Industrial technology in Indonesia has been developing in recent years. The release from Indonesian Association of Internet Service Providers (Asosiasi Penyelenggara Jasa Internet Indonesia or APJII) states that in 2014, 88.1 million people in Indonesia are users of the internet. That is equal to 34.9% of Indonesian citizens. Imagine that there are so many Indonesian people that have not used the internet. In future years, the situation will be rapidly changing as internet users in Indonesia have been growing fast. Besides for works and business, people are using the internet also for their personal purposes such as personal transaction, social networking, etc. In order to anticipate the growing use of the internet in the future, electronic system operators for public services will need data centres with a big capacity.
Facebook, a well-known social network with 900 million active users and 1 trillion page views each month, has built two huge data centres and another two are currently under construction. With its large number of users, Facebook also leases additional server space in at least nine data centres. The need for data centres also applies to the businesses and industry such as banking which involve millions of customers whose data will also need to be backed up and fast transactions.
With the high number of users of technological devices and social media in Indonesia, all of the well-known technology companies should have data centres in Indonesia, and therefore this will open up tremendous job opportunities for the benefit of the Indonesia people.
Data Protection and Its Regulation in Indonesia
People’s need for the internet is parallel to the need for data protection. Furthermore, both individuals and legal entities as business entrepreneurs in Indonesia will also need safety and protection in their use of the internet for their businesses. For example, to support banking industry in Indonesia, data centre is designed to address banks business needs and operations including but not limited to retail, deposit, loan, general ledger, bank’s monthly report, and compliance with Bank Indonesia, etc. It gives benefits to the banks by optimizing business process, faster time to market, compliance with Bank Indonesia regulations, flexible and fast reporting. As a result of using data centres, bank transactions, including through ATM, can be done at any time 24 hours and 7 days a week.
Taking into account the high need for this, the Indonesian government issued Government Regulation No. 82 of 2012 concerning Operation of Electronic Systems and Transactions, which contains an obligation for electronic system operators serving the public to put a data centre and disaster recovery centre in Indonesia. The obligation among others is for the purpose of law enforcement, protection and enforcement of national sovereignty over the data of Indonesia’s citizen. Further, by having 100% access to the data centre in Indonesia, the government will have access to all information in the data centre such as financial transaction traffic, consumer purchasing power, and people’s demand for the goods/services which each region will be different in each region. The government will also be able to prepare strategies for the economy and trade based on studies of the data obtained from the data centre.
In fact, the banking industry has been required to have data centre and disaster recovery centres in Indonesia since 2008 under Regulation of Bank Indonesia No. 9/15/PBI/2007 concerning Application of Risk Management in the Use of Information Technology for Commercial Banks. Banks may have a data centre and/or disaster recovery centre overseas on obtaining prior approval from Bank Indonesia by fulfilling certain requirements that are relatively difficult to meet. Moreover, the oil and gas industry also has this requirement since Decree of Head of Special Task Force for Upstream Oil and Gas Business Activities (Satuan Kerja Sementara Pelaksana Kegiatan Usaha Hulu Minyak dan Gas Bumi or SKMIGAS) No. KEP-0008/SKO0000/2013/S0 issued on 10 January 2013 provides that contractors in contracts of work in the oil and gas industry must take into account geographical condition to determine the position of the data centre, which must be in the territory of the Republic of Indonesia. This obligation was made for the convenience of law enforcement in Indonesia and data protection.
Worldwide Standards and Criteria for Data Centre
Uptime Institute, an advisory organization which serves stakeholders in IT service through industry leading standards, education, networking, and consulting, created the standard Tier Classification System to consistently evaluate various data centre facilities in terms of potential site infrastructure performance, or uptime. It is recognized worldwide for the creation and administration of the Tier Standards & Certifications for Data Centre Design, Construction, and Operational Sustainability. Data centre tier standards exist to evaluate the quality and reliability of a data centre’s server hosting ability, and therefore the four-tier ranking system servers as a benchmark for determining the reliability of a data centre. Data centres are ranked as follows:
- Tier 1
Composed of a single path for power and cooling distribution, without redundant components, providing 99.671% availability.
- Tier 2
Composed of a single path for power and cooling distribution, with redundant components, providing 99.741% availability.
- Tier 3
Composed of multiple active powers and cooling distribution paths, but only one path active, has redundant components, and is concurrently maintainable, providing 99.982% availability.
- Tier 4
Composed of multiple active powers and cooling distribution paths, has redundant components, and is fault tolerant, providing 99.995% availability.
Based on the above ranking system, the Tier 4 data centre is considered as the most robust and the least prone to failures since it is designed to host mission critical servers and computer systems, with fully redundant subsystems (cooling, power, network links, storage, and etc.) and compartmentalized security zones controlled by biometric access controls methods. Naturally, the simplest is a Tier 1 data centre used by small businesses or shops.
In its implementation in the field, there are 4 factors to decide which country to use as the location of a data centre and these criteria could also be used to decide which part of Indonesia to locate a data centre in:
- Availability of electrical power for the operation of the data centre
The sharp rise in electricity consumption frequently causes power outages frequently in some countries that have poor infrastructure, since data centres require enormous power.
- The cooling system and the climate
The gathering of many computers in one room will generate heat, and to cool it can be expensive. Data centres are usually built in a cool climate and cold can reduce the cost because the outside air can be used to cool the centre.
- The risk of disaster
Data centres should be built somewhere with a minimal risk of disasters such as floods, earthquakes, etc
- Data Security
Regulations of a country that mandate government access to data stored in a data centre is a threat to the security of a company’s corporate data the data centre stores. In addition, the political instability of a country is also something that must be considered before choosing a location for data centre construction.
Operating a Data Centre in Indonesia
The good news for operating a data centre business in Indonesia is that the business is open 100% for foreign investment. A foreign investor with the capability to provide a data centre business in Indonesia may join the party. Local entrepreneurs may also cooperate with foreign data centre providers to run data centre businesses in Indonesia. Of course, there are several requirements which must be complied with under the prevailing regulations. Therefore, a legal review must also be considered by the entrepreneur since this business field is a high-regulated business, which means there are a lot of legal requirements which must be followed. Further, the establishment of a data centre will also need a construction service provider company which has the capability to build such a complex construction.
Given the possibility of foreign investment to operate data centres in Indonesia, regulations which cover the interest of both the data centre company and the data centre user are required. For example, in banking business, the obligation to apply risk management to the use of IT management has been provided in the relevant regulations. The obligation includes on a requirement for an audit by internal and external auditors to control the use of IT by the service provider. Further, the data centre provider must also allow Bank Indonesia to check and examine the use of IT by Indonesian banks. In the future, every business sector which needs data centres will also need its own regulations to protect the interest of the data centre provider, data centre user and the public.
Referring to the 4 factors to be considered in choosing a country to be the location for a data centre mentioned earlier, there are several basic requirements for establishing a data centre business in Indonesia: (i) a data centre requires enormous power, which in Indonesia would be provided by the State Electricity Company (Perusahaan Listrik Negara or PLN) with its many sources of power, (ii) Indonesia has a very good and friendly climate, (iii) data centres need to be built somewhere with a minimal risk of disasters such as floods, and earthquakes and in Indonesia there are many choices of places/locations to build a data centre, and (iv) regulations of a country that mandate government access to data stored in a data centre, which is strictly regulated by Indonesian regulations.
Government Regulation No. 82 of 2012, means that the government will have to do a lot of homework to ensure all of the above criteria can be seen by investors in Indonesia.
Expansion and Financing of Data Centre Providers in Indonesia
As a fast-growing business, it is acceptable if a data centre provider and disaster recovery centre provider decides to expand their business into Indonesia. According to the International Business Consultant, Frost and Sullivan, the growth in data centre in Indonesia currently reaches 27% per year. The figure was higher than the growth of information technology industry spending in Indonesia, which only reached 17%.
A prospective investor that intends to enter this business may have a strategy of commencing by performing general corporate actions such as establishing a new company or entering into a merger or acquisition transaction. Another common way used by data centre investors is commencing a strategic alliance with another investor that has strong resources which will be used in the operation of the data centre and disaster recovery centre.
The prospective investor should also consider obtaining funding from third parties. Under Indonesian law, sources of funding that can be chosen by prospective investors or data centre providers to fund expansion projects are loans from banks or capital markets. However, the data centre provider should be prudent in choosing the right expansion strategy, specifically in deciding the proper source of funds.
If a data centre provider decides to obtain funding from a bank, there are some advantages and disadvantages that must be taken into account. One advantage of choosing a bank as a source of funds is the ease of the transaction. In obtaining funding from a bank, the bank and the data centre provider will enter into a simple private agreement which stipulates the terms and conditions of the funding. However, the disadvantage of choosing a bank as a source of funds is the obligation to provide security and interest rates in a certain amount determined by the bank. In this case, a data centre provider must ensure that the security for a transaction is an asset whose value does not easily decline (e.g. piece of land, long term receivables, etc.) or, otherwise it will not sufficient to attract the bank to approve the proposed funding. In general, a data centre’s fixed assets may only consists of a piece of land and/or building located in a rural area, while the value of electronic equipment (i.e. server racks, hard drive, etc.) rapidly depreciates. Furthermore, the intangible assets of a data centre provider such as receivables from customers may also not be attractive to a bank and therefore the bank may impose a high interest rate or propose a lower funding amount which may not meet the data centre provider’s expectations.
On the other hand, funds from the capital market may be raised by the existing company engaged in or intending to engage in data centre and disaster recovery centre business through an Initial Public Offering (“IPO”) or bonds issuance. In general, fund raising from capital markets will oblige the issuer to go through some stages which some people saying more “complicated” than the stages to obtain funding from the bank. Moreover, obtaining funds from the capital market will oblige the issuer to comply with the Indonesian capital market framework which requiring disclosure and fairness in every transaction. Furthermore, prior to the listing of a prospective listed company’s shares IDX will assess the prospective listed company’s business development and sustainability. In general, IDX assessment measures will be applied based on the prospective listed company’s financial report(s), business development planning and strategy, and the general business and economic situation in Indonesia (current or forecast).
Moreover, according to the IDX Listing Regulation, a prospective listed company must have a Net Tangible Asset according to its latest a audited financial report of at least Rp 5,000,000,000.- (five billion Rupiah) to list its shares on the Development Board and Rp 100,000,000,000.- (one hundred billion Rupiah) to list its shares on the Main Board, and obtain a Fair Without Exception opinion from the registered accountant. This may constrain a data centre provider’s plan to list its shares on IDX since (i) its fixed assets may be limited, (ii) the agreements with customers may not be for a long term period, and (ii) the value of electronical assets rapidly depreciates. While its most valuable assets may be in the form of intangible assets such as their computer software and the research and development of the software.
However, considering the benefits of capital markets such as (i) no maturity date, no underlying securities or collateral and without any interest rate (for IPO), and (ii) adjustable coupon rate and collateral (for bonds issuance), raising funds for expansion through capital markets may still be more attractive and feasible for a data centre provider.
In conclusion, raising funds for expansion through a bank may be considered for a data centre provider which will utilize funds in a short-term basis. Since one of the main asset of a data centre provider is the electronic infrastructure (e.g. servers, gigantic hard drive, etc.) whose value rapidly depreciates. If the data centre provider aims for long term expansion, raising funds through a capital market mechanism may be more suitable for them. However, considering the constrains on a data centre provider listing their shares on IDX, we take the view for IDX needs a “regulation supporting package” for a data centre provider to list their shares on IDX. This will also help prospective investors to have interest and confidence in their proposed investment in the data centre company.
This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions or matters. For more information, please contact us at firstname.lastname@example.org. No part of this publication may be reproduced by any process whatsoever without prior written permission from Hanafiah Ponggawa & Partners.