Sangat Pedas

Danger Looming Large In Indonesia’s New E-commerce Law?


There has been a discussion about the definition of a “Public Service”. In the context now most agree with my definition of “a service that’s accessible for the public”. But I gotta agree that usually “Public Service” is defined as a government service such as gas, electricity and public transport. So probably they should change it to “Public Accessible Digital Service”.

For people who still disagree with this interpretation please read art 1 par 4:

Penyelenggara Sistem Elektronik adalah setiap Orang, penyelenggara negara, Badan Usaha, dan masyarakat yang menyediakan, mengelola, dan/atau mengoperasikan Sistem Elektronik secara sendiri-sendiri maupun bersamasama kepada Pengguna Sistem Elektronik untuk keperluan dirinya dan/atau keperluan pihak lain.


Electronic System Operator is any person, state officials, business entities, and community provider, manage and / or operate Electronic systems individually or together to Users for Electronic Systems her needs and / or needs of others.

Pretty clear in my opinion.


This week the long awaited and probably feared Indonesian E-commerce law PP 82 became public and even though I’m no longer (directly) involved in any e-commerce business I thought I would take some time to read it. Mind you, this law is just the beginning and will be followed by 10 government regulations which will provide more details.

My friends from Dailysocial already reported on this law yesterday highlighting the part that requires any e-commerce company doing business in Indonesia to register in Indonesia as well as running their platform on a .ID domain name. Already excisting e-commerce companies are excused from the last clause, for now they are allowed to continue running their service on a .com or any other top level domain name.

Though I agree that the need for a .ID domain name is weird to say the least, it seems that the law poses bigger worries for new and existing e-commerce players in Indonesia. I won’t be discussing the whole law but just highlight some things that attracted my attention.

A request to my local friends in the Industry, please correct me where you thing I’m making a wrong translation or interpretation. I realize that since my Bahasa Indonesia is just so so lah I’m on thin ice here so all the help and comments are welcome.

No More Facebook, iTunes, Path?

Mind you, this is not (just) an e-commerce law. This law applies to all digital platforms operating in Indonesia.

(2) Penyelenggara Sistem Elektronik untuk pelayanan publik wajib menempatkan pusat data dan pusat pemulihan bencana di wilayah Indonesia untuk kepentingan penegakan hukum, perlindungan, dan penegakan kedaulatan negara terhadap data warga negaranya.

So, before I give you the translation I will first give you the definition of an “Electronic System” in this context:

1. Electronic Systems is a series of electronic devices and procedures that serve to prepare, collect, process, analyze, store, display, publish, transmit, and / or distribute electronic information.

Thats’s pretty general right? So basically this law sets the following requirements for “Electronic System” used for public services:

(2) Operators of Electronic Systems for public services have to to put the data center and disaster recovery center in Indonesia for the purpose of law enforcement, protection, and enforcement of national sovereignty to the data of its citizens.

Now you might think that this is an e-commerce law and thus doesn’t apply to Facebook. The worst that could happen is that some International platforms like Amazon and are blocked. Well, look again at the the definition of Electronic Systems, this applies to ANY public digital platform!

So I’m curious how the government will enforce this. There are two options. They don’t block sites that operate from abroad which will lead to more and more companies not investing in Indonesia anymore and just operate from abroad. This seems the opposite of what a government eager to see investments come to Indonesia should want. Also from regulation point of view this wouldn’t have the desired effect.

Second option, the Indonesian government HAS TO BLOCK all sites that don’t comply to this regulation. When this is done to the letter it WILL amount in  an isolation of Indonesian Internet users since many big corporates are not very eager to put their servers in Indonesia.

In article 43 it’s explicitly re-confirmed that this also applies to e-commerce sites.

Either way, it’s gonna be interesting to see whether this part of the proposed law will become final and if it will how it will be interpreted and enforced. Insiders tell me this law will only be enforced on platforms using a .ID domain name. Really? So you have to use a .ID domain name but if you don’t this law doesn’t apply to you? Seriously, I don’t get it. I thought it’s in the interest of Indonesia to encourage LOCAL investments but this law seems to do exactly the opposite.

Unreasonable Liability?

Pasal 7
(1) Perangkat Lunak yang digunakan oleh Penyelenggara Sistem Elektronik untuk pelayanan publik wajib:
a. terdaftar pada kementerian yang menyelenggarakan urusan pemerintahan di bidang komunikasi dan informatika;
b. terjamin keamanan dan keandalan operasi sebagaimana mestinya; 

(1) Software used by Electronic System Operators for public services shall:
a. be registered with the ministry that organizes government affairs in the field of communication and informatics;
b. guarantee the safety and reliability of operation as it should be;

Mind you this is a law, so guarantee means just that. It doesn’t say “Should do everything that can be reasonably expected to ensure the safety and reliability”, no siree, it says guarantee, loud and clear.

Well, NO ONE  can guarantee the safety of any system, this has been proven time and time again. For me it’s not yet clear what penalties can imposed when the safety of a platform has been compromised but this is such a general statement and at the same time unreasonable that it can be applied in many circumstances.

The Attack Of The Certificates

Is this where the law will monetize itself? Just an example of new and required certificates being introduced:

- Certificate of Expertise
- Certificate of Airworthiness
- Certificate of Reliability

So far no one has a clue how to obtain these certificates, what the requirements are and what system will be used to ensure these certificates indeed have a purpose.

The End Of Online Classifieds Sites And Facebook?

If I understand correctly from Article 40 in this law, and I’m pretty sure I do, this law also applies to “Inter personal transactions”. If implemented to the letter this means that any private seller selling on any platform such as Facebook, forums and online classifieds sites are subject to this law to a certain extend. The result is that everyone selling online, even though using an external platform, has to have a “Sertifikat Keandalan” which means “Certificate of Reliability”. Now I assume that platforms allowing private persons to sell through their platform will be held responsible for checking this.

Someone pointed out that this law only applies to companies based on article 1 par 4 but that article only applies to “Electronic Systems”. Article 40 par 1 applies to ANY Electronic Transaction. So according to Article 40-42 private persons selling online through any platform need to have a ”Certificate of Reliability”.

When I tweeted this I got into a discussion with some local experts who in the end agreed with my conclusion.

So how can a law like this be enforced on a medium like the Internet? Well, put it simply, it can’t! So my guess is that the responsibility for making sure the rules are followed will be moved to the owners of the “Electronic System”. No I don’t think it will then be actively enforced by the government but as soon as something goes wrong and the seller doesn’t have a ”Certificate of Reliability” the shit will hit the fan for the platform owner.

My experience from the past is that even when you ask members for a copy KTP or passport you run the risk of receiving near perfect Photoshop created “copies” so asking for a copy of ones ”Certificate of Reliability” will surely partially result in the same.

But… there’s one clause that might be the “get out of jail free card”, because what exactly is an “Electronic Transaction”? 

Article 1
2. An Electronic Transaction is a legal act that is done using computers, computer networks, and / or other electronic media.

When people sell on Facebook, Kaskus or Tokobagus on can most definitely argue that it’s NOT an Electronic Transaction since the transaction itself is done off-site using BBM (ahh, isn’t this an electronic media as well?) the phone or in person. But if that’s so then why include private persons in this law in the first place. My guess is that this will become the most discussed and argued paragraph in this law because to me it seems to be open to multiple interpretations.

Perspective And Disclaimer

I AM NOT a legal expert nor do I have any legal title in Indonesia or elsewhere. Everything expressed in this post is a personal interpretation of this law and no rights or claims can be derived from any information in this post. Just to be clear, this post reflects my personal opinion only and doesn’t represent the opinion of any company. For a professional legal opinion/consult you should always contact a licensed lawyer specialised in IT law in Indonesia.

Anyway, this law definitely raises a lot of questions and lacks clarity on vital parts of it. So now we’ll have to wait the soon to be expected 10 ministerial regulations which need to provide more detail. To be honest, for now I’m happy I don’t have any stakes in e-commerce companies in Indonesia because this law will at least give a lot of headaches.

My hope is that the big players and IDEA will step up to the plate helping to make the Internet a saver place for online shoppers so the government can have a slightly more “hands-off” approach.