Blog: Indonesia’s intermediary regulation imperils internet freedom

This article originally appeared on Tech Policy Press.

Internet freedom in Indonesia is teetering on a razor’s edge.

Last year, Indonesia’s Ministry of Communication and Information Technology issued the Regulation of the Minister of Communication and Informatics Number 5 of 2020 on Private Electronic System Operators (MR5). While ‘electronic systems operators’—which include most of the social media platforms and apps that people use every day—were required to register under the law by 24 May 2021 or be blocked in Indonesia, on the day of the deadline the Ministry announced a six-month postponement.

The new deadline is looming. But based on a new legal analysis, my organization—ARTICLE 19, which campaigns for internet freedom and internet rights in Asia Pacific—argues that Indonesia should immediately revoke MR5.

What is the new regulation, and why is it so problematic?

MR5 governs all ‘Private Electronic Systems Operators’ (Private ESOs) doing business in Indonesia, including both Indonesian services and platforms as well as multinational companies such as Facebook, Twitter, or Google. It grants the government overbroad authority to regulate their activity and to have direct access to user data and the contents of communications, and establishes excessive penalties for noncompliance. By introducing such a strict liability model in Indonesia, the regulation would strike a blow to internet freedom in the country and arguably risks inspiring copycat legislation elsewhere in Southeast Asia.

Here are the six most problematic aspects of MR5:

1. Overbroad Scope

The regulation governs a broad range of digital services provided by Private ESOs, broadly defined as ‘any individual, business entity, or community’ that operates an ‘Electronic System’ involved in the ‘preparing, collecting, processing, analysing, saving, displaying, announcing, sharing and/or distributing’ of electronic information. Individuals and companies connected to websites, social media platforms, email services, search engines, messaging services, mobile applications, and nearly any other online service or application fall within the scope of the definition. As such, the regulation extends the government’s regulatory powers to virtually any actor engaged in any online activity.

In his 2018 report on content regulation, the United Nations Special Rapporteur on the Freedom of Expression noted that ‘smart’ regulation should be compatible with international human rights law if it is narrowly defined, focused on transparency and due process obligations, and falls under the supervision of an independent regulator with circumscribed powers. This is plainly not the case with this regulation.

2. Prohibited Content

The definition of ‘prohibited’ content is likewise overbroad in listing any content that ‘disturbs the community and public order,’ or ‘informs others how to access or provides access to’ prohibited content.

Furthermore, the regulation extends to content that violates any Indonesian law, and not just those activities explicitly noted under the regulation. As such, it makes it extremely difficult for an individual to regulate their conduct online according to the law, as required by international standards on the restrictions of the freedom of expression.

The meaning of ‘providing access to’ also raises questions about the potential criminalization of circumvention tools, such as VPNs, despite the fact these tools can be used for perfectly legitimate, and sometimes necessary, reasons.

The Special Rapporteur has also noted the importance of circumvention tools and encryption in certain environments to ‘exercise the right to seek, receive and impart information’ and emphasized that any restrictions on their use must meet the requirements of legality, necessity, proportionality, and legitimacy.

3. Intermediary obligations and liability

The regulation establishes obligations for Private ESOs concerning the removal of prohibited content in a way that does not comply with international standards concerning intermediary liability, such as the Manila Principles. It sets out a sweeping notice-and-takedown regime that gives broad powers to the government to order the swift removal of content.

Private ESOs are required to comply with most content removal orders within 24 hours and, shockingly, within 4 hours for ‘urgent’ takedown requests, such as those involving terrorism, child sexual abuse images, or ‘content that disturbs the community or public order.’ However, MR5 provides no further clarity on the definition of ‘public order.’ The Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights offer guidance on permissible derogations in the name of ‘public order.’ Article 22 emphasizes ‘respect for human rights is part of public order,’ and that public order ‘shall be interpreted in the context of the purpose of the particular human right which is limited on this ground.’

Extremely short removal timeframes, such as 4 and 24 hours, make it virtually impossible to carefully review notices. This increases the risk of restricting legitimate and lawful expression.

That the regulation requires intermediaries to proactively monitor and filter content and to comply with takedown orders from the Ministry violates international human rights standards. The Manila Principles state that Internet intermediaries should never be required to proactively monitor content and that orders to restrict content should come from judicial authorities. The Special Rapporteur has also noted that failure to protect intermediaries from liability ‘creates a strong incentive to censor.’

4. Access to user data

Private ESOs are required to grant authorities access to their electronic system data, which includes any text and voice data, email records, and ‘access codes,’ which could mean private passwords, passphrases, or PINs.

The blanket obligation to provide government authorities data access may be incompatible with the national laws of most ESO home countries and is certainly at odds with international privacy rights norms. The UN Human Rights Committee, in its General Comment on the Right to Privacy, holds that ‘even with regard to interferences that conform to [the ICCPR], relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted.’ In the 2018 Right to Privacy in the Digital Age report presented to the UN Human Rights Council, the High Commissioner for Human Rights recommended all States adopt strong and comprehensive privacy legislation, including on data privacy, in accordance with international human rights law covering safeguards, oversight, and remedy.

5. Local contact person(s)

MR5 requires Private ESOs to obtain a registration certificate and designate at least one local ‘Contact Person’ in Indonesia. It is worth noting that registration requirements constitute an interference with the right to freedom of expression, and as such must be provided by law, pursue a legitimate aim, and be necessary and proportionate to that aim.

The contact person(s) will be responsible for facilitating access requests from the Ministry and other institutions, within the short timeframe of five days. Under MR5, the local contact person(s) shall provide law enforcement with access to traffic data and subscriber information for criminal investigations into offenses carrying a penalty of at least two years. However, law enforcement is not required to obtain a court order for such requests when the penalty is more than five years. The requirement to designate a local contact person puts that individual at risk of pressure or arbitrary reprisal for failure to comply with overbroad requests.

Such localization requirements also raise the risk of administrative or economic challenges, which may privilege larger companies with the financial resources to comply, disadvantaging smaller firms. Such practices decrease competition and introduce risks to net neutrality.

6. Excessive penalties for failure to comply

Failure to comply can lead to heavy penalties. ESOs who fail to grant access to their electronic data are at risk of administrative sanctions by the Ministry, from a written warning to temporary termination, blocking of their services, or full revocation of their operating license. Cloud computing operators who fail to grant access face only the administrative sanction of a written warning or revocation of their license.

ESOs who fail to respond to notice and takedown orders on prohibited content will first receive a written warning, either once every 24 hours or 4 hours depending on the takedown window, and after three written warnings a fine will be issued. The fine amount is not explicitly established under the regulation but is based on Indonesian Non-Tax State Revenue Law. It is highly concerning, however, that the exact amount does not appear in the law and that the only guidance is provided by statements from the regulator reported in official media, as between 100 and 500 million IDR per piece of content (6,950 – 34,740 USD).

ARTICLE 19 has previously warned that online content blocking and filtering can restrict the right to freedom of expression. ARTICLE 19 advanced recommendations to protect the right, including that blanket filtering must be prohibited by law; filtering should be user-controlled and transparent; any requirement to block content must be provided by law; blocking should only be ordered by an independent and impartial court or adjudicatory body; and blocking orders must be strictly proportionate to the aim pursued.

There is more to be concerned about in this regulation than just these six challenges, which is precisely why Indonesian civil society has been campaigning fiercely for it to be revoked. This is also why ARTICLE 19 reaffirms the call for this restrictive intermediary regulation to be revoked. The rights of all Indonesians are at stake.