The Indonesian government should suspend and substantially revise a regulation on online content to meet international human rights standards, Human Rights Watch said in a May 17, 2021 letter to Indonesia's minister of communication and information technology.
Ministerial Regulation 5 (MR5), which came into force in November 2020 with little consultation, requires all private digital services and platforms to register with the Ministry of Communication and Information Technology and agree to provide access to their systems and data as specified in the regulation. Those that fail to register by May 24 will be blocked in Indonesia. The minister should suspend the regulation before this deadline.
"Ministerial Regulation 5 is a tool for censorship that imposes unrealistic burdens on the many digital services and platforms that are used in Indonesia," said Linda Lakhdhir, Asia legal advisor at Human Rights Watch. "It poses serious risks to the privacy, freedom of speech, and access to information of Indonesian internet users."
MR5 governs all private "electronic systems operators" that are accessible in Indonesia, broadly defined to include social media and other content-sharing platforms, digital marketplaces, search engines, financial services, data processing services, and communications services providing messaging or video calls and games. The new regulation will affect national and regional digital services and platforms, as well as multinational companies like Google, Facebook, Twitter, and TikTok.
These companies are required to "ensure" that their platform does not contain or facilitate the distribution of "prohibited content," which implies that they have an obligation to monitor content. Failure to do so can lead to blocking of the entire platform. The regulation's requirement the companies proactively monitor or filter content is both inconsistent with the right to privacy and likely to amount to prepublication censorship, Human Rights Watch said.
The regulation's definition of prohibited content is extremely broad, including not only content in violation of Indonesia's already overly broad laws restricting speech, but also any material "causing public unrest or public disorder" or information on how to provide access to, or actually providing access to, prohibited material. The latter includes Virtual Private Networks, which allow a user access to blocked content but are also routinely used by businesses and individuals to ensure privacy for legal activities.
For "urgent" requests, the regulation requires the company to take down content within four hours. For all other prohibited content, they must do so within 24 hours of being notified by the ministry. If they fail to do so, regulators can block the service or, in the case of service providers that facilitate user-generated content, impose substantial fines.
The time allocated for response is unrealistically short, particularly for companies that work in multiple time zones, and will impose onerous burdens on smaller companies with limited staff. Unreasonably short time frames for removing content would most likely lead service providers to pre-emptively take down content to ensure compliance and could force the shutdown of smaller providers that do not have adequate staff available to respond to such requests, Human Rights Watch said.
The regulation appears to provide no mechanism for either the company or the person who posted the content to challenge the ministry's order, either before or after the content is taken down. The lack of procedural safeguards and channels to appeal decisions only exacerbates the risk that regulators will abuse the provisions for taking down content.
Under the regulation, companies must also provide access to both their "systems" and their "data" for "supervision" purposes whenever requested to do so by the authorities. Companies must also allow law enforcement authorities to access electronic data for criminal investigations into any offense carrying a penalty of at least two years in prison. Requirements that authorities be given direct access to systems or massive amounts of information collected and stored by private companies are of serious concern. Such requirements are particularly prone to abuse, tend to circumvent key procedural safeguards, and can easily exceed the limits of what can be considered necessary and proportionate, Human Rights Watch said.
To facilitate access requests, the regulation requires each company to appoint a local contact person to receive and act on those requests. A company that fails to provide access for regulators and law enforcement faces penalties ranging from a written warning to revocation of their registration. The requirement to appoint a local contact person in Indonesia will make companies much more susceptible to pressure to comply with overbroad requests to remove content, and will inevitably lead to an increase in unnecessary censorship and compromise people's privacy and their right of access to information.
"MR5 is a human rights disaster that will devastate freedom of expression in Indonesia, and should not be used in its current form," Lakhdhir said. "The Indonesian government should immediately suspend the regulation, and start a consultation process with stakeholders and civil society groups based on the premise that any new or revised regulation must comply with international standards for privacy and free expression."