7 December, 2017
Article 28(G) of the 1945 Constitution is considered the basis for more specific data privacy legislation in Indonesia. Article 28(G) provides that every person has the right to: (i) Protection of their personal selves, families, respect, dignity and possessions under their control; and (ii) Security and protection from threat of fear for doing, or not doing, something which constitutes a human right.
Provisions on the protection of personal data can be found in Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended by Law No. 19 of 2016 (the Electronic Information Law). The procedural guidelines for the Electronic Information Law are contained in Government Regulation No. 82 of 2012 regarding the Implementation of Electronic Systems and Transactions (Government Regulation 82).
However, none of these regulations provides a comprehensive set of provisions for the protection of personal data in Indonesia; they set out only the general idea of personal data protection, without specific guidelines. On December 1, 2016, the Minister of Communication and Informatics (MOCI) issued a regulation specifically for the protection of personal data that is contained in an electronic system, namely MOCI Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems (MOCI Regulation 20).
MOCI Regulation 20 is an implementing regulation for the Electronic Information Law and Government Regulation 82.
The House of Representatives is now in the process of discussing a draft law on Personal Data Protection (PDP Draft Law). The enactment of the PDP Draft Law would give rise to the first comprehensive law in Indonesia that specifically deals with the protection of personal data.
Sectoral Laws on Data Privacy in Indonesia
There are several laws in a number of specific areas that indirectly deal with data privacy in Indonesia. These include:
Employment. There is no specific stipulation under Indonesian employment laws on the protection of personal data of employees. It would normally be considered sufficient for employers in Indonesia to regulate the protection of the personal data of their employees by way of unilateral employee consents, employment agreements, company regulations or collective labor agreements. The basis for making these agreements and/or consents rests on the freedom of contract principle under Article 1338 of the Indonesian Civil Code. These agreements and/or consents authorize the collection, retention, disclosure and use of employees’ personal data or other confidential information.
Health sector. Article 57 of Law No. 36 of 2009 regarding Health stipulates in principle that every person is entitled to the confidentiality of their personal health information that has been provided to, or collected by, health care providers.
Financial sector. Financial services providers are prohibited by Article 31 of Financial Services Authority (Otoritas Jasa Keuangan or OJK) Regulation No. 1/POJK.07/2013 regarding Financial Consumer Protection from disclosing customer data and/or information to third parties, unless they receive written consent from the customer or are required to do so by lawful authority. If a financial services provider obtains personal data and/or information of a person and/or a group of persons from a third party, it is required to have written confirmation from the third party that the person or group has agreed to the disclosure. Additionally, the protection of consumers’ personal data and/or information in relation to the payment transaction process conducted by payment system service providers is provided under Article 25 of Bank Indonesia Regulation No. 18/40/PBI/2016 regarding the Provision of Payment Transaction Processing.
Telecommunications sector. Article 40 of Law No. 36 of 1999 regarding Telecommunications (the “Telecommunications Law”) prohibits the “tapping” of information transmitted through telecommunications networks. Telecommunications services operators must keep any information transmitted, and/or received, by a telecommunications service subscriber, through a telecommunications network and/or telecommunications services provided by the relevant operator, confidential (Article 42, Telecommunications Law).