The Minister of Communication and Informatics has issued Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (Data Protection Regulation), which became effective on 1 December 2016 (but was only made publicly available on 9 December 2016). This regulation is an implementing regulation of the Electronic Information and Transactions Law (i.e., Law No. 11 of 2008) (EIT Law) and Government Regulation No. 82 of 2012 (GR 82) (which address the use of personal data through electronic media/systems).
The Data Protection Regulation emphasizes the current personal data protection provisions in Indonesia by providing new measures to protect the use of personal data in electronic systems.
While the data protection regime in Indonesia is not as sophisticated as those of other developed countries (such as European countries or Singapore), the Data Protection Regulation introduces new measures that clients need to be aware of, although there is a two-year period for compliance with the Data Protection Regulation.
The Ministry of Communication and Informatics (MOCI) will use the two-year transitional period to prepare for the implementation of the new regulation, as many provisions require further clarification and processes.
Implications for Electronic System Operators
The Data Protection Regulation provides more detailed provisions than the EIT Law and GR 82 on how to use personal data in electronic systems in every stage of the process, namely acquiring and collecting, processing and analyzing, storing, displaying, announcing, transmitting, disseminating and/or providing access to, and/or deleting personal data.
Failure to comply with the provisions of the Data Protection Regulation could lead to administrative sanctions, including verbal warnings, warning letters, temporary suspension of business activities, and announcement on an online website.
In terms of coverage, the Data Protection Regulation does not specifically state that it has extraterritorial coverage like the EIT Law. However, as an implementing regulation of the EIT Law, there should be an assumption that it does have extraterritorial coverage. It remains to be seen whether the MOCI will enforce the Data Protection Regulation against offshore electronic system operators.
What the Data Protection Regulation says
Definition of Personal Data
The Data Protection Regulation defines:
- “Personal Data” as “certain individual data which is stored, maintained and kept accurate and the confidentiality of which is protected”.
- “Certain individual data” is defined as “true and actual information that is attached to and identifiable towards, directly or indirectly, an individual”.
The definition above is very broad and could basically cover any information about an individual. It is unclear what would not be considered personal data and whether anonymized data or publicly available data (or data which is otherwise not confidential) is covered under the definitions.
Requirements for Personal Data Usage
The Data Protection Regulation classifies the requirements in “using” Personal Data based on the relevant processes, i.e.:
Acquiring and collecting
1. The acquisition and collection of Personal Data is limited to the specific purposes set out in the collection form.
2. Data owners must be given options to (a) specify whether the collected Personal Data is confidential, and (b) change, add to or update their Personal Data.
3. Collected Personal Data must be verified to ensure its accuracy.
4. Electronic system operators must have interoperability and compatibility, and must utilize legal (read as non-pirated) software.
Processing and analyzing
1. The processing and analyzing of Personal Data is limited to the extent disclosed to, and consented to by, the data owners.
2. The processed and analyzed Personal Data must be verified to ensure its accuracy.
Storing
1. Stored Personal Data must be verified to ensure its accuracy.
2. Stored Personal Data must be encrypted (the minimum requirement for the encryption is unclear).
3. The minimum retention period for stored Personal Data is 5 years (unless stated otherwise in other laws and regulations).
4. Electronic system operators must have onshore data centers and disaster recovery centers if they are engaged in “public service” activities (the Data Protection Regulation does not define “public service”, so this issue, which has arisen under other regulations, remains unclear).
Displaying, announcing, transmitting, disseminating and/or providing access
1. The display, announcement, transmission, dissemination and/or accessibility of Personal Data are limited to the extent disclosed to, and consented to by, the data owners.
2. The Personal Data that is used in these processes must be verified to ensure its accuracy.
3. Offshore data transfers may only be conducted after coordination with the MOCI (which involves reporting the plan and results of the transfer and seeking advocacy (the latter is unclear)). This process will need to be further clarified by the MOCI.
4. Providing access to Personal Data can be done for law enforcement purposes based on a valid request from the law enforcement agency.
Deleting
1. Deletion of Personal Data can only be done (a) if the retention period has expired, or (b) based on a request from the data owner (and supported by a court order (see below)).
2. Deletion of Personal Data covers both electronic and non-electronic deletions to the point where such Personal Data cannot be re-displayed in an electronic system unless the data owner gives the Personal Data/consent again.
The following are general requirements that are not specific to the processes above but are relevant.
1. Consent
Any use of Personal Data through an electronic system may only be done with proper prior consent from the data owner. The consent must be in writing (meaning an express consent), whether manually or electronically, and in the Indonesian language (although there is no prohibition of a dual language format, so that format can still be used, if preferred). Further, the consent is only effective after a complete explanation from the electronic system operators on the intended use, broadly defined as noted above, of the Personal Data.
There is no further elaboration on the nature of the consent form and consequently it is unclear whether this means that a separate form must be prepared.
How the MOCI will regulate the concept of consent and the consent form and how market practice will develop remains to be seen.
2. System Certification
Electronic system operators must use a certified electronic system. There is no further elaboration on this requirement. The only regulations that govern the electronic system certification process are GR 82 and MOCI Regulation No. 4 of 2016 on Information Security Management Systems. Clearly further clarification on the certification process is needed from the MOCI.
3. Data Breach
Electronic system operators are required to promptly notify the data owners in writing when there is a data breach. The notification:
(i) must include the reasons or the causes of the data breach;
(ii) can be done electronically to the data owners if the approach has been approved by the data owners during the data collection;
(iii) must be received by the data owners if the breach has a potential to cause loss to the relevant data owners (that is, a positive obligation on electronic system providers to ensure that the data owner is fully aware of the breach); and
(iv) must be sent within 14 days after the data breach is known by the electronic system operator.
4. Right to be Forgotten
The Data Protection Regulation provides that the data owner has the right to request his/her personal data to be removed at any time. However, the deletion request must be made in accordance with the prevailing laws and regulations (which under the EIT Law is only for irrelevant data and must be based on a court order).
Further, the Data Protection Regulation now stipulates that the deletion of Personal Data covers both electronic and non-electronic deletions to the point where such personal data cannot be re-displayed in an Electronic System, unless the data owner gives the Personal Data/consent again.
5. Dispute Resolution
Every data owner and electronic system operator can submit a complaint to the MOCI in relation to a failure to protect Personal Data. The intent is that the complaint will be dealt with outside the court process (through a discussion or mediation). The MOCI will delegate the dispute resolution authority to its Director General, who may form a panel for the dispute resolution.
The processes and procedures for this alternative dispute resolution mechanism are not yet in place.
If the complaint cannot be resolved through the alternative dispute resolution mechanism, a claim can be submitted to the court (but this is limited to civil claims).
Actions to Consider
Electronic system operators should consider the following (noting the need for further clarifications from the MOCI and the two-year transitional period):
1. Ensure that all consents are express and written consents.
2. Ensure that there is a data collection form containing the required consent, and the data collection form specifies (i) that the data provided is accurate, (ii) that the data is not confidential (if there will be extensive use of that Personal Data) and (iii) the purposes and use, as broadly defined (above), of the Personal Data.
3. Establish internal standard operating procedures on Personal Data protection:
a. to comply with the above “usage” requirements;
b. to prevent data breaches; and
c. to stipulate the necessary actions should there be a breach of data.
4. Establish internal standard operating procedures on the deletion of Personal Data given the new provisions on the right to be forgotten.
5. Monitor processes for the certification of electronic system operators.
6. Lobby the MOCI for favorable processes and procedures that the MOCI will need to set for implementation of the Data Protection Regulation.
The enactment of the Data Protection Regulation is a significant development in Personal Data protection in Indonesia. Electronic system operators and users face new requirements in using Personal Data on electronic systems. To ensure compliance with the Data Protection Regulation, electronic system operators must start considering how to change their approach in handling Personal Data in Indonesia and taking steps to comply with the Data Protection Regulation.