The management of personal data under Indonesian law is largely consent-based. This consent must be given in writing by the owners of the personal data, either manually or electronically, after the owners are given a full explanation of any actions that will be taken in regard to their personal data – including any cross-border transfer.
Any company that obtains such consent can manage the personal data as long as this management falls under the scope of the consent given. So, for example, a company may not disclose the personal data if the owner of the data has not given his or her consent for such disclosure.
Transfer of Personal Data Outside of Indonesia
The newly issued Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (“Reg. 20/2016”) provides that any electronic system provider that operates in Indonesia must fulfill several requirements if it intends to transfer personal data outside of Indonesia.
First, the electronic system provider must coordinate with the MOCI or an authorized government official prior to and after the transfer. This coordination includes (i) reporting the planned transfer of personal data, including at least the destination country, the full name of the party that will receive the personal data, the date of the transfer, and the reason or purpose of the transfer; and (ii) reporting the result of the transfer.
Second, the electronic system provider must fulfill all applicable regulatory provisions on the cross-border exchange of personal data.
That said, there are currently no further regulatory provisions on the cross-border exchange of personal data. Such provisions are contained in a draft law on the protection of personal data. This draft law stipulates that any cross-border transfer of personal data must obtain the prior consent of the owner of the transferred personal data.
This transfer of personal data must be done in accordance with the purpose of the acquisition and collection of the data.
Definition of an Electronic System Provider
An electronic system provider is defined as any person, state administrator, business entity, or community that provides, manages and/or operates an electronic system, either individually or collectively, to electronic system users for its own or another party’s interests.
Accessing and Storing Personal Data
Reg. 20/2016 provides for the right of owners of personal data to access their data stored by an electronic system provider, including the right to change or update the data. It also provides that electronic system providers that provided, stored and managed personal data prior to the enactment of Reg. 20/2016 must continue to maintain the privacy of the personal data they manage and must comply with all provisions of Reg. 20/2016 no later than two years after its enactment (i.e., by December 1, 2018).
Non-compliance with the provisions of Reg. 20/2016 may result in administrative sanctions. These sanctions are (i) written warnings, (ii) temporary suspension of business activities, and/or (iii) an announcement on the website of the non-compliant party.