Global Data Privacy Guide
Indonesia (Asia Pacific)
Firm: ABNR Counsellors At Law
Contributors: Agus Deradjat
What is the key legislation? | As Indonesia has yet to issue a specific law on data and privacy protection, the rules remain fragmented across several sectoral laws and regulations. However, Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 (“EIT Law”), and its implementing regulations are considered the umbrella regulations for the management of personal data and apply to the operation of electronic systems in any field of business. On October 10, 2019, the Indonesian government issued Government Regulation No. 71 of 2019 on Electronic Systems and Electronic Transaction Provision (“GR 71/2019”), which sets out general rules and requirements for the operation of electronic systems and also regulates the processing of personal data by electronic system operators. GR 71/2019 only provides general provisions on personal data protection, which we understand are heavily influenced by the European Union’s General Data Protection Regulation (“GDPR”); the technical requirements on personal data protection therefore remain subject to the sectoral regulations applicable to each type of business. GR 71/2019, along with Minister of Communication and Information Technology (“MCIT”) Regulation No. 20 of 2016 on Protection of Personal Data in an Electronic System (“Regulation 20/2016”) and MCIT Regulation No. 5 of 2020 on Electronic System Operators in Private Scope, as amended by MCIT Regulation No. 10 of 2021 (“Regulation 5/2020”), are the implementing regulations of the EIT Law. They emphasize the importance of obtaining express consent for the use of any information through electronic media that involves personal data, unless provided otherwise by the relevant laws and regulations.
Regulation 5/2020 further regulates Electronic System Operators (“ESOs”) in private scope (“Private ESOs”) in any field of business and imposes additional data protection measures. Note: In addition to the EIT Law and its implementing regulations above, the following regulations relating to privacy and data protection apply to specific fields of business (e.g., trade and industry, including the banking sector, the telecommunications sector, and the medical services sector):
Under Article 29 (1) of Law No. 39 of 1999 on Human Rights (“Human Rights Law”), everyone has the right to protection of his privacy, family, honor, dignity and rights of ownership. Furthermore, Article 32 of the Human Rights Law states that freedom and confidentiality in communication, including via electronic telecommunications, may not be interfered with, except upon the order of a court or other legitimate authority according to the prevailing laws and regulations.
As provided under Article 40 of Law No. 7 of 1992 on Banking, as amended several times, last by Law No. 11 of 2020 on Job Creation (“Banking Law”), banks in Indonesia are prohibited from disclosing information regarding their customers to third parties, except under certain conditions explicitly set out in the Banking Law, such as for taxation purposes, debt settlements delegated to the Debt and Auction Affairs Agency, criminal proceedings, civil lawsuits between the bank and its customer, interbank information exchange, and inheritance. In the financial services sector, pursuant to Article 31 of Financial Services Authority (“Otoritas Jasa Keuangan” or “OJK”) Regulation No. 6/POJK.07/2022 on Consumer Protection in the Financial Services Sector (“Regulation 6/2022”), financial services providers are prohibited from providing third parties with data and/or information on their own consumers except where (i) the consumer concerned has given his/her/its written approval for such purpose; and/or (ii) the provision of the data and/or information is required under the prevailing regulations. Further, under Bank Indonesia Regulation No. 22/20/PBI/2020 on Bank Indonesia Consumer Protection (“Regulation 22/2020”), providers of payment system services must keep consumers’ data and/or information confidential, and to do so must adopt and implement policies on the protection of consumer data and/or information. Article 33 of Regulation 22/2020 also stipulates that providers are prohibited from disclosing consumer data and/or information to other parties, except where the provider has obtained prior written approval from the consumer and/or the disclosure is required by the prevailing laws and regulations. Regulation 22/2020 defines a “provider” as a bank or non-bank institution that conducts activities regulated and supervised by Bank Indonesia (“BI”) whose products and/or services are used by consumers.
Regulation 22/2020 also limits the payment system services to the following fields: (i) issuance of instrument for funds transfer and/or withdrawal; (ii) transfer of funds; (iii) payment instrument via card; (iv) electronic money; (v) provisioning and/or depositing Rupiah; and (vi) other payment system operations as regulated under BI’s rules. Additionally, BI Regulation No. 23/6/PBI/2021 on Payment System Provider (“Regulation 23/2021”) further regulates data processing and/or information related to the payment system, Payment System Provider (“PJP”) and parties cooperating with PJP. Regulation 23/2021 requires that PJP and parties cooperating with PJP must:
Note: ‘PJP’ is defined as a bank or a non-bank institution that provides services to facilitate payment transactions to service users.
Article 42 (1) and (2) of Law No. 36 of 1999 on Telecommunications, as amended by Law No. 11 of 2020 on Job Creation (“Telecommunications Law”) requires a telecommunications service operator to keep confidential the information transmitted and/or received by a telecommunications services subscriber through telecommunications networks and/or telecommunications services that it is providing, except for the purposes of criminal proceedings.
Article 57 of Law No. 36 of 2009 on Health, as last amended by Law No. 11 of 2020 on Job Creation (“Health Law”), provides that every person has the right to confidentiality of the personal health condition he/she has disclosed to health care providers, except in certain conditions in which the confidentiality requirement is exempted. Further, under Regulation of the Minister of Health No. 269/MENKES/PER/III/2008 of 2008 on Medical Records (“Medical Records Law”), information about the patient's identity, diagnosis, medical history, examination history and treatment history must be kept confidential by doctors, dentists, certain health personnel, management officers and leaders of health service facilities. In general, medical records are subject to a minimum retention period of five years (for hospitals) or two years (for non-hospital medical services providers). Additionally, Law No. 36 of 2014 on Medical Workers (“Medical Workers Law”) requires Medical Workers to maintain the confidentiality of medical records.
Pursuant to Article 2 (4) of Law No. 14 of 2008 on Public Information Disclosure (“Public Information Disclosure Law”), certain information is exempted from mandatory disclosure, which includes the personal data of a person.
Law Number 23 of 2006 on Demographic Administration as amended by Law No. 24 of 2013 (“Demographic Administration Law”) requires all Implementing Agencies and Providers of demographic administration to maintain the confidentiality of citizens’ personal data, in accordance with the laws and regulations.
As per Article 47 (1) of Law No. 8 of 1981 on Criminal Procedure (“Criminal Procedure Law”), an investigator has the right to retrieve/open, examine and confiscate other documents sent through the post and telecommunications office, communications or transportation agency or enterprise, if the objects concerned are, for a good reason, suspected of having a connection with a criminal case currently being examined, with special approval issued for such purpose by the head of the district court.
Under Article 1 of Government Regulation No. 80 of 2019 on E-Commerce (“GR 80/2019”), e-commerce is defined as domestic and international transactions of goods or services conducted through a series of electronic devices and procedures. Any domestic and/or foreign undertaking engaged in e-commerce business activities is considered the personal data controller and, in that capacity, is required to adopt personal data protection standards in line with evolving business practices. If the owner of the personal data states that he/she is leaving, stops subscribing to or stops using the e-commerce services and facilities, the owner of the personal data has the right to request that the undertaking delete all of his/her personal data, and the undertaking must delete all the personal data concerned from the system it manages. |
What data is protected? | The types of data that are subject to protection under Indonesian law are different depending on the scope of the respective regulations. Nevertheless, in general, ‘personal data’ is protected. The EIT Law does not provide a detailed description on what kind of data is considered personal data. However, based on the EIT Law, the protection of personal data is part of privacy rights that include the right to:
The implementing regulations of the EIT Law provide a definition of personal data as below:
Regulation 5/2020 further defines Specific Personal Data as data and information comprising health data and information, biometric data, genetic data, sexual life/orientation, political views, criminal records, child data, personal financial data, and/or other data in accordance with the laws and regulations. However, Regulation 5/2020 does not provide specific requirements on the handling of Specific Personal Data. Note: The data that is subject to protection also depends on the relevant field of business.
Based on Regulation 6/2022, Personal data and/or information shall include:
Every item of information transmitted and/or received by a telecommunications services subscriber through telecommunications networks and/or telecommunications services is considered confidential information. In addition, Article 20 of MCIT Regulation No. 13 of 2019 on the Provision of Telecommunication Services, as amended several times, last by MCIT Regulation No. 14 of 2021 (“Regulation 13/2019”), requires telecommunications services operators to store customers’ data and keep it confidential; at a minimum this data must include the name and identity card number of the customer. If a customer has unsubscribed from the telecommunication services, the provider is required to store the customer data for at least 90 calendar days after the date of the subscription termination.
In general, the Health Law protects patients of health services, especially with regard to the patient's identity, diagnosis, medical history, examination history and treatment history.
According to the Public Information Disclosure Law, the following information shall be categorized as confidential personal data:
The Demographic Administration Law and Government Regulation No. 40 of 2019 on the Implementing Regulation of the Demographic Administration Law include the following information as citizens’ personal data that must be protected:
Law No. 35 of 2014 on Child Protection, as amended several times, last by Law No. 17 of 2016 (“Child Protection Law”), does not provide a detailed description of the specific data that must be protected. However, the Child Protection Law requires that any information concerning a child’s identity/personal data be protected from publication in the mass media, which includes:
Who is subject to privacy obligations? | The subjects of data protection requirements under Indonesian law differ according to the respective regulations. In general, under the EIT Law and its implementing regulations, the obligation to maintain confidential information transmitted or contained in an electronic system is imposed on ESOs. ESOs herein shall include an individual, state administrator, corporate body and the public that provides, processes and/or operates an electronic system either individually or jointly with its own interest and/or for other parties’ interest to electronic system users. Note: The relevant party that is subject to privacy obligation also depends on the relevant type of field.
What are the principles applicable to personal data processing? | Generally, the collection of personal data must be performed with the express consent of the data owner or the authorized person, and the accuracy of the personal data must be verified. Under the EIT Law and GR 71/2019, the use of any information through electronic media that involves the personal data of a person must be made with the consent of the person concerned. Every item of data must be obtained from the rightful owner or authorized person on the basis of a mutual agreement, except as regulated by the Criminal Procedure Law. The data owner must be fully informed of what data is being collected, how the data will be collected, and the purpose of the collection. In addition to the consent requirements, GR 71/2019 stipulates that personal data processing must comply with the following requirements:
Further, Regulation 20/2016 provides that the obtaining and collecting of personal data by ESOs must be (a) limited to information that is (i) relevant to and (ii) in accordance with its purpose, and (b) conducted in an accurate manner. During personal data collection, ESOs must respect the private nature of the owner’s personal data by providing an option in the electronic system for the personal data owner to choose: (i) the confidentiality or non-confidentiality of the personal data (except for elements of the personal data that the prevailing laws explicitly and specifically require to be confidential); and (ii) the change, addition, or update of the personal data. In addition, pursuant to Regulation 20/2016, any personal data obtained and collected directly must be verified with the personal data owner; where the personal data are obtained and collected indirectly, they must be verified based on the processing result of various data sources, and those data sources must have a valid legal basis. |
How is the processing of personal data regulated? | Generally, the processing of personal data is largely related to the provision under the EIT Law on “privacy rights”, which include:
Therefore, disclosure of personal data may only be carried out upon consent of the data owner or authorized person unless it is:
Additionally, as with the collection of personal data, Regulation 20/2016 and GR 71/2019 require the consent of the personal data owner for the collection, processing, use and disclosure of personal data (unless provided otherwise under the laws and regulations), and the personal data itself must be verified for accuracy and suitability before being displayed, published, transmitted, disseminated, or made accessible. Regulation 20/2016 stipulates that data subjects must receive a complete explanation of the processing that will be carried out before giving their consent. Personal data obtained indirectly must be verified against various legitimate sources. Disclosure of personal data without the consent of the data owner or the authorized person is permitted only under the specific circumstances provided by law. Pursuant to Article 14 (1) of GR 71/2019, an ESO must implement the following principles of personal data protection in processing personal data:
How are storage, security and retention of personal data regulated? | Generally, all ESOs must provide a reasonable storage and security system to ensure that personal data remains accessible and safe from harm. Note: There are some general provisions on the obligation of personal data protection under Indonesian laws and regulations. In general, the responsibility to maintain the security and retention of personal data lies with the institutions that collect and obtain it. Article 26 of the EIT Law stipulates that any utilization of information through electronic media involving personal data must obtain the prior consent of the person concerned. The elucidation of Article 27 of the EIT Law further stipulates that personal data protection is part of privacy rights, as described in the previous section.
Security: Article 3 of GR 71/2019 requires ESOs to provide electronic systems reliably and securely and to take responsibility for the proper operation of those systems. This security aspect covers the physical and non-physical protection of electronic systems, including the security of hardware and software. Further, Article 24 of GR 71/2019 requires ESOs to maintain and implement security procedures, facilities, and systems (such as antivirus, anti-spam, firewall, intrusion detection and prevention systems, and/or an information security management system) to avoid, prevent, and control threats and attacks that cause disruption, failure and loss. Cyber and Crypto National Agency (“BSSN”) Regulation No. 8 of 2020 on Security Systems in the Operation of Electronic Systems further requires every ESO, including Private ESOs, to self-assess the risk level of its electronic systems in accordance with the following classifications:
Depending on the risk level of its electronic systems, an ESO is required to implement Indonesian National Standard (SNI) ISO/IEC 27001, other cybersecurity standards determined by BSSN, and/or other cybersecurity standards determined by the ministry or institution of the relevant sector.
Storage and Retention: Article 15 of Regulation 20/2016 provides that any personal data to be stored in an electronic system must be verified for accuracy and must be stored in encrypted form. The personal data itself must be stored for at least five years unless regulated otherwise under specific laws and regulations. Furthermore, under Article 25 of GR 80/2019, domestic and/or foreign e-commerce providers are required to store e-commerce data and information for (i) at least 10 years for financial transaction-related data and information; and (ii) at least five years for non-financial transaction-related data and information. In terms of storage location, GR 71/2019 stipulates a data localization requirement that applies only to ESOs in public scope. ESOs in public scope include State Administrative Institutions and other institutions appointed by State Administrative Institutions. An exception to the data localization requirement for ESOs in public scope applies where the relevant technology is not yet available in Indonesia. Private ESOs, on the other hand, are permitted to store data outside Indonesia. However, they must ensure the effectiveness of supervision by the relevant ministries/institutions and of the law enforcement process (e.g., by providing access to electronic systems and/or electronic data upon request by a ministry, institution, or law enforcement authority). |
What are the data subjects' rights? | Data subject rights are regulated under the EIT Law and its implementing regulations. Note: As provided under the EIT Law, ESOs are obliged to guarantee the confidentiality, integrity, authenticity, accessibility, availability, and traceability of the Electronic Information and/or Electronic Documents (which also include any personal data contained therein). On the correction of personal data, an ESO must provide certain features in the respective electronic system, at least to:
The following are data subject rights under the implementing regulations of EIT Law:
Regulation 20/2016 stipulates that a personal data owner is entitled to obtain access or opportunity to change or update their personal data without disrupting the personal data management system of an ESO unless provided otherwise by the laws and regulations. An ESO must attend to the request for access; however, the granting of such a request must be done without disrupting the ESO’s personal data management system. The regulation is silent on the specific criteria to determine what constitutes a disruption of an ESO's personal data management system.
GR 71/2019 stipulates that data owners have the right to submit a request to ESO to have their personal data erased, on the basis that such personal data is considered irrelevant unless required to be stored or prohibited from erasure under the laws and regulations. Irrelevant data refers to data:
Right to delisting refers to the deletion of data (exclusion) from the search engine list. Under GR 71/2019, in order to exercise the right to delisting, the personal data owner must obtain a delisting order from the court. In this instance, the personal data owner may submit a request to the court to stipulate an order for the delisting.
Under Regulation 20/2016, data subjects must be given an opportunity to deem their personal data confidential. If any personal data is deemed confidential and notified to an ESO as such, the ESO must maintain such confidentiality and not disclose or share that particular personal data (unless consent has been obtained for such disclosure). |
Are there restrictions on cross-border data transfers? | Restrictions on cross-border personal data transfers are generally regulated under Regulation 20/2016 and GR 80/2019. Restrictions are also regulated specifically in certain industries such as the banking industry and the payment system industry. Note: Pursuant to Article 22 of Regulation 20/2016, the transfer of personal data managed by ESOs at government agencies and regional government agencies, as well as by the public or private parties domiciled in Indonesia, to a territory outside Indonesia must be:
The coordination takes the following form: (a) reporting the personal data transfer plan, specifying at least the full name of the destination country, the full name of the recipient, the date of transfer, and the reasons/purposes for which the personal data are transferred; (b) seeking consultation, if necessary; and (c) reporting the results of the activity. Furthermore, in the context of e-commerce, GR 80/2019 stipulates that cross-border transfer of personal data from Indonesia to countries or regions outside Indonesian jurisdiction is prohibited unless the Minister of Trade has declared that the country or region maintains protection standards and levels equal to those of Indonesia. Nevertheless, to the best of our knowledge, the Minister of Trade has not yet issued a list of “white-listed” countries for cross-border personal data transfers. Specifically in the field of banking and finance, pursuant to OJK Regulation No. 38/POJK.03/2016 on the Implementation of Risk Management in the Utilization of Information Technology, as amended by OJK Regulation No. 13/POJK.03/2020 and partially revoked by OJK Regulation No. 13/POJK.03/2021 on the Implementation of Banking Products (“Regulation 38/2016”), banks must establish and locate their data center and/or disaster recovery center in Indonesia. If a bank intends to locate its data center and/or disaster recovery center outside the territory of Indonesia, the plan must be approved by the OJK, subject to certain requirements being fulfilled; as a rule, a data center or disaster recovery center may only be operated within the territory of Indonesia. Under Regulation 38/2016, a data center is defined as a facility used to house an electronic system and its relevant components for the purpose of data placement, storage, and processing.
Further, a disaster recovery center is defined as a facility to restore the data or information and important functions of an electronic system that are being interrupted or damaged due to disaster that is caused by nature or human activity. Specifically in the payment system sector, Regulation 23/2021 stipulates that the electronic system used for transaction processing at the initiation, authorization, clearing, and final settlement stages must be placed in a data center and disaster recovery center in the territory of the Republic of Indonesia. Payment transactions can be processed outside the territory of the Republic of Indonesia provided approval from BI is acquired. |
Are there any notification requirements for data breaches? | An ESO must notify the personal data owner in writing upon any occurrence of a breach of personal data confidentiality and notify the law enforcement authority and MCIT or relevant institution. Note: Article 14 (5) of GR 71/2019 provides that in the occurrence of failure in the protection of personal data managed by an ESO, it must notify the personal data owner. Further, Article 28 (c) of Regulation 20/2016 requires every ESO to notify the personal data owners in writing upon the occurrence of a breach of personal data confidentiality in the electronic system being managed. Such notification:
Article 24 (3) of GR 71/2019 also requires every ESO to immediately notify the law enforcement authority and MCIT or relevant institution in the event of system failure or disturbance caused by other parties, which has a serious impact. Specifically in the banking sector, Regulation 38/2016 requires banks to report any critical event, abuse, and/or crime during the operation of information technology that may and/or has caused significant financial loss and/or disturbance to the bank’s operational activity, immediately via electronic mail or telephone call, followed by a written report to be submitted within seven business days of acknowledgment of the critical event, abuse, and/or crime. However, in the event that the bank’s information technology services are operated by an appointed third-party service provider, the bank must report it to the OJK within three business days of acknowledgment of the breach by the service provider. |
Who is the privacy regulator? | The primary privacy regulator would be the MCIT, as it is authorized under the regulations to, among others, prepare policy formulation, norms, standards, procedures and criteria in the field of governance of personal data protection. Different sectors also have different regulators, which may stipulate sector-specific requirements in the respective regulations. Note:
Previously, banking institutions were subject to BI as the authorized regulatory institution. However, as per the establishment of OJK, all regulations and supervision of banking and non-banking financial institutions are currently under the authority of OJK.
The privacy-related regulator for telecommunications and the EIT field is under the authority of MCIT. Specifically, in the telecommunications business, the authority is under the Directorate General of Post and Information Technology Operation. The EIT business is under the authority of the Directorate General of Information Technology Applications.
As provided under Medical Workers Law and Medical Records Law, regulation is under the authority of the Ministry of Health.
As provided under Article 23 of the Public Information Disclosure Law, the implementation of the Public Information Law is under the authorization of an Information Committee, an independent institution established based on the Public Information Law itself. The Information Committee consists of a Central Information Committee, Provincial Information Committee, and, if required, Regency/Municipality Information Committee.
As provided under GR 80/2019, regulation on e-commerce is under the authority of the Ministry of Trade. |
What are the consequences of a privacy breach? | The sanctions for violation of data protection regulations are primarily provided under the EIT Law and its implementing regulations. However, sectoral regulations also provide certain consequences for privacy breach. Note:
In addition, a person whose rights are violated in relation to the use of personal data may file a claim for any damages or loss arising from the unauthorized use of personal data based on the EIT Law. GR 71/2019 stipulates that an ESO’s failure to maintain the confidentiality and the rights of the personal data owner is subject to administrative sanction, which may be in the form of a written warning, administrative fines, temporary suspension, termination of access, or exclusion from the registry maintained by the MCIT. Regulation 20/2016 stipulates that unauthorized or unlawful acquisition, collection, processing, analysis, storage, display, announcement, transfer, and/or dissemination of personal data is subject to administrative sanctions, which may be a verbal warning, a written warning, temporary suspension of activities, and/or announcement in MCIT’s online website that the ESO had not implemented proper personal data protection measures.
Based on Article 47 of the Banking Law, any members of Board of Commissioners, Board of Directors, bank employees or other affiliated parties who intentionally disclose information whose confidentiality must be maintained pursuant to Article 40 of the Banking Law, will be sentenced to a maximum of two years imprisonment and/or a maximum fine of Rp200 million. Further, Regulation 6/2022 stipulates that any violation of the provisions contained in Regulation 6/2022 will be imposed with administrative sanctions in the form of:
As mentioned previously, Regulation 6/2022 prohibits financial services providers from providing third parties with data and/or information on their own customers, except in the cases explicitly set out in the regulation. Any violation of this provision is therefore subject to the foregoing administrative sanctions. Regulation 23/2021 stipulates that BI is authorized to impose administrative sanctions on a PJP in the form of: (i) a warning; (ii) fines; (iii) temporary, partial, or full suspension of activities, including the implementation of cooperation; and/or (iv) revocation of the PJP license.
Pursuant to Article 57 of the Telecommunications Law, any telecommunications service operator that breaches the confidentiality requirement set out in Article 42 of the Telecommunications Law is subject to a maximum imprisonment of two years and/or a maximum fine of Rp200 million. Specifically, if a telecommunications service provider fails to keep customer data confidential or fails to store customer data for a minimum of 90 calendar days after the date of the subscription termination, in violation of Article 20 of Regulation 13/2019, the provider is subject to administrative sanctions under Article 52 (1) of Regulation 13/2019, namely:
Article 82 (2) of the Medical Workers Law stipulates that any medical service facility that fails to comply with the provision of Article 70 (4) on the obligation to maintain the confidentiality of medical records of customers will be liable to administrative sanction in the form of (i) verbal warning (ii) written warning (iv) administrative fines, and/or (v) license revocation. Note: “Medical service facility” is defined as equipment and/or place that are utilized to provide a medical service, either promotional, preventive, curative, or rehabilitative offered by the Government, Regional Government, and/or society.
Pursuant to Article 17 of the Public Information Disclosure Law, certain information is exempted from the public information category, including confidential personal data. Any violation is subject to two years imprisonment and/or a maximum fine of Rp10 million.
Pursuant to Article 80 of GR 80/2019, an undertaking that violates its obligation to implement personal data protection requirements in carrying out its business activities is subject to administrative sanctions in the form of:
How is electronic marketing regulated? | Ministry of Trade Regulation No. 50 of 2020 on Business Licensing, Advertising, Management, and Monitoring of E-Commerce Undertakings (“Regulation 50/2020”) stipulates that the contents of electronic marketing material are subject to the laws and regulations on broadcasting, protection of personal data and privacy, and consumer protection, and must not be contrary to the principles of fair business competition. Note that this regulation is only applicable to e-commerce undertakings. Additionally, GR 71/2019 stipulates that the sender of electronic information must make sure that the transmitted electronic information is accurate and does not disturb the recipient. This provision is intended to protect the users of electronic systems from spam. However, more detailed provisions on this specific matter are to be regulated by a separate MCIT regulation. To date, there is no specific MCIT regulation pertaining to this matter. Note: Article 9 of the EIT Law provides that product marketing through an electronic system must provide complete and true information in relation to the contractual provisions, the producers, and the offered products. Article 20 of the EIT Law further provides that an electronic transaction is deemed to occur when the offer has been sent by the sender and accepted by the recipient. Such acceptance must be acknowledged through an electronic receipt.
Article 19 paragraph (3) of Regulation 50/2020 adds that any advertisement that includes a review or testimony from a consumer who has used the goods and/or service must include the identity of that consumer, ensure its accuracy, and be done in a responsible manner. There are also restrictions on how a product may be offered and/or marketed pursuant to Article 9 of Law No. 8 of 1999 on Consumer Protection (“Consumer Protection Law”). The marketing of a product must not:
OJK Circular Letter No. 12/SEOJK.07/2014 on Provision of Information for the Marketing of Financial Services Products and/or Services stipulates that financial services providers must provide and/or convey information regarding products and/or services accurately, completely, honestly, and not be misleading. In the financial services sector, the OJK has also published Financial Services Advertisement Guidelines (3rd amendment in October 2020). Apart from the general marketing and advertising requirements above, certain sectors also provide specific marketing and advertising requirements and restrictions, such as: (i) drugs, cosmetics, food, traditional drugs, health supplements; (ii) cigarettes, tobacco products; (iii) alcoholic beverages. |
Are there any recent developments or expected reforms? | Currently, the government is in the process of issuing a law on personal data protection (“Privacy Bill”), which will set out more detailed provisions applicable to various sectors. As general background, we note that the Privacy Bill adopts several principles of the EU’s GDPR. The Privacy Bill also has extra-territorial effect: it would apply to every person and entity performing a legal act, whether outside or within Indonesia, that has legal implications in Indonesia or affects Indonesian data subjects domiciled offshore. Based on the latest draft of the Privacy Bill, new principles on personal data protection are introduced, including data controller and data processor liabilities, lawful bases for processing, and data minimization. Several provisions of the Privacy Bill should be noted, as follows:
Similar to the provisions under the GDPR, the Privacy Bill determines the data controller as the party responsible for personal data processing activities.
However, to date, there is no further information as to when the Privacy Bill will be issued and promulgated as a law. |
Updated 30 Jun 2022
Note:
In addition to the EIT Law and its implementing regulations above, the following regulations that relate to privacy and data protection apply to specific fields of business (e.g., trade and industry, including the banking sector, the telecommunications sector and the medical services sector):
- Human Rights Law
Under Article 29 (1) of Law No. 39 of 1999 on Human Rights (“Human Rights Law”), everyone has the right to protection of his privacy, family, honor, dignity and rights of ownership. Furthermore, Article 32 of the Human Rights Law states that freedom and confidentiality in communication, including via electronic telecommunications, may not be interfered with, except upon the order of a court or other legitimate authority according to the prevailing laws and regulations.
- Banking Law and Financial Services Sector
As provided under Article 40 of Law No. 7 of 1992 on Banking, as amended several times, last by Law No. 11 of 2020 on Job Creation (“Banking Law”), banks in Indonesia are prohibited from disclosing information regarding their customers to third parties, except under certain conditions explicitly mentioned in the Banking Law, such as for taxation purposes, debt settlements that have been delegated to the Debt and Auction Affairs Agency, criminal proceedings, civil lawsuits between the bank and its customer, interbank information exchange, and inheritance.
In regard to Financial Services, pursuant to Article 31 of Financial Services Authority (“Otoritas Jasa Keuangan” or “OJK”) Regulation No. 6/POJK.07/2022, on Consumer Protection in the Financial Services Sector (“Regulation 6/2022”), financial services providers are prohibited from providing third parties with data and/or information on their own consumers except where (i) the consumer concerned has given his/her/its written approval for such purpose; and/or (ii) the provision of the data and/or information is required under the prevailing regulation. Further, based on Bank Indonesia Regulation No. 22/20/PBI/2020 on Bank Indonesia Consumer Protection (“Regulation 22/2020”), providers of payment system services must keep the confidentiality of consumers’ data and/or information. To do so, the providers must have and implement policies on the protection of consumer data and/or information. Article 33 of Regulation 22/2020 also stipulates that providers are prohibited from disclosing consumer data and/or information to other parties, except in the event that the providers have obtained prior written approval from the consumer and/or the disclosure is required by the prevailing law and regulations.
Regulation 22/2020 defines the “provider” as a bank or non-bank institution that conducts activities regulated and supervised by Bank Indonesia (“BI”) in which product and/or service is used by consumers. Regulation 22/2020 also limits the payment system services to the following fields: (i) issuance of instrument for funds transfer and/or withdrawal; (ii) transfer of funds; (iii) payment instrument via card; (iv) electronic money; (v) provisioning and/or depositing Rupiah; and (vi) other payment system operations as regulated under BI’s rules.
Additionally, BI Regulation No. 23/6/PBI/2021 on Payment System Provider (“Regulation 23/2021”) further regulates data processing and/or information related to the payment system, Payment System Provider (“PJP”) and parties cooperating with PJP. Regulation 23/2021 requires that PJP and parties cooperating with PJP must:
- apply the principle of personal data protection, including complying with the requirement to obtain a service user's consent for the use of his personal data, which includes, among others, processing personal data in accordance with its purpose and destroying and/or deleting personal data after processing unless it is still within the statutory retention period;
- comply with the data and/or information processing mechanism related to the payment system stipulated by BI, including the processing mechanism through the data infrastructure and the payment system infrastructure of BI;
- comply with the third-party data infrastructure utilization mechanism stipulated by BI;
- implement cyber risk management in the operation of the payment system, including information system security standards (must at least consist of the following aspects: governance, prevention, and resolution);
- pay attention to the integrity of data that represents the actual facts or circumstances and is consistent by using transparent methods; and
- comply with the provisions of laws and regulations.
Note:
‘PJP’ is defined as a bank or a non-bank institution that provides services to facilitate payment transactions to service users.
- Telecommunications Law
Article 42 (1) and (2) of Law No. 36 of 1999 on Telecommunications, as amended by Law No. 11 of 2020 on Job Creation (“Telecommunications Law”) requires a telecommunications service operator to keep confidential the information transmitted and/or received by a telecommunications services subscriber through telecommunications networks and/or telecommunications services that it is providing, except for the purposes of criminal proceedings.
- Health Law
Article 57 of Law No. 36 of 2009 on Health, as last amended by Law No. 11 of 2020 on Job Creation (“Health Law”) provides that every person has the right to confidentiality of the personal health condition that he/she has disclosed to health care providers, except in certain circumstances where the confidentiality requirement may be exempted. Further, based on the Regulation of the Minister of Health No. 269/MENKES/PER/III/2008 of 2008 on Medical Records (“Medical Records Law”), information about the patient's identity, diagnosis, medical history, examination history and treatment history must be kept confidential by doctors, dentists, certain health personnel, management officers and leaders of health service facilities. In general, medical records are subject to a minimum retention period of five years (for hospitals) or two years (for non-hospital medical services providers). Additionally, Law No. 36 of 2014 on Medical Workers (“Medical Workers Law”) requires Medical Workers to maintain the confidentiality of medical records.
- Public Information Disclosure Law
Pursuant to Article 2 (4) of Law No. 14 of 2008 on Public Information Disclosure (“Public Information Disclosure Law”), certain information is exempted from mandatory disclosure, which includes the personal data of a person.
- Demographic Administration Law
Law No. 23 of 2006 on Demographic Administration as amended by Law No. 24 of 2013 (“Demographic Administration Law”) requires all Implementing Agencies and Providers of demographic administration to maintain the confidentiality of citizens’ personal data, in accordance with the laws and regulations.
- Indonesian Criminal Procedural Law
As per Article 47 (1) of Law No. 8 of 1981 on Criminal Procedure (“Criminal Procedure Law”), an investigator has the right to retrieve/open, examine and confiscate other documents sent through the post and telecommunications office, communications or transportation agency or enterprise, if the objects concerned are, for a good reason, suspected of having a connection with a criminal case currently being examined, with special approval issued for such purpose by the head of the district court.
- E-Commerce Sector
Under Article 1 of Government Regulation No. 80 of 2019 on E-Commerce (“GR 80/2019”), e-commerce is defined as domestic and international transactions of goods or services through a series of electronic devices and procedures.
Any domestic and/or foreign undertaking engaged in e-commerce business activities is considered the personal data controller, and in doing so, it is required to adopt personal data protection standards according to evolving business practices. If the owner of the personal data states that he/she leaves, stops subscribing or stops using e-commerce services and facilities, the owner of the personal data has the right to request to the undertaking to delete all of his/her personal data and the undertaking must delete all the personal data concerned in the system managed by the undertaking.
The types of data that are subject to protection under Indonesian law are different depending on the scope of the respective regulations.
Nevertheless, in general, ‘personal data’ is protected.
The EIT Law does not provide a detailed description on what kind of data is considered personal data. However, based on the EIT Law, the protection of personal data is part of privacy rights that include the right to:
- enjoy personal life, free from any disturbance;
- communicate with others without being spied upon; and
- monitor access to information on one's personal life or privacy.
The implementing regulations of the EIT Law provide a definition of personal data as below:
- Regulation 20/2016 defines personal data as "particular individual data" that is stored, maintained and kept for its accuracy and protected for confidentiality. The term, "particular individual data” is further defined as any true and correct information that is attributed and identifiable to, either directly or indirectly, each individual, the utilization of which is in accordance with the laws and regulations.
- GR 71/2019 defines personal data as all data related to a person, whether identified or capable of being identified using that data or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means.
Regulation 5/2020 further provides the definition of Specific Personal Data, as data and information comprising health data and information, biometric data, genetic data, sexuality/orientation, political views, criminal record, child data, personal financial data; and/or other data in accordance with the laws and regulations. However, Regulation 5/2020 does not provide specific requirements on the handling of Specific Personal Data.
Note: The relevant data that is subject to protection also depends on the relevant type of field.
- Banking Law and Financial Services Sector
Based on Regulation 6/2022, personal data and/or information shall include:
- Individual:
- name;
- citizen identification number;
- address;
- date of birth and/or age;
- phone number;
- name of the biological mother; and/or
- other data provided or made available by the consumer to the financial services provider.
- Corporation:
- name;
- address;
- phone number;
- composition of the board of directors and commissioners, including their document of identity;
- composition of shareholders; and/or
- other data provided or made available by the consumer to the financial services provider.
- Telecommunications Law
Every item of information being transmitted and/or received by a telecommunications services subscriber through telecommunications networks and/or telecommunications services shall be considered confidential information.
In addition, Article 20 of MCIT Regulation No. 13 of 2019 on the Provision of Telecommunication Services, as amended several times, last by MCIT Regulation No. 14 of 2021 (“Regulation 13/2019”), requires telecommunications services operators to store customers’ data and keep it confidential; such data must at least include the name and identity card number of the customer. If a customer has unsubscribed from the telecommunication services, the provider is required to store the customer's data for at least 90 calendar days after the date of the subscription termination.
- Health Law
In general, the Health Law provides protection to customers of health services, especially regarding patient's identity, diagnosis, medical history, examination history and treatment history.
- Public Information Disclosure Law
According to the Public Information Disclosure Law, the following information shall be categorized as confidential personal data:
- History and condition of a family member;
- History, condition, treatment and medication of a person's physical and psychological health;
- Financial condition, assets, revenue and bank accounts of a person;
- Evaluation results in relation to a person’s capability and intelligence, and recommendations on his/her ability; and/or
- A person's personal record in relation to formal and informal educational activities.
- Demographic Administration Law
The Demographic Administration Law and the Government Regulation No. 40 of 2019 on the Implementing Regulation of the Demographic Administration Law includes the following information as citizens’ personal data that must be protected:
- Information concerning physical and/or mental disabilities;
- Fingerprints;
- Eye iris images;
- Signature; and
- Other elements considered to reveal negative aspects about a person, which shall consist of data on certain important events that should not be known by other people.
- Child Protection Law
Law No. 35 of 2014 on Child Protection, as amended several times, last by Law No. 17 of 2016 (“Child Protection Law”) does not provide a detailed description of the specific data that must be protected. However, the Child Protection Law requires that any information concerning a child’s identity/personal data be protected from publication in mass media, which includes:
- print media (newspapers, tabloids, magazines);
- electronic media (radio, television, films, videos); and
- information technology/online communication media (websites, news portals, blogs, social media).
The subjects of data protection requirements under Indonesian law differ according to the respective regulations.
In general, under the EIT Law and its implementing regulations, the obligation to maintain confidential information transmitted or contained in an electronic system is imposed on ESOs. ESOs herein shall include an individual, state administrator, corporate body and the public that provides, processes and/or operates an electronic system either individually or jointly with its own interest and/or for other parties’ interest to electronic system users.
Note: The relevant party that is subject to privacy obligation also depends on the relevant type of field.
- Banking Law and Financial Services Sector
As provided under Regulation 6/2022 and Regulation 22/2020, the institutions that are subject to the privacy obligation are banks, payment system service providers and other financial institutions (including insurance and reinsurance companies, financing companies, securities companies, pledge companies, stock exchanges, investment consultants, etc.).
- Telecommunications Law
Article 42 (2) of the Telecommunications Law requires telecommunications service operators to keep the confidentiality of information transmitted by their customers.
- Health Law
Pursuant to Article 70 (4) of the Medical Workers Law, Medical Workers are obliged to maintain the confidentiality of the medical records of customers/patients. In this case, medical workers include every person that dedicates themselves to health services and has the knowledge and/or skill from education in the medical field. Under the Medical Workers Law, Medical Workers are, among others, doctors, dentists, certain health personnel, management officers and leaders of health service facilities.
- Public Information Disclosure Law
As the Public Information Disclosure Law is designed to regulate Public Institutions, the subjects of the privacy obligations are every state administrator institution, corporations, independent institutions established based on the law to undertake activities of public service and other legal entity solely established to undertake activities of public service.
- Criminal Procedural Law
Based on Article 48 (3) of the Criminal Procedure Law, an investigator is obliged to strictly maintain the confidentiality of the contents of the documents.
- Demographic Administration Law
The Demographic Administration Law is applicable to:
i. Implementing Agencies of demographic administration, which include: (a) the Government; (b) provincial governments; and (c) regency/municipality governments, which are responsible and authorized in demographic administration.
ii. Providers of demographic administration, which include instruments of the government of a regency/municipality, responsible for and authorized to provide public services in relation to demographic administration.
- E-Commerce Sector
Under GR 80/2019, domestic and/or foreign undertakings engaged in e-commerce business activities are considered personal data controllers. An undertaking is defined as every individual or business entity in the form of a legal entity or non-legal entity which carries out business activities in the e-commerce sector, which includes merchants, e-commerce providers, and intermediary services providers.
Generally, the collection of personal data must be performed at the express consent of the data owner or the authorized person, and the accuracy of the personal data must be verified.
Under the EIT Law and the GR 71/2019, the use of any information through electronic media that involves the personal data of a person must be made with the consent of the person concerned.
Every item of data must be obtained from the rightful owner or authorized person based on a mutual agreement, except for those regulated by the Criminal Procedural Law. In this case, the data owner must be fully informed on what data is being collected, how the data will be collected, and the purpose of the collection of personal data.
In addition to consent, GR 71/2019 recognizes the following bases on which personal data processing may be conducted:
- Performance of contractual obligations where the personal data owner is a party to the contract or in order to fulfill a request of the data subject prior to entering into the contract;
- Compliance with a legal obligation that is imposed on the data controller based on the laws and regulations;
- Fulfillment of the vital interests of the data subject;
- Exercise of the authority vested in the data controller by the laws and regulations;
- Fulfillment of a public service obligation to which the data controller is subject in the public interest; and/or
- Pursuit of a legitimate interest of the data controller and/or the personal data owner.
Further, Regulation 20/2016 provides that the obtaining and collecting of personal data by ESOs must be (a) limited to the information that is (i) relevant to and (ii) in accordance with the purpose thereof, and (b) conducted in an accurate manner.
During the process of personal data collection, ESOs must respect the owner of the personal data for his/her personal data which is private in nature, by way of providing the option in the electronic system for the personal data owner to choose: (i) the confidentiality or non-confidentiality of the personal data (unless for certain elements of the personal data that are explicitly and specifically required by the prevailing laws to be confidential); and (ii) the change, addition, or update of the personal data.
In addition, pursuant to Regulation 20/2016, any personal data that are directly obtained and collected must be verified with the personal data owner, or in the event that the personal data are obtained and collected indirectly, it must be verified based on the processing result of various data sources. In this case, the data sources must have a valid legal basis.
Generally, the processing of personal data is largely related to the provision under the EIT Law on “privacy rights”, which include:
- The right to enjoy privacy, free from any disturbance;
- The right to monitor access to information; and
- The right to access information on personal life or privacy.
Therefore, disclosure of personal data may only be carried out upon consent of the data owner or authorized person unless it is:
- required by law for the purposes of law enforcement;
- ordered by a court;
- in the public interest (usually requiring authorization from a government institution);
- in the data owner’s interest (in the event of health-related personal data).
Additionally, similar to the collection of personal data, Regulation 20/2016 and GR 71/2019 require the consent of the personal data owner to the collection, processing, use and disclosure of personal data (unless provided otherwise under the law and regulation) and the personal data itself must be verified for its accuracy and suitability, prior to being displayed, published, transmitted, disseminated, or granted access.
Regulation 20/2016 stipulates that data subjects must receive a complete explanation of the processing that will be carried out before providing their consent. Personal data that are obtained indirectly must be verified with various legitimate sources.
However, the disclosure of personal data may only be done without the consent of the data owner or the authorized person under certain circumstances as provided by law.
Pursuant to Article 14 (1) of GR 71/2019, an ESO must implement the following principles of personal data protection in processing personal data:
- Personal data may only be collected on a restrictive, specific and lawful basis with the knowledge and consent of the data subject;
- Personal data may only be processed in accordance with the purpose for which it is collected;
- The rights of the data subject must be guaranteed;
- Personal data must be accurate, comprehensive, not misleading, up to date, accountable, and have regard to the purposes for which they are processed;
- Processing must ensure the security of personal data from loss, misuse, unauthorized access and disclosure, and changes or damage;
- Notice must be given of the purpose of personal data processing and of any security breach; and
- Personal data must be destroyed and/or erased after the expiry of the retention period, save as otherwise required by law.
Generally, all ESOs must provide a reasonable storage and security system to ensure the personal data remains accessible and safe from harm.
Note:
There are some general provisions on the obligation of personal data protection under Indonesian laws and regulations. In general, the responsibility to maintain the security and retention of personal data lies with the institutions that collect and obtain it.
Article 26 of EIT Law stipulates that any utilization of information through electronic media on personal data must obtain prior consent from the person concerned. The elucidation of Article 27 of EIT Law further stipulates that personal data protection is a part of privacy rights, as described in the previous section.
Security
Article 3 of GR 71/2019 requires ESOs to provide electronic systems reliably and securely and to take responsibility for the proper operation of their electronic systems. This security aspect covers the protection of electronic systems both physically and non-physically, including the security of hardware and software. Further, Article 24 of GR 71/2019 requires ESOs to maintain and implement security procedures, facilities and systems (such as antivirus, anti-spam, firewalls, intrusion detection and prevention systems, and/or information security management systems) to avoid, prevent and control threats and attacks that cause disruption, failure and loss.
Cyber and Crypto National Agency (“BSSN”) Regulation No. 8 of 2020 on Security Systems in the Operation of Electronic Systems further requires every ESO, including Private ESOs, to self-assess to determine the risk level of its electronic systems, in accordance with the following classifications:
- Strategic-risk Electronic Systems;
- High-risk Electronic Systems; and
- Low-risk Electronic Systems.
Depending on the risk level of its electronic systems, ESOs are required to implement Indonesian National Standards (SNI) ISO/IEC 27001, other security standards on cybersecurity as determined by BSSN, and/or other security standards on cybersecurity, as determined by the ministry or institution of the relevant sector.
Storage and Retention
In terms of storage and retention, Article 15 of Regulation 20/2016 provides that any personal data to be stored in an electronic system must be verified for its accuracy and must be stored in an encrypted form. The personal data itself must be stored for at least five years unless regulated otherwise under any specific laws and regulations.
Furthermore, based on Article 25 of GR 80/2019, domestic and/or foreign e-commerce providers are required to store e-commerce data and information (i) at least 10 years for financial transaction-related data and information; and (ii) at least five years for non-financial transaction-related data and information.
In terms of storage location, GR 71/2019 stipulates a data localization requirement that is only applicable to ESOs in public scope. ESOs in public scope include State Administrative Institutions and other institutions appointed by State Administrative Institutions. An exception to the data localization requirement for ESOs in public scope applies in the event that the relevant technology is not yet available in Indonesia.
Private ESOs, on the other hand, are permitted to have data storage outside of Indonesia. However, they must ensure the effectiveness of supervision by the relevant ministries/institutions and of law enforcement processes (e.g., by providing access to electronic systems and/or electronic data upon request by a ministry, institution or law enforcement authority).
Data subject rights are regulated under the EIT Law and its implementing regulations.
Note:
As provided under the EIT Law, ESOs are obliged to guarantee the confidentiality, integrity, authenticity, accessibility, availability, and traceability of the Electronic Information and/or Electronic Documents (which also include any personal data contained therein).
On the correction of personal data, an ESO must provide certain features in the respective electronic system, at least to:
- make corrections;
- cancel commands;
- give confirmation and reconfirmation;
- provide an option to continue or stop performing the next action;
- check delivered information on a form of contract offer or advertisement;
- check the status of transaction success or failure;
- read the agreement before continuing with the transaction.
The following are data subject rights under the implementing regulations of EIT Law:
- Right to access and rectification
Regulation 20/2016 stipulates that a personal data owner is entitled to obtain access or opportunity to change or update their personal data without disrupting the personal data management system of an ESO unless provided otherwise by the laws and regulations. An ESO must attend to the request for access; however, the granting of such a request must be done without disrupting the ESO’s personal data management system. The regulation is silent on the specific criteria to determine what constitutes a disruption of an ESO's personal data management system.
- Right to erasure
GR 71/2019 stipulates that data owners have the right to submit a request to an ESO to have their personal data erased, on the basis that such personal data is considered irrelevant, unless the data is required to be stored or prohibited from erasure under the laws and regulations. Irrelevant data refers to data:
- acquired and processed without approval from the data subject;
- approval for which has been withdrawn by the data subject;
- acquired and processed unlawfully;
- no longer in accordance with the purposes of acquisition based on the agreement and/or provisions of laws and regulations;
- the use of which has exceeded the period in accordance with the agreement and/or provisions of laws and regulations; and/or
- the display of which by the ESO results in losses to the personal data owner.
- Right to delisting
Right to delisting refers to the deletion of data (exclusion) from the search engine list. Under GR 71/2019, in order to exercise the right to delisting, the personal data owner must obtain a delisting order from the court. In this instance, the personal data owner may submit a request to the court to stipulate an order for the delisting.
- Right to confidentiality
Under Regulation 20/2016, data subjects must be given an opportunity to deem their personal data confidential. If any personal data is deemed confidential and notified to an ESO as such, the ESO must maintain such confidentiality and not disclose or share that particular personal data (unless consent has been obtained for such disclosure).
The restrictions on cross-border personal data transfer are generally regulated under Regulation 20/2016 and GR 80/2019. Restrictions are also regulated specifically in certain industries such as the banking industry and the payment system industry.
Note:
Pursuant to Article 22 of Regulation 20/2016, the transfer of personal data managed by ESOs at government agencies and regional government agencies, as well as by the society or private parties domiciled in Indonesia, to a territory outside of Indonesia must be:
- coordinated with the MCIT or the authorized official/agency; and
- carried out in accordance with the provisions of the laws and regulations on cross-border personal data exchange. This requirement imposes an obligation on transferors to comply with the sectoral laws and regulations applicable to them (such as those for the e-commerce and banking industries).
The coordination is implemented in the following form: (a) reporting the personal data transfer plan specifying at least the full name of the destination country, the full name of the recipient, the date of transfer, and the reasons/purposes for which the personal data are transferred; (b) seeking agreement via persuasion (consultation), if necessary; and (c) reporting the results of the activity.
Furthermore, in the context of e-commerce, GR 80/2019 stipulates that cross-border personal data transfer from Indonesia to other countries or regions outside Indonesia's jurisdiction is prohibited unless the country or region has been declared by the Minister of Trade as maintaining protection standards and levels equal to those of Indonesia. Nevertheless, to the extent of our knowledge, the Minister of Trade has not issued the list of “white-listed” countries for cross-border personal data transfer.
Specifically, within the field of banking and finance, pursuant to OJK Regulation No. 38/POJK.03/2016 on the Implementation of Risk Management in the Utilization of Information Technology as amended by OJK Regulation No. 13/POJK.03/2020 and partially revoked by OJK Regulation No. 13/POJK.03/2021 on the Implementation of Banking Products (“Regulation 38/2016”), banks must establish and place their data center and/or disaster recovery center in Indonesia. If a bank intends to place its data center and/or disaster recovery center outside the territory of Indonesia, such a plan must be approved by the OJK upon fulfilling certain requirements. The reason for this is that a data center or disaster recovery center can normally only be operated within the territory of Indonesia.
Under Regulation 38/2016, a data center is defined as a facility that is being used to locate the electronic system and its relevant components, for the purpose of data placement, storage, and processing. Further, a disaster recovery center is defined as a facility to restore the data or information and important functions of an electronic system that are being interrupted or damaged due to disaster that is caused by nature or human activity.
Specifically in the payment system sector, Regulation 23/2021 stipulates that the electronic system used for transaction processing at the initiation, authorization, clearing, and final settlement stages must be placed in a data center and disaster recovery center in the territory of the Republic of Indonesia. Payment transactions can be processed outside the territory of the Republic of Indonesia provided approval from BI is acquired.
An ESO must notify the personal data owner in writing upon any occurrence of a breach of personal data confidentiality and notify the law enforcement authority and MCIT or relevant institution.
Note:
Article 14 (5) of GR 71/2019 provides that in the occurrence of failure in the protection of personal data managed by an ESO, it must notify the personal data owner.
Further, Article 28 (c) of Regulation 20/2016 requires every ESO to notify the personal data owners in writing upon the occurrence of a breach of personal data confidentiality in the electronic system being managed. Such notification:
- must include the reasons or causes of the failure;
- may be made electronically if the personal data owner has given his/her consent for such method when the personal data was obtained and collected;
- must ensure that it is received by the personal data owner if such failure has the potential to cause losses to the personal data owner; and
- must be made within 14 days once the failure is known.
Article 24 (3) of GR 71/2019 also requires every ESO to immediately notify the law enforcement authority and MCIT or relevant institution in the event of system failure or disturbance caused by other parties, which has a serious impact.
Specifically in the banking sector, Regulation 38/2016 requires banks to report any critical event, abuse, and/or crime during the operation of information technology that may and/or has caused significant financial loss and/or disturbance to the bank’s operational activity, immediately via electronic mail or telephone call, followed by a written report to be submitted within seven business days of acknowledgment of the critical event, abuse, and/or crime. However, in the event that the bank’s information technology services are operated by an appointed third-party service provider, the bank must report it to the OJK within three business days of acknowledgment of the breach by the service provider.
The primary privacy regulator would be the MCIT, as it is authorized under the regulations to, among others, prepare policy formulation, norms, standards, procedures and criteria in the field of governance of personal data protection. Different sectors also have different regulators, which may stipulate sector-specific requirements in the respective regulations.
Note:
- Banking Law and Financial Services Sector
Previously, banking institutions were subject to BI as the authorized regulatory institution. However, following the establishment of OJK, the regulation and supervision of banking and non-banking financial institutions now fall under the authority of OJK.
- Telecommunications Law and EIT Law
The privacy-related regulator for telecommunications and the EIT field is under the authority of MCIT. Specifically, in the telecommunications business, the authority is under the Directorate General of Post and Information Technology Operation. The EIT business is under the authority of the Directorate General of Information Technology Applications.
- Health Law
As provided under Medical Workers Law and Medical Records Law, regulation is under the authority of the Ministry of Health.
- Public Information Disclosure Law and Demographic Administration Law
As provided under Article 23 of the Public Information Disclosure Law, the implementation of the Public Information Law is under the authorization of an Information Committee, an independent institution established based on the Public Information Law itself. The Information Committee consists of a Central Information Committee, Provincial Information Committee, and, if required, Regency/Municipality Information Committee.
- E-Commerce Sector
As provided under GR 80/2019, regulation on e-commerce is under the authority of the Ministry of Trade.
The sanctions for violation of data protection regulations are primarily provided under the EIT Law and its implementing regulations. However, sectoral regulations also provide certain consequences for privacy breach.
Note:
- Electronic Information and Transaction Law
- Intentional and unauthorized or unlawful access to a computer or electronic system belonging to another person, in order to obtain information by breaching, hacking, trespassing, or breaking through security systems (Article 30 of the EIT Law) is subject to criminal sanction of imprisonment (up to 8 years) or a fine (up to Rp800 million).
- Intentional and unauthorized or unlawful interception or wiretapping of electronic information or electronic documents in a computer or electronic system belonging to another person; as well as interception of transmission of private electronic information or electronic documents from, to, and in a computer or electronic system belonging to another person, excluding interception or wiretapping carried out within the scope of law enforcement at the request of the police, prosecutor’s office, or other institutions whose authority to do so is provided by law (Article 31 of the EIT Law), is subject to criminal sanction of imprisonment (up to 10 years) or a fine (up to Rp800 million).
- Intentional and unauthorized or unlawful alteration, addition, reduction, transmission, tampering with, deletion, movement, concealment of electronic information and/or electronic documents belonging to another person or the public (Article 32(1) of the EIT Law) is subject to criminal sanction of imprisonment (up to 8 years) or a fine (up to Rp2 billion). If this action results in confidential electronic information or electronic documents being compromised such that the data, whose integrity is already compromised, becomes accessible to the public (Article 32(3) of the EIT Law), the perpetrator is subject to criminal sanction of imprisonment (up to 10 years) or a fine (up to Rp5 billion).
- Intentional and unauthorized or unlawful movement or transfer of electronic information and/or electronic documents to the electronic system of unauthorized persons (Article 32(2) of the EIT Law) is subject to criminal sanction of imprisonment (up to 9 years) or a fine (up to Rp3 billion).
- Intentional and unauthorized or unlawful conduct in the crimes above that causes harm to another person (Article 36 of the EIT Law) is subject to criminal sanction of imprisonment (up to 12 years) or a fine (up to Rp12 billion).
In addition, a person whose rights are violated in relation to the use of personal data may file a claim for any damages or loss arising from the unauthorized use of personal data based on the EIT Law.
GR 71/2019 stipulates that an ESO’s failure to maintain the confidentiality and the rights of the personal data owner is subject to administrative sanction, which may be in the form of a written warning, administrative fines, temporary suspension, termination of access, or exclusion from the registry maintained by the MCIT.
Regulation 20/2016 stipulates that unauthorized or unlawful acquisition, collection, processing, analysis, storage, display, announcement, transfer, and/or dissemination of personal data is subject to administrative sanctions, which may be a verbal warning, a written warning, temporary suspension of activities, and/or an announcement on MCIT’s website that the ESO has not implemented proper personal data protection measures.
- Banking Law and Financial Services Sector
Based on Article 47 of the Banking Law, any member of the Board of Commissioners or Board of Directors, bank employee or other affiliated party who intentionally discloses information whose confidentiality must be maintained pursuant to Article 40 of the Banking Law will be sentenced to a maximum of two years’ imprisonment and/or a maximum fine of Rp200 million.
Further, Regulation 6/2022 stipulates that any violation of the provisions contained in Regulation 6/2022 will be imposed with administrative sanctions in the form of:
- written warning;
- fines (up to IDR 15 billion);
- restriction to act as a main party of a financial services provider;
- limitation of products, services, or business activities;
- suspension of products, services, or business activities;
- revocation of products or services license;
- revocation of business license.
As mentioned previously, Article 11 of Regulation 6/2022 stipulates that financial services providers are prohibited from providing third parties with data and/or information on their own customers, except for matters that are explicitly mentioned in the regulation. Thus, any violation of this provision will be subject to the foregoing administrative sanctions.
Regulation 23/2021 stipulates that BI is authorized to impose administrative sanctions to PJP in the form of: (i) warning; (ii) fines; (iii) temporary, partial, or entire suspension of activities including the implementation of cooperation; and/or (iv) revocation of license as a PJP.
- Telecommunications Law
Pursuant to Article 57 of the Telecommunications Law, any telecommunications service operator that breaches the requirement of keeping confidential information as set out in Article 42 of the Telecommunications Law will be sentenced to maximum imprisonment of two years and/or a maximum fine of Rp200 million.
Specifically, if a telecommunication service provider fails to keep confidential the customer data and has failed to store customer data for a minimum of 90 calendar days after the date of the customer subscription termination, violating the provisions of Article 20 of Regulation 13/2019, then the provider is subject to administrative sanction under Article 52 (1) of Regulation 13/2019, namely:
- written warning;
- fines; and/or
- revocation of telecommunication services provider license.
- Health Law
Article 82 (2) of the Medical Workers Law stipulates that any medical service facility that fails to comply with the provision of Article 70 (4) on the obligation to maintain the confidentiality of medical records of customers will be liable to administrative sanction in the form of (i) verbal warning, (ii) written warning, (iv) administrative fines, and/or (v) license revocation.
Note: “Medical service facility” is defined as equipment and/or a place that is utilized to provide a medical service, whether promotional, preventive, curative, or rehabilitative, offered by the Government, Regional Government, and/or society.
- Public Information Disclosure Law
Pursuant to Article 17 of the Public Information Disclosure Law, some information is exempt from the public information category, including confidential personal data. Any violation will be subject to two years imprisonment and/or a maximum fine of Rp10 million.
- E-Commerce Sector
Pursuant to Article 80 of GR 80/2019, an undertaking which violates its obligation to implement personal data protection requirements in carrying out its business activities is subject to administrative sanctions, in the form of:
- written warning;
- included in the list of priority supervision;
- blacklisted;
- temporary blocking of domestic and/or foreign e-commerce services by the relevant competent authority; and/or
- revocation of business license.
Ministry of Trade Regulation No. 50 of 2020 on Business Licensing, Advertising, Management, and Monitoring of E-Commerce Undertakings (“Regulation 50/2020”) stipulates that the contents of electronic marketing material are subject to the provisions under laws and regulations regarding broadcasting, protection of personal data and privacy, and consumer protection, and must not be contrary to the principle of business competition. Note that this regulation is only applicable to e-commerce undertakings.
Additionally, GR 71/2019 stipulates that the sender of electronic information must make sure that the transmitted electronic information is accurate and does not disturb the recipient. This provision is intended to protect the users of electronic systems from spam. However, a more detailed provision on this specific matter shall be regulated by a separate MCIT regulation. To this date, there is no specific MCIT regulation pertaining to this matter.
Note:
Article 9 of EIT Law provides that product marketing through an electronic system must provide complete and true information in relation to the contractual provisions, the producers, and the offered products.
Article 20 of EIT Law further provides that an electronic transaction is deemed to occur when the offer has been sent by the sender and accepted by the recipient. Such acceptance must be acknowledged through an electronic receipt.
Article 19 paragraph (2) of Regulation 50/2020 also provides that the content of an advertisement must meet the following requirements:
- does not mislead consumers regarding quality, quantity, material, use and price of goods and/or services as well as the speed of delivery for such goods and/or services;
- does not mislead warranty or guaranty of goods and/or services;
- does not contain information that is misleading, mistaken, or inaccurate regarding goods and/or services;
- contains information regarding the risk of use or consumption of goods and/or services;
- does not exploit any event and/or individual without the permission of the authorized party or the consent of the relevant parties; and
- includes exit function from the advertisement display that is shown with a close, skip, or exit button and placed in an obvious place where consumers can easily find it.
Article 19 paragraph (3) of Regulation 50/2020 adds that any advertisement which includes a review or testimony from a consumer who has used such goods and/or services before must include the identity of the consumer, ensure the accuracy of that identity, and be done in a responsible manner.
There are also some restrictions on how a product is offered and/or marketed pursuant to Article 9 of Law No. 8 of 1999 on Consumer Protection (“Consumer Protection Law”). The marketing of a product must not:
- be misleading, as if the product (i) has a specific quality, price, characteristics, history, or purpose, (ii) is in good condition, (iii) has obtained a specific sponsor, consent, equipment, benefit, working characteristics, or accessory, (iv) is manufactured by a sponsored company, (v) is available, (vi) does not have any hidden defects, (vii) is a part of certain products, or (viii) originated from a certain place;
- directly or indirectly discriminate against other products;
- use hyperbolic terminology; or
- offer unspecific promises.
OJK Circular Letter No. 12/SEOJK.07/2014 on Provision of Information for the Marketing of Financial Services Products and/or Services stipulates that financial services providers must provide and/or convey information regarding products and/or services accurately, completely, honestly, and not be misleading.
In the financial services sector, the OJK has also published Financial Services Advertisement Guidelines (3rd amendment in October 2020).
Apart from the general marketing and advertising requirements above, certain sectors also provide specific marketing and advertising requirements and restrictions, such as: (i) drugs, cosmetics, food, traditional drugs, health supplements; (ii) cigarettes, tobacco products; (iii) alcoholic beverages.
Currently, the government is in the process of issuing a law on personal data protection (“Privacy Bill”), which will set out more detailed provisions that will be applicable to various sectors. As a general background, we note that the Privacy Bill adopts several principles under the EU’s GDPR. The Privacy Bill also has an extra-territorial effect, in that the Privacy Bill would apply to every person and entity committing a legal action, either outside or within Indonesia, that has legal implications in Indonesia or against Indonesian data subjects that are domiciled offshore.
Based on the latest draft of the Privacy Bill, new principles on personal data protection are introduced, including data controller and data processor liabilities, the lawful basis for processing, and data minimization. There are several provisions that should be noted under the Privacy Bill, which are as follows:
- Personal data will be categorized into (i) General Personal Data; and (ii) Specific Personal Data:
- General personal data, comprising full name, gender, nationality, religion, and/or personal data which is combined to identify an individual; and
- Specific personal data, comprising health data and information, biometric data, genetic data, sexuality/orientation, political views, criminal record, child data, personal financial data; and/or other data in accordance with the laws and regulations.
- The Privacy Bill introduces the concept of the data controller and data processor, where:
- A data controller is defined as the party that determines the purpose of and controls personal data processing.
- A data processor is defined as the party that undertakes personal data processing on behalf of the data controller.
Similar to the provisions under the GDPR, the Privacy Bill determines the data controller as the party responsible for personal data processing activities.
- The Privacy Bill requires data controllers to provide certain required information to the data subject when obtaining consent.
- The Privacy Bill allows personal data processing to be carried out based on certain lawful bases, where consent is no longer required as the only lawful basis for processing personal data. This concept mirrors the GDPR’s approach on the lawful basis for data processing. This exemption for consent requirement will supersede the existing provisions under GR 71/2019, which requires ESOs to obtain consent from the personal data owner.
- Personal data processing can be ceased if the objectives of the processing have been achieved, and personal data can be deleted if it is no longer required to achieve the objectives of processing. Thus, a minimum data retention period would not be the sole basis for determining data retention practice.
However, to date, there is no further information as to when the Privacy Bill will be issued and promulgated as a law.