This comparative guide was prepared in collaboration with Clyde & Co.

A. Definition and Scope of Data Privacy and Cybersecurity

Data Privacy

1. Is there any specific definition of "personal data" in your jurisdiction? Do the prevailing laws provide distinction between personal data and sensitive personal data?

Personal data is defined as "certain individual data that is stored, maintained, kept accurate, and whose confidentiality is protected" (Art. 1 (1) of Minister of Communications and Informatics ("MoCI") Regulation No. 20 of 2016 on Personal Data Protection within Electronic Systems ("MoCI Regulation 20/2016")).

However, the applicable laws and regulations on personal data protection in Indonesia do not define "sensitive personal data" and are silent on the concept altogether.

Therefore, there is no clear distinction between "personal data" and "sensitive personal data".

2. What is the scope of "personal data" pursuant to the relevant laws and regulations in your jurisdiction?

Indonesian prevailing laws do not set out a specific scope of personal data; the only relevant provision is the definition in MoCI Regulation 20/2016 outlined above.

The concept of data privacy is instead treated as part of the right to privacy, which, pursuant to Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 ("EIT Law"), comprises:

  1. the right to enjoy a private life and be free from all kinds of disturbances;
  2. the right to communicate with other persons (without being spied on);
  3. the right to supervise the access to information on his/her personal life and data (Elucidation of Art. 26 (1) of EIT Law).

In addition to the above, the Personal Data Protection Bill ("PDP Bill") sets out a more specific scope of personal data:

  1. General personal data, consisting of a person's full name, gender, citizenship, religion, and/or personal data combined to identify a person;
  2. Specific personal data, consisting of, among other things, information on a person's health, biometric data, political views, etc. (Art. 3 (1), (2), and (3) of the PDP Bill).

However, the PDP Bill had not been enacted as of the publication of this comparative guide.

3. Who are the relevant stakeholders (i.e., data processor, controller, etc.) under the data protection regime in your jurisdiction?

Stakeholders of data protection under the Indonesian prevailing laws are: (i) the personal data user; and (ii) the Electronic System Operator ("ESO"), each of which has different obligations. Please note that the current prevailing laws and regulations on personal data protection do not define the roles of data processor and data controller; they refer only to the party collecting and processing personal data and the relevant data subject. The PDP Bill, however, provides specific definitions of data processor and data controller.

With regard to ESOs, Art. 2 of Government Regulation ("GR") No. 71 of 2019 on the Administration of Electronic Systems and Transactions ("GR 71/2019") stipulates two categories of ESO, namely (i) public ESOs and (ii) private ESOs.

Public ESOs include state administrative agencies and other agencies established by virtue of laws and/or appointed by the relevant agencies. Private ESOs, meanwhile, include individuals, business entities, and members of the public that operate portals, websites, or online applications on the internet and that are regulated or supervised by the Minister of Communications and Informatics and/or by other institutions under the relevant regulations.

Cybersecurity

4. Is there any specific definition of "cybersecurity" in your jurisdiction? Do the prevailing laws provide distinction between "data protection" and "cybersecurity"?

Cybersecurity in Indonesia is governed by the EIT Law and GR 71/2019, but neither defines the term "cybersecurity" itself. A cybersecurity bill was once proposed, but it was rejected in 2019 and never enacted.

Under the EIT Law and GR 71/2019, the cybersecurity provisions focus on cyber incidents and cybercrime, including prohibitions on hacking, denial of service, phishing, and identity theft.

5. What are the subjects of cybersecurity? Does cybersecurity apply to certain industries and types of information?

The government has established an institution that oversees cybersecurity and encryption, namely the National Cyber and Crypto Agency / Badan Siber dan Sandi Negara ("BSSN"), whose functions include, but are not limited to, identification, detection, protection, and monitoring of the implementation of technical policies on cybersecurity in e-commerce protection, cyber-attacks, and/or cyber incidents in Indonesia.

In addition to the above, the government stipulates protection for certain strategic information in the following sectors: (i) Government Administration; (ii) Energy and Mineral Resources; (iii) Transportation; (iv) Finance; (v) Health; (vi) Information and Communication Technology; (vii) Food; (viii) Defense; and (ix) other sectors as determined by the President.

B. Governing Authority of Data Privacy and Cybersecurity

Data Privacy

6. Is there any specific government agency that oversees data privacy legislation in your jurisdiction? Please define what powers and authorities such agency has in the data privacy enforcement?

Indonesia has no specific government agency or independent body overseeing data privacy legislation, since neither the data privacy bill nor the cybersecurity bill has been passed. Considering the data privacy provisions within the scope of the EIT Law and MoCI Regulation 20/2016, the enforcement of data privacy is supervised by (i) MoCI and several sector-specific authorities; (ii) BSSN; and (iii) an agency under BSSN, i.e., the Indonesia Security Incident Response Team on Internet Infrastructure / Coordination Center (Id-SIRTII).

MoCI, the main supervisory body, may be supported by the Indonesian police in enforcing data privacy protection. Sector-specific authorities also supervise data protection alongside MoCI, e.g., Bank Indonesia (the central bank) for the banking sector and the Ministry of Health for the health sector.

BSSN's duties, functions, and authority are not limited to data privacy enforcement; they cover a broader scope, overseeing matters under the EIT Law generally, including cybersecurity. BSSN carries out the government's duties in the field of cyber and crypto security, focusing on cyber resilience and on defence against possible attacks by criminal organisations at the national level and by actors pursuing private interests.

Furthermore, the duties and functions of Id-SIRTII mainly focus on supporting the growth of the internet in Indonesia through awareness campaigns on securing information technology systems, monitoring potential security incidents, supporting law enforcement, and providing the relevant technical support in the interest of the general public.

7. Can the data protection authority in your jurisdiction cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

MoCI Regulation 20/2016 stipulates that MoCI may coordinate with the sectoral supervisory and regulatory bodies to (i) address complaints by data subjects regarding breaches of personal data protection committed by ESOs; and (ii) impose administrative sanctions for such breaches. MoCI further delegates the authority for supervision and dispute settlement to the Directorate General of Informatics Applications / Direktorat Jenderal Aplikasi Informatika ("Ditjen Aptika").

In this regard, MoCI and BSSN may work with other relevant authorities, for instance the Indonesian police and the intelligence agencies (i.e., the State Intelligence Agency / Badan Intelijen Negara (BIN) and the Strategic Intelligence Agency / Badan Intelijen Strategis (BAIS)).

Cybersecurity

8. Is there any specific government agency that oversees cybersecurity legislation in your jurisdiction? Please define what powers and authorities such agency has in the cybersecurity enforcement?

Cybersecurity in Indonesia is supervised by MoCI, BSSN, and Id-SIRTII.

9. How does the cybersecurity authority cooperate with Data Protection Office ("DPO")? Does your jurisdiction provide certain guidelines for this matter?

Indonesia has yet to establish a specific, independent office in charge of data protection. However, MoCI Regulation 20/2016 requires ESOs to appoint a person in charge who can be contacted by the relevant personal data owners regarding the management of their personal data.

Although appointing a DPO is not a requirement under the current regulations, please note that Art. 45 of the PDP Bill would oblige a data controller or processor to appoint a DPO where it: (i) processes data in order to provide public services; (ii) carries out, as its core activity, large-scale, regular, and systematic monitoring of personal data; or (iii) carries out, as its core activity, large-scale processing of specific personal data and/or processing of personal data relating to criminal activity.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.