I. Introduction
In this post, we examine the data governance framework of Indonesia, from the perspective of: data processing and other obligations imposed on organisations (II);rights guaranteed to individuals (III); rules governing cross-border data flows (IV);the penal and enforcement framework (V); and the exemptions given to state agencies (VI). Part VII concludes.
Although the Constitution of Indonesia[1] recognises the right to privacy, Indonesia does not yet have a standalone national data protection law. Data protection is governed primarily through the Electronic Information and Transactions Law (“EITL”),[2] which is supplemented by two regulations – Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions (“GR 71”)[3] and Minister of Communications & Informatics Regulation No. 20 regarding Protection of Personal Data in Electronic System (“PDP Regulation”).[4] This post will primarily focus on the PDP Regulation, since that provides the most comprehensive privacy protections.
In January 2020, the President submitted a draft Bill on the Protection of Private Personal Data (“Bill”) to Parliament. The Bill is expected to pass this year. It is reported to be a GDPR-style comprehensive data protection law, that will replace the existing laws/regulations and will apply to the government and the private sector. While details of the Bill are not available, the Ministry of Communication and Information’s Press Release highlighted the four important elements in the draft – data sovereignty and security; the regulation of personal and sensitive personal data of individuals, the importance of data quality and accuracy; and the regulation of cross-border data flows.[5] (Where available, we highlight additional requirements introduced in the Bill.)
II. Data processing and other obligations
Scope
The ETIL is the sectoral law for electronic systems (similar to India’s Information Technology Act).[6] The data processing obligations in GR 71 and the PDP Regulation apply to the operators of electronic system (“operator”), which includes any company or state apparatus who operates or manages an electronic system.[7]
Consent
Consent is the basis for processing personal data, unless otherwise provided by any regulation.[8] Consent for the collection/processing/storing/publishing/destroying personal data must be obtained in Indonesian language.[9]
Under the draft Bill, individuals must give explicit consent for the collection of personal data such as name, sex, nationality, religion, medical records, biometrics and sexual orientation.[10]
Retention requirements
Operators must store personal data on the electronic system till the completion of the purpose for which it was collected and/or for a period specified by law. If no laws governs such retention period, operators must store personal data for a minimum period of five years.[11]
Use limitation
Operators can process data only for the stated and approved purpose for which it was collected,[12] unless the personal data is already publicly available.[13] Sharing of data with third parties requires the consent of the individual.[14]
The draft Bill too reportedly only permits the use of data for the purpose for which consent was originally given. It also prohibits the trading of private data with third parties.[15]
Data quality
Operators must maintain the accuracy, relevance, and truthfulness of personal data processed and analysed by them.[16]
Confidentiality and data breach notification:
Individuals’ personal data must be kept confidential.[17] Individuals can opt to declare their personal data as non-confidential (unless the law designates it as confidential).[18] In case of any breach of confidentiality, operators must inform the individuals in writing. The notice must specify the reasons for the failure to maintain the confidentiality of their personal data and must be sent within 14 days of knowledge of the breach.[19]
Interoperability
Operators must ensure that electronic systems storing personal data are interoperable, have compatibility capabilities, and use legal software.[20]
Security
As part of their security protocol, and as a preventive measure, operators have to prepare internal rules regarding the protection of personal data.[21] Operators must ensure the security of personal data within their possession and to protect such data from misuse.[22] This includes storing personal data in encrypted form,[23] although the standards for encryption have not been specified in the law.
Accountability
Operators must maintain an audit trail on all the implementation activities carried out by them.[24] They must also designate a contact person who can be contacted by an individual in relation to the management of her personal data.[25]
III. Individual rights
An individual has the following rights under the PDP Regulation:
- Access and updation: Individuals can access and update their personal data.[26]
- Deletion and destruction: Individuals can seek to delete their data if the purpose for which it was collected has been completed[27] or the specified storage period is over.[28] The data should be deleted and destroyed such that it cannot be displayed unless the individual gives their personal data afresh.[29]
- Right to be forgotten: Individuals can request electronic system providers to delete irrelevant electronic information about them, after obtaining a court order.[30]
IV. Cross-border data flows
Cross-border transfer of data is permitted under the PDP Regulations, as long as the operator[31] coordinates with the Minister of Communications & Informatics (“Minister”) or an authorised agency. This coordination requires the operator to, among other things, submit an implementation plan to the Minister, which contains details regarding the destination country, the recipient, the transfer date, and the reason for transfer.[32] The operator can also make an advocacy request,[33] and request advice in the form of consultation with the Minister. After the completion of the cross-border transfer, the operator must submit an implementation report to the Minister.
Unlike the PDP Regulations, GR 71 distinguishes between private and public operators. Public operators are state institutions or entities appointed by state institutions that process personal data on an electronic system. Under GR 71, data localisation requirements are only imposed on public operators, while private operators can store their data outside Indonesia, subject to supervision by government agencies for law enforcement purposes.[34]
V. Penal and enforcement framework
Penal framework
An individual can file a claim for damages if her personal data is used on electronic media without her consent.[35] In cases of failure to protect their confidentiality, individuals and operators must file a written complaint within 30 days of such failures with the Minister.[36] The Minister should first attempt to amicably resolve the dispute and explore alternative resolution methods; and may set up a dispute resolution panel in the process.[37]
As part of the complaint mechanism, the Minister can impose administrative sanctions on any person who collects/processes/analyses/stores/publishes personal data in violation of the laws in force. These sanctions take the form of verbal warning, written warning, suspension of activities, and/or a publication of a notice on the Ministry’s website online.[38]
If the complaint is not resolved through the alternative dispute resolution mechanism, individuals and operators can then file a civil claim in court.[39]
As part of the draft Bill, the use of an individual’s personal data without their consent will now be an offence punishable with up to seven years imprisonment or a fine of 70 billion Indonesian Rupiah (around US$ 5.13 million).[40]
Enforcement framework
Indonesia does not have a national data protection regulator. The Minister is responsible for supervising the implementation of the PDP Regulation.[41] The Minister can (through its delegate) ‘request’ data and information from the operators for the purpose of ‘protecting’ personal data.[42] However, the law does not detail the manner in which such supervisory power will be exercised.
VI. Exemption given to state agencies
The EITL punishes the unlawful and unauthorised wiretapping or interception of any electronic information and/or electronic documents, unless it is carried out by law enforcement at the request of the police, prosecutor’s office, and/or other law enforcement institutions.[43]
Under the PDP Regulations, operators must provide the state agencies with relevant personal data if it is for the purpose of law enforcement and is based upon a valid request under relevant laws.[44]
VII. Conclusion
Indonesia has one of the fastest growing digital economies in the APAC region.[45] While Indonesia does have data-focussed regulations (like the PDP Regulations), it does not yet have a standalone data protection law. This is all the more interesting given that Indonesia abstained from the Osaka Declaration stating the Declaration should accommodate more of an element of data privacy.[46] There is a growing focus on developing a comprehensive data protection framework, much like other countries in the APAC region. In the next post, we look at Malaysia, which passed its data protection law a decade ago.
Authored by the Ikigai Law Team.
For more on the topic, please feel free to reach out to us at contact@ikigailaw.com.
[1] Article 28(G) of the Indonesian Constitution, 1945 states among other things that every person has a right to “protection of themselves, their families, respect, dignity and possessions under their control”, available at https://www.ilo.org/wcmsp5/groups/public/—ed_protect/—protrav/—ilo_aids/documents/legaldocument/wcms_174556.pdf.
[2] Electronic Information and Transactions Law No. 11 of 2008, available at http://www.flevin.com/id/lgso/translations/JICA%20Mirror/english/4846_UU_11_2008_e.html.
[3] GR 71 notably distinguishes between public and private electronic system operators and focuses on the government’s role in electronic systems and transactions. For more details on the changes brought about by GR 71, see Baker McKenzie, Indonesia: New Regulation on Electronic System and Transactions (October 2019), available at < https://www.bakermckenzie.com/en/insight/publications/2019/10/new-regulation-electronic-system-and-transactions>
[4] PDP Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System, available at http://makna.co/wp-content/uploads/2018/01/MOCI-Regulation-No-20-of-2016-Makna-Eng.pdf. The PDP Regulation implements Article 15 of GR 82.
[5] Ministry of Communication and Information, President Submits Manuscript of PDP Bill to DPR RI, Press Release No. 15/HM/KOMINFO/01/2020, available at https://www.kominfo.go.id/content/detail/24039/siaran-pers-no-15hmkominfo012020-tentang-indonesia-akan-jadi-negara-asia-tenggara-kelima-yang-miliki-uu-pdp/0/siaran_pers. See also Jessica Damiana, Indonesia to step up data protection with new bill amid booming digital economy (January 2020), available at https://www.reuters.com/article/us-indonesia-data/indonesia-to-step-up-data-protection-with-new-bill-amid-booming-digital-economy-idUSKBN1ZR1NL. The draft of the law, available in Indonesian, is available here.
[6] Article 1(5), PDP Regulation defines “electronic system” as a set of electronic apparatus and procedures, which prepare, collect, process, analyse, store, display, announce, transmit and/or disseminate electronic information.
[7] Article 1(6), PDP Regulation defines “electronic system operators” as any person, state apparatus, business entity and community, which, inter alia, manages and/or operates an electronic system.
[8] Article 26, EITL and Article 21(1)(a) read with Article 24, PDP Regulation. See also Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems, as described in Indrawan Yuriutomo, Indonesia: Data Protection Overview, One Trust, available at https://www.dataguidance.com/notes/indonesia-data-protection-overview. See also ABLI,
[9] Article 6, PDP Regulation.
[10] Damiana, supra note 5.
[11] Article 15(3) read with Article 19, PDP Regulation.
[12] Article 12(1) read with 27(b), PDP Regulation.
[13] Article 13, PDP Regulation.
[14] Article 28(f), PDP Regulation.
[15] Damiana, supra note 5.
[16] Article 14 read with 10 and 28(b), PDP Regulation.
[17] Article 26(a), PDP Regulation.
[18] Article 8 and 9, PDP Regulation.
[19] Article 28(c), PDP Regulation.
[20] Article 11, PDP Regulation.
[21] Article 5, PDP Regulation.
[22] Article 27(c)-(d), PDP Regulation.
[23] Article 15(2) read with Article 18, PDP Regulation.
[24] Article 28(e), PDP Regulation.
[25] Article 28(i), PDP Regulation.
[26] Article 26(c)-(d), PDP Regulation.
[27] Articles 19 and 20 read with 26(e), PDP Regulation.
[28] Article 25, PDP Regulation.
[29] Id.
[30] Law No. 19/2016 amending the EITL. See Kristo Molina, Indonesian Electronic Information and Transactions Law Amended, White & Case (May, 2016), available at https://www.whitecase.com/publications/alert/indonesian-electronic-information-and-transactions-law-amended.
[31] Under the PDP Regulation, there is no distinction between public and private operators. See Article 1(6), PDP Regulations, supra note 7.
[32] Article 22, PDP Regulation.
[33] Advocacy refers to the procedure provided by the Minister to facilitate/mediate a discussion between the individual and the transferring party in case of any misconduct, and provides a medium to facilitate an amicable settlement between the two. See also ABLI, supra note. The Report notes that there is a lot of ambiguity on how this procedure will work in practice, and hence, the Minister, has agreed to provide the necessary clarifications in the future.
[34] For further details see Daniel Pardede, Indonesia: New Regulation on Electronic Systems and Transactions, Global Compliance News (November 2019), available at https://globalcompliancenews.com/indonesia-new-regulation-electronic-systems-transactions-20191028/
[35] Article 26(2), EITL.
[36] Article 29 and 31(a), PDP Regulation.
[37] Articles 29 and 30, PDP Regulation.
[38] Article 31(h) read with Article 36, PDP Regulation.
[39] Article 32, PDP Regulation.
[40] Damiana, supra note 5.
[41] Article 35, PDP Regulation.
[42] Article 35(3)-(4), PDP Regulation.
[43] Article 31, EITL
[44] Article 23, PDP Regulation.
[45] Damiana, supra note 5.
[46] Agnes Anya, Indonesia’s G-20 abstention result of data protection concerns, Jakarta Post (July, 2019), available at https://www.thejakartapost.com/news/2019/07/04/indonesias-g20-abstention-result-of-data-protection-concerns.html.
