Data Protection & Privacy – Indonesia

Lexology Getting the Deal Through – Data Protection & Privacy: Indonesia provides local insight into the legislative framework; relevant authorities; treatment of breaches; legitimate processing; data handling responsibilities of PII owners; security obligations; internal controls, including the data protection officer; registration formalities transfer and disclosure of PII; rights of individuals; judicial supervision; specific data processing use cases such as cookies, electronic communications marketing, and cloud services; and recent trends.

Legislative Framework for Protection of Personal Information in Indonesia

The main legislation in Indonesia concerning the protection of personal information (PI) is Law No. 27 of 2022 regarding Personal Data Protection (PDP Law). The PDP Law recognises standard international concepts, including PI, personal data controller, personal data processor, specific personal data, personal data protection officers and automatic processing.

Other than the PDP Law, there are provisions regarding the protection of PI that are spread across various laws and regulations, namely:

• Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended by Law No. 19 of 2016 (the Electronic Information Law);
• Government Regulation No. 71 of 2019 regarding the Provision of Electronic Systems and Transactions (GR 71/2019);
• Minister of Communication and Informatics (MOCI) Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (MOCI Regulation 20/2016); and
• MOCI Regulation No. 5 of 2020 regarding Private Electronic System Providers, as amended by Law No. 10 of 2021 (MOCI Regulation 5/2020).

The above laws and regulations (including the PDP Law) are hereinafter collectively referred to as the PDP Regulations.

In addition to the PDP Regulations, the protection of personal data is included in several sector-specific laws and regulations, though most of these laws and regulations only address data protection briefly. These are:

• Law No. 36 of 2009 regarding Health, as most recently amended by Government Regulation in Lieu of Law No. 2 of 2022 regarding Job Creation, which stipulates that, in principle, every person is entitled to the confidentiality of their personal health information that has been provided to or collected by healthcare providers (the Health Law);
• Bank Indonesia Regulation No. 22/20/PBI/2020 regarding Bank Indonesia Consumer Protection;
• Financial Services Authority (OJK) Regulation No. 6/POJK.07/2022 of 2022 regarding Consumer and Community Protection in the Financial Services Sector (OJK Regulation 6/2022). OJK Regulation 6/2022 prohibits financial service providers from disclosing customer data or information to third parties without written consent from the customer or unless they are required to make such disclosure by law. Where a financial service provider obtains the data or PI of a person or a group of persons from a third party, it is required to obtain written confirmation from the third party that the person or group of persons has agreed to the disclosure;
• Financial Services Authority (OJK) Regulation No. 1/POJK07/2013 regarding Financial Consumer Protection, as amended by OJK Regulation No. 18/POJK07/2018 regarding Consumer Complaint Services in the Financial Services Sector (OJK Regulation 1/2013);
• Financial Services Authority (OJK) Circular Letter No. 14/SEOJK07/2014 of 2014 regarding Confidentiality and Security of the Personal Data or Information of Consumers, which provides that personal data consisting of name, address, date of birth date or age, phone number and the subject’s biological mother’s name, can only be shared with a third party with the consent of the personal data owner or as obligated by laws and regulations; and
• Law No. 36 of 1999 regarding Telecommunications, as amended by Government Regulation in Lieu of Law No. 2 of 2022 regarding Job Creation, which prohibits the tapping of information transmitted through telecommunications networks. Telecommunications service operators must maintain the confidentiality of any information transmitted or received by a telecommunications subscriber through a telecommunications network or telecommunications service provided by the respective operator.

Excerpted from Lexology Getting the Deal Through – Data Protection & Privacy, published by Law Business Research.

Find Lexology Getting the Deal Through – Data Protection & Privacy: Indonesia here.

This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.