LAW

Specific Regulations

Law No. 11 of 2008 regarding Electronic Information and Transaction (the "EIT Law") and the recently issued Government Regulation No. 82 of 2012 regarding Provision of Electronic System and Transaction ("Reg. 82"), which came into force on 15 October 2012.

Prior to the promulgation of Reg. 82, provisions regulating data protection and/or the collection of personal data/personal information were scattered across various regulations.

In addition to the provisions under the EIT Law and Reg. 82, a series of sector-specific regulations also contain provisions which may relate to data protection, such as:

  • Telecommunications Sector

Article 40 of Law No. 36 of 1999 regarding Telecommunications (the "Telecommunications Law") provides that any person is prohibited from any form of tapping of information transmitted through any kind of telecommunications network. Furthermore, Article 42 of the Telecommunications Law stipulates that any telecommunications services operator has to keep confidential any information transmitted and/or received by a telecommunications service subscriber through the telecommunications networks and/or telecommunications services provided by the relevant operator.

  • Public Information Sector

Article 6 of Law No. 14 of 2008 regarding Disclosure of Public Information provides that any information relating to personal rights is prohibited from distribution by public agencies or entities. Furthermore, Article 17 of the same law also prohibits the disclosure of the private information of any person, in particular information concerning family history; medical and psychological history; financial information (including assets, earnings and bank records); evaluation records concerning a person's capability, recommendations or intellect; and formal/informal education records.

  • Banking and Capital Markets Sectors

Data privacy in this sector is regulated under Law 7 of 1992 as amended by Law 10 of 1998 on Banking (the "Banking Law") and Law 8 of 1995 on Capital Markets (the "Capital Markets Law") respectively. The regulations apply to both individual and corporate data.

Bank Indonesia's Regulation No. 7/15/PBI/2007 on the Implementation of Risk Management in the Utilization of Information Technology by the Bank stipulates that the transfer of a bank's customer data (by way of establishing a data centre or data processing outside Indonesian territory) necessitates prior approval being obtained from Bank Indonesia.

In addition, the transfer of the bank's customer data for purposes other than banking transactions requires the customer's prior consent.

DEFINITION OF PERSONAL DATA

Reg. 82 defines personal data as: data of an individual which is stored and kept, and whose confidentiality and truth are maintained.

DEFINITION OF SENSITIVE PERSONAL DATA

Currently, there is no specific definition of sensitive personal data under the prevailing laws and regulations.

NATIONAL DATA PROTECTION AUTHORITY

There is no national data protection authority for data privacy in general in Indonesia.

The Capital Markets and Financial Bodies Supervisory Body ("Bapepam LK") acts as regulator of data privacy in the capital markets sector.

Bank Indonesia also acts as the regulator with regard to banks' customer data privacy issues.

REGISTRATION

Indonesia does not maintain a register of controllers or of processing activities.

DATA PROTECTION OFFICERS

There is no requirement in Indonesia for organisations to appoint a data protection officer.

COLLECTION AND PROCESSING

According to general law principles, data controllers may collect and process personal data when any of the following conditions are met:

  • the data subject consents;
  • the data controller needs to process the data to enter into or carry out a contract to which the data subject is a party;
  • the processing satisfies the data controller's legal obligation;
  • the processing is required by the Government of Indonesia or by law, or to perform a public function in the public interest, or to administer justice; or
  • the data controller has a legitimate reason for the processing, except if the processing would damage the data subject's rights, freedoms or other legitimate interests.

Both the EIT Law and Reg. 82 specifically regulate the obligation to obtain "consent" from the owner of the personal data in the case of data collection, use and processing.

Reg. 82 provides specific provisions on the obligation to set up a data centre in Indonesia, namely:

  • Before an Electronic System is implemented, the provider of the Electronic System has to obtain an Electronic Certificate from the Ministry of Communication, Information and Technology ("MCIT").
  • In providing an Electronic System, the provider should certify that its Electronic System is secure and continuous, that the personal data obtained, used and utilised is based on the owner's prior consent, and that any disclosure of the personal data is conducted in accordance with the owner's prior consent and in line with the objectives disclosed to the relevant owner.
  • The provider of the Electronic System is also obliged to provide audit track records.

TRANSFER

Reg. 82 regulates the transfer of data in Article 22, which provides that whenever electronic information and/or an electronic document is transferred, the provider has to explain the control and possession of that electronic information and/or electronic document.

SECURITY

The obligations of Electronic System Providers are regulated under Reg. 82 and include, amongst other things, obligations to:

  • Guarantee the confidentiality of the source code of the software (Article 9);
  • Ensure agreements on minimum service level and information security as well as internal communication security (Article 12);
  • Protect and ensure the privacy and personal data protection of users (Article 15);
  • Ensure the appropriate lawful use and disclosure of the personal data (Article 15);
  • Provide data centre and disaster recovery centre (Article 17);
  • Provide the audit records on all Provision of Electronic Systems activities (Article 18); and
  • Provide information in the Electronic System based on legitimate request from investigators for certain crimes (Article 29).

In the telecommunications sector, Article 19 of Minister of Communication and Informatics Regulation No. 26/PER/M.KOMINFO/05/2007 regarding the Security and Utilisation of Internet Protocol-based Telecommunications Networks ("MR 26/2007") also provides that a telecommunications service provider is responsible for data storage, since it is obliged to retain its log files for at least 3 months.

BREACH NOTIFICATION

Article 15 Paragraph 2 of Reg. 82 provides that the provider of an Electronic System must give written notification to the owner of the personal data in the event of its failure to protect that personal data.

Article 20 Paragraph 3 of Reg. 82 provides that the provider of an Electronic System must make the utmost effort to protect personal data and must immediately report any failure or serious system interference/disturbance to a law enforcement official or to the Supervising Authority of the telecommunications sector.

ENFORCEMENT

In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines. Imprisonment may be imposed in severe instances such as in the event of intentional infringement.

  • The EIT Law provides criminal penalties ranging from a fine of Rp. 600,000,000 to Rp. 800,000,000 and/or 6 to 8 years' imprisonment for unlawful access; a fine of Rp. 800,000,000 and/or 10 years' imprisonment for the interception/wiretapping of transmissions; to a fine of Rp. 2,000,000,000 to Rp. 5,000,000,000 and/or 8 to 10 years' imprisonment for the alteration, addition, reduction, transmission, tampering, deletion, moving or hiding of Electronic Information and/or Electronic Records.
  • Failure to comply with Reg. 82 is subject to administrative sanctions (which do not eliminate any civil or criminal liability). These administrative sanctions take the form of:
    • Written warning;
    • Administrative fines;
    • Temporary dismissal; and/or
    • Removal from the list of registrations (as required under the regulation).
  • Banking Law

Under Article 44 of the Banking Law, any commissioner, director or employee of a bank or its affiliates who intentionally provides information which has to be kept secret may be sentenced to imprisonment for not less than two years and not more than four years, and fined at least four billion but not more than eight billion Indonesian Rupiah.

  • Capital Markets Law

Under the Capital Markets Law, the Capital Market and Financial Institutions Regulatory Body (BAPEPAM LK) is empowered to impose the following administrative sanctions for breaches of the provisions dealing with data protection:

  • a written reminder;
  • a fine;
  • limitations on business;
  • suspension of business;
  • revocation of business licence;
  • cancellation of approval;
  • cancellation of registration; or
  • ET Law.

ELECTRONIC MARKETING

The EIT Law and Reg. 82 do not specifically address electronic marketing.

Article 25 of the EIT Law provides that an Internet website, amongst other things, is acknowledged and protected as Intellectual Property (IP) and consequently should fall under the ambit of the relevant IP laws, which in certain cases may be the Indonesian Copyright Law.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

There are currently no laws or regulations concerning cookies and location data.

However, if the data collected by cookies or location data is obtained through the unlawful access of another party's electronic information, this is subject to 6 to 8 years' imprisonment and/or a fine of Rp. 600,000,000 to Rp. 800,000,000.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com