TRPC Pte. Ltd.

Indonesia’s Regulatory Ecosystem

Indonesia wants to be Southeast Asia’s largest digital economy by 2020. To achieve this, the government has launched several national plans – including the Roadmap for the National E-commerce System (2017-2019) and the National Broadband Plan (2014-2019) – to improve connectivity and stimulate the start-up scene.

A number of regulations are also in the pipeline to structure and streamline key enablers of the digital economy. From privacy to cybersecurity, these regulations aim to address specific challenges created by the digital economy. Below is a quick overview of five of the main regulations being prepared, as well as their potential impact on Indonesia’s budding digital economy.

1. GR82

What is it? The revised Government Regulation No. 82 of 2012 on Electronic Systems and Transactions (GR82) is expected to change the requirements that made it compulsory for all data (user data, transaction data, etc.) to be stored in Indonesia.

Instead, a data classification framework will be implemented, making it possible for different types of data to be handled in different manners. ‘Strategic electronic data’, for instance, will be required to be stored and processed in data centres and disaster recovery centres in Indonesia. Meanwhile, data classified as ‘higher priority electronic data’ or ‘lower priority electronic data’ does not need to be managed or stored in Indonesia.

Why is it important? The data classification framework implemented through GR82 enables data to flow across borders, which is central to businesses’ ability to leverage global ICT, participate in cross-border trade, and develop new products, services, and business models. A key priority for the government, this revised approach to data localisation will guide other major regulations – including the draft e-commerce regulation, the draft personal data protection law, and even the recently released FinTech regulation.

When will it launch? The long-awaited amendment to GR82 is the Ministry of Communication and Informatics (Kominfo)’s number one priority and should be released at the earliest by the end of October 2018.

2. OTT

What is it? The revised draft Over-The-Top (OTT) regulation will bring all digital platform service providers – both domestic and foreign – under Kominfo’s supervision.

This move will placate traditional telco players who often argue OTT players are not subject to the same requirements governing their operations and content. This version of the regulation is set to take a more light-touch approach, as onerous requirements present in previous iterations have been stripped out. For example, in-country presence or permanent establishment requirements will no longer be imposed on foreign digital platform service providers. Instead, they will have to cooperate with domestic telco players.

Why is it important? Indonesia sets the scene for regulatory approaches within the ASEAN region. Other ASEAN member states, such as Vietnam, Thailand, and even Myanmar are likely to adopt similar regulatory approaches without necessarily considering the nature of the market the OTT operates in, how their business models work, and how they differ from traditional service providers.

When will it launch? The draft OTT regulation has been floating around since 2017, with a Circular first issued in 2016. It is unlikely to be ready before the end of 2018, as the priority right now is the amendment to GR82.

3. E-commerce

What is it? The forthcoming government regulation on e-commerce is set to apply to all e-commerce service providers, both domestic and foreign, requiring local registration.

It focuses heavily on the extent to which platforms should be held liable. For example, if a transaction is settled online, through an e-commerce application or platform, then the e-commerce platform operator would be held responsible for the delivery of goods and services. For Indonesia, extending platform liability is not only about defining clear roles and responsibilities, it is also about levelling the playing field for e-commerce providers.

Why is it important? This extension of platform liability is out of step with international practices, as the majority of jurisdictions do not impose liability on e-commerce platform operators (who merely act as an intermediary between merchant and consumer). It could also clash with GR82’s data classification framework by requiring e-commerce companies to use local domain names, have a local IP address, and use local servers to store data.

When will it launch? President Jokowi is personally committed to getting the e-commerce regulation released, indicating it may be out in time before the Indonesian general elections in April 2019.

4. FinTech

What is it? POJK No. 13 of 2018 on Digital Financial Innovation is the Financial Services Authority (OJK)’s umbrella regulation setting out the legal framework for FinTech companies.

The regulation applies to all players in the FinTech ecosystem and covers a wide range of digital services within the financial sector. It requires all operators of digital financial services to register with OJK and to provide a complete breakdown of their activities. The FinTech regulation also sets out the principles for OJK’s regulatory sandbox, defining the terms under which FinTech companies can test and assess their products and services in a controlled environment. Interestingly, OJK is adopting a ‘non-discriminatory’ scope of coverage, allowing both traditional financial institutions and FinTech start-ups to be considered part of the ecosystem.

Why is it important? The regulatory sandbox will effectively act as a filter that identifies which FinTech operators must register with OJK. Sandbox participants must be testing a new business model and have wide market coverage to qualify, which means companies that share these characteristics must play by the same rules.

When will it launch? Although POJK No. 13 was released in August 2018, it may have to be modified to align with forthcoming regulations. OJK currently mandates that data centres and disaster recovery centres be located in Indonesia, an approach that is largely out of step with the forthcoming amendment to GR82.

5. Data Protection

What is it? Indonesia’s draft personal data protection law, prepared in response to recent big-profile data breaches (Facebook and Cambridge Analytica), as well as to strengthen the protection of individuals’ personal data.

The framework sets out the roles and responsibilities for data controllers and data processors, including data breach notification requirements. It requires explicit written consent for use of personal data, sets up a Privacy Commission, and introduces the ‘right to be forgotten’ principle.

Why is it important? A comprehensive personal data protection framework is an essential part of a strong, resilient digital economy, yet Indonesia does not currently have one in place. It currently relies on a ministerial regulation from Kominfo to regulate personal data protection in electronic systems.

When will it launch? Despite mounting pressure for the draft personal data protection law to be discussed and passed, it has yet to be added to the 2018 National Legislation Program (the list of priority bills has not yet been discussed).

Clearly, a lot of thought and effort is being put into a wide range of regulations designed to enable and sustain Indonesia’s budding digital economy. A major question for the next few months is whether the upcoming general elections (to be held in April 2019) will have an impact on the way these regulations progress. Will they be rushed to before the end of 2018 to ensure they receive adequate political support? Or will they be delayed to early 2019, once the dust has settled on the political front?

This is far from just a simple scheduling matter. As the recent elections in Malaysia have shown, surprise victories can and do happen – and they have the power to sway regulatory priorities and agendas alike.

Photo by rawpixel

Filter articles by