Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

Data protection legislation in Indonesia is undeniably behind the international curve. While many countries have passed detailed data protection laws, Indonesia is yet to pass any comprehensive laws on this issue. At present, the primary regulations on data protection are the Law Concerning Electronic Information Technology (11/2008) and its implementing regulation, the Government Regulation Concerning Electronic Systems and Transaction Providers (82/2012).

Are any changes to existing data protection legislation proposed or expected in the near future?

The government is preparing the Draft Law on Personal Data Protection and the Draft Regulation on the Protection of Personal Data in the Electronic System, both of which are expected to be enacted within the next two years.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

Article 1(27) of the Government Regulation Concerning Electronic Systems and Transaction Providers defines ‘personal data’ as data pertaining to a specific individual, the accuracy and confidentiality of which must be protected and maintained.

In addition, Articles 1(5) and 1(6) of the Law Concerning Electronic Information Technology define an ‘electronic system provider’ as a state administrator, person, business or public entity that uses a set of electronic devices and procedures to prepare, collect, process, analyse, store, display, disclose, send or disseminate electronic information.

The Government Regulation Concerning Electronic Systems and Transaction Providers imposes general obligations on electronic system providers specifically in relation to personal data, including to:

  • maintain the confidentiality, integrity and availability of personal data;
  • ensure that consent is obtained from the personal data owner for the purpose of – among other things – the collection and use of personal data; and
  • ensure that the use and disclosure of personal data is based on the personal data owner’s consent and is in accordance with the purpose conveyed to the personal data owner at the time of collection. 

Scope and jurisdiction
Who falls within the scope of the legislation?

The Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers apply to electronic system providers that collect, process and store electronic information and personal data in an electronic system.

In addition, the Law Concerning Electronic Information Technology applies to every person who resides within Indonesian jurisdiction and conducts the activities regulated by the law. It also applies to every person conducting the regulated activities who resides outside Indonesian jurisdiction where the activity has a legal impact within Indonesian jurisdiction or harms Indonesian national interests. 

What kind of data falls within the scope of the legislation?

The Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers govern only the protection of electronic information and personal data in an electronic system.

According to Article 1(1) of the Law Concerning Electronic Information Technology, ‘electronic information’ means one group or groups of electronic data, including writings, sounds, images, maps, drafts, photographs, electronic data interchanges, emails, telegrams, telex messages, telecopy, letters, signs, figures, access codes and symbols or perforations that have been processed for meaning or are understandable to persons qualified to understand them.

Are data owners required to register with the relevant authority before processing data?

The obligation to register applies only to public service electronic system providers. Registration is optional for those that are not in public service.

Is information regarding registered data owners publicly available?

There is no obligation for a list of registered data owners to be publicly available and no such list is available at present.

Is there a requirement to appoint a data protection officer?

There is no requirement to appoint a data protection officer under the Law Concerning Electronic Information Technology or the Government Regulation Concerning Electronic Systems and Transaction Providers. However, the Government Regulation Concerning Electronic Systems and Transaction Providers mandates that every expert hired by an electronic system provider must be certified and competent in electronic or IT systems.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The Ministry of Communication and Information is responsible for the enforcement of data protection matters. It has the authority to impose administrative penalties on electronic service providers that fail to comply with the Government Regulation Concerning Electronic Systems and Transaction Providers. However, if the non-compliance involves a criminal act, the case will be handled by the police or a Ministry of Communication and Information civil servant investigator.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

There are no limitations on the collection, storage and processing of personal data, as long as proper consent from the personal data owner has been obtained beforehand.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There is no limitation period for retaining personal data that is stored in an electronic system.

Do individuals have a right to access personal information about them that is held by an organisation?

There is no express provision conferring on an individual the right to access his or her personal data. The Government Regulation Concerning Electronic Systems and Transaction Providers stipulates that an electronic system provider must maintain the confidentiality, integrity and availability of personal data, but it is unclear whether this can be interpreted to mean that individuals have the right to access their personal data. 

Do individuals have a right to request deletion of their data?

There is no express provision that confers on an individual the right to have his or her personal data deleted. In the absence of any prohibition, individuals should be able to request the deletion of their personal data.

Consent obligations
Is consent required before processing personal data?

Consent must be obtained from the personal data owner for the purpose of – among other things – the collection and use of personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

In principle, consent from the personal data owner is required unless determined otherwise by applicable laws and regulations. One example where consent is not required is when the personal data is collected as part of a legitimate request from an authorised authority for law enforcement purposes.

What information must be provided to individuals when personal data is collected?

The Government Regulation Concerning Electronic Systems and Transaction Providers requires an electronic system provider to ensure that the use and disclosure of data is based on the personal data owner’s consent and is in accordance with the purpose conveyed to the personal data owner at the time of collection. A broad interpretation of this provision implies that an electronic system provider must convey the collection purpose to the personal data owner at the time of collection.

In addition, the regulation also requires an electronic system provider to provide an electronic system user with:

  • its identity;
  • the object of the electronic transaction;
  • details of the electronic system’s security;
  • a user manual;
  • the contractual terms and conditions for the electronic transaction;
  • the procedures for reaching a transaction agreement; and
  • a privacy guarantee or personal data protection guarantee.

Article 1(9) of the regulation defines an ‘electronic system user’ as any person, state administrator, business entity or society that utilises the goods, services, facilities or information provided by an electronic system provider.

The scope of this requirement is broad and covers more than just personal data.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Under the Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers, electronic system providers must do the following to secure electronic systems that store personal data:

  • implement a risk management scheme to mitigate damages and losses;
  • maintain management policies and operational work procedures;
  • maintain a continuous auditing mechanism;
  • maintain and implement procedures and means to avoid parties interfering with the system or causing it to fail or be damaged; and
  • implement a security system that includes prevention procedures and countermeasures against threats and attacks enabling parties to interfere with or damage the system or cause it to fail.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Electronic service providers must provide written notification to personal data owners in the event that the confidentiality of their personal data has been breached.

Are data owners/processors required to notify the regulator in the event of a breach?

In the event that external parties have caused an electronic system to fail or have seriously interfered with an electronic system, electronic service providers must secure the data and immediately notify law enforcement or the Sectoral Supervisory and Management Agency.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Unsolicited electronic marketing is regulated by Section 4.6.8 of the Indonesian Advertising Ethics – a code of ethics that applies to any advertising material published in Indonesia and to any person or business operating within the Indonesian jurisdiction.

The Indonesian Advertising Ethics require marketing emails to include:

  • the reason why the marketing material has been sent to the recipient;
  • clear and simple guidance on how to unsubscribe from the marketing material, including the provision of an opt-out mechanism;
  • the sender’s identity; and
  • a guarantee that the recipient’s personal data will be treated with confidentiality, in accordance with his or her rights. 

Cookies
Are there rules governing the use of cookies?

Section 4.6.7 of the Indonesian Advertising Ethics requires website visitors to be informed of the gathering of data via cookies.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

The Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers include no specific rules pertaining to the transfer of data outside the Indonesian jurisdiction. Specifically for personal data, consent from the personal data owner must be obtained before the data transfer.

Are there restrictions on the geographic transfer of data?

There are no restrictions on the geographic transfer of data under the Law Concerning Electronic Information Technology or the Government Regulation Concerning Electronic Systems and Transaction Providers.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Consent must be obtained from the personal data owner before personal data is transferred to a third party. Once the personal data is transferred, the receiving party will become an electronic system provider and will therefore be subject to the requirements set out in the Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers. 

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

Failure to comply with the Law Concerning Electronic Information Technology or the Government Regulation Concerning Electronic Systems and Transaction Providers could result in:

  • a warning letter;
  • an administrative fine;
  • temporary suspension; or
  • exclusion from the public service provider, electronic agent, electronic certification provider or reliability certification institution lists. 

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Under the Law Concerning Electronic Information Technology, anyone may file a civil claim against a party that operates an electronic system or uses information technology that causes damages. 

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

In general, provisions regarding cybercrime and cybersecurity are regulated by the Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Indonesia has adopted no international standards pertaining to cybersecurity.

Which cyber activities are criminalised in your jurisdiction?

The following activities are criminalised in the Indonesian jurisdiction:

  • the distribution or transmission of electronic material that involves:
    • pornography or child pornography;
    • gambling;
    • defamation; or
    • extortion;
  • the dissemination of:
    • wrongful and misleading information that leads to consumer loss in an electronic transaction; or
    • hate speech on ethnicity, religion, race or culture;
  • the transmission of electronic materials that contain threats of violence;
  • unauthorised access to computer or electronic systems;
  • the unauthorised interception of electronic information or documents that are not intended for the public. This includes both a regular interception and an interception that changes, deletes or interrupts the transmission of the electronic information or documents;
  • the amendment, expansion, reduction, transmission, corruption, removal, hiding or making public of electronic information or documents that are owned by other parties or the public, without proper rights; and
  • any activity that interferes with the electronic system or its purpose.

Which authorities are responsible for enforcing cybersecurity rules?

The Indonesian police and the Ministry of Communication and Information. 

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

The Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers neither require nor prohibit companies from obtaining cybersecurity insurance. In practice, multiple insurers offer cybersecurity insurance.

Are companies required to keep records of cybercrime threats, attacks and breaches?

The Government Regulation Concerning Electronic Systems and Transaction Providers requires electronic system providers to maintain audit trails for any electronic system operational activities, including cybercrime threats and intrusion activities pertaining to the electronic system. The audit process must include:

  • the maintenance of transaction logs in accordance with data retention requirements governed by applicable laws and regulations;
  • the notification of consumers on the completion of electronic transactions;
  • the monitoring of audit trails to ensure that any attempt or occurrence of infiltration will be detected (this must be reviewed or evaluated regularly); and
  • the confirmation that a third party’s audit process is in accordance with standards determined by the electronic system provider if auditing of the processing system is the third party’s responsibility. 

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

From a criminal perspective, anyone who learns of cybercrime should file a criminal report with the police.

In case of failure of or serious interference with an electronic system caused by external parties, the electronic service provider must immediately notify law enforcement or the Sectoral Supervisory and Management Agency.

Are companies required to report cybercrime threats, attacks and breaches publicly?

There are no specific obligations under the Law Concerning Electronic Information Technology or the Government Regulation Concerning Electronic Systems and Transaction Providers to report cybercrime threats, attacks or breaches publicly.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

The Law Concerning Electronic Information Technology provides for criminal penalties, including imprisonment (ranging from six to 12 years) and fines (ranging from Rp600 million to Rp12 billion), depending on the type of crime.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Failure to implement a risk management scheme and maintain a management policy, operational work procedures and a continuous audit mechanism for an electronic system as required under the Government Regulation Concerning Electronic Systems and Transaction Providers can result in the following administrative penalties:

  • a warning letter;
  • an administrative fine;
  • temporary suspension; or
  • exclusion from the public service provider, electronic agent, electronic certification provider or reliability certification institution lists.