The removal of data-flow restrictions stipulated under Government Regulation no. 71/2019 improves efficiency and incentivizes innovation. However, such improvement can be rolled-back if the proposed Minister of Communication and Informatics Regulation (Permenkominfo) on the “Management of Private Electronic Services Providers (ESP)” is introduced.
The proposed ministerial bylaw (as a technical regulation to the PP no. 71/2019) regulates the management and requirements for private ESPs, and sets rules for content removal (takedown). There are four concerns and implications to this proposed regulation:
First Implication: Broad Definition of Private ESPs (Article 1, 2, 3)
The ESPs defined under this regulation includes not only entities with ESP as their core business, but also other businesses that use electronic means to communicating with their customers. This can be impossible if not highly restrictive to business environment as most businesses including SMEs now relies on ESP services for day-to-day operations. This regulation should instead be directed to ESP-core businesses in order to keep certainty in business environment.
Second Implication: Extra Licensing Requirement for the Management/Use of Data Outside of Indonesian Jurisdiction (Article 6)
Article 6 of the proposed regulation states that private entities must have the permit issued by the Minister in order to store/manage their data abroad. This adds to the bureaucratic red tape and is contrary to the bureaucratic reform as intended by the issuance of Government Regulation no. 71/2019.
Third Implication: Obligations for Cloud Services Businesses (Article 17)
Article 17 of the proposed ministerial regulation states that “Private ESPs that organizes cloud computing must have policies regarding electronic information and/or electronic data and ensures the system does not facilitate the transmission of prohibited information/data”. Furthermore, article 30 stipulates the obligation for cloud computing services to grant access to law enforcement.
 The law has not been put in place but the draft is publicly accessible.
Fourth Implication: The (lack of) Clarity in the Content-Removal Provisions (Article 13)
Provisions on Content Removal must be clarified further in order to avoid uncertainty. The definition of content that causes ‘public disruption’ is too subjective and arbitrary, hence enforcing such content removal does not have strong legal basis. Furthermore, the two-hour time period given to ESP providers is deemed too short, as not all ESPs has the resources to monitor their whole content throughout the day.
We propose several recommendations to the future policy. Private ESP should be defined specifically for business entities that have ESP as their core business. The government also need to reconsider the mandatory ministerial permit for private ESPs that stores/process their data abroad. On the other hand, ESPs should not be held accountable for contents stored/processed within their system as they run on the principle of consumer confidentiality while the definition of ‘illicit contents’ must be further clarified to avoid uncertainty.
Our policy brief on PP no. 71/2019 can be found here.