26 Mar 2020 Asia Cloud Computing Association’s (ACCA) Response to the Draft Indonesian Ministerial Regulation for Private Scope for Government Regulation 71/2019 (GR 71 summary https://siplawfirm.id/key-points-of-government-regulation-no-71-of-2019-on-organization-of-electronic-systems-and-transactions/)
Asia Cloud Computing Association’s (ACCA) Response to the Draft Indonesian Ministerial Regulation for Private Scope for Government Regulation 71/2019
Asia Cloud Computing Association | Response to Draft MR for Private Scope on GR 71/2019 | March 2020 | Page 1 of 5
Ministry of Communication and Information Technology
Jl. Medan Merdeka Barat no. 9
Submitted via email to email@example.com
26 March 2020
Re: Asia Cloud Computing Association’s (ACCA) Response to the Draft Indonesian Ministerial
Regulation for Private Scope for Government Regulation 71/2019
The Asia Cloud Computing Association (ACCA) would first like to acknowledge the difficult
circumstances facing Indonesia in light of the COVID-19 outbreak. We stand ready to support the
government in its response and extend any assistance where needed.
We thank the Ministry of Communication and Information Technology (KOMINFO) for the
opportunity to submit feedback on the draft Ministerial Regulation for private scope electronic
service providers (ESPs) for Government Regulation (GR) 71/2019 on the operation of electronic
transactions and systems (the “draft MR”). We commend KOMINFO for soliciting public feedback on
the draft MR to clarify the environment for those in the electronic information ecosystem, which has
become increasingly important during this time.
As the apex industry association for Asia Pacific stakeholders in the cloud computing ecosystem, the
ACCA represents a vendor-neutral voice of the private sector to government and other stakeholders.
Representing cloud computing companies including AWS, Digital Realty, Equinix, Google Cloud,
HSBC, Microsoft, and Salesforce, our mission is to accelerate the adoption of cloud computing
throughout Asia Pacific by helping to create a trusted and compelling market environment, and a
safe and consistent regulatory environment for cloud computing products and services. We are
committed to strengthening digital resilience, and developing a robust technology ecosystem which
supports a vibrant digital economy.
Following discussions with our member companies, we are submitting the following comments on
the draft MR. We would also like to offer to co-host a virtual roundtable with KOMINFO to discuss
the draft MR. We will send a separate program proposal following this email.
I look forward to hearing from you, and welcome your response on the issues raised.
Asia Cloud Computing Association
Asia Cloud Computing Association | Response to Draft MR for Private Scope on GR 71/2019 | March 2020 | Page 2 of 5
Asia Cloud Computing Association’s (ACCA)
Response to the Draft Ministerial Regulation for Private Scope ESPs for GR 71/2019
Comment 1: General comment on the draft MR regarding Cloud Service Providers
We appreciate KOMINFO’s efforts to create a stronger framework for ESPs operating in Indonesia.
However, in its current form, the draft MR does not take into consideration the burden that the
regulations will impose on business, nor the fundamental differences of Cloud Service Providers
(CSPs) compared to other ESPs.
CSPs provide very different services (e.g. file storage, communication tools, or high-performance
computing services) compared to other ESPs (e.g. social networks or video-sharing platforms, and
other types of User-Generated Content (UGC) services) and therefore provide users with
fundamentally different expectations and applications. We recommend the Indonesia government
to differentiate the requirements for CSPs (e.g. registration, content liability, access to user data) for
the regulations to be implementable.
CSPs work in tandem with their customers to assure data security, privacy, and reliability in a
“shared responsibility model” delineating responsibilities of the customer and the CSP, as the
customer’s applications are built on top of the CSP’s infrastructure. In the shared model, customers
maintain governance over the entire IT control environment. Through this approach, the customer
retains control and ownership over the content when using a CSP’s services and is also responsible
for determining the levels of security they wish to adopt for data processing. When a customer
retains control of security processes to protect their own content, applications, systems and
networks, the level of oversight and control that they exercise is no different from applications run
by an entity in an on-site data centre.
As a result, the customer is defined as the data controller which “determines the purposes and
means of the processing of personal data”, while the CSP would fall into the category of a data
processor, “which processes personal data on behalf of the controller”, per definitions from the EU
General Data Protection Regulation (GDPR).1 The CSP does not have access to customer data and
does not have visibility over the content of customer data, meaning that several of the provisions
stipulated in the draft MR should not be applicable to CSPs, as described in further detail below.
Recommendation 1: Alignment with international best practices
We also strongly urge KOMINFO and the Indonesian government to refer to best practices from the
EU GDPR and the APEC Privacy Framework to help promote safe and secure cross-border data
transfers which will allow Indonesian businesses to tap into regional and global markets and ride the
wave of digital innovation.
Recommendation 2: Article 1 - Definitions
1.1. Clarification that CSPs are not equivalent to private scope ESPs: Given the shared responsibility
model as described above, we believe that the draft MR should clarify in Article 1 that references to
private scope ESPs do not apply to CSPs except where the regulation explicitly refers to “Private
Scope ESP that operates cloud computing services”.
Asia Cloud Computing Association | Response to Draft MR for Private Scope on GR 71/2019 | March 2020 | Page 3 of 5
1.2. Avoiding repetition of previously defined terms: We also suggest that terms that have been
defined in GR 71/2019 not be re-defined again in the draft MR to avoid discrepancy and uncertainty
in understanding the respective definition. The draft MR should only contain definitions that have
not been defined in GR 71/2019 or where the definitions are deliberately changed from GR 71/2019.
Recommendation 3: Article 3 - Applicability to CSPs
In line with our suggestion in Comment 1, we also recommend that Article 3(1) be amended to
remove subsection 6, which stipulates processing of personal data as a category for private scope
ESP registration, given that CSPs are not generally data controllers and instead act as agents of the
data controller (i.e. the customer) in processing data.
Recommendation 4: Articles 1 and 5 - Extraterritoriality
As it is not practicable or enforceable for Indonesia to exercise extraterritorial effect of Indonesian
laws on foreign/offshore ESPs, Article 1 should be amended to refer specifically to persons or
entities residing in or incorporated in Indonesia and Article 5 should be removed altogether. This
would be in line with global laws on privacy or electronic transactions where regulations are only
applicable to entities formed or recognized under the laws of that jurisdiction.
Comment 2: Article 6 - Data localization
The requirement in Article 6 to seek Minister approval to manage, store, and process data outside of
Indonesia is contrary to the language of Article 21 of GR 71/2019, which states that a private scope
ESP may manage, process, and/or store electronic system and electronic data both in the territory of
Indonesia or outside of Indonesia, without imposing a requirement for ministerial approval.
In its current form, Article 6 would be burdensome to businesses and may restrict Indonesian
businesses from taking advantage of innovative, cost-saving cloud services which are supporting
business continuity and resilience, as seen in the current COVID-19 situation. Data localization
requirements would negatively impact Indonesians’ capability to work remotely and develop the
digital economy, thereby affecting the country’s ability to partake in the global digital economy. In
addition, the requirement is burdensome to KOMINFO to approve every single request.
Recommendation 5: Removal of Article 6
We recommend that the draft MR be aligned with Article 21 of GR 71/2019 and that Article 6 should
be removed. Rather than imposing requirements on cross-border data transfer, the movement of
data across borders should be facilitated through aligning Indonesia’s regulations with those from
recognized international frameworks such as the EU GDPR and APEC Privacy Framework.
Recommendation 6: Article 7 - Change notifications
The notification requirements stipulated in Article 7 for any changes to the registration form of a
private scope ESP and any information referred to in Articles 4 and 6 are onerous for business and
add to compliance costs. The requirements would also impact Indonesian companies, including small
and medium enterprises, from growing regionally and/or globally because they need to access
service platforms that rely on cross-border data flows to conduct business effectively. We therefore
recommend that Article 7 be removed.
Asia Cloud Computing Association | Response to Draft MR for Private Scope on GR 71/2019 | March 2020 | Page 4 of 5
Recommendation 7: Articles 13-17 - Content regulation
7.1. Content regulations for private scope ESPs should not apply to CSPs: The regulations proposed
in Articles 13-16 should not apply to CSPs because CSPs do not control, manage, or have oversight
over the data of their customers. By design, the confidentiality, privacy and control of customer
records is solely within the domain of the customer, and the CSP is unable to access or see customer
data and content.
7.2. CSP-specific content regulations should be directed to customers, not CSPs: On Articles 17-18
which refer specifically to CSPs, we reiterate that CSPs are not privy to the specific information
stored in the cloud. CSPs are therefore not able to prevent the loading or dissemination of
prohibited electronic information/document, and cannot reasonably be expected to monitor data
processed using their services. Any responsibilities on content should rest with the customer, and
requests to remove unlawful content should be directed to the customer.
Recommendation 8: Articles 21-24 - Termination of access
The penalties provided in Articles 21-24 to terminate access to an ESP by an internet service provider
should not be applicable to CSPs as CSPs do not have oversight of a customer’s data. We also believe
that terminating access to a CSP would be a disproportionate measure as it could result in
termination of access to the CSP’s services for all customers in Indonesia.
Recommendation 9: Articles 29-30 - Data access rights
9.1. Data access requirements should not be directed to CSPs: Because CSPs do not have visibility
over their customers’ data, they should not be required to access data processed using their
services, as stated in Articles 29-30.
The responsibility to respond to law enforcement requests relating to CSPs’ customers lies with
those customers, and not with the CSPs. Experience in other jurisdictions also shows that enterprise
customers of CSPs are, in almost all cases, very responsive to requests from law enforcement for
data, meaning that data can be provided without compromising law enforcement investigations.
Requests for access should therefore be directed to the customer rather than the CSP.
9.2. Obtaining legal documentation and following established legal procedure: In line with this, we
also recommend that the Indonesian government and law enforcement obtain legal documentation
by following due procedures under applicable laws for requesting customer data from CSPs, if it
becomes necessary to obtain information directly from the CSP. Having the proper documentation
and complying with the proper legal procedures will allow CSPs to appropriately address and
facilitate these information requests through available legal channels.
Recommendation 10: Article 30 - Compliance time frames
As contemplated in Article 30, the timeline of 1x24 hours to provide systems and data access to
government authorities is unrealistic and creates a business burden for private scope ESPs. We
recommend that a private scope ESP be given reasonable notice with a court order or the
customer’s explicit consent.
Asia Cloud Computing Association | Response to Draft MR for Private Scope on GR 71/2019 | March 2020 | Page 5 of 5
Recommendation 11: Article 34 - Transition period
Article 34 states that the draft MR would come into force on the date of promulgation. As business
would require lead time to make necessary business and operational adjustments, we suggest that
KOMINFO allow a grace period of 12 months for industry to respond to the changes in the draft MR.