Data Protection in Indonesia
How is data privacy handled in different sectors in Indonesia and what are the main regulations companies should be aware of?
By Richard D. Emmerson and Indrawan Dwi Yuriutomo
Tuesday, May 16, 2017
There is no comprehensive data protection law in Indonesia. Indonesian legal scholars often refer to Article 28(g) of the 1945 Constitution as the (rather vague) basis for more specific data privacy legislation.
Article 28(g) of the 1945 Constitution states:
Each person shall have the right to protection of their personal selves, families, respect, dignity and possessions under their control and shall have the right to security and protection from threat of fear for doing or for not doing something which constitutes a human right.
There are, however, various laws that relate to data privacy in a number of specific areas.
Data privacy of employees
The employment laws of Indonesia do not specifically deal with employee data privacy. In practice, employers in Indonesia regulate the data privacy of their employees by way of unilateral employee consents, employment agreements, company regulations and collective labor agreements. Such agreements permit the collection, retention, disclosure and use of the employee’s personal data or other confidential information. Such agreements and consents are justified by the freedom of contract principle under the Indonesian Civil Code.
Data privacy in electronic transactions law
The growth of the internet and advances in technology led to the enactment of the Electronic Information and Transactions Law (Law No. 11 of 2008), as amended by Law No. 19 of 2016 (the EIT Law). The EIT Law prohibits the use of any information that has been acquired through electronic media and which contains personal data related to an individual, without the consent of such person. The EIT Law further provides that anyone who intends, without valid rights, to change, add, reduce, transmit, destroy, eliminate, transfer or hide electronic information and/or electronic documents owned by another person or owned by the public shall be prohibited from doing so.
The recent amendment of the EIT Law provides that every electronic system provider (ESP) shall be obligated to remove irrelevant electronic information and/or electronic documents based on the request of the data owner via a court decision. Every ESP shall also be obligated to provide a mechanism to remove such irrelevant electronic information and/or electronic documents. Please note that the procedures for the removal of electronic information and/or electronic documents via court order shall be further regulated in a separate government regulation.
The recently enacted Minister of Communication and Informatics (MOCI) Regulation No. 20 of 2016 regarding Protection of Personal Data in Electronic Systems (Reg. 20/2016) defines personal data in relation to the EIT Law and the scope of protection given to personal data. Owners of personal data are entitled to the privacy of their personal data. Reg. 20/2016 gives the owners of personal data the right to submit complaints over the failure of electronic system providers to protect their personal data to the MOCI through its Director General of Informatics Application. Personal data owners may also access and make changes to their personal data, and request that electronic system providers destroy their personal data.
Data privacy in financial services
Article 31 of Financial Services Authority (OJK) Regulation No. 1/POJK.07/2013 regarding Financial Consumer Protection (POJK 1/2013) stipulates that a financial services provider is prohibited from disclosing customer data and/or information to third parties in any manner whatsoever, except with the written consent of the customer or as required by lawful authority. In the event a financial services provider receives the personal data and/or information of a person and/or a group of persons from a third party, it must have written confirmation from such third party that the person or group has consented to the disclosure.
In addition, Article 25 of Bank Indonesia Regulation Number 18/40/PBI/2016 regarding the Provision of Payment Transaction Processing protects the personal data and/or information of consumers in relation to the payment transaction process conducted by payment system service providers.
Data privacy in health law
The privacy and protection of the data of Indonesian citizens is also provided for under Article 57 of Law No. 36 of 2009 regarding Health, which establishes that everyone is entitled to the confidentiality of their personal health information that has been provided to, or collected by, health care providers.
Data privacy under criminal procedures
While civil rights are respected, there is an exception to data privacy in the area of criminal law. Article 47 of Law No. 8 of 1981 regarding Criminal Procedures authorizes an investigator (police) to open personal mail delivered through the post office or through telecommunication channels with a special permit from the head of the national court.
We note that an investigator is required to keep the contents of mail and other lawfully intercepted communications confidential except where they are used as evidence in criminal proceedings.
Data privacy in human rights law
With reference to Indonesia’s commitment to ensuring data privacy, the Indonesian Human Rights Law (Law No. 39 of 1999) broadly provides that each individual has the right to privacy. Article 32 of the Human Rights Law provides that freedom and secrecy of communications by letter or any electronic media may not be disturbed or interrupted except upon the instruction of a judge or other lawful authority.