Indonesia to Introduce Personal Data Protection Rules in Electronic Systems

Continuing the momentum of developing Indonesia’s personal data protection, in addition to proposing the Draft Bill on Personal Data Protection (“PDP Bill”) to Indonesia’s parliamentary body,[1] the House of Representatives (“House”), the Minister of Communication and Information Technology (“MOCIT”) has drafted a regulation on personal data protection in electronic systems (“PDP Draft Regulation”).

According to recent updates, the PDP Draft Regulation’s issuance will be prioritized over the PDP Bill, which has not been included in the 2016 Priority National Legislative Program (“Legislative Program”),[2] and as such is likely to be further delayed until 2017 at the earliest. Based on confirmation from an official from the Ministry of Communication and Informatics, the PDP Draft Regulation will be enacted in June this year.

This article elaborates on the provisions set out under the PDP Draft Regulation, along with any related provisions under the PDP Bill.

Definitions

Being an implementation instrument of Government Regulation No. 82 of 2012 regarding Implementation of Electronic Systems and Transactions (“Electronic Systems Regulation”), which is also a derivative legislation of Law No. 11 of 2008 regarding Electronic Information and Transactions (“EIT Law”), the primary purpose of the PDP Draft Regulation is to set out personal data rules for electronic system administrators.

Considering this main purpose of the PDP Draft Regulation, the most essential definitions under the PDP Draft Regulation are those given to the terms:

  1. Personal data; and
  2. Electronic system administrators.

Personal Data

The PDP Draft Regulation remains in conformance with the definition of “personal data” under the Electronic Systems Regulation, namely “certain personal data of which the accuracy is kept, treated, and maintained, and of which the confidentiality is protected,” a definition originally derived, word for word, from Law No. 23 of 2006 regarding Citizen Administration, as amended by Law No. 24 of 2013 (“Citizen Administration Law”).[3]

However, the PDP Draft Regulation expands the definition of “certain personal data,” introducing the concept of identified personal data. “Certain personal data” is defined as “any true and valid information which is inherent and can be identified, whether directly or indirectly, to each respective individual which is exploited in accordance with the provisions of laws and regulations.”[4]

This definition of “certain personal data” is similar to the definition of “personal data” under the PDP Bill, which is “every data regarding the life of a person, whether identified and/or can be identified separately or in combination with other information, either directly or indirectly, through electronic and/or non-electronic systems.”[5]

As can be observed from these new definitions, the general direction for Indonesia’s privacy law framework is leaning towards regulating identified personal data rather than anonymous personal data which is currently prevalent under the Electronic Systems Regulation, as well as the Citizen Administration Law. Below is a comparison of these definitions.

| PDP Bill | PDP Draft Regulation | Electronic Systems Regulation and Citizen Administration Law |
|---|---|---|
| Personal Data: “Every data regarding the life of a person, whether identified and/or can be identified separately or in combination with other information, either directly or indirectly, through electronic and/or non-electronic systems.”[6] | Personal Data: “Certain personal data of which the accuracy is kept, treated, and maintained, and of which the confidentiality is protected.”[7] | Personal Data: “Certain personal data of which the accuracy is kept, treated, and maintained, and of which the confidentiality is protected.”[9] |
| | Certain Personal Data: “Any true and valid information which is inherent and can be identified, whether directly or indirectly, to each respective individual which is exploited in accordance with the provisions of laws and regulations.”[8] | |

What this means is that only identified personal data will be subject to the provisions under the PDP Bill and PDP Draft Regulation. As an example, data collected from website cookies are generally anonymous personal data, which will be outside the scope of the PDP Bill and PDP Draft Regulation, meaning that they can be freely used without being subject to the PDP Bill and PDP Draft Regulation.

It is important to note, however, that the definition of certain personal data under the PDP Draft Regulation, as well as the definition of personal data under the PDP Bill, covers pseudo-anonymous personal data, a type of data in between anonymous and identified data.

An example is IP addresses that can be linked to a specific customer of an internet service provider. Even if the internet service provider has details on the customer of a specific IP address, the actual person operating the computer using the IP address in question cannot be ascertained (much like the registration plate of a car: the owner of the car can be identified, but it is not always the owner who is behind the steering wheel).

Electronic System Administrators

As a whole, the PDP Draft Regulation only applies to “electronic system administrators,” which is defined as “any person, state authority, business entity, and community that provides, manages, and/or operates an electronic system, whether independently or jointly, for the electronic system’s users for its own interests and/or the interests of other parties.”[10]

To further understand what is considered as electronic system administrators, “electronic systems” are defined as “a series of electronic devices and procedures that functions to prepare, collect, process, analyse, store, display, announce, transfer, and/or distribute electronic information.”[11] Electronic information may include “text, sounds, images, maps, drafts, photographs, electronic data interchange (EDI), electronic mails, telegrams, telex, telecopy or the like, letters, signs, figures, access codes, symbols, or perforations that have been processed or understandable to persons qualified to understand them.”[12]

When the definitions of “electronic system administrator” and “electronic system” mentioned above are read together, the scope of the PDP Draft Regulation is essentially any person or entity that administers an electronic system containing personal data. This would include an office that uses internal servers or networks, which will inevitably contain the personal data of employees.

Protection of Personal Data in Electronic Systems

Similar to the PDP Bill, the PDP Draft Regulation covers the phases of personal data management quite comprehensively and complements the provisions under the PDP Bill.

Protection of personal data in electronic systems extends to any person or entity that intends to obtain, collect, process, analyse, store, display, announce, transfer, distribute, and dispose of personal data via an electronic system.[13]

Agreement

First and foremost, there must be an agreement between the respective personal data owner and electronic system administrator. This agreement must at least set out three main matters:

  1. Purposes that the personal data will serve;
  2. Processes that will be undertaken to the personal data; and
  3. Consent of the respective personal data owner that his/her personal data will undergo processes to serve the purposes set out in the agreement.

In addition, the agreement must be made in Bahasa Indonesia, although the PDP Draft Regulation does not prohibit versions in other languages to also be provided and be made as the controlling version (the version that will prevail in case of any discrepancies between the different language versions).[14]

If the personal data owner is a minor, consent must be obtained from his/her parents or guardian. The PDP Draft Regulation does not set the age that is considered a minor, for example those under the age of 18 or 21, and refers instead to prevailing laws and regulations.[15] The main issue in referring to prevailing laws and regulations is that there are differing age stipulations, as elaborated in the table below, causing confusion as to which legislation the PDP Draft Regulation is actually referring to.

| Legislation | Definition of Minor |
|---|---|
| Indonesia Criminal Law Code (Kitab Undang-Undang Hukum Pidana) | Under 16 years of age[16] |
| Indonesia Civil Law Code (Kitab Undang-Undang Hukum Perdata) | Under 21 years of age[17] |
| Law No. 1 of 1974 regarding Marriage | Under 18 years of age[18] |
| Law No. 13 of 2003 regarding Labour | Under 18 years of age[19] |
| Law No. 12 of 1995 regarding Penitentiary | Under 18 years of age[20] |
| Law No. 11 of 2012 regarding Juvenile Criminal Justice System | Under 18 years of age[21] |
| Law No. 39 of 1999 regarding Human Rights | Under 18 years of age[22] |
| Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014 | Under 18 years of age[23] |
| Law No. 44 of 2008 regarding Pornography | Under 18 years of age[24] |
| Law No. 21 of 2007 regarding Eradication of Crime of Human Trafficking | Under 18 years of age[25] |

Obtaining and Collecting Personal Data

Obtaining and collecting personal data must be based on the purposes set out in the agreement between the respective personal data owner and electronic system administrator. In other words, personal data may only be obtained and collected from the person in question to serve certain stated purposes.[26]

As an example, in a workplace, the company may need your full name, address, contact number, and social security details; however, a workplace will not require your credit history or medical records (unless relevant; for example, a workplace could involve an environment that will cause seizures in persons suffering from epilepsy).

Personal data may only be obtained and collected based on prior consent as expressly provided under the agreement between the respective personal data owner and electronic system administrator. In addition, persons whose personal data is being collected may give their consent on the condition that their personal data is kept confidential and must not be transferred or disclosed to other parties.[27]

Processing Personal Data

As previously explained, personal data may only be processed and analysed in accordance with what is set out in the agreement between the respective personal data owner and electronic system administrator, which will also state the consent to process the personal data. However, these requirements (agreement and prior consent) do not apply to the processing of personal data that has been publicly displayed or disclosed by public services.[28]

Storing Personal Data

The PDP Draft Regulation provides a minimum retention period of 5 years for personal data, unless stipulated otherwise by a sector-specific legal instrument. This retention period is calculated from when the personal data owner terminates the use of the services of the electronic system administrator. For example, if a person deletes an email address on 22 February 2016, any personal data attached to that email must be kept until 22 February 2021.[29]

With respect to electronic system administrators of public services,[30] the data centre[31] and disaster recovery centre[32] must be located in Indonesia.

Displaying, Announcing, Distributing, and Providing Access to Personal Data

Any display, announcement, transfer, distribution, or provision of access to personal data must be based on consent and may only take place after the accuracy of the personal data has been verified. These requirements apply to displays, announcements, transfers, distributions, or provisions of access conducted between electronic system administrators, between electronic system administrators and users, and between users.[33]

It is important to note that displaying, announcing, transferring, distributing, or providing access to personal data to the general public may only be conducted for personal data administered by public services,[34] unless public services[35] are also prohibited from doing so based on prevailing laws and regulations.[36]

Overseas Transfer of Personal Data

Any overseas transfer of personal data conducted by the government or private entity must be reported to the Minister of Communication and Informatics. The report must be submitted prior to and after conducting the overseas transfer of personal data.[37]

Disposal of Personal Data

The disposal of personal data may be carried out under the following circumstances:[38]

  1. The retention period has passed based on the PDP Draft Regulation or a sector-specific regulation; or
  2. Based on request from the personal data owner.

The disposal of personal data must be carried out thoroughly, covering electronic and non-electronic copies, such that the disposed personal data can no longer be retrieved.[39]

Electronic System Requirements

The PDP Draft Regulation establishes a number of requirements for electronic systems that administer personal data. One of the requirements is that the electronic system must be certified by an electronic certification institution acknowledged by the MOCIT in accordance with the Electronic Systems Regulation. Other requirements include:[40]

  1. Being able to connect with, and being compatible with, other relevant electronic systems;[41] and
  2. Using legally acquired (non-pirated) software.

Internal Policies

In addition to the electronic system requirements as stated above, any electronic system administrator that manages personal data must establish internal guidelines on obtaining, collecting, processing, analysing, storing, displaying, announcing, transferring, distributing, and providing access to personal data.[42]

These internal guidelines must take into account aspects of applicable technology, human resources, technical procedures, and cost analysis, as well as be in accordance with the PDP Draft Regulation and other prevailing laws and regulations.[43]

The main purpose of establishing such internal guidelines is to prevent personal data leakage, which must be followed up by:[44]

  1. Increasing the awareness of employees on the importance of personal data protection; and
  2. Providing training for employees regarding the steps that must be taken to protect personal data that are being administered.

In relation to these internal guidelines that must be established by electronic system administrators, the PDP Bill requires the level of security for each type of personal data to be determined individually, taking into consideration the characteristics, size, and possible risk of the respective personal data. The PDP Bill also requires that policies related to personal data be made publicly available.[45]

Notification Obligation

As required by the Electronic Systems Regulation, the PDP Draft Regulation requires electronic system administrators to notify the respective personal data owner of any leakage of his/her personal data. This notification must elaborate on the reasons or cause of the personal data protection failure, and may be delivered electronically, provided that the personal data owner in question has consented to this.[46]

There are also other related notification obligations under the Electronic Systems Regulation and PDP Bill.

The PDP Bill stipulates a notification obligation similar to the PDP Draft Regulation’s, but expands on the details that must be contained in the notification made to the personal data owner, including: 1) which personal data was leaked, 2) the time and sequence of events that led to the personal data leak, 3) the efforts made to address the personal data leak, and 4) contact information to find out further details on the personal data leak.[47]

The Electronic Systems Regulation, on the other hand, requires electronic system administrators to immediately notify law enforcement authorities or the relevant sectoral supervisory and regulatory institution (for example, in the banking sector, this would be the Financial Services Authority and Bank Indonesia, Indonesia’s central bank) in the event of an attack by an outside party that causes a system failure which may lead to serious impacts.[48]

Dispute Resolution Procedure

A dispute resolution procedure for personal data protection failure is a newly stipulated matter under both the PDP Bill and PDP Draft Regulation.

First and foremost, the PDP Bill provides that the disputing parties must undertake extra-judicial processes to settle their conflict before resorting to filing a claim with the local district court. This can take the form of mediation or arbitration, or any other procedure agreed by the parties, including the alternative dispute resolution procedure provided under the PDP Draft Regulation, which is further explained below. Any amicable solution produced by such extra-judicial means will be final and binding upon the disputing parties.[49]

However, it is unclear whether the mandatory mediation at district courts that must be undertaken by any disputing parties in civil cases[50] is considered to fulfil this obligation to undergo extra-judicial means before bringing the case to a district court. If it is considered to fulfil this obligation, the disputing parties are ultimately not required to go through any extra-judicial proceedings and may directly attempt to resolve their dispute at the local district court, which requires the disputing parties to first undertake a mandatory mediation process before proceeding with the case.

Alternative Dispute Resolution Procedure under the PDP Draft Regulation

Any personal data owner or electronic system administrator may lodge a formal complaint regarding personal data protection failure to the so-called Personal Data Dispute Resolution Institution (“Institution”) under the MOCIT, which will initiate an extra-judicial dispute resolution proceeding between the conflicting parties. This formal complaint may be lodged based on:[51]

  1. Failure by the electronic system administrator to provide written notification regarding the personal data protection failure; or
  2. Damages caused by the personal data protection failure, notwithstanding any written notification made by the respective electronic system administrator.

A formal complaint may be filed against the electronic system administrator directly responsible for the personal data or any other electronic system administrator that is related to the personal data in question.[52]

The formal complaint must be lodged within 30 business days of the injured party discovering the personal data leakage or breach. The formal complaint must be accompanied by supporting evidence and contain the following details:[53]

  1. Name and address of the applicant;
  2. Reasons or basis for filing the formal complaint;
  3. Request of the amicable settlement to the issue; and
  4. Place and time of submission of the formal complaint, completed with the signature of the applicant.

The Institution has 14 business days from receiving a formal complaint to state whether or not it fulfils the administrative requirements mentioned above. The Institution will return any formal complaint that fails to do so, and the applicant will have 30 business days from the return of the formal complaint to complete the administrative requirements.[54]

Upon receiving a completed formal complaint, the Institution will initiate the proceedings within 14 business days. During these proceedings, the Institution may recommend to the MOCIT that administrative sanctions be imposed on any electronic system administrator involved in the dispute, even if the dispute remains unresolved.[55]

In the event the Institution is unable to resolve the dispute between the parties, the injured party may file a civil lawsuit against the electronic system administrator with the local district court.[56]

Administrative Sanctions

Any person or legal entity found administering personal data contrary to the provisions under the PDP Draft Regulation or any other prevailing laws and regulations will be subject to the following administrative sanctions:[57]

  1. Verbal or written warning;
  2. Temporary suspension of business activities; or
  3. Public announcement of the violation.

The procedure in imposing the said administrative sanctions will be detailed further separately by the MOCIT.[58]

FOOTNOTES

[1] See: Andin Aditya Rahman, “Developments Seen in Indonesia’s Privacy Law,” 26 November 2015

[2] See: Andin Aditya Rahman, “Indonesia’s 2016 Priority National Legislative Program,” 17 March 2016

[3] PDP Draft Regulation, Art. 1 (1); Electronic Systems Regulation, Art. 1 (27); Citizen Administration Law, Art. 1 (22)

[4] In Bahasa Indonesia: “Setiap keterangan yang benar dan nyata yang melekat dan dapat diidentifikasi, baik langsung maupun tidak langsung, pada masing-masing individu yang pemanfaatannya sesuai ketentuan peraturan perundang-undangan.” See: Article 1 (2) of the PDP Draft Regulation

[5] In Bahasa Indonesia: “Setiap data tentang kehidupan seseorang baik yang teridentifikasi dan/atau dapat diidentifikasi secara tersendiri atau dikombinasi dengan informasi lainnya baik secara langsung maupun tidak langsung melalui sistem elektronik dan/atau non elektronik.” See: Article 1 (1) of the PDP Bill

[6] Ibid

[7] In Bahasa Indonesia: “Data Perseorangan Tertentu yang disimpan, dirawat, dan dijaga kebenaran serta dilindungi kerahasiaannya.” See: Article 1 (1) of the PDP Draft Regulation

[8] Supra, n. 4

[9] In Bahasa Indonesia: “Data perseorangan tertentu yang disimpan, dirawat, dan dijaga kebenaran serta dilindungi kerahasiaannya.” See: Article 1 (22) of the Citizen Administration Law

[10] In Bahasa Indonesia: “Setiap orang, penyelenggara negara, badan usaha, dan masyarakat yang menyediakan, mengelola, dan/atau mengoperasikan Sistem Elektronik baik secara sendiri-sendiri maupun bersama-sama kepada Pengguna Sistem Elektronik untuk keperluan dirinya dan/atau keperluan pihak lain.” See: Article 1 (4) of the Electronic Systems Regulation; Article 1 (6) of the PDP Draft Regulation

[11] In Bahasa Indonesia: “Serangkaian perangkat dan prosedur elektronik yang berfungsi mempersiapkan, mengumpulkan, mengolah, menganalisis, menyimpan, menampilkan, mengumumkan, mengirimkan, dan/atau menyebarkan informasi elektronik.” See: Article 1 (5) of the PDP Draft Regulation; Article 1 (5) of the EIT Law; Article 1 (1) of the Electronic Systems Regulation

[12] In Bahasa Indonesia: “tulisan, suara, gambar, peta, rancangan, foto, electronic data interchange (EDI), surat elektronik, telegram, teleks, telecopy atau sejenisnya, huruf, tanda, angka, kode akses, simbol, atau perforasi yang telah diolah yang memiliki arti atau dapat dipahami oleh orang yang mampu memahaminya.” See: Article 1 (6) of the Electronic Systems Regulation

[13] PDP Bill, Art. 3

[14] PDP Bill, Art. 6

[15] PDP Bill, Art. 37

[16] Indonesia Criminal Law Code, Art. 45

[17] Indonesia Civil Law Code, Art. 330

[18] Law No. 1 of 1974 regarding Marriage, Art. 47

[19] Law No. 13 of 2003 regarding Labour, Art. 1 (26)

[20] Law No. 12 of 1995 regarding Penitentiary, Art. 1 (8)

[21] Law No. 11 of 2012 regarding Juvenile Criminal Justice System, Art. 1 (3), (4) and (5)

[22] Law No. 39 of 1999 regarding Human Rights, Art. 1 (5)

[23] Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014, Art. 1 (1)

[24] Law No. 44 of 2008 regarding Pornography, Art. 1 (4)

[25] Law No. 21 of 2007 regarding Eradication of Crime of Human Trafficking, Art. 1 (5)

[26] PDP Draft Regulation, Art. 7

[27] PDP Draft Regulation, Art. 7, and 9 (1)

[28] PDP Draft Regulation, Arts. 12, and 13

[29] PDP Draft Regulation, Art. 16

[30] According to Law No. 25 of 2009 regarding Public Services, public services include those that entail procurement and distribution of goods, as well as the provisions of services that are conducted: 1) by government institutions or bodies, which are wholly or partially funded by the state budget or regional budget, 2) by any government-owned business entity (state-owned enterprises and regional-owned enterprises), and 3) for purposes of fulfilling state missions.

[31] Data centre is a facility to accommodate the electronic system and its components to place, store, and process data. See: Article 17 (2) of the PDP Draft Regulation

[32] Disaster recovery centre is a facility to recover data or information and critical functions of the electronic system which has suffered errors or been damaged by natural and/or man-made disasters. See: Article 17 (3) of the PDP Draft Regulation

[33] PDP Draft Regulation, Art. 21

[34] Supra, n. 29

[35] Ibid

[36] PDP Draft Regulation, Art. 21

[37] PDP Draft Regulation, Art. 23

[38] PDP Draft Regulation, Art. 26 (1)

[39] PDP Draft Regulation, Art. 26 (2)

[40] PDP Draft Regulation, Arts. 4, and 11

[41] See: Official Elucidation of Article 6 (1) letter a and Article 23 of the Electronic Systems Regulation

[42] PDP Draft Regulation, Art. 5 (1) jo. Art. 3

[43] PDP Draft Regulation, Art. 5 (3)

[44] PDP Draft Regulation, Art. 5 (2) and (4)

[45] PDP Bill, Arts. 19, and 20 (3)

[46] PDP Draft Regulation, Art. 29 letter c

[47] PDP Bill, Art. 29

[48] Electronic Systems Regulation, Art. 20 (3)

[49] PDP Bill, Art. 41

[50] See: Supreme Court Regulation No. 1 of 2016 on the Mediation Procedure in Courts

[51] PDP Draft Regulation, Arts. 30, and 31

[52] PDP Draft Regulation, Art. 30 (3)

[53] PDP Draft Regulation, Art. 32 letters a, b and c

[54] PDP Draft Regulation, Art. 32 letters d and e

[55] PDP Draft Regulation, Art. 32 letters f and h

[56] PDP Draft Regulation, Art. 33

[57] PDP Draft Regulation, Art. 36 (1)

[58] PDP Draft Regulation, Art. 36 (2)
