Governmental Civil Officials (i.e. the Ministry of Communication and Informatics officials) have the power to investigate complaints and determine violations of data privacy/protection.
- Under Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions (“GR 82”), any violations of provisions of GR82 are subject to the following administrative sanctions:
- Warning letters;
- Administrative fines;
- Suspension; and
GR 82 also provides that a written notification to the relevant data owner is required if there is a breach. However, GR 82 is silent on when the notification should be made.
The Law No. 11 of 2008 on Electronic Information and Transactions (“EIT Law”) stipulates that individuals whose rights have been violated can file lawsuits to the relevant courts.
Under Article 32 of the EIT Law:
- Each person is prohibited from intentionally and unlawfully changing, adding, reducing, transmitting, destroying, causing to disappear, transferring and hiding in any way electronic information and/or electronic documents belonging to other persons or the public;
- Each person is prohibited from intentionally and unlawfully moving or transferring electronic information and/or electronic documents to another person; and
- Each person is prohibited intentionally or unlawfully from committing the action referred to in sentence (1) that causes confidential electronic information and/or electronic documents to become accessible by the public which changes the data from the original.Other than the EIT Law, Article 322.1 of the Indonesian Criminal Code also provides that anyone who intentionally discloses confidential information that he/she is under an obligation to keep secret by virtue of his/her present or past position of employment is subject to imprisonment of nine months.
Violation of the above provision can be subject to imprisonment for up to 10 years and/or monetary fines of up to five billion Rupiah (approx. €400,000). Other than the EIT Law, Article 322.1 of the Indonesian Criminal Code also provides that anyone who intentionally discloses confidential information that he/she is under an obligation to keep secret by virtue of his/her present or past position of employment is subject to imprisonment of nine months. The Indonesian Police is the authorized official which holds the rights to investigate the above actions.
Selected Enforcement Actions/ General Comments
There are no specific laws and regulations in Indonesia that govern data privacy/protection. The main law and regulation in Indonesia that address data privacy/protection are as follows:
- The EIT Law which was enacted on 21 April 2008; and
- GR 82 which was enacted on 15 October 2012.
Implementation of the law and regulation Indonesia is an emerging market and as a civil law country its laws and regulations are principle based, where implementation is driven by policy. Therefore, the implementation of the EIT Law and GR 82 may depend on the practical approach given the nature of electronic/internet development which is likely to be more advanced than what is regulated. Enforcement of data privacy/protection clauses has not yet been tested in Indonesian courts. There has been no court case reported in relation to breaches of data privacy/protection. Requirement for Consent In principle, unless a law or regulation provides otherwise, the EIT Law requires the consent of the individuals concerned to collect, use and utilize their private or personal information through electronic media. GR 82 further requires that the use or utilization of personal information must be in accordance with the purpose conveyed to the personal data owner for the data collection. Draft Regulations The Government has been preparing draft implementing regulations in relation to data privacy protection which may come into force this year.