Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations (ASEAN) [UNCTAD/DTL/STICT/2013/1]
- In Brief
- Electronic transactions law
- Consumer protection
- Privacy and data protection
- Online content regulation
- Cybercrime and cybersecurity
- Online dispute resolution and domain-name regulation
In Indonesia, the legal infrastructure for e-commerce is built around the Electronic Information and Transactions Act 2008, an omnibus law which includes e-commerce, cybercrime, domain names and other issues. This act was complemented in 2012 by more detailed regulations concerning electronic system and transaction operation.6
Indonesia is going through a process of significant legal and regulatory reform in the sector, as they implement plans to converge laws, licensing and regulation across areas that were previously separately regulated (i.e., telecommunications, broadcasting and the Internet).
Indonesia has a high rate of mobile phone penetration and has started to take advantage of mobile commerce, particularly in the banking sector. The country’s low level of fixed broadband connectivity represents a challenge to e-commerce and overall Internet use in the population is still relatively low compared with some of the other ASEAN member countries.
Electronic transactions law
The Law on Information and Electronic Transactions 2008 is an omnibus Act that includes general e-commerce provisions, along with more specific provisions on privacy, cybercrime and content issues.
Article 11 of the Law on Information and Electronic Transactions 2008 provides legal recognition for electronic signatures that meet certain requirements. Recent regulations (Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation) have established a more detailed regulatory system relating to digital signatures, including the licensing of signature providers.
The new Regulation also introduces some unique and onerous security and registration requirements for electronic service providers (which include cloud providers). For example article 17(2) requires operators to place their data centres in Indonesia. Other provisions require firms to hire local Indonesian staff when dealing with sensitive public-sector data.
There are very few details available about the new audit requirements contained in the Indonesian Regulation, but article 18 appears to require providers to supply regular audit records on “all provision of electronic systems activities” to a government agency. The law is very new and has not yet been tested in practice.
Overall, Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation appears to introduce onerous requirements that are likely to act as barriers to many cloud service providers. For example, providers will have to register with a Government agency and comply with requirements to establish data centres in Indonesia. There is also a requirement to provide source code (or to place source code in escrow) for certain types of applications in Indonesia. The full impact of these new policies is difficult to assess at this early stage.
Indonesia’s Law on Consumers’ Protection 1999 is not expressly designed to regulate electronic commerce transactions; however, the official Elucidation on Law on Consumers’ Protection contemplates the relevance of the Act to electronic and cross-border transactions. Where the provisions of the Law permit, the consumer protections offered within the Act can be applied to electronic transactions.
Some protection may be offered to consumers engaging in an electronic transaction under the Law on Electronic Information and Transactions. Several sections provide that consumers have the right to obtain accurate and complete information with respect to contract requirements and manufacturer and product details for goods that are offered electronically.
Privacy and data protection
The Law on Information and Electronic Transactions 2008 contains a very brief section on privacy (article 26). However, it is expected that this section will be complemented or even replaced by more detailed privacy legislation in the future. Indonesia is yet to establish a data protection regulator. While the legislation is silent on the establishment of a regulator, this may be covered in future regulations.
The Indonesian approach is not based on any international model, although the future regulations are likely to be influenced by the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and perhaps the APEC Privacy Framework. (Indonesia is an active member of the APEC Data Privacy Subgroup).
Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation provides more detailed privacy requirements, including:
“Electronic Systems Providers must ensure the protection of any personal data that they process. Such protection broadly includes obtaining necessary consent and ensuring that personal data are only used in accordance with the purpose communicated to data subjects.”
The new Regulation also includes a requirement that providers must notify data subjects in writing in the event that there is any unauthorized disclosure or processing of personal data. “Personal data” is not limited to information which by itself enables the identification of individuals and is broadly defined under the Regulation as any information of individuals that is kept, stored and protected as confidential information.
Online content regulation
Articles 27 and 28 of the Law on Information and Electronic Transactions 2008 prohibit the publication and distribution of certain categories of material, including “immoral” material and material that promotes gambling. However, the detailed regulations necessary to implement these censorship requirements have not yet been developed. In practice, no comprehensive filtering currently occurs.
The Pornography Law No. 44/2008 (Undang-undang No. 44/2008 ttg Pornografi) is also relevant for some content providers, and there have been recent attempts to impose restrictions on online content using this legislation.7
Cybercrime and cybersecurity
The Law on Information and Electronic Transactions 2008 contains a number of key cybercrime provisions (articles 29–37). Those provisions are almost an exact mirror of the key provisions in the Convention on Cybercrime. However, the law only provides limited details relating to enforcement and international cooperation.
Online dispute resolution and domain-name regulation
The Law on Electronic Information and Transactions contains some restrictions on the acquisition of a domain name. It recognizes that domain names are to be registered on a first come first served basis. The Law does not allow a domain name to be registered in bad faith, in a manner that trespasses on competition law or in a manner that infringes the rights of others in the name.
Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation now includes more detailed rules for domain-name registration and domain-name disputes.
Indonesia has not yet developed any law or regulation on online dispute resolution.
 Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation, http://rulebook-jica.ekon.go.id/english/4902_PP_82_2012_e.html.