Financial transaction

E-Commerce Regulations in Indonesia – Lexology

This article will focus on the main regulatory requirements for foreign ESOs seeking to operate in Indonesia.

Since the myriad of laws and regulations (at governmental and ministerial level) on electronic transactions make it difficult to navigate the regulatory framework in Indonesia, this summary attempts to present the applicable regulations as of the date of publication. This notice should not be considered as legal advice and consultation with a qualified adviser is necessary.

Regulatory Regime for Electronic Service Operators (“ESO”)

At the time of writing, the main laws/regulations relevant to ESO are:

  • Law No. 19 of 2016 amending Law No. 11 of 2008 on the Electronic Information and Transactions Law (“EIT Law”)
  • Government Regulation No. 71 of 2019 on the Organization of Electronic System and Transactions (“GR 71”)
  • Government Regulation No. 80 of 2019 on Commerce through Electronic Systems (“GR 80”)
  • Regulation No. 5 of 2020 of the Ministry of Communication and Information Technology on the Private Scope of the Electronic System Operator (“MOCI 5/2020”)
  • Regulation No. 20 of 2016 of the Ministry of Communication and Informatics on the protection of personal data in electronic systems (“MOCI 20/2016”)
  • Ministry of Commerce Regulations No. 50 of 2020 on Provisions for Trade Licensing, Advertising, Counting and Supervision of Trade Acceptors in Trade through Electronic Systems (“CT 50/2020”)
  • Consumer Protection Act No. 8 of 1999 (“Consumer Protection Act”)

Operating in Indonesia

ESOs wishing to establish a presence in Indonesia must first register with the Ministry of Communication and Information Technology (“MOCI”) to start operations. The establishment of a local representative office is only required if the number of transactions or deliveries made by the ESO exceeds 1000 per year. In this case, the ESO must set up a local representative office. Their contact details must be passed on to the representative of a foreign commercial operator in accordance with local regulatory requirements.

Note that the ESO Terms and Conditions, Privacy Policy, and Registration pages must be translated into the local language (i.e. Bahasa). However, the English language may be used in other contractual clauses provided that a bilingual version is provided in the Bahasa language.

Consumer Protection Regulations

The Consumer Protection Act is the main source of consumer protection legislation in Indonesia. The law specifies a set of general rules applicable when companies or businesses offer goods or services to Indonesian end consumers. Some of them are rules requiring businesses to provide clear and correct information about goods or services and to serve consumers appropriately and fairly.

Key things to note under consumer protection law include prohibited terms in a subscription agreement (under Section 18) as well as regulations on free trials, auto-renewal and changing terms. Along with the aforementioned regulations, note that these are permitted subject to end-user notification obligations.

Data protection

There is currently no general data protection regime in Indonesia. What exists is a set of laws that collectively regulate the protection of personal data collected in an electronic system.

Article 1(29) of GR71 defines personal data as “All data relating to a person, identified or likely to be identified using this data […] through the use of electronic and/or non-electronic means.” (Article 1(29) of GR 71). When the ESO collects, processes, analyses, maintains or publishes the personal data of its users, it must obtain the consent of the owner of the data as to the purpose of these activities (article 14, paragraph 2, RG 71).

With regard to content management, note GR 71 distinguishes between public and private OENs. For ESOs of public scope, he must store his electronic system in Indonesia (unless this technology is not available in the country). For ESOs in the private domain, there is more flexibility for data centers to be located outside of Indonesia. However, ESOs must ensure that this system and its data are accessible to local authorities for monitoring and law enforcement.

When data is transferred across borders, ESOs must submit to MOCI prior and post notification of such transfer (Article 22, MOCI 20/2016). There are also data retention policies. For data related to financial transactions, they must be kept for a minimum of 10 years. For non-financial transactions, a minimum of 5 years (Article 25(1) of RG 80). Data may be deleted or erased in accordance with Article 16(1) of GR 71/2019. In the event of a personal data leak, note that ESOs are additionally required to issue a notification within 14 days of the leak (Article 28(4)(c), MOCI 20/2016).

Obligations relating to the content of ESOs

Consent is required in the use of personal contact information for marketing activities. Also note the requirement of Article 17 of the Consumer Protection Act, which obliges all advertisers to comply with the Advertising Code of Ethics (ACE) issued by the Indonesian Advertising Council.

Along with online advertisements, ESOs are permitted to run online advertisements provided they comply with applicable laws and regulations in Indonesia. These mainly refer to obligations of faithful representation in advertising, among others.

Private sector ESOs should be aware of user-generated content (“UGC”) regulations. UGC are content shared, exchanged and downloaded between users. ESOs should stipulate the governance conditions for the publication of UGC, including complaints procedures and the facility for resolving complaints (Article 10, MOCI 5/2020).

Also note that there are unique content regulation laws in Indonesia, including requirements of “taste and decency” in depicting acts of violence and violation of decency (which includes sports-related content) .

Penalties for non-compliance

The relevant penalties can be found under MOT 50/2020 under Articles 40 and 45. The penalties include up to 2 years imprisonment and a fine of up to IDR 500 million (approximately USD 36,000), among others. In addition, MOCI may order ESOs to remove prohibited content from its platforms following reports from relevant government authorities. Failure to respond may result in the temporary or permanent blocking of ESOs by the MOCI.

Other risks at the local level include local ESO employees being summoned for questioning by authorities, government fines imposed on the foreign ESO’s local entity, or even the arrest of employees (if is authorized by the local ESO entity to manage and make decisions on its behalf).

Please refer to Indonesia E-Commerce Regulatory Guide for more details on laws and regulations (at governmental and ministerial level) on electronic transactions.