
Reviewing Revision of Data Center Regulations in Indonesia

Data classification is a point of discussion in the revision of PP 82/2012, which is currently being harmonized

"We can be more aggressive in encouraging the digital economy through startups. Many startups are already running, while there is a policy in PP No. 82 of 2012 (PP 82/2012) that data centers must be in Indonesia. If, for startups, the data center must all be in Indonesia, the process later can't be optimal either," said Rudiantara after the Coordination Meeting for Revision of Government Regulation Number 82 of 2018 at the Office of the Coordinating Ministry for Economic Affairs, in Jakarta, Thursday (27/9) afternoon.

The Minister of Communication and Information considers that there is a need to use foreign cloud platforms that do not have a data center in Indonesia. Not to mention the plans of the big players to gain a foothold in Indonesia.

After Alibaba Cloud targeted the Indonesian market, Google confirmed that it would invest in the form of cloud regions. Amazon Web Services, meanwhile, has promised to bring in $1 billion over the next 10 years, but has no plan to build a data center in Indonesia.

Use of data centers by several digital services in Indonesia

Using tools provided by BuiltWith.com, it appears that a number of digital services in Indonesia tend to prefer data center services provided by foreign companies.

The label "Dedicated server" usually refers to data centers that the company builds independently or obtains from local service providers. In the picture above, IDN Times and Traveloka use Cloudflare Hosting, a proxy mechanism that hides the location of their cloud servers and is generally used because a company uses more than one cloud server. However, Cloudflare's existing integration partners are mostly foreign services such as IBM Cloud, AWS, Azure, etc.

"Ideal" conditions based on PP 82/2012

The regulation, which consists of 90 articles, covers many things in general: provisions for electronic transaction operators, software and hardware mechanisms, and administrative sanctions for violations. Of these, Article 17 paragraph 2 contains the provision that is the current point of reference. It reads as follows:

"Electronic System Operators for public services are required to place data centers and disaster recovery centers in the territory of Indonesia for the benefit of law enforcement, protection, and enforcement of state sovereignty over the data of their citizens."

In the explanation section, it is stated that the operator is required to obtain an Electronic System Eligibility Certification from the Minister and must be registered at Kemenkominfo. A data center is defined as a facility used to house electronic systems and related components for the purposes of placing, storing and processing data.

A disaster recovery center is defined as a facility used to recover data or information, as well as important functions of electronic systems, that are disrupted or damaged due to disasters caused by nature or humans.

Revised draft points

In revising the regulation, Kemenkominfo is working with several other ministries to harmonize regulations. It is hoped that the new regulation will be able to accommodate the needs that have emerged with current developments. From the drafts that have been submitted, there are several interesting points, one of which is described in Article 1 paragraph 27. The main discussion is about the classification of electronic data into 3 categories, namely strategic, high risk, and low risk.

According to a presentation by the Director General of the Directorate General of Informatics Applications, Semuel Abrijani Pangerapan, data storage will be arranged based on this classification. Each category has subsections and explanations. For example, strategic data is divided into high, medium, and low levels. Only for high-level strategic data is the data center required to be in Indonesia.

On the same occasion, Semuel gave an explanation of the data classification. Strategic data is sensitive data stored and managed by the government, for example intelligence data, food security data, and others. High-level strategic data is not even accessed via the internet, but via a restricted intranet. Meanwhile, mid-level strategic data may be connected to the internet on the grounds that it needs to be known by the public. Low-level strategic data can be placed anywhere for the sake of information disclosure.

High-risk data is defined as sensitive data relating to users. Placing the data center in Indonesia is not mandatory, but the government must obtain an access point for certain purposes. The only obligation for providers is to add an access point (e.g. in the form of a Cloud Delivery Network) in Indonesia, so that there is no need to request authorization from other countries' governments for data access.

Low-risk data tends to contain low-sensitivity data, so it can be managed anywhere more freely.

Classification of data according to the revision of PP 82/2012

Apart from dealing with data, the revision also regulates several other things. In Article 5 concerning Electronic System Operators, the revision confirms that every operator is obliged to register. This can be interpreted to mean that a data center service provider must be registered or be a legal business entity.

Industry response

Chairman of the Indonesian Cloud and Hosting Association (ACHI) Rendy Maulana said, "Initially we almost agreed with the proposal provided that the government could classify the data. However, after we discussed it again with association members and several law enforcement colleagues, it's not good if we agree."

According to him, data is a "gold mine" in today's digital era. Armed with data, various actions can be taken, even in the realm of law enforcement. Uncontrolled data management can pose a threat to sovereignty, especially threats from outside.

"Take spending data, for example; it can be used by others. For example, armed with data taken from a marketplace, foreign players can imitate our SME products, make similar white-label products, and then sell them at a lower price. That can destroy the development of SMEs."

"Our browsing data (logs/timestamps) can also have a lot of influence if the police want to find out who the perpetrators of cybercrime are, or in cases of suicide, murder or theft. At an advanced level, the user logs of services such as Google can record daily activities," explained Rendy.

According to ACHI's presentation, basically data is something very sensitive. There needs to be very strict management. Regulatory leniency regarding data can be manipulated and exploited for something that will harm us.

ACHI is a non-profit organization whose vision is to develop the cloud and hosting industry in Indonesia. Members of ACHI are cloud and hosting companies in Indonesia, as well as organizations related to industry participants. Some of its members include Qwords, Rumahweb, BiznetGio, CBNCloud, Jogjacamp, Infinys and Masterweb.

Other countries are getting stricter in regulating data

A statement of disapproval was also issued by the Indonesia Data Center Provider Organization (IDPRO). In an official release, IDPRO warns the government that the sovereignty of national data is fully held by local authorities. The organization also provides examples of case studies showing how other countries apply strict rules regarding data.

"In September 2017, Facebook was fined by the Spanish Government through the AEPD (Agencia Espanola de Proteccion de Datos/Spanish Data Protection Agency) of USD 1.44 million for violating the use of personal information data from Facebook users in Spain for advertising purposes. AEPD found Facebook was collecting detailed data on gender, religion, individual preferences, and website data for pages that are browsed by millions of Spanish users without the permission of the owners of these data. Besides Spain, Hong Kong also implements strict policies regarding the data of its citizens through the Personal Data Privacy Ordinance."

For the policy of placing data centers in the country for public services or services that store strategic data, Indonesia is not alone. According to a report by Oxford University, Russia and China have implemented similar policies. Brazil plans to implement a similar policy. Germany also has very strict and rigid privacy laws, which led Microsoft to decide in November 2015 to place its cloud service data centers in Germany.

Biznet Gio CEO Dondy Bappedyanto said that before this report was ratified, there were several fundamental questions that remained unanswered. First, has the previous PP 82/2012 been implemented 100%? So far he has seen no enforcement of these regulations. Now the revision will become more complex, yet the implementation mechanism has not been explained by the regulator.

Then Dondy's second question relates to data classification. How do we assess the data as personal data, what is the mechanism, who does the audit? Without clear and measurable technical procedures, it is considered that there will be many gaps that can be exploited by interested parties. Indeed, to assess the classification of data there must be strict standardization, considering that data types evolve rapidly.

Dondy emphasized that effectiveness must also be measured from several aspects, such as internet speed and bandwidth.

"Everything on the internet is data. Take video, for example: is it considered strategic data or not? I think surely not, it's for entertainment. Video is what eats the most bandwidth; if the videos produced here are placed outside, don't expect the internet to be cheap and fast. If all the content is outside, it is not certain that service providers will want bandwidth exchange to come here," said Dondy.

Revision to support the industry

Met on the sidelines of the IMF-WB Annual Meeting in Bali, the Minister of Communication and Information gave another explanation regarding the planned revision of PP 82/2012. One of them is to give local digital startups the flexibility to grow. According to him, if all data is required to be placed domestically, it will be difficult if later there is a need for expansion or the like.

On the same occasion, Rudiantara also emphasized that the revision of this rule had nothing to do with the dynamics of the cloud computing industry, for example the planned presence of foreign players in Indonesia. It is purely an improvement based on existing conditions and needs.

"Just be realistic: how many local startups are already serving the regional market now? To name them, only GO-JEK and Traveloka are massive," Dondy said in response to the statement by the Minister of Communication and Informatics.

Rendy added that there are currently many local data centers. Public, carrier-neutral ones are already in over 50 locations. As for private ones, there are hundreds of them and the locations are scattered in many places.

"Public here means the locations where data centers are placed, such as in Cyber, Duren Tiga, Cibitung, Bogor, etc. The private ones are even more numerous. For example, Qwords has a private data center in the Cyber Building, and Telkom has one in its own building. They are spread from Tier 1 to Tier 4. Not only in Jabodetabek, but even in Papua and Ternate. Many government institutions themselves have also built data centers," said Rendy.

Rendy and Dondy confidently hint that local players with their data centers here are very ready to facilitate the needs of local digital startups.
