(October 6, 2022) Indonesia has seen a recent rise in data breaches. Recent incidents include 105 million people reportedly having their data compromised in a breach of the General Elections Commission database in September 2022. And the month before that, 26 million customers of Internet service provider IndiHome were reportedly affected in a suspected data breach. These incidents and others underline the need in Indonesia for a regulation that clearly outlines the requirements and procedures for reporting a data breach when it happens.
Cybersecurity and the protection of personal data have been regulated under a set of laws known as the PDP Regulations. These apply to Electronic System Providers (“ESPs”) that: (i) provide services within Indonesian territory; (ii) engage in business in Indonesia, and/or; (iii) whose electronic systems are used and/or offered within Indonesian territory. Now, with the long-awaited Personal Data Protection (PDP) Bill said to have been passed into law, companies can expect changes to the cybersecurity and data breach notification regime.
Reporting a Cybersecurity Incident
Pursuant to Article 24(3) of Government Regulation No. 71 of 2019 regarding Provision of Electronic Systems and Transactions (“GR 71”), in the event of a system failure or disturbance which has a serious impact as a result of the actions of another party, an ESP must secure the electronic information and documents in its system and immediately report the incident at the first opportunity to law enforcement and the relevant ministry or institution.
While the PDP Regulations do not identify the specific agencies to which a data breach is to be reported, a Minister of Communication and Informatics (“MOCI”) official was consulted and said ESPs are required to submit data breach reports to (i) the MOCI and (ii) the National Cyber and State Codes Board (Badan Siber dan Sandi Negara or “BSSN”).
To submit a report to the MOCI, ESPs that experience a data breach must complete and submit a form to pengendalianaptika@kominfo.go.id. To report to the BSSN, ESPs that experience a data breach should submit the report, accompanied by evidence, to the BSSN at aid70@bssn.go.id or pusopskamsinas@bssn.go.id.
Notification to Data Owners
In addition to the obligation to report to the MOCI and BSSN, Article 28 of MOCI Regulation 20 of 2016, dated December 1, 2016, regarding the Protection of Personal Data in Electronic Systems (“MOCI Reg. 20”), requires ESPs to notify affected data owners in the event of a failure of personal data confidentiality protection in the electronic systems under its management. This means that ESPs that experience a data breach must notify affected data owners regardless of whether the data breach may result in damages. If the breach has the potential to cause harm to data owners, Article 28(c)(3) of MOCI Reg. 20 requires ESPs to ensure the notification is actually received by the personal data owners.
According to Article 28(c) of MOCI Reg. 20, the notification to affected data owners shall be in writing but can be delivered by email or other electronic means if the data owner has previously so consented.
There is no required form for this notification other than that it must, pursuant to Article 28(c)(1) of MOCI Reg. 20, include the reasons or causes of the data breach.
While the PDP Regulations are silent as to the language of the notifications, according to the MOCI official who was consulted, notifications in Indonesia must be made in the Indonesian language or accompanied by an Indonesian translation.
Pursuant to Article 100 of GR 71, failure to fulfill reporting obligations may result in administrative sanctions including written warning, administrative fines, temporary suspension from operating an electronic system, blocking access to the electronic system, and removal from the list of registered ESPs.
Personal Data Protection Bill
The PDP Bill, which had been under discussion for several years, is reported to have been passed by the House of Representatives as of September 20, 2022, and is now awaiting the President’s signature before it takes effect. The latest publicly available draft of the PDP Bill stipulates the establishment of a new agency to, among other things, regulate and stipulate policies in the field of personal data protection, accept reports of breaches, and enforce punishments for violators.
In regard to cyberbreach notifications, Article 46 of the PDP Bill stipulates that in the event of a personal data protection failure, the Personal Data Controller must deliver a written notification at the latest 3×24 hours to affected Personal Data Subjects and the new agency to be established under the PDP Bill. The Personal Data Controller must also notify the public if the breach disturbs public services and/or significantly affects the public interest.
Article 46 also provides guidelines on the required contents of this written notification, which must at least include a description of the personal data that was breached, when and how the personal data was breached, and the efforts undertaken by the Personal Data Controller to mitigate the effects of the data breach and recover affected personal data.
These provisions provide clarity on the previously unclear timeframe for notifying the relevant parties in the event of a personal data breach and the information that must be included in the notification. It also eliminates the need for Personal Data Controllers to report a data breach to the MOCI and BSSN.
However, during the transition period before the new agency under the PDP Bill is formed and functioning, data breach notifications should continue to be submitted to the MOCI and BSSN. Furthermore, pursuant to Article 75 of the PDP Bill, all laws and regulations regarding personal data protection are still applicable as long as they do not contradict any of the provisions of the PDP Bill. This means the procedure to notify affected Personal Data Owners under MOCI Reg. 20 is still applicable.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.