Policy Changes Coming to Indonesia's Digital Economy
The Government of Indonesia (GoI) hopes revising a key government regulation will boost foreign investment and grow the country’s digital economy.
GoI is in the process of revising Government Regulation No. 82 Year 2012 (GR82). GR82 regulates electronic systems and transactions, data storage/centers, and the collection, recording, sharing, and supervision of data.
We sat down with the man behind the new revision, Semuel Abrijani, the Director General of Information and Applications at the Ministry of Communication and Information, to get the latest update and learn what the business community can expect. Links to the Indonesia In-depth podcast are included below. Here are the key takeaways from our discussions:
· GR82 required all parties that operate electronic systems and transactions to store and process their data onshore, regardless of the type of data. For many companies and organisations handling Indonesian user data, this requirement is burdensome, inflexible, costly and difficult to implement. For Indonesia overall, this requirement has been an obstacle to the country’s efforts to transition to a digital economy.
· GoI hopes to address this issue with a new revision that will act as an umbrella framework for data regulation, which is part of Widodo's effort to create an “ecosystem” to support the country’s digital economy. The president aims to increase the country's competitiveness when it comes to data management and processing.
· The draft revision is currently in the hands of the State Secretariat to be harmonised with other regulations before being signed by the President by the end of 2018. Although the GoI has been claiming that the draft is fully complete and ready to be signed, it appears that more work needs to be done even at this stage. Mr. Semuel Abrijani admitted that some fine-tuning remains to be done and that the closing of the year may slow the revision's progress and push the finalization and signing to 2019.
· Although the revision to GR82 is scheduled to be signed in the near future, it’s important to note that individual regulatory bodies under the relevant ministries will issue the final data guidelines once the new revision is official.
Details of the Revision
· The revised GR will focus on regulating the activities of data controllers, which are the organisations or companies that manage and, in some instances, collect personal data from data owners (e.g. citizens). Some examples of data controllers include banks and merchants.
· The revised GR will classify data into three categories: (1) strategic, (2) high-risk and (3) low-risk. Of the three types, only strategic data is required to be stored locally.
Strategic data entails all data that is critical or sensitive national information and must be stored onshore. The list includes 8 categories: governance, defence, finance, health, energy and mineral resources, technology/informatics, and food security. International sharing of strategic data will be limited and subject to strict agreements and procedures.
High-risk data entails only data that is relevant between the owner and the data collector. It’s important to note that the current draft does not provide further details elaborating what high-risk electronic data is or provide examples.
Low-risk data entails data other than strategic and high-risk electronic data. Again, the current draft does not provide further details elaborating what low-risk electronic data is or provide examples.
· When a data set mixes strategic, high-risk and low-risk data, only the strategic data will be required to be stored and processed onshore, while the other data can be offshore. However, this raises several uncertainties:
It is unclear how the government would treat and separate hybrid data, that is, data which is both strategic and high/low-risk in nature, or how data controllers would maintain multiple data centres for the same users.
Officials state that the President will issue a decree delegating to all coordinating ministries the task of classifying data for their sectors. However, it is questionable whether these sectors can ensure the consistency of classification across sectors.
· Although the GoI will only require strategic data to be stored onshore, it will have the right to access high-risk and low-risk data for evidence gathering, with the consent of the controller. However, this could be problematic, since the GoI requires that it be granted access to the data, rather than the data controller providing or presenting the relevant data itself to the GoI. If this request is not granted, the GoI has the power to block the data controller in question.
· The type of data may not be the only deciding factor for onshore or offshore data storage. Further implementing regulations (in the form of a Presidential Decree) will set further qualifications and exceptions determining which data should be stored onshore, such as the size of the business or the number of local customers.
· Each sectoral regulatory body will further decide the details and technicalities of the data storage requirements, as the GoI believes they know best. For example, the Financial Services Authority (the OJK), which oversees the banking and financial services industry, plans to relax its data storage requirements for foreign banks. However, it is unclear if all of these sectoral bodies are ready to take on this task and what kind of requirements they will impose.
· Currently, most major data players that collect data from Indonesian users, such as Facebook, Amazon, Gojek, Traveloka and Google, among many others, have established their data centres in Singapore due to its advanced infrastructure, stable economy, submarine transmission cables and landing stations. Mr. Semuel said the GoI is aware of this but aims to improve Indonesia’s data storage competitiveness, and that the revision to GR82 is one step towards slowly creating an ecosystem that is more attractive to data players.