How-to understand legal framework of data protection, security in Indonesia

Ownership of personal data is very important in the digital age. Each individual is required to submit personal data when using online services, buying products online, registering an email account, making doctor’s appointments, paying taxes, signing contracts, etc. The practice of intervention in privacy and interference with Personal Data is certainly one of the big problems that arise. Personal data is often collected without the knowledge of individuals and companies or institutions that do not interact directly with the person. Their data can then be used without allowing the owners to hold those parties accountable and for processes that have not been explicitly approved by the data owners. According to the data, the Amazon company itself has been fined €746 million for data protection violations while companies like WhatsApp itself have been fined €225 million. Therefore, it is important for business actors, especially in the fintech sector, to know the rules regarding data protection and what must be regulated to protect consumer and company data.

Governing laws and regulation 

• Law No. 39/1999 concerning Human Rights
• Law No. 19/2016 concerning Amendments to Law No. 11/2008 concerning Information and Electronic Transactions
• Law No. 36/1999 concerning Telecommunications
• Law No. 36/2009 concerning Health
• Government Regulation (PP) No. 71/2019 concerning Electronic Systems and Transactions
• Minister of Communication and Information Technology Regulation (Permenkominfo) No. 20/2016 concerning Protection of Personal Data in Electronic Systems
• Financial Services Authority (OJK) Regulation No. 76/POJK.07/2016 concerning Improving Financial Literacy and Inclusion in the Financial Services Sector for Consumers and/or the Community
• Bank Indonesia Regulation (PBI) No. 18/40/PBI/2016 concerning the Implementation of Payment Transactions Processing

Overview

Personal Data in Indonesia regulation is defined as certain Personal Data containing every correct and factual information attached and identifiable either directly or indirectly to the respective individual which utilization shall be in accordance with the laws and regulation, which are stored, maintained, and also the truth and the confidentiality thereof secured and protected.

PP No. 71/2019 categorized Electronic System Operators (ESO) into public and private. Public Electronic System Operators consist of state institutions or other institutions appointed by a state institution that operate an Electronic System (ES) for their own needs and/or others’ needs. Meanwhile Private Electronic System Operators are persons, business entities or communities that operate an ES  for their own needs and/or others’ needs.

Electronic Information is one or a set of electronic data, including but not limited to text, sounds, images, maps, drafts, photographs, electronic data interchange (EDI), electronic mails, telegrams, telex, telecopy or the like, letters, signs, figures, Access Codes, symbols or perforations that have been processed for meaning or understandable to persons qualified to understand them.

Personal Data Consent

Personal Data Protection in ES is carried out in the process of acquisition and collection, processing and analysis, storage, repair and update, appearances, announcements, transfer, dissemination, or disclosure, and opening access and extermination.

The processing of Personal Data must comply with the provisions of a valid consent from the owner of the Personal Data for 1 (one) or several specific purposes that have been submitted to the owner of the Personal Data. A valid consent means a consent that is conveyed explicitly, may not be hidden or based on oversight, negligence, or coercion.

Data Protection Provisions in several fields 

In the health sector, Law No. 36/2009 concerning Health stipulates in principle that everyone has the right to the confidentiality of his personal health information that has been provided or collected by health service providers. In the financial sector, financial service providers are prohibited by Article 31 of OJK Regulation No. 7/2013 to disclose customer data and/or information to third parties, unless they receive written approval from the customer or are required by a legal authority. If the Financial Services Provider obtains personal data and/or information of a person and/or group of people from a third party, then there must be written confirmation from the third party that the person or group has agreed to the disclosure. In addition, the protection of consumer personal data and/or information related to payment transaction processes carried out by payment system service providers is regulated in Article 25 of PBI No. 18/40/PBI/2016 concerning the Implementation of Payment Transactions Processing. In the telecommunications sector, Article 40 of Law No. 36/1999 prohibits the “tapping” of information transmitted through telecommunications networks. Telecommunications services operators must keep any information transmitted, and/or received, by a telecommunications service subscriber, through a telecommunications network and/or telecommunications services provided by the relevant operator, confidential. 

ESO Obligation

Each ESO must be responsible reliably and safely for the operation of the ES as it should be unless the ESO can prove the occurrence of force majeure, the fault, or the omission is on the Electronic System Users.

Every ESO is required to meet the minimum requirements to operate the ES as follow:

• ES can redisplay the whole Electronic Information and Electronic Document according to the retention period as stipulated in laws and regulation
• ES can protect the availability, integrity, authenticity, confidentiality, and accessibility of the Electronic Information in the operation of ES.
• ES can operate based on the procedure and the instruction on its operation.
• ES is equipped with the procedure and the instruction explained in language,information, or symbol that can be understood by the parties concerned 
• ES has a continuous mechanism  to keep the procedure or the instruction up to date, clear, and accountable.

ESO is required to provide, and educate, train personnel in charge of and responsible for the security and protection of ES facilities and infrastructure. ESO must have internal rules related to the protection of Personal Data in accordance with the provisions of laws and regulations.

ESO also has to provide an audit track record of all its ES operations. ESO must provide options to the personal data owner regarding the Personal Data that he manages can or cannot be used and displayed by or to third parties upon approval as long as it is still related to the purpose of obtaining and collecting Personal Data. To optimize the management of the Personal Data, ESO must provide a contact person.  

For the financial sector, the relevant authorities governing this sector may regulate separate provisions on data management.

Failure of protection

Every ESO should notify in writing to the personal data owner if there is a failure to protect the confidentiality of the Personal Data in the ES it manages. The notification must be accompanied by the reasons or causes for the failure of the confidential protection of the Personal Data. It can be done electronically if the personal data owner has given the Consent for that which was stated at the time of the acquisition and collection of his Personal Data. It must be ensured that it has been received by the personal data owner if the failure contains a potential loss for the person concerned. Then the written notification must be sent to the personal data owner no later than 14 (fourteen) days after the failure is known.

Data removal

Every ESO is required to delete irrelevant Electronic Information or Electronic Documents under its control at the request of the person concerned. It must be done by the deletion (right to erasure) or the removal from the search engine listings (right to delisting). 

Right to erasure can be used for the Personal Data that:

• obtained and processed without the consent of the owner 
• the consent has been withdrawn by the owner 
• obtained and processed in an unlawful manner
• is no longer in accordance with the purpose of acquisition based on the agreement and/or the provisions of the legislation
• its use has exceeded the time in accordance with the agreement and/or the provisions of the legislation
• displayed by the ESO which results in a loss to the owner.

Right to delisting can be done based on the court decision. The request is made by the owner of Personal Data  to the local district court.

To make it obvious, each ESO must provide a mechanism for removal of irrelevant Electronic Information and/or Electronic Documents including at least communication channels between the ESO and the personal data owner, removal features, and data collection on the removal request.

Personal Data Owner’s Rights

The Owner of Personal Data has the right to:

• Confidentiality of Personal Data;
• File a complaint to the Minister of Communication and Information in the settlement of a failure of the Personal Data protection by the ESO;
• Get access or opportunity to change or update their Personal Data without disturbing the Personal Data system, unless stipulated by the provisions of laws and regulations;
• Gain access or opportunity to obtain the history of Personal Data that has been submitted to the ESO as long as it is still in accordance with the provisions of the laws and regulations; and 
• Request the destruction of their certain individual data in the ES managed by the ESO, unless stipulated by the provisions of the laws and regulations.

Electronic transactions

PP No. 71/2019 regulates that the implementation of electronic transactions is required to use electronic certificates issued by the Indonesian Electronic Certification Operators. In the electronic system, personal data protection must comply with the principle that personal data is confidential in accordance with the approval. Approval in this case means a personal data owner’s approval or statement that is written either manually or electronically given by the personal data owner after receiving a complete explanation regarding the actions of collection, analysis, storage, display, announcement, delivery and dissemination as well as confidentiality or non-disclosure. 

In the electronic system, the electronic transactions can only be carried out based on electronic contracts or other contractual forms as the form agreed upon by the parties. Electronic contracts made with standard clauses must comply with the provisions of the standard clause as stipulated in the laws and regulations.

In offering products in electronic systems, business actors must provide complete and correct information relating to contract terms, manufacturers, and products offered. Business Actors are required to provide clear information on contract offers or advertisements. It is also required to give consumers or contract recipients a time limit to return the delivered goods or services provided if they are not in accordance with the contract or there are defects. Business Actors are required to submit information regarding the goods that have been sent or the services provided. Business actors cannot burden consumers regarding the obligation to pay for the goods sent or services provided without a contract basis.

Dispute

Every personal data owner and Electronic System Operator may file a complaint to the MCI for the failure of personal data protection. Complaints can be filed for the following reasons:

• ESO is not giving the written notification of the failure of personal data protection to the personal data owner or other ESO, whether or not it has the potential to cause harm; or
• There has been a loss for the personal data owner or other ESO related to the failure of personal data protection, even though a written notification has been made but the notification time is too late.

The complaint must be done no longer than 30 (thirty) working days since the complainant notices the condition as mentioned above. The complaint is delivered in a written form and must be accompanied by supporting evidence. The response from the officer/dispute resolution team whether the complaint is complete or incomplete must be received within 14 (fourteen) days since the complaint was accepted. If the complaint is incomplete the complainant has 30 (thirty) days to settle it. 

The complaint settlement must be done within 14 (fourteen) days through deliberation or other alternative dispute solutions. The officer/dispute resolution team may provide recommendations to MCI for the imposition of administrative sanctions on ESO. If the dispute has not been resolved through deliberation or other alternative dispute settlement, each personal data owner and ESO may file a civil lawsuit for the failure of Personal Data protection.