The Government finally issued Government Regulation No. 82 of 2012 regarding the Implementation of Electronic Systems and Electronic Transactions ("Regulation 82") for Law No. 11 of 2008 regarding Electronic Information and Electronic Transactions ("Law No.11"). Regulation 82 sets out significant requirements in relation to electronic registration/certification, electronic systems, electronic transactions, electronics agents, electronic signatures and domain names. The new regulation applies broadly to individuals, government bodies and companies which, in order to provide services to users, provide and/or operate devices and electronic procedures used for preparing, collating, processing, analyzing, storing, displaying and disseminating electronic data capable of being understood by any relevant person ("Electronic System Providers").
Regulation 82 came into effect on 15 October 2012 and Electronic Systems Providers are required to comply with the Regulation by 14 October 2017. Even though Regulation 82 imposes significant requirements, many of these requirements remain unclear and await a further implementing ministerial regulation to be issued by the Minister of Communications and Informatics (Menteri Komunikasi dan Informatika or "Menkominfo"). We set out below the principal requirements under Regulation 82.
Registration and Certification
Regulation No. 82 provides two categories of services which may be provided by Electronic Systems Providers: (i) services for public use and (ii) services for non-public use. "Services for public use" means those governed under the relevant laws and regulations which is a very broad definition. Electronic Systems Providers providing services for public use are required under Regulation 82 to register with Menkominfo. In addition, they must also (a) obtain a certificate of reliability; and (b) register the software they use to deliver the services. Electronic agents (providers of systems designated to carry out certain automated functions in relations to electronic information) are also required to register with Menkominfo.
Data Center and Disaster Recovery Center in Indonesia
Another requirement under Regulation 82 is that Electronic Systems Providers providing services for public use are required to have a data center and disaster recovery center in Indonesia. Regulation 82 indicates that a further ministerial regulation will be issued governing these requirements.
Software providers which develop software specifically to be used by an institution are required to provide the source code for the software to the relevant institution or, if this is not possible, the source code can be deposited with a third party/escrow agent. Further, Electronic Systems Providers are required to maintain the confidentiality of the source code for the software they use.
Information and Data Protection
Regulation 82 requires Electronic Systems Providers to convey to their users certain minimum information and to protect their users and others against losses, for example, by providing the identity of the Electronic Systems Provider, the terms and conditions and acceptance procedure for relevant contracts, privacy and data protection policies, the rights, obligations and responsibilities of the parties and the procedure for lodging complains.
Electronic Systems Providers are also required to ensure the protection of any personal data they process. "Personal data" is defined very broadly as any information about individuals that is kept, stored and protected as confidential information. (In specific sectors, like the banking sector, Bank Indonesia, as the Indonesian central bank, may have a specific regulation governing personal data and their protection).
SLAs, Policies and Reporting
Electronic Systems Providers are required to ensure that a service level agreement ("SLA") regarding the quality of the services provided to the users and an information safety agreement for IT services are in place.
Electronic Systems Providers must also keep an audit record. The audit record is to cover all of the activities of the Electronic Systems Provider and put in place disaster prevention, disaster recovery and business continuity procedures and systems.
Electronic Transactions, Electronic Signatures and Domain Name
Providers of Electronic Transactions as defined for "public use" require a certificate of reliability from an authorized independent professional institution. Data related to Electronic Transactions must be stored in Indonesia.
Regulation 82 also recognizes "electronic contracts" in Electronic Transactions. These must be drawn up in Bahasa Indonesia and must contain certain provisions.
Electronic Systems Providers require an electronic certificate for their use of electronic signatures in electric contracts. These electronic certificates must be issued by a certification provider (domestic or foreign) approved to do so by the Menkominfo.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.