Upon the new revision of Law No. 11 of 2008 on Information and Electronic Transaction through Law No. 1 of 2024 (collectively referred to as the “ITE Law”), many have speculated and questioned the decision of omitting regulations explicitly regarding Artificial Intelligence (“AI”). As a result, many AI business actors and/or AI users must depend on the limited existing regulations such, among others, the ITE Law, Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), and the Regulation of the Government No. 71 of 2019 on The Organization of Electronic Systems and Transactions (“GR 71/2019”) to regulate the implementation of AI in Indonesia.
However, as a recent development, the Ministry of Communications and Information (“MOCI”) has published AI guidelines as a preliminary step before issuing AI regulations that will be developed in the future. Thus, we have elaborated below the regulatory interpretation of AI using the current limited regulations along with these AI guidelines.
- General Indonesian Regulations on AI
At present, Indonesia has yet to issue regulations specifically on AI, however, the definition of ‘Electronic Agent’ is considerably debatable when applied to AI. The definition is read as follows:
‘A device from an electronic system that is created to automatically perform certain actions on certain electronic information held by a person’.[1]
The term ‘automatically perform certain actions’ may apply to the nature of AI. Thus, the obligations and rights attached to Electronic Agent under the ITE Law and GR 71/2019 (amongst other regulations) may apply to AI operators and/or users. For instance, in the event of legal consequences arising from electronic transactions that are executed via the assistance of an electronic agent[2] or from operational failure of the electronic agent,[3] then the responsible party would be the operators of the electronic agents. Further, generally, AI operators may also be included under the definition of ‘Electronic System Operators’ under Regulation of MOCI No. 5 of 2020 on Electronic System Operators in the Private Sector, as lastly amended by Regulation of MOCI No. 10 of 2021 (“MOCI 10/2021”).[4]
Despite not having a specific regulation dedicated to AI, it should be noted that the sanctions stipulated under the revised ITE Law may still apply to AI operators. This is exemplified by Article 40A of the ITE Law which is intentionally broad enough to be effective in any circumstance, including the misuse of AI whereby the government has the discretion to instruct electronic system operators (AI operators) to conduct adjustments to its electronic systems and/or conduct other specified actions.[5] This discretion is to create a digital ecosystem that is fair, accountable, safe, and innovative.[6]
In addition, under Regulation of MOCI No. 3 of 2021 on Business Activity Standards and Product Standards in the Implementation of Risk-Based Business Licensing in the Postal, Telecommunications and Electronic Systems and Transactions Sectors (“MOCI 3/2021”),[7] business actors may operate under the standard classification of Indonesian business fields number 62015 (“62015 Businesses”). Thus, 62015 Businesses are able to conduct programming activities based on AI that involve consultancy that is followed by analysis and programming utilizing AI technology including subsets from AI such as machine learning, natural language processing, expert systems, and other AI subsets.[8] However, 62015 Businesses must comply with and fulfill certain conditions to operate under this business activity such as, among others, developing Internal Guidelines (as defined below) and publishing technological innovation and developments to the public through activities, demos, or other methods that can be accessed by the public with caution to privacy and legality of information.[9]
- AI Preliminary Ethical Guidelines
Generally, the Circular Letter of MOCI No. 9 of 2023 on Ethics of Artificial Intelligence (“CR 9/2023”) is addressed[10] to (i) 62015 Businesses; (ii) public electronic service operators (“Public PSEs”); and (iii) private electronic service operators (“Private PSEs”), whereby MOCI’s definition of AI is read as follows:
‘A form of programming on a computer device in carrying out precise data processing (pemrosesan) and/or data analysis (pengolahan)’.[11]
It should be noted that MOCI 3/2021 has only specified 62015 Businesses for the obligation to develop their own policies/guidelines on data and internal ethics of AI (“Internal Guidelines”).[12] Thus, this may be why the initial draft of CR 9/2023 was only addressed to 62015 Businesses as CR 9/2023 is an extension of MOCI 3/2021. However, CR 9/2023 has since been revised to extend to Public PSEs and Private PSEs, requiring them to construct Internal Guidelines for AI implementation.[13]
Implementing of AI is defined as activities related to research, product development, marketing, and use of AI[14] (i.e., consulting, analysis, and programming).[15] Additionally, the use of AI technology is included within the subsets of machine learning, natural language processing, expert systems, deep learning, robotics, neural networks, and other subsets.[16] During the process of implementing AI, 9 (nine) ethical values must be adhered to, which are listed as follows:[17]
| 1. | Inclusivity – to consider equality, justice, and order for the common good in producing information and innovation; |
| 2. | Humanity – to protect human rights, social relations, belief systems, and individual opinions and thoughts; |
| 3. | Safety – to consider the security of users and data used to protect privacy and personal data and prioritize the rights of the users of the electronic system so that no party is harmed; |
| 4. | Accessibility – to have equal rights for users to access AI-based technology inclusively and indiscriminately; |
| 5. | Transparency – to have transparency of data used to avoid misuse of data; |
| 6. | Credibility and Accountability – upon public distribution, to have the information produced by AI as trustworthy and accountable; |
| 7. | Personal Data Protection – to ensure compliance with personal data protection requirements based on the prevailing law; |
| 8. | Environmental Sustainability – to consider the impact of AI on humanity, the environment, and other living beings; and |
| 9. | Intellectual Property – to ensure compliance with intellectual property rights protection requirements based on the prevailing law. |
However, it should be noted that the values mentioned above require further elaboration and regulations for certain circumstances, such as AI, which can create new content and ideas based upon recognition of patterns in data (“Generative AI”). Regarding to credibility and accountability, there is still the issue of certainty of who will be the responsible party if there is an occurrence of error or loss caused by the use of Generative AI. Additionally, in regards to intellectual property, this would be difficult, since the identity of the author of the work generated by the AI and the ownership of the work generated by the AI is still not clearly assessed. Furthermore, in regards to personal data protection, the implementing regulations of the PDP law are still not complete and/or issued whereby AI operators and/or users would be required to abide by such implementing regulations especially since the availability and process of data would be the most important factor for AI to operate.
- Conclusion
In summation, due to the rising use of AI within industries such as e-commerce and even law firms, it is imperative for AI regulations to support these developments. Based on the decision to omit AI provisions from the revision of the ITE Law, one may perceive that AI regulations will be issued within a separate law similar to the issuance of the PDP Law.
As an impact of having no regulations on AI, the current existing regulations allow for more flexibility for AI operators and/or users to implement AI in Indonesia. However, on the other side of the spectrum, AI operators and/or users must be vigilant to keep awareness of new regulations on AI to be able to adjust to possible significant changes.
[1] Article 1 Paragraph (8) of the ITE Law.
[2] Article 21 Paragraph (2) Point (c) of the ITE Law.
[3] Article 21 Paragraph (3) of the ITE Law.
[4] Article 1 Paragraph (5) of MOCI 10/2021.
[5] Article 40A Paragraph (2) of the ITE Law.
[6] Article 40A Paragraph (1) of the ITE Law.
[7] Page 21 of Attachment of MOCI 3/2021.
[8] Point 1 Page 21 of Attachment of MOCI 3/2021.
[9] Ibid.
[10] As it is not an official regulatory form that is included within the Indonesian hierarchy of regulations, CR 9/2023 is implied to be only binding for parties that listed as the specific addressees.
[11] Article 5 Paragraph (a) of CR 9/2023.
[12] Page 21 of Attachment of MOCI 3/2021.
[13] Article 1 of CR 9/2023.
[14] Article 5 Paragraph (b) of CR 9/2023.
[15] Article 6 Paragraph (a) of CR 9/2023.
[16] Article 6 Paragraph (a) of CR 9/2023.
[17] Article 6 Paragraph (b) of CR 9/2023.