Personal Data Protection Regime Gets Boost with New Regulation
After a wait of more than a year, the Minister of Communications and Information (the "Minister") issued Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems ("PDP Regulation") on 1 December 2016. The PDP Regulation, which puts into effect Article 15(3) of Government Regulation No. 82 of 2012 on Electronic Systems and Transactions ("Electronic Systems and Transactions Regulation"), sets out the rules governing the protection of personal data that are stored in electronic form. While its scope does not extend beyond electronic data, we nevertheless believe that it should have a sufficiently wide-ranging impact as to significantly strengthen personal data protection in Indonesia, given the vast extent of electronic communications and transactions nowadays
Prior to discussing the scope of the PDP Regulation, it is important to first understand the definitions of "personal data" and "electronic system provider."
Personal Data Defined
Under the Electronic Systems and Transactions Regulation, and now under the PDP Regulation, "personal data" is defined as:
This definition has been adopted word for word from Law No. 23 of 2006 on Population Administration, as amended by Law No. 24 of 2013 ("Population Administration Law"), the first legislation in Indonesia to define personal data.
The PDP Regulation also provides a definition of "certain data related to an individual," namely:
We believe that this definition of "certain data related to an individual" precisely captures the meaning of personal data, i.e., information that can be used to identify a specific person.
Subject of the PDP Regulation
The primary subject of the PDP Regulation is "electronic system providers." An electronic system provider is defined as:
This definition includes State authorities. If we go by the letter of the regulation, similar standards will be imposed on the management of personal data by both the public and private sectors. Certain Government ministries and agencies, such as the Financial Supervisory Authority (OJK), the Tax Office and the Ministry of Home Affairs, handle huge amounts of personal data, not to mention state companies that provide public services, such as the state-0wned power utility (PLN) and state-owned telecommunications company (Telkom).
Another aspect of the definition is its broad coverage. A public or private entity is subject to the PDP Regulation not only when it "provides" its own services, but also when it "manages" or "operates" an electronic system, presumably on behalf of a third party. As companies embark on outsourcing or managed-service arrangements, it will be crucial that the compliance obligation is assigned to the right party.
The PDP Regulation requires any action taken in relation to personal data to have secured the prior consent of the person who is the owner of such personal data. Such actions include (i) acquisition, (ii) processing and analysis, (iii) storage, (iv) dissemination, disclosure and access, and (v) erasure of personal data, or its destruction in the case of a hard-copy record.
In order to secure such consent, the electronic system provider must provide a standard form in Bahasa Indonesia to be agreed by the person who is being asked to provide his/her personal data (the "Privacy Notice and Consent"). Note that although a Privacy Notice and Consent must be in Bahasa Indonesia, the PDP Regulation does not preclude the making of versions in other languages.
A Privacy Notice and Consent will primarily set out:
- The purpose for which the personal data is being requested;
- How the personal data will be processed; and
- Rights of the personal data owner, including the right to have their personal data modified or updated, to access their personal data, and to have their personal data deleted or destroyed (in the case of a hard-copy record).
Most importantly, the Privacy Notice and Consent will set out the prior consent of the personal data owner for the actions of the electronic system provider, which, according to the PDP Regulation, may include the acquisition, collection, processing, analysing, storage, display, announcement, transfer, transmission, providing access, and disposal of his/her personal data.
If the personal data owner is a minor, the Privacy Notice and Consent must be agreed to by his or her parents or guardian. Under the Indonesian Civil Code, any person under 21 years of age is considered a minor.
Obtaining and Collecting Personal Data
The acquisition and collection of personal data must be based on the purpose(s) set out in the Privacy Notice and Consent. In other words, personal data must serve certain purposes as the basis for its collection. As an example, one's employer may require one's full name, address, contact number, and social security details. However, an employer should not require an employee's credit history or prior medical records, unless relevant. For example, an employer that operates a hazardous workplace, such as a steel mill, would most likely have a right to request medical records in the case of an employee who suffers from epilepsy.
Furthermore, the relevant sectoral government supervisory/regulatory agency may determine the type of personal data that is considered relevant and in accordance with the purposes of electronic system providers operating in their sector of responsibility. For example, the OJK, as the agency responsible for supervising the financial services sector, may determine which personal data is most relevant and in accordance with the purposes of the business operations of banks. The concept of involving the relevant sectoral agencies in determining what is and is not personal data is novel, if applied as intended. However, it may make it more challenging to establish uniformity as to the meaning of personal data across the various sectors.
Personal data may only be acquired and collected based on prior consent, as expressly provided in the Privacy Notice and Consent. When providing prior consent, personal data owners have the right to stipulate that their personal data is confidential and may not be transferred or disclosed to third parties.
Storing Personal Data
The PDP Regulation provides a minimum retention period of 5 years for personal data, unless otherwise provided by a sector-specific regulation. This retention period is calculated from the time when the personal data owner terminates the use of the services provided by the electronic system provider. For example, if a person deletes an email address on 2 January 2017, any personal data related to that email address must be retained until 2 January 2022.
After the expiration of the said minimum retention period, the personal data may be erased, unless it is still to be used or utilized for the purpose that was originally consented to by the personal data owner.
Furthermore, the PDP Regulation requires personal data to be stored in the form of encrypted data. Even though this is not explained, encrypted data generally means data that is encoded in such a way that only authorized parties in possession of the encryption key can access it.
Displaying, Announcing, Transferring, Transmitting and Providing Access to Personal Data
Any display, announcement, transfer, distribution, or provision of access to personal data must be based on consent, as provided in the Privacy Consent and Notice. In addition, the accuracy of the personal data must first be verified. These requirements are applicable to actions conducted between electronic system providers, between electronic system providers and users, and between users.
As an example, in Facebook, generally a person will share his/her personal data with Facebook as well as other Facebook users (between electronic system providers and users, and between users). Using the same example, a Facebook account can usually be used to sign up for other services or platforms. In such a case, Facebook will share the personal data of their user who is signing up for the said other services or platforms, with the consent of the said user (between electronic system providers).
Data Centre for Public Services and Overseas Transfer of Personal Data
The data centre and disaster recovery centre for an electronic system that provides a public service must be located within the territory of Indonesia. Further details regarding this obligation will be provided by the sectoral regulator pursuant to (a) the respective laws and regulations, and (b) in coordination with the Minister.
An overseas transfer of personal data conducted by the Government or a private entity must be reported to the Minister of Communications and Information Technology. Reports must be submitted prior and subsequent to the transfer. The following aspects must be detailed in such reports:
- Country of destination of the transfer;
- Recipient of the transfer;
- Date of the transfer; and
- Reason for or purpose of the transfer.
Given that only providers of public services are required to maintain data centres and data recovery centres in Indonesia, the relevancy of these overseas transfer requirements might be questionable. With the prevalence of web based storage facilities and cloud services, it is increasingly common to view data storage as borderless.
Erasure of Personal Data
The erasure of personal data may be carried out in the following circumstances:
- The retention period has elapsed based on the PDP Regulation, or a sector-specific regulation; or
- Based on request from the personal data owner.
The erasure of personal data must be conducted thoroughly, covering both the deletion of electronic data and the destruction of non-electronic records, so that that the personal data can no longer be retrieved.
The PDP Regulation imposes a comprehensive set of obligations on electronic system providers, including the following requirements:
- to have their electronic systems certified;
- to provide notification in case of a personal data breach;
- to use legal software; and
- to adopt internal policies for personal data protection.
Electronic System Certification
According to the PDP Regulation, an electronic system provider that manages personal data must have their electronic systems certified in accordance with the prevailing laws and regulations. This refers to Electronic System Worthiness Certification requirement under the Electronic Systems and Transactions Regulation, which is a process involving inspections and tests conducted by an authorized and competent institution to ensure that an electronic system is functioning properly. An Electronic System Worthiness Certificate may be issued by the Minister or an institution designed by the minister.
Under the Electronic Systems and Transactions Regulation, the Minister is required to issue an implementing regulation on the Electronic System Worthiness Certification process. However, as this regulation has not been issued to date, the provisions on Electronic System Worthiness Certification have yet to be implemented in practice.
Notification of Personal Data Breach
As also obligated by the Electronic Systems and Transactions Regulation, the PDP Regulation requires an electronic system provider to notify a personal data owner of any breach involving his/her personal data.
The notification may be provided in written or electronic form, depending on what was agreed under the Privacy Notice and Consent, and must give the reason for or cause of the personal data breach. It must be delivered to the personal data owner not more than 14 days subsequent to the occurrence of the breach. Further, the electronic system provider must ensure that it has been duly received if the breach has the potential to cause loss or damage to the personal data owner.
A failure to provide such notification provides the personal data owner with the right to submit an official complaint to the Minister.
Internal Data Protection Policy
An electronic system provider that manages or process personal data must develop and maintain an internal data protection procedure or policy for acquiring, collecting, processing, analysing, storing, displaying, announcing, transferring, transmitting, providing access to, and deleting personal data. This internal policy must take into account such aspects as the applicable technology, human resources, technical procedures, and cost analysis, as well as be in accordance with the PDP Regulation and other prevailing laws and regulations.
The main purpose of adopting such internal policy is to prevent personal data breaches. The adoption of the policy must be accompanied by:
- efforts to heighten the awareness of employees as to the importance of personal data protection; and
- the provision of training for employees regarding the steps that must be taken to protect the personal data that is managed by the electronic system provider.
We believe the requirement to develop an internal policy represents a significant undertaking that electronic system providers, both in the public and private sectors, will have to face in the coming year.
Other than the obligations described above, the PDP Regulation sets out a number of miscellaneous requirements that must be complied with by an electronic system provider that manages personal data:
- To provide an audit trail record of all activities relating to the management of their electronic system;
- To provide the option to choose whether or not personal data may be used and/or revealed to third parties;
- To provide access to personal data owners to modify or update their personal data; and
- To designate a contact person who can be easily reached.
Formal Complaints Procedure
A personal data owner or electronic system provider may lodge a formal complaint regarding a personal data protection breach with the Minister of Communications and Information Technology's Directorate General of Information Technology Application. The Directorate General will then initiate a consensual dispute resolution process between the parties in dispute.
Such formal complaint may be lodged pursuant to:
- A failure on the part of an electronic system provider to provide a written notification of a personal data breach, whether or not this could potentially cause loss; or
- Loss caused by a personal data protection breach because of delay on the part of the electronic system provider in providing written notification of the personal data breach.
The formal complaint must be lodged within 30 business days counting from the time when the prejudiced party discovered the personal data breach.
The official or team appointed to handle the complaint has 14 business days from the date of receipt of the complaint to state whether the complaint is complete and is supported by sufficient evidence. A complaint that is incomplete will be returned to the complainant, who will then have 30 business days to fulfil all the requirements.
Upon acceptance of the complaint, the dispute resolution process will be initiated within 14 business days. During this process, the official or team assigned to the handle the complaint may recommend to the Minister of Communications and Information Technology that an administrative sanction be imposed on an electronic system provider that is involved, even if the dispute has yet to be resolved.
In the event that the dispute remains unresolved, the injured party may file a civil lawsuit against the electronic system provider in the local district court. If a seizure is required, the relevant law enforcement agency may only confiscate personal data that is relevant to the case, rather than seizing the entire electronic system.
Any person or legal entity found to be in violation of the PDP Regulation will be subject to the following administrative sanctions:
- Verbal or written warning;
- Temporary suspension of business activities; and/or
- Public disclosure of the violation.
The procedures for imposing such administrative sanctions will be further provided for by the Minister of Communications and Information Technology.
The PDP Regulation gives existing electronic system providers 2 years (at most) to bring themselves into line with its provisions. The most significant adjustments that will need to be made are as follows:
- Preparing a Privacy Notice and Consent form;
- Encrypting personal data that is stored;
- Reporting overseas transfers of personal data to the Minister of Communications and Information Technology (if applicable);
- Certifying electronic systems used to manage personal data (once the necessary procedures have been put in place by the Minister);
- Establishing an internal policy for personal data protection;
- Providing an audit trail record of all activities relating to the management of an electronic system;
- Providing access to personal data owners to modify or update their personal data; and
- Designating a contact person who can be easily reached.
AHP Client Alert is a publication of Assegaf Hamzah & Partners. It brings an overview of selected Indonesian laws and regulations to the attention of clients but is not intended to be viewed or relied upon as legal advice. Clients should seek advice of qualified Indonesian legal practitioners with respect to the precise effect of the laws and regulations referred to in AHP Client Alert. Whilst care has been taken in the preparation of AHP Client Alert, no warranty is given as to the accuracy of the information it contains and no liability is accepted for any statement, opinion, error or omission.