A Q&A guide answering common questions and concerns about the Data Privacy landscape in various Southeast Asian regions
To download the Data Privacy Q&A guide, please click here.
To see other released Data Privacy Q&A guides on separate jurisdictions, please click here.
Is there a data privacy law in the jurisdiction of Indonesia? If yes, is it implemented? If no, what laws are relied on?)
No, Indonesia does not have a specific Data Privacy regulation.
However, there are various relevant laws and regulations that are applicable for data protection. Among others, the law on Electronic Information and Transactions (EIT) Law No. 19/2016 is the main reference for data privacy and personal data protection in the country. That said, Indonesia is getting closer to passing its first PDP Law – Personal Data Protection Law. The law aims to introduce new key roles, data ownership rights, data transfer rules and compliance guidelines. According to the current draft of the PDP Laws, entities that process personal data will be given a two-year period to achieve full compliance. It will be applicable to all entities across the globe that deal with personal data belonging to Indonesian customers. If the PDP Bill passed, it will be the first Indonesian law to provide a comprehensive set of provisions for the protection of personal data.
What significant legal instruments relating to data protection are currently pending? If any, what are the timelines?
The PDP Bill was included in the Indonesian House of Representatives (DPR RI) Priority National Legislation Program (Prolegnas) with the status of a government proposal. Due to incomplete discussions, the PDP Bill will re-enter the Prolegnas in 2021 and has not been passed as of this writing.
Who do Indonesia Data Protection Laws apply to?
The data protection provisions of the Electronic Information and Transactions (EIT) Law No. 19/2016 apply extra-territorially in certain circumstances. The Personal Data Protection bill provides more information in this regard. The PDP law is expected to apply to all entities both in and outside of the territory of Indonesia and across all sectors that deal with personal data of Indonesian citizens.
It also clarifies that the law applies to individuals, legal entities, business entities, government institutions and public entities whose actions:
• result in legal consequences within the territory of Indonesia; and/or
• affect Indonesia citizens in and outside of the territory of Indonesia (Article 2 of PDP Bill).
Who are the relevant regulatory and enforcement authorities in Indonesia with regards to personal data protection?
There is no general regulatory body or authority that is specifically responsible for protecting personal data and ensuring that companies comply with data protection laws.
However, Minister of Communication and Informatics (MOCI) is usually the one that is responsible for administering and enforcing regulations related to personal data protection. MOCI can also be supported by the Police.
How is personal data defined in Indonesia?
The definition and specifics vary depending on the sector and their relevant regulations. At a minimum, information that enables the identification of an individual is protected by the law. The PDP Bill defines Personal data as any data regarding an identified person or a person that can be identified either individually or in combination with other information, directly or indirectly, by using electronic and/or non-electronic system (Article 1 of the PDP Bill).
Is there a distinction between personal data and sensitive data under the laws?
Currently, there is no specific definition of sensitive data or sensitive personal data under the prevailing regulations applicable to data privacy in Indonesia. However, the Minister of Communication and Informatics Regulation No. 5 of 2020 on Electronic System Provider in the Private Sector (“MOCI 5/2020”) defines “Specific Private Data” as data and information on health, biometric data, genetic data, sexual life/orientation, political views, children's data, personal financial data, and/or other data in accordance with the provisions of laws and regulations.
In the PDP Bill, sensitive data is defined as personal data that requires special protection, and includes data concerning health, biometric, genetic, sexual orientation, political views, crime records, child data, personal financial data, and other personal data in accordance with the provision of the legislation (Article 3 of the PDP Bill).
What is the consent requirement in Indonesia?
As a general rule to process personal data, the EIT Law, GR 71/2019, the MOCI 20/2016 and other laws and regulations governing data protection in Indonesia require the obligation to obtain "consent" from the owner of the personal data.
The Government regulation No. 71 of 2019 (GR 71/2019) also stipulates among other things that data processing maybe carried out without consent of the data owner in order to fulfill:
• Legal obligations of the controller in accordance with statutory provisions;
• Vital interests of the data subject; and
• Legitimate interests of the controller.
The PDP Bill proposes the following requirement in relation to consent:
Article 18 (1)
The processing of Personal Data as referred to in Article 17 must comply with the provisions of a valid approval from the Personal Data Owner for one or several specific purposes that have been submitted to the Personal Data Owner.
What restrictions are there for cross-border transfer of personal data?
The transfer of personal data is prohibited without the consent of the data subject, as stipulated under the various laws and regulations that currently govern data protection in Indonesia. The PDP bill proposes to permit cross-border data transfer as long as the operator coordinates with MOCI or an authorized agency. After the cross-border transfer is completed, the operator must submit an implementation report to the minister. But given the current status of the bill, these requirements are subject to further change. Rouse Indonesia will provide updates on future developments.