Data Protection and Cybersecurity in Indonesia: Enforcement and Litigation
By Denny Rahmansyah and Farah Nabila
The Electronic Information Law, Government Regulation 82 regarding the Implementation of Electronic Systems and Transactions, and Ministry of Communication and Informatics (MOCI) Regulation 20 regarding the Protection of Personal Data in Electronic Systems (jointly referred to as the PDP Regulations) do not provide much detail on the standards that must be established by regulators in Indonesia to allege violations of privacy or data protection laws.
In the absence of specific standards, in order to allege violations of privacy or data protection laws, a regulator is bound by the standards under the applicable criminal laws in Indonesia. Indonesian criminal law requires a regulator to put forward a minimum of two pieces of evidence in order to establish an allegation of any criminal violation. Under the Electronic Information Law, any electronic document would constitute lawful evidence.
The Electronic Information Law provides for criminal penalties including:
- fines of IDR600 million to IDR800 million and/or four to eight years imprisonment for unlawful access;
- fines of IDR800 million to IDR1 billion and/or six to ten years imprisonment for interception/wiretapping of transmission;
- fines of IDR2 billion to IDR5 billion and/or eight to ten years imprisonment for the alteration, addition, reduction, transmission, tampering, deletion, moving or hiding of electronic information and/or electronic records; and
- fines of IDR10 billion to IDR12 billion and/or ten to 12 years imprisonment for the manipulation, creation, alteration, destruction or damage of electronic information and/or electronic documents with the purpose of creating an assumption that such electronic information and/or documents are authentic, and other violations related to the processing of electronic information and/or documents.
Government Regulation 82 provides administrative sanctions - that do not abrogate any civil and criminal liability - in the form of written warnings, administrative fines, temporary dismissal of part of the components or services in the related electronic system for a certain period, and exclusion from the list of registrations of Electronic System Providers (as required under the regulation).
For any party processing personal data without lawful authority or at odds with the laws and regulations, MOCI Regulation 20 provides administrative sanctions in the form of verbal warnings, written warnings, temporary dismissal of activities and an announcement on MOCI's website stating that the party has not complied with data protection regulations.
The cybercrime unit of the Indonesian Police has become quite aggressive in investigating cybercrimes pertaining to malicious comments, defamation of character and hoaxes, particularly those that interfere with the national interest. One of the most recent high-profile enforcement cases relating to cybercrime involved a former lecturer at a private university in Jakarta, who was convicted of violating Article 32 of the Electronic Information Law for editing an electronic document so that the altered document was publicly accessible.
In 2013, a 19-year-old man was sentenced to six months in prison and fined after he was found guilty of hacking the official website of a former president of Indonesia. Another hacker was sentenced to 15 months in prison after he was found guilty of hacking the official website of the Indonesian Press Council.
The Electronic Information Law allows any violation of the PDP Regulations to be resolved privately through a civil suit, in accordance with the applicable laws and regulations. Generally, a civil suit can be filed based on one of two grounds - namely, a breach of contract or an unlawful act. Specifically, for unlawful acts, the plaintiff must prove that the defendant has committed an unlawful act contrary to the laws and regulations, causing a loss to the plaintiff. There must also be a causal link between the unlawful act and the losses suffered by the plaintiff.
There are no express provisions for class actions over data protection and/or cybersecurity violations, as are available under the Indonesian Environmental Law and Consumer Protection Law. It is unknown if there has ever been an attempt to file a class action suit for violations of data protection and cybersecurity.
This first appeared in the 2019 Chambers Data Protection and Cyber Security Guide, published by Chambers and Partners.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user's own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.