Representatives of Indonesia's digital infrastructure operators are protesting an amendment to the country's data sovereignty laws, expressing concerns that it would be detrimental to local businesses and jeopardize data security.

The proposed reform to the Implementation of Electronic Transactions and Systems law, which dates back to 2012, would force all so-called electronic system providers to store “strategic” data in Indonesia, without detailing what would fall under this category.

Setting priorities straight

GettyImages-628708152.jpg
Jakarta skyline, Indonesia – Getty Images

The original text, designed to benefit “law enforcement, protection and enforcement of national sovereignty to the data of its citizens,” did not specify the type of data, merely requiring that all providers build their data centers in the country. The new proposal is hoped to attract investment in Indonesia.

In a joint press release issued on Tuesday, providers warned that not only would the revision threaten national data sovereignty; it would tip the balance in favor of international service providers, to the detriment of Indonesian companies that have so far been sheltered from competition.

Signatories included the following industry bodies: the ACCI (Indonesian Cloud Computing Association), APJII (Association of Indonesian Internet Service Providers), IDPRO (Indonesian Data Center Provider Organization), and the ABDI (Association of Big Data & AI).

The group warned that in discussions regarding data localization, it is "not enough to merely consider technical and security aspects, but [they] must integrate a broader perspective including sovereignty aspects, national industrial growth, data protection, socio-economic impacts, and so on.”

The consortium called for an “in-depth, thorough and transparent evaluation of the effectiveness of implementation of existing regulations after several years,” a process which they said should involve more stakeholders.

The world has seen a number of data sovereignty laws come into force in the past five years, presented as a means of ensuring data security and personal privacy by some, and as protecting local businesses by others. Examples include GDPR in Europe – though Germany implemented its own set of rules several years ago, on which the text was largely based – but countries like Russia, Vietnam and China have also introduced their own.