Director General of Information Application on updating the GR82 revision and the Data Protection Law
Nov 26, 2018 | Yanuar Wibisana
When President Joko Widodo said Indonesia would become the largest digital economy in Southeast Asia, he encouraged all stakeholders to join efforts to maximize the nation’s potential in this field.
As one of the most important stakeholders, the regulator’s role is crucial in providing a legal foundation for the development of the digital economy. Regulations need to accommodate the rapid advancement of technology in order to accelerate the growth of Indonesia’s digital economy.
Speaking on behalf of the Ministry of Communication and Informatics, Director General of Information Application Semuel Abrijani Pangerapan sat down with AmCham Indonesia to talk about updates of important regulations such as the revision of Government Regulation No 82 of 2012 (GR82) which implemented various aspects of the Electronic Information Law; the Data Protection Law; and the importance of these regulations to support Indonesia’s digital economy.
AmCham Indonesia: What are the latest insights into the GR82 Revision?
Semuel Abrijani Pangerapan: Let me explain the background of the revision of GR82. Triggered by digitalization and rapid technological development, the government of Indonesia wants to embrace the changes by transforming the nation. Our president has stated that Indonesia will be the “Energy of Asia” in terms of the digital economy. This means that we need to prepare adequate infrastructure that can support the development of the digital economy in Indonesia.
The vision is there, but to make the vision a reality is not that easy. Transformation needs time. We need to understand what is being transformed and the shifting role and function of the ministry to embrace the changes. There are many obstacles that our nation faces to achieve positive transformation, and one of them is GR82. When I was appointed to my position, one of my first tasks was to review GR82. I believe that GR82 is an obstacle to many digital players.
We conducted meetings after meetings, and finally we decided to revise the regulation, particularly regarding the placement of data centers. In this new digitalization era, it is not about physical data centers, but what’s important is the access to the data itself. This is why we changed the mandatory physical data center localization.
For now, the revision is in the process of harmonization at the upper-level. Content-wise, the revision is already complete. There will be harmonization on two levels, with the Ministry of Law and Human Rights and the State Secretary. We will be able to distribute the regulation after it has been approved and legalized by the law ministry.
The revision is in the form of a Government Regulation or Peraturan Pemerintah (PP). Further provisions will be regulated by the president. The only change in the final draft of the revision [compared to the last draft in February] is that we deleted Article 43 on Domestic Data Transaction.
What about data classification?
We classified data into three area: strategic data, high-risk data, and low-risk data. And for now we are going to focus on strategic data and high-risk data.
What is classified as strategic data? Data is classified as strategic if the data affects the system of government, the security and law enforcement of our nation. This is why we demand strategic data to be physically stored and processed within Indonesian territory. No bargaining. We also work with international organizations such as Interpol on securing important strategic data such as data about terrorist arrests or big bank fraud.
What is classified as high-risk data? Data that can affect many important sectors such as the financial system or banks. High-risk data should be managed carefully, and still be under the laws of Indonesia. For instance, our Electronic Information and Transaction Law (Law No. 11 2008) is extra-territorial, which means that the law applies outside Indonesian territory.
High-risk data must also be monitored by the related government agencies. The owners of high-risk data must provide access to the data to relevant government agencies. For example, banking data must be monitored by the Financial Services Authority (OJK). The point is that for high-risk data, the inspectors should be able to access the data in Indonesia through the cloud.
Does this mean that the physical location of the data is not important? And what matters is that the related government officials can access the data?
Yes. Even though the data center is physically outside Indonesia, the rules of data storing and data processing still follow Indonesian laws. This means that no matter where the data is stored, it is still under Indonesian laws and the players should comply with existing laws.
One important thing to be noted is that the inspectors from Indonesia should be able to easily monitor the data and get access to the cloud. I have told my friends in Bank Indonesia and the OJK about this, and they need to understand this as part of technological change. This is a new approach that the regulators should understand. It is impossible for us to maintain the old-fashioned ways in this era.
I must admit that the process of transition is not that easy and it takes time. Many of our regulators are very new to this kind of monitoring, and they need to adapt to this new way. We want to transform the way the government works. Soon we will have a law about personal data protection. We already have personal data protection regulations, but only at the ministerial level. When the law is passed, the government will have more jurisdiction to protect citizens’ personal data. These developments in our regulations are necessary for Indonesia to embrace rapid changes in technology.
What kind of data is classified as strategic data and low-risk data?
Data classified as strategic data could be in the form of the private data of citizens. For example, data about population and civil registration should be stored locally or in Indonesian territory because it is considered strategic data. This means that banks need to store their customers’ personal data in Indonesia.
For low-risk data, we provide some flexibility on the classification. We trust each of the data holders to be responsible for what they store. For startups, we will give some flexibility on this because we do not want to discourage their development. For example, most of the fintech players are still in sandbox-based data, which is classified as low-risk. However, the players should make the data accessible when the inspectors need it.
What is the impact of this regulation on local and multinational companies?
I think the biggest role of this regulation is to create an equal playing field between local and multinational companies. No matter who is the player, either local or multinational, the regulation applies the same set of rules. No discrimination.
I hope that with this regulation, more and more people will recognize Indonesia as a country that embraces the digital economy. In other words, tech players will invest more in Indonesia. Our target is crystal clear from the president, to be the “Energy of Asia” in the field of the digital economy. It should be noted that we are not hampering businesses; we only want to provide an equal playing field.
We also hope that this regulation can positively impact the development of startups and new tech companies that are going to invest in Indonesia. Through the provisions of business permits, the regulation has been proven effective in making the permitting process efficient, and the Online Single Submission (OSS) system is proof. We believe that innovative ideas in business should be realized quickly, and therefore we pay attention to business permit efficiency.
Does the banking industry welcome this regulation?
Every change must have a process, and inevitably the actors involved in it should undergo the process. Some can adapt, and some need more time to adapt. But in the end, they will eventually follow the process and accept the change.
Actually, we try to make our regulations as flexible as possible so that we are not hampering businesses. If we compare ourselves with Europe’s General Data Protection Regulation [GDPR], our regulation is less strict. If companies comply with Europe’s GDPR, they should also comply with our regulation.
We realize that companies provide jobs, and providing jobs is one of our government’s priorities. This is why we try our best not to hamper businesses with our regulations
Speaking of the data protection law, how is its development?
Our Data Protection Law will have 90 percent resemblance with its European counterpart. However, our GDPR will be better because we learned from their mistakes, which is that we have tried to make the law more flexible and business friendly.
We are working together with the European Union [EU], and we will send a team somewhere in October to observe and learn the lawmaking process of the European GDPR. This whole trip is funded by the EU.
The draft law has been made, but unfortunately it has not been included in the National Legislation Program or Prolegnas to be further discussed by the House of Representatives [DPR]. Thankfully, because of the Facebook data privacy issue, the DPR has finally agreed to discuss the possibility of passing this law. Now the draft law is currently in the harmonization process, and will ultimately be included in the Prolegnas.
Additional reporting by Karmila Bain and Peter Sean Lie