To close 2019, the Indonesian government enacted the much-anticipated e-commerce regulation1 ("Regulation") in late November. Being an implementing regulation to the Trade Law,2 the Regulation regulates not only the typical actors in e-commerce transaction (i.e. merchants and consumers), but also e-commerce service providers (penyelenggara perdagangan melalui sistem elektronik) and intermediary service providers (penyelenggara sarana perantara). In addition, the Regulation, among others, regulates e-contracts, online advertisements and personal data protection.
While the Regulation is undoubtedly welcomed, especially in clarifying the many existing uncertainties in the market, some provisions raise issues as it overlaps and contradicts the regulation on electronic systems and transactions,3 which was issued shortly before the Regulation.
Below we provide a snapshot of the Regulation and highlight the provisions that may potentially be a stumbling block to parties in the e-commerce industry.
Parties Targeted by the Regulation
The subjects regulated by the Regulation can be categorised into three groups:
Merchants, which are individuals or corporate entities that make an offer through their own electronic system or that of an e-commerce service provider. A party who sells goods and/or services on a 'temporary and not on a commercial basis' would not be deemed as a merchant.
E-commerce service providers, which are individuals, corporate entities or public bodies that provide a service and/or electronic system platform for utilisation by individuals, corporate entities or public bodies to perform e-commerce transactions. These include e-retailers (e.g. Bhinneka), marketplace providers (e.g. Tokopedia, Lazada, Shopee), classified advertisement providers (e.g. Craiglist), price comparison providers (e.g. PriceArea, Telunjuk) and daily deals providers (e.g. Groupon, Fave).
Intermediary service providers, which are individuals or corporate entities that facilitate electronic communications4 between senders and recipients. These include search engine providers (e.g. Google, Yahoo, Bing), hosting service providers (e.g. GoDaddy, Hostinger), caching service providers (typically, these are also provided by hosting service providers) and payment gateway providers (Midtrans, Doku, Xendit). Telecommunications service provider is excluded.
Impact on Foreign Businesses
Foreign businesses that are actively engaging (e.g. making offers from offshore) with consumers in Indonesia and satisfy the applicable thresholds will be subject to the Regulation. The threshold will depend on the number of transactions, transaction value, number of delivery of packages and/or amount of traffic. Strikingly, the Regulation does not elaborate the actual threshold numbers. As such, we expect that these thresholds will be further regulated in an implementing regulation.
Once the thresholds are satisfied, the Regulation will deem a foreign business as:
having a physical presence in Indonesia; and
conducting a permanent business activity within the Indonesian jurisdiction.
As a consequence, a foreign business must appoint a representative domiciled in Indonesia. While the Regulation does not elaborate the requirements for appointing the representative, the Regulation expressly states that e-commerce transactions conducted by a foreign business will be subject to Indonesian tax. The concept of 'Indonesian presence' seems similar to the concept of 'permanent establishment' for foreign businesses under Indonesian tax laws. While there might still be some uncertainties, the underlying message of the Regulation is clear; the government intends to tap into the fiscal potential of revenue sourced and received by foreign businesses from e-commerce transactions in Indonesia.
Recognising the fact that the services provided by an e-commerce service provider or an intermediary service provider can be used by other parties to engage in unlawful conducts, these providers can be protected under the safe harbour rules. Similar to the safe harbour rules under the US' Digital Millennium Copyright Act and the EU's E-Commerce Directive, the Regulation gives a broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content.
As for intermediary service providers, the Regulation also discharges them from any liability for illegal content provided that such providers are acting as mere conduit. This will be evidenced by, among others, the provider's lack of control over the transmission (including to modify the information). In addition, the Regulation also requires the providers to comply with the law, act in good faith and act expeditiously to remove or disable access to the illegal content upon knowing of its existence. If an intermediary service provider provides an 'interactive computer service' (layanan komputer interaktif), such as a social media platform, they will be discharged from any liability for restricting or removing access to a content if such action was carried out in good faith and based on a report that such content is illegal.
Cross-Border Personal Data Transfer
The Regulation also regulates personal data protection. Although these provisions are largely consistent with the rules imposed by other laws and regulations (i.e. the Electronic Information and Transactions Law5 and the electronic systems and transactions regulation), the Regulation does contain a provision on cross-border personal data transfer, which might be controversial.
Under the Regulation, a cross-border transfer of personal data can only be made to a country that is considered to have standard personal data protection at par with that of Indonesia. Whether another country's personal data protection is at par will depend on the discretion of the Minister of Trade. This is unusual and as the Regulation has only been issued, it remains to be seen how the Minister will handle this and the consequences (if any) that may arise if one fails to observe such requirement.
Similar to the electronic systems and transactions regulation, the Regulation provides for certain administrative sanctions and the relevant regulator, in this case the Ministry of Trade (in cooperation with the relevant parties), can also temporarily block the services of an e-commerce service provider that has breached the Regulation.
With the enactment of the Regulation, it is clear that the prodigious growth of Indonesia's e-commerce industry has finally pushed the government to act and explore a new source of fiscal revenue. We see this act most clearly through the thresholds and presence requirements.
Potential issues may arise with respect to the discretion afforded to the Minister of Trade for cross-border personal data transfer and to temporarily block the services of an e-commerce service provider. The assignment of a wide discretion to the Minister of Trade for a role that has traditionally been the domain of the Minister of Communications and Informatics, may open a pandora's box of issues, particularly with regard to coordination and execution.
But at the end of the day, it will all boil down to enforcement. For now, the Regulation allows the government to put one foot at the door and it is finally time that e-commerce players in Indonesia start being vigilant and play by the rules.
1. Government Regulation No. 80 of 2019 on Commerce through Electronic Systems.
2. Law No. 7 of 2014 on Trade
3. Government Regulation No. 71 of 2019 on Electronic Systems and Transactions.
4. An electronic communications facility means a facility that can be utilised as an information medium, communication platform, a platform to close a transaction, payment system and/or system to deliver goods.
5. Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on Amendment to Law No. 11 of 2008 on Electronic Information and Transactions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.