As mentioned in a previous e-bulletin, numerous regulatory uncertainties exist under Government Regulation No. 82 of 2012 on the Management of Electronic Systems and Transactions (“Regulation 82”), including around data localisation requirements in Indonesia.
Following lengthy public consultations led by the Ministry of Communication and Information Technology (“MOCIT”), on 10 October 2019 the Indonesian government finally issued Government Regulation No. 71 of 2019 on the Management of Electronic Systems and Transactions (the “New Regulation”).
The New Regulation, which came into effect on 10 October, revokes Regulation 82 and introduces much needed clarity on certain imprecise regulatory concepts under Regulation 82 and its umbrella legislation, Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 (the “EIT Law”).
Scope of Personal Data. The New Regulation introduces a new definition of “personal data”, covering any data about an individual who is identified or identifiable, alone or in combination with other information, directly or indirectly, through an electronic or a non-electronic system.
The definition differs from that set out in MOCIT Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (the “Data Regulation”). However, the New Regulation clarifies that implementing regulations relating to Regulation 82 will remain valid insofar as they are consistent with the New Regulation and its implementing regulations. Since the Data Regulation is an implementing regulation relating to Regulation 82, the definition of personal data found in the Data Regulation no longer applies.
Distinction between Public Scope and Private Scope ESOs. Under Regulation 82, an Electronic System Operator (“ESO”) providing a public service was required to locate its data centre and disaster recovery centre within Indonesia. However, since Regulation 82 did not define the term “public service”, it was difficult for ESOs to determine whether the requirement applied to them.
The New Regulation clarifies that “Public Scope ESO” means any National Institution Operator (defined as any central or regional legislative, executive, judicial or other institution established by law), and any institution appointed by a National Institution Operator, that operates an electronic system, excluding financial services regulators.
The New Regulation also includes a concept of a “Private Scope ESO”, defined as any person, legal entity or community that operates an electronic system, excluding those operating in the financial services sector. Private Scope ESOs include ESOs owning web portals, websites and online applications that are used for:
- providing, managing, or operating offers or trades in goods or services,
- providing, managing or operating financial transaction services,
- delivering paid digital material or content through a data network,
- providing, managing, or operating communication services,
- search engine services or providing electronic information services in the form of text, sound, images, animation, music, video, film and games, or any combination thereof, and/or
- processing Personal Data for operational activities serving the community involved in the relevant electronic transaction.
Registration of Electronic Systems. Both Public Scope ESOs and Private Scope ESOs must register their Electronic Systems before they can be rolled out or, for existing Private Scope ESOs, within 12 months (i.e., by 10 October 2020). Under Regulation 82, the registration requirement applied only to Public Scope ESOs; in practice, however, MOCIT adopted an expansive (and sometimes inconsistent) interpretation of that requirement by requiring certain Private Scope ESOs to register their Electronic Systems as well.
Data localisation requirement. The data localisation requirement only applies to Public Scope ESOs, which must place their data centres and disaster recovery centres in Indonesia unless the storage technology is not yet available in Indonesia (as confirmed by a special MOCIT committee). In contrast, Private Scope ESOs can locate their data centres and recovery centres outside Indonesia.
Strategic Electronic Data. The New Regulation states that the government will specify which National Institution Operators and “institutions” hold strategic electronic data that must be protected. Those so identified must prepare electronic documents and electronic back-ups that must be linked to a particular data centre to ensure data security. While “strategic electronic data” is not defined, it is explained that the term covers National Institution Operators or institutions that own vital information infrastructure in certain sectors, including the following:
- government administration
- energy and mineral resources
- information and communication technology
- food (resilience)
- other sectors that are specified by the President of Indonesia.
Regulatory guidance will be needed on the location of the data centres and on whether the definition of “institution” includes any Private Scope ESOs. Further details are expected in an implementing regulation.
Right to Erasure and Right to Delisting. Under the EIT Law, an ESO had to delete irrelevant electronic information or electronic documents under its control if requested by the relevant person based on a court order. The need for a court order was seen by many to contradict the principle that an individual has the right to request an ESO for their personal data to be deleted at any time.
The New Regulation distinguishes between the “right to erasure” and the “right to delisting”. Under the right to erasure, individuals may ask an ESO to delete irrelevant electronic information or electronic documents (including personal data obtained and processed without their consent). Under the right to delisting, an individual may ask an ESO to delist irrelevant electronic information or electronic documents from an Internet search engine through a court order.
Additional requirements for processing personal data. The processing of personal data must be based on the “lawful consent” (persetujuan yang sah) of the relevant individual for one or more specific purposes and must be needed for one or more of the following reasons:
- to satisfy contractual obligations under an agreement entered into by the personal data owner, or to fulfil a request from the personal data owner at the time the parties enter into the agreement,
- to satisfy any legal obligations of the data controller contained in any applicable regulations,
- to protect the “vital interest” of the personal data owner (i.e., very important matters relating to someone’s whereabouts),
- to implement the authority of the data controller under applicable regulations,
- to satisfy the obligations of the data controller in the context of public service for the interest of the public, and/or
- to satisfy any other lawful interest of the personal data controller or owner (together, the “Additional Requirements”).
The Additional Requirements appear to be in addition to the requirement for consent, rather than alternative justifications.
The New Regulation provides that “lawful consent” means consent that is delivered explicitly, cannot be concealed, or is not based on error, negligence or coercion.
As the Indonesian government and regulators focus on laying out a framework for data protection in Indonesia, an important principle to bear in mind is the need for consistency across the various regulations.
A Bill on Protection of Personal Data drafted in June 2019 (the “Privacy Bill”) has been delivered by MOCIT to the Ministry of State Secretariat and is expected to be issued later this year. Despite a strong push by MOCIT, there has been significant delay in the passage of the Privacy Bill. Once enacted, the Privacy Bill would for the first time provide an overarching framework for personal data protection in Indonesia.
Currently, personal data protection in Indonesia is piecemeal, being set out in several regulations. Much of the Privacy Bill draws on concepts in the European Union’s General Data Protection Regulation (“GDPR”), which was issued on 24 May 2016 and has been in effect since 25 May 2018. The Privacy Bill includes concepts of data controllers and data processors taken straight from the GDPR, but also includes other concepts unique to Indonesia, such as imposing criminal sanctions for certain data breaches.