Data Protected - Indonesia

Contributed by Widyawan & Partners, an associated firm of Linklaters LLP and Allens 

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

There is no consolidated data protection law in Indonesia. However, there are a number of laws that address data protection issues. The key laws and regulations are Law No. 11 of 2008 on Electronic Information and Transaction, as amended by Law No. 19 of 2016 ("EIT Law") and its implementing regulations: (i) Government Regulation No. 82 of 2012 on Implementation of Electronic Systems and Transactions ("GR 82"); and (ii) Menkominfo Regulation No. 20 of 2016 on Protection of Personal Data in Electronic Systems (“Reg 20”).

There are also other industry-specific laws and regulations that regulate data protection, for example, the banking, telecommunications and health sectors. This summary does not address these industry-specific laws and regulations nor does it address laws regulating specific types of data other than personal data (such as laws regulating corporate and tax records) or regulating the collection, maintenance and use of personal data by government institutions.

Currently, the House of Representatives is preparing a draft bill on Protection of Personal Data as an overarching privacy law in Indonesia. We do not know when this bill will be enacted. We understand that it is not included in the 2018 national legislation program (i.e. a list setting out draft legislation prioritised to be passed in 2018) and therefore the earliest it is likely to be enacted is in 2019.

Entry into force

The EIT Law was enacted and came into full force on 21 April 2008. GR 82 was enacted on 15 October 2012 and came into full force on 15 October 2017. Reg 20 was enacted on 1 December 2016 and will come into full force on 1 December 2018.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The data protection laws pertaining to data held electronically are mainly enforced by the Ministry of Communication and Information ("Menkominfo").

Jl. Medan Merdeka Barat No. 9
Jakarta 10110
Indonesia

https://kominfo.go.id/

Notification or registration scheme and timing

There is no notification or registration scheme.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The EIT Law applies to a "legal act" (this term is not defined) of any person (whether an individual or legal entity) inside or outside the territory of the Republic of Indonesia, which has legal effect inside or outside the territory of the Republic of Indonesia and which is “detrimental to the interest of the Republic of Indonesia”. The law applies to legal acts performed not only in Indonesia or by Indonesian citizens, but also outside the jurisdiction of Indonesia by both Indonesian and foreign citizens or legal entities.

A legal act is “detrimental to the interest of the Republic of Indonesia” if, among other things, it is detrimental to the interests of the national economy, strategic data protection, the nation’s dignity and degree, state defence and security, sovereignty, citizens or Indonesian legal entities.

Is there a concept of a controller and a processor?

GR 82 and Reg 20 introduce the concept of an “electronic system operator”, which is defined as any person, state official, business entity or society that provides, manages and/or operates, jointly or singly, an electronic system for the users of the electronic system for the operator's interest and/or the interest of others, and impose certain obligations on such electronic system operators. However, neither GR 82 nor Reg 20 makes a clear distinction between a controller and a processor of personal data. An electronic system operator may be either a controller or a processor of personal data.

Are both manual and electronic records subject to data protection legislation?

The EIT Law and its implementing regulations apply to data held electronically and, to a certain extent, to hard copy print outs of electronic data (e.g. the use of hard copy print outs as evidence in court proceedings).

Are there any national derogations?

The application of personal data protection rules may be exempted under certain circumstances or for specific purposes contemplated under the laws. Under Reg 20, the electronic system operator is obliged to make available any personal data stored in the electronic system for law enforcement purposes.

There may be other exemptions provided under the industry specific regulations (e.g. banking, telecommunications and health sectors).

_____________________________________________________________________

Personal Data

What is personal data?

Reg 20 defines personal data as any true and actual information that adheres to, and can be identified with, an individual, either directly or indirectly, which is used in accordance with the laws and regulations, that is stored and maintained, the truthfulness of which is maintained and the secrecy of which is protected. This definition is quite similar to the standard definition of personal data.

Is information about legal entities personal data?

Yes, to the extent that such information contains any individual personal data (e.g. personal data of its director/commissioner).

What are the rules for processing personal data?

Under the EIT Law and its implementing regulations, unless exempted under other applicable laws or regulations, the prior express consent of the data subject must be obtained in order to process their personal data in an electronic system. The entity collecting such personal data is required to explain the purpose of the data use, processing, transfer and disclosure in detail in the consent document, and can only use or process such personal data based on the scope consented by the data subject.

Are there any formalities to obtain consent to process personal data?

Consent must be given in written form, either in hard copy or through electronic means (such as clicking an 'agree' button provided with a consent notice). However, as a matter of practice, there is a real possibility that the courts might not accept electronic consent as evidence, and it is therefore recommended to obtain a data subject's express consent in writing for evidentiary purposes.

Are there any special rules when processing personal data about children?

In relation to personal data of a person under the age of 18, the collector of data must obtain prior express consent from a parent or legal guardian of such person.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The EIT Law and its implementing regulations do not specifically distinguish between sensitive and non-sensitive personal data.

Are there additional rules for processing sensitive personal data?

No.

Are there additional rules for processing information about criminal offences?

No.


Are there any formalities to obtain consent to process sensitive personal data?

No.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no requirement under the EIT Law or GR 82 to appoint a data protection officer. However, there is a general requirement under GR 82 that the electronic system operator must appoint a certified expert in the field of electronic systems and information technology.

What are the duties of a data protection officer?

The key requirements applicable to an electronic system operator are, among others, to: (i) notify data subjects of any failure in personal data protection in its electronic system no later than 14 days from becoming aware of such failure; (ii) give data subjects access to change or update their personal data; (iii) destroy any personal data in accordance with the prevailing laws and regulations; and (iv) provide a contact person who can be contacted by data subjects with respect to their personal data.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Yes. Reg 20 imposes an obligation on an electronic system operator to have an internal set of rules on data protection, to emphasise the importance of personal data protection to employees and carry out relevant training on the prevention of personal data protection failure.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

The entity collecting personal data is required to inform data subjects of how their personal data will be used and processed when collecting the data, or before using or processing such personal data and before conducting any action in respect of it. Such personal data can only be used or processed for the purposes consented to by the data subject.

Rights to access information

Yes. Data subjects have a right to review and update personal data held by electronic system operators about them. Additionally, data subjects have the rights to access and obtain the history of their personal data stored in such electronic systems.

Rights to data portability

The EIT Law and its implementing regulations do not regulate ‘rights to data portability’.

Right to be forgotten

Under the EIT Law, the data subjects have the right to request the electronic system operator to erase any irrelevant data relating to them with a court order. There is no explanation of what constitutes ‘irrelevant data’.

Objection to direct marketing and profiling

There are no specific provisions regarding the right to object to direct marketing. However, it is good practice to inform data subjects if their personal data will be used for direct marketing as part of the process of obtaining consent.

Other rights

Other than in relation to the “right to be forgotten” above, data subjects have the right to request an electronic system operator to delete their data, provided that such personal data has been stored in accordance with the minimum retention period under the applicable laws and regulations.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

GR 82 imposes a general requirement on the electronic system operator to implement a security system to protect personal data, and the electronic systems used must be certified by Menkominfo.

Specific rules governing processing by third party agents (processors)

There are no specific rules relating to processing by third party agents. However, if an electronic system operator engages a third-party agent, it must inform data subjects that their personal data will be accessed and processed by a third-party agent, and obtain their prior consent to this (if it has not been obtained in the course of data collection).

Notice of breach laws

Yes. An electronic system operator is required under the EIT Law and its implementing regulations to notify data subjects if the electronic system operator's security system has been breached.

Additionally, an electronic system operator must also notify the relevant authority in the case of a failure or interruption to the electronic system which has a serious impact on the electronic system itself, and which is caused by the action of other parties on the electronic system.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Under the existing laws, an electronic systems provider must maintain a first (original) copy of the personal data in a data centre, and maintain a disaster recovery centre, within Indonesia. However, an electronic systems provider may also maintain a subsequent copy of that personal data outside of Indonesia (subject to the notification requirement below), provided that it holds the first instance of the personal data within Indonesia.

Notification and approval of national regulator (including notification of use of Model Contracts)

In addition to the requirement to obtain consent (discussed above), under Reg 20, an electronic system operator must notify Menkominfo of its plan to transfer the personal data outside Indonesia before the transfer. After the transfer, the electronic system operator must submit a post-transfer report to Menkominfo, which must include details of the transfer. The notification to Menkominfo does not need to be made for each instance of cross-border transfer, and may include plans for several cross-border transfers in the future.

Use of binding corporate rules

There is currently no ability to use binding corporate rules under the EIT Law or any of its implementing regulations.

_____________________________________________________________________

Enforcement

Fines

Breaches of the EIT Law may lead to administrative and civil liability, which includes fines ranging from IDR 600 million to IDR 12 billion (approximately €40,000 to €800,000).

Imprisonment

Breaches of the EIT Law may lead to criminal sanctions for violations of privacy which include between one and 12 years’ imprisonment.

Compensation

Data subjects have the right to compensation for contravention of their rights under the EIT Law and its implementing regulations. These laws entitle a data subject to claim damages for loss against any party which causes that loss. In addition, compensation may be available under the Indonesian Civil Code. This is based on the general law of tort under the Indonesian Civil Code and allows an aggrieved data subject to claim damages for actual loss suffered by the data subject where that loss is caused by an unlawful act of an electronic system operator. In this context, the term “unlawful act” is interpreted broadly, including not only violations of statutory law, but also violations of public morals or the duty of care owed to other persons' interests. There is no clear definition in Indonesian law on what violates “public morals” or “duty of care”. The meaning of these terms varies over time and in different places.

Other powers

Menkominfo may impose administrative sanctions, such as a written warning and temporary suspension of activity, on an electronic systems provider that breaches the provisions of GR 82 or Reg 20.

As Reg 20 will only come into full force on 1 December 2018, any administrative sanctions provided under Reg 20 are unlikely to be imposed until such date.

Practice

We are not aware of any significant court cases directly relating to the unlawful use or processing of personal data.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific ePrivacy laws, and the EIT Law and its implementing regulations do not contain provisions on direct marketing. However, any marketing materials distributed to consumers in Indonesia should comply with applicable Indonesian consumer protection laws (including the specific consumer protection provisions of the EIT Law and the general requirements under Law No. 8 of 1999 on Consumer Protection), particularly the provision which prohibits a business entrepreneur from coercing, in any way, the offering of goods and/or services in a manner that may cause physical or psychological disturbance to consumers.

_____________________________________________________________________

Cookies

Conditions for use of cookies

The use of cookies is not specifically regulated in Indonesia. To the extent that cookies contain personal data, the provisions applicable to personal data (discussed above) will also apply.

Regulatory guidance on the use of cookies

There are no specific regulations regarding guidance on the use of cookies.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Under the EIT Law and its implementing regulations, personal data processing is only allowed with the prior consent of the data subject. In practice, senders of direct marketing by e-mail use the following process to comply with the EIT Law: (i) send an email which identifies the sender and explains the purpose of the e-mail to the recipient; and (ii) stop sending direct marketing by e-mail to the recipient if the recipient does not reply to the first e-mail.

Conditions for direct marketing by e-mail to corporate subscribers

There are no specific provisions on the conditions for sending direct marketing by e-mail to corporate subscribers. However, the provisions applying to individuals described above also apply to corporate subscribers.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under the EIT Law and its implementing regulations, personal data processing is only allowed with the prior consent of the data subject. In practice, telephone marketers use the following process to comply with the EIT Law: (i) place a call which identifies the caller and explains the purpose of the call to the recipient; and (ii) stop the call if the recipient does not wish to continue the call.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no specific provisions on the conditions for sending direct marketing by telephone to corporate subscribers. However, the provisions applying to individuals described above also apply to corporate subscribers.

Exemptions and other issues

Not applicable.

_____________________________________________________________________