First published in East Asia Forum (12/11/2022)
Indonesian lawmakers have been alarmed by the freedom of data flows and opinions in the quickly emerging digital sphere. They issued a law on electronic information and transactions in 2008. Its 2016 revision, criminalising online immorality, defamation and hate speech, was widely seen as undermining free speech.
The digital boom also goes against Jakarta’s preference for key economic resources to be under the control of state-owned enterprises. While private companies dominated the digital revolution, the Indonesian government embraced domestic champions but curbed the freedom of online platforms.
Jakarta’s power over the private sector is evident in policy discussions concerning the expansion of digital infrastructure, the planned cybersecurity law and digital taxation. But policy decisions affecting the freedom to engage in a borderless internet will have the biggest impact on Indonesian democracy.
Indonesian authorities can either regulate the internet by setting rules and standards, which incentivise or sanction online practices, or they can autocratically control online behaviour. Those two approaches competed in campaigns by the US and Russian candidates for Secretary-General of the International Telecommunications Union, an agency of the United Nations responsible for governing information and communication technologies.
Russia and China advocate for so-called ‘internet sovereignty’, requiring individuals to sign up for internet access and allowing governments to shut down parts of the internet. Western countries want privacy standards and aim to consult non-government organisations on internet regulations.
The Indonesian government has taken an ambiguous approach by observing the standards of the European Union General Data Protection Regulation (EU GDPR) while tightening controls on content and access to data. Jakarta has a history of shutting down the internet on the grounds of preventing misinformation and unrest. The 2019 internet shutdown in West Papua ended with the judiciary ruling the government’s action as unlawful.
Certain types of content have been declared illegal in Indonesia. The Ministry of Communication and Informatics (MOCI) Regulation No. 5/2020 requires private electronic systems organisers to take illegal content down within 24 hours or within four hours for child pornography, terrorist activities or content considered to ‘agitate society and disturb public order’.
The short timeframe creates a dilemma for private electronic systems organisers. If they comply quickly and without proper evaluation, they stand accused of violating individual rights. If they do not comply immediately, they face government sanctions.
The Personal Data Protection Law passed by the Indonesian parliament in September 2022 prohibits the unlawful collection and use of data. That aligns with the standards of the EU GDPR, but private data controllers that have allegedly violated the law have only three days to erase data. The EU GDPR grants controllers one to three months. Decisions will be adjudicated by the yet-to-be-established Personal Data Protection Agency — but there will be no time for investigations, due process or appeals.
The MOCI’s plans to cement its central role in Indonesia’s digital governance system by becoming the supervisor of the Personal Data Protection Agency were thwarted by Indonesia’s parliament and civil society. Centralising the authority to control the internet comes with significant risks to democratic rights and freedom of expression.
The Russian government agency Roskamnadzor oversaw radio signals, telecoms and postal delivery when it was founded in 2008. It has since become part of an authoritarian regime, which has banned more than 1.2 million websites and blocked and fined large internet platforms.
The MOCI already has significant authority. All private electronic systems organisers register with the MOCI prior to commencing operations and must provide a statement guaranteeing government and law enforcement access to their electronic systems and data. When PayPal, Yahoo and several online gaming sites failed to comply, the MOCI instructed internet service providers to block their internet access, ignoring softer penalties such as a warning letter or fine. The platforms complied immediately despite the lack of proper, transparent review and independent appeal mechanisms.
Indonesian policymakers generally view the government’s ability to access private data as part of the country’s internet and data sovereignty. Jakarta does not force private companies to maintain onshore data centres, but the Indonesian Minister for Communication and Informatics stated in June 2022 that ‘data is related to the sovereignty of a country, [and] it is geostrategic in nature’.
Offshore data transfers are expected to become further complicated to facilitate government access to data that originates in Indonesia. Without sufficient time and due process, this will expand government power at the expense of individual data privacy and freedom.
After 25 years of democratic reforms, experts generally think Indonesian democracy is in decline. With executive and parliamentary elections in 2024, negative campaigns and hoaxes could trigger more restrictive internet policies. The incoming administration will then decide whether to continue controlling online content and data or to follow a more indirect and regulatory approach.