Indonesia – First regulation on e-commerce

A regulation relating to Indonesia’s Law No. 11 of 2008 on Electronic Information and Transactions was recently issued for the first time (the “Regulation“). The Regulation sets out a number of significant requirements in relation to electronic certification, electronic systems, electronic transactions, electronic agents, electronic signatures and domain names. Many organisations will face significant additional compliance requirements as a result of the Regulation.

The Regulation targets both individuals and organisations that provide services via electronic devices and systems (“Electronic Systems Providers“), which are divided into those that provide services for (i) public use and (ii) non-public use.

Key features of the Regulation include:

• Registration and certification requirements: Electronic Systems Providers providing services for public use must register with the Indonesian Ministry of Communication and Information Technology (“MCIT“) before providing such services, and obtain certification from the MCIT that their services and hardware are fit for use;
• Location of data centres and disaster recovery centres: Electronic Systems Providers that provide services for public use must have data centres and disaster recovery centres located in Indonesia;
• Confidentiality of source codes: Electronic Systems Providers shall protect the confidentiality of source codes for software which they use;
• Electronic Systems Providers must also comply with a minimum level of data protection requirements set out in the Regulation, including obtaining consent from data subjects prior to processing of personal data and notifying data subjects in writing in the event that there is any unauthorised disclosure or processing of such data;
• SLAs and reporting: Electronic Service Providers must ensure that (i) service level agreement and (ii) information safety agreement for IT services are in place, and report system failures and information breaches to the relevant authority;
• Employment of Indonesian citizens: Electronic Service Providers are required to employ Indonesian citizens to operate strategic electronic systems, e.g. those for defence and national security, unless there is no suitable candidate available; and
• Additional requirements for electronic transactions: there are further certification and reporting requirements for providers of electronic transactions regarding electronic contracts and electronic signatures; also, any data relating to electronic transactions must be stored in Indonesia; additionally transactions involving more than one provider must use networks and gateways in Indonesia unless otherwise approved by the regulator.

There are areas which need to be clarified by further regulations, such as the definition of “public use” and details for the requirements for data centres and the registration of domain names. Further regulations to govern many of the requirements in the Regulation are expected to come into effect by 2017.