Personal Data Protection: FAQ On The Implementation Of Electronic Direct Marketing In Indonesia

Electronic direct marketing has been widely implemented in Indonesia, whilst at the same time, public awareness of personal data protection has risen in recent years. Electronic direct marketing utilizes personal data collected through various means for the commercial and marketing purposes of certain parties. Although this practice does not contravene the prevailing personal data protection regulations, there are many aspects that should be considered and requirements that need to be complied with, particularly on data collection and consent.

Below are the Frequently Asked Questions regarding electronic direct marketing, which we have prepared based on Indonesia's prevailing laws and regulations on personal data protection.

1. What are the legal frameworks for data protection in Indonesia, particularly for electronic direct marketing activities?

There is no specific regulation which governs electronic direct marketing activities. Such activity is, however, subject to personal data protection provisions that are stipulated under various regulations, such as:

  1. Law No. 11 of 2008 on Electronic Information and Transaction, as amended by Law No. 19 of 2016 ("Law 11/2008");
  2. Government Regulation ("GR") No. 71 of 2019 on the Operation of Electronic System and Transaction ("GR 71/2019");
  3. Minister of Communication and Informatics ("MoCI") Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ("MoCI Reg 20/2016"); and
  4. MoCI Regulation No. 5 of 2020 on Private Electronic System Providers ("MoCI Reg 5/2020").

(together, the "Personal Data Protection Regulation")

In addition to the Personal Data Protection Regulation, electronic direct marketing is also subject to the following regulations:

  1. Law No. 8 of 1999 on Consumer Protection ("Law 8/1999");
  2. GR 80 of 2019 on Trading through Electronic System ("GR 80/2019");
  3. Minister of Trade Regulation No. 50 of 2020 on Terms of Business Licensing, Advertising, Development, and Supervision of Business Actor in Trading through Electronic System ("MoT Regulation 50/2020"); and
  4. Financial Service Authority/Otoritas Jasa Keuangan ("OJK") Regulation No. 1/POJK.07/2013 of 2013 as partially amended by OJK Regulation No. 31/POJK.07/2020 of 2020 on Organization of Consumer and Public Services by the OJK within the Financial Service Sector ("OJK Regulation 1/POJK.07/2013").

Furthermore, the Indonesian government completed a bill on personal data protection ("PDP Bill") in 2020, which is being finalized by the House of Representatives/Dewan Perwakilan Rakyat and is currently planned to be enacted. The PDP Bill also contains provisions that are relevant to electronic direct marketing activities.

2. What is the scope of personal data processing in connection with direct marketing activities?

Personal data is defined as:

"any data on a person which is identified and/or may be identified individually or jointly with other information both directly and indirectly through an electronic and/or non-electronic system" (Art. 1 point 29 of GR 71/2019).

The Personal Data Protection Regulation requires any personal data processing (including direct marketing activities) to be carried out lawfully upon an appropriate legal ground (i.e., consent or the legitimate interest of the data controller and/or data owner (Art. 14 (3) and 14 (4) (f) of GR 71/2019)). Legitimate interest of the personal data controller, in this context, means that the processing of personal data carried out by a data controller can be made without prior consent from the data owner, provided that such processing is within the permitted activities under the prevailing laws and regulations.

Applicable Exceptions for Direct Marketing Activities: Notwithstanding the above provisions, specifically for financial service providers, OJK strictly prohibits any financial service provider from making direct marketing communications without the customers' prior consent (Art. 19 of OJK Regulation 1/POJK.07/2013).

Given that consent is extensively emphasized in personal data protection and that the scope of legitimate interest is unclear, it is always advisable for business owners to acquire lawful, specific consent from their customers prior to carrying out any direct marketing activities towards such customers.

3. Are there any restrictions applicable to electronic direct marketing communication in Indonesia?

In general, any business may carry out direct electronic marketing activities as long as it complies with the relevant prevailing laws and regulations. In addition, all businesses must ensure that their marketing activities are valid and shall not disturb the personal data owner in any way (Art. 44 of GR 71/2019).

Furthermore, Art. 19 (2) of MoT Regulation 50/2020 requires all electronic advertisements to fulfill the following:

  1. It shall not deceive the consumers on quality, quantity, material, utility and price of goods and/or fee of services, as well as the expected time of arrival;
  2. It shall not mislead as to the guarantee/warranty of goods and/or services;
  3. It shall not contain untrue, false, or inaccurate information;
  4. It shall include the risk of products and/or services utilization;
  5. It shall not exploit an event and/or a person without consent of the relevant party; and
  6. It shall provide a clear exit function (e.g., close or skip button) on the displayed electronic advertisement.

The above stipulation is in line with the requirement set out in Art. 17 of Law 8/1999, which additionally requires all advertisers to comply with the advertisement code of ethics (ACE) as issued by the Indonesian Advertising Council.

4. Does the electronic marketing restriction also apply extraterritorially?

Yes, the applicable restrictions as noted on point 2 above shall apply extraterritorially to direct marketing that is sent from outside of Indonesia, due to the requirement under Law 11/2008 (please refer to Art. 2 of Law 11/2008 and its elucidation).

It is important to note that Law 8/1999 applies to all businesses that carry out activities (including marketing actions) within Indonesian jurisdiction, regardless of whether such business has a legal presence in Indonesia.

5. What agencies are responsible for data protection in Indonesia? Is there any authority that is specifically responsible for the enforcement of direct marketing restrictions?

In general, the authority that is responsible for data protection in Indonesia is MoCI. Additionally, individuals can also file a complaint about any improper electronic advertisement activities with the relevant advertisers and/or the Directorate General of Consumer Protection and Trade Order under the Ministry of Trade.

On a related note, consumers can also file complaints to the Indonesian Consumer Protection Foundation/Yayasan Lembaga Konsumen Indonesia (YLKI) and/or the Indonesian Advertising Council for non-electronic marketing materials.

6. Are there any applicable penalties for the breach of data protection on direct marketing activities?

Any breach of data protection on direct marketing activities may be subject to administrative sanctions, among others, verbal warning, written reprimand, and suspension of activities. Furthermore, if applicable, such a breach can also be subject to criminal and civil liabilities.


The article above was prepared by Marshall S. Situmorang (Partner), Audria Putri (Senior Associate), and Aniendita Rahmawati (Associate)

Disclaimer: The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances. For more information, please contact us at mail@nusantaralegal.com.