Indonesia - India Data Privacy and Cybersecurity Comparative Guide

This comparative guide was prepared in collaboration with Shinghania&Partners LLP, a prominent full-service law firm in India. The firm is recommended by reputed legal directories such as Chambers and Partners, Legal500, Indian Business Law Journal, Benchmark Litigation, and Asialaw Profiles across practice areas including Arbitration-Litigation, Corporate-M&A, Banking & Finance, Projects and Energy, Intellectual Property, and Employment practice. You can access the complete Comparative Guide here.

See also our previous collaboration with Clyde & Co Clasis Singapore on this topic, which can be accessed here.


Indonesia

A. Definition and Scope of Data Privacy and Cybersecurity


Data Privacy

1. Is there any specific definition of “personal data” in your jurisdiction? Do the prevailing laws provide distinction between personal data and sensitive personal data?

Personal data is defined as “a certain personal data that is stored, maintained, kept true and its confidentiality is protected” (Art. 1 (1) of Minister of Communications and Informatics (“MoCI”) Regulation No. 20 of 2016 on Personal Data Protection within the Electronic System (“MoCI Regulation 20/2016”)). However, the applicable laws and regulations on personal data protection in Indonesia do not provide any specific definition of “sensitive personal data” and are silent on these matters.

Therefore, there is no clear distinction between “personal data” and “sensitive personal data”.

2. What is the scope of “personal data” pursuant to the relevant laws and regulations in your jurisdiction?

Indonesian prevailing laws do not provide any specific scope of personal data. There are merely provisions under MoCI 20/2016 as outlined above.

The concept of data privacy is interpreted as a part of the privacy right, which, pursuant to Law No. 11 of 2008 as amended by Law No. 19 of 2016 (“EIT Law”), is defined as:

a. the right to enjoy a private life and be free from all kinds of disturbances;
b. the right to communicate with other persons (without being spied on);
c. the right to supervise the access to information on his/her personal life and data (Elucidation of Art. 26 (1) of EIT Law).

In addition to the above, Personal Data Protection Bill (“PDP Bill”) sets out a more specific scope of personal data:

  1. General personal data consists of a person’s full name, gender, citizenship, religion, and/or combined personal data to identify a person;
  2. Specific personal data, which consists of, among other things, information on a person’s health, biometric data, political view, etc. (Art. 3 (1), (2), and (3) of PDP Bill).

However, PDP Bill had not been enacted as of the publication of this comparative guide.

3. Who are the relevant stakeholders (i.e., data processor, controller, etc.) under the data protection regime in your jurisdiction?

Stakeholders of data protection under the Indonesian prevailing laws include: (i) personal data user; and (ii) Electronic System Operator (“ESO”), each of which has different obligations. Please note that the current prevailing laws and regulations for personal data protection do not specifically stipulate data processor and data controller, but merely the party collecting and processing personal data and the relevant data subject. PDP Bill, however, provides specific definitions of data processor and data controller.

With regard to ESOs, Art. 2 of Government Regulation (“GR”) No. 71 of 2019 on Administration of Electronic Transactions and Systems (“GR 71/2019”) stipulates two categories of ESOs, namely (i) public ESOs and (ii) private ESOs.

Public ESOs include state administrator agencies and other agencies as formed by virtue of laws and/or appointed by the relevant agencies. Meanwhile, private ESOs include individuals, business entities, and the public that run portals, websites, or online applications on the internet, regulated or supervised by the Minister of Communication and Informatics, and/or the institutions based on the relevant regulations.

Cybersecurity

4. Is there any specific definition of “cybersecurity” in your jurisdiction? Do the prevailing laws provide distinction between “data protection” and “cybersecurity”?

Cybersecurity in Indonesia is governed by EIT Law and GR 71/2019, but they provide no specific definitions or terms on cybersecurity itself. A bill on cybersecurity was once proposed, but it was eventually rejected and failed to be enacted in 2019.
Based on EIT Law and GR 71/2019, the general concept of cybersecurity provisions focuses on cyber incidents including prohibitions of hacking, denial of service, phishing and identity theft, as well as cybercrimes.

5. What are the subjects of cybersecurity? Does cybersecurity apply to certain industries and types of information?

The government has established an institution that oversees cybersecurity and encryption, namely the National Cyber and Crypto Agency/ Badan Siber dan Sandi Negara (“BSSN”), whose functions include, but are not limited to, identification, detection, protection, and monitoring of the implementation of technical policies regarding cybersecurity in e-commerce protection, cyber-attacks, and/or cyber incidents in Indonesia.

In addition to the above, the government stipulates protection over certain strategic information of these sectors: (i) Government Administration; (ii) Energy and Mineral Resources; (iii) Transportation; (iv) Finance; (v) Health; (vi) Information and Communication Technology; (vii) Food; (viii) Defense; and (ix) other sectors as determined by the President.

B. Governing Authority of Data Privacy and Cybersecurity


Data Privacy

6. Is there any specific government agency that oversees data privacy legislation in your jurisdiction? Please define what powers and authorities such agency has in the data privacy enforcement?

Indonesia has no specific government agency or independent body overseeing the data privacy legislation, given that neither the data privacy nor the cybersecurity bill has been passed. Considering the data privacy provisions within the scope of EIT Law and MoCI 20/2016, the enforcement of data privacy is supervised by (i) MoCI and several sector-specific authorities; (ii) BSSN; and (iii) an agency under BSSN, i.e., Indonesia Security Incident Response Team on Internet Infrastructure/ Coordination Center (Id-SIRTII).

MoCI, the main supervisory body, can be supported by Indonesian police in the enforcement of data privacy protection. There are also sector-specific authorities that supervise data protection along with MoCI, e.g., Central Bank of Indonesia for data protection in the banking sector, and the Ministry of Health in the health sector.
BSSN’s duty, function, and authority are not limited to data privacy enforcement. They cover a broader scope overseeing the overall matters under EIT Law, including cybersecurity. BSSN carries out the government’s duties in the field of cyber and crypto security, focusing on cyber resilience, and resistance against possible attacks by crime organizations on the national level, and those with private interests.

Furthermore, the duty and function of Id-SIRTII mainly focus on supporting internet growth in Indonesia through various awareness campaigns on securing technology and information systems, monitoring potential security incidents, supporting law enforcement, and providing the relevant technical support in the interests of the general public.

7. Can the data protection authority in your jurisdiction cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

MoCI 20/2016 stipulates that MoCI may coordinate with the sectoral supervision and regulatory body to (i) address complaints of data subjects for breaches of personal data protection committed by ESOs; and (ii) impose administrative sanctions for such breaches. MoCI further delegates the authority for the supervision and dispute settlement to the Directorate General of Informatics Application/ Direktorat Jendral Aplikasi Informatika (“Ditjen Aptika”).

In this regard, MoCI and BSSN may work with other relevant authorities, for instance, Indonesian police and the intelligence service agencies (i.e., the State Intelligence Agency/ Badan Intelejen Negara (BIN) and the Strategic Intelligence Agency/Badan Intelejen Strategis (BAIS)).

Cybersecurity

8. Is there any specific government agency that oversees cybersecurity legislation in your jurisdiction? Please define what powers and authorities such agency has in the cybersecurity enforcement?

Cybersecurity in Indonesia is supervised by MoCI, BSSN, and Id-SIRTII.

9. How does the cybersecurity authority cooperate with Data Protection Office (“DPO”)? Does your jurisdiction provide certain guidelines for this matter?

Indonesia has yet to establish a specific, independent office in charge of Data Protection. However, MoCI Regulation 20/2016 requires the appointment of a person-in-charge that can be contacted by the relevant personal data owners regarding the management of their personal data.

Although appointing a DPO is not currently a requirement, please note that Art. 45 of PDP Bill obliges any data controller or processor to appoint a DPO. This obligation applies to any data controller or processor: (i) who works on data processing to provide public services; (ii) whose main activity requires large-scale, frequent, and systematic monitoring of personal data; and (iii) whose core activity includes processing specific personal data on a large scale, and/or processing personal data related to criminal activity.

C. Regulatory Framework and Registration


Data Privacy

10. What are the applicable laws and regulations that govern data privacy and personal data protection in your jurisdiction? Please identify further laws on data protection in specific sectors, if any.

Data privacy and personal data protection are governed under the following laws and regulations:

  1. EIT Law;
  2. GR 71/2019;
  3. GR No. 80 of 2019 regarding Trading through Electronic System; and
  4. MoCI Regulation 20/2016.

MoCI Regulation 20/2016 also stipulates that a data owner reserves the right to file a lawsuit for a breach of his/her personal data, in accordance with Art. 1365 of Indonesia’s Civil Code/Kitab Undang-Undang Hukum Perdata regulating that any person violating the law is liable for any losses caused by his/her action. The enforcement of data protection refers to Indonesia’s Criminal Code/ Kitab Undang-Undang Hukum Pidana for the criminal sanction.

Other sector-specific legislation also governs data privacy and personal data, including in the banking, health, and capital market sectors, under:

  1. Law No. 36 of 1999 on Telecommunications as amended by Law No. 11 of 2020 on Job Creation;
  2. Law No. 10 of 1992 on Banking as amended by Law No. 10 of 1998;
  3. Law No. 8 of 1995 on Capital Market;
  4. Law No. 36 of 2009 on Health; and
  5. Law No. 14 of 2008 on Disclosure of Public Information.

11. Are there any exemptions under the data privacy and personal data protection rules in your jurisdiction?

The prevailing laws and regulations do not provide any exemption with respect to the mandatory registration of ESO.

12. Do the data privacy applicable laws and regulations apply extraterritorially? If yes, how do DPO and the government exercise such duties?

Yes. Art. 2 of EIT Law explicitly states that it applies extraterritorially, including to foreign legal subjects regardless of their presence in Indonesia. Therefore, any legal action regarding data protection carried out outside the jurisdiction of Indonesia by Indonesian citizens or legal entities, or foreign citizens or legal entities that have legal consequences in Indonesia shall be subject to EIT Law. Furthermore, Article 50 of PDP Bill also provides that the Indonesian PDP laws shall be applicable to any breach of personal data protection occurring domestically or abroad.

The provision was built on the concept that the misuse of information technology for electronic information and transactions might, in the future, threaten and harm the interests of Indonesia, which might be detrimental to the nation’s (i) economic interests, (ii) protection of strategic data, (iii) dignity, (iv) defense and state security, (v) sovereignty and citizens, and (vi) legal entities. Given that the authority over the DPO has yet to be established, MoCI shall be the authority that oversees and is responsible for coordinating with the ESOs in cross-border personal data transmissions.

13. Is the registration of data controllers and processors mandatory in your jurisdiction? If yes, how is the registration procedure completed, and what are the consequences for failing to conduct the registration?

In general, Indonesia’s prevailing regulations do not specifically distinguish a data controller from a data processor. Both are recognized as ESOs. Pursuant to GR 71/2019, any public or private ESO, located onshore or offshore, is obliged to conduct ESO registration to MoCI (“ESO Registration”) through the OSS system prior to conducting any business activity.

The required documents for ESO Registration are (i) a registration form including the corporate documents, the company’s tax identification number, and a contact person; and (ii) supplemental documents, i.e., general information regarding the electronic system, including the system’s profile, website URL, IP address, descriptions of the system’s functions and business process, and the ESO’s statement of willingness to protect personal data.

Failure to comply with the mandatory ESO registration will be subject to administrative sanctions in the form of warning letters, administrative fines, temporary suspension, access termination, and/or removal from MoCI’s list.

Cybersecurity

14. Are there any specific laws and regulations that govern cybersecurity for data privacy and personal data in your jurisdiction?

As outlined in Points 4 and 5 above, Indonesia has no specific regulation on cybersecurity for data privacy and personal data. But EIT Law, GR 71/2019, and MoCI Regulation 20/2016 stipulate general provisions on data protection, including cybersecurity for data privacy and personal data.

15. Is there any specific threshold on the number of personal data subjects that requires a certain level of cybersecurity system?

There is no specific provision regarding this matter.

D. Data Processing


16. What are the recognized, legitimate grounds of personal data processing in your jurisdiction?

The lawful basis for personal data processing in Indonesia is to obtain consent from the relevant data subject. Such data processing should be carried out in accordance with the specific purposes, expressly elaborated during the data obtainment. Therefore, the use of electronic information involving any personal data must be made with the approval of the relevant person and only for the specified purposes.

Nevertheless, there are certain exceptions where the lawful basis may be waived if: (i) the disclosure of personal data is for law enforcement purposes; and (ii) the personal data interception is for the legitimate interest of the ESO as the data controller. The laws allow the legitimate interest basis as long as the relevant ESO adheres to the prevailing laws and regulations.

17. What are the key requirements (such as notification or consent from the personal data subject) when processing personal data in your jurisdiction?

Please refer to our response in Point 16 above.

18. Are there other requirements, restrictions, and best practices that should be considered when processing personal data in your jurisdiction?

As outlined in Point 16 above, the purposes of data processing shall be restricted and clearly expressed during the time of data collection. Therefore, ESOs are not allowed to process any data that is not in the scope of processing purposes stated in the data subject’s consent form.

In addition, GR 71/2019 stipulates that the management, processing, and/or retention of the electronic system and data for ESO in the public sector shall be done within the Indonesian territory. The exemption of this provision is available if the required retention technology is not available domestically. This clearly provides that any data processing done by a Public ESO is still subject to the data onshoring requirements.

Another provision worth considering is the Personal Data retention period. MoCI Regulation 20/2016 stipulates that the retention period of personal data is five years. In this instance, any obtained data should be retained for, at least, five years, from the last date it is used by the data subject.

E. Data Transfer


19. What are the requirements that apply to a transfer of data to third parties?

There is no specific requirement on this matter. However, it is important to note that a transfer of personal data is prohibited without the consent of the data subject.

20. Are there restrictions that apply to a transfer of data abroad? Are there any exemptions on this matter?

MoCI Regulation 20/2016 requires any cross-border transfer of personal data to fulfill the following requirements:

  1. Submission of a notification regarding the intended transfer of Personal Data abroad, containing, at least, information on: (i) the country of destination; (ii) the name of the recipient; (iii) the date of transfer; and (iv) the purpose of transfer;
  2. A request for advocacy, if required; and
  3. Submission of a report on the result of such cross-border transfer.

Additionally, no personal data may be transferred abroad unless the receiving country has been declared to have the equivalent protection standard by the Minister of Trade.

21. Do the prevailing law and regulations on cybersecurity provide certain requirements for a local data transfer? If yes, do they require certain methods or procedures for a data transfer?

We note that no certain methods or procedures specifically apply to local data transfers apart from the principles discussed in Points 19 and 20 above.

F. Rights of Data Subject


22. What are the rights of data subject in connection to personal data processing? Are there any exemptions to such rights? Please elaborate.

The rights of a data subject pursuant to Art. 26 of MoCI Regulation 20/2016 are as follows:

  1. the right to confidentiality of his/her personal data;
  2. the right to access data alteration, supplementation, as well as renewal. This right should include access to the historical record of his/her personal data already transferred to the ESO;
  3. the right to delisting, a data subject exercising this right is required to submit a petition to the relevant district court. If the petition is granted, the court decision should become the basis to request a delisting of the irrelevant electronic information and/or document to the ESO (under GR 71/2019);
  4. the right to request the erasure of his/her personal data; and
  5. the right to file a complaint in the dispute settlement for the failure to get the needed protection to maintain the confidentiality of his/her Personal Data.

In addition to the above, PDP Bill also provides that the personal data controller must ensure the implementation of the “right to be forgotten”.

23. Is there any procedure for data subjects to exercise their rights in your jurisdiction?

There is no specific procedure under the prevailing laws, but there are legal provisions as discussed in this article.

24. What remedies are available to data subjects in case of a breach of their rights?

EIT Law provides the right for a data subject to file a claim for monetary damages against the relevant ESOs by providing evidence of the actual damages due to the security breach that occurred.

G. Data Protection Officer


25. Is the appointment of a Data Protection Officer (“DPO”) mandatory in your jurisdiction? If yes, what are the consequences of failing to appoint the officer?

The prevailing laws do not stipulate mandatory appointment of a DPO, nor consequences for failing to conduct such appointment. The laws, however, require ESOs to provide accessible contacts to data subjects. The term DPO was introduced in PDP Bill.

26. What are the key responsibilities of a DPO in your jurisdiction?

The current prevailing laws do not stipulate this matter, given that PDP Bill has not been passed. Nonetheless, PDP Bill provides the following key responsibilities of a DPO:

  1. informing and advising the personal data controller or processor to comply with the prevailing laws and regulations;
  2. supervising and ensuring the relevant data controller’s or processor’s compliance with PDP law and the privacy policy related to the assignment, including taking the responsibility, raising the awareness, providing the training for the related parties in the personal data process, and conducting the audit;
  3. providing the advice in the evaluation on the impact of personal data protection, and monitoring the performance of the personal data controller and/or processor; and
  4. coordinating the relevant stakeholders and acting as the liaison officer in managing issues related to personal data processing, including providing the consultancy on risk mitigation and/or other matters.

H. Data Breach


27. Is it mandatory to provide a notification in the event of a data breach? If yes, who must be notified (i.e., the data protection authority, the data subject, etc.) and what kind of information must be provided?

Indonesian prevailing laws and regulations require an ESO experiencing a data breach to immediately notify the relevant personal data subject and authorities, then go through the process detailed below:

  1. Relevant Authorities: An ESO experiencing a data breach is obliged to notify the owner of the leaked data, and later on, file a complaint to the Directorate General of Informatics Application of MoCI. This complaint is intended to resolve a possible dispute caused by the data breach.
  2. Personal Data Subject: The notice of breach to the Data Subject should include the following information:
  • the reasons and causes of the data breach;
  • the notice of breach can be submitted electronically provided that the Data Subject has agreed to such submission method during the collection of his/her Personal Data;
  • the confirmation that the Data Subject will receive a report if the data breach leads to a potential loss; and
  • the written report submitted to relevant Data Subject within 14 days after the occurrence of the breach.

28. Are companies required to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industries or other stakeholders? If yes, what kind of information must be shared?

No requirements have been imposed on companies in this sense. The prevailing laws only require the ESOs to notify the relevant parties in the event of data breaches as explained in Point 27.

29. How would a breach of data protection be handled by the authority? Can such breach lead to administrative sanctions or criminal penalties?

Administrative and criminal sanctions can be imposed on persons committing unlawful acts, which include, but are not limited to, all activities carried out in bad faith that violate the provisions of the prevailing laws and regulations on data protection and cybersecurity. These sanctions are regulated by EIT Law and other relevant regulations.

The applicable administrative sanctions are as follows:

a. MoCI Regulation 20/2016 provides the following sanctions:

  1. verbal warnings;
  2. written warnings;
  3. suspension of business activities; or
  4. announcement of the breacher in MoCI’s website.

b. GR 71/2019 provides the following sanctions:

  1. written warnings;
  2. administrative penalty;
  3. suspension of business activities;
  4. termination of access to the electronic system; or
  5. expulsion of the relevant platform as registered ESO.

In addition to the above, criminal sanctions in the form of fines and/or imprisonment are also applicable:

  1. fine of IDR 600,000,000 (six hundred million rupiah) to IDR 800,000,000 (eight hundred million rupiah), and/or 4 to 8 years imprisonment for unlawful access;
  2. fine of IDR 800,000,000 (eight hundred million rupiah) to IDR 1,000,000,000 (one billion rupiah), and/or 6 to 10 years imprisonment for illegal interception or wiretapping of transmission;
  3. fine of IDR 2,000,000,000 (two billion rupiah) to IDR 5,000,000,000 (five billion rupiah), and/or 8 to 10 years imprisonment for unlawful alteration, addition, reduction, transmission, tampering, removal, transfer or concealment of electronic information or record; and
  4. fine of IDR 10,000,000,000 (ten billion rupiah) to IDR 12,000,000,000 (twelve billion rupiah), and/or 10 to 12 years imprisonment for unlawful manipulation, creation, alteration, destruction, or damage of electronic information or document with a purpose of creating a certain assumption or conducting other violations in the processing of electronic information or documents.

30. What other requirements, restrictions, and best practices should be considered in the event of a data breach?

The government of Indonesia is aiming to complete the enactment of PDP Bill soon. When the bill is enacted into law, stricter provisions on Personal Data Protection and cybersecurity will be enforced. PDP Bill is expected to provide a more comprehensive guideline for personal data protection practitioners.

We still have to wait and see whether PDP Bill will have further changes prior to its enactment.


The above Comparative Guide was prepared by Marshall S. Situmorang (Partner) and Audria Putri (Senior Associate)

Disclaimer: The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances.