Our Client Alert of November 2019 provided a glimpse of what is in Bank Indonesia's Blueprint of Indonesia Payment System 2025. Given that payment is the lifeblood of any business, the payment system blueprint is relevant not only for banks and fintechs but also for e-commerce and other digital economy operators. The blueprint suggests a future in which open and interoperable platforms will become the norm. This will require the portability of individual customers' (financial) data. Hence the current high visibility of the coined term "Data is the New Oil".
We need to be clear in our vision that personal data does not belong to the e-commerce and financial service operators. Bank Indonesia's 2025 blueprint clearly sets its sights on improving personal data protection, based on the fundamental premise that ownership of personal data rests with the relevant individual customer.
Currently, personal data protection is already stipulated in the Law No. 11/2008 on Electronic Information and Transaction and its implementing regulations. Given the heightened concerns over personal data protection, the Government has to date issued several working drafts on personal data protection.
Personal Data Protection Law and GDPR
It is worth pointing out that the draft personal data protection law is to a considerable extent based on the European Union's General Data Protection Regulation ("GDPR"), which is arguably the gold standard for data protection. The key provisions in GDPR include:
- increased documentation requirements (mapping, record keeping, accountability)
- significantly increased rights of individuals (right to be forgotten, right to object to automated decisions, data portability)
- data breach reporting (72 hours)
Some of these key provisions also exist in the draft personal data protection law.
The key points in the draft personal data protection law worth noting are:
- Personal data - Any data on an individual that is identified and/or can be identified on its own or if combined with other information, either directly or indirectly, through electronic and/or non-electronic systems.
- General personal data v. specific personal data - The draft differentiates between general personal data and specific personal data (this is akin to the concept of sensitive personal data in GDPR).
- Data controllers v. data processors - The draft differentiates data controllers (parties that determine the purpose and control the processing of personal data, e.g. e-commerce platforms) and data processors (parties that process personal data on behalf of data controllers, e.g. payment system providers). A data controller will have the legal responsibility for any data processing activities as long as the appointed data processor conducts the data processing activities in accordance with the instructions from the data controller. Otherwise, the data processor will bear the legal responsibility.
- Offshore data transfers - The draft introduces stricter requirements for conducting offshore data transfers. An offshore data transfer is allowed only if: (i) the receiving country or international organization has a data privacy protection level that is equivalent to or higher than that of the draft personal data protection law, (ii) there is a contractual arrangement between the Indonesian data controller and the offshore receiving party with due observance of data protection, and (iii) there is an international agreement between Indonesia and the country of the receiving party.
- Prohibition on monetization and/or profiling - The draft prohibits the monetization and/or profiling of personal data without explicit consent.
- Sanctions - It is important for financial institutions to note that, compared to the previous data protection regime, the draft personal data protection law imposes more severe sanctions if there is a violation by a company. These sanctions include (i) criminal sanctions on the company and/or its management, (ii) maximum criminal penalties that are three times those that apply to individuals, and (iii) confiscation of cash and assets, prescriptive orders, suspension of activities, and business closure.
End in Sight
We certainly hope that the draft personal data protection law will not be a case of "no end in sight". Given the seriousness with which the Government, Bank Indonesia, and the Financial Services Authority/OJK regard Indonesia's huge potential in the growth of the digital economy in Southeast Asia, we are optimistic that Indonesia will have a personal data protection law in 2020.
Businesses will need to start familiarising themselves with the features and possible consequences of the data protection law and formulating steps and action plans for compliance purposes.