
Asia Cloud Computing Association’s (ACCA) Response to the Draft Indonesian Ministerial Regulation for Private Scope for Government Regulation 71/2019

Published on 26 Mar 2020

GR 71 summary: https://siplawfirm.id/key-points-of-government-regulation-no-71-of-2019-on-organization-of-electronic-systems-and-transactions/


Asia Cloud Computing Association | Response to Draft MR for Private Scope on GR 71/2019 | March 2020

Ministry of Communication and Information Technology
KOMINFO
Jl. Medan Merdeka Barat no. 9
Jakarta 10110
Indonesia

Submitted via email to takel.aptika@kominfo.go.id

26 March 2020

Dear Sir/Madam,

Re: Asia Cloud Computing Association’s (ACCA) Response to the Draft Indonesian Ministerial Regulation for Private Scope for Government Regulation 71/2019

The Asia Cloud Computing Association (ACCA) would first like to acknowledge the difficult circumstances facing Indonesia in light of the COVID-19 outbreak. We stand ready to support the government in its response and extend any assistance where needed.

We thank the Ministry of Communication and Information Technology (KOMINFO) for the opportunity to submit feedback on the draft Ministerial Regulation for private scope electronic service providers (ESPs) for Government Regulation (GR) 71/2019 on the operation of electronic transactions and systems (the “draft MR”). We commend KOMINFO for soliciting public feedback on the draft MR to clarify the environment for those in the electronic information ecosystem, which has become increasingly important during this time.

As the apex industry association for Asia Pacific stakeholders in the cloud computing ecosystem, the ACCA represents a vendor-neutral voice of the private sector to government and other stakeholders. Representing cloud computing companies including AWS, Digital Realty, Equinix, Google Cloud, HSBC, Microsoft, and Salesforce, our mission is to accelerate the adoption of cloud computing throughout Asia Pacific by helping to create a trusted and compelling market environment, and a safe and consistent regulatory environment for cloud computing products and services. We are committed to strengthening digital resilience, and developing a robust technology ecosystem which supports a vibrant digital economy.

Following discussions with our member companies, we are submitting the following comments on the draft MR. We would also like to offer to co-host a virtual roundtable with KOMINFO to discuss the draft MR. We will send a separate program proposal following this email.

I look forward to hearing from you, and welcome your response on the issues raised.

Yours sincerely,

Lim May-Ann
Executive Director
Asia Cloud Computing Association
mayann@asiacloudcomputing.org
Asia Cloud Computing Association’s (ACCA) Response to the Draft Ministerial Regulation for Private Scope ESPs for GR 71/2019

Comment 1: General comment on the draft MR regarding Cloud Service Providers

We appreciate KOMINFO’s efforts to create a stronger framework for ESPs operating in Indonesia. However, in its current form, the draft MR does not take into consideration the burden that the regulations will impose on business, nor the fundamental differences of Cloud Service Providers (CSPs) compared to other ESPs.

CSPs provide very different services (e.g. file storage, communication tools, or high-performance computing services) compared to other ESPs (e.g. social networks or video-sharing platforms, and other types of User-Generated Content (UGC) services) and therefore provide users with fundamentally different expectations and applications. We recommend that the Indonesian government differentiate the requirements for CSPs (e.g. registration, content liability, access to user data) for the regulations to be implementable.

CSPs work in tandem with their customers to assure data security, privacy, and reliability in a “shared responsibility model” delineating responsibilities of the customer and the CSP, as the customer’s applications are built on top of the CSP’s infrastructure. In the shared model, customers maintain governance over the entire IT control environment. Through this approach, the customer retains control and ownership over the content when using a CSP’s services and is also responsible for determining the levels of security they wish to adopt for data processing. When a customer retains control of security processes to protect their own content, applications, systems and networks, the level of oversight and control that they exercise is no different from applications run by an entity in an on-site data centre.

As a result, the customer is defined as the data controller which “determines the purposes and means of the processing of personal data”, while the CSP would fall into the category of a data processor, “which processes personal data on behalf of the controller”, per definitions from the EU General Data Protection Regulation (GDPR).[1] The CSP does not have access to customer data and does not have visibility over the content of customer data, meaning that several of the provisions stipulated in the draft MR should not be applicable to CSPs, as described in further detail below.

Recommendation 1: Alignment with international best practices

We also strongly urge KOMINFO and the Indonesian government to refer to best practices from the EU GDPR and the APEC Privacy Framework to help promote safe and secure cross-border data transfers which will allow Indonesian businesses to tap into regional and global markets and ride the wave of digital innovation.

Recommendation 2: Article 1 - Definitions

1.1. Clarification that CSPs are not equivalent to private scope ESPs: Given the shared responsibility model as described above, we believe that the draft MR should clarify in Article 1 that references to private scope ESPs do not apply to CSPs except where the regulation explicitly refers to “Private Scope ESP that operates cloud computing services”.

[1] https://gdpr-info.eu/art-4-gdpr/
1.2. Avoiding repetition of previously defined terms: We also suggest that terms that have been defined in GR 71/2019 not be re-defined again in the draft MR to avoid discrepancy and uncertainty in understanding the respective definition. The draft MR should only contain definitions that have not been defined in GR 71/2019 or where the definitions are deliberately changed from GR 71/2019.

Recommendation 3: Article 3 - Applicability to CSPs

In line with our suggestion in Comment 1, we also recommend that Article 3(1) be amended to remove subsection 6, which stipulates processing of personal data as a category for private scope ESP registration, given that CSPs are not generally data controllers and instead act as agents of the data controller (i.e. the customer) in processing data.

Recommendation 4: Articles 1 and 5 - Extraterritoriality

As it is not practicable or enforceable for Indonesia to exercise extraterritorial effect of Indonesian laws on foreign/offshore ESPs, Article 1 should be amended to refer specifically to persons or entities residing in or incorporated in Indonesia and Article 5 should be removed altogether. This would be in line with global laws on privacy or electronic transactions where regulations are only applicable to entities formed or recognized under the laws of that jurisdiction.

Comment 2: Article 6 - Data localization

The requirement in Article 6 to seek Minister approval to manage, store, and process data outside of Indonesia is contrary to the language of Article 21 of GR 71/2019, which states that a private scope ESP may manage, process, and/or store electronic system and electronic data both in the territory of Indonesia or outside of Indonesia, without imposing a requirement for ministerial approval.

In its current form, Article 6 would be burdensome to businesses and may restrict Indonesian businesses from taking advantage of innovative, cost-saving cloud services which are supporting business continuity and resilience, as seen in the current COVID-19 situation. Data localization requirements would negatively impact Indonesians’ capability to work remotely and develop the digital economy, thereby affecting the country’s ability to partake in the global digital economy. In addition, the requirement is burdensome to KOMINFO to approve every single request.

Recommendation 5: Removal of Article 6

We recommend that the draft MR be aligned with Article 21 of GR 71/2019 and that Article 6 should be removed. Rather than imposing requirements on cross-border data transfer, the movement of data across borders should be facilitated through aligning Indonesia’s regulations with those from recognized international frameworks such as the EU GDPR and APEC Privacy Framework.

Recommendation 6: Article 7 - Change notifications

The notification requirements stipulated in Article 7 for any changes to the registration form of a private scope ESP and any information referred to in Articles 4 and 6 are onerous for business and add to compliance costs. The requirements would also impact Indonesian companies, including small and medium enterprises, from growing regionally and/or globally because they need to access service platforms that rely on cross-border data flows to conduct business effectively. We therefore recommend that Article 7 be removed.
Recommendation 7: Articles 13-17 - Content regulation

7.1. Content regulations for private scope ESPs should not apply to CSPs: The regulations proposed in Articles 13-16 should not apply to CSPs because CSPs do not control, manage, or have oversight over the data of their customers. By design, the confidentiality, privacy and control of customer records is solely within the domain of the customer, and the CSP is unable to access or see customer data and content.

7.2. CSP-specific content regulations should be directed to customers, not CSPs: On Articles 17-18 which refer specifically to CSPs, we reiterate that CSPs are not privy to the specific information stored in the cloud. CSPs are therefore not able to prevent the loading or dissemination of prohibited electronic information/document, and cannot reasonably be expected to monitor data processed using their services. Any responsibilities on content should rest with the customer, and requests to remove unlawful content should be directed to the customer.

Recommendation 8: Articles 21-24 - Termination of access

The penalties provided in Articles 21-24 to terminate access to an ESP by an internet service provider should not be applicable to CSPs as CSPs do not have oversight of a customer’s data. We also believe that terminating access to a CSP would be a disproportionate measure as it could result in termination of access to the CSP’s services for all customers in Indonesia.

Recommendation 9: Articles 29-30 - Data access rights

9.1. Data access requirements should not be directed to CSPs: Because CSPs do not have visibility over their customers’ data, they should not be required to access data processed using their services, as stated in Articles 29-30. The responsibility to respond to law enforcement requests relating to CSPs’ customers lies with those customers, and not with the CSPs.

Experience in other jurisdictions also shows that enterprise customers of CSPs are, in almost all cases, very responsive to requests from law enforcement for data, meaning that data can be provided without compromising law enforcement investigations. Requests for access should therefore be directed to the customer rather than the CSP.

9.2. Obtaining legal documentation and following established legal procedure: In line with this, we also recommend that the Indonesian government and law enforcement obtain legal documentation by following due procedures under applicable laws for requesting customer data from CSPs, if it becomes necessary to obtain information directly from the CSP. Having the proper documentation and complying with the proper legal procedures will allow CSPs to appropriately address and facilitate these information requests through available legal channels.

Recommendation 10: Article 30 - Compliance time frames

As contemplated in Article 30, the timeline of 1x24 hours to provide systems and data access to government authorities is unrealistic and creates a business burden for private scope ESPs. We recommend that a private scope ESP be given reasonable notice with a court order or the customer’s explicit consent.
Recommendation 11: Article 34 - Transition period

Article 34 states that the draft MR would come into force on the date of promulgation. As business would require lead time to make necessary business and operational adjustments, we suggest that KOMINFO allow a grace period of 12 months for industry to respond to the changes in the draft MR.
