After months of drafting and deliberation, Indonesia’s Ministry of Communication and Informatics (“MOCI”) in late 2016 issued a long-awaited regulation on the protection of personal data. MOCI Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (“MOCI Reg”) was issued on 1st December 2016. The regulation aims to protect personal data handled by electronic system providers in Indonesia, a longstanding grey area in the country.
The protection of personal data in electronic systems was first regulated under Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended (“ITE Law”), which provides general overarching guidelines for the handling of personal data. The ITE Law stipulates that, unless otherwise regulated, the use of any information pertaining to a person’s personal data through an electronic media requires the consent of such person (Article 26 paragraph (1) of the ITE Law). The elucidation of this article provides that the protection of personal data is a part of privacy rights, and defines privacy rights to encompass the following:
However, the ITE Law does not define “personal data”. This definition was only given in Government Regulation No. 82 of 2012 regarding the Provision of Electronic Systems and Transactions (“GR 82”), which defines personal data as certain data of an individual which is stored, maintained, and kept accurate, and the confidentiality of which is protected. However, GR 82 does not provide any further definition of what is meant by “certain data of an individual”.
GR 82 reinforces the necessity of consent by requiring that electronic system providers (i) guarantee that the collection, use, and utilisation of personal data is conducted based on the consent of the personal data owner; and (ii) guarantee that the use or disclosure of the personal data will be done based on the consent of the personal data owner and in accordance with the purpose informed to the personal data owner during the collection of the personal data (Article 15 paragraph (1) of GR 82). Again, while undeniably important, GR 82 does not discuss the more technical aspects of personal data protection: to what extent is protection granted? Aside from consent, are there any specific obligations for the party handling the personal data? What are the rights of personal data owners? The answers to these questions can be found in the MOCI Reg.
The definition of personal data under MOCI Reg is the same as the definition given in GR 82, but MOCI Reg provides a further definition of “certain data of an individual,” namely any information that is correct and actual, that is attached to and can be identified with an individual, whether directly or indirectly, and that is used in accordance with regulations (Article 1 paragraph (2) of MOCI Reg).
MOCI Reg also addresses several previously unregulated issues that were frequent sources of uncertainty. First, MOCI Reg specifies the processes for which the protection of personal data must be ensured. These processes consist of obtaining, collecting, processing, analysing, storing, showing, announcing, transferring, distributing, opening access, and deleting personal data (Article 3 of MOCI Reg). An electronic system provider conducting any of the above activities must use a certified electronic system (Article 4 paragraph (1) of MOCI Reg) and have an internal policy on data protection that serves as a guideline to prevent any failure to protect personal data (Article 5 of MOCI Reg).
During the obtaining and collecting of personal data, MOCI Reg obliges an electronic system provider to accurately obtain and collect only information that is relevant and suitable for its purposes (Article 7 of MOCI Reg). The purpose of the collection must also conform to any action taken to process and/or analyse the personal data, unless the personal data has been openly shown or announced by an electronic system for public purposes (Article 12 paragraph (1) of MOCI Reg).
Second, MOCI Reg sets a retention period for any personal data, which is at least five years unless any regulation in the relevant sector requires otherwise (Article 15 of MOCI Reg). After this retention period, the personal data may be deleted, either at the discretion of the electronic system provider or at the request of the personal data owner (Article 19 of MOCI Reg).
MOCI Reg also explicitly regulates the rights of personal data owners and the obligations of the users of personal data. The rights of personal data owners consist of:
Whereas the user of personal data is obligated to:
The element of consent is constantly highlighted throughout the provisions of MOCI Reg. Every step or action taken by an electronic system provider, no matter how trivial, must be based on the consent of the personal data owner for that specific action. The only exception to this rule is if the personal data is handed over for the purpose of law enforcement based on a valid and legal request (Article 23 paragraph (1) of MOCI Reg).
In practice, however, there is still work to be done in the implementation of MOCI Reg. Even the requirements related to the cross-border transfer of personal data – one of the most common activities conducted by companies – are still not fully enforced. The lack of clarity as to who precisely shall supervise the obligations set forth under MOCI Reg may play a substantial part in this. Under Article 35 paragraph (1) of MOCI Reg, supervision can be done by MOCI and/or the head of the Supervisory Institution and Sector Regulator. At the end of the day, MOCI does not have the absolute authority to supervise all companies in Indonesia; at most it can only supervise companies holding licenses issued by it. As such, it will be necessary to coordinate with the relevant authorities to achieve the full implementation of MOCI Reg.
Admittedly, MOCI Reg leaves a lot of room for further discussion. Several requirements need further guidance to be properly implemented. Take, for example, the coordination requirement for the cross-border transfer of personal data. This requirement obliges any party intending to conduct a cross-border data transfer to take the following actions (Article 22 paragraph (2) of MOCI Reg):
These requirements raise more questions than they provide answers. What is meant by advocacy and to whom will it be requested? How often must reports be made if data is transferred periodically over, say, a year?
Fortunately, MOCI has not turned a blind eye to this matter and there has been talk of issuing further clarifications on the several ambiguous provisions of MOCI Reg. However, when or in what form these clarifications might be made is still unknown. At the same time, MOCI has prepared a draft law on personal data protection that is expected to be included in the National Legislation Programme (Program Legislasi Nasional) in the near future. This draft law is of particular importance as it would provide a firmer regulatory foundation, specifically for the prohibition on the misuse of personal data, which has seen a sharp rise in recent years.
Slowly but surely, Indonesia is paving the way to ensure its citizens are granted sufficient protection of their personal data. Patience is indeed required, but as the saying goes, anything worth having is worth waiting for.
SSEK - 18th July 2017