Data Protected - Indonesia

Contributed by Widyawan & Partners, an associated firm of Linklaters LLP and Allens 

Last updated July 2022

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

There is no consolidated data protection law in Indonesia. However, there are a number of laws that address data protection issues. The key laws and regulations are Law No. 11 of 2008 on Electronic Information and Transaction, as amended by Law No. 19 of 2016 ("EIT Law") and its implementing regulations: (i) Government Regulation No. 71 of 2019 on Implementation of Electronic Systems and Transactions ("GR 71"); (ii) Menkominfo Regulation No. 20 of 2016 on Protection of Personal Data in Electronic Systems (“Reg 20”) and Menkominfo Regulation No. 5 of 2020 on Private Electronic System Operator (“Reg 5”), as amended by Menkominfo Regulation No. 10 of 2021.

There are also other industry-specific laws and regulations that regulate data protection, for example, the banking, telecommunications and health sectors. This summary does not address these industry-specific laws and regulations nor does it address laws regulating specific types of data other than personal data (such as laws regulating corporate and tax records) or regulating the collection, maintenance and use of personal data by government institutions.

In January 2020, the Government of Indonesia officially submitted the final draft bill on Protection of Personal Data as an overarching privacy law in Indonesia. The bill is included as a prioritised bill within the 2022 National Legislation Program (i.e. a list setting out prioritised draft legislation). This bill is currently being discussed in the Indonesian Parliament and targeted to be enacted later this year.

Entry into force

The EIT Law was enacted and came into full force on 21 April 2008. GR 71 was enacted and came into full force on 10 October 2019 and it revoked Government Regulation No. 82 of 2012 (“GR 82”). As an implementing regulation of GR 82, Reg 20 was enacted on 1 December 2016 and came into full force on 1 December 2018. Based on the Transitional Provisions of GR 71, the implementing regulation of GR 82 shall remain valid to the extent it does not contradict GR 71. Reg 20 therefore remains applicable, to the extent its particular provisions are in line with GR 71. Reg 5 was enacted on 16 November 2020 and it serves as an implementing regulation of GR 71.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The data protection laws pertaining to data held electronically are mainly enforced by the Ministry of Communication and Information ("Menkominfo").

Jl. Medan Merdeka Barat No. 9
Jakarta 10110
Indonesia

https://kominfo.go.id/

Notification or registration scheme and timing

Any electronic system operator must be registered with Menkominfo prior to the use of the electronic system by its users. This obligatory registration also applies to any foreign electronic system provider which: (i) provides services within the territory of the Republic of Indonesia; (ii) conducts business in Indonesia; and/or (iii) operates an electronic system which is used and/or offered in Indonesia. The registration must be made to Menkominfo. Specifically for local private electronic system operators, under Reg 5 (being the individual, business entity or community that operates an electronic system), the registration with Menkominfo must be made through the Online Single Submission (“OSS”) system, as an integrated national business licensing platform operated by the OSS Authority, unless otherwise provided under the prevailing regulations.

Exemptions to notification

None.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The EIT Law applies to a "legal act" (this term is not defined) of any person (whether an individual or legal entity) inside or outside the territory of the Republic of Indonesia, which has legal effect inside or outside the territory of the Republic of Indonesia and which is “detrimental to the interest of the Republic of Indonesia”. The law applies to legal acts performed not only in Indonesia or by Indonesian citizens, but also outside the jurisdiction of Indonesia by both Indonesian and foreign citizens or legal entities.

A legal act is “detrimental to the interest of the Republic of Indonesia” if, among other things, it is detrimental to the interests of the national economy, strategic data protection, the nation’s dignity and degree, state defence and security, sovereignty, citizens or Indonesian legal entities.

Is there a concept of a controller and a processor?

GR 71 and Reg 20 introduce the concept of an “electronic system operator”, which is defined as any person, state official, business entity or society that provides, manages and/or operates, jointly or singly, an electronic system for the users of the electronic system in the operator's interest and/or that of others, and impose certain obligations on such electronic system operator. However, neither GR 71 nor Reg 20 makes a clear distinction between a controller and a processor of personal data. An electronic system operator may be a controller or a processor of personal data. GR 71 classifies electronic system operators into two types: (i) private electronic system operators, which covers electronic systems operated by individuals, business entities and communities; and (ii) public electronic system operators, where the operator is a government institution or an institution appointed by the government.

Are both manual and electronic records subject to data protection legislation?

The EIT Law and its implementing regulations apply to data held electronically and, to a certain extent, to hard copy print outs of electronic data (e.g. the use of hard copy print outs as evidence in court proceedings).

Are there any national derogations?

The application of personal data protection rules may be exempted under certain circumstances or for specific purposes contemplated under the laws. Under Reg 20 and Reg 5, the electronic system operator is obliged to make available any personal data stored in the electronic system for law enforcement purposes.

There may be other exemptions provided under the industry specific regulations (e.g. banking, telecommunications and health sectors).

_____________________________________________________________________

Personal Data

What is personal data?

Reg 20 defines personal data as any true and actual information that adheres and can be identified, either directly or indirectly, to an individual, which is used in accordance with the laws and regulations, that is stored and maintained, the truthfulness of which is maintained and the secrecy of which is protected. This definition is quite similar to the standard definition of personal data. GR 71 and Reg 5 add other aspects to their definition of personal data, including that personal data should cover data that can be identified either independently or in combination with other information through an electronic and/or non-electronic system. Reg 20 also acknowledges that protecting personal data is an element of the right to privacy.

Is information about legal entities personal data?

Yes, to the extent that such information contains any individual personal data (e.g. personal data of its director/commissioner).

What are the rules for processing personal data?

Under the EIT Law and its implementing regulations, unless exempted under other applicable laws or regulations, the prior express consent of the data subject must be obtained in order to process their personal data in an electronic system. The entity collecting such personal data is required to explain the purpose of the data use, processing, transfer and disclosure in detail in the consent document, and can only use or process such personal data based on the scope consented by the data subject.

Are there any formalities to obtain consent to process personal data?

Consent must be given in written form, either in hard copy or through electronic means (such as clicking an 'agree' button provided with a consent notice). However, as a matter of practice, there is a likely possibility that the courts might not accept electronic consent as evidence and it is therefore recommended to obtain a data subject's express consent in writing for evidentiary purposes.

Are there any special rules when processing personal data about children?

In relation to personal data of a person under the age of 18, the collector of data must obtain prior express consent from a parent or legal guardian of such person.

Are there any special rules when processing personal data about employees?

To the extent such personal data fall within the scope of personal data under GR 71, Reg 20 and Reg 5, the general rules on personal data processing under GR 71, Reg 20 and Reg 5 shall apply.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The EIT Law and its implementing regulations do not specifically distinguish between sensitive and non-sensitive personal data.

Are there additional rules for processing sensitive personal data?

No.

Are there additional rules for processing information about criminal offences?

No.

Are there any formalities to obtain consent to process sensitive personal data?

No.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no requirement under the EIT Law or GR 71 to appoint a data protection officer. However, there is a general requirement under GR 71 that the electronic system operator must appoint a certified expert in the field of electronic systems and information technology.

What are the duties of a data protection officer?

The key requirements applicable to an electronic system operator in general are, among others, to: (i) notify data subjects of any failure in personal data protection in their electronic system no later than 14 days from becoming aware of such failure; (ii) give data subjects access to change or update their personal data; (iii) destroy any personal data in accordance with the prevailing laws and regulations; and (iv) provide a contact person who can be contacted by data subjects with respect to their personal data.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Yes. GR 71 and Reg 20 impose an obligation on an electronic system operator to have an internal set of rules on data protection, to emphasise the importance of personal data protection to employees and carry out relevant training on the prevention of personal data protection failure.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

The entity collecting personal data is required to inform data subjects of how their personal data will be used and processed when collecting the data, or before using or processing such personal data and before conducting any action in respect of the personal data. Such personal data can only be used or processed for the purposes consented to by the data subject.

Rights to access information

Yes. Data subjects have a right to review and update personal data held by electronic system operators about them. Additionally, data subjects have the rights to access and obtain the history of their personal data stored in such electronic systems.

Rights to data portability

The EIT Law and its implementing regulations do not regulate ‘rights to data portability’.

Right to be forgotten

Under the EIT Law and GR 71, data subjects have the right to request that electronic system operators erase any irrelevant data relating to them. This right is subdivided into two separate rights: (i) the right to erasure (from the electronic system); and (ii) the right of delisting – which is the removal of personal data from search engine results.

The ‘irrelevant data’ that are subject to the right of erasure consist of personal data: (i) that are obtained and processed without consent; (ii) the consent for the use of which has been withdrawn; (iii) that are obtained and processed unlawfully; (iv) that are no longer in line with the purpose of its collection; (v) the use of which has exceeded the applicable period of use; and/or (vi) that are displayed by the electronic system operator and this inflicts losses to the data subjects. The obligation of the electronic system operator to erase the irrelevant data does not apply if the erasure is prohibited by the prevailing laws and regulations.

The irrelevant data that are subject to the right of delisting are not clearly defined. The delisting must be done based on court order which will be issued based on the application of the data subjects.

Objection to direct marketing

There are no specific provisions regarding the right to object to direct marketing. However, it is good practice to inform data subjects if their personal data will be used for direct marketing as part of the process of obtaining consent.

Other rights

None.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

GR 71 imposes a general requirement on the electronic system operator to implement a security system to protect personal data and the electronic systems used must undergo a reliability test (either conducted independently or by the authorised institutions).

Specific rules governing processing by third party agents (processors)

GR 71 provides that in case the electronic system operator carries out its electronic system through an electronic agent, the obligations of the electronic system operator under GR 71 shall apply mutatis mutandis to the electronic agent.

Notice of breach laws

Yes. An electronic system operator is required under the EIT Law and its implementing regulations to notify data subjects if the electronic system operator's security system has been breached.

Additionally, an electronic system operator must also notify the relevant authority in case of a failure or interruption to the electronic system which has a serious impact on the electronic system itself and which is caused by the action of other parties on the electronic system.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

GR 71 allows private electronic system providers to manage, process and/or store electronic systems and electronic data in and/or outside Indonesia. If the management, processing and/or storage of the electronic systems and electronic data is conducted outside Indonesia, the private electronic system operator shall ensure the effective supervision by the relevant authorised ministries, government institutions and law enforcement. The private electronic system operator shall give access to its electronic system and electronic data within the framework of supervision and law enforcement according to the laws and regulations of Indonesia.

However, a public electronic system operator must manage, process and/or store electronic system and electronic data in Indonesia, unless the relevant storage technology is not available in Indonesia. The criteria for the unavailability of such storage technology shall be determined by a committee consisting of the relevant ministries and government institutions, including Menkominfo.

Notification and approval of national regulator (including notification of use of Model Contracts)

Under Reg 20, an electronic system operator must notify Menkominfo of its plan to transfer the personal data outside Indonesia before the transfer. After the transfer, the electronic system operator must submit a post-transfer report to Menkominfo, which must include details of the transfer. The notification to Menkominfo does not need to be made for each instance of cross-border transfer, and may include plans for several cross-border transfers in the future. It is the current policy of Menkominfo that despite the provision of GR 71 (which allows the management, processing and/or storage of the electronic system and electronic data outside Indonesia), the notification and reporting obligations do not contradict GR 71 and therefore, remain applicable.

Use of binding corporate rules

There is currently no ability to use binding corporate rules under the EIT Law or any of its implementing regulations.

_____________________________________________________________________

Enforcement

Fines

Breaches of the EIT Law may lead to administrative and civil liability, which includes fines ranging from IDR 600 million to IDR 12 billion (approximately €40,000 to €800,000).

Imprisonment

Breaches of the EIT Law may lead to criminal sanctions for violations of privacy which include between one and 12 years’ imprisonment.

Compensation

Data subjects have the right to compensation for contravention of their rights under the EIT Law and its implementing regulations. These laws entitle a data subject to claim damages for loss against any party which causes that loss. In addition, compensation may be available under the Indonesian Civil Code. This is based on the general law of tort under the Indonesian Civil Code and allows an aggrieved data subject to claim damages for actual loss suffered by the data subject where that loss is caused by an unlawful act of an electronic system operator. In this context, the term “unlawful act” is interpreted broadly, including not only violations of statutory law, but also violations of public morals or the duty of care owed to other persons' interests. There is no clear definition in Indonesian law on what violates “public morals” or “duty of care”. The meaning of these terms varies over time and in different places.

Other powers

Menkominfo may impose administrative sanctions, such as a written warning and temporary suspension of activity, on an electronic systems provider that breaches the provisions of GR 71, Reg 20 or Reg 5.

Practice

Other enforcement action: We are not aware of any significant court cases directly relating to the unlawful use or processing of personal data.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific ePrivacy laws, and the EIT Law and its implementing regulations do not contain provisions on direct marketing. However, any marketing materials distributed to consumers in Indonesia should be compliant with applicable Indonesian consumer protection laws (including the specific consumer protection provisions of the EIT Law and the general requirements under Law No. 8 of 1999 on Consumer Protection) and the sectoral regulations (if applicable), particularly the provision which prohibits business entrepreneurs from in any way coercing the offering of goods and/or services in a manner which may cause physical or psychological disturbance to consumers.

_____________________________________________________________________

Cookies

Conditions for use of cookies

The use of cookies is not specifically regulated in Indonesia. To the extent that cookies contain personal data, the provision applicable to personal data (discussed above) will also apply.

Regulatory guidance on the use of cookies

There are no specific regulations regarding guidance on the use of cookies.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Under the EIT Law and its implementing regulations, personal data processing is only allowed with the prior consent of the data subject. In practice, senders of direct marketing by e-mail use the following process to comply with the EIT Law: (i) send an email which identifies the sender and explains the purpose of the e-mail to the recipient; and (ii) stop sending direct marketing by e-mail to the recipient if the recipient does not reply to the first e-mail.

Conditions for direct marketing by e-mail to corporate subscribers

There are no specific provisions on the conditions for sending direct marketing by e-mail to corporate subscribers. However, the provisions applying to individuals described above also apply to corporate subscribers.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under the EIT Law and its implementing regulations, personal data processing is only allowed with the prior consent of the data subject. In practice, telephone marketers use the following process to comply with the EIT Law: (i) place a call which identifies the caller and explains the purpose of the call to the recipient; and (ii) stop the call if the recipient does not wish to continue the call.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no specific provisions on the conditions for sending direct marketing by telephone to corporate subscribers. However, the provisions applying to individuals described above also apply to corporate subscribers.

Exemptions and other issues

Not applicable.

_____________________________________________________________________