form of short messages, voice calls, video calls, video conferences, online conversations, and/or sending and receiving data”.
While this business model is not prohibited, business undertakings that carry out activities through the internet to users in Indonesia (ie, OTT services providers) must co-operate with local telecommunications operators, pursuant to GR 46/2021 and MR 5/2021. The obligation is set for business undertakings that fulfil the following criterion in relation to significant usage:
Although the regulations do not provide sanctions for non-compliance with the co-operation requirement, GR 46/2021 and MR 5/2021 authorise local telecommunications operators to enforce traffic management so as to limit connectivity to a certain service. This could be broadly interpreted to include bandwidth throttling.
The advance of technology has continued to break down barriers and diminish physical jurisdictional borders. However, this has proved to be a challenge, owing to the State’s interest in safeguarding the nation’s cybersovereignty. This highlights a need for a balance between upholding national interests in relation to cybersecurity while also maintaining the principle of technological neutrality in order to promote innovation and advancements.
In navigating this complex landscape, it has become imperative to carefully weigh the need for sovereignty with the need to facilitate technological advancement. Thus, the Indonesian government has attempted to do so by allowing freedom of use of foreign data centres as stipulated in GR 71, provided that there is a guarantee of data accessibility to facilitate supervision and law enforcement.
When entering into a technology agreement with a local organisation, the “freedom of contract” and data protection principle from the PDP Law apply. However, should a technology agreement include cross-border data transfer, the parties may be subject to greater restrictions in certain industries such as the financial and health sectors.
Cross-Border Data Transfer Requirements
The PDP Law and the MCIT regulations stipulate certain obligations in relation to cross-border data transfer and/or in relation to data localisation. Cross-border data transfer obligations include establishing a basis for the transfer of personal data, as follows.
Further to establishing at least one basis, cross-border data transfers must be reported to the MCIT pursuant to MR 20. The obligations mentioned apply in a general sense to any organisations engaging in data transfer outside of Indonesia.
Restrictions for Financial and Health Sectors
There are greater restrictions and obligations in relation to data localisation for the financial and health sectors. Pursuant to POJK 11, POJK 4 and MOH Regulation No 24 of 2022, there is an obligation for data localisation. In order to store data offshore or engage in activities that require cross-border data transfer, the organisation must obtain approval from certain governmental authorities such as the OJK or Ministry of Health (as applicable) if they engage with organisations in the financial and health sectors.
Restrictions Under EIT Law
There are further restrictions on entering into technology agreements with local organisations under the EIT Law. It stipulates that parties to an international electronic transaction that contains standardised clauses made by an ESO must be governed by Indonesian law, in event of the following:
Based on the language of this provision, the criteria provided are not cumulative and therefore may cause restriction in the freedom of contract for the parties to a technology agreement that fulfils one of the above-mentioned criterions.
Trust Services
Under Indonesian laws and regulations, trust services are managed by Certification Authorities. The EIT Law stipulates that a Certification Authority may provide the following:
The EIT Law and MCIT Regulation No 11 of 2022 on Implementation of Electronic Certification Governance require Certification Authorities offering electronic certification and providing services that use electronic certificates in Indonesia to be Indonesian legal entities domiciled in Indonesia. The EIT Law further provides that a foreign Certification Authority may provide electronic certification services only if the services are not available in Indonesia. Although this requirement is mainly intended to promote local Certification Authorities, this would raise a question as to the validity of certificates issued by foreign Certification Authorities, which could be a substantial legal issue in cross-border transactions.
Electronic Signatures/Digital Identity Schemes
E-signatures are regulated under the EIT Law and GR 71. They are considered a form of electronic certification and must be issued by a Certification Authority. The Certification Authority for electronic certification may either be an Indonesian Certification Authority or a foreign Certification Authority.
However, the classification of e-signatures produced by the two differ in evidentiary value before the Indonesian court. An Indonesian Certification Authority is able to produce a “certified e-signature”, whereas a foreign Certification Authority is only able to produce a “non-certified e-signature”. (A non-certified e-signature has lesser evidentiary value in court.)
Currently, several Certification Authorities have been registered with the MCIT, which indicates the MCIT’s efforts in promoting the use of e-signatures in Indonesia.
Graha CIMB Niaga
24th Floor
Jl Jenderal Sudirman Kav 58
Jakarta 12190
Indonesia
+62 21 250 5125/5136
+62 21 250 5001
info@abnrlaw.com www.abnrlaw.com