There is a positive development in data privacy protection in Indonesia, due to the issuance of a draft Ministerial Regulation on Data Protection (Draft Regulation) by the Ministry of Communications and Informatics of the Republic Indonesia (MOCI). This Draft Regulation was prepared as one of the implementing regulations of Law No 11 of 2008 on Electronic Information and Transactions (EIT Law) and Government Regulation No 82 of 2012 on the Implementation of Electronic Systems and Transactions (GR 82). In October 2015, the government also issued a draft Data Protection Law (Draft Law).
Until now, there is no confirmation on the issuance date of both the Draft Regulation and Draft Law.
In general, the Draft Law is aimed at bringing Indonesia in line with some other jurisdictions when it comes to protecting data privacy, which should be essential since, until now, there is no law and regulation in Indonesia specifically regulating data privacy issues.
The Draft Law contains a definition of "personal data" which includes data of a person's life that can be identified automatically or combined with other information through electronic or non-electronic systems. It also specifically regulates that all data such as religion/belief, health, physical and mental condition, sex life and financial information is deemed as "sensitive personal data".
Moreover, according to the Draft Law, personal data operators are prohibited from transferring personal data to other countries unless the receiving country has personal data protection measures consistent with the Draft Law. This does not apply if (i) there is a contract between the personal data operator and the offshore data receiver; or (ii) there is a bilateral agreement.
The personal data operator must secure consent before transferring the data, and the data receiver cannot use the personal data except for the use that the data owner has consented to. The personal data operator must also notify the data owner in case of a merger, spin-off, consolidation or other business transactions that may affect the implementation, management or transfer of personal data.
Under the Draft Regulation, electronic system operators that will make cross-border data transfers must first coordinate with the MOCI on the transfer plan and the results of the transfer activities. Moreover, if anyone wishes to show, publish, send or disseminate personal data, or open the access to its electronic system to the public, such personal data should be derived from an electronic system dedicated to public service.
The Draft Regulation also provides time requirements for personal data storage, which is five years at minimum, in the absence of laws regulating data storage in relevant business sectors.
|
|
Daru Lukiantono |
Wiku Anindito |
Hadiputranto, Hadinoto & PartnersThe Indonesia Stock Exchange Building, Tower II, 21st FloorSudirman Central Business DistrictJl. Jendral Sudirman Kav 52-53Jakarta 12190, IndonesiaTel: +62 21 2960 8888Fax: +62 21 2960 8999www.hhp.co.id