16 March 2021
In Indonesia, Ministry of Communication and Information (MOCI) Regulation No. 20 of 2016 on the Protection of Private Data in Electronic Systems (the Data Privacy Regulation) defines personal data as certain individual data, the authenticity of which is verified, sustained and maintained while its confidentiality remains protected.
Any personal data may only be utilized within the certified electronic system and it must at all times be protected during the implementation of the personal data management activities.
Customer Consent and Sale of Personal Data
Personal data can be managed by an organizer based on a written consent of the owner. By maintaining such consent, an organizer is entitled to legally undertake the receipt, collection, processing, analysis, saving, display, announcement, transmission, dissemination, opening of access and deletion of such personal data.
Indonesian legislation does not recognize personal data as a commodity that can be used for trading purposes. By definition the ownership of personal data will always be attached to the relevant individual. In theory, however, if the individual has consented to his or her personal data being transferred, that particular transfer should be deemed as lawful.
Data Breach and Cybersecurity
The Data Privacy Regulation provides that in case of a failure to keep personal data confidential, the relevant electronic system provider shall notify the owner of the personal data within a maximum of 14 days as of the date such failure becomes known to the provider.
In terms of Indonesian regulation, there are no specific requirements or guidelines that electronic system providers must follow to avoid data breaches and ensure cybersecurity. If an electronic system provider wants to help ensure cybersecurity, it can retain the services of competent professionals. In Indonesia, information security consulting services are listed in the Indonesia Standard Industrial Classification, which classifies the different business activities and fields in Indonesia.
Right to Be Forgotten
Indonesia recognised the right to be forgotten in 2016 through the issuance of an amendment to Law No. 11 of 2008 on Electronic Information and Transactions (the ITE Law). Only the relevant user can submit an application to erase electronic information or document, and the application to shall be addressed to the relevant competent court.
Electronic system providers must provide a mechanism to erase electronic information or documents, and they shall erase the concerned electronic information or documents upon receiving a court order.
Consumer Rights
The individuals who own the personal data have the right to report the failure to process their personal data. The right to file a report is intended to allow negotiations between the parties to reach an amicable agreement. The Data Privacy Regulation is silent on whether ‘owner of personal data’ includes foreign citizens.
Fahrul S. Yusuf, Partner, Soewito Suhardiman Eddymurthy Kardono
fahrulyusuf@ssek.com