The fundamental basis for privacy and data protection in Indonesia can be found in Article 28(G) of the 1945 Constitution of the Republic of Indonesia, which provides that every person has the right to:
- protection of themselves, their families, respect, dignity and possessions under their control; and
- security and protection from threat of fear for doing, or not doing, something that constitutes a human right.
To date, there is no specific law in Indonesia that regulates protection of private and family life. The most relevant regulation for the protection of privacy is related to personal data protection.
Provisions on the protection of personal data can be found in Law No 11 of 2008 regarding Electronic Information and Transactions, as amended by Law No 19 of 2016 (the "Electronic Information Law"). The procedural guidelines for the Electronic Information Law are contained in Government Regulation No 82 of 2012 regarding the Implementation of Electronic Systems and Transactions ("Government Regulation 82"). However, neither of these regulations provides a comprehensive set of provisions for the protection of personal data; they set out only the general idea of personal data protection, without specific guidelines.
On December 1, 2016, the Ministry of Communication and Informatics (MOCI) issued a regulation specifically for the protection of personal data that is contained in an electronic system, namely MOCI Regulation No 20 of 2016 regarding the Protection of Personal Data in Electronic Systems ("MOCI Regulation 20"). MOCI Regulation 20 is an implementing regulation for the Electronic Information Law and Government Regulation 82. The Electronic Information Law, Government Regulation 82 and MOCI Regulation 20 are jointly referred to here as the PDP Regulations.
The application of the PDP Regulations appears to be rather broad. This can be seen from the definition of Electronic System Providers (ESP) under the PDP Regulations, which covers every person, state administrator, business entity and community providing, managing, and/or operating an electronic system, either individually or jointly, for electronic system users, for their personal purpose and/or another party's purpose. The term 'electronic system' is defined as a set of electronic devices and procedures that function to prepare, collect, process, analyze, retain, display, publish, transmit and/or disseminate electronic information. The MOCI has interpreted this to mean that any person or entity that stores data electronically is considered an ESP using an electronic system that should be subject to the PDP Regulations.
The key regulator for data protection in Indonesia is the MOCI. Officials at the ministry supervise the implementation of the PDP Regulations, particularly MOCI Regulation 20.
To implement its supervisory role, the relevant official at the MOCI is authorized to request any data and information from an ESP to ensure its compliance with data protection rules. This may be done periodically or at any time considered necessary.
In the event of a dispute, the MOCI may delegate its authority to settle the dispute to its Director General of Informatics Application, who will form a data privacy dispute settlement panel. This panel may provide a recommendation to the MOCI to impose administrative sanctions against the relevant ESP, although the dispute can also be settled amicably or by any other alternative dispute resolution process between the ESP and the owner of the data.
As for cybersecurity, the Indonesian Police has formed a cybercrime unit dedicated to investigating online crimes.
This is an excerpt from the Indonesia chapter of the Data Protection & Cybersecurity 2019 guide published by Chambers & Partners.