Client Update 29 December 2016


Personal Data Protection Regime Gets Boost with New Regulation

After a wait of more than a year, the Minister of Communications and Information (the "Minister") issued Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems ("PDP Regulation") on 1 December 2016. The PDP Regulation, which puts into effect Article 15(3) of Government Regulation No. 82 of 2012 on Electronic Systems and Transactions ("Electronic Systems and Transactions Regulation"), sets out the rules governing the protection of personal data that are stored in electronic form. While its scope does not extend beyond electronic data, we nevertheless believe that it should have a sufficiently wide-ranging impact as to significantly strengthen personal data protection in Indonesia, given the vast extent of electronic communications and transactions nowadays.

Personal Data

Prior to discussing the scope of the PDP Regulation, it is important to first understand the definitions of "personal data" and "electronic system provider."

Personal Data Defined

Under the Electronic Systems and Transactions Regulation, and now under the PDP Regulation, "personal data" is defined as:

"Certain data related to an individual, of which the (a) accuracy and (b) confidentiality is (i) kept, (ii) maintained and (iii) protected".

This definition has been adopted word for word from Law No. 23 of 2006 on Population Administration, as amended by Law No. 24 of 2013 ("Population Administration Law"), the first legislation in Indonesia to define personal data.

The PDP Regulation also provides a definition of "certain data related to an individual," namely:

"All information that is correct and real, and personally identifiable, whether directly or indirectly, with an individual in accordance with the provisions of the laws and regulations in effect."

We believe that this definition of "certain data related to an individual" precisely captures the meaning of personal data, i.e., information that can be used to identify a specific person.

Subject of the PDP Regulation

The primary subject of the PDP Regulation is "electronic system providers." An electronic system provider is defined as:

"Any person, State authority, business entity or community that provides, manages, and/or operates an electronic system, whether independently or jointly, in the interest of the electronic system's users and/or the interests of other parties."

This definition includes State authorities. If we go by the letter of the regulation, similar standards will be imposed on the management of personal data by both the public and private sectors. Certain Government ministries and agencies, such as the Financial Supervisory Authority (OJK), the Tax Office and the Ministry of Home Affairs, handle huge amounts of personal data, not to mention state companies that provide public services, such as the state-owned power utility (PLN) and the state-owned telecommunications company (Telkom).

Another aspect of the definition is its broad coverage. A public or private entity is subject to the PDP Regulation not only when it "provides" its own services, but also when it "manages" or "operates" an electronic system, presumably on behalf of a third party. As companies embark on outsourcing or managed-service arrangements, it will be crucial that the compliance obligation is assigned to the right party.

Prior Consent

The PDP Regulation requires any action taken in relation to personal data to have secured the prior consent of the person who is the owner of such personal data. Such actions include (i) acquisition, (ii) processing and analysis, (iii) storage, (iv) dissemination, disclosure and access, and (v) erasure of personal data, or its destruction in the case of a hard-copy record.

In order to secure such consent, the electronic system provider must provide a standard form in Bahasa Indonesia to be agreed by the person who is being asked to provide his/her personal data (the "Privacy Notice and Consent"). Note that although a Privacy Notice and Consent must be in Bahasa Indonesia, the PDP Regulation does not preclude the making of versions in other languages.

A Privacy Notice and Consent will primarily set out:

  1. The purpose for which the personal data is being requested;
  2. How the personal data will be processed; and
  3. Rights of the personal data owner, including the right to have their personal data modified or updated, to access their personal data, and to have their personal data deleted or destroyed (in the case of a hard-copy record).

Most importantly, the Privacy Notice and Consent will set out the prior consent of the personal data owner for the actions of the electronic system provider, which, according to the PDP Regulation, may include the acquisition, collection, processing, analysing, storage, display, announcement, transfer, transmission, providing access, and disposal of his/her personal data.

If the personal data owner is a minor, the Privacy Notice and Consent must be agreed to by his or her parents or guardian. Under the Indonesian Civil Code, any person under 21 years of age is considered a minor.

Obtaining and Collecting Personal Data

The acquisition and collection of personal data must be based on the purpose(s) set out in the Privacy Notice and Consent. In other words, personal data must serve certain purposes as the basis for its collection. As an example, one's employer may require one's full name, address, contact number, and social security details. However, an employer should not require an employee's credit history or prior medical records, unless relevant. For example, an employer that operates a hazardous workplace, such as a steel mill, would most likely have a right to request medical records in the case of an employee who suffers from epilepsy.

Furthermore, the relevant sectoral government supervisory/regulatory agency may determine the type of personal data that is considered relevant and in accordance with the purposes of electronic system providers operating in their sector of responsibility. For example, the OJK, as the agency responsible for supervising the financial services sector, may determine which personal data is most relevant and in accordance with the purposes of the business operations of banks. The concept of involving the relevant sectoral agencies in determining what is and is not personal data is novel, if applied as intended. However, it may make it more challenging to establish uniformity as to the meaning of personal data across the various sectors.

Personal data may only be acquired and collected based on prior consent, as expressly provided in the Privacy Notice and Consent. When providing prior consent, personal data owners have the right to stipulate that their personal data is confidential and may not be transferred or disclosed to third parties.

Storing Personal Data

The PDP Regulation provides a minimum retention period of 5 years for personal data, unless otherwise provided by a sector-specific regulation. This retention period is calculated from the time when the personal data owner terminates the use of the services provided by the electronic system provider. For example, if a person deletes an email address on 2 January 2017, any personal data related to that email address must be retained until 2 January 2022.

After the expiration of the said minimum retention period, the personal data may be erased, unless it is still to be used or utilized for the purpose that was originally consented to by the personal data owner.

Furthermore, the PDP Regulation requires personal data to be stored in the form of encrypted data. Even though this is not explained, encrypted data generally means data that is encoded in such a way that only authorized parties in possession of the encryption key can access it.

Displaying, Announcing, Transferring, Transmitting and Providing Access to Personal Data

Any display, announcement, transfer, distribution, or provision of access to personal data must be based on consent, as provided in the Privacy Notice and Consent. In addition, the accuracy of the personal data must first be verified. These requirements are applicable to actions conducted between electronic system providers, between electronic system providers and users, and between users.

As an example, in Facebook, generally a person will share his/her personal data with Facebook as well as other Facebook users (between electronic system providers and users, and between users). Using the same example, a Facebook account can usually be used to sign up for other services or platforms. In such a case, Facebook will share the personal data of their user who is signing up for the said other services or platforms, with the consent of the said user (between electronic system providers).

Data Centre for Public Services and Overseas Transfer of Personal Data

The data centre and disaster recovery centre for an electronic system that provides a public service must be located within the territory of Indonesia. Further details regarding this obligation will be provided by the sectoral regulator pursuant to the respective laws and regulations and in coordination with the Minister.

An overseas transfer of personal data conducted by the Government or a private entity must be reported to the Minister of Communications and Information Technology. Reports must be submitted prior and subsequent to the transfer. The following aspects must be detailed in such reports:

  1. Country of destination of the transfer;
  2. Recipient of the transfer;
  3. Date of the transfer; and
  4. Reason for or purpose of the transfer.

Given that only providers of public services are required to maintain data centres and disaster recovery centres in Indonesia, the relevance of these overseas transfer requirements might be questionable. With the prevalence of web-based storage facilities and cloud services, it is increasingly common to view data storage as borderless.

Erasure of Personal Data

The erasure of personal data may be carried out in the following circumstances:

  1. The retention period has elapsed based on the PDP Regulation, or a sector-specific regulation; or
  2. Based on request from the personal data owner.

The erasure of personal data must be conducted thoroughly, covering both the deletion of electronic data and the destruction of non-electronic records, so that the personal data can no longer be retrieved.

Obligations

The PDP Regulation imposes a comprehensive set of obligations on electronic system providers, including the following requirements:

  1. to have their electronic systems certified;
  2. to provide notification in case of a personal data breach;
  3. to use legal software; and
  4. to adopt internal policies for personal data protection.

Electronic System Certification

According to the PDP Regulation, an electronic system provider that manages personal data must have its electronic systems certified in accordance with the prevailing laws and regulations. This refers to the Electronic System Worthiness Certification requirement under the Electronic Systems and Transactions Regulation, which is a process involving inspections and tests conducted by an authorized and competent institution to ensure that an electronic system is functioning properly. An Electronic System Worthiness Certificate may be issued by the Minister or by an institution designated by the Minister.

Under the Electronic Systems and Transactions Regulation, the Minister is required to issue an implementing regulation on the Electronic System Worthiness Certification process. However, as this regulation has not been issued to date, the provisions on Electronic System Worthiness Certification have yet to be implemented in practice.

Notification of Personal Data Breach

As also required by the Electronic Systems and Transactions Regulation, the PDP Regulation requires an electronic system provider to notify a personal data owner of any breach involving his/her personal data.

The notification may be provided in written or electronic form, depending on what was agreed under the Privacy Notice and Consent, and must give the reason for or cause of the personal data breach. It must be delivered to the personal data owner not more than 14 days subsequent to the occurrence of the breach. Further, the electronic system provider must ensure that it has been duly received if the breach has the potential to cause loss or damage to the personal data owner.

A failure to provide such notification provides the personal data owner with the right to submit an official complaint to the Minister.

Internal Data Protection Policy

An electronic system provider that manages or processes personal data must develop and maintain an internal data protection procedure or policy for acquiring, collecting, processing, analysing, storing, displaying, announcing, transferring, transmitting, providing access to, and deleting personal data. This internal policy must take into account such aspects as the applicable technology, human resources, technical procedures, and cost analysis, as well as be in accordance with the PDP Regulation and other prevailing laws and regulations.

The main purpose of adopting such internal policy is to prevent personal data breaches. The adoption of the policy must be accompanied by:

  1. efforts to heighten the awareness of employees as to the importance of personal data protection; and
  2. the provision of training for employees regarding the steps that must be taken to protect the personal data that is managed by the electronic system provider.

We believe the requirement to develop an internal policy represents a significant undertaking that electronic system providers, both in the public and private sectors, will have to face in the coming year.

Other Obligations

Other than the obligations described above, the PDP Regulation sets out a number of miscellaneous requirements that must be complied with by an electronic system provider that manages personal data:

  1. To provide an audit trail record of all activities relating to the management of their electronic system;
  2. To provide the option to choose whether or not personal data may be used and/or revealed to third parties;
  3. To provide access to personal data owners to modify or update their personal data; and
  4. To designate a contact person who can be easily reached.

Formal Complaints Procedure

A personal data owner or electronic system provider may lodge a formal complaint regarding a personal data protection breach with the Minister of Communications and Information Technology's Directorate General of Information Technology Application. The Directorate General will then initiate a consensual dispute resolution process between the parties in dispute.

Such formal complaint may be lodged pursuant to:

  1. A failure on the part of an electronic system provider to provide a written notification of a personal data breach, whether or not this could potentially cause loss; or
  2. Loss caused by a personal data protection breach because of delay on the part of the electronic system provider in providing written notification of the personal data breach.

The formal complaint must be lodged within 30 business days counting from the time when the prejudiced party discovered the personal data breach.

The official or team appointed to handle the complaint has 14 business days from the date of receipt of the complaint to state whether the complaint is complete and is supported by sufficient evidence. A complaint that is incomplete will be returned to the complainant, who will then have 30 business days to fulfil all the requirements.

Upon acceptance of the complaint, the dispute resolution process will be initiated within 14 business days. During this process, the official or team assigned to handle the complaint may recommend to the Minister of Communications and Information Technology that an administrative sanction be imposed on an electronic system provider that is involved, even if the dispute has yet to be resolved.

In the event that the dispute remains unresolved, the injured party may file a civil lawsuit against the electronic system provider in the local district court. If a seizure is required, the relevant law enforcement agency may only confiscate personal data that is relevant to the case, rather than seizing the entire electronic system.

Administrative Sanctions

Any person or legal entity found to be in violation of the PDP Regulation will be subject to the following administrative sanctions:

  1. Verbal or written warning;
  2. Temporary suspension of business activities; and/or
  3. Public disclosure of the violation.

The procedures for imposing such administrative sanctions will be further provided for by the Minister of Communications and Information Technology.

Grace Period

The PDP Regulation gives existing electronic system providers 2 years (at most) to bring themselves into line with its provisions. The most significant adjustments that will need to be made are as follows:

  1. Preparing a Privacy Notice and Consent form;
  2. Encrypting personal data that is stored;
  3. Reporting overseas transfers of personal data to the Minister of Communications and Information Technology (if applicable);
  4. Certifying electronic systems used to manage personal data (once the necessary procedures have been put in place by the Minister);
  5. Establishing an internal policy for personal data protection;
  6. Providing an audit trail record of all activities relating to the management of an electronic system;
  7. Providing access to personal data owners to modify or update their personal data; and
  8. Designating a contact person who can be easily reached.

*** 

AHP Client Alert is a publication of Assegaf Hamzah & Partners. It brings an overview of selected Indonesian laws and regulations to the attention of clients but is not intended to be viewed or relied upon as legal advice. Clients should seek advice of qualified Indonesian legal practitioners with respect to the precise effect of the laws and regulations referred to in AHP Client Alert. Whilst care has been taken in the preparation of AHP Client Alert, no warranty is given as to the accuracy of the information it contains and no liability is accepted for any statement, opinion, error or omission.
