Contemporary approaches to cross-border M&A and rapid new innovations in technology-based services make Indonesia a catalyst for change
With the fast advancement of technology across the world, Indonesia has found itself with quite a number of the “hottest and most funded” Asian tech companies, such as Go-Jek, Tokopedia, Traveloka and Bukalapak. Looking at how technology transformation trends are growing, Indonesia has entered a new phase by enacting regulations and guidelines for financial technology (fintech) and cryptocurrencies. There has also been a spurt of impending new regulations or amendments on cybersecurity, data protection, internet of things (IoT) and Over the Top (OTT) services.
Under Indonesia’s legal framework, there are no specific regulations on cybersecurity. This issue is, however, implicitly addressed mainly in Law No. 11 of 2008 regarding Information and Electronic Transactions, as last amended by Law No. 19 of 2016 (EIT Law), which came into force on 21 April 2018. While the EIT Law does not provide a specific definition of cybersecurity, there are several cyber activities that are considered criminal offences in Indonesia, such as hacking, system interference, phishing, infection of IT systems with malware, possession or use of hacking tools, and identity and electronic theft.
Cybersecurity is explained further in Government Regulation 82/2012 regarding Implementation of Electronic Systems and Transactions, which classifies certain levels of protection for electronic systems. For instance, electronic systems for public services will be subject to various requirements including: (1) registration with the Ministry of Communication and Informatics (MCI); (2) obtaining information electronic system certification; and (3) data localization requirements within the territory of Indonesia. In addition, personal data is protected by MCI Regulation No. 20 of 2016 regarding personal data protection (PDP). The PDP regulation covers various aspects including an internal policy requirement in managing personal data, a notification requirement on a data breach, and reporting obligations for cross-border personal data transfer.
There is a flurry of regulatory discussion regarding the current legal framework for cybersecurity and PDP. The lack of comprehensive regulation and missing provisions in relation to classification of data, electronic system certification, cross-border transfer, the right-to-be-forgotten mechanism, etc., have hindered certain companies in starting their business in Indonesia. Clarifications are needed in this absence of information. For instance, currently all data that are collected and processed by electronic systems for public services must be stored within Indonesian territory, which can create obstacles for cloud companies in Indonesia.
The MCI has come up with draft regulations, including a draft Personal Data Protection Law and an amendment to GR 82/2012, in order to keep up with the rapid development of tech-based business activities. Based on the current drafts, the MCI proposed to enhance the scope of protection in regard to cyber threats by providing further definition and guidance on novel compliance provisions for Electronic System Operators (ESO). The draft framework is expected to focus on a definition of data, internal governance and criminal sanctions related to personal data collection. While the draft may only provide general information and guidelines, it is likely that future regulations will be referenced in the draft.
Fintech activities are regulated by either Otoritas Jasa Keuangan (OJK) or Bank Indonesia (BI). There are several varieties of fintech services including settlement of transactions, accumulation of capital, investment management, market supporter, peer-to-peer (P2P) lending, crowdfunding and other financial services activity including fintech companies where services are related to payment systems. The most popular form of fintech companies in Indonesia is P2P lenders. As of February 2019, OJK had registered over 99 P2P lending companies.
Regarding lending activities, OJK has issued two regulations. The first one is POJK 77 on Money Lending Services Based on Information Technology, which accommodates P2P lending activities. Recently, OJK issued a more advanced regulation, i.e. POJK 37, which accommodates equity crowdfunding activities in Indonesia. These regulations have clearly set out the scope of lending activities, registration and/or licensing procedures, minimum foreign investment, capital requirements, change of ownership, information technology system requirements, risk mitigation, data localization and agreements between service provider and lender and between lender and borrower. In respect of security measures for electronic systems of fintech companies, OJK expects fintech companies to follow the general requirement on cybersecurity. The increasing use of P2P lending as one way for individuals to obtain funding has led to certain illegal activities.
Recently, the authors understand that illegal P2P companies have been able to collect personal data of users and process it for unlawful purposes. In response, the MCI has blocked certain illegal P2P apps and websites. The authors believe the absence of heavy sanctions in the PDP regulations may affect these issues since the regulations only have administrative sanctions.
BI has an important role in regulating fintech that may affect payment systems. For instance, electronic money, which has been an integral part of several fintech companies, is regulated under BI Regulation 20. Electronic money is issued based on a certain value of money that is deposited in advance with the electronic money service provider and stored electronically through server or chip-based media, and will not be seen as savings under banking laws.
Aside from that, relevant provisions regarding the licensing of electronic money issuers, composition of shareholdings, the organization of electronic money, risk management, standard security of electronic information, consumer protection principles and anti-money laundering principles have been adopted within the regulation. Finally, BI also accommodates the business activity of payment system service providers including switching providers, payment gateway, clearing, settlement organizer, fund transfer provider, and electronic wallet provider under BI Regulation 18.
Finally, in order to accommodate the innovative products provided by fintech companies, which may not have been specifically regulated and covered by the above regulations, both OJK and BI have their own regulatory sandbox in which fintech start-ups are able to operate under special exemptions for a limited time determined in the absence of regulation. With the sandbox, the authorities can monitor the product and provide comprehensive regulations based on this. Based on our practice, the authors understand that all innovative products that are connected to payment systems are under BI’s jurisdiction, while others such as robot advisory and credit scoring activities will be under OJK jurisdiction.
IoT and OTT
In relation to the development of IoT, the MCI has just issued MCI Regulation No. 1 of 2019 on Utilization of Radio Frequency Spectrum Based on Class License. MCI Regulation No. 1 accommodates the operation of IoT services by providing a class license under which users and/or providers are able to operate devices using certain radio frequency spectrums. A class license is given for the usage of hardware and/or telecoms devices of WLAN, SRD, DSRC, LAA, LWA non-cellular, and any other devices operated on a radio frequency and utilized based on a similar class license in accordance with their level of technology and characteristics. Any IoT device that is to be commercialized in Indonesia must fulfil certain technical requirements and obtain certification.
For OTT services, the MCI has issued Circular Letter No. 3 of 2016 regarding Provision of Application and/or Content Services through Internet. Within the circular letter, the MCI attempts to stretch the applicability of upcoming regulations to apply to foreign OTT service providers. Although the circular letter is not binding in nature, under it any foreign OTT service providers who want to provide their services in Indonesia are required to have a permanent establishment. OTT service providers also have to comply with the regulations in Indonesia, including but not limited to tax, competition, intellectual property, broadcasting, film, advertisement, pornography, and anti-terrorism. An OTT service provider is required to conduct proper data protection, content filtering and censoring mechanisms in accordance with regulations.
Indonesia has vast potential to attract tech companies and investors, and new tech business models will continue to emerge. While the regulatory framework may not completely accommodate various business models, it is likely that relevant authorities will issue more regulations in the future.
BAGUS ENRICO & PARTNERS
DBS Bank Tower, 17th floor
Jl Prof Dr Satrio Kav 3-5, Jakarta 12940, Indonesia
Tel: +62 21 2988 5959
Fax: +62 21 2988 5958