The Indonesian Government recently enacted an e-commerce regulation to regulate all aspects of online commerce (including e-contracts, online advertisements and parties to e-commerce transactions) (GR No. 80 of 2019 on Electronic Commerce (E-Commerce Regulation)).

Other laws and regulations may also apply, depending on the type of online business and the activities involved.

For example, specific regulations issued by the relevant authority will apply to the:

The Indonesian House of Representatives (Dewan Perwakilan Rakyat) is responsible for passing legislation in this area, as in any other area of law. However, the government can also propose legislative initiatives. Legislation passed by the House of Representatives often empowers the President and ministries or statutory bodies to make further and more detailed regulations in specific areas of the law. These regulations can be issued as any of the following:

When setting up an existing/new business online, a company must:

Depending on the nature of the business or its business model, an online business in its early stages may enter into contracts with:

While there are no specific legal requirements about website or app design, there are several laws and regulations that must be taken into account when designing website or app. For example, when collecting and processing a child's personal data, the website or app operator must obtain consent from the child's parent or guardian (Minister of Communications and Information Technology (MOCIT) Regulation No. 20 of 2016 on Personal Data Protection (PDP Regulation)).

Further, when collecting and processing the personal data of any disabled person, the data controller must use the appropriate communication means in consent notices to obtain the consent of the disabled person and/or their guardian (PDP Law). The consent notice and the website or app's policies must therefore be designed to comply with this requirement. However, at the date of writing, there was no clarity on the procedure for obtaining consent from the disabled person.

In addition, if the website or app is a user-generated content platform. MOCIT Regulation No. 5 of 2019 requires operators to make available a complaint channel where users can report finding illegal content.

A company must first consider the desired design, functionality and features of the app. Subsequently, if the company cannot develop the app internally, a third-party app developer must be appointed. An agreement should be in place for this engagement, which should address, among others, ownership of intellectual property rights, security, maintenance services and a user manual for the app.

The app can be distributed via the company's website or through third-party marketplaces such as Google Play, Apple Store and Microsoft Store.

Indonesian law recognises electronic contracts. The criteria for a valid electronic contract are as follows:

(Article 46(2) of GR No. 71 of 2019 on Application of Electronic Systems and Transactions (GR 71/2019)).

An electronic contract must be in the Indonesian language if it involves an Indonesian party. Electronic contracts can also be drafted in a bilingual format. In this case, a standard language clause should be included, which, among others, specifies which text will prevail in the event of a discrepancy between the Indonesian text and the foreign language text.

Although Indonesian law does not specifically regulate click-wrap, browse-wrap and shrink-wrap contracts, consent in these types of contracts can be provided by:

(Article 49(3), GR 71/2019.)

This means that, as long as the formation of any click-wrap, browse-wrap, or shrink-wrap contracts complies with Article 46(2) and 49(3) of GR 71/2019, such a contract is valid and enforceable.

In the e-commerce context, additional conditions for a valid and enforceable electronic contract are as follows:

(Article 52, E-Commerce Regulation.)

In addition, an electronic contract for an e-commerce transaction must also contain certain information, that is the:

In addition to the local language requirements, the following documents must be manually signed and cannot be signed electronically:

The primary laws and regulations governing contracting on the internet are:

Generally, the PDP Regulation requires an electronic systems provider to retain personal data for at least five years from the date when the relevant data subject ceases to be a user of the service provided by that provider, unless stipulated otherwise by other specific laws and regulations such as the:

A site accreditation is issued in the form of an electronic certificate (sertifikat elektronik), which can either be a certified site accreditation or a non-certified site accreditation (MOCIT Regulation No. 11 of 2022 on Governance of Electronic Certification Application (E-certification Regulation)).

There are three categories of certified site accreditation:

Only a local certification authority (penyelenggara sertifikasi elektronik) can issue a certified site accreditation. A site accreditation issued by a foreign certification authority will therefore be deemed a non-certified site accreditation.

A list of local certification authorities can be found at https://tte.kominfo.go.id/. If a local certification authority does not provide a certified site accreditation service, a service provider can use an industry-accepted site accreditation issued by a foreign certification authority (for example, DigiCert) if the foreign authority has complied with the E-certification Regulation that is, having a local representative in Indonesia within four years from the enactment date of this regulation (that is, 22 September 2022).

In addition, a site accreditation issued by a foreign certification authority has less evidentiary value before an Indonesian court than an accreditation from a licensed local certification authority.

The general remedies available for a breach of contract apply. Typically, these are determined by:

Remedies can include termination of the contract or monetary compensation/damages (but not punitive damages) and/or specific performance.

In addition, where there is a breach of a regulatory requirement, such as a breach of the obligation to allow buyers to refund, return, or exchange the purchased product, other remedies may apply.

The following laws apply to electronic signatures:

Under the EIT Law, an electronic signature is defined as electronic information (which includes, among others, electronic sound, text or symbol) attached to or associated to a different electronic information (such as a contract or other record), for which it serves as a verification and authentication tool.

There are two types of e-signatures:

See Question 7.

The collection or use of personal data in Indonesia is regulated by Law No. 27 2022 on Personal Data Protection (PDP Law) issued on 17 October 2022, and its implementing regulations, including existing ministerial-level regulations enacted before the PDP Law if to the extent that they do not conflict with the PDP Law.

The existing regulations include the PDP Regulation, which applies to electronic system providers that use electronic systems (for example a computer program, a website, a mobile app, or an online platform) to collect, process, store, disseminate, transfer, allow access to, and/or erase personal data.

The PDP Law applies to:

The PDP Law also applies to personal data processing by private or public parties, although there are exemptions to its application, for example for the processing of personal data for personal or household activities. Unfortunately, the PDP Law is silent on the nature of these activities. This is expected to be elaborated in the PDP Law's implementing regulations.

There are also partial exemptions for some provisions in the PDP Law. For example, a data subject's rights can be derogated if the purpose of the personal data processing is for:

In addition, the PDP Law also grants a two-year transitional period from 17 October 2022 for data controllers, data processors, and other parties in a data processing activity to adjust their data processing practices to conform with the PDP Law's requirements. This means that while these requirements became effective from 17 October 2022, no sanction will apply for failure to comply during the transitional period.

However, some provisions of the PDP Law became effective immediately from 17 October 2022. These govern prohibited conduct related to data processing activities, which are considered criminal offences.

For example,

The PDP Law defines personal data as any data relating to an identified or identifiable natural person (data subject) that can be identified on its own or in combination with other information either directly or indirectly through an electronic or non-electronic system.

Specific personal data includes:

General personal data includes:

The PDP Law restricts the collection and use of personal data in that a data controller must be able to identify the appropriate “lawful basis” for each type of data processing that they perform (Article 20, PDP Law).

The PDP Law generally permits the collection and use of personal data to the extent necessary for the performance of a contract with data subjects, or for taking any action requested by the data subject with a view of entering into a contract.

The PDP Law does not specifically limit the storage of personal data in cloud. However, when personal data is stored, data controllers and processors have certain obligations under the PDP Law, such as ensuring appropriate security safeguards, including encryption of personal data.

Personal data can be transferred outside of Indonesia to another country if one of the following lawful bases for the processing exists:

In addition to the PDP Law, GR 71/2019 also applies to electronic system providers (such as online businesses) that process personal data using electronic systems (a website, a computer program, or an online platform). A provider can choose whether to process and/or host its electronic system and data, including personal data, onshore or offshore. However, offshore data processing must comply with the PDP Law.

Regardless of the location, a system provider must ensure that the authority can access its electronic system and data. This flexibility does not apply to businesses in several sectors, such as the banking and financial services sectors, as they are subject to sector-specific laws and regulations. For example, the OJK only allows commercial banks and insurance and reinsurance companies to host certain data overseas based on its approval.

An electronic system provider that keeps personal data within their electronic system must provide access to the data for law enforcement purposes if the requesting law enforcement agency (such as the police or the anti-corruption agency) has a bona fide legal ground to request it (Article 23, PDP Regulation; Articles 26 and 29 of MOCIT Regulation No. 5 of 2020 on Electronic System Providers in the Private Sector, as amended by MOCIT Regulation No. 10 of 2021 (Private ESP Regulation)).

Under those regulations, before accessing or compelling disclosure of personal data, a law enforcement agency must give a written formal request setting out their statutory powers for its request, the purpose of the request and a specific description of the requested data.

If the law enforcement agency wishes to access the contents of the communication in an individual's electronic device, additional requirements will apply, including having to obtain a court order.

Under Article 21 of the Private ESP Regulation, a government body is entitled to both:

Indonesian law does not explicitly regulate the use of cookies. However, if a cookie collects personal data, then the PDP Law applies, and the relevant requirements, such as the requirement to have a lawful basis for data processing, must be fulfilled.

See Question 16 for details of the lawful bases for personal data processing.

In operating its electronic system (for example a website or mobile app), an electronic system provider must put in place certain security measures to prevent any failure or disturbance to its electronic system (including any transaction using, or taking place within, the electronic system). These measures can include implementing anti-virus or anti-spamming software, firewalls and intrusion detection.

In addition, an electronic system provider must register all its electronic systems with the MOCIT for accountability purposes.

See Question 16.

Online businesses are free to incorporate a licensed payment system (obtained through a third party) that facilitates electronic payments on their websites. The PDP Law applies to the extent that the payment system collects or uses personal data.

However, an online business seeking to establish and operate its own payment system must obtain a licence from BI. The regulations that apply to payment systems providers are:

Specifically for online gaming, games must be rated and classified based on the standards that apply to the content of games as set under MOCIT Regulation No. 11 of 2016 on Classification of Interactive Electronic Games.

When consent is required in relation to a minor's personal data, only a parent or a guardian of the minor can give consent on the minor's behalf. A person under the age of 21 is generally regarded as a minor in contract-related matters (as regulated under the Indonesian Civil Code).

Law No. 8 of 1999 on Consumer Protection (Consumer Protection Law) generally excludes the liability of a business that resells or markets goods or services provided by a supplier outside the jurisdiction if, among others, the business does not modify the goods or services before reselling or marketing them.

There are no limitations on the use of links to third-party websites and other practices such as framing, caching, spidering and using metatags. However, online businesses that carry out these practices must ensure that they are not facilitating or hosting illegal content. See Question 37 on illegal content.

See Question 24.

The following regulations are relevant to the licensing of domain names:

Under these regulations, a domain name must not include elements of pornography, gambling, terrorism, racism/discrimination, anything relating to personal data, violence, phishing, malware, hacking and others (such as fraud, trade mark or drugs).

Moreover, the use certain domain names are restricted, i.e. if such domain names contain the name of a geographic area (e.g. a state or a city) or the name of an official position or government institution.

There is no non-commercial/government domain name registrar in Indonesia. The Ministry of Communication and Information Technology, which initiated and promoted the high-level domain name .id and other related domain names, collaborates with the Indonesian Internet Domain Name Administrator (Pengelola Nama Domain Internet Indonesia) (PANDI), to manage these domains through the PANDI members. These include commercial domain name registrars. In practice, many registrars offer certain domain name free of charge to their customers.

Domain names do not confer any additional rights unlike trade marks. Their registration process and the supervising body also differs from that of trade marks.

To register a trade mark, a party must file an application to the Directorate General of Intellectual Property Rights (DGIP) at the Ministry of Law and Human Rights of Indonesia. The application is subject to a formal examination, a publication phase and a substantive examination before the DGIP issues a trade mark certificate. The first-to-file principle applies and therefore the issuance of a certificate depends on the availability of the trade mark. Under Law No. 20 of 2016 on Trademarks and Geographic Indications as amended by Law No. 11 of 2020 on Job Creation (Trademark Law), even if a party has obtained a trade mark certificate, the trade mark is subject to:

Domain names are considered to simply be the address or the identity of a state administrator, person, business entity and/or the public, and are obtained on a first-applicant basis. This first applicant principle for domain names is different from the first-to-file principle in the intellectual property sector as the former does not involve any examination procedure (unlike for trade marks).

A domain name can be registered as a trade mark. In this case, the domain name will be considered as a mark, not a domain name, and the Trademark Law will apply.

If the domain name infringes a registered trade mark, this will be considered as passing-off in violation of the Trademark Law.

A party that wishes to object to the alleged infringement of a person's trade mark right must raise such an objection either during the publication phase or by filing a cancellation suit in the commercial court.

A business name is usually either the company's name or its trade mark name.

The following restrictions apply when selecting a company name for a limited liability company:

A party must apply for a company name before incorporating the company. This application must be submitted via the Ministry of Law and Human Rights' website.

In selecting a trade mark name, the following restrictions must be observed:

See Question 27 for the procedure to apply for a trade mark.

The courts apply the rules set out in Article 18 of the EIT Law. The EIT Law requires any agreement giving effect to an internet transaction to specify the governing law and jurisdiction for disputes. In the absence of such a provision, the courts should apply the principles of international private law and determine the governing law based on the following factors:

See Question 29.

The forum for dispute resolution is typically included in a website's terms of use or T&Cs.

The E-Commerce Regulation contains a provision that recognises ODR if the disputing parties have agreed to use this method to resolve disputes. This regulation provides little explanation of ODR, but allows the disputing parties to determine the ODR's specifics, including whether to use professional mediators or an accredited ODR service provider. The Ministry of Trade is understood to be developing a national ODR system that is expected to come into operation in 2024. This ODR platform will be linked with ASEAN's ODR system.

Alternatively, online traders and customers can use the ADR services provided by general ADR centres such as the Indonesian National Arbitration Board (Badan Arbitrase Nasional Indonesia).

ADR/ODR options in the form of consultation, negotiation, conciliation, mediation, or arbitration can result in the award of either or both:

The main legislation that governs advertising (including online advertising) is the Consumer Protection Law, which generally prohibits the misleading or deceitful advertising of goods or services. Advertisements are considered as misleading or deceitful if, for example, they present the goods or services as having certain features that they do not have, such as:

The E-Commerce Regulation and its implementing regulation, Regulation 50/2020, prohibit online advertisements that violate the rights of consumers or are contrary to anti-trust principles. Under Regulation 50/2020, an e-commerce business can self-publish its advertisements or hire a third-party e-commerce service provider (such as an online marketplace operator) to do so.

As Regulation 50/2020 does not regulate electronic advertisements in detail, e-commerce businesses must still ensure that their advertisements comply with the general regulations on broadcasting, personal data, consumer protection, and competition.

Indonesian law does not specifically regulate online behavioural advertising. However, the Indonesian Advertisement Ethics provide that if cookies are used to collect users' data (which are then used for advertising purposes), the users must be informed of the data collection and processing. If the cookies relate to the collection of personal data, the business must have a lawful basis for its collection.

See Question 16 for details of the lawful bases for personal data processing.

The types of services or products that are specifically regulated when advertised online include:

Generally, personal data protection rules apply to marketing communications (whether text messages or spam e-mails). However, under OJK Regulation No. 6/POJK.07/2022 of 2022 on Financial Services Consumers Protection, a financial service provider cannot send any marketing communication to consumers without their prior consent.

The Indonesian language must be used in any electronic contracts or other forms of contracts that are signed in relation to an internet transaction involving an Indonesian party (Article 47(1), GR 71/2019). Other than that, there is no language requirement for websites that target Indonesia or whose target market includes Indonesia.

Online sales or e-commerce transactions are subject to tax.

Under Directorate General of Tax (DGT) Circular Letter No. SE-62/2013 (2013 Circular), e-commerce transactions are subject to value-added tax (VAT) and income tax. The 2013 Circular classifies four types of e-commerce transaction models:

Law No. 7 of 1983 on Income Tax as amended by Law No. 7 of 2021 on Harmonisation of Tax Regulations (Income Tax Law) defines income as "any increase in economic ability received or earned, originating from within or outside Indonesia, that is used for consumption or to increase the wealth of the taxpayer, in whatever name or form".

Any income obtained or received by a taxpayer, including from online sale transactions, is subject to income tax. Depending on the type of transaction, the applicable income taxes include:

Online sales or e-commerce transactions within Indonesia may be subject to VAT.

The following points apply to offshore e-commerce transactions with Indonesian customers under (Government Regulation in lieu of Law No. 1 of 2020, enacted as Law No. 2 of 2020 (Law 2/2020)):

Law 2/2020 applies until the pandemic status in Indonesia is revoked and at the time of writing was still in force.

The Indonesian Constitutional Court decided in October 2021 that Law 2/2020 was issued specifically to tackle the pandemic and therefore, the law should not have any legal force once the President revokes the pandemic status. However, provisions related to the appointment of e-commerce participants as VAT collectors have been included in:

The above provisions will continue to apply even after Law 2/2020 is deemed to be no longer in force.

An e-commerce business that does not have a presence in Indonesia but provides services to Indonesian customers must establish an e-commerce representative office (kantor perwakilan perusahaan perdagangan asing bidang perdagangan melalui sistem elektronik) in Indonesia if it either/both:

(Regulation 50/2020.)

The intention of Regulation 50/2020 is for the e-commerce representative office to function as an onshore extension of the offshore e-commerce business (that is, not a separate legal entity from the business). Therefore, the offshore e-commerce business is liable for obligations incurred by the representative office.

The representative office's activities are limited to acting on behalf of the offshore e-commerce business in:

Settling any disputes or complaints regarding customers or end-customers in Indonesia.

A separate analysis would be needed to assess whether the presence of the representative office would trigger a foreign entity to be deemed to have a PE in Indonesia.

A company is considered to be an Indonesian resident for tax purposes if it is incorporated or domiciled in Indonesia. A tax resident company must be registered with the DGT and comply with all Indonesian tax obligations in respect of, among others, maintaining bookkeeping and paying corporate income tax, employee income tax, withholding tax and VAT.

A foreign company carrying out business activities through a PE in Indonesia must generally assume the same tax obligations as a resident corporate taxpayer.

VAT is due on events involving the transfer of VAT-chargeable goods or the provision of VAT-chargeable services within the Indonesian customs area. The standard VAT rate is 11%. VAT is calculated by applying the VAT rate to the relevant tax base. In most cases, the tax base is the transaction value agreed between the parties concerned.

Under Law No. 8 of 1983 on Value Added Tax and Luxury Goods Sales Tax as amended by Law No. 7 of 2021 on Harmonisation of Tax Regulations (VAT Law), VAT is imposed on the following transactions (where the supplier/provider is VAT registered and the goods/services attract VAT):

A sole trader or business entity that delivers goods or services subject to VAT exceeding IDR4.8 billion per year must register with the tax office as a VAT-able entrepreneur (Pengusaha Kena Pajak). The entrepreneur must collect VAT on the chargeable revenue by issuing a VAT invoice (Faktur Pajak), pay the payable VAT and file the monthly VAT returns.

See Question 35 for VAT imposition and collection of offshore intangible goods or services within Indonesia through the e-commerce system.

The E-Commerce Regulation prohibits the publication of any illegal content on websites. Illegal content is defined as any content that is prohibited or violates the law according to the applicable laws and regulations relating to, among others, copyright infringement, defamation or "harmful" content.

Further, under the Private ESP Regulation, an electronic system provider must ensure that its electronic system does not contain or facilitate the distribution of illegal content. Illegal content is defined as content that:

Illegal content includes gambling, pornography (including child pornography) content, radicalism content, terrorism content and content that incites public unrest.

Under the E-Commerce Regulation, the electronic commerce provider is generally liable for any impact or legal consequences arising from the illegal content. However, under Article 11 of the Private ESP Regulation, an electronic system provider whose platform allows use- generated contents is exempted from the liability for any illegal content transmitted or distributed on its platform if the provider has fulfilled its obligations, such as:

Any person that operates a business to sell goods or services through an electronic system (such as a website or mobile app) must disclose at least the following information:

(Law No. 7 of 2014 on Trade as amended by Law No. 11 of 2020 on Job Creation)

Under Article 13 of the E-Commerce Regulation, an electronic commerce provider must provide the following information:

Under the EIT Law, an electronic system provider is prima facie liable for everything that takes place on its electronic system (for example, its website or mobile app), unless it can prove that the occurrence resulted from the wrongdoing of a third party.

In addition, the E-Commerce Regulation recognises the "safe harbour rules as adopted under the US Digital Millennium Copyright Act and the EU E-Commerce Directive. The regulation gives a broad immunity to e-commerce service providers and intermediary service providers (for example search engine providers) from the legal consequences of illegal third-party content.

The E-Commerce Regulation discharges e-commerce service providers from any liability for illegal content found on their platforms if they have acted expeditiously to remove or disable access to such contents after knowing of its existence (either by way of a report from a third party or finding it out themselves).

Providers are required to provide users with terms of use or T&Cs of the platform (which should expressly state that users can only use the platform for lawful purposes), and to use certain technology and/or feature in the platform that will allow users to report illegal contents. This aims to ensure that an e-commerce service provider is alerted to illegal contents on its platform.

An ISP can only block access to websites if ordered to do so by the relevant authority (the Ministry of Communications and Information Technology). An ISP that fails to block access to websites with illegal content can face sanctions, such as the revocation of its business licence.

All products and services that are supplied in Indonesia (whether online or not) must be safe and must meet the specified product standards and the information as disclosed on the label or advertisement under the Consumer Protection Law.

Under the E-Commerce Regulation the online provider or seller of goods must give consumers the right to exchange or cancel the purchased goods or services within at least within two business days after the date of receipt.

Further, Regulation 50/2020 governs the liability of electronic commerce providers for electronic advertisements for their goods or services.

Online business must have both:

Over the past three to five years, the Indonesian public has become more aware of personal data protection matters, primarily due to the rising numbers of data-related incidents. The government recently enacted the PDP Law (see Question 14 and Question 16) which establishes underlying principles for personal data protection, as opposed to detailed or practical rules. Implementing regulations/guidelines are expected to be issued to further regulate and clarify the provisions of the PDP Law.

In addition, the government is currently reforming the financial services sector regulatory framework, including recently passing a law on the development and strengthening of financial services sector which will have an impact on digital businesses in the financial services sector, including Fintech and cryptoassets. The OJK will be given additional authorities and powers, which include the authorities and powers to oversee and regulate crypto transactions which were previously tasked to the Bappebti. Once the law goes into effect, digital businesses engaging in crypto trading will be overseen by the OJK.