The Existence of Certified Electronic Signatures in Indonesia

Advances in technology affect contracting practices, allowing parties to bind themselves to each other efficiently in electronic contracts through electronic systems.[1] Despite this efficiency, electronic signatures carry the same risk of loss as a leak of the data owner's data. Because electronic systems are at risk of being accessed by others, everyone who uses Electronic Signatures is required to secure the Electronic Signatures they use,[2] since signatures are crucial in contracts. To ensure the security of the Electronic Signature, the security measures include at least:[3]

  1. The system cannot be accessed by other unauthorized persons;
  2. Apply the precautionary principle to mitigate the risk of unauthorized use of data related to electronic signatures;
  3. The Signatory must without delay use the method recommended by the Electronic Signature provider or other reasonable and appropriate means if a signature leak occurs and causes significant risk; and
  4. Use electronic certificates to support Electronic Signatures by ensuring the correctness and integrity of all information associated with the electronic certificate.

In connection with these security measures, the Electronic Signature is turned into a Certified Electronic Signature, which has the strongest evidentiary value, by the Indonesian Electronic Certification Provider (“PSrE”). These provisions are recognized by the Government of Indonesia through PP No.71/2019 and require every Electronic Transaction Operator and User to use an Electronic Certificate issued by PSrE. However, the enactment of PP No.71/2019 does not override Article 13 paragraph 1 of UU No.1/2024, because the owner of the Electronic Signature can choose not to certify the Electronic Signature.[4]

The urgency of the Certified Electronic Signature lies in the security guarantee it gives the signature owner, because electronic contracts contain electronic transactions that have legal consequences for the parties bound. As with conventional contracts, electronic transactions are a form of agreement made by the parties[5] and have the same validity requirements as those in Article 1320 of the Civil Code, which regulates the legal requirements of conventional contracts. Therefore, Certified Electronic Signatures can be used for any type of contract until there are National or International arrangements restricting their use.

To obtain an Electronic Certificate, Electronic System Users and Electronic System Providers submit an application to PSrE,[6] which is an institution that has obtained recognition as PSrE from the Minister who organizes government affairs in the field of communication and informatics.[7] In connection with this, the Electronic Signature Making Device owned by PSrE must be certified[8] in accordance with SNI ISO/IEC 15408, SNI ISO/IEC 18045, and the standards specified in the PSrE facilities and equipment standards issued by the Ministry.[9] PSrE also has the authority to extend the validity period of, block, and/or revoke certificates.[10]

Electronic Signature Certification is very important considering the function of the Electronic Signature as a means of authentication and verification of the identity of the Signatory and the integrity and authenticity of Electronic Information containing personal data from the owner of the Electronic Signature. Based on Law Number 24 of 2013 concerning Amendments to Law Number 23 of 2006 concerning Population Administration, Signatures are Individual Data protected by law as stipulated in the provisions of Article 4 paragraph 1 of Law No.27/2022. In addition, the data contained in authentication is a type of Personal Data that is public based on the provisions of Article 4 paragraph 3 of Law No.27/2022 and must be protected. Therefore, Electronic Signatures are also related to Personal Data Protection.

The owner of an Electronic Signature is a Personal Data Subject under Law No.27/2022 and therefore has the right to end the processing, erasure and/or destruction of Personal Data about him/her[11] and to withdraw the consent to the processing of Personal Data about him/her that has been given to the Personal Data Controller.[12] In addition, the owner of an Electronic Signature as a Personal Data Subject has the right to object to decision-making acts based solely on automated processing, including profiling, which give rise to legal consequences or have a significant impact on the Personal Data Subject[13] and thus has the right to sue and receive compensation for infringement of the processing of Personal Data about him/her.[14] Therefore, PSrE as a Data Controller must have a basis for processing the Personal Data of the Electronic Signature Owner. The basis for processing Personal Data is as follows:[15]

  1. Explicit valid consent from the Personal Data Subject for 1 (one) or more specific purposes that has been conveyed by the Personal Data Controller to the Personal Data Subject;
  2. Fulfillment of agreement obligations in the event that the Personal Data Subject is one of the parties or to fulfill the request of the Personal Data Subject when entering into an agreement;
  3. Fulfillment of legal obligations of the Controller of Personal Data in accordance with the provisions of the Laws and Regulations;
  4. Fulfillment of the protection of the vital interests of Personal Data Subjects;
  5. Implementation of tasks in the context of the public interest, public service, or implementation of the authority of the Personal Data Controller based on laws and regulations; and/or
  6. Fulfillment of other legitimate interests with due regard to the purposes, needs, and balance of the interests of the Personal Data Controller and the rights of the Personal Data Subject.

Based on the description above, Certified Electronic Signatures offer better security and proof for Electronic Signature Owners than ordinary Electronic Signatures. However, owners of Electronic Signatures that are not certified by PSrE do not have obligations and rights under the provisions and requirements regulated by PSrE, so if a legal problem occurs, the Electronic Signature Owner is responsible for his own signature without requiring proof from PSrE.

[1] Article 1 point 17 of Law No.11/2008 jo. Law No.19/2016 jo. PP No.71/2019.

[2] Article 12 paragraph 1 of Law No.11/2008.

[3] Article 12 paragraph 2 of Law No.11/2008.

[4] Article 35 paragraph 2 letter b of Permenkominfo No.11/2022.

[5] Article 46 paragraph 1 of Government Regulation No.71/2019.

[6] Article 51 paragraph 3 of Government Regulation No.71/2019.

[7] Article 1 point 36 of Permenkominfo No.11/2022.

[8] Article 35 paragraph 4 of Permenkominfo No.11/2022.

[9] Article 36 of Permenkominfo No.11/2022.

[10] Article 25 of Permenkominfo No.11/2022.

[11] Article 8 of Law No.27/2022.

[12] Article 9 of Law No.27/2022.

[13] Article 11 of Law No.27/2022.

[14] Article 12 paragraph 1 of Law No.27/2022.

[15] Article 20 paragraph 2 of Law No.27/2022.