Indonesia - Data Protection Overview
The concern of data protection exists wherever personal data is collected or stored. As a general guidance, Indonesia provides protection for the data of its citizens in the Constitution of the Republic of Indonesia 1945 ('the Constitution'). In particular, Article 28G of the Constitution states that 'each person shall have the right to the protection of their personal selves, families, respect, dignity, and possessions under their control.'
Nevertheless, at present, there is no law that specifically regulates data protection in Indonesia in a comprehensive manner. The provisions applicable for data protection in Indonesia are found in several regulations.
1. GOVERNING TEXTS
In the past decades, data protection law in Indonesia has undergone significant development. To date, Indonesia has enacted various laws relating to data privacy in a number of specific areas. Most notably, Indonesian citizens are entitled to the protection of their personal data collected under Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) ('the Demography Law'), which came into force on 24 December 2013.
Personal data protection regulations
Further to the above, there are provisions governing the protection of personal data specifically in the realm of electronic systems, which apply to electronic system providers ('ESPs'); these provisions are hereinafter referred to as 'the PDP Regulations'.
Such provisions can be found in Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions (only available in Indonesian here) ('the Electronic Information Law'), which came into force on 25 November 2016. The procedural guidelines for the Electronic Information Law are contained in Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (only available in Indonesian here) ('GR 71'), which revokes the previous Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions ('GR 82').
The Electronic Information Law provides that, unless otherwise regulated, the use of any information pertaining to a person's personal data through electronic media requires the consent of such person. The elucidation of the Electronic Information Law provides that the protection of personal data is a part of the right to privacy which encompasses the following:
- the right to enjoy a private life, free of any disturbance;
- the right to communicate with other people without any espionage; and
- the right to monitor the access of information about a person's personal life and data.
To further clarify and implement data protection in electronic systems, the Ministry of Communication and Information Technology ('Kominfo') issued Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ('Kominfo Regulation 20'), which came into force on 1 December 2016. Kominfo Regulation 20 established consent as the core foundation of data privacy protection under Indonesian data privacy law, so that processing may only take place after consent has been obtained from the data subject.
Most recently, the Government of Indonesia ('the Government') further clarified the scope of protection for personal data by issuing Government Regulation No. 40 of 2019 on the Implementation of Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) ('GR 40'). GR 40 came into force on 24 May 2019.
Furthermore, the activity of trading through electronic systems is governed by Government Regulation No. 80 of 2019 regarding Trading through Electronic System (only available to download in Indonesian here) ('GR 80').
Finally, as mentioned above, in October 2019 the Government issued GR 71, which came into force on 10 October 2019. Aside from reaffirming the concepts of personal data protection already found in the existing Indonesian data protection regulations, GR 71 adds several obligations for ESPs regarding the protection of personal data that were not set out in GR 82.
Draft law on personal data protection
In addition to the PDP Regulations outlined above, the Indonesian House of Representatives ('DPR') is in the process of discussing a draft of the Personal Data Protection Act (only available in Indonesian here) ('the PDP Bill'). The enactment of the PDP Bill would result in the first comprehensive law in Indonesia that specifically deals with the protection of personal data, particularly data in the control of a private data controller.
As of December 2020, the PDP Bill is still being examined by the DPR, and the examination is expected to be completed early or mid 2021.
Personal data in the health sector is also governed by Ministry of Health Regulation No. 269/MENKES/PER/III/2008 on Medical Records (only available in Indonesian here), which provides for obligations pertaining to the storage, deletion, and confidentiality of medical records.
The main reference for personal data protection in Indonesia is the PDP Regulations. There are currently no notable guidelines or best practices commonly adopted by relevant stakeholders in the field of personal data protection.
1.3. Case law
Cases on breaches of the Electronic Information Law primarily concern defamation through electronic platforms. There are only a few notable cases concerning unlawful acts that specifically pertain to personal data protection.
Some of the notable/landmark cases concerning personal data protection are outlined below.
Constitutional Court Decision No. 20/PUU-XIV/2016
Decision No. 20/PUU-XIV/2016 (only available in Indonesian here) was submitted by Setya Novanto, the former speaker of the DPR. He requested that the Constitutional Court of the Republic of Indonesia ('the Constitutional Court') adjudicate the constitutionality of several Articles pertaining to interception and evidence contained in the Electronic Information Law (before the latest amendment was issued) and Law No. 20 of 2001 on the Amendments to Law No. 31 of 1999 regarding the Eradication of Criminal Acts of Corruption (only available in Indonesian here) ('the Corruption Law'). The articles concerned were Article 5(1) and (2) and Article 44(b) of the Electronic Information Law and Article 26A of Corruption Law, which state that electronic information and/or documents are valid evidence before a court. The main contention of the applicant was that the aforementioned articles did not provide limitations regarding the type of electronic information and/or documents which are valid evidence before a court, therefore opening up the possibility of admitting electronic information and/or documents which are obtained through the unlawful interception by an unauthorised party.
In its decision, the Constitutional Court, while acknowledging that interception may impinge on the right of individuals, emphasised that there were already several legal bases which stipulate the procedure for a lawful interception. In addition, the Constitutional Court held that the interpretation of the term 'electronic information and/or documents' in the context of evidence before a court will contradict the Constitution, unless it is interpreted alongside the phrase '[e]lectronic information and/or electronic documents obtained in accordance with applicable laws and regulations and/or carried out in the framework of law enforcement at the request of the Police, Attorney General's Office, the Corruption Eradication Commission, and/or other law enforcement agencies.'
Therefore, the Constitutional Court limited the scope of valid 'electronic information and/or documents' evidence in court to electronic information and/or documents that are obtained in accordance with the law and/or at the request of law enforcement agencies.
Central Jakarta District Court Case No. 235/PDT.G/2020/PN.JKT.PST
Central Jakarta District Court Case No. 235/PDT.G/2020/PN.JKT.PST (only available to download in Indonesian here) is the most recent notable case regarding data protection law. The parties involved in the case are the Indonesian Consumer Community ('KKI'), acting as plaintiff, and Kominfo and PT Tokopedia, as defendants. The case concerns the recent leak of Tokopedia's consumer personal data affecting approximately 15 million accounts. However, since the case is still ongoing, no decision has yet been issued by the Court. We believe that the Court's decision on this matter would become a notable precedent that may impact data protection law going forward.
2. SCOPE OF APPLICATION
The PDP Regulations primarily focus on electronic information. Accordingly, the personal scope of the PDP Regulations is relatively broad as demonstrated through the definition of an ESP under the PDP Regulations, which seems to be generic in nature. An 'ESP' is defined as every person, state administrator, business entity, and community providing, managing, and/or operating an electronic system, either individually or jointly, for electronic system users for its personal purpose and/or another party's purpose.
In this regard, the term 'electronic system' is defined in GR 71 and Kominfo Regulation 20 as a set of electronic devices and procedures that function to prepare, collect, process, analyse, retain, display, publish, transmit, and/or disseminate electronic information. In this case, the interpretation applied by Kominfo is that any person or entity that stores data electronically would be considered an ESP using an electronic system and therefore subject to the PDP Regulations.
Furthermore, GR 71 distinguishes two types of ESP: public scope ESPs and private scope ESPs. Public scope ESPs are:
- state administrator agencies, defined in GR 71 as legislative, executive, and judiciary institutions at the central and regional level;
- other agencies formed by virtue of laws and regulations; and
- institutions appointed by state administrator agencies.
The latter refers to institutions providing electronic systems with a public scope on behalf of the appointing state administrator agency. It should be noted that Article 2(4) of GR 71 excludes public scope ESPs which are regulatory and supervisory authorities in the financial sector.
In contrast, the definition of private scope ESPs covers the provision of electronic system by individuals, business entities, and the public, which includes:
- ESPs regulated or supervised by the ministries or institutions based on laws and regulations; and
- ESPs with portals, sites, or applications in a network via internet that are used for certain purposes, such as providing, managing, and/or operating offers and/or trade of goods and/or services, including ESPs whose electronic system is used and/or offered in Indonesia (Article 2(5)(b) of GR 71).
The provisions of the PDP Bill apply to individuals, legal entities, business entities, government institutions, public entities, and civic society organisations.
The data protection provisions of the Electronic Information Law apply extra-territorially in certain circumstances. In particular, Article 2 of the Electronic Information Law states that the Law 'is applicable to every person who commits legal act as regulated under this Law, both who are within Indonesian jurisdiction and outside of Indonesian jurisdiction, and which has legal consequences in Indonesian jurisdiction and/or outside of Indonesian jurisdiction and which is detrimental to Indonesia's interest.'
The extraterritorial scope is further emphasised by the elucidation of Article 2. These provisions have been enacted under the consideration that the use of information technology for electronic information and electronic transaction can be cross-territorial or universal.
The phrase '[d]etrimental to Indonesia's interest' should be construed to include, but not be limited to, detriments to national economic interests, strategic data protection, the dignity of the nation, state defence and security, state sovereignty, citizens, as well as Indonesian legal entities.
The provisions of the PDP Bill apply to entities both in and outside of the territory of Indonesia where their actions:
- result in legal consequences within the territory of Indonesia; and/or
- affect Indonesia citizens in and outside of the territory of Indonesia.
Kominfo Regulation 20 regulates the following processes:
- acquisition and collection;
- processing and analysing;
- display, publication, transmission, dissemination, and/or access opening; and
- erasure.
On the other hand, Article 56(4) of GR 40 grants access to personal data for the purpose of national security and law enforcement, subject to the approval from the Minister of Home Affairs.
The provisions of the PDP Bill specifically regulate sensitive personal data, which consists of data relating to religion, health, physical and mental conditions, sexual life, and personal financial data, as well as other personal data that may endanger or harm the privacy of the data subject.
Please note that the DPR has since confirmed that data relating to sexual orientation may be deleted from the PDP Bill and therefore may not be regulated therein.
3.1. Main regulator for data protection
There is no general data protection authority, regulatory body, or organisation specifically responsible for protecting personal information and ensuring that companies comply with data protection laws. Furthermore, there is no central records database in Indonesia.
Nevertheless, Kominfo is empowered to carry out government affairs in the field of communication and information technology, pursuant to Presidential Regulation No. 54 of 2015 concerning the Ministry of Communication and Information Technology (only available in Indonesian here) and Kominfo Regulation No. 6 of 2018 concerning Organisation and Work Procedure of the Ministry of Communication and Information Technology (only available in Indonesian here).
Furthermore, pursuant to Article 85 of the Demography Law, the personal data of citizens shall be maintained accurately and protected by the administrator and executive agency.
The PDP Bill does provide for a data protection authority that will have the authority to ensure that the processing of personal data complies with the provisions of the PDP Bill. In this regard, the data protection authority is the Central Information Commission established under Law No. 14 of 2008 on Public Information Disclosure (only available in Indonesian here).
3.2. Main powers, duties and responsibilities
According to the PDP Regulations, the Government is charged with the duty of supervision, advocacy, evaluation, enforcement, and other conduct necessary to ensure personal data protection. Furthermore, both the Electronic Information Law and GR 71 contain provisions which require the Government to protect public interests in the field of electronic communication. In particular, the Government is empowered, among other things, to determine the national cybersecurity strategy and to regulate information security standards.
Furthermore, Kominfo is authorised, among other things, to formulate and implement policies as well as technical guidance and supervision in the field of communication and information technology.
As for the administrator and executive agency referred to in the Demography Law, Article 1(6) and (7) of the Demography Law stipulate that the administrator agency consists of the central government, provincial government, and regency or city government which are responsible for and are authorised to oversee population administration affairs, while the executive agency consists of the apparatus of the regency/city government responsible for and are authorised to implement services related to population administration affairs.
4. KEY DEFINITIONS
Existing definitions under the PDP Regulations
Personal data: Data on certain individuals that is stored, managed, and maintained, the accuracy and confidentiality of which is maintained and protected. More specifically, it refers to any accurate and actual information attached and identifiable, either directly or indirectly, to each individual, the purpose of which is in accordance with the laws and regulations.
Examples of 'personal data' under Article 84 of the Demography Law include:
- family identification card number;
- personal population identification card number;
- date of birth;
- information regarding any physical or mental condition;
- biological mother's population identification card number;
- father's population identification card number;
- other important events involving birth, death, marriage, divorce, child legalisation, name change, or change of nationality;
- eye scan;
- signatures; and
- other information considered as shameful (e.g. embarrassing) for any individual.
The elements of the term 'shameful' are further elaborated under GR 40. Under Article 54 of GR 40, other information that is considered shameful includes elements of data from an important event that should not be disclosed to other people. These events include:
- a child born whose parents' origins are unknown;
- gender change;
- a child born outside of marriage; and
- other important events determined by the Minister of Home Affairs.
Proposed definitions under the PDP Bill
Personal data: Any data regarding an identified person or a person that can be identified either individually or in combination with other information, directly or indirectly, by using electronic and/or non-electronic system (Article 1 of the PDP Bill).
Sensitive data: Personal data that requires special protection, and includes data concerning religion or belief, health, physical and mental conditions, sexual life, personal financial data, and other personal data that may be dangerous or detrimental to the privacy of the data subject (Article 3 of the PDP Bill). Please note that the DPR has since confirmed that data relating to sexual orientation may be deleted from the PDP Bill and therefore may not be regulated therein.
Data controller: A party that determines the purpose and exercises control over the processing of personal data (Article 1 of the PDP Bill).
Data processor: A party that processes personal data on behalf of the controller. The PDP Bill further specifies that a 'processor of personal data' may be an individual, a legal entity, a public agency, or an organisation or institution (Article 1 of the PDP Bill).
Data subject: There is no explicit definition of data subject under the PDP Bill. Article 1 of the PDP Bill does, however, define 'personal data owners' as 'individuals as data subjects who have personal data attached to themselves,' hereinafter referred to as 'data subjects.'
Biometric data: There is no explicit definition of biometric data in the PDP Regulations. However, the elucidation of Article 40(1)(a)(3) of GR 71 provides examples of biometric data, namely retina and fingerprint data. Additionally, Article 3 of the PDP Bill stipulates that, '[what] is referred to as 'biometric data' is data relating to the physical, physiological, or behavioural characteristics of an individual which allow the unique identification of that individual, such as facial images or dactyloscopy data. Biometric data also describes the unique nature and/or characteristics of an individual which should be kept and maintained, including but not limited to fingerprint records, eye retina, and DNA samples.'
Health data: There is no definition of health data provided under the PDP Regulations. However, GR 71 through Article 99(1) and (2) acknowledges that the health sector possesses strategic electronic data which must be protected. The closest term to health data being defined in the existing law is the term medical record based on Ministry of Health Regulation No. 269/MENKES/PER/III/2008 (only available in Indonesian here), meaning files containing records and documents regarding patients' identity, examination, medication, conducts and other services which has been given to a patient.
On the other hand, an explicit definition of health data could be found in the PDP Bill which stipulates that, '[w]hat is referred to as 'health data and information' is the individual's record or description relating to physical health, mental health, and/or health service.'
Pseudonymisation: This term is neither defined in the PDP Regulations nor in the PDP Bill.
5. LEGAL BASES
Consent is an important principle regulated strictly by the PDP Regulations.
Under Article 26(1) of the Electronic Information Law, the use of any information through electronic media which is related to the personal data of a person must be conducted with consent from the person concerned, unless otherwise determined by laws and regulations.
Under Article 14(3) of GR 71, the processing of personal data is subject to the provision of consent of the data subject for one or more specific purposes that have been conveyed to the data subject.
Under Article 9(1) of Kominfo Regulation 20, the acquisition and collection of personal data by ESPs should be based on consent or based on the provisions of laws and regulations.
Finally, Law No. 36 of 2009 on Health (only available to download in Indonesian here) ('the Health Law') contains specific regulations regarding personal data in the health sector. One of the provisions of the Health Law stipulates that human testing shall require the collection of the subject's informed consent. Before such consent is obtained, the researcher must, among other things, guarantee the confidentiality of the identity and personal data of the data subject.
Article 14(4) of GR 71 stipulates, among other things, that data processing may be carried out without the consent of the data subject in order to fulfil contractual obligations in the event that the data subject is one of the parties or to fulfil the request of the data subject upon entering into an agreement.
Article 14(4)(b) of GR 71 provides that data processing may be carried out without the consent of the data subject in order to fulfil legal obligations of the controller in accordance with statutory provisions.
Under Article 14(4)(c) of GR 71, personal data may be processed without the consent of the data subject in order to fulfil the vital interests of the data subject. There is no exhaustive nor non-exhaustive list of the interests of the data subject. The elucidation of Article 14(4)(c) of GR 71 elaborates the meaning of 'vital interest' as the need/necessity to protect very important matters about a person's existence.
Under Article 14(4)(e) of GR 71, personal data may be processed without the consent of the data subject in order to fulfil the obligations of the controller in public services for the public interest.
Under Article 14(4)(f) of GR 71, personal data may be processed without the consent of the data subject in order to fulfil the legitimate interests of the controller. There is no exhaustive nor non-exhaustive list of the legitimate interests of the data controller. Data controllers may pursue any interests so long as they adhere to the prohibitions and obligations set out in the PDP Regulations.
Under Article 3 of the Electronic Information Law, the utilisation of IT and electronic transactions shall be implemented based on the principle of legal certainty, benefit, prudence, good faith, and freedom to choose technology or technology neutral.
Under Articles 2 and 4 of Kominfo Regulation 20, the processing of personal data shall be carried out based on the principle of good personal data protection, which includes the following elements (see also Article 36 of Kominfo Regulation 20):
- having due regard towards personal data as private;
- personal data is confidential in nature, in accordance with the consent of the data subject and/or based on the provisions of laws and regulations;
- obtaining sufficient consent from the data subject, and basing its processing activities on such consent;
- ensuring processing is relevant to the purpose of acquisition, collection, processing, analysing, storage, display, announcement, delivery, and dissemination;
- limiting processing activities to what is necessary;
- ensuring the suitability of the electronic system that is being used;
- having the good faith to immediately notify data subjects of any failure in relation to personal data protection;
- ensuring the availability of internal regulation for the management of personal data protection;
- being responsible for any personal data in the possession of users;
- ensuring ease of access to and correction of personal data for data subjects; and
- ensuring the integrity, accuracy, and validity of personal data, and ensuring that personal data is up to date.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
General obligations applicable to ESPs
As there are several stakeholders in the field of personal data protection, the PDP Regulations provide for different obligations for the various stakeholders.
Article 27 of Kominfo Regulation 20 governs the obligations of personal data users which are to:
- maintain the confidentiality of personal data they receive, collect, process, and analyse;
- solely use personal data in accordance with the needs of users;
- protect personal data and documents containing such personal data from any misappropriation; and
- be responsible for the personal data that is under their control (i.e. either control by way of organisation which falls under their authority or individual control), if any misappropriation occurs.
Articles 4 and 28 of Kominfo Regulation 20 govern the obligations of ESPs, which are to:
- undergo the certification process for electronic systems under their management in accordance with the provisions of laws and regulations;
- safeguard the authenticity, validity, confidentiality, accuracy, and relevance of personal data, as well as its conformity with the purpose of acquiring, collecting, processing, analysing, storing, displaying, announcing, delivering, disseminating, and erasing personal data;
- ensure that personal data stored in an electronic system is encrypted;
- have internal regulations relating to the protection of personal data which conform with the provisions of laws and regulations (e.g. provide audit trail records of all electronic system operation activities under their management);
- provide data subjects with the option of whether or not their personal data may be used by and/or displayed to any third party, based on approval, as long as this still relates to the purpose of acquiring and collecting the personal data;
- grant data subjects access or the opportunity to alter or update their personal data without disrupting the personal data management system, unless stipulated otherwise by the provisions of laws and regulations;
- delete personal data in accordance with the provisions of Kominfo Regulation 20; and
- provide a point of contact who can be easily reached by data subjects regarding the management of their personal data.
Contracts with data subjects
While there is no explicit provision requiring the existence of a contract with the data subject, the PDP Regulations emphasise the importance of adherence to contractual obligations arising from agreements between the personal data processor and the data subject. Additionally, the PDP Regulations provide for general requirements regarding electronic contracts, including electronic contracts involving data subjects.
Under Article 1(17) of the Electronic Information Law and Article 1(17) of GR 71, an electronic contract is defined as an agreement between the parties made through an electronic system. As the implementing regulation to the Electronic Information Law, GR 71 provides for further rules regarding electronic contracts. In particular, Article 46(2) of GR 71 stipulates that an electronic contract is valid if it:
- contains the consent between those who bind themselves;
- is entered by legal subjects having capacity or authority to conclude an agreement;
- regulates a certain subject matter; and
- has a legal cause.
An electronic contract made with a data subject is only valid if it fulfils the aforementioned requirements.
Internal policies for ESPs
Kominfo Regulation 20 requires ESPs to have an internal policy on the protection of personal data when implementing the following data processing operations:
- acquisition and collection;
- processing and analysing;
- presentation, publication, transmission, dissemination, and/or access opening; and
- erasure.
Usually, ESPs create their own data protection guidance/policy for users of their electronic systems and/or services, which should be compliant with the PDP Regulations.
Obligations for trading activities through electronic systems
GR 80 provides strict regulations on the protection of consumers' personal data, providing that business entities conducting trade through electronic systems shall keep personal data in accordance with the standard of personal data protection or common business practice. Such personal data protection must be carried out in accordance with the following rules:
- personal data must be obtained truthfully and legally from the owner of the personal data concerned, accompanied by the existence of choices and guarantees for the safeguarding and prevention of loss to the data subject;
- personal data must be used for one or more purposes that are described in a specific and valid manner, as well as cannot be further processed in a way that is not in accordance with said purposes;
- personal data that is obtained must be proper, relevant, and not too broad in relation to the purpose of their processing as previously conveyed to data subject;
- personal data must be accurate and must always be up to date by way of giving opportunities to data subject to update their personal data;
- personal data must be processed in accordance with the purpose of their acquisition and allocation, as well as cannot be possessed longer than the required time;
- personal data must be processed in accordance with the rights of data subjects as regulated under laws and regulations;
- parties which store personal data must possess a proper security system to prevent leaks or prevent any unlawful utilisation or processing of personal data, as well as be responsible for unexpected losses or damages to said personal data; and
- personal data cannot be sent to another country or area outside Indonesia, except if said country or area has been declared as having the same protection level and standard as Indonesia by the Minister of Trade.
The PDP Regulations do not require notification or registration prior to the processing of data.
The transfer of personal data is prohibited without the consent of the data subject, as stipulated under Article 27(1) of the Electronic Information Law and emphasised in Article 21(a) of Kominfo Regulation 20.
The Electronic Information Law also provides that anyone who intends, without valid rights, to change, add, reduce, transmit, destroy, eliminate, transfer, or hide electronic information and/or electronic documents owned by another person or owned by the public shall be prohibited from doing so.
Additionally, Article 59(2)(h) of GR 80 provides that personal data is prohibited from being transferred to another country or territory outside Indonesia unless such country or territory has been declared by the Minister of Trade as having an equal standard or level of personal data protection.
Furthermore, Article 31 of Regulation No. 1/POJK.07/2013 concerning Consumer Protection in Financial Services Sectors ('OJK Regulation 1/2013'), issued by Financial Services Authority ('OJK'), also limits the transfer of personal data to a third party by financial services providers, except when there is a written consent from the consumer and/or as required by laws and regulations.
The PDP Regulations do not mention the term 'data processing records'. However, under Article 22(1) of GR 71, ESPs are required to provide an audit trail for all activities of the electronic system operation. This includes:
- maintaining the transaction log in accordance with the provider's data retention policy and with laws and regulations;
- notifying the consumer when a transaction has been conducted; and
- ensuring the availability of an audit trail function able to detect an attempt and/or intrusion, which must be reviewed or evaluated periodically.
In addition, where the processing and the audit trail are the responsibility of a third party, the audit trail process must follow the standard determined by the ESP.
Under Article 12 of GR 71, ESPs must apply risk management to damages or losses they may incur. The provision defines 'risk management' as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system which the ESP manages.
More detailed provisions pertaining to Data Protection Impact Assessment ('DPIA') are contained in the PDP Bill. Article 27(b) of the PDP Bill obliges controllers to protect and ensure the safety of personal data by determining the safety level of personal data through considering the nature of, and risk to, personal data during processing. The language of this provision indicates that a DPIA must be done whenever personal data is processed.
The PDP Regulations do not require the appointment of a data protection officer ('DPO'). However, Article 4 of Kominfo Regulation 20 requires ESPs to provide a point of contact who can be easily contacted by the data subject relating to the management of their personal data.
Furthermore, Article 45 of the PDP Bill introduces the requirement for controllers and processors to appoint a DPO in certain circumstances, namely where:
- the data processing is carried out for the public interest;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; or
- the main activity of the controller consists of large-scale processing which is specific in nature and/or which is related to criminal conduct.
Implementing the Electronic Information Law, GR 71 regulates the notification obligation for ESPs in the event that there is a failure to protect personal data. Under Article 14(1) of GR 71, it is stipulated that ESPs must adhere to the principles of personal data protection in the processing of personal data including by notifying the failure to protect personal data. The notification must be made in writing to the data subject.
Furthermore, under Article 28 of Kominfo Regulation 20, an ESP is generally encouraged to notify the data subject in the event of a breach. Such notification should contain the reason or cause of the failure to protect the confidentiality of the personal data. The notification may be sent electronically if the data subject has given approval for such electronic notification during the acquisition and collection of their personal data. An ESP must ensure that the notification has been received by the data subject if the data breach has the potential to cause loss to the relevant data subject. The written notification must be sent to the data subject no later than 14 days after the identification of the breach. Although this requirement is not mandatory, a data subject can file a complaint to Kominfo if no notification is given or loss to the data subject has occurred as a result of such breach.
Implementing the Electronic Information Law, GR 71 regulates the obligation for ESPs to delete certain personal data. ESPs must delete personal data which is irrelevant. Personal data is irrelevant when:
- it is acquired and processed without the consent of the data subject;
- consent has been withdrawn by the data subject;
- it is acquired and processed illegally;
- processing is no longer in accordance with the acquisition purpose based on an agreement and/or laws and regulations;
- its utilisation has exceeded the period in accordance with an agreement and/or laws and regulations; and/or
- the ESP's treatment of it has caused a loss for the data subject.
The obligation of deletion stipulated in GR 71 consists of erasure and delisting from search engines.
As for the timeframes for data retention, GR 71 and the Electronic Information Law do not explicitly stipulate a timeframe for data retention or a maximum retention period, but instead defer this to the competent authority and to other relevant laws. One of the relevant laws which mentions a retention period for personal data is Law No. 43 of 2009 regarding Archives (only available in Indonesian here) ('the Archiving Law'). The Archiving Law distinguishes between data with a maximum retention period of 10 years and data with a maximum retention period of 25 years. The data and its retention period shall be listed further in a retention schedule archive.
While deferring the retention period to other laws, GR 71 is strict in requiring that data retention comply with the retention period applicable to each item of personal data. Article 14(1)(g) of GR 71 stipulates that personal data should be destroyed and/or deleted unless it is within a retention period in accordance with the need based on laws and regulations.
More detailed provisions on data retention may be found in the PDP Bill. Under the PDP Bill, the following data retention provisions would apply:
- personal data must be destroyed and/or erased after the retention period is over or based on the request of the data subject, except where otherwise regulated by law (Article 17(2)(g) of the PDP Bill);
- in order to obtain approval for data processing, the personal data controller must convey information regarding, among other things, the retention period for the documents containing the personal data (Article 24(1)(d) of the PDP Bill);
- the personal data controller must end the processing of personal data if, among other events, the retention period has been reached (Article 37(1)(a) of the PDP Bill);
- in the event that the retention period has not elapsed, personal data which has been erased may be recovered or redisplayed in its entirety based on the written request of the data subject (Article 38(4) of the PDP Bill); and
- the personal data controller must destroy personal data if, among other events, its retention period is over and, based on the retention schedule archive, the data must be destroyed (Article 39(1)(b) of the PDP Bill).
Kominfo Regulation 20 regulates the processing of children's data in the context of obtaining consent. Article 37 of Kominfo Regulation 20 provides that, where the data subject is a child under the provisions of laws and regulations, the consent referred to under Kominfo Regulation 20 should be given by the parent or guardian of the child in question. The parent should be the father or mother of the child in question in accordance with the provisions of laws and regulations. The guardian should be the person who has the obligation to take care of the child in question until the child reaches adulthood in accordance with the provisions of laws and regulations.
Kominfo Regulation 20 defers the authority to set the age of consent to other laws. Based on Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014 (only available in Indonesian here), a child is an individual who has not reached the age of 18.
There are no explicit obligations in relation to the processing of criminal data.
However, GR 71 specifically addresses personal data related to criminal conduct. In particular, Article 33 of GR 71 stipulates that 'for the purpose of criminal justice process, the ESP must provide electronic information and/or electronic data which is contained in the electronic system, or electronic information and/or electronic data which are processed by the electronic system, at the valid request from an investigator for certain criminal acts in accordance with the authority regulated in laws.'
There is no reference in the PDP Regulations which requires a contract to be in place between a data controller and processor.
8. DATA SUBJECT RIGHTS
In general, pursuant to Article 26 of Kominfo Regulation 20, data subjects are entitled to:
- confidentiality of their personal data;
- file complaints to Kominfo in relation to disputes over the failure of the relevant ESP to protect the confidentiality of their personal data;
- obtain access or the opportunity to change or update their personal data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations;
- obtain access or the opportunity to receive the history of their personal data, which has been given to an ESP insofar as it is still in accordance with the applicable laws and regulations; and
- request the destruction of their personal data in an electronic system managed by an ESP, unless otherwise determined by the applicable laws and regulations.
The following information should be provided to data subjects at the point of collection of the personal data:
- the purpose of the collection of the personal data;
- other possible purposes that may arise in the future that would involve processing the personal data; and
- a contact person who can be easily contacted by the data subject related to the management of their personal data.
Pursuant to Article 36 of Kominfo Regulation 20, data subjects are entitled to:
- obtain access or the opportunity to change or update their personal data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations; and
- obtain access or the opportunity to receive the history of their personal data, which has been given to an ESP insofar as it is still in accordance with the applicable laws and regulations.
Kominfo Regulation 20 provides that data subjects shall be entitled to gain access or the opportunity to alter or renew their personal data without disrupting the personal data management system, unless stipulated otherwise by the provisions of laws and regulations. This means that data subjects can rectify their personal data in cases of inaccuracy, so long as doing so does not disrupt the personal data management system.
Such right is also mentioned in Article 59(1)(d) of GR 80, which provides that personal data shall be accurate and up to date. This should be achieved by giving the data subject the chance to update their personal data.
A data subject is entitled to request the deletion of their personal data, or it may be erased once the storage time limit lapses, provided that such request is in accordance with the applicable laws and regulations.
In this regard, GR 71 distinguishes the rights of the data subject into the right to erasure and the right to delisting in which the ESP is then obliged to delete electronic information no longer under its control. In particular, Article 15 of GR 71 defines the right to erasure as erasing irrelevant information or electronic documents (including those obtained without the person's consent), whereas the right to delisting means to delist such information from the internet search engine through a court order.
The fundamental principle of data processing is the existence of consent from the data subject. This consent requirement implies that the data subject is free to object to any form of processing with which they disagree.
Additionally, the data subject is given the right to revoke their consent. Article 16 of GR 71 emphasises that personal data which must be erased by ESPs includes personal data for which consent to be used has been withdrawn by the data subject.
There is no provision concerning the right to data portability in the PDP Regulations.
The PDP Regulations do not regulate the right not to be subject to automated decision-making.
However, the protection of a similar right could be found in the PDP Bill. Under Article 10 of the PDP Bill, data subjects would have the right to object to decision-making which is solely based on automatic processing of an individual's profile (i.e. profiling). Although the language of Article 10 does not explicitly mention 'objection to automated decision-making,' it addresses concerns regarding decisions taken solely based on automatic profiling.
There are two types of sanctions for violation of the PDP Regulations: administrative and criminal sanctions. Articles 46 and 48 of the Electronic Information Law stipulate the following sanctions for the violation of personal data protection in an electronic system:
- any person who unlawfully accesses the electronic system of another person shall be sentenced to imprisonment not exceeding six years and/or a fine not exceeding IDR 600 million (approx. €35,600);
- any person who unlawfully accesses the electronic system of another person with the intent to obtain electronic information and/or electronic records shall be sentenced to imprisonment not exceeding seven years and/or a fine not exceeding IDR 700 million (approx. €41,500);
- any person who unlawfully accesses the electronic systems of another person by breaching, hacking into, trespassing into, or breaking through security systems shall be sentenced to imprisonment not exceeding eight years and/or a fine not exceeding IDR 800 million (approx. €47,500);
- any person who unlawfully alters, adds, reduces, transmits, tampers with, deletes, moves, or hides the electronic information and/or electronic records of another person or of the public shall be sentenced to imprisonment not exceeding eight years and/or a fine not exceeding IDR 2 billion (approx. €118,800); and
- any person who unlawfully moves or transfers electronic information and/or electronic records to the electronic system of an unauthorised person shall be sentenced to imprisonment not exceeding nine years and/or a fine not exceeding IDR 3 billion (approx. €178,100).
Sanctions for the violation of personal data protection in general are regulated under Article 36 of Kominfo Regulation 20, which stipulates that any person who unlawfully obtains, collects, processes, analyses, deposits, displays, announces, transmits, and/or disseminates personal data is subject to administrative sanctions in the form of:
- verbal warning;
- written warning;
- temporary suspension of activities; and
- publication of its name online (on websites).
Sanctions for the violation of the implementation of an electronic system are regulated under GR 82, which stipulates that an ESP may be subject to administrative sanctions in the form of:
- written warning;
- administrative fine; and
- temporary suspension.
Further, Article 58 of GR 40 imposes administrative sanctions for using personal data beyond the authority granted by law or by any approval, or for displaying the collected personal data in public without prior approval from the Ministry, in the form of revocation of user access rights, destruction of the data that has been accessed, and an administrative fine of IDR 10 billion (approx. €600,000).