With the rapid growth of the IT industry and culture in Indonesia, since 2014 the Ministry of Communication and Informatics (MOCI) has been proposing that the Parliament passes a data protection law. In 2015 the Government issued a draft data protection law for public comment (Initial Draft Law), although there has been no significant progress.
The Initial Draft Law's content was more or less a copy paste of concepts and provisions from European Union law. Questions were raised about how sophisticated data protection provisions in the Initial Draft Law would be developed and could be implemented; noting that individual awareness and concerns about data privacy were still minimal at the time.
In 2016, the MOCI issued a ministerial regulation on personal data protection in electronic systems as an implementing regulation of the 2008 Electronic Information and Transaction Law (Regulation 20). Regulation 20 encapsulated certain provisions from the Initial Draft Law (such as the right to be forgotten).
Given recent data breaches, the Government has issued a new draft personal data protection law (Draft Law).
The Draft Law is not in the 2018 National Legislation Program, which is a list of prioritized laws for Parliament's deliberation. Consequently it is uncertain when the Draft Law will be passed by the Parliament, however the Government may still prioritize the Draft Law this year/early next year.
Content and implications
The content of the Draft Law is not much different from the Initial Draft Law and still introduces concepts from European Union law (and will need to be harmonized with Regulation 20).
Among other things, the Draft Law deals with personal data categorization, differentiation between the concepts of data controller and data processor (absent to date), processing personal data, and the forming of a dedicated dispute settlement commission.
Failure to comply with the provisions under the Draft Law could lead to administrative sanctions, including orders to cease activities, orders to delete personal data and orders to stop unauthorized use of personal data, and provides for indemnity payments and monetary penalties.
In addition, there are also criminal sanctions for certain actions, such as personal data forgery and unauthorized sale of personal data.
In terms of coverage, the Draft Law states that it has extraterritorial coverage and applies to individuals, public bodies, business actors and public organizations, whether domiciled in Indonesia or outside of Indonesia, that conduct legal actions that have a legal effect in Indonesia and/or other countries and harm the interests of Indonesia.
Notable Provisions in the Draft Law
General and Specific Personal Data
The Draft Law defines Personal Data as:
- any data about a person that can identify automatically the person
- any data about a person, when combined with other information directly or indirectly obtained through electronic and/or non-electronic systems, can identify a person
Further, the Draft Law distinguishes between two categories of Personal Data:
- general Personal Data
- specific Personal Data
Specific Personal Data is Personal Data that requires special protection, and consists of data relating religion/beliefs, health, physical and mental conditions, biometrics, genetics, sex life, political views, criminal records, child data, personal financial information, and other Personal Data covered specifically by other laws and regulations.
Other types of data outside of the abovementioned scope for specific Personal Data will fall into the scope of general Personal Data.
The Draft Law elaborates that general Personal Data means Personal Data that can be obtained from the public domain or has been disclosed under an identity document, eg, name, identity card number, photo, telephone number, email address and birth date (noting that identity documents are widely used in Indonesia).
A Personal Data Owner is an individual that legally owns the Personal Data.
Personal Data Controller and Personal Data Processor
The Draft Law differentiates between a party that collects Personal Data (and obtains consent from the Data Owner) and manages the data processing, being a Personal Data Controller, and a party that processes the Personal Data on behalf of a Personal Data Controller, being a Personal Data Processor.
The Draft Law places more focus on Personal Data Controllers as the parties who should obtain the consent from the Personal Data Owner. Almost half of the relevant provisions under the Draft Law are on Personal Data management by Personal Data Controllers.
As long as the scope of consent also allows Personal Data Processors to process the data, then Personal Data Processors do not need to obtain another consent from the Personal Data Owner. In any case, there is no requirement for a Personal Data Processor to obtain consent directly from the Personal Data Owner, and consequently the Personal Data Processors will rely on the Personal Data Controllers to obtain the appropriate consent (as is the case under the current regulations).
The term "process" above consists of the following activities : (a) acquiring and collecting, (b) processing and analyzing, (c) storing and displaying, (d) fixing and renewing, (e) announcing and delivering, (f) distributing and disclosing, and (g) deleting and/or destroying, Personal Data.
Consent Requirement and Use of Personal Data
The Draft Law states that Personal Data Controllers must obtain written consent from Personal Data Owners in order to manage their specific Personal Data.
The Draft Law suggests that Personal Data Controllers do not have to get written consent for general Personal Data processing. However, given the subsequent articles in the Draft Law use the general term "Personal Data" rather than the specific term "specific Personal Data", we assume the intention is to require consent for the management and use of any Personal Data.
Further the Draft Law states that consent should only be given after a Personal Data Controller provides the following information:
- the legality of the Personal Data management - what this means is not clear at the moment
- the purposes for which the Personal Data will be managed
- the types of Personal Data that will be managed
- the retention period of the Personal Data
- details on the information that will be collected
- the period of the Personal Data management by and the deletion policy of the Personal Data Controller
- the right of the Data Owner to revise and/or retract any consent
Specific Personal Data can be managed by a Personal Data Controller (or processed by a Personal Data Processor) without prior written consent from the Personal Data Owner for the following purposes:
- for the Data Owner's data security protection
- for medical purposes by doctors, other medical staff, or people who are bound by obligations to maintain patients' secrecy
- law enforcement purposes
- as required under laws and regulations
Additionally, specific Personal Data can also be processed without prior written consent if the specific data has come into the public domain due to the Personal Data Owner's actions (there is no further elaboration on what is covered, but this may include social media postings).
Further, consent is not required if (a) the use of Personal Data is mandated by law; (b) the use of the Personal Data is required in order for the Personal Data Controller to perform a contract/an agreement with the Personal Data Owner; and/or (c) the use of the Personal Data is required to protect the Personal Data Owner from any threat to their life or their physical or economic well being.
Personal Data Controllers must obtain consent from Data Owners in order to transfer Personal Data to a third party within Indonesia, otherwise the third party cannot use the Personal Data except for the intended use that has been approved by the Data Owner.
Apart from consent, either of the following requirements must be fulfilled in order for a Personal Data Controller to transfer Personal Data outside of Indonesia:
- The receiving country must have a level of Personal Data protection that is at least as good as that under the Draft Law.
- There is a contract between the Personal Data Controller and an offshore third party.
- There is an international bilateral agreement.
The intention of this requirement is to implement adequate national protection and adopt the concepts used in the European Union on cross border data transfers. The elucidation of the Draft Law recognizes that in practice it will be difficult to implement or substantiate point a above and therefore, an international bilateral agreement with the receiving country will be required.
Notification on Breach of Personal Data
Personal Data Controllers also have an obligation to notify the Personal Data Owner if his Personal Data has been disclosed inadvertently. The Draft Law does not state when the notice should be made (however Regulation 20 requires that a notice be made within 14 days after the data breach is known).
Currently this obligation does not extend to Personal Data Processors, even though a breach of Personal Data is usually by the Personal Data Processor.
The question remains as to whether the Personal Data Controller would be held liable for not notifying the Personal Data Owner about a breach of their Personal Data in case the Personal Data Controller has delegated the processing activity to the Personal Data Processor and the Personal Data Processor does not alert the Personal Data Controller about the occurrence of the breach.
The notification must contain (a) the disclosed Personal Data, (b) when and how the Personal Data was disclosed, and (c) actions taken by the Personal Data Controller to manage and resolve the incident.
Requirements to Delete or Destroy Personal Data
The Draft Law distinguishes between Personal Data deletion and Personal Data destruction. Deletion is applicable for Personal Data that is processed electronically, while destruction is applicable for Personal Data that is not processed electronically.
A Personal Data Controller must destroy Personal Data (a) that no longer has usage value, (b) that has an expired retention period, (c) if there are indications of a leak in the Personal Data management system caused by that particular Personal Data, (d) if there is a written request from the Personal Data Owner to destroy it (no court order is required under the Draft Law but a Personal Data Owner may need to seek a court order to request a Personal Data deletion given requirements under the Electronic Information and Transaction Law and Regulation 20), or (e) that is not related to any dispute resolution proceeding.
A Personal Data Controller must delete Personal Data (a) that is no longer needed to achieve the purpose of the Personal Data management, (b) if the Personal Data Owner has revoked his consent related to the management of the Personal Data, through a written request to the Personal Data Controller, or (c) if the Personal Data Controller uses the Personal Data for purposes that are not in line with the consent or the Draft Law.
Although the provisions seem to indicate that the obligation to destroy or delete the Personal Data only applies to Personal Data Controllers (and not the Personal Data Processors), naturally the Personal Data Controllers should instruct Personal Data Processors to do the same.
Strengthening in the Privacy Protection
The Draft Law has increased the protection for data privacy. This can be seen by the inclusion of a higher threshold of rights for Personal Data Owners.
• Provisions on Processing Devices/Visual Data Processors/CCTV
Under the Draft Law, no party is allowed to install and operate visual data processing devices in a public facility that could threaten individuals' privacy.
Processing Device/Visual Data Processor/CCTV operators must provide information if there is a visual data processing device installed in an area, except for the purpose of a criminal investigation (how this will be implemented in still unclear and clearly placing a CCTV in a public area without notice on the basis of a "criminal investigation" might be challenged).
• Direct Marketing
Personal Data Owners at any time can make a written request to the Personal Data Controller to stop using their Personal Data for direct marketing activities.
If such a request is not fulfilled, the Personal Data Owner can ask the Commission (as described below) to send a warning to the Personal Data Controller to fulfill the request.
Further clarity is needed on whether there is any period of time within which the Personal Data Controller must honor the request.
The Draft Law introduces a Commission as a specific implementing body that has the functions to (a) ensure that Personal Data Controllers comply with the provisions in the Draft Law and (b) encourage all parties to honor the privacy of Personal Data.
Some of the authorities of the Commission are as follows:
- Monitor the compliance
- Receive complaints, facilitate dispute resolution, and provide guidance to Personal Data Owners in the event of any breach of the Draft Law
- Give recommendations to law enforcers on Personal Data protection breaches and claims
- Take measures to protect personal data and provide recommendations for compliance with Personal Data protection standards
- Give first and second warning letters to Personal Data Controllers in relation to violations
Clearly, further regulations must be issued to clarify whether this will be an independent authority or a part of the MOCI, which is the current authority that monitors general data protection matters.
Personal Data Controllers and Personal Data Processors should expect tighter monitoring and enforcement of Personal Data management by government authorities and perhaps increased awareness and concerns over Personal Data protection from Personal Data Owners.
Personal Data Controllers and Personal Data Processors need to start considering plans to comply with the Draft Law once it is issued.