DLA Piper Intelligence

Data Protection
Laws of the World

Law

Indonesia

Specific Regulations


In Indonesia, as of the date of this publication there is no general law on data protection. However, there are certain regulations concerning the use of electronic data. The primary sources of the management of electronic information and transactions are Law No. 11 of 2008 regarding Electronic Information and Transactions (“EIT Law”) as amended by Law No. 19 of 2016 regarding the Amendment of EIT Law (“EIT Law Amendment”), Government Regulation No. 82 of 2012 regarding Provisions of Electronic Systems and Transactions (“Reg. 82”) and its implementing regulation, Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (the “MOCI Regulation”).


However, a new draft Bill on the Protection of Private Personal Data (the "Bill") is being discussed and there is reason to believe that this Bill may come into law in 2017, although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives. If passed, this will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy.


In addition to the provisions under the EIT Law, Reg. 82 and the MOCI Regulation, there is also a series of sector-specific regulations containing provisions which may relate to data protection, such as:


Telecommunications Sector


Article 40 of Law No. 36 of 1999 regarding Telecommunications (‘Telecommunications Law’) provides that any person is prohibited from any kind of tapping of information transmitted through any kind of telecommunications network. Furthermore, Article 42 of the Telecommunications Law stipulates that any telecommunications services operator has to keep confidential any information transmitted and/or received by a telecommunications service subscriber through the telecommunications networks and/or telecommunications services provided by the relevant operator.


Public Information Sector


Article 6 of Law No. 14 of 2008 regarding Disclosure of Public Information provides that information relating to personal rights may not be disclosed by public bodies. Furthermore, Article 17 of the relevant law, together with other laws, prohibits the disclosure of private information of any person, particularly that which concerns family history; medical and psychological history; financial information (including assets, earnings and bank records); evaluation records concerning a person's capability, recommendations or intellect; and formal/informal education records.


Banking and Capital Markets Sectors


Data privacy in this sector is regulated under Law 7 of 1992 as amended by Law 10 of 1998 on Banking (‘Banking Law’) and Law 8 of 1995 on Capital Markets (‘Capital Markets Law’) respectively. The regulations apply to both individual and corporate data.


Bank Indonesia’s Regulation No. 9/15/PBI/2007 on the Implementation of Risk Management in the Utilisation of Information Technology by the Bank stipulates that the bank’s customer data transfer (by way of establishing a data centre or a data processing centre outside Indonesian territory) necessitates prior approval being obtained from Bank Indonesia.


Last modified 26 Jan 2017
Definitions

Definition of personal data

Reg. 82 and the MOCI Regulation define Personal Data as: data of an individual which is stored and maintained, whose correctness is preserved and whose confidentiality is protected (including under the EIT Law and Reg. 82).

Definition of sensitive personal data

Currently, there is no specific definition on sensitive personal data under the prevailing laws and regulations.

Last modified 26 Jan 2017
Authority

There is no national data protection authority for data privacy in general in Indonesia; supervision is instead exercised by sectoral regulators.

For example, the Indonesian Financial Services Authority ('FSA') has the authority to act as the regulator of data privacy in the capital markets sector (since 31 December 2012) and with regard to banks' customer data privacy issues (since 31 December 2013).

However, please note that article 65 of Reg. 82 provides that a business enactor who operates electronic transactions may be certified by a Competence Certification Body (Lembaga Sertifikasi Keandalan) which may be a domestic Indonesian (but currently no such domestic bodies exist) or foreign competence certification body.

Last modified 26 Jan 2017
Registration

Minister of Communication and Informatics Regulation No. 36 of 2014 regarding Procedures of Electronic System Provider Registration (“MOCI Reg 36”) differentiates electronic system providers into electronic system providers for public services and electronic system providers for non-public services. An electronic system provider for public services must conduct registration, while an electronic system provider for non-public services may conduct registration, which suggests that registration is not mandatory for an electronic system provider for non-public services.

MOCI Reg 36 specifically states that electronic system providers for public services are legal entities related to the government, for example state institutions, government agencies, corporations in the form of state-owned enterprises, regional government-owned enterprises, or other legal entities connected with a state mission.

Electronic system providers for non-public services are not specifically defined under MOCI Reg 36, but in general other legal entities that are not related to the government, such as private corporations, can be classified as electronic system providers for non-public services.

However, the regulators interpret ‘public service’ with regard to electronic system providers pursuant to Government Regulation No. 96 of 2012 regarding Implementation of Law No. 25 of 2009 regarding Public Service (“GR No. 96”).

GR No. 96 defines Public Service as an activity or chain of activities fulfilling the service needs, in accordance with the laws and regulations, of every citizen and individual for goods, services, and/or administrative services that are provided by the public service operator. GR No. 96 further defines Public Service Operator as every state operator institution, corporation, independent institution formed based on laws for public service activity, and other legal entity formed only for the public service activity. GR No. 96 implements Law No. 25 of 2009 regarding Public Services (“Law No. 25”). Article 5 (1) of Law No. 25 provides that the scope of public services includes public goods and services as well as administrative services. Article 5 (2) of Law No. 25 further provides that this includes education, teaching, work and business, housing, communication and information, environment, health, social security, energy, banking, transportation, natural resources, tourism and other strategic sectors.

In relation to the above, an electronic system provider for non-public services falls under the category of a corporation (a non-government-related legal entity) providing services for every citizen/individual. Therefore, an electronic system provider for non-public services is also considered to provide public services pursuant to GR No. 96.

Consequently, all electronic system providers, whether for public services or non-public services, must conduct registration.

Furthermore, Article 4 of Minister of Communications and Informatics Regulation No. 4 of 2016 regarding Management System of Information Protection (“MOCI Reg. No. 4/2016”) provides that there are three categories of electronic systems, namely: (i) strategic electronic systems, which are electronic systems whose failure causes serious impact to the public interest, public services, state governance stability, or state defence and security; (ii) high electronic systems, which are electronic systems whose failure causes limited impact to the interest of a certain sector and/or territory; and (iii) low electronic systems, which are any other electronic systems aside from strategic and high electronic systems.

Article 10 of MOCI Reg. No. 4/2016 provides that strategic and high electronic system providers (for public services) must obtain a Certificate of Management System of Information Protection, while low electronic system providers (for public services) may obtain a Certificate of Management System of Information Protection.

Last modified 26 Jan 2017
Data Protection Officers

There is no requirement in Indonesia for organisations to appoint a data protection officer.

Last modified 26 Jan 2017
Collection & Processing

The EIT Law, Reg. 82 and the MOCI Regulation specifically regulate the obligation to obtain "consent" from the owner of the personal data in the case of data collection, use and processing. Furthermore, Article 7 (1) of the MOCI Regulation provides that, in obtaining and collecting Personal Data, the electronic system provider must limit itself to information that is relevant and suitable for its purpose and must do so accurately. Article 12 (1) of the MOCI Regulation also provides that Personal Data can only be processed and analysed in accordance with the needs of the electronic system provider that were stated clearly at the time the Personal Data was obtained and collected.

Reg. 82 provides specific provisions on the obligation for Electronic System Providers for public services to set up a data centre and disaster recovery centre in Indonesia, namely:

  • before an Electronic System for public services is implemented, the provider of an Electronic System must register with the Minister of Communication and Information and Technology ("MOCI");

  • in providing an Electronic System, the provider should ensure the confidentiality, integrity and availability of the Personal Data it manages. The provider should also ensure that the acquisition, use and utilisation of Personal Data is based on the consent of the Personal Data owner, except if regulated otherwise[1]. Further, the provider should ensure that the use or disclosure of data is done based on the consent of the Personal Data owner and is in line with the objectives as disclosed to the relevant owner at the time of obtaining the data[2]; and

  • the provider of the Electronic System is also obliged to provide audit trail records of the Electronic System.


[1] Article 15 (1) (b) of Reg. 82.

[2] Article 15 (1) (c) of Reg. 82.

Last modified 26 Jan 2017
Transfer

Article 22 (2) of Reg. 82 regulates the transfer of data: in the operation of an Electronic System and/or Electronic Document intended to transfer Electronic Information and/or Electronic Documents, the Electronic Information and/or Electronic Document must be unique, and the provider must explain the control and possession of that Electronic Information and/or Electronic Document.

Article 21 (1) of MOCI Regulation states that displaying, announcing, transferring, broadcasting, and/or opening Personal Data access in the Electronic System can only be conducted:

  • By Consent (being defined as a written agreement, either manual and/or electronic, given by the owner of Personal Data after obtaining a full explanation regarding the process of acquiring, collecting, processing, analysing, storing, displaying, announcing, sending, and disseminating the Personal Data, including its confidentiality or non-confidentiality), except where stipulated otherwise by laws and regulations; and

  • After its accuracy and compatibility with the purpose of obtaining and collecting such Personal Data is verified.

Article 22 (1) of the MOCI Regulation states that transferring Personal Data managed by an electronic system operator at a government or regional government institution, including in the public or private sector, domiciled in the territory of Indonesia to [parties] outside the territory of Indonesia must:

  • Coordinate with the MOCI or the official or institution being authorized for such purpose; and

  • Implement the laws and regulations regarding the transboundary exchange of Personal Data.

The coordination required under Article 22 (1) (a) of the MOCI Regulation consists of:

  • reporting the implementation plan of the Personal Data transfer, containing at least the full name, destination country, name of the recipient subject, implementation date, and reason/purpose of the transfer;

  • requesting advocacy, if needed; and

  • reporting the result of the implementation of the activities.

Last modified 26 Jan 2017
Security

The obligations of Electronic System Providers are regulated under Reg. 82 and the MOCI Regulation, under which providers shall, amongst other things:

  • guarantee the confidentiality of the source code of the software;

  • ensure agreements on minimum service levels and information security for the information technology services being used, as well as the security of the facilities and internal communication security they implement;

  • protect and ensure the privacy and personal data protection of users;

  • ensure the appropriate lawful use and disclosure of the personal data;

  • provide data centre and disaster recovery centre (for Electronic System Providers for public services);

  • provide the audit records on all Provision of Electronic Systems activities;

  • provide information in the Electronic System based on legitimate requests from investigators for certain crimes;

  • provide options to the Personal Data Owner regarding the Personal Data that is processed, so that [the Personal Data] can or cannot be used and/or displayed by/at a third party based on Consent, as long as it is related to the purpose of obtaining and collecting the Personal Data;

  • provide access or opportunity to the Personal Data Owner to change or update his/her Personal Data without disturbing the management system of the Personal Data, unless regulated otherwise by laws and regulations;

  • delete the Personal Data if (i) it has reached the maximum period of storing the Personal Data (at the shortest 5 years, or as based on the applicable regulations/specific sectoral regulations); or (ii) on request from the Personal Data Owner, unless regulated otherwise by the laws and regulations; and

  • provide a contact person who can easily be contacted by the Personal Data Owner in relation to his/her Personal Data.

In the telecommunication sector, Article 19 of Minister of Communication and Informatics Regulation No. 26/PER/M.KOMINFO/05/2007 regarding the Security and Utilisation of Internet Protocol‑based Telecommunications Network (as amended) ("MR 26/2007") also provides that the telecommunication service provider is responsible for data storage due to its obligation to record its log file for at least three months.

Last modified 26 Jan 2017
Breach Notification

Article 15 (2) of Reg. 82 provides that the provider of an Electronic System must provide written notification to the owner of personal data, upon its failure to protect the personal data.

Article 20 (3) of Reg. 82 provides that the provider of an Electronic System must make the utmost effort to protect personal data and to immediately report any failure/serious system interference/disturbance to a law enforcement official or the Supervising and Regulatory Authority of the relevant sector.

Article 28 (c) of the MOCI Regulation provides that a written notice to the Personal Data Owner is required if there is a failure in protecting the secrecy of the Personal Data in the Electronic System. The provisions on the notice are as follows:

  • it must state the reason or cause of the occurrence of the failure in protecting the secrecy of the Personal Data;
  • it can be delivered electronically if the Personal Data Owner gave Consent for this at the time his/her Personal Data was obtained and collected;
  • the provider must ensure that the notice has been received by the Personal Data Owner if the failure carries potential loss for the relevant Personal Data Owner; and
  • the written notice is sent to the Personal Data Owner no later than 14 days after the failure is discovered.

Last modified 26 Jan 2017
Enforcement

In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines. Imprisonment may be imposed in severe instances such as in the event of intentional infringement.

The EIT Law and the EIT Law Amendment provide for criminal penalties including:

  • a fine of Rp. 600,000,000 to Rp. 800,000,000 and/or 6 to 8 years imprisonment for unlawful access;
  • a fine of Rp. 800,000,000 and/or 10 years imprisonment for interception/wiretapping of a transmission;
  • a fine of Rp. 2,000,000,000 to Rp. 5,000,000,000 and/or 8 to 10 years imprisonment for the alteration, addition, reduction, transmission, tampering, deletion, moving or hiding of Electronic Information and/or Electronic Records.

Failure to comply with Reg. 82 is subject to administrative sanctions (which do not eliminate any civil or criminal liability). These administrative sanctions take the form of:

  • written warning;
  • administrative fines;
  • temporary dismissal; or
  • expulsion from the list of registrations (as required under the regulation).

Failure to comply with MOCI Regulations is subject to administrative sanctions in the form of:

  • verbal warning;
  • written warning;
  • temporary dismissal of activities; and/or
  • an announcement in the online website.

Banking Law

Under Article 47 of the Banking Law, any commissioner, director or employee of a bank or its affiliates who intentionally provides information which has to be kept secret may be sentenced to imprisonment for not less than two years but not more than four years, and fined at least four billion but not more than eight billion Indonesian Rupiah.

Capital Markets Law

Under the Capital Markets Law, the Financial Services Authority (previously BAPEPAM-LK) is empowered to impose the following administrative sanctions for breaches of the provisions dealing with data protection. The sanctions comprise:

  • A written reminder;
  • A fine;
  • Limitations on business;
  • Suspension of business;
  • Revocation of business license;
  • Cancellation of approval; and
  • Cancellation of registration.

Last modified 26 Jan 2017
Electronic Marketing

EIT Law and Reg. 82 do not specifically address electronic marketing.

Article 25 of the EIT Law provides that an Internet website, amongst other things, is acknowledged and protected as an Intellectual Property (IP) and consequently, should fall under the ambit of the relevant IP laws, which may in certain cases fall under the Indonesian Copyright Law.

Last modified 26 Jan 2017
Online Privacy

There are currently no laws and regulations concerning cookies and location data.

However, if the data collected by cookies or location data is obtained by the unlawful access of another party’s electronic information, this is subject to 6 to 8 years imprisonment and/or a fine of Rp. 600,000,000 to Rp. 800,000,000.

Last modified 26 Jan 2017
Contacts
Erwin Purba
Partner
T +62 21 5790 5090
Robert Hasan
Associate
T +62 21 5790 5090
Last modified 26 Jan 2017