For years, Indonesia has been plagued by so-called “elastic laws” – a set of bills that can see a person indicted for violating poorly defined provisions, such as defaming an individual or group, religious blasphemy, committing treason, or inciting public disorder. Activists have pointed out how the immensely vague boundaries of what constitutes “damaging someone’s reputation” or “threatening public decorum” have made these laws blunt instruments for criminalising critics and minorities. The notorious Electronic Transaction and Information Law (UU ITE), for example, has been used multiple times by politicians and police authorities to counter accusations of corruption and misconduct, while expressing opposition to human rights abuses in West Papua carries the risk of being accused of pro-separation propaganda.

This list has now expanded. The latest entry to Indonesia’s ensemble of draconian legislation involves mandating online service providers – from social media and financial services to digital marketplaces and search engines – to remove or block content on their platforms at the behest of the government. The provision applies not only to Indonesian companies, but to any platform (referred to as private electronic system operators, or “private ESOs”) that collects and analyses data from users within Indonesia. Simply put: not only Gojek and Tokopedia, but Google and Tik-Tok, as well.

At first glance, the move might not sound all that extreme. Nearly every country has its own policy on which digital content should be moderated or banned outright. Indonesia already established the precedent of threatening to ban the messaging app Telegram in 2017 over concerns of facilitating terrorist activities. The latter was not without its share of criticism, however, with analysts claiming that banning Telegram would push terrorists to even more obscure, subterranean channels. Meanwhile, others pointed out that blocking access to an entire digital platform is a direct violation of the UN International Covenant of Civil and Political Rights.

While the issue of data protection in Indonesia has been more closely understood as a safeguard from hackers and loan sharks, a coherent policy would also regulate how much power the government has over peoples’ data.

Yet the current Ministerial Regulation 5 (MR5) issued by the Ministry of Communications and Informatics goes even further than these previous iterations: it obliges private ESOs to register themselves in Indonesia, with failure to acquire a license from the ministry by December 2021 resulting in a complete block of services (an initial deadline had been set for 24 May). To gain such a permit, platforms must consent to several terms within Indonesia’s updated internet policy – including provisions with clear authoritarian undertones.

First, MR5 requires private ESOs to ensure that their platforms do not facilitate the spread of prohibited documents and information – classified as content which “violates Indonesian law”, “promotes social anxiety and disrupts public order” or “informs methods or provides access towards prohibited electronic information and/or documents”. Typically, this involves blocking specific content per order of the Communications Ministry under the set limit of 24 hours; failure to comply will gradually result in warnings, fines, and a complete block of services. Individuals may also submit blocking requests, with the interpretation of what is unlawful or might lead to social unrest falling solely within the jurisdiction of the ministry as its bureaucratic arbiter.

MR5 also threatens private ESOs with legal liability if they fail to sufficiently monitor prohibited content, effectively encouraging self-censorship by platform providers. The “elastic laws” problem makes this a highly confusing obligation, as information might be deemed to violate existing regulations due to its potential to disrupt public order: those convicted under Indonesia’s blasphemy law, for example, were almost exclusively charged for denigrating Islam, the country’s majority religion. On the other hand, a reverse scenario – such as religious minorities claiming blasphemy committed by those of the majority faith – might end up being left uncatered out of fears of backlash and political instability.

Jalan Jendral Sudirman, Jakarta (Sulthan Auliya/Unsplash)

Eventually, this ambiguity might lead private ESOs to independently take down content that fits the government’s pattern, just to avoid dealing with such an unrealistic time frame for takedowns. Several issues fit squarely within this framework, such as Indonesia’s recent labelling of the West Papua Liberation Army as a terrorist group. Terrorism-promoting content is classified “urgent”, and platforms operate under a stricter deadline of four hours to block content instead of the regular 24 hours. Failure to do so within four hours will result in a fine that can be imposed up to three times, and platforms that do not comply within 12 hours will be banned by Indonesia’s internet service providers.

On top of this, MR5 does not provide a clear means for content holders to contest their takedowns, giving it a more repressive nature even compared to other controversial internet policies, such as the Singaporean “Fake News” law or Germany’s NetzDG, the original regulation that inspired similar policies in a multitude of countries. Virtual Private Networks (VPNs), too, might be considered unlawful – not because they fall into the category of prohibited content per se, but because they can enable access to websites and platforms blocked in Indonesia.

Finally, by consenting to the provisions of MR5, private ESOs also agree to provide law enforcement access to their systems and user information for “surveillance purposes” and criminal investigations that carries the minimum penalty of two years in prison. Many of the elastic laws fall into these categories: defamation charges can lead to four years of imprisonment; five years for blasphemy and promotion of atheism; and six years for inciting public hatred and hostility towards a group or community.

This provision not only enables authorities to track down and dig up further information to criminalise a person, stacking further charges in the event of newfound “prohibited content” based on the data collected by digital platforms, but it might also bypass relevant procedures in protecting private data.

After the controversy of several massive data leaks, Indonesians are further demanding government actions to ensure their digital privacy. While the issue of data protection in Indonesia has been more closely understood as a safeguard from hackers and loan sharks, a coherent policy would also regulate how much power the government has over peoples’ data. The Southeast Asian Freedom of Expression Network (SAFEnet), for example, has pointed out that MR5 might subvert provisions in the separate Personal Data Protection Bill, which is currently in draft – including ideas of establishing of an Independent Commission on Data Protection operating outside the government, not unlike Indonesia’s own Anti-Corruption Body.

As the deadline for registration has been pushed to late 2021, there may be time yet to turn around the harmful provisions of M5. It’s a prolonged extra time, and likely the only one before Indonesia’s digital landscape is changed dramatically.