Indonesia e-Commerce – Data Breach and Cybersecurity

Legal Updates
Indonesia e-Commerce – Data Breach and Cybersecurity
18 December 2019

By Fahrul S Yusuf

Indonesian Ministry of Communication and Information (MOCI) Regulation No. 20 of 2016 on the Protection of Private Data in Electronic Systems (Data Privacy Regulation) provides that in case of a failure to keep personal data confidential, the relevant electronic system provider shall notify the owner of the personal data within a maximum of 14 days as of the date such failure becomes known to the provider.

Avoiding Data Breaches and Ensuring Cybersecurity

In terms of Indonesian regulation, there are no specific requirements or guidelines that electronic system providers must follow to avoid data breaches and ensure cybersecurity. If an electronic system provider wants to help ensure cybersecurity, it can retain the services of competent professionals. In Indonesia, information security consulting services are listed in the Indonesia Standard Industrial Classification (Klasifikasi Baku Lapangan Usaha Indonesia, or KBLI), which classifies the different business activities and fields in Indonesia.

Right to Be Forgotten

Indonesia recognized the \"right to be forgotten” in 2016 through the issuance of an amendment to Electronic Information and Transactions Law. Only the relevant user can submit an application to erase electronic information or document, and the application to shall be addressed to the relevant competent court.

Electronic system providers must provide a mechanism to erase electronic information or documents, and they shall erase the concerned electronic information or documents upon receiving a court order.

Email Marketing

Indonesia does not have any specific rules on email. The definition of \"electronic information” provided in the Electronic Information and Transactions Law includes \"email”.

Consumer Rights

The individuals who own the personal data have the right to report the failure to process their personal data. The right to file a report is intended to allow negotiations between the parties to reach an amicable agreement. The Data Privacy Regulation is silent on whether \"owner of personal data” includes foreign citizens.

Reproduced with permission of Law Business Research Ltd. This article was first published in Lexology Getting the Deal Through - e-Commerce 2020 (Published: August 2019). For further information, please visit

This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user\'s own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.

For More Information, Please Contact
Back to Indonesia Law Blog
Related Articles