In our earlier article Trade Secrets/Confidentiality Agreements, we outlined key considerations for drafting trade secrets/confidentiality agreements in Indonesia.
In addition, to bolster protection of trade secrets in your organization, companies should a robust IT policy in place to take advantage of the following provisions of Law Number 11 of 2008 on Electronic Information Transaction Law as amended by Law Number 1 of 2024 (ITE Law). The law makes unauthorized access to computer systems a crime in respect of:
Prohibited Acts
Article 30
(1) Any Person who intentionally and illegally or unlawfully access a Computer and/or Electronic System that belongs to another Person in any way.
(2) Any Person who intentionally and illegally or unlawfully access a Computer and/or Electronic System in any way in order to obtain Electronic Information and/or Electronic Document.
(3) Any Person who intentionally and illegally or unlawfully access a Computer and/or Electronic System in any way by violating, breaching, bypassing, or breaking through the security system.
Criminal Provision
Article 46
(1) Any Person who fulfilled the elements as referred to in Article 30 paragraph (1) will be subject to imprisonment for a maximum of 6 (six) years and/or a maximum fine of IDR600,000,000.00 (six hundred million rupiahs).
(2) Any Person who fulfilled the elements as referred to in Article 30 paragraph (2) will be subject to imprisonment for a maximum of 7 (seven) years and/or a maximum fine of IDR700,000,000.00 (seven hundred million rupiahs).
(3) Any Person who fulfilled the elements as referred to in Article 30 paragraph (3) will be subject to imprisonment for a maximum of 8 (eight) years and/or a maximum fine of IDR800,000,000.00 (eight hundred million rupiahs).
Where a company’s IT system keeps a log of employee access to computer systems, they will be able to monitor and prosecute errant employees.
We recommend that the employee handbook clearly defines what is and what is not unauthorized access – which would then help in the enforcement of the Electronic Information Transaction Law – they should be in the employee handbook and the employment contract should refer to it as the basis for the contract.
Specific IT and Human Resource policies should also consider imposing restricted access for employees who are serving out their notice period. The restricted policy should include limits to computer storage locations and printing of documents. Where the system log could clearly capture that the departing employee has breached an appropriate policy, the company may then have a clear case for filing a criminal complaint against that employee under the ITE Law. This is a much easier means of protecting company data than under the Trade Secrets Law regime.
Where it is clearly established that the employee has breached the company's IT policy and the system log supports this, the police are more likely to accept a complaint. It cannot be over emphasized on the importance of a clear IT policy defining when access is and is not authorized and how this has been clearly communicated to employees, particularly those where misuse is alleged.
However, it should also be noted that employees must provide consent to the use of evidence as part of their employment conditions. This is to address privacy issues under Protection of Personal Data Law.
Because of difficulty in enforcing traditional contractual confidentiality undertakings, companies with operations in Indonesia should consider reviewing their IT policy to take advantage of the unauthorized computer access provision of the ITE law.