Indonesia Fintech and Personal Data Protection: Code of Ethics on Personal Data Protection and Data Privacy in Fintech Sector
Technology has stormed aspects of our society to the core of living. It creates a new substantial force of disruption, which provides a different perspective on how technology co-exists in every aspect of our lives. Our economic, social, and cultural aspects have become more integrated and inclusive. In the age of artificial intelligence, it is important to note that emerging technologies are embedded in data, as evidenced by the emergence of Internet of Things (IoT) together with its penetration into various sectors. As a result of this disruption, economists now consider data as the “new oil”, which serves as a beneficiary to either common good or criminality.
Although the value of data is a contested topic, crucial sectors such as the financial technology ("fintech”) has seen the significant impact. With the heavy use of data processing, processing personal data, varying from general data such as name and email address, to sensitive data such as financial information risks the negative impact of data inclusion with the rising of various issues such as cybercrime, blackmail, and identity theft. To counter these issues, it is essential that every fintech business actor implements personal data protection.
Personal data protection always becomes the topic of discussions among fintech business actors and regulators in Indonesia. In this regard, the Financial Services Authority (Otoritas Jasa Keuangan or “OJK”), the government agency responsible for regulating Indonesia’s financial services such as Digital Financial Innovation (Inovasi Keuangan Digital or “IKD”), has officially appointed the Indonesia Fintech Association (Asosiasi Fintech Indonesia or “AFTECH”) to address personal data protection in the financial services sector. For the purpose, AFTECH issued the Code of Ethics on Personal Data Protection and Data Privacy ("Code of Ethics”) in November 2021.
In this article, we provide the summary of AFTECH’s Code of Ethics on the: (i) legal basis and definitions; (ii) general principles on regulating personal data; (iii) rights of the data owner and obligations of the controller; (iv) data processing mechanism; (v) dispute resolution; and (vi) concluding remarks.
Legal Basis and Definitions.
The formulation of Code of Ethics is based on the provisions of the prevailing laws and regulations on personal data protection and electronic system transaction, particularly, Regulation of the Minister of Communication and Informatics Number 20 of 2016 on Personal Data Protection in Electronic Systems ("MoCI Reg. 20/2016”) and Government Regulation Number 71 of 2019 on Implementation of Electronic Systems and Transactions ("GR 71/2019”).
The Code of Ethics includes added definitions on personal data subjects and processing, while MoCI Reg. 20/2016 generally follows data characterization under the European Union’s General Data Protection Regulation ("GDPR”). These are the additional definitions of personal data under the Code of Ethics:
- Personal data controller: a party that determines the purpose of, and controls personal data processing ("Controller");
- Personal data processor: a party that processes personal data on behalf of the Controller ("Processor”); and
- Personal data processing includes the collection, storage, utilization, processing and analysis, repair and renewal, display, announcement, transfer, disclosure, and/or erasure of personal data. All processes and processing activities can be done as long as they are related to the personal data, and interpreted within the scope.
General Principles on Regulating Personal Data
The Code of Ethics establishes the general principles ("General Principles”) on personal data governance, namely:
Lawfulness, Fairness, and Transparency: It is mandatory that the processing of personal data is based on a clear legal basis. Such processing must be in accordance with the purpose, it must be appropriate, and it will not harm the personal data owner. These principles require each AFTECH member to develop a privacy policy that complies with the standard personal data protection principles as stipulated in the prevailing laws and regulations, and notify the users on any changes in it. Moreover, these principles apply when any member of AFTECH processes personal data without the owners’ consent for other “legitimate interests”, which scope must comply with the following rules:
- such interest must refer to the legitimate legal basis of the purpose of data processing;
- such interest must be necessary in the utilization and processing of personal data to achieve the purpose; and
- the implementation of the legitimate interests should not override/terminate/harm the rights and principles of freedom of the personal data owner.
Data Minimisation: Personal data processing by AFTECH members must be based on the pre-determined purposes and consent of the personal data owners. In other words, all related issues shall be previously communicated to, and consented by the personal data owners. Furthermore, AFTECH members must perform data deletion if the data is no longer relevant or necessary for achieving the purpose of data collection, based on the prevailing laws and regulations on data retention in each respective fintech sector.
Accuracy: AFTECH members must maintain the accuracy of the personal data obtained from the owner. To maintain such accuracy, AFTECH member shall:
- further clarify and confirm the personal data to the owner, or do other relevant mechanism based on the prevailing regulations in each respective fintech sector.
- record all data processing activities in (electronic or non-electronic writing or inscription, containing all highly important information regarding personal data processing.
Integrity and Confidentiality: Although there are no specific measures in this regard, AFTECH members are entrusted to take practicable and responsible methods to protect personal data. They are required to, among other things, execute a non-disclosure agreement regarding personal data protection with third parties, ensure the legal engagement in business-to- business collaborations, ensure that the processor only processes personal data as approved by the owners, set appropriate limited liabilities for third parties, and supervise parties involved in the data processing.
Accountability: In this principle, every personal data processing by AFTECH members must:
- be conducted responsibly and in compliance with the prevailing laws and regulations;
- have internal socialization of the privacy policy to ensure that the employees understand and comply with said policy;
- provide special communication channel for the owners to inquire about the use of their data, and obtain a Data Protection Officer (“DPO”) in the form of a unit/function/individual responsible for personal data processing and communicating with regulators on violation or failure of data protection.
Good Intention: AFTECH members are obligated to act in good faith for the personal data owners (i.e., have a clarification mechanism in case of a violation of personal data protection). Such mechanism shall be independently established by each AFTECH member, and contain, at least, the process flow of receiving the reports from the personal data owners. It means that the AFTECH member has to provide the data owner with the evidence, follow-up reports (on the agreements, mediation, or other agreed actions), a certain settlement period, and a communication method related to clarification.
Rights of the Data Owner and Obligations of the Controller
The Code of Ethics also stipulate the rights of the data owner and obligations of the controller.
Under the prevailing laws, a data owner has the rights to:
- have confidentiality and security over his/her own personal data;
- submit a complaint for failing to receive adequate protection over his/her personal data;
- have access to amend or renew his/her personal data;
- have access to obtain the record of his/her personal data processing; and
- request erasure of his/her personal data.
On the other hand, a Controller is obligated to:
- secure the confidentiality of personal data;
- utilize the personal data based on the appropriate necessity and consent of the data owner;
- protect and secure the personal data against unwanted actions; and
- responsible for the personal data, in the event of any breach or misuse of the relevant personal data.
Data Processing Mechanism
The Code of Ethics emphasizes the importance of consent granted by the personal data owner as the basis of data processing. The consent should be in the form of clear notification on the request of AFTECH member to collect the personal data of the owner.
These are examples of valid approvals based on the prevailing laws and regulations:
- an electronic or other forms of written signature or tick of the personal data owner indicating his/her approval;
- an electronic or other forms of written signature or tick of the person legally authorized by the personal data owner to give the consent.
Consents must be in Bahasa Indonesia, or at least, in dual-language format;
In terms of data processing (including profiling), AFTECH members can make automatic decision or processing, provided they follow the General Principles. However, a data owner may object the actions of AFTECH members who make decisions on data processing based solely on automated decision-making for profiling. Therefore, it is necessary for AFTECH members to have a certain, including compensation, mechanism for receiving and following up objections submitted by personal data owners.
In processing the personal data, AFTECH members can also implement anonymity and pseudonym for certain purposes as long as it does not conflict with the purpose of personal data processing by ensuring the security of the anonymous and pseudonymous processes.
Furthermore, a personal data owner has the right to request the relevant AFTECH member to stop processing his/her personal data. In such event, the AFTECH member must explain the consequences of terminating the process to the personal data owner, if the cessation is carried out within the previously agreed usage period. Moreover, the AFTECH member must cease the process in no later than 3x24 hours after receiving the request, or in accordance with the applicable laws and regulations.
Dispute Resolutions
The Code of Ethics includes a dispute resolution mechanism in the event of violations or failure of personal data protection involving the personal data owner and the controller. AFTECH shall review the evidence of dispute, and notify the Ministry of Communication and Informatics ("MoCI”), Bank of Indonesia ("BI”) and/or OJK, and the relevant personal data owner. If based on the evidence, the violation of personal data protection exists, AFTECH may offer dispute resolution such as mediation between the claimant and AFTECH member, or recommend BI and OJK on the possible steps to manage the dispute.
Concluding Remarks
With the appointment of AFTECH as the independent regulatory agency for personal data protection in, particularly, the fintech sector in Indonesia, and the issuance of the Code of Ethics, we note that there is a significant shift towards the data protection laws to conform with GDPR standard. This is evidenced by the incorporation of new definitions (i.e., on Controller and Processor) as stipulated under GDPR. In conclusion, we trust that the Code of Ethics would give positive impacts on personal data protection in Indonesia.
The article above was prepared by Marshall S. Situmorang (Partner) and Audria Putri (Senior Associate).