A draft bill on personal data protection (“Draft Data Protection Law”) is planned to be submitted to Indonesia’s House of Representatives for discussion in 2016. The Draft Data Protection Law, once passed, will become the first broad-based data protection law. It has potentially far-reaching consequences for all organisations, as well as individuals, in Indonesia.
The protection of certain information is already required, such as information in electronic systems (see).
The Draft Data Protection Law regulates the handling (i.e. collating, processing, analysing, storing, displaying, disclosing, sending or destroying) of personal data, by data users (which include individuals, corporations, government institutions and other types of organisations).
Types of personal data
The Draft Data Protection Law covers personal data and sensitive personal data.
“Personal data” is defined as any data about an individual who can be identified directly or indirectly by means of electronic or non-electronic systems (either from that data or in combination with other information).
“Sensitive personal data” is defined as personal data requiring special protection consisting of data relating to an individual’s religion, beliefs, health status, physical and mental status, sex life, financial conditions, and other data which may jeopardize the rights of the individual.
Sensitive personal data can only be used upon obtaining written consent from the data subject and for the following purposes:
- protecting the data subject;
- medical purposes;
- performing the functions of authorised persons (e.g. the Police, Corruption Eradication Commission (KPK), etc.) pursuant to prevailing laws and regulations; or
- other purposes if the data are already in the public domain due to actions undertaken by the data subject.
Collection and handling of personal data
Certain requirements and procedures must be followed by data users when they collect, process, analyse, store, disclose, send or destroy personal data.
Before collecting any personal data, a data user must first notify the data subject of the following:
- the legal status of the data user;
- the purpose of collecting the personal data;
- the type(s) of personal data which will be collected;
- the retention period for the personal data;
- details pertaining to any information that will be collected by the data user;
- when the personal data will be destroyed by the data user; and
- the rights of the data subject to consent to the handling of personal data by the data user.
The data user must also obtain the data subject’s consent before collecting any personal data. The requirement to obtain consent from the data subject can be waived if the collection of personal data is (i) mandated by laws and regulations, (ii) required for drafting a contract with the data subject, or (iii) required for protecting or ensuring the safety or economic interests of the data subject.
A data subject shall have the right to access the personal data retained by a data user. A data subject also has the right to modify, update, or rectify the personal data, and to withdraw at any time any consent for a data user to handle the personal data.
Transfer of personal data
A data user may transfer personal data to a third party located in Indonesia or overseas only with the data subject’s consent.
Transfers of personal data overseas are only allowed if the level of personal data protection in the destination jurisdiction is at least comparable to the standard in Indonesia, unless:
- there is an existing contract between the data user and the overseas recipient of the personal data; or
- there is an international agreement between Indonesia and the destination jurisdiction in relation to the cross-border transfer of personal data.
For domestic transfers of personal data, the third-party recipient must have obtained consent from the data subject before handling the personal data. There is no equivalent requirement with transfers overseas.
Installation of video-surveillance devices in public facilities area
The Draft Data Protection Law prohibits the use of video-surveillance devices (e.g. CCTV) in public areas that may violate an individual’s right to privacy, unless:
- such use is in accordance with prevailing laws and regulations;
- such use is for the purposes of preventing or investigating a criminal offence;
- the device is installed as a security facility or in order to prevent fires or accidents; or
- the device is installed for the purposes of traffic management.
Operators of video-surveillance devices are also obliged to display prominently information stating that such devices have been installed.
Data subjects may at any time request (in writing) that a data user stop using the personal data for direct marketing. If a data user continues to use such personal data for direct marketing, the data subject may request that the Commission (see below) issue a warning (either verbal or written) to the data user.
Accuracy, protection and destruction of personal data
Data users must ensure that personal data are accurate and complete where:
- the use of the personal data by the data user will affect the legal status of the data subject; or
- personal data has been disclosed to a third party (with the consent of the data subject).
Data users must protect and ensure the security of the personal data handled by them: (i) implementing security measures to protect personal data from destruction, unlawful modification, disclosure, or processing; and (ii) determining the level of security required to protect personal data, after taking into consideration of the nature of the personal data.
Data users must have security systems in place to protect personal from unlawful access, other unlawful ways of obtaining, using, processing, disclosing, modifying or destroying the personal data and other similar acts.
Data users must immediately destroy all personal data and prevent the destroyed data from being recovered:
- once the retention period (as set out in prevailing law and regulations, if any) has expired;
- once the purpose for collecting the personal data has been achieved; or
- upon request from a data subject.
Where the confidentiality of personal data has not been maintained, the data user must notify the affected data subject(s) without delay. The notice must contain the following as a minimum:
- the personal data that have been disclosed;
- when and how personal data were disclosed;
- the actions that have been taken by the data user; and
- information regarding the representative of the data user whom the data subject may contact to report any loss suffered from the disclosure.
Central Information Commission
The Draft Data Protection Law contains a section on the Central Information Commission (“Commission”). The Commission was established by the government pursuant to Law No. 14 Year 2008 regarding the Disclosure of Public Information and came into operation on 1 May 2010.
The Draft Data Protection Law proposes new functions for the Commission, namely:
- to ensure that organisations will comply with the law;
- to help organisations (both government institutions and the private sector) adopt good data protection practices and to help individuals to better understand how they may protect their personal data from misuse;
- to make and implement plans and policies in relation to personal data protection; and
- to administer and enforce the law, e.g. by receiving data breach complaints, facilitating the resolution of personal data related disputes and issuing warning letters to organisations.
A dispute relating to personal data may be resolved by:
- out-of-court settlement; or
- court proceedings.
Settlement proceedings outside court are voluntary and conducted with the consent of both parties. There are several types of settlement methods, such as negotiation, mediation, conciliation, arbitration, etc. Once a dispute is settled, the parties’ settlement agreement must be made in writing. The settlement agreement will be final and binding.
Court proceedings can only be commenced after the parties have tried amicable settlement but have not reached an agreement.
A person convicted of theft or falsification of personal data for criminal purposes may face imprisonment of up to 1 year as well as, or, a fine of up to Rp.300 million. If the criminal act is committed by a legal entity, then the maximum amount of any fine is Rp.1 billion.
Data users processing personal data before enactment of the Draft Data Protection Law must continue to maintain the confidentiality of the personal data, and comply with the requirements under the Draft Data Protection Law within a year from the date of its enactment.
The development of the Draft Data Protection Law in Indonesia is in line with the development of general data protection laws across a number of other Southeast Asian jurisdictions in the past few years, including Singapore, Malaysia and the Philippines, together with a draft law in Thailand.