Data protection in Indonesia: overview
A Q&A guide to data protection in Indonesia.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
In general, the collection and use of personal data is regulated under Law No. 11 of 2008 regarding Information and Electronic Transactions (the IET Law) and under the Government Regulation No. 82 of 2012 regarding the Provision of Systems and Electronic Transactions (Regulation 82). These regulations apply to data privacy matters.
However, in addition to the IET Law and Regulation 82, regulation concerning the collection of personal data is also spread among several other laws and regulations.
Article 28G of the 1945 Constitution states that each person has the right to protect themselves and their families. It also states that each person has the right to protect their respect, dignity and their possessions, and that each person shall have the right to security and protection from the threat of fear for doing, or for not doing, something which constitutes a human right.
Article 322 of the Criminal Code provides that an employee who breaches confidential information on purpose, obtained by virtue of their office or work commits an offence punishable by up to nine months' imprisonment or a maximum fine of IDR600.
In addition, Article 323 of the Criminal Code further provides that an employee who deliberately reveals a trade secret commits an offence punishable by up to nine months' imprisonment or a maximum fine of IDR600.
Article 26(1) of the IET Law prohibits the use of personal data through electronic media without consent.
The sectoral laws include:
Law 7 of 1992 as amended by Law 10 of 1998 on Banking (the Banking Law) and Law 8 of 1995 on Capital Markets (the Capital Markets Law), which respectively cover the banking and financial sectors. The regulations apply to both individuals and corporate data.
Law No. 36 of 1999 regarding Telecommunications (the Telecommunications Law), which covers the telecommunications sector.
Law No. 14 of 2008 regarding the Disclosure of Public Information (the Disclosure of Public Information Law), which covers public information and data.
Law No. 36 of 2009 on Health (the Health Law), which covers the health sector.
Bank Indonesia's Regulation No. 7/15/PBI/2007 on the Implementation of Risk Management in the Utilisation of Information Technology by the Bank.
Financial Services Authority Regulation No. 1/POJK.07/2013 on the Protection for Financial Service Sector Consumer. This regulation applies to the financial services sector, such as the General Bank, Stock Exchange, investment consultants, insurance companies, collateral companies.
Minister of Health Regulation No. 269/Menkes/Per/III/2008 concerning Medical Records. This regulation applies to all activities associated with storing the medical records of patients that involve doctors and related medical workers.
Minister of Communication and Information Regulation No. 21 of 2013 concerning Content Services Provider Implementation on Mobile Cellular Network and Fixed Wireless Access with Limited Mobility (as lastly amended by Minister of Communication and Information Regulation No. 6 of 2015 concerning Third Revision of Minister of Communication and Information Regulation No. 21 of 2013 concerning Content Services Provider Implementation on Mobile Cellular Network and Fixed Wireless Access with Limited Mobility). These regulations apply to content services providers and their customers.
Minister of Communication and Information Regulation No. 4 of 2016 concerning Information Security Management System. This regulation applies to electronic system service providers.
Circular Letter of Minister of Communication and Information Technology No. 3 of 2016 concerning Internet Application/Content Services Provider (Over The Top). This Circular Letter serves as a guideline to prepare internet application and content service providers for the upcoming regulations of the provision of Over the Top (OTT) content.
Future data protection law
Based on the information obtained from the website of the Ministry of Communication and Informatics, the government is currently discussing a draft Minister of Communication and Informatics Regulation regarding personal data protection on electronic systems. The regulation will set out more detailed provisions on personal data protection including requirements on data subject consent, personal data collection, personal data storage, analysis, processing, display, delivery, distribution and removal.
Scope of legislation
Law No. 11 of 2008 regarding Information and Electronic Transactions (the IET Law) and Government Regulation No. 82 of 2012 regarding the Provision of Systems and Electronic Transactions (Regulation 82) apply to any person who conducts legal acts as governed by these laws, either within or outside the jurisdiction of Indonesia. The legal acts must have legal consequences within Indonesia and/or outside the jurisdiction of Indonesia, and must be detrimental to the interests of Indonesia.
The term "person" is defined under Article 1.21 of the IET Law and Article 1.33 of Regulation 82 to be:
An individual, either Indonesian or a foreign citizen.
A legal entity, which can be a foreign or local company which is engaged in the electronic systems business, that is, it is an electronic systems provider and/or an electronic transactions provider.
Government Regulation No. 82 of 2012 (Regulation 82) provides regulation to protect against the unauthorised use of personal data. Article 1.27 of Regulation 82 defines personal data as specific individual information which is stored, treated and kept, and its confidentiality is protected. Regulation 82 does not provide further explanation concerning the scope of the data.
Under Government Regulation No. 82 of 2012 (Regulation 82), an electronic service provider (ESP) must:
Keep the confidentiality, integrity, and availability of personal data under their system.
Guarantee that the collection and use of personal data is based on prior consent from the subject of the personal data, unless otherwise provided by the regulations.
Guarantee the use or disclosure of personal data is based on prior consent from the subject of the personal data and in accordance with the purpose as previously informed to the subject of the personal data during the data collection process.
In the case where there is a failure in the protection of confidentiality of personal data, the ESP must send written notification to the owner of the personal data regarding this.
Regulation 82 also provides that the storage and carrying out a transaction with the personal data of Indonesian nationals outside the Indonesian jurisdiction is restricted.
Article 29 of Law No. 11 of 2008 regarding Information and Electronic Transactions (the IET Law) provides that for the purposes of a criminal justice investigation, the electronic system provider must provide the information contained in the electronic systems, or information generated by the electronic systems, if investigators make a legal request in accordance with the authority they have been given under the law.
The IET Law also stipulates that the content of electronic information or a document (such as an internet website) which falls under the scope of the intellectual property right, would be protected as an intellectual property work under intellectual property law.
Under Article 15 paragraph C of Regulation 82, the data collector must guarantee that the use or disclosure of personal data is implemented based on prior consent from the data subject. The data collector must also make sure that the data is used in the way it was stated it would be in the initial notification given about the purpose of the data collection.
From a strict reading of the regulation, the law does not require the data collector to provide an initial notification to the data subject. However, as a matter of practice, prior notification to the data subject before the data collection takes place has become standard, and therefore it is strongly recommended that the data controller gives the data subject prior notification.
Indonesia does not maintain a register of controllers or of processing activities. However, Article 5 paragraph 1 of Regulation 82 requires the registration of electronic service providers who work on public services.
Main data protection rules and principles
Main obligations and processing requirements
Indonesian law does not outline the specific conditions for the collection and processing of personal data. However, Regulation 82 sets out the obligations of an electronic service provider which are, in general, as follows:
Obtaining the data subject’s consent prior to conducting the data collection.
continuity of its electronic system;
security of information and internal communications;
security of obtaining, storing, and preserving the integrity and the availability of personal data;
use and disclosure of the data is conducted with the owner's prior consent and is in line with the objectives that were explained to the data owner during the data collection.
Register its electronic system at the Ministry of Communications and Informatics (the obligation only specifically applies to an electronic service provider for public services).
Establish a Data and Disaster Recovery centre (the obligation only specifically applies to an electronic service provider for public services).
Provide audit records on the provision of all electronic systems activities.
The above requirements are also applicable to a service provider, even though the electronic system is provided through a third party. The provider of the electronic system is obliged to provide audit records of all activities relating to the provision of the electronic system (such as a transaction log, providing notification to consumers on completion of a particular transaction, and so on).
The collection of personal data must be carried out based on prior consent given by the data subject, that is, the owner of the data. Both the IET Law and Regulation 82 do not provide clear guidance on any circumstances where the data collector is able to collect personal data without having received prior consent from the data subject.
Indonesian nationals tend to avoid disclosing sensitive information, as it is not considered good practice. It may be worthwhile to give the relevant data subject the opportunity to actively avoid disclosing any sensitive information that they do not want to provide.
Further to the above, Law No. 39 of 1999 regarding Human Rights (the Human Rights Law) stipulates that in order to uphold human rights, the differences and needs of indigenous peoples must be taken into consideration and protected by the law, the public and the government. Although the law is vague in stating how to implement this, it supports the right of any individual to avoid disclosing what they deem to be offensive.
Rights of individuals
Although Regulation 82 does not provide specific information on this matter, the data controller, or electronic service provider must, at the very least, provide the following information to the data subject:
The purpose of the data collection process.
The designated parties or limited third parties which also require some personal information for the purpose of the transaction.
The specific data which would be collected or transferred.
Data controllers must take the appropriate technical and organisational measures to guard against the unauthorised or unlawful processing of data. They must also take measures to prevent the accidental loss or destruction of, or damage to, personal data. The level of security taken must be commensurate to the nature of the data.
Processing by third parties
See Question 8.
Currently there is no specific Indonesian law which regulates the sending of spam. The provision relating to spam is provided under Article 44 of Regulation 82, which stipulates that the sender (of electronic information) must ensure that the electronic information sent is correct and not of a disturbing manner.
International transfer of data
Transfer of data outside the jurisdiction
Regulation 82 states that the storing of personal data and performing a transaction with the data of Indonesian nationals outside the Indonesian jurisdiction is restricted. This requirement would appear to apply particularly to personal data and transaction data of Indonesian nationals which is used within Indonesia and/or related to Indonesian nationals.
The regulation is currently silent on classifying the types of personal data that must be stored strictly in Indonesia. However, in terms of data storage, Article 17 of Regulation 82 requires an electronic service provider for public services to set up a data centre and disaster recovery centre within the Indonesian jurisdiction. The implementation of the particular provision will be further regulated by sectoral regulations. Nevertheless the existence of such article could (arguably) be seen as the government's intention to store all personal data of Indonesian nationals inside the Indonesian jurisdiction.
Data transfer agreements
At the moment there is no specific law regarding data transfer agreements. However, under Regulation 82, electronic transactions can be based on an electronic contract. This regulation has indicated that the law allows any parties to engage in a contractual relationship. Therefore, on the assumption that the data transfer agreement is stipulated under some agreement between both parties, and both parties agree to the contractual clause, it would be possible to execute data transferring activities based on both parties' agreement to such a contract.
There are some situations where both parties have an agreement which includes clauses relating to data transferring activity. In these situations, it is thought that this agreement is sufficient as a grounds for data transferring activities. Despite this, obtaining consent would complement the requirement to minimise future complaints from the data subject.
Enforcement and sanctions
In Indonesia, the sanctions for breaching data privacy are found in the IET Law and Regulation 82, and are in the form of fines. Imprisonment may be imposed for severe breaches and intentional infringement.
The applicable sanctions are as follows:
The IET Law provides a maximum of six years' imprisonment and/or a maximum fine of IDR600 million against any person who knowingly and without authority or unlawfully accesses computers and/or electronic systems in any manner whatsoever with the intent to obtain electronic information and/or electronic records.
Failure to comply with Regulation 82 would be subject to administrative sanctions (which do not eliminate any civil and criminal liability as provided under Article 84). The relevant administrative sanctions are in the forms of:
a written warning;
expulsion from the list of registrations (as required under the Regulation). This particular sanction relates to the obligation to obtain an electronic certificate, a certificate of reliability and a licence for the information system, by registering the electronic systems operator or electronic agent operator with the Ministry of Communications and Informatics (MoCI).
Kementerian Komunikasi dan Informatika Republik Indonesia (Ministry of Communication and Information Technology)
Main areas of responsibility. Currently, the main regulatory authority responsible for supervising data protection activity is the Ministry of Communication and Information Technology.
Risti Wulansari, Partner
K&K Advocates – intellectual property
Professional qualifications. Member of INTA; licensed advocate; member of Indonesian IPR Consultant Association.
Areas of practice. Commercial intellectual property; intellectual property prosecution; information technology.
Languages. Bahasa Indonesian, English
Bhredipta Socarana, Associate
K&K Advocates – intellectual property
Professional qualifications. Internship advocate
Areas of practice. General corporate; intellectual property litigation and enforcement; information technology.
Languages. English, Bahasa Indonesian