written by: R. Yudha Triarianto W., S.H., M.H, & M. Ihsan Abdurrahman, S.H.
Indonesia has issued a government regulation in the field of information and electronic transactions, namely Government Regulation No. 71 of 2019 on Organization of Electronic Systems and Transactions (GR 71/2019). This regulation replaces the previous regulation, Government Regulation Number 82 of 2012 on Organization of Electronic Systems and Transactions (GR 82/2012). Under its transitional provisions, a Private ESP that was in operation before the promulgation of GR 71/2019 must adjust to the provisions in Article 6 (regarding the registration obligation) within 1 year. GR 71/2019 became effective on 10 October 2019, so the deadline for Private ESPs to adjust is 10 October 2020.
There are several important points for Electronic System Providers (ESP) in the GR 71/2019, as follows:
A. Classification of Electronic System Operators.
GR 71/2019 identifies two types of ESP. The division is as follows:
- Public ESP – the state administering agency and the institution designated by the agency.
- Private ESP – providers overseen by ministries/agencies and providers that have portals, sites, or online applications including offering/trading goods/services, financial transaction services, paid digital cargo delivery, operating communications services, search engine services, and processing of personal data.
B. Electronic System Operator Registration
As under GR 82/2012, each ESP is required to register. However, the registration procedure has been regulated by the Minister of Communication and Informatics.
C. Electronic System Governance
In managing electronic systems, the following are important points that ESP must fulfill:
- ESP guarantees the availability of service level agreements, the availability of information security agreements for the Information Technology services used, and the security of information and internal communication facilities organized.
- ESP must apply risk management to damage or loss.
- ESP must have an Electronic System policy, Standard Operational Procedure, and periodic audit mechanism.
D. Data Center Placement
The uncertainty over Data Center placement under GR 82/2012 has now been given legal certainty, as follows:
- Public ESP is required to manage, process, and/or store Electronic Systems and Electronic Data in the territory of the Republic of Indonesia, unless it is not yet available.
- Private ESP can manage, process, and/or store Electronic Systems and Electronic Data in the Republic of Indonesia and/or outside Indonesia. If this is carried out outside Indonesia, the Private ESP must ensure the effectiveness of supervision by the ministry, etc. The financial sector will be regulated further by BI and OJK.
E. Obligations to Safeguard Electronic System Organization
In carrying out its practice, ESP must guarantee security in the following manner:
- ESP must provide a track record of all phases of the implementation audit;
- ESP must display the full electronic information and/or Electronic Document under the format and retention period;
- ESP must maintain the confidentiality, integrity, authenticity, accessibility, availability, and traceability of Electronic Information and/or Electronic Documents;
- For criminal proceedings, the Electronic System Provider is required to provide Electronic Information and/or Electronic Data contained in the Electronic System or Electronic Information and/or Electronic Data generated by the Electronic System upon the legitimate request of the investigator for certain criminal acts following the authority stipulated in the law.
F. Electronic System Worthiness
To carry out its activities the ESP is required to conduct an electronic system feasibility test. This obligation can be applied to all components or some components in the electronic system in accordance with the characteristics of the electronic system and protection requirements.
The Minister of Communications and Informatics supervises the administration of the Electronic System. This supervision by the Minister includes monitoring, controlling, examining, searching & security.
H. Personal Data Protection
ESP must protect personal data in processing and request approval for processing. Processing of Personal Data must be based on valid approval from the Data Owner. ESP must implement the principle of Personal Data Protection in conducting processing, which includes:
- acquisition & collection;
- processing & analyzing;
- revision & update;
- display, announcement, transfer, distribution or disclosure; and
- deletion or removal.
Failure to protect personal data must be notified in writing to the data owner.
I. Right to Erasure & Right to Delisting (Right to be Forgotten)
ESP must delete irrelevant Electronic Information and/or Electronic Documents under its control at the request of the Data Owner. The deletion consists of the right to erasure and the right to delisting from the list of search engines.
J. Electronic Signatures
GR 71/2019 specifically regulates electronic signatures in administering electronic systems. Electronic Signature used in Electronic Transactions can be generated through various signing procedures. In the case of using an Electronic Signature representing a Business Entity, the Electronic Signature is referred to as an electronic seal. Electronic Signature Making Data must uniquely refer only to Signatories and can be used to identify Signatories. In the signing process, a mechanism must be made to ensure the Electronic Signature verification data related to the Electronic Signature Making Data is still valid or not revoked.
K. Competence of the Electronic System Provider
Each ESP must be competent in its field. Business Entities that conduct Electronic Transactions can be certified by the Reliability Certification Agency. Professionals who make up the Reliability Certification Agency include at least the following professions:
- Information Technology consultant;
- Information Technology auditor; and
- legal consultant in Information Technology.
Reliability certification agencies produce reliability certificates aimed at protecting consumers in Electronic Transactions. Reliability Certificates issued by the Reliability Certification Agency include the following categories:
- Identity registration;
- Electronic System security;
- Guarantee statement on the goods/services; and
Violation of the GR 71/2019 would lead to administrative sanctions, in the form of:
- warning letters;
- administrative fines;
- temporary suspension of activities;
- termination of access; and/or
- removal from the list.
M. Transitional Provisions
In carrying out this regulation, ESPs are given time to make adjustments:
- After the enactment of GR 71/2019, a Private ESP that was in operation before the promulgation of GR 71/2019 must adjust to the provisions in Article 6 (regarding the registration obligation) within 1 year. GR 71/2019 became effective on 10 October 2019, so the deadline for Private ESPs to adjust is 10 October 2020.
- After the enactment of GR 71/2019, a Public ESP that was in operation before the promulgation of GR 71/2019 must adjust to the provisions in Article 20 (2) (regarding placement of data storage in Indonesia) within 2 years.
GR 71/2019 is the legal basis for ESPs to officially register their electronic systems. Through this regulation, ESPs are also required to implement personal data protection, although, as of the middle of 2020, the Indonesian Government is still discussing the Personal Data Protection Bill with the parliament. Hopefully, with the enactment of GR 71/2019, the Indonesian Government can monitor ESPs effectively, since the mandate of official registration is in force in October 2020.
Any information contained in this Article is provided for informational purposes only and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this Legal Update without seeking legal or other professional advice. This document is copyright protected. No part of this document may be disclosed, distributed, reproduced or transmitted in any form or by any means, including photocopying and recording or stored in retrieval system of any nature without the prior written consent of SIP Law Firm.