


Current Status of Indonesian Data Protection Legislation

published on 23 February 2021 | reading time approx. 5 minutes

In Indonesia, as of the date of this publication there is no general law on data protection. In January 2020, the Government of Indonesia officially submitted the final draft bill on Protection of Personal Data as an overarching data privacy law in Indonesia, which was included as a prioritized bill within the 2020 National Legislation Program, which is a list setting out prioritized draft legislation. Indonesia is in the process of digitalizing its economy. 

The number of internet users and mobile connections in the country has increased significantly over the last years in line with the rapid development of e-commerce and digital applications in Indonesia. A large amount of foreign and domestic investment has poured into tech-startups with new business models to monetize this rapidly developing sector. The consequence of this rapid development of the digital economy is a vast flow of personal data, accompanied by increasing risks to the security of such personal data. But although the data protection law was targeted to be enacted in 2020, we saw some further delay due to new priorities amid the global pandemic. 

Even though the exact date remains uncertain and the law is still to be considered by the House of Representatives, if passed, this will eventually become Indonesia’s first comprehensive law to specifically address the issue of data privacy. However, there are certain regulations concerning the use of electronic data in Indonesia. The principal sources of the management of electronic information and transactions are (i) Law No. 11 of 2008 regarding Electronic Information and Transactions as amended by Law No. 19 of 2016 regarding the Amendment of EIT Law (“EIT Law”), (ii) Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions (“GR 71”) and (iii) its implementing regulation, Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (“MR 20”). 

MR 20 defines personal data as any true and actual information that adheres and can be identified, either directly or indirectly, to an individual, which is used in accordance with the laws and regulations, that is stored and maintained, the truthfulness of which is maintained and the secrecy of which is protected. The processing of personal data in Indonesia follows certain key principles, particularly the lawful basis for processing. The personal data protection regulations mandate consent for any personal data processing.

However, GR 71 stipulates that processing an individual's personal data can, inter alia, be done without express consent in order to satisfy the obligations of a contract or to fulfil the request of such personal data owner when concluding an agreement or for the fulfilment of legal obligations of the personal data controller in line with applicable laws and regulations. Consent is also not required when the processing is guarding vital interests of the personal data owner or performing obligations of a public service personal data controller in the interest of the public. Although GR 71 uses the term "data controller" in connection with the above, it notably provides no further guidance on the legal obligations of such data controllers or their role and responsibilities. Moreover, GR 71 and the personal data protection regulations do not define data processors or distinguish them from data controllers. But the regulations introduce the concept of an “electronic system operator”, which is defined as any person, state official, business entity or society that provides, manages and/or operates, jointly or singly, an electronic system for the users of the electronic system for the operator's interest and/or others, and impose certain obligations on such electronic system operators.

The key requirements applicable to an electronic system operator include obligations to (i) notify data subjects of any failure in personal data protection in their electronic system no later than 14 days from becoming aware of such failure, (ii) give data subjects access to change or update their personal data, (iii) destroy any personal data in accordance with the prevailing laws and regulations and (iv) provide a contact person who can be contacted by data subjects with respect to their personal data.

Other important key principles are purpose limitation and data minimisation. MR 20 provides that one of the key forms of personal data protection is that the processing of personal data must be in accordance with the original purpose of its processing. Further, GR 71 provides that Electronic System Providers must disclose the purpose of their processing of personal data to the data subjects. MR 20 provides that Electronic System Providers may only use the personal data of data subjects in accordance with the needs of the data subjects while GR 71 adds that Electronic System Providers must put in place a mechanism that accommodates the deletion of personal data if it has outlived its relevance. MR 20 provides that Electronic System Providers need to retain personal data for a minimum period of five years unless stipulated otherwise by sectoral regulations. Data may be retained beyond the five-year period if it is to be used in accordance with its initial purpose.

The personal data protection regulations do not expressly identify transparency as a key principle, but the principle of transparency is reflected in certain obligations that apply to Electronic System Providers, who e.g. must notify data subjects of data breaches within 14 days after the discovery of such breach. Unlike in many other jurisdictions there is no requirement under the EIT Law or GR 71 to appoint a data protection officer. However, there is a general requirement under GR 71 that the electronic system operator must appoint a certified expert in the field of electronic systems and information technology. 

Some relevant provisions can also be seen with regard to the telecommunications sector. Article 40 of Law No. 36 of 1999 regarding Telecommunications provides that any person is prohibited from any tapping of information transmitted through any kind of telecommunications network. Article 42 of the Telecommunications Law further stipulates that any telecommunications services operator must keep confidential any information transmitted or received by a telecommunications service subscriber through telecommunications networks or telecommunications services provided by the respective operator. The Telecommunications Law was amended by the Omnibus Law No. 11 of 2020 on Job Creation, but it is noted that this new legislation only partially amended the Telecommunications Law and Articles 40 and 42 of the Telecommunications Law are still valid and fully enforced. 

Indonesian personal data protection regulations impose restrictions on transfers to third countries. GR 71 allows private electronic system providers to manage, process or store electronic systems and electronic data in or outside Indonesia. However, if the management, processing or storage of the electronic systems and electronic data is conducted outside Indonesia, the private electronic system operator shall ensure the effective supervision by the relevant authorized ministries, government institutions and law enforcement. The private electronic system operator shall give access to its electronic system and electronic data within the framework of supervision and law enforcement.  However, a public electronic system operator must manage, process and/or store electronic system and electronic data in Indonesia, unless the relevant storage technology is not available in Indonesia. The criteria for the unavailability of such storage technology shall be determined by a committee consisting of the relevant ministries and government institutions.

CONTACT


Markus Schlüter

Partner

+49 221 949 909 342
