Cyber Security in Indonesia

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

Yes. Under article 32 of the Law of the Republic of Indonesia Number 11 of 2008 concerning Electronic Information and Transactions (EIT Law):

(a) Each person is prohibited, whether intentionally and without right or unlawfully, from changing, adding, reducing, transmitting, destroying, deleting, transferring or hiding in any way electronic information and/or electronic documents belonging to other persons.

(b) Each person is prohibited, whether intentionally and without right or unlawfully, from moving or transferring electronic information and/or electronic documents to another person.

(c) Each person is prohibited, whether intentionally and without right or unlawfully, from committing the act as referred to in point (a) if that causes confidential electronic information and/or electronic documents to become accessible by the public.

Violation of the above provisions may result in imprisonment of up to 10 years and/or monetary fines of up to Rp. 5,000,000,000. Further, under the EIT Law and Government Regulation (GR) 82, any use of personal data (e.g. collecting, processing, disclosing, transferring, etc.) must be based on consent from the relevant data owner, and that use of personal data must be in accordance with the purpose conveyed to the data owner when the personal data was collected. Consequently, any unauthorised access to or storage of personal data is unlawful. In addition to the EIT Law, article 322.1 of the Indonesian Criminal Code also provides that anyone who intentionally discloses confidential information that he/she is under an obligation to keep secret by virtue of his/her present or past position or employment is subject to nine months' imprisonment. A violation of GR 82 may also result, where the relevant party is a legal entity, in administrative sanctions in the form of warning letters, administrative fines, suspension, and deregistration as a business.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out information about who may have accessed your data without authority and/or how it was used?

There is no specific legal mechanism in relation to a data breach. However, the matter could be referred to the police and/or other relevant institutions (e.g. the District Attorney and the Minister of Communications and Informatics) in the case of criminal proceedings, and, based on such reports, the relevant authorities may conduct investigations and identify any relevant matter (e.g. who may have accessed the data, how it was used and/or other relevant matters in relation to the alleged violation or breach).

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?
Generally, in Indonesia, all proceedings are open to the public (except for several matters such as family and child proceedings, etc.), and any information or documentation obtained from such proceedings (including the court judgments) is also available to the public and can be used for any purpose. In reality, though, gaining public access is very difficult and rarely done, and judgments are not readily available.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

No. As noted above, the general rule is that all proceedings are open to the public (except for several matters such as family and child proceedings, etc., as determined by the relevant Court).

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

It is not possible to do so in the case of criminal proceedings. However, it may be possible to do so in the case of a civil proceeding, provided that there has been no court judgment for that case and the relevant claim is revoked by the plaintiff before the defendant has filed any response to the claim.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes. As a general rule, under GR 82, Electronic Systems Operators must:

  • maintain the secrecy, integrity, and availability of personal data that is being managed;
  • ensure that the collection and use of personal data is based on the personal data subject’s consent, unless otherwise provided by laws and regulations; and
  • ensure that the use or disclosure of data is with the personal data subject’s consent, and in accordance with the purpose for the data collection conveyed to the personal data subject.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

Not specifically. However, as noted above, any use of personal data (including the transfer of data) must be done with the data subject's consent.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

Yes. GR 82 requires written notification to the relevant data subjects in the case of a data breach. However, there is no specific procedure or timeline in relation to the notification.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

No.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

No.