By Eko Basyuni and Zacky Husein, Assegaf Hamzah & Partners
After more than a year in the pipeline, Indonesia has issued rules that mark the start of a new era for personal data protection in the country.
The new regulation is limited to personal data stored in electronic form, which might appear to limit its scope, but the extent of electronic communications and transactions these days means it should have a sufficiently wide-ranging impact.
Issued on December 1, 2016 by the Minister of Communications and Information Technology, Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (the “PDP Regulation”) implements Article 15(3) of Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions (the “Electronic Systems and Transactions Regulation”).
Electronic system providers
The primary subject of the PDP Regulation is “electronic system providers”, which are defined as:
“Any person, state authority, business entity or community that provides, manages, and/or operates an electronic system, whether independently or jointly, in the interest of the electronic system’s users and/or the interests of other parties.”
This definition includes state authorities. If we go by the letter of the regulation, similar standards will be imposed on the management of personal data by both the public and private sectors. Certain government ministries and agencies, such as the Financial Services Authority (OJK), the Tax Office and the Ministry of Home Affairs, handle huge amounts of personal data, not to mention state companies that provide public services, such as the state-owned power utility (PLN) and the state-owned telecommunications company (Telkom).
Another aspect of the definition is its broad coverage. A public or private entity is subject to the PDP Regulation not only when it “provides” its own services, but also when it “manages” or “operates” an electronic system, presumably on behalf of a third party. As companies embark on outsourcing or managed-service arrangements, it will be crucial that the compliance obligation is assigned to the right party.
The PDP Regulation requires that any action taken in relation to personal data be based on the prior consent of the person who owns that data. To obtain such consent, the electronic system provider must provide a standard form in Bahasa Indonesia (the Privacy Notice and Consent) to be agreed by the person who is being asked to provide his/her personal data. Although the Privacy Notice and Consent must be in Bahasa Indonesia, the PDP Regulation does not preclude versions in other languages.
A Privacy Notice and Consent will primarily set out:
- The purpose for which the personal data is being requested;
- How the personal data will be processed; and
- Rights of the personal data owner, including the right to have their personal data modified or updated, to access their personal data and to have their personal data deleted or destroyed (in the case of a hard-copy record).
Most importantly, the Privacy Notice and Consent records the prior consent of the personal data owner to the actions of the electronic system provider, which, according to the PDP Regulation, may include the acquisition, collection, processing, analysis, storage, display, announcement, transfer, transmission, provision of access and disposal of his/her personal data.
If the personal data owner is a minor, the Privacy Notice and Consent must be agreed to by his or her parents or guardian. Under the Indonesian Civil Code, any person under 21 years of age is considered
Obtaining and collecting personal data
“Personal data” is defined as “certain data related to an individual”, i.e. information that can be used to identify a specific person. The acquisition and collection of personal data must be based on the purpose(s) set out in the Privacy Notice and Consent; in other words, personal data may only be collected for stated purposes.
Furthermore, the relevant sectoral government supervisory/regulatory agency may determine the type of personal data that is considered relevant and in accordance with the purposes of electronic system providers operating in its sector of responsibility. For example, the OJK, as the agency responsible for supervising the financial services sector, may determine which personal data is most relevant and in accordance with the purposes of the business operations of banks. The concept of involving the relevant sectoral agencies in determining what is and is not personal data is novel, if applied as intended. However, it may make it more challenging to establish uniformity as to the meaning of personal data across the various sectors.
When providing prior consent, personal data owners have the right to stipulate that their personal data is confidential and may not be transferred or disclosed to third parties.
Storing personal data
The PDP Regulation provides a minimum retention period of five years for personal data, unless otherwise provided by a sector-specific regulation. This retention period is calculated from the time when the personal data owner terminates the use of the services provided by the electronic system provider. For example, if a person deletes an email address on January 2, 2017, any personal data related to that email address must be retained until January 2, 2022.
After the expiration of the said minimum retention period, the personal data may be erased, unless it is still to be used or utilised for the purpose that was originally consented to by the personal data owner.
Furthermore, the PDP Regulation requires personal data to be stored in encrypted form. Although the regulation does not define the term, encrypted data generally means data that has been encoded so that only authorised parties in possession of the encryption key can read it. In practice that protection is only as good as the handling of the key: if the key is stored next to the ciphertext, or every application account can use it, encryption at rest defends against little more than a stolen disk.
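As an added illustration of what encrypted storage means in practice (example code written for this article, not taken from the regulation or from the authors), the Go program below encrypts a personal data record with AES-256-GCM, an authenticated mode, so that the stored blob is unreadable without the key and any modification, or any attempt to copy one owner's ciphertext into another owner's record, is rejected on read. The record layout, the record identifiers and the sample values are constructed for the example; the regulation prescribes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PersonalData is a constructed sample record. The field names are an assumption
// made for this example; the regulation does not prescribe a record layout.
type PersonalData struct {
	Name  string `json:"name"`
	NIK   string `json:"nik"` // Indonesian national identity number
	Email string `json:"email"`
}

// NewKey generates a random 256-bit AES key. In a real deployment the key is
// issued and held by a KMS or HSM and is never written next to the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal serialises the record and encrypts it with AES-256-GCM. The record ID is
// bound as associated data, so a ciphertext copied from one record into another
// fails to decrypt. Layout of the returned blob: nonce || ciphertext || tag.
func Seal(key []byte, recordID string, rec PersonalData) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the blob, the key or the record ID makes the
// GCM tag check fail, so corrupted or swapped data is rejected rather than returned.
func Open(key []byte, recordID string, blob []byte) (PersonalData, error) {
	var rec PersonalData
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("stored blob is shorter than a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("record %s: %w", recordID, err)
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values; not real personal data.
	rec := PersonalData{Name: "Budi Santoso", NIK: "3171010101010001", Email: "budi@example.com"}
	blob, err := Seal(key, "user-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, none of them readable without the key\n", len(blob))
	got, err := Open(key, "user-42", blob)
	fmt.Println("same key, same record:", got, err)
	_, err = Open(key, "user-43", blob) // same key, wrong record: rejected
	fmt.Println("same key, swapped record:", err)
}
```

GCM's random 96-bit nonce is safe for a moderate number of records per key; a provider storing very large volumes under one key should rotate keys (which a KMS makes routine) rather than rely on the nonce never repeating. Binding the record identifier as associated data is what turns "encrypted" into "encrypted and attributable to one owner", which is the property that matters when data is displayed or transferred on the basis of that owner's consent.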
Any display, announcement, transfer, distribution or provision of access to personal data must be based on consent, as provided in the Privacy Notice and Consent. In addition, the accuracy of the personal data must first be verified. These requirements apply to actions conducted between electronic system providers, between electronic system providers and users, and between users.
The data centre and disaster recovery centre for an electronic system that provides a public service must be located within the territory of Indonesia. Further details regarding this obligation will be provided by the sectoral regulator pursuant to the respective laws and regulations, and in coordination with the Minister.
An overseas transfer of personal data must be reported to the Minister both before and after the transfer, stating the country of destination, the recipient, the date and the reason for or purpose of the transfer.
Given that only providers of public services are required to keep their data centres and disaster recovery centres in Indonesia, the relevance of these overseas transfer requirements might be questioned. With the prevalence of web-based storage and cloud services, it is increasingly common to view data storage as borderless.
Electronic system certification
According to the PDP Regulation, electronic system providers that manage personal data must have their electronic systems certified in accordance with the Electronic System Worthiness Certification requirement under the Electronic Systems and Transactions Regulation. However, as the implementing rules for that certification have not been issued to date, the provisions on Electronic System Worthiness Certification have yet to be applied in practice.
Notification of personal data breach
As is also required by the Electronic Systems and Transactions Regulation, the PDP Regulation requires an electronic system provider to notify a personal data owner of any breach involving his/her personal data.
The notification may be provided in written or electronic form, depending on what was agreed under the Privacy Notice and Consent, and must give the reason for or cause of the personal data breach. It must be delivered to the personal data owner not more than 14 days after the occurrence of the breach. Further, the electronic system provider must ensure that it has been duly received if the breach has the potential to cause loss or damage to the personal data owner.
A failure to provide such notification provides the personal data owner with the right to submit an official complaint to the Minister.
Internal data protection policy
An electronic system provider that manages or processes personal data must develop and maintain an internal data protection procedure. That procedure must include measures to raise employees’ awareness of the importance of personal data protection, and training for employees in the steps that must be taken to protect the personal data managed by the provider.
We believe the requirement to develop an internal policy represents a significant undertaking that electronic system providers, both in the public and private sectors, will have to face in the coming year.
The PDP Regulation also sets out several miscellaneous requirements that must be complied with by an electronic system provider that manages personal data:
- To provide an audit trail record of all activities relating to the management of its electronic system;
- To provide the option to choose whether personal data may be used and/or revealed to third parties;
- To provide access to personal data owners to modify or update their personal data; and
- To designate a contact person who can be easily reached.
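The audit trail requirement in the first item above is the one place in this list where an engineering choice matters: a log that any administrator can silently edit has little evidential value if a breach is later disputed before the Minister or a court. As an added example, not part of the regulation or of the authors' text, the Go program below keeps a hash-chained audit log in which each entry commits to its predecessor, so Verify reports any entry that was altered, removed or reordered after it was written. The field set, the actors and the timestamps are assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEntry is one record of an action taken on personal data. The field set is
// an assumption for this example; the regulation only requires that an audit
// trail of management activities exist.
type AuditEntry struct {
	Seq      int       `json:"seq"`
	At       time.Time `json:"at"`
	Actor    string    `json:"actor"`   // staff ID or service account
	Action   string    `json:"action"`  // read, update, export, delete, ...
	Subject  string    `json:"subject"` // record of the personal data owner concerned
	PrevHash string    `json:"prev"`    // hash of the preceding entry
	Hash     string    `json:"hash"`    // hash of this entry, computed over every other field
}

// genesisHash anchors the first entry; any fixed, documented value works.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditLog is an in-memory chain. Persist entries to append-only storage (or
// forward them to a write-once log service) so the chain is hard to rewrite
// and not merely easy to check.
type AuditLog struct {
	Entries []AuditEntry
}

// digest hashes every field except Hash itself. json.Marshal of a struct emits
// fields in declaration order, so the preimage is deterministic.
func digest(e AuditEntry) string {
	e.Hash = ""
	preimage, err := json.Marshal(e)
	if err != nil {
		panic(err) // strings, an int and a time.Time always marshal
	}
	sum := sha256.Sum256(preimage)
	return hex.EncodeToString(sum[:])
}

// Append records an action and links it to the previous entry.
func (l *AuditLog) Append(actor, action, subject string, at time.Time) AuditEntry {
	prev := genesisHash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.Entries), At: at, Actor: actor, Action: action, Subject: subject, PrevHash: prev}
	e.Hash = digest(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash and link and reports the first entry that has
// been altered, removed or reordered since it was written.
func (l *AuditLog) Verify() error {
	prev := genesisHash
	for i, e := range l.Entries {
		if e.Seq != i {
			return fmt.Errorf("entry %d: sequence number %d (an entry was removed or reordered)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: does not link to the preceding entry", i)
		}
		if digest(e) != e.Hash {
			return fmt.Errorf("entry %d: contents do not match the recorded hash", i)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	var al AuditLog
	t0 := time.Date(2017, 1, 2, 9, 0, 0, 0, time.UTC) // constructed timestamps
	al.Append("crm-service", "read", "user-42", t0)
	al.Append("staff-17", "update", "user-42", t0.Add(time.Minute))
	al.Append("staff-17", "export", "user-99", t0.Add(2*time.Minute))
	fmt.Println("intact chain:", al.Verify())
	al.Entries[1].Action = "read" // someone rewrites history
	fmt.Println("after editing entry 1:", al.Verify())
}
```

A chain like this makes edits and deletions inside the log detectable, but cutting off the most recent entries leaves a chain that still verifies, so the current head hash must be published somewhere the log's own administrators cannot reach (a separate log service, a regulator, a periodic signed statement). It also does nothing to stop tampering; that is the job of the append-only storage the comment mentions.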
Formal complaints procedure
A personal data owner or electronic system provider may lodge a formal complaint regarding a personal data protection breach with the Minister’s Directorate General of Information Technology Application. The Directorate General will then initiate a consensual dispute resolution process between the parties in dispute.
Such formal complaint may be lodged pursuant to:
- A failure on the part of an electronic system provider to provide written notification of a personal data breach, whether or not the breach could potentially cause loss; or
- Loss caused by a personal data protection breach because of delay on the part of the electronic system provider in providing written notification of the personal data breach.
The formal complaint must be lodged within 30 business days counting from the time when the prejudiced party discovered the personal data breach.
The official or team appointed to handle the complaint has 14 business days from the date of receipt of the complaint to state whether the complaint is complete and is supported by sufficient evidence. A complaint that is incomplete will be returned to the complainant, who will then have 30 business days to fulfil all the requirements.
Upon acceptance of the complaint, the dispute resolution process will be initiated within 14 business days. During this process, the official or team assigned to handle the complaint may recommend to the Minister that an administrative sanction be imposed on an electronic system provider that is involved, even if the dispute has yet to be resolved.
If the dispute remains unresolved, the injured party may file a civil lawsuit against the electronic system provider in the local district court. If a seizure is required, the relevant law enforcement agency may only confiscate personal data that is relevant to the case, rather than seizing the entire electronic system.
Any person or legal entity found to be in violation of the PDP Regulation will be subject to the following administrative sanctions:
- Verbal or written warning;
- Temporary suspension of business activities; and/or
- Public disclosure of the violation.
The procedures for imposing such administrative sanctions will be further provided for by the Minister.
The PDP Regulation provides a grace period of at most two years to adopt its provisions. The most significant adjustments that will need to be made are as follows:
- Preparing a Privacy Notice and Consent form;
- Encrypting personal data that is stored;
- Reporting overseas transfers of personal data to the Minister (if applicable);
- Certifying electronic systems used to manage personal data (once the necessary procedures have been put in place by the Minister);
- Establishing an internal policy for personal data protection;
- Providing an audit trail record of all activities relating to the management of an electronic system;
- Providing access to personal data owners to modify or update their personal data; and
- Designating a contact person who can be easily reached.