This article discusses the Indonesian regulatory requirements applicable to the cross border transfer of data.
The legal position is not straightforward because of overlapping legacy regulations passed in 2019 and 2016. This note attempts to reconcile the Indonesian laws and regulations on the cross border transfer of data:
- Law No. 27 of 2022 on Personal Data Protection (the “PDPA”)
- Government Regulation No. 71 of 2019 on Organization of Electronic Systems and Transactions (“GR 71”)
- Ministry of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (“MOCI 20/2016”)
GR 71 on Organization of Electronic Systems and Transactions
Article 21(1) of GR 71 explicitly allows private commercial enterprises (private electronic system organizers, or "ESOs") to store data outside Indonesia.
This is in contrast with public sector electronic system organizers: data collected by the government (public ESOs) must be stored locally.
Although ESOs may locate their data outside Indonesia, they must ensure that their electronic systems and data are accessible to the Indonesian authority for supervision and law enforcement (Article 21(2) of GR 71).
GR 71 is a government regulation issued in 2019, before the 2022 PDPA was passed, and it remains in force.
Under Article 56 of the 2022 PDPA, the transfer of personal data out of Indonesia is permitted if:
- The destination country has in place a data protection law that is on par with, or imposes a "higher" standard than, Indonesia's data protection law; or
- The data controller ensures that "there is adequate and binding personal data protection"; or
- The consent of the data subject is obtained (if neither of the above requirements can be satisfied).
Presumably, this means that the data controller needs at least to have in place adequate assurances from the overseas entity that is receiving the data.
MOCI 20/2016 on the Protection of Personal Data in Electronic Systems
In addition to securing consent from the users, when a cross border transfer of customers’ personal data from Indonesia occurs, ESOs are required to "be in coordination with" the Directorate of Informatics Application Control, a division under the Ministry of Communication and Informatics (Article 22 of MOCI 20/2016). In practice, this requirement is complied with by submitting reports in the prescribed forms before and after the transfer. MOCI has confirmed that the requirement is still in effect.
Where data is submitted by Indonesian data subjects directly to a server outside Indonesia, MOCI has confirmed that data controllers/ESOs must also comply with the same reporting requirement.
Data Collected by Financial Institutions
Approval from the Indonesian Financial Services Authority ("FSA") is required before financial institutions can establish a data center or data processing facility outside Indonesian territory (Article 35(2) and (3) of Financial Services Authority Regulation No. 11/POJK.03/2022 on the Organization of Information Technology by Commercial Banks).
In summary, the primary obligation is to comply with Article 56 of the 2022 PDPA as discussed above; its purpose is to ensure that data subjects receive the same level of protection as they would in Indonesia.