This article was written with contributions from Mr Kin Wah Chow, Principal, and Ms Evi Triana, Partner at Suryomurcito & Co, a Rouse Network, Indonesia member. Thanks to Anindito FNU, S.Kom., S.S., MTI., CHFI., a faculty member at the Republic of Indonesia Defense University, for his feedback/comments.
As advancements in technology continue to shape our modern world, managing and protecting personal data have become increasingly crucial. In Indonesia, where digitalisation plays a significant role in various sectors, the issue of data privacy has gained considerable attention. The Indonesian Government has responded to these concerns by enacting legislation and regulations to safeguard personal data and ensure the responsible handling of such information.
By understanding the legal framework surrounding data privacy in Indonesia, individuals and organisations can navigate the intricacies of data management, uphold privacy rights, and implement effective measures to safeguard personal information from unauthorised use or disclosure.
We spoke to Kin Wah Chow and Evi Triana from Suryomurcito & Co to obtain their insights on the challenges of data privacy and management in Indonesia and the implications of the country’s data localisation requirements on businesses.
How has Indonesia approached the regulation of data privacy, considering its cultural diversity and emerging tech landscape?
The current government, under the leadership of President Joko Widodo, understands the importance of being attuned to the needs of businesses. It was for this reason that he had a track record of making key ministerial appointments from the private sector, especially those who are outspoken on government policy. The current Minister of Education, Culture, Research, and Technology of Indonesia, Nadiem Makarim, was the CEO of PT Gojek Indonesia (one of the Indonesian on-demand multi-services companies in online transportation and digital payment technology group). His appointment was relevant because of his past views expressing the importance of computer programming skills among the youths, and he had also called for the need to simplify regulations so as not to hinder growths of startups by young entrepreneurs.
It is against this backdrop that Indonesia has been willing to adapt to the needs of businesses by tweaking electronic transaction regulations by generally taking a light-touch approach. For example, see our responses to the second question.
We are therefore hopeful that the government will adopt the same approach as it prepares the implementation framework for Law Number 27 of 2022 on Personal Data Protection (“2022 PDP Law”).
There was an initial plan to park the data protection agency under the Ministry of Communication and Information. However, this was met with resistance from members of Parliament. The rationale for the resistance was that the agency should be independent, considering that some of the recent data breaches had occurred at the government ministries' level.
However, there are signs that the Ministry of Communication and Information is going to have an oversight in the administration of the data protection agency. This can be seen from the Ministry's issuance of SKKNI (also known as “Standar Kompetensi Kerja Nasional Indonesia” or “Indonesian National Work Competency Standards”) based on Decree of the Minister of Manpower Number 103 of 2023 on the “Establishment of Indonesian National Work Competency Standards for the Category of Information and Communication Main Groups of Programming, Computer Consulting and Related Activities (YBDI) Field of Personal Data Protection Expertise” which is meant to set the standard for data protection officer competency. It leaves one to wonder if oversight of the data protection regime will ultimately vest in the Ministry of Communication and Information instead of being administered by an independent agency as was originally hoped for.
Can you discuss the legal implications of Indonesia's data localisation requirements and their impact on businesses?
The government is generally receptive to the needs and concerns of industry and the public. In 2012, Government Regulation Number 82 of 2012 on “The Organization of Electronic Systems and Transactions” caused some ripples in the industry with an outright requirement for data localisation. This restriction was removed in 2019 by Government Regulation Number 71 of 2019 on “The Organization of Electronic Systems and Transactions” where only government agencies are required to localise data, not businesses.
The Ministry of Communication and Informatics Regulation Number 20 of 2016 on “Personal Data Protection in Electronic Systems” (which will continue to apply notwithstanding the 2022 PDP Law when it comes into effect) requires electronic systems operators to file reports (in the prescribed form) of any data transfer, and so far, there has not been any issue with such implementation.
The 2022 PDP Law continues with the trend of permitting cross-border data transfer subject to conditions similar to the General Data Protection Regulation (“GDPR”) counterpart. It is hoped that the framework, when implemented, will continue to be user-friendly.
What steps should companies take to ensure compliance with Indonesia's data protection regulations when processing personal data?
Consent of the data subject remains the key premise for collecting and processing data in addition to other bases similar to the GDPR counterpart. The unique feature of Indonesia is that it may be necessary to have good record keeping of such consents because the Indonesian legal system still requires traditional methods of proving consent or contractual assent. It is, therefore, important that local counsel be sought on how records are to be kept in the event that it becomes necessary to prove consent.
How does Indonesia's legal framework balance data privacy concerns with the growth of e-commerce and digital services?
It is too early to comment because the government is still putting together a framework and setting up the data protection agency to administer the PDP Law. However, it is hoped that the President will continue to be business-friendly and minimise unnecessary hindrances. It is also uncertain if the current direction will be maintained following the 2024 Presidential election.
One concern is whether it will become mandatory for a Data Protection Officer to be certified. This is likely to impact overseas online businesses targeting Indonesians.
What role does Indonesia's Personal Data Protection Bill play in shaping the future of data privacy in the country?
The passing of the bill was largely prompted by various high-profile data breaches as a result of hacking and, secondly, by the need to keep up with other countries.
It is hoped that the mindset for data protection will extend beyond data security to safeguard privacy against indiscriminate data processing by data controllers. However, this will require a well-resourced data protection agency and it remains to be seen how the agency will eventually take shape.
This article was first published on LawNet Asian Insights, an online regional legal resource compiled and managed by the Singapore Academy of Law. LawNet Asian Insights contains practical, business-focussed updates and analyses on legal developments in Asia. Please click here to access the article (available to LawNet subscribers)."