Indonesia

Cross-Border Data Transfer in Indonesia 2023

DENNY RAHMANSYAH AND AGUNG KURNIAWAN SIHOMBING

After almost a decade of discussion, Indonesia finally passed its personal data protection law in September 2022. Law No. 27 of 2022 dated 17 October 2022, regarding Personal Data Protection (PDP Law) becomes Indonesia’s umbrella regulation for personal data protection, both in electronic and non-electronic form. The PDP Law also applies extraterritorially to any personal data processing that has an impact in Indonesia and/or affects Indonesian citizens outside of Indonesia’s jurisdiction.

Consisting of 16 chapters and 76 articles, the PDP Law regulates the main principles of personal data protection, the rights of personal data subjects, and the obligations of Personal Data Controllers (Data Controller) and Personal Data Processors (Data Processor). It also regulates sanctions (administrative and criminal) for violations of the law.

Despite being a comprehensive regulation, most of the provisions of the PDP Law require implementing regulations to be fully implemented. The PDP Law provides a two-year transitional period, beginning 17 October 2022, for Data Controllers, Data Processors, and other parties involved in data processing activities to adjust their data processing practices to the requirements under the PDP Law.

One of the provisions in the new law that lacks clarity concerns cross-border data transfers, an issue of great importance in the digital age. Noting the lack of clarity in the PDP Law, this article will provide a brief overview of the current practice applicable under MOCI Reg. 20/2016 and offer a comparison with the General Data Protection Regulation (GDPR) of the European Union (EU), which was referred to heavily during the drafting of the PDP Law.

Personal Data Under The PDP Law

Article 1(1) of the PDP Law defines “personal data” as data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system. Personal data is further divided into specific and general personal data.

Specific personal data is personal data which, in its processing, may create a bigger impact on the data subject, such as discriminatory acts and other greater losses to the data subject. Specific personal data includes (i) data and information regarding health; (ii) biometric data; (iii) genetic data; (iv) criminal records; (v) children’s data; (vi) personal financial data; and/or (vii) other data in accordance with the relevant laws and regulations.

General personal data includes (i) full name; (ii) gender; (iii) nationality; (iv) religion; (v) marital status; and/or (vi) personal data combined to identify a person.

The PDP Law has yet to provide specific guidance on how one should treat specific personal data differently from general personal data.

Cross-border Data Transfer Under MOCI Reg. 20/2016

Before the PDP Law, MOCI Reg. 20/2016 was the main regulation used as a reference for the protection of personal data in Indonesia. In terms of cross-border data transfers, the requirement for such transfers under MOCI Reg. 20/2016 is the data subject’s consent and coordination with the MOCI.

Article 22 of MOCI Reg. 20/2016 requires companies that operate an electronic system (Electronic System Provider or ESP) to coordinate with the MOCI before and after a crossborder data transfer.

Such coordination is accomplished by completing a designated form with information including the name of the ESP and the recipient of the transferred data; the personal data being transferred; the purpose of the transfer; and the transfer destination. This form is then submitted to the MOCI through a specific MOCI email address.

Prior to the PDP Law, the terms “Data Controller” and “Data Processor” were not explicitly recognised by the relevant regulations. Nonetheless, under the unwritten policy of the MOCI, the party that should comply with the coordination requirement is the Indonesian ESP that acts as a Data Controller.

If personal data transfer is conducted on a regular basis, e.g. multiple transfers hourly, daily, weekly, etc., the MOCI notification may be provided once, at the beginning, assuming that the notification indicates that the transfer shall be conducted on the appropriate routine basis. Then going forward, a report recording all such cross-border transfers should be provided to the MOCI on an annual basis for the preceding 12-month period.

Article 22 of MOCI Reg. 20/2016 requires companies that operate an electronic system (Electronic System Provider or ESP) to coordinate with the MOCI before and after a cross-border data transfer

 In addition to the above requirements, there may be additional obligations related to crossborder data transfers under sectoral regulations, e.g. financial sector regulations.

In practice, however, the coordination requirement with the MOCI is rarely implemented because it relies heavily on the ESP’s awareness of the requirement and its willingness to comply.

Cross-border Data Transfer Under The PDP Law

Under the PDP Law, “Data Controller” is defined as any person, public entity, or international organisation acting individually or jointly in determining the objectives and exercising control over the processing of personal data. “Data Processor” is defined as any person, public entity, or international organisation acting individually or jointly to process personal data on behalf of the Data Controller.

Under the PDP Law, “Data Controller” is defined as any person, public entity, or international organisation acting individually or jointly in determining the objectives and exercising control over the processing of personal data. “Data Processor” is defined as any person, public entity, or international organisation acting individually or jointly to process personal data on behalf of the Data Controller.

The PDP Law defines “transfer” as the displacement, delivery, and/or duplication of personal data both electronically and non-electronically from the Data Controller to another party.

Article 56 of the PDP Law allows Data Controllers to transfer personal data to other Data Controllers and/or Data Processors outside the jurisdiction of the Republic of Indonesia. In conducting a cross-border personal data transfer, the Data Controller is obligated to ensure any of the following:

  1. the jurisdiction where the recipient is located must have an equivalent or higher data protection standard than the PDP Law;
  2. there is adequate and binding personal data protection; or
  3. the valid consent of the data subject for the transfer has been obtained.

A Data Processor is also allowed to transfer personal data to another Data Processor (onward transfer), provided that such transfer is approved by the Data Controller. If the Data Controller fails to fulfill one of the above obligations under Article 56 of the PDP Law, it may be subject to administrative sanctions, including written warning, temporary suspension of personal data processing activities, deletion or destruction of personal data, and/ or administrative fines.

Further provisions on these requirements are expected to be regulated in an implementing regulation, i.e. a Government Regulation. Until such implementing regulation is enacted, there are unanswered questions on the fulfillment of the obligations under Article 56 of the PDP Law and the procedure to demonstrate such compliance.

Comparison With The GDPR

The requirements for cross-border data transfer under the PDP Law are similar to the requirements under the GDPR. Under the GDPR, cross-border data transfer may be allowed if the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection based on the adequacy decision; the data exporter puts in place appropriate safeguards; or a derogation or exemption applies.

The EU Commissioner provides a list of countries that are considered to have adequate protection, which means that data transfers to these countries will not require any specific authorisation. If the recipient country is not included in the list, EU member states must ensure that the recipient country has in place appropriate safeguards, which will also be subject to each state’s authorisation of a Data Protection Authority (DPA). This includes the existence of binding agreements between public authorities. In the absence of the first two requirements, i.e. adequacy decision and appropriate safeguards, certain derogations, including by way of the consent of the data subject, may be used as the basis to conduct the cross-border data transfer.

It remains unseen whether the PDP Law will adopt a similar approach as the GDPR. Absent implementing regulations, it seems that crossborder data transfers from Indonesia can only be conducted based on the consent of the data subject.

 It is also noteworthy that Indonesia has yet to establish a DPA, which is expected to be the authority supervising the implementation of cross-border data transfers under the PDP Law. Based on Article 58 of the PDP Law, the formulation of the DPA will be further established by virtue of a Presidential Regulation.

Closing Remarks

With the rapid development of technology, the PDP Law is necessary to protect personal data. It not only helps ensure the rights of data subjects over their personal data, but it may also increase the confidence of offshore business actors in doing business with Indonesian companies due to an improved framework for personal data protection.

However, the PDP Law requires further implementing regulations and guidance to be implemented fully and provide the intended level of protection. This is especially true with the requirements for conducting cross-border data transfers.

Until the necessary implementing regulations are in place and the DPA established, the current practice for cross-border data transfers will remain in force, subject to the coordination requirement with the MOCI as regulated under MOCI Reg. 20/2016, which enforcement is lacking supervisory power.

b61263ef3b7445712f20ce1a9bc20270

33c986903e49564e8729b00186417cfc

Denny Rahmansyah, Partner

Denny is an extensively experienced lawyer who joined SSEK in 2001. He has been involved in major projects and transactions in various sectors, including TMT (fintech/e-commerce, cryptocurrency, data protection/privacy).

+62 21 2953 2000

dennyrahmansyah@ssek.com

8f8ff1cd3c99d34ae6342a5bcdd12f4e

Agung Kurniawan Sihombing, Associate

Agung works on corporate transactions, privacy matters, and projects and transactions in the ecommerce, payment systems, financial services, environment, employment, and immigration sectors.

+62 21 2953 2000

agungsihombing@ssek.com


This article was published in the April 2023 issue of the IHC Magazine. To read more articles from the issue, click here

IHC_Magazine_Data_Protection_23

Tags: Data Transfer, Indonesia, PDP Law
Related Articles by Firm
Cryptoassets in Indonesia: Regulation Clearing Way for Trading of 229 Cryptoassets Issued
Indonesia’s Commodity Futures Trading Supervisory Body (Badan Pengawas Perdagangan Berjangka Komoditi or “Bappebti”) has issued the long-awaited list of cryptoassets that can be legally traded in Indonesia.
Indonesian government imposes VAT on imported digital goods and services
The tax particularly targets intangible goods and services provided by foreign tech companies that lack a physical presence in Indonesia.
Indonesia’s New Negative Investment List
Presidential Regulation No. 44 of 2016 regarding the List of Business Fields That Are Closed and Business Fields That Are Conditionally Open...
Revisiting the Indonesian Language Law
Indonesia’s Law No. 24 of 2009 regarding the National Flag, Language, Emblem and Anthem (the Language Law) was very likely ...
Indonesia Update
New Body Set Up to Resolve Disputes in the Construction Sector; and a Change to the Mediation Process ...
Indonesia’s Anti-Monopoly Law: Changes Ahead?
Since its enactment in 1999, Indonesia's Anti-Monopoly Law has never been amended. The New Anti-Monopoly Law has been prioritized for enactment by the Government of Indonesia. Here's a look at some proposed major changes.
Non-compete agreements and protecting confidential information
Indonesian labour and employment laws do not expressly impose or regulate non-competition obligations ...
Indonesian regulatory framework for real estate investment funds
In late 2015, the Indonesian Minister of Finance issued Regulation No. 200/PMK.03/2015 regarding Tax Treatment of Taxpayers and Taxable Entrepreneurs ...
Indonesia Widens Door to Foreign Investment
Indonesia released its tenth economic policy package on February 12, 2016, with a focus on boosting foreign direct investment and protecting small and medium enterprises and cooperatives.
Indonesian Import License Regulations
The Indonesian Minister of Trade issued two new regulations which amended importation guidelines effective 1 January 2016.
Ownership of homes or residences by foreigners in Indonesia
Indonesia issued Government Regulation No. 103 of 2015 regarding the Ownership of Homes or Residences by Foreigners Residing in Indonesia ...
When employees leave: non-compete agreements and protecting confidential information
Indonesian labour and employment laws do not expressly impose or regulate non-competition obligations of employees with the exception of the Chief Representative ...
New regulations bring big changes to the Indonesian manpower sector
Two recently released regulations have introduced important changes to the Indonesian manpower sector. While the changes should generally be welcomed by the business ...
Update: Guide to Background Checks in Indonesia
Background checks on employees are not expressly regulated by Indonesian employment laws but certain background checks are subject to the applicant or employee's consent.
Foreign investment restrictions in Indonesia
Restrictions on foreign shareholders in Indonesia are set out in the most recent Negative Investment List, contained in Presidential ...
New Manpower Regulation Eliminates Controversial Work Permit Requirements in Indonesia
Indonesia eases requirements for work permits of expatriates working in the country.
Establishing a presence from abroad
The most common option for an overseas company as a foreign investor to establish a presence in Indonesia is by setting up a limited liability company (Perseroan Terbatas or PT) with foreign ownership ...
Regulatory framework for insurance business
The main legislation for insurance and reinsurance business in Indonesia is the newly enacted Insurance Law, issued on October 17, 2014. The new Insurance Law ...
Indonesia: New Manpower Regulation
Foreign domiciled directors and commissioners must have Indonesian work permit ...
Indonesian Rules on E-Signatures
E-signatures in Indonesia are regulated by Law No. 11 of 2008 regarding electronic information and transactions (Law No. 11/2008) and Government Regulation No. 82 of 2012 regarding the implementation ...
Negative investment list vs. cabotage principle
In furtherance of Indonesia’s commitment to welcome the implementation of the ASEAN Economic Community (AEC) in 2015, ...
Local Authority Curbed in Indonesian Mining Sector
The Indonesian Government appears to be getting serious about stripping local authorities of the power to issue mining licenses.
Mandatory use of Rupiah in Indonesia
Indonesia’s central bank, Bank Indonesia (BI), recently issued BI Regulation No. 17/3/PBI/2015 regarding the mandatory use …
Indonesia: New Regulation on Public-Private Partnerships (PPP)
Public-private partnerships (“PPPs”) interest infrastructure investors in Indonesia for a number of reasons ...
Compliance road map for companies
Compliance is an important issue for foreign investment companies doing business in Indonesia. As international organisations, foreign investment companies are not only …
Food export regulations and licences
Export activities in Indonesia can be carried out by individuals, institutions and business entities. Export goods are classified as free export goods, which are goods that have no restrictions or prohibitions on …
Franchising rules and regulations
With a population of over 250 million, Indonesia is an attractive country for investors, particularly those interested in the distribution, retail and franchise sectors. …
Indonesia Employment Law: Quarterly Review
Update for the 4th quarter of 2014 including: Increased Protection for Outsourced Workers; New Rules on Hiring Expatriates; and Regulations for those Employed in Oil and Natural Gas Business Activities...
New Indonesian Geothermal Energy Law
Indonesia is one of the world’s most volcanically active countries and among the countries with the greatest geothermal energy potential. Dwindling production of traditional energy …
Foreign investment in Indonesian real estate
Indonesia’s Agrarian Law provides that foreigners can only acquire right to use (hak pakai) title for land if they reside in Indonesia. If foreign investors wish to engage in …
Employment Law: Hiring expats, holidays and more
The Indonesian Government has issued a Regulation on the employment of foreign workers and the implementation of education and training programs for Indonesian companion employees. Presidential …
New Negative List Introduces Changes to Health Investment in Indonesia
The Indonesian Government has released a new list of business fields that are closed to investment and business fields that are conditionally open to investment …
Indonesian-language label requirements
The Minister of Trade has updated Regulation No. 67/M-DAG/PER/11/2013 regarding the Obligation to Affix Indonesian-Language Labels on Goods with the issuance of Minister of Trade Regulation No. 10/M-DAG/PER/1/2014 …
Corporate liability for corruption
Anti-corruption compliance is rightly a focus of companies operating in Indonesia. One of the more interesting questions for such companies, particularly foreign investment companies, is whether the company …
Indonesia’s New Negative Investment List
The Indonesian Government has issued a New Negative List that determines which business fields are open, fully or partially with conditions, to investment, including foreign investment. The New Negative List, issued …
New Trade Law and its effect on business
Indonesia’s House of Representatives (Dewan Perwakilan Rakyat or DPR) recently passed into law a long-awaited trade bill. The new Trade Law will act as an underlying regulation for other trade-related …
Processing minerals for export now mandatory
After a long and contentious discussion involving many interested parties, the Government of Indonesia issued a regulation that bans the …
Indonesia’s Language Law and business agreements
In a landmark decision on June 20th, 2013, the West Jakarta District Court annulled a Loan Agreement because it was executed in English …
Indonesian Court Annuls Loan Agreement on Language Law: What Does It Mean for Your Agreements?
In a landmark decision on June 20, 2013, the West Jakarta District Court annulled a Loan Agreement entered into between a local borrower and an offshore lender because it was executed in English only ...
Keeping up with shifting foreign investment rules
Less than six months after issuing new investment guidelines and procedures, Indonesia’s Capital Investment Coordinating Board (BKPM) has …
New divestment rules for mining companies
On September 13th, 2013, the Minister of Energy and Mineral Resources (MEMR) issued MEMR Regulation No. 27 of 2013 regarding …
New import rules for cell phones in Indonesia
Indonesia’s Minister of Trade has issued a new regulation that specifically governs the importation of, among other items, cellular telephones …
BKPM introduces new investment rules in Indonesia
Indonesia’s Capital Investment Coordinating Board (BKPM) has issued BKPM Regulation No. 5 of 2013 regarding Guidelines and Procedures …
Related Articles
Related Articles by Jurisdiction
Investigative Intelligence
The dark side of business in Indonesia

Energy & Natural Resources
Dr Mohamed Idwan (‘Kiki’) Ganie, Managing Partner of Lubis Ganie Surowidjojo, explains the impact of a new law on mineral and coal mining in Indonesia and the refining conditions which must be met in order to ...
Latest Articles