DLA Piper Intelligence

Data Protection
Laws of the World

Law

Indonesia

Specific regulations

In Indonesia, as of the date of this publication there is no general law on data protection. However, there are certain regulations concerning the use of electronic data. The primary sources of the management of electronic information and transactions are Law No. 11 of 2008 regarding Electronic Information and Transactions ("EIT Law") as amended by Law No. 19 of 2016 regarding the Amendment of EIT Law ("EIT Law Amendment"), Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions ("Reg. 71") and its implementing regulation, Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System ("MOCI Regulation").

However, a draft Bill on the Protection of Private Personal Data (the "Bill") has been under discussion for a number of years, but to date it has not been enacted. Although the exact timing remains uncertain and the Bill is still to be considered by the House of Representatives, if passed it will become Indonesia’s first comprehensive law to specifically deal with data privacy.

In addition to the provisions under the EIT Law, Reg. 71 and the MOCI Regulation, a series of sectoral regulations contain provisions which may relate to data protection, such as:

Telecommunications sector

Article 40 of Law No. 36 of 1999 regarding Telecommunications, as partially amended by Law No. 11 of 2020 on Job Creation (generally referred to as the Omnibus Law) ("Telecommunications Law"), provides that any person is prohibited from any kind of tapping of information transmitted through any kind of telecommunications network. Article 42 of the Telecommunications Law stipulates that any telecommunications services operator must keep confidential any information transmitted or received by a telecommunications service subscriber through the telecommunications networks or telecommunications services provided by the relevant operator[1].

Public information sector

Article 6 of Law No. 14 of 2008 regarding Disclosure of Public Information[2] provides that information relating to personal rights may not be disclosed by public bodies. Furthermore, Article 17 of the relevant law, together with other laws, prohibits the disclosure of private information of any person, particularly that which concerns family history; medical and psychological history; financial information (including assets, earnings and bank records) and evaluation records concerning a person's capability / recommendation / intellectual, formal / informal education records.

Banking and capital markets sectors

Data privacy in these sectors is regulated under Law 7 of 1992 on Banking as amended by Law 10 of 1998 and as partially amended by Law No. 11 on Job Creation ("Banking Law"), and Law 8 of 1995 on Capital Markets ("Capital Markets Law"), respectively. These regulations apply to both individual and corporate data[3].

Article 21 of Financial Services Authority Regulation No. 38/POJK.03/2016 as partially amended by Financial Services Authority Regulation No. 13/POJK.03/2020 on the Implementation of Risk Management in the Utilization of Information Technology by the Bank stipulates that the bank’s customer data transfer (by way of establishing a data center or a data processing outside Indonesia territory) necessitates prior approval being obtained from the Financial Services Authority (“FSA”)[4].

Footnotes

[1] Please note that the Omnibus Law only partially amends the Telecommunications Law; Articles 40 and 42 of the Telecommunications Law therefore remain valid and fully in force.

[2] Please note that Law No. 14 of 2008 regarding Disclosure of Public Information has been partially amended by Constitutional Court Judgement Number 77 / PUU-XIV / 2016; however, Articles 6 and 17 of Law No. 14 of 2008 regarding Disclosure of Public Information have not been amended.

[3] Please note that the Omnibus Law does not amend the Articles that govern data protection in the Banking Law.

[4] Please note that Article 21 of Financial Services Authority Regulation No. 38/POJK.03/2016, as partially amended by Financial Services Authority Regulation No. 13/POJK.03/2020 on the Implementation of Risk Management in the Utilization of Information Technology by the Bank, still requires a bank to obtain prior approval from the FSA in the event that the bank establishes a data center or data processing facility outside Indonesian territory.

Last modified 1 Feb 2021
Definitions

Definition of personal data

Reg. 71 defines personal data as any data about an individual who can be identified from that data, either on its own or when combined with other information, whether directly or indirectly and whether through electronic or non-electronic systems.

Definition of sensitive personal data

Currently, there is no specific definition on sensitive personal data under the prevailing laws and regulations. However, Article 1(21) of the Minister of Communication and Informatics Regulation No. 5 of 2020 on Electronic System Provider in the Private Sector (“MOCI 5/2020”) defines “Specific Private Data” as data and information on health, biometric data, genetic data, sexual life/orientation, political views, children's data, personal financial data, and/or other data in accordance with the provisions of laws and regulations.

Last modified 1 Feb 2021
Authority

There is no national data protection authority for data privacy in general in Indonesia. Instead, certain sectoral regulators oversee data privacy within their own sectors.

For example, the FSA has the authority to act as the regulator of data privacy in the capital markets sector (since 31 December 2012) and with regard to banks' customer data privacy issues (since 31 December 2013).

However, please note that Article 73 of Reg. 71 provides that a business actor who operates electronic transactions may be certified by a Competence Certification Body (Lembaga Sertifikasi Keandalan), which may be either a domestic Indonesian body (although no such domestic bodies currently exist) or a foreign competence certification body.

Last modified 1 Feb 2021
Registration

Pursuant to Article 2 (2) of Reg. 71 an “Electronic System Provider” is either a:

  1. Public Scope Electronic System Provider; or
  2. Private Scope Electronic System Provider.

"Public Scope Electronic System Provider" includes:

  • the Agency[1]; and
  • an institution appointed by the Agency.

The term Public Scope Electronic System Provider does not include any regulatory or supervisory authority in the financial sector. According to Article 2 (2) MOCI 5/2020, the term “Private Scope Electronic System Provider” includes:

  • an Electronic System Provider that is regulated or supervised by a Ministry or Agency based on statutory provisions; and
  • an Electronic System Provider that has a portal, site, or application in the network through the internet that is used for:
      ◦ providing, managing, and/or operating the offering and/or trading of goods and/or services;
      ◦ providing, managing, and/or operating financial transaction services;
      ◦ delivering paid digital material or content through a data network, either by downloading through a portal or website, delivery through electronic mail, or through other applications to the device of the electronic system user;
      ◦ providing, managing, and/or operating communication services, including but not limited to short messages, voice calls, video calls, electronic mail, and network conversations in the form of digital platforms, networking services and social media;
      ◦ search engine services, and services for providing electronic information in the form of text, sound, image, animation, music, video, film and game or a combination of part and/or all of them; and/or
      ◦ processing personal data for public service operational activities related to electronic transaction activities.

Article 6 of Reg. 71 regulates that Public Scope Electronic System Providers and Private Scope Electronic System Providers are obliged to conduct registration. The registration shall be submitted through electronically integrated business licensing services in accordance with the statutory provisions and it must be done before the electronic system is used by the electronic system user.

Article 2 (1) of MOCI 5/2020 provides that all Private Electronic System Providers must register, and that this registration must be completed before the electronic system is used by the electronic system user. Article 4 (1) of MOCI 5/2020 further extends this obligation to Private Electronic System Providers that are established under foreign laws or are permanently domiciled in another country but that:

  • provide services in the territory of Indonesia;
  • conduct business in Indonesia; and/or
  • operate an electronic system that is used and/or offered in the territory of Indonesia.

Furthermore, Article 4 of Minister of Communications and Informatics Regulation No. 4 of 2016 regarding Management System of Information Protection (“MOCI Reg. No. 4/2016”) provides that there are 3 (three) categories of electronic systems such as: (i) strategic electronic system, which is an electronic system that causes serious impact to the public interest, public services, state governance stability, or state defense and security; (ii) high electronic system, which is an electronic system that causes limited impact to the interest of certain sector and/or territory; and (iii) low electronic system, which is any other electronic system aside from strategic and high electronic systems.

Article 10 of MOCI Reg. No. 4/2016 provides that strategic and high electronic system providers (for public services) must obtain a Certificate of Management System of Information Protection, while low electronic system providers (for public services) may obtain Certificate of Management System of Information Protection.

Footnotes

[1] Defined as legislative, executive and judicial agencies at the central and regional level, and other agencies that are formed by law.

Last modified 1 Feb 2021
Data Protection Officers

There is no requirement in Indonesia for organizations to appoint a data protection officer.

Last modified 1 Feb 2021
Collection & Processing

Based on Article 14 (2) of Reg. 71, processing of personal data includes:

  1. obtainment and collection;
  2. processing and analyzing;
  3. storing;
  4. correction and updates;
  5. displaying, announcing, transferring, distributing or disclosure; and/or
  6. deletion or removal.

As the general rule for processing personal data, the EIT Law, Reg. 71 and the MOCI Regulation specifically regulate the obligation to obtain "consent" (as defined below) from the owner of the personal data. Furthermore, Article 7 (1) of the MOCI Regulation provides that, in obtaining and collecting personal data, the Electronic System Provider must limit collection to information that is relevant and suitable for its purpose and must collect it accurately. Article 12 (1) of the MOCI Regulation also provides that personal data may only be processed and analyzed in accordance with the needs of the Electronic System Provider that were clearly stated at the time the personal data was obtained and collected.

Article 14 (1) of Reg. 71 explains that Electronic System Provider shall also implement the principles of personal data protection in the processing of personal data which includes:

  • personal data collection is conducted in a limited and specific manner, legally valid, fairly, with the knowledge and approval of the personal data owner;
  • personal data processing is conducted in accordance with its purpose;
  • personal data processing is conducted by securing the rights of the personal data owner;
  • personal data processing is conducted accurately, completely, in a manner that is not misleading, up to date, and accountable, taking into account the purpose of processing the personal data;
  • personal data processing is conducted by protecting the security of personal data from loss, misuse, unauthorized access and disclosure, as well as the alteration or destruction of personal data;
  • personal data processing is conducted by notifying the purpose of collection, processing activities, and failure of personal data protection; and
  • personal data is destroyed and/or deleted unless it is still within the retention period required by the applicable laws and regulations.

Article 32 of MOCI 5/2020 provides that Private Scope Electronic System Providers shall grant law enforcement apparatus access to Electronic Data for the investigation, prosecution, or trial of criminal acts within the jurisdiction of the Republic of Indonesia. Such criminal acts are those punishable by a minimum of 2 (two) years of imprisonment. If the Electronic System Provider fails to grant law enforcement apparatus access to Electronic Data as described in this paragraph, then under Article 45 (4) of MOCI 5/2020 the Minister of Communication and Informatics shall impose administrative sanctions on the Private Scope Electronic System Provider in the form of: (i) written warning; (ii) temporary suspension; (iii) termination of access; and/or (iv) revocation of the Electronic System Provider Registration Certificate.

Last modified 1 Feb 2021
Transfer

Article 26 (2) of Reg. 71 provides that in the implementation of the electronic system which is directed to electronic information and/or electronic document that can be transferred (such as securities (valuable paper) and securities in electronic form), such electronic information and/or electronic document must be unique and explain the possession and ownership.

The elucidation of Article 26 (2) of Reg. 71 further explains the above provision, as follows:

  • “Electronic information and/or electronic document must be unique” means it is the only one that represents a certain value.
  • “Electronic information and/or electronic document must explain the possession” means the electronic system has control system or recording system over such electronic information and/or electronic document.
  • “Electronic information and/or electronic document must explain the ownership” means the electronic system has technology control measures that guarantee that there is only one single authoritative copy and cannot be amended.

Article 21 (1) of MOCI Regulation states that displaying, announcing, transferring, broadcasting, and/or opening personal data access in the electronic system can only be conducted:

  • by consent (defined as a written agreement, given manually and/or electronically by the owner of the personal data after obtaining a full explanation of the process for acquiring, collecting, processing, analyzing, storing, displaying, announcing, sending, and disseminating the personal data, including its confidentiality or non-confidentiality), unless stipulated otherwise by laws and regulations; and
  • after its accuracy and suitability with the purpose of obtaining and collecting such personal data is verified.

Article 22 (1) of the MOCI Regulation states that transferring personal data that is managed by an electronic system provider at a government or regional government institution, including the public or private sector domiciled in the territory of Indonesia, to parties outside the territory of Indonesia must:

  • (a) coordinate with the MOCI or the official or institution authorized for such purpose; and
  • (b) implement the laws and regulations regarding the transboundary exchange of personal data.

The coordination stipulated in Article 22 (1) (a) of the MOCI Regulation consists of:

  • reporting the implementation plan of the personal data transfer, containing at least the clear name, designated country, recipient subject name, implementation date, and reason / purpose of the transfer;
  • requesting advocacy, if needed; and
  • reporting the result of the implementation of the activities.

Last modified 1 Feb 2021
Security

The obligations of Electronic System Providers are regulated under Reg. 71 and the MOCI Regulation. Amongst other things, an Electronic System Provider shall:

  • guarantee the confidentiality of the source code of the software;
  • ensure agreements on minimum service levels and information security for the information technology services being used, as well as the security of the internal communication facilities it implements;
  • protect and ensure the privacy and personal data protection of users;
  • ensure the appropriate lawful use and disclosure of the personal data;
  • provide the audit records on all provision of electronic systems activities;
  • have governance policies, operational work procedures, and audit mechanisms that are conducted periodically in the electronic system;
  • where it is a Private Scope Electronic System Provider that processes and/or stores personal data outside of Indonesia, ensure the effectiveness of supervision by the Ministry or Agency and by law enforcement;
  • provide access to the electronic system for the purpose of supervision and law enforcement;
  • provide information in the electronic system based on legitimate request from investigators for certain crimes;
  • provide options to the personal data owner regarding the personal data that is processed so that the personal data can or cannot be used and/or displayed by / at third party based on the consent as long as it is related with the purpose of obtaining and collecting the personal data;
  • provide access or opportunity to personal data owner to change or renew his/her personal data without disturbing the system management of the personal data, except regulated otherwise by laws and regulations;
  • delete the personal data if (i) it has reached the maximum period for storing the personal data (at least 5 years, or as set by the applicable regulations / specific sectoral regulations); or (ii) the personal data owner so requests, unless regulated otherwise by the laws and regulations; and
  • provide a contact person who can easily be contacted by the personal data owner in relation to his / her personal data.

In the telecommunications sector, Article 19 of Minister of Communication and Informatics Regulation No. 26/PER/M.KOMINFO/05/2007 regarding the Security and Utilization of Internet Protocol based Telecommunications Network (as amended) ("MR 26/2007") also provides that the telecommunication service provider is responsible for data storage due to its obligation to record its log file for at least 3 months.

Last modified 1 Feb 2021
Breach Notification

Article 14 (5) of Reg. 71 provides that the provider of an electronic system must provide written notification to the owner of personal data, upon its failure to protect the personal data.

Article 24 (3) of Reg. 71 provides that the provider of an electronic system must make the utmost effort to protect personal data and to immediately report any failure / serious system interference / disturbance to a law enforcement official and relevant Ministry or Agency.

Article 28 (c) of the MOCI Regulation provides that a written notice to the personal data owner is required if there is a failure in protecting the secrecy of the personal data in the electronic system. The provisions of the notice are as follows:

  • must provide reason or cause of the occurrence of the failure in protecting the secrecy of personal data;
  • can be conducted electronically, if the personal data owner has given consent for it, at the time of obtaining and collecting his / her personal data;
  • must ensure that the notice has been received by the personal data owner if the failure contains potential loss to the relevant personal data owner; and
  • a written notice is sent to the personal data owner no later than 14 days after the failure is discovered.

Last modified 1 Feb 2021
Enforcement

In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines. Imprisonment may be imposed in severe instances, such as in the event of intentional infringement.

The EIT Law and EIT Law Amendment provide criminal penalties ranging from:

  • fines of IDR 600 million to IDR 800 million and 6 to 8 years of imprisonment for unlawful access;
  • IDR 800 million fine and/or 10 years of imprisonment for unlawful interception or wiretapping of a transmission; and/or
  • IDR 2 billion to IDR 5 billion and/or 8 to 10 years of imprisonment for alteration, addition, reduction, transmission, tampering, deletion, moving or hiding electronic information or electronic records.

Failure to comply with Reg. 71 is subject to administrative sanctions (which do not eliminate any civil and criminal liability). These administration sanctions are in the form of:

  • written warning;
  • administrative fines;
  • temporary dismissal;
  • termination of access; and/or
  • expulsion from the list of registrations (as required under the regulation).

Failure to comply with MOCI Regulations is subject to administrative sanctions in the form of:

  • verbal warning;
  • written warning;
  • temporary dismissal of activities; and/or
  • an announcement in the online website.

Banking Law

Under Article 47 of the Banking Law, any commissioner, director or employee of a bank or its affiliates who intentionally provides information which has to be kept secret may be sentenced to imprisonment for not less than 2 years but not more than 4 years, and fined at least IDR 4 billion but not more than IDR 8 billion.

Capital Markets Law

Under the Capital Markets Law, the FSA is empowered to impose the following administrative sanctions for breaches of the provisions dealing with data protection:

  • A written reminder;
  • A fine;
  • Limitations on business;
  • Suspension of business;
  • Revocation of business license;
  • Cancellation of approval; and/ or
  • Cancellation of registration.

Last modified 1 Feb 2021
Electronic Marketing

EIT Law and Reg. 71 do not specifically address electronic marketing. Article 25 of the EIT Law provides that an Internet website, amongst other things, is acknowledged and protected as an intellectual property (IP) and consequently, should fall under the ambit of the relevant IP laws, which may in certain cases fall under the Indonesian Copyright Law.

Last modified 1 Feb 2021
Online Privacy

There are currently no laws or regulations specifically concerning cookies or location data. However, under Article 32 of the EIT Law, if data collected via cookies or location data is obtained through unlawful access to another party’s electronic information, this is subject to 6 to 8 years of imprisonment and/or a fine of IDR 600 million to IDR 800 million.

Last modified 1 Feb 2021
Contacts
Erwin Purba
Partner
Arifin, Purba & Firmansyah Law Firm
Reanarya Alham
Associate
Arifin, Purba & Firmansyah Law Firm
Rachdiansyah Noezar
Associate
Arifin, Purba & Firmansyah Law Firm
Last modified 1 Feb 2021