For further guidance on laws and regulations that can address digital harms while enhancing and protecting freedom of expression and privacy, see GNI’s Content Regulation and Human Rights Policy Brief.
On November 24, the Indonesian Ministry of Communication and Information Technology (“Ministry”) issued Regulation No. 5/2020 (“MR5 regulation”). The MR5 regulation, which was developed without adequate public consultation, sets out a wide range of provisions regulating various aspects and activities of electronic system operators (ESOs).
For the reasons set out below, the Global Network Initiative (GNI) is concerned that a number of provisions in the MR5 regulation appear to be inconsistent with international human rights principles and could create significant negative impacts for covered services, as well as users of those services. GNI calls on the Government of Indonesia to further suspend implementation of this law in order to conduct a review in collaboration with ESOs, civil society, and other relevant stakeholders to ensure its laws and regulations are consistent with Indonesia’s international human rights commitments and domestic legal framework.
GNI is the world’s preeminent multistakeholder collaboration in support of freedom of expression and privacy in the information and communications technology (ICT) sector. GNI’s members include leading academics, civil society organizations, ICT companies, and investors from across the world. All GNI members adhere to the GNI Principles on Freedom of Expression and Privacy, which provide guidance on how to navigate government demands and restrictions consistent with international human rights law and the UN Guiding Principles on Business and Human Rights.
GNI brings a unique set of perspectives and experiences to bear on the issues addressed in MR5. Last year, GNI conducted wide-ranging research and global consultation on legal and regulatory efforts to address online harms around the world. GNI engaged in a detailed analysis of two dozen such content regulation efforts, convening six events targeting government officials and other stakeholders in Africa, the EU, India, Pakistan, and the U.K. This work culminated in GNI’s Content Regulation and Human Rights Policy Brief (Policy Brief), which identifies helpful and problematic elements of emerging approaches and includes specific recommendations for how governments can address digital content-focused concerns consistent with human rights principles.
Concerns about the MR5 Regulation
I. Overly Broad Application + Registration Requirement
MR5 governs all private ESOs, which includes a broad grouping of services, including social media and other content-sharing platforms, digital marketplaces, search engines, financial services, data processing services, and messaging, video, and gaming services. All ESOs who 1) provide services in Indonesia, 2) have a business in Indonesia, or 3) have electronic systems used or offered in Indonesia are required to register and obtain an ID certificate with the Ministry before Indonesians can even access their services. Initially, the deadline was May 24, 2021, but it has been postponed until 6 months after the Single Sign-On (SSO) is implemented. The Ministry has the power to block access to the platform if a company fails to register. This registration requirement may create administrative challenges for some companies, and it is unclear how the government intends to enforce it.
Contrary to the emphasis in our Policy Brief on “tailored, effective, and fit for purpose” laws, the MR5 regulation does not specify obligations based on the size, capacity, or risk exposure of particular services (while separate provisions for “Cloud Computing” are set out, these are confusing and the distinctions in approach are largely without explanation or justification). Insufficient consideration of the appropriate type of service, risk, resources, and capabilities to be covered by regulation can pose significant burdens to smaller and early stage companies, as well as have a chilling effect on speech by encouraging over-enforcement. Going forward, we call on the government to use (and extend if necessary) this period of postponed implementation to consult with stakeholders on how best to narrow the application of any laws or regulations intended to address ESOs.
II. Personnel Localization
Article 25(1) of the MR5 regulation compels ESOs whose digital content is used or accessed within Indonesia to appoint a local point of contact based in Indonesia. This person will be held responsible for responding to content removal or personal data access orders. Where other countries are exploring similar requirements, GNI has consistently expressed concern with these types of provisions, especially to the extent that they make such representatives personally liable for company actions. While in-country expertise can help a company better navigate the local context, without sufficient safeguards and protections for local representatives, such requirements unnecessarily expose local staff to harm and make it less likely that companies will push back on overbroad government approaches or unlawful requests. GNI encourages the government to clarify that local representatives of ESOs will not be held personally liable for company conduct under MR5.
III. Lack of Definitional Clarity
Article 9(4) defines prohibited information and content as any that is: a) in violation of the law and regulation, b) causing public unrest and disturbance of public order, and c) providing info on the method or access to prohibited content. The use of the conjunctive “and” (dan) in this Article would appear to indicate that content has to satisfy all three of these classifications in order to be prohibited under the MR5 regulation. However, if instead each type of content listed in Article 9(4) is meant to be prohibited, the second and third categories would by definition prohibit content that is not “in violation of the law,” which would be in tension with the principle of “legality” and contradict international best practice.
The Ministry has given itself the power to define what constitutes content that causes “public unrest and disturbance of public order.” This gives the entity charged with enforcing the law the power to dictate the legality of speech, which should instead be the judgement of a court or other independent authority. We are also concerned that Article 9(4)c suggests that ESOs will not be allowed to disseminate or facilitate dissemination of any information providing access to prohibited electronic information. This could potentially include information regarding the use of Virtual Private Networks (VPNs), which are widely used for legitimate privacy and security reasons by many Indonesian businesses and individuals.
Moreover, as our Policy Brief emphasizes, vague definitions can foster the over-removal of content, self-censorship, and a degradation of trust among users. This risk is even higher for intermediaries who are only exempt from liability for their user-generated content if they agree to help monitor the content of communication in various ways specified by the Indonesian Government (Articles 11, 16(11) and 16(12)). Failure to comply can result in an “administrative sanction.”
Finally, not only will companies be responsible for responding to and complying with government requests, they must also “ensure” that their services do not contain or facilitate the distribution of prohibited content (Article 9(3)). In order to fulfill this obligation, ESOs will likely have to actively and invasively monitor user activity and increase their reliance on upload filters. These filters can be helpful but are not a panacea, as they can mis-detect and lead to the removal of lawful content. They can also be cost prohibitive and impractical for smaller ESOs. A greater reliance on automated tools will further obscure the removal process from policymakers and users, and companies will likely err on the side of removing even legal content to avoid liability. As international human rights law counsels, and our Policy Brief outlines, governments should adopt approaches by the “least restrictive means” that are “proportionate to” the interests being protected. These criteria do not appear to be met by the current regulation.
IV. Unreasonable Timelines
The Ministry has granted itself the authority to require any business entity that operates ESOs to restrict or remove any content deemed to be in violation of Indonesia’s laws within 24 hours. ESOs are also expected to respond within four hours to “urgent requests,” including to content related to terrorism, child exploitation, and any content causing “unsettling situations for the public and disturbing public order.” If an ESO does not respond within that time frame, a newly designated official, who will go by the title “Minister for the request of Access Termination,” can order an ISP to block access to the service “after considering the reasons provided by the private ESO” (Article 15(7)). Notwithstanding the unrealistic timeline and severe penalties for noncompliance, the MR5 regulation does not provide any mechanism for ESOs or impacted users to challenge or appeal such orders.
As we noted in our Policy Brief, short and inflexible timelines do not allow service providers to adequately review government demands. By requiring service providers to prioritize particular categories of content, regardless of the actual urgency or risk presented in each order, they can unnecessarily limit providers’ ability to mitigate harm on their services.
Moreover, the “emergency” situations set out in the MR5 regulation are very broad. “Public unrest” and “disturbance of public order” can have multiple interpretations, and ‘terrorism’ is defined quite broadly by the 2018 Eradication of Criminal Acts of Terrorism Law (“CT Law”). Overly broad definitions of restricted speech combined with inflexible deadlines are usually a recipe for overbroad content removal and other unintended consequences. Instead, as we have explained, “lawmakers and regulators would be best served identifying and targeting those services, scenarios, and types of content that pose the greatest risk to users.”
V. Government Demands + Access to Data
The MR5 regulation requires ESOs to grant access to their “systems” and/or any “data” for “supervision” purposes whenever the authorities request it (Part Two). Companies must also allow access to data for the purpose of law enforcement and criminal investigations for offences that carry a penalty of at least two years in prison (Part Three). While the regulation requires law enforcement to obtain a court order in the course of their investigation into offenses that carry sentences between two and five years, this safeguard is omitted for more serious cases (those involving crimes with sentences over five years). The regulation does not specify the necessity or reasoning behind this counterintuitive distinction. While we have a number of concerns with the provisions in Parts Two and Three of the regulations, we note positively the requirements for ESOs to maintain detailed audit trails around government access to Electronic Systems and suggest making it clear that information about such access can be reported publicly by ESOs.
Under the MR5 regulation, these provisions on access also apply to ESOs who store their “data” and “systems” outside of Indonesia, as long as they relate to Indonesian residents and business entities in Indonesia (Article 34). This provision is likely to create conflicts with laws in other countries that prohibit intermediaries from providing information stored in their jurisdiction to other governments outside of a mutual legal assistance process. To the extent these provisions are enforced to require access to such Electronic Systems abroad, they are also likely to raise significant sovereignty concerns.
In the case of criminal investigations, the government is not only allowed to request access to “Traffic Data” and “Electronic Systems User Information,” but also “Specific Personal Data” and “Communications Content” (Article 36). This may include financial data, biometric data, health data, and any data on a user’s political views and sexual orientation. While we appreciate the provisions specifying the requirements the government must fulfill in connection with such orders, we note with concern that the MR5 regulation appears to only require prior judicial approval for orders related to content. It is unclear if orders for other forms of data or information would require judicial approval separately under Article 33, and even if they do that would appear to only apply if the crimes at issue carry a sentence between two and five years.
Unfortunately, there are no provisions in the MR5 regulation allowing intermediaries to provide individuals with notice when their information is demanded, or for those individuals to have access to remedy if their information is improperly accessed or used. Moreover, the ESO is only given five calendar days to respond to an official request, which may often be an inadequate amount of time for an ESO to appropriately assess the lawfulness of a request. Taken together, this level of access to personally identifiable information without proper oversight or remedy may be inconsistent with the right to privacy, as it is understood in international law, including under Article 17 of the ICCPR.
Finally, Article 39 of the regulation indicates that ESOs must provide “access to electronic systems” for law enforcement purposes, upon request. GNI has raised concerns about “direct access” arrangements that give government authorities unfettered access to user data, in the process removing the ability of intermediaries to review, scrutinize, and provide transparency around such access. Given the potential for such access to result in abuse, we are somewhat reassured that the regulation appears to indicate that such access can instead be satisfied by providing audit results. However, the wording of Article 39(4) still seems to contemplate the possibility of more invasive and direct access and so we call on the government to provide further clarification.
We are pleased to see the detailed list of information that must be provided in connection with any access order per Article 39(2), including among other things its basis in law, the crimes that are being investigated, and “a letter of determination” from the head of a district court. We also applaud the provisions in Article 40 requiring that such access be limited. We nevertheless encourage the government to also specify in clear language strict time limits for such access. In addition, while we appreciate the need to respect data protection principles, we note that making such requests “confidential” could end up limiting transparency, including the ability for users to be notified when their data is accessed, effectively limiting their rights to due process and remedy. We are also concerned by the vague language in Article 39(3) authorizing law enforcement to “request technical assistance or other assistance . . . in the use of access to Electronic Systems.”
Under the MR5 regulation, companies that do not provide access to the required data and/or systems could face a range of penalties, including a written warning, temporary suspension of the service, termination of access, or the revocation of their registration. With the exception of the first option, all of the enforcement actions contemplated here are extremely significant and would likely be disproportionate in response to many instances of alleged non-compliance. Furthermore, Articles 45 and 46 do not specify at what time or phase in their response to a request that a company would face any one of these particular consequences, whether these sanctions should apply in an escalating manner, or under what circumstances each form of sanction should apply. This lack of clarity creates unpredictability and invites the possibility of arbitrary or discriminatory enforcement.
Compounding these concerns, MR5 allows the Minister to adjudicate enforcement unilaterally and provides no right for ESOs or Cloud Computing Operators to contest, or even be informed of their alleged infractions prior to enforcement. Nor is there provision for any mechanism to appeal an enforcement determination.
Similar penalties will also be imposed on companies for not complying with content takedown requests, and for failing to register their company in Indonesia. The threat of heavy penalties for poor compliance without transparency, accountability, or remedy is a significant shortfall of the regulation.
Given the substantial uncertainty and confusion created by the MR5 regulation, GNI calls on the Indonesian Government to suspend its implementation and engage in an open dialogue with ESOs, civil society, and other stakeholders about the Government’s intended objectives and how those can best be achieved consistent with Indonesia’s international commitments and domestic legal architecture.