Indonesian Cyber Law in Brief:
Cybercrime and Cybersecurity Policy

In an era of rapid development and advancement of technology and communication, the government of Indonesia has made significant efforts to protect against the threat of cybercrime, such as enacting laws, regulations, and policies. Cyber law in Indonesia serves a variety of purposes and accounts for all of the ways in which people use technology to interact and communicate. In general, the Indonesian Criminal Code and the Electronic Information and Transactions Law encompass the major pieces of legislation regarding cyber law.

With regard to the particular scope of cyber law in Indonesia, it can be categorized into specific areas of law, such as public and private. Public law covers a wide range of consumer protection, data protection, and cybercrime. Meanwhile, private law includes intellectual property, e-commerce, electronic contracts, and cybersquatting (domain name related case), among others.

Customer Protection
• Consumer Rights
Indonesian consumer protection law balances protection between consumers and business actors. This law (in addition to others) protect consumers’ rights to obtain correct, clear, and honest information, as well as to receive compensation, redress, and/or substitution if the goods and/or services are not in accordance with the agreement or are not received as requested.¹ Likewise, business actors must comply with the law’s provisions, such as providing correct, clear, and honest information and compensating consumers if the goods and/or services received or used do not accord with the agreement.² Business actors who violate provisions under the current consumer protection law face criminal penalty; additional penalties may include the revocation of their business permit.³
• Electronic Contract
Despite the absence of a comprehensive cyber law in the current customer protection law, there are some specific rules related to electronic contracts. By definition, an electronic contract is an agreement made through an electronic system.⁴ Pursuant to the regulation, an online transaction is recognized as an electronic transaction through an express agreement identifying it as such. The acceptance action is usually preceded by an electronic contract, which states the terms and conditions of the online transaction.⁵ The electronic contract must contain the following information: (i) the identities of the parties, (ii) the object and specification, (iii) the terms and conditions , (iv) the price and cost, (v) a procedure in the event of cancelation by the parties, (vi) provisions detailing the rights of the aggrieved party to return goods and/or request product substitution if there are hidden defects; and (vii) the choice of law in an electronic transaction dispute settlement.⁶
• Financial Services Sector
Financial services providers are entitled to ensure that consumers have good faith and receive relevant information and/or documents that are accurate, honest, clear, and not misleading.⁷ In this regard, financial services providers are commercial banks, rural banks, securities companies, investment advisors, custodian banks, pension funds, insurance companies, reinsurance companies, multi-finance institutions, pawn companies, and guarantee companies which conduct their business operations under either a conventional agreement or a sharia agreement.⁸ Financial services providers are prohibited from disclosing customer data and/or information to third parties, except with the customer’s written consent.⁹ In the event of a dispute between a financial service provider and a consumer, the consumer can file a complaint to the financial service authority.¹⁰

Data Protection and Privacy
In terms of the protection of personal data, Indonesia currently lacks a comprehensive data protection law¹¹, but there are several sectoral laws governing data privacy:
• Employment
There is no defined rule regarding employee data privacy; however, in practice, employment agreements, company regulations, and collective labor agreements regulate data privacy and the confidentiality of employees. This regulation is required under the Freedom of Contract principle of the Indonesian Civil Code.
• Human Rights
Under Indonesian Human Rights Law, each individual has the right to privacy. Specifically, the law stipulates that no one’s correspondence – including electronic communication – shall be subjected to arbitrary interference, except upon the instruction of a judge or other lawful authority.¹²
• Medical Record
According to the current applicable Health Law, every person has the right to obtain information on his/her medical records, including actions, treatments, and data that is received by health workers.¹³ Furthermore, every person is entitled to the confidentiality of personal health information that is provided to or collected by health care providers.¹⁴
• Personal Data Protection – Rights to be Forgotten
Electronic Information and Transactions Law includes the right to be forgotten, whereby a person has the right to request the deletion of irrelevant electronic information or documents to electronic system provider.¹⁵ Every owner and an electronic system provider can submit complaints to the Minister of Communications and Information if there is a failure to protect the confidentiality of personal data.¹⁶

Domain Name
Any state administrator, person, business entity, and the public is entitled to hold a domain name on the basis of the First Applicant Principle. This principle is distinguished from another principle that may apply under Intellectual Property Rights, which does not require a substantive examination if it is in the registration for a trademark or patent.¹⁷ Holding and using a domain name requires a basis of good faith, which involves upholding fair business competition and respecting the rights of other persons.¹⁸ Unauthorized use of domain names (for instance, cybersquatting) can lead to their cancellation.¹⁹

Defamation
Defamation is regulated under Article 310 of the Criminal Code of Indonesia and the Electronic Information and Transactions Law. Defamation carried out in internet is punishable by up to six years of imprisonment and a fine of up to IDR 1 billion.²⁰

Funds Transfers
A Funds Transfer is defined as a series of actions commencing with an order to issue a funds transfer from one party to a beneficiary with receipt.²¹ A funds transfer order issued by the originating provider may take the form of electronic data.²² In this case, electronic information, electronic documents, and printouts constitute valid legal evidence.²³ Any person who causes unlawful damage to a fund transfer system will be sentenced to imprisonment for 20 years and fined up to IDR 20 billion.²⁴

Fraud
Identity fraud is the unlawful misrepresentation of another’s identity through the manipulation of his/her personal data. This criminal act is punishable by a maximum imprisonment of 12 years and/or a maximum fine of IDR 12 billion.²⁵

Hacking
Any unlawful transfer of electronic information and/or electronic records (such as breaching, hacking, trespassing, or breaking through a security system) is punishable by a maximum imprisonment of eight years and/or a maximum fine of IDR 800 million.²⁶

Intellectual Property Laws (IP Laws)
Indonesia has IP Laws related to cyber law including regulations on copyright, marks, patents, and trade secret. As an important part of cyber law, IP Laws include the areas of literature, innovation, creativity, and business. IP rights related to cyber law can be categorized into the following specific sectoral laws:
• Copyright
The Indonesian Government passed Copyright Law No. 28 of 2014 on September 16, 2014, which replaced the previous Copyright Law No. 19 of 2002. There are special provisions governing copyrighted content and related rights in information and communication technology. Production and/or storage based on information technology and/or high technology include optical discs, servers, cloud computing, secret codes, passwords, barcodes, serial numbers, technology descriptions, and encryption.²⁷ To prevent copyright infringement and protect rights related to information technology-based facilities, this new law authorizes the Government to oversee the creation and dissemination of content, to cooperate and coordinate with various parties (both at home and abroad), and to supervise any media-based recording.²⁸
• Marks
Law No. 20 of 2016 on Marks and Geographical Indications was enacted on November 25, 2016. The Marks Law comprises Trademarks and Service Marks.²⁹ Furthermore, the new Mark Law increases criminal sanctions for trade mark infringements and imposes greater punishments for counterfeits.
• Patents
The Patents Law No. 13 of 2016 defines a “patent” as the exclusive rights granted by the State to an inventor which protect an invention in the field of technology for a certain period of time. This period of time allows the inventor to execute or consent to use by third parties.³⁰ There are two types of protection for technical inventions under Indonesian patent law, namely patents and simple patents (or utility models).³¹ To have exclusive rights of an invention, the inventor must register with the Directorate General of Intellectual Property.³² Criminal actions must be filed with relevant authorities.³³
• Trade Secret
Trade Secret Law No. 30 of 2000 was enacted on December 20, 2000. A trade secret is defined as information in the field of technology and/or business that is not known by the public and has economic value. A trade secret is useful in business activities, and its confidentiality is maintained by its owner.³⁴ One can infringe on a trade secret by deliberately disclosing it or breaching a contract (written or unwritten), or by acting in a manner that is contrary to the prevailing laws and regulations in Indonesia.³⁵

In 2017, the Indonesian Government established the National Cyber and Crypto Agency, a body that marshals an integrated cyber defense.³⁶ One of the agency’s tasks is to monitor all online activity for indications of an attack, such as hacking. The agency’s long-term mission is to build and implement comprehensive cyber security and password management.

Indonesia’s legal framework on cybercrime and cybersecurity is encompasses various regulations, depending on specific incidents and areas of law. Among its series of efforts, one of the most important cybercrime and cybersecurity policies relates to information and electronic transactions and regulates cyberspace.

1. Law of the Republic of Indonesia Number 8 of 1999 on Consumer Protection, Article 4 letter (c) and letter (h).
2. Id. Article 7 letter (b) and letter (g).
3. Id. Article 62 and Article 63.
4. Government Regulation Number 82 of 2012 on Implementation of Electronic Systems and Transactions, Article 1 number (15).
5. Id. Article 47.
6. Id. Article 48 paragraph (3).
7. Financial Services Authority (Otoritas Jasa Keuangan – OJK) Regulation No. 1/POJK.07/2013 on Consumer Protection in Financial Services Sector (“OJK Regulation”), Article 3.
8. Id., Article 1 number (1).
9. Id., Article 31 paragraph (3) and paragraph (4).
10. Id., Article 40 paragraph (1).
11. Indonesia currently has Regulation on Protection of Personal Data in the form of Ministerial Regulation Number 20 of 2006 which was effective from December 1, 2006. Until this date, the Protection of Personal Data Bills is still under discussion in Parliament.
12. Law of the Republic of Indonesia Number 39 of 1999 on Human Rights, Article 32.
13. Law of the Republic of Indonesia Number 36 of 2009 on Health, Article 8.
14. Id., Article 8. Article 57 paragraph (1).
15. Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law Number 19 of 2006 (“Electronic Information and Transactions Law”), Article 26 paragraph (3).
16. Minister of Communications and Information Regulation Number 20 of 2016 on the Protection Data in Electronic System, Article 29.
17. Electronic Information and Transactions Law, Article 23 paragraph (1).
18. Id., Article 23 paragraph (2).
19. Id., Article 23 paragraph (3).
20. Id., Article 27 paragraph (3) and Article 45 paragraph (1).
21. Law of the Republic of Indonesia Number 3 of 2011 on Funds Transfer, Article 1 number (1) and Article 1 number (7).
22. Id., elucidation of Article 17 Paragraph 1 letter (b).
23. Id., Article 76 paragraph 1.
24. Id., Article 84.
25. Electronic Information and Transactions Law, Article 35 and Article 51 paragraph 1.
26. Id., Article 30 paragraph (3), and Article 46 paragraph (3).
27. Law of the Republic of Indonesia Number 28 of 2014 on Copyright, Elucidation of Article 53.
28. Id. Article 54.
29. Law of the Republic of Indonesia Number 20 0f 2016 on Marks and Geographical Indications (Mark Law), Article 2 paragraph (2).
30. Law of the Republic of Indonesia Number 13 0f 2016 on Patents, Article 1 (1).
31. Id. Article 2.
32. Id. Article 96.
33. Id. Article 165.
34. Law of the Republic of Indonesia Number 30 0f 2000 on Trade Secret, Article 1.
35. Law of the Republic of Indonesia Number 30 of 2000 on Trade Secret, Article 13 and Article 14.
36. Presidential Regulation of the Republic of Indonesia Number 53 of 2017 on National Cyber and Crypto Agency as amended by Presidential Regulation Number 133 of 2017.