On August 20, 2015, the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) filed comments on the Indonesian Draft Regulation proposed by the Minister of Communication and Information (RPM) on the Protection of Personal Data in Electronic Systems. The comments were limited to the issue of cross-border data transfers and were submitted in the form of a new CIPL white paper entitled Cross-Border Data Transfer Mechanisms.
This white paper is directed at all policy makers and legislators who are drafting privacy laws that contain cross-border transfer restrictions for personal data. The paper argues that while an approach to cross-border data transfers that relies on “accountability” rather than transfer restrictions is both viable and preferable, an increasing number of countries are including cross-border transfer restrictions modeled on the EU example. Given this trend, privacy laws that contain cross-border data transfer restrictions should also include the full range of existing exceptions and derogations to such restrictions, as well as a comprehensive set of available cross-border transfer mechanisms to enable accountable global data flows. These mechanisms include:
- Contracts: The law should allow cross-border transfers on the basis of contractual arrangements that stipulate appropriate data privacy and security controls to be implemented by the organizations.
- Corporate Rules: The law should allow cross-border transfers based on binding corporate rules.
- Cross-Border Rules: The law should allow for enforceable corporate cross-border privacy rules modeled on the APEC Cross-Border Privacy Rules.
- Codes of Conduct, Certifications, Privacy Marks, Seals and Standards: The law should allow for the use of certified codes of conduct, certifications, privacy marks, and seals and standards as cross-border transfer mechanisms.
- “Safe Harbors” and Self-Certification Arrangements: The law should allow the possibility of cross-border transfers based on negotiated safe harbor arrangements, including arrangements that rely on self-certification to a given privacy standard, coupled with enforcement.
- Consent: The law should allow cross-border data transfers on the basis of data subject consent.
- Adequacy and Whitelists: The law should allow adequacy rulings and “whitelists.”
Any derogations and exceptions to cross-border data transfer restrictions should be comprehensive in light of global practice.