The current data protection landscape in Indonesia
Until recently, Indonesia has had a largely patchwork approach to personal data protection. There is not currently a singular comprehensive data protection law or regulation; nor, for example, are there any regulations specifically addressing cookies and location data. Overall, the scattered guidance is found in regulations relating to employees; banks; criminal procedures; human rights; health; financial services; and the more detailed Electronic Information and Transactions Law (Law No. 11 of 2008) (“EIT Law”) and its implementing regulations, among others.
In 2012, Indonesia passed Government Regulation 82 (“GR82”), implementing various aspects of the EIT Law but with a key focus on ensuring that electronic system operators for “public services” use Indonesia-based data centres. The scope of “public services” is still somewhat unclear but it has the potential to cover both government organisations and certain public-facing private sector businesses (which may include certain organisations in banking, insurance, health, security, industrial services and social activities) that are serving an Indonesian customer base through some digital means or housing Indonesian data. Companies have until October 2017 to comply fully with GR82. However, there have been some ministerial statements about relaxing this requirement and some concern across sectors that a data localisation requirement would limit the ability for affected organisations to take advantage of new technologies, such as cloud computing, which typically require some transfer of data across borders.
The recently enacted Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 regarding Protection of Personal Data in Electronic Systems (“Data Protection Regulation”), which became effective on 1 December 2016, is an implementing regulation of the EIT Law and GR82. It seeks to define personal data and to lay down some requirements for protecting it. In terms of jurisdictional coverage, the Data Protection Regulation is silent on whether it applies to organisations outside of Indonesia. In practice, the enforcement risk will of course be lower, but as an implementing regulation of the EIT Law, organisations should assume that it will have extraterritorial coverage. In addition, organisations will want to comply as a matter of good business practice because, with the passage of these new requirements, internet users in Indonesia will come to expect certain minimum privacy protections to be applied by the companies they engage with.
What has changed?
In the Data Protection Regulation, MOCI stipulates requirements on personal data collection and data subject consent, personal data storage, analysis, processing, display, delivery, distribution and removal, including where the intention is to transfer personal data outside of Indonesia. These requirements appear to be largely in line with those contained in the protection laws of many other countries – although, as with all data protection laws, the devil will be in the detail of the underlying guidance and enforcement.
Why is this happening?
Indonesian ecommerce is a hot topic in Southeast Asia’s startup world. Home-grown startups GoJek, MatahariMall and Tokopedia are just some of the big names competing for a slice of a rapidly growing ecommerce and online pie. Out of a population of more than 250 million people, approximately 88 million have access to the internet largely through the ubiquity of mobile devices. This has resulted in a huge increase in the volume of personal data processed by businesses in Indonesia.
What does this mean for organisations operating in Indonesia?
Organisations must be fully compliant no later than 1 December 2018.
1. Definition of “Personal Data”
The Data Protection Regulation offers a very broad definition of “Personal Data” that could essentially cover any information of an individual. It is still unclear what would not be considered as personal data and whether anonymised data or publicly available data (or data which is otherwise not confidential) is covered under the definition.
2. Requirements for using “Personal Data”
Key actions for relevant companies include:
- Ensure that all consents obtained from personal data owners are express and in writing – further guidance will be needed as to what form these consents will have to take, since written consents may not always be practicable;
- Create a method of obtaining the required consent that effectively communicates that the personal data provided is accurate and not confidential (if there will be extensive use of the personal data);
- Communicate clearly to personal data owners the intended use of the personal data, the process to follow if personal data needs to be updated at any time, the right to be forgotten, and the necessary actions to be taken in the event of a failure to protect personal data. In particular, topics such as “the right to be forgotten”, which has consumed so much attention in Europe, will require detailed consideration and further guidance will be needed;
- Make arrangements to encrypt any stored personal data (although the exact requirements around this are yet to be codified) and monitor any further guidance on the certified electronic system that may be required;
- Be prepared to follow a clear procedure for the deletion of personal data if a request is made to exercise the ‘right to be forgotten’;
- Formulate internal standard operating procedures on data privacy to which all staff involved in the collection, storage, processing and use of personal data must adhere – organisations will need to kick off internal compliance programs;
- Keep track of any further guidance from the government for relevant companies, not falling under the data localisation limitation imposed by GR82, to transfer personal data outside of Indonesia. The required “coordination” with the MOCI or an authorised government official remains unclear. Currently, it is certain that such companies will be required to disclose the intended transfer location, identification of the receiving party, proposed date of transfer, and the reason or purpose of the transfer. In other words, organisations cannot collect data for one purpose and then transfer it outside of Indonesia for a different reason. A report on the result of the transfer will also have to be made, although it remains to be seen how reporting will be structured (for example, whether an annual report will be sufficient).
3. Retroactive Effect
Any relevant company that provided, stored and managed personal data prior to the enactment of the Data Protection Regulation must continue to maintain the privacy of the personal data managed and commence actions now with a view to full compliance no later than 1 December 2018.
The enactment of the Data Protection Regulation represents a significant development in data privacy laws and regulations in Indonesia. Non-compliance may result in administrative sanctions including warnings (verbal and in writing), a temporary suspension of business activities, and an announcement on the website of the non-compliant party. Of course, these sanctions are not the only concern – one of the key concerns with data protection breaches in any jurisdiction is the reputational fallout that tends to follow.
Meanwhile, the issue of data localisation and GR82 will continue to be a concern for organisations in Indonesia. It remains to be seen whether GR82 will be closely enforced as drafted and this may have a knock-on effect for the implementation and enforcement of the Data Protection Regulation. There is still some way to go in terms of clarity but certainly within the next two years, organisations with operations in Indonesia should expect a move from unconsolidated laws and regulations on personal data to a comprehensive and unified approach to data privacy law.