[Guest Post] Danger Looming Large In Indonesia’s New E-commerce Law?

Editor’s note: This guest post was written by Remco Lupker, co-founder and ex-director of TokoBagus, a popular e-commerce site in Indonesia. He wrote about his opinion on the newly proposed and soon-to-launch government regulation on Indonesian e-commerce companies. Remco originally wrote this article on his blog on March 23rd, 2013, we have permission to repost this article.

This week the long awaited and probably feared Indonesian E-commerce law PP 82 became public and even though I’m no longer (directly) involved in any e-commerce business I thought I would take some time to read it. Mind you, this law is just the beginning and will be followed by 10 government regulations which will provide more details.

My friends from DailySocial already reported on this law yesterday highlighting the part that requires any e-commerce company doing business in Indonesia to register in Indonesia as well as running their platform on a .ID domain name. Already existing e-commerce companies are excused from the last clause, for now they are allowed to continue running their service on a .com or any other top level domain name.

Though I agree that the need for a .ID domain name is weird to say the least, it seems that the law poses bigger worries for new and existing e-commerce players in Indonesia. I won’t be discussing the whole law but just highlight some things that attracted my attention.

A request to my local friends in the Industry, please correct me where you think I’m making a wrong translation or interpretation. I realize that since my Indonesian is just so so lah, I’m on thin ice here so all the help and comments are welcome.

No More Facebook, iTunes, Path?

Mind you, this is not (just) an e-commerce law. This law applies to all digital platforms operating in Indonesia.

(2) Penyelenggara Sistem Elektronik untuk pelayanan publik wajib menempatkan pusat data dan pusat pemulihan bencana di wilayah Indonesia untuk kepentingan penegakan hukum, perlindungan, dan penegakan kedaulatan negara terhadap data warga negaranya.

So, before I give you the translation I will first give you the definition of an “Electronic System” in this context:

1. Electronic Systems is a series of electronic devices and procedures that serve to prepare, collect, process, analyze, store, display, publish, transmit, and / or distribute electronic information.

Thats’s pretty general right? So basically this law sets the following requirements for “Electronic System” used for public services:

(2) Operators of Electronic Systems for public services have to have a data center and a disaster recovery center in Indonesia for the purpose of law enforcement, protection, and enforcement of national sovereignty to the data of its citizens.

Now you might think that this is an e-commerce law and thus doesn’t apply to Facebook. The worst that could happen is that some International platforms like Amazon and Booking.com are blocked. Well, look again at the the definition of Electronic Systems, this applies to ANY public digital platform!

So I’m curious how the government will enforce this. There are two options. They don’t block sites that operate from abroad which will lead to more and more companies not investing in Indonesia anymore and just operate from abroad. This seems the opposite of what a government eager to see investments come to Indonesia should want. Also from regulation point of view this wouldn’t have the desired effect.

Second option, the Indonesian government HAS TO BLOCK all sites that don’t comply to this regulation. When this is done to the letter it WILL amount in an isolation of Indonesian Internet users since many big corporates are not very eager to put their servers in Indonesia.

In article 43 it’s explicitly re-confirmed that this also applies to e-commerce sites.

Either way, it’s gonna be interesting to see whether this part of the proposed law will become final and if it will how it will be interpreted and enforced. Insiders tell me this law will only be enforced on platforms using a .ID domain name. Really? So you have to use a .ID domain name but if you don’t this law doesn’t apply to you? Seriously, I don’t get it. I thought it’s in the interest of Indonesia to encourage LOCAL investments but this law seems to do exactly the opposite.

Unreasonable Liability?

Pasal 7
(1) Perangkat Lunak yang digunakan oleh Penyelenggara Sistem Elektronik untuk pelayanan publik wajib:
a. terdaftar pada kementerian yang menyelenggarakan urusan pemerintahan di bidang komunikasi dan informatika;
b. terjamin keamanan dan keandalan operasi sebagaimana mestinya;

(1) Software used by Electronic System Operators for public services shall:
a. be registered with the ministry that organizes government affairs in the field of communication and informatics;
b. guarantee the safety and reliability of operation as it should be;

Mind you this is a law, so guarantee means just that. It doesn’t say “Should do everything that can be reasonably expected to ensure the safety and reliability”, no siree, it says guarantee, loud and clear.

Well, NO ONE can guarantee the safety of any system, this has been proven time and time again. For me it’s not yet clear what penalties can imposed when the safety of a platform has been compromised but this is such a general statement and at the same time unreasonable that it can be applied on many circumstances.

The Attack Of The Certificates

Is this where the law will monetize itself? Just an example of new and required certificates being introduced:

– Certificate of Expertise
– Certificate of Airworthiness
– Certificate of Reliability

So far no one has a clue how to obtain these certificates, what the requirements are and what system will be used to ensure these certificates indeed have a purpose.

The End Of Online Classified Sites And Facebook?

If I understand correctly from Article 40 in this law, and I’m pretty sure I do, this law also applies to “Interpersonal transactions”. If implemented to the letter this means that any private seller selling on any platform such as Facebook, forums and online classifieds sites are subject to this law to a certain extent. The result is that everyone selling online, even though using an external platform, has to have a “Sertifikat Keandalan” which means “Certificate of Reliability”. Now I assume that platforms allowing private persons to sell through their platform will be held responsible for checking this.

Someone pointed out that this law only applies to companies based on article 1 par 4 but that article only applies to “Electronic Systems”. Article 40 par 1 applies to ANY Electronic Transaction. So according to Article 40-42 private persons selling online through any platform need to have a ”Certificate of Reliability”.

When I tweeted this I got into a discussion with some local experts who in the end agreed with my conclusion.

So how can a law like this be enforced on a medium like the Internet? Well, put it simply, it can’t! So my guess is that the responsibility for making sure the rules are followed will be moved to the owners of the “Electronic System”. No I don’t think it will then be actively enforced by the government but as soon as something goes wrong and the seller doesn’t have a ”Certificate of Reliability” the shit will hit the fan for the platform owner.

My experience from the past is that even when you ask members for a copy of their KTP (ID card) or passport you run the risk of receiving near perfect Photoshop created “copies” so asking for a copy of ones ”Certificate of Reliability” will surely partially result in the same.

But… there’s one clause that might be the “get out of jail free card”, because what exactly is an “Electronic Transaction”?

Article 1
2. An Electronic Transaction is a legal act that is done using computers, computer networks, and / or other electronic media.

When people sell on Facebook, Kaskus or Tokobagus one can most definitely argue that it’s NOT an Electronic Transaction since the transaction itself is done off-site using BBM (ahh, isn’t this an electronic media as well?) the phone or in person. But if that’s so then why include private persons in this law in the first place. My guess is that this will become the most discussed and argued paragraph in this law because to me it seems to be open to multiple interpretations.

Perspective And Disclaimer

I AM NOT a legal expert nor do I have any legal title in Indonesia or elsewhere. Everything expressed in this post is a personal interpretation of this law and no rights or claims can be derived from any information in this post. Just to be clear, this post reflects my personal opinion only and doesn’t represent the opinion of any company. For a professional legal opinion/consult you should always contact a licensed lawyer specialised in IT law in Indonesia.

Anyway, this law definitely raises a lot of questions and lacks clarity on vital parts of it. So now we’ll have to wait the soon to be expected 10 ministerial regulations which need to provide more detail. To be honest, for now I’m happy I don’t have any stakes in e-commerce companies in Indonesia because this law will at least give a lot of headaches.

My hope is that the big players and IDEA will step up to the plate helping to make the Internet a safer place for online shoppers so the government can have a slightly more “hands-off” approach.


Remco founded Trustcon Network Solutions in 2001 which was specialized in connectivity & security and active for the leading telco’s in the Netherlands. After having sold the company he founded Soltria Europe and shifted his focus on e-commerce solution. The same time he joined forces with his current business partner Arno Egg to launch Tokobagus.com where he left the e-commerce company late 2012. Living as an immigrants in Indonesia he regularly share his thoughts and opinion on the developments in this emerging market. Follow him @remco_l.

Leave a Reply

Your email address will not be published.