logo-ahplogo-ahplogo-ahplogo-ahp
  • Home
  • Firm
    • About Us
    • Careers
  • Solutions
      • Banking & Finance
      • Capital Markets
      • Competition Law
      • Debt & Corporate Restructuring
      • Dispute Resolution
      • Energy, Oil & Gas
      • Foreign Direct Investment
      • Fraud & Forensics Investigation
      • Intellectual Property
      • Islamic Finance
      • Labor Law
      • Mergers & Acquisitions
      • Projects & Natural Resources
      • Real Estate & Property
      • Shipping & Aviation
      • Tax & Customs Services
      • Telecommunications & Media
  • Members
  • News & Events
    • News & Insights
  • Rajah Tann Asia
✕
            No results See all results

            Government Relaxes Data Localisation Requirement

            A new regulation on electronic systems and transaction exempts the private sector from the data localisation requirement. The Indonesian government enacted the long-awaited regulation1 in early October of this year, after dissatisfaction with the previous regulation2, particularly on the confusion surrounding the data localisation requirement.

            Under the previous regulation, electronic systems operators that provide “public services” must establish a local data centre. Although “public services” was not defined, the Ministry of Communications and Informatics defined the term broadly3, such that it would essentially cover all services offered to the public over the Internet. Consequently, many private sector companies were subjected to the data localisation requirement. Businesses that largely operate online were greatly affected as they do not typically set up a technological infrastructure in each jurisdiction where they offer their services or products. Further, it also had a negative impact on the government’s effort in promoting foreign investment.

            New Data Localisation Requirement

            The government relaxes the data localisation requirement by limiting its application to “public electronic systems operators” only and by defining the intended subjects into the following two entities:

            1. public bodies, i.e. central and regional executive, legislative, judicative bodies and any other bodies established pursuant to a statutory mandate; and
            2. entities appointed by public bodies to operate electronic systems on their behalf.

            Interestingly, public bodies in the banking and financial services sectors are exempted from the data localisation requirement. Further, public bodies or operators appointed on their behalf can still process and/or host their electronic systems and data overseas if a specific data storage technology required by them is not available in Indonesia. But, it will be up to the Ministry and certain regulatory bodies such as the National Cybersecurity Agency to decide the ambit of this “specific technology”.

            Meanwhile, private operators can now choose whether to process and/or host their electronic systems and data onshore or offshore. Regardless of the location, they must ensure that their electronic systems and data are accessible to the authority. This flexibility does not apply to private operators in the banking and financial services sectors, as they are subject to sector-specific laws and regulations, depending on the type of financial institution. For example, the Indonesian Financial Services Authority (Otoritas Jasa Keuangan) would allow a commercial bank to host certain data overseas upon its approval, while insurance and reinsurance companies must keep their data within Indonesia.

            Definition of Personal Data and the “Right to be Forgotten”

            The new regulation also introduces a relatively robust rules on the processing of personal data. We understand that these rules will only apply temporarily as the government is currently working its way through the legislative process of preparing a full-fledged personal data protection rules under the Personal Data Protection Bill.

            One of the most important provisions on personal data under the new regulation is the definition of “personal data” as data that can be used to identify an individual (alone or collectively with other data). It is meaningful because this marks the first time that Indonesia aligns the definition of personal data with the global standard.

            The new regulation also elaborates the right of a subject to request the removal of any data pertaining to it that are “no longer relevant” – which is popularly known as “the right to be forgotten”. There are two types of the right to be forgotten, which is the right to erasure and the right to delisting. The latter can only be requested based on a court’s order.

            Lawful Basis to Process Personal Data

            In the previous regulation, collection, transfer or other types of utilisation of personal data must be based on the consent of the relevant data subject. Without such consent, the personal data collected is deemed to have been unlawfully collected or used.

            Recognising that the global personal data protection practice has shifted, by moving the burden from the data subject to the users (i.e. the controllers or processors of personal data), the government introduces other lawful bases that can be relied in collecting or processing personal data, for example, contractual obligation, legal obligation, vital interest and legitimate interest.

            This is a significant development that is in line with standard market practice, for example, under the European Union’s General Data Protection Regulation (GDPR), which we believe was used as the lawmakers’ primary benchmark in drafting the new regulation, a user only needs to show at least one lawful basis for collecting or processing personal data. Unfortunately, the new regulation seems to misinterpret it and instead places more burden by requiring that at least one of the newly introduced lawful bases must be satisfied over and above the consent of the data subject.

            Sanctions

            In addition to the usual administrative penalties, the authority is now permitted to disconnect access (pemutusan akses), which may include access blocking (e.g. IP blocking), shut down an account (e.g. taking down a social media account) and/or take down the content (e.g. taking down a social media post). Likewise, civil and criminal lawsuit may apply against the perpetrator.

            Conclusion

            The new regulation, as with other regulations enacted recently, seems to have been introduced for the purpose of pushing foreign investment. Clarifications provided are certainly foreign investment-friendly, especially the relaxing of the data localisation requirement.

            On the other hand, there are still issues that need to be resolved, such as the application of the new lawful bases, which we hope would be addressed in the approximately 20 implementing regulations mandated in the new regulation.

            1. Government Regulation No. 71 of 2019 on Electronic Systems and Transactions.
            2. Government Regulation No. 82 of 2012 on Electronic Systems and Transactions.
            3. This is defined under Ministry of Communications and Informatics Regulation No. 36 of 2014 on Electronic Systems Operator – Registration Procedure

            Contacts

            Ahmad Fikri Assegaf
            Co-Founder & Senior Partner

            D (62) 21 2555 7880
            F (62) 21 2555 7899
            ahmad.assegaf@ahp.id

            Zacky Zainal Husein
            Partner

            D (62) 21 2555 9956
            F (62) 21 2555 7899
            zacky.husein@ahp.id

            Muhammad Iqsan Sirie
            Senior Associate

            D (62) 21 2555 7805
            F (62) 21 2555 7899
            iqsan.sirie@ahp.id

            More Articles

            • Managing Greenwashing Risk: A Southeast Asian Lens
              May 31, 2023
            • Resolving Construction Disputes through Dispute Adjudication Boards under Indonesian Law
              May 31, 2023
            • BUMN Omnibus Regulations Highlights Special Assignment and Environmental Social Responsibility Programs
              May 25, 2023
            • Regional Competition Bites Q1 2023
              May 24, 2023
            • How KPPU’S New Guidelines Use Data and Quantitative Approach to Enforce Antitrust Measures
              May 17, 2023
            • Assegaf Hamzah & Partners Takes Top Honours at Three Prestigious Legal Awards
              May 15, 2023
            • Constitutional Court Rulings Illuminate Certain Provisions of the PDP Law
              May 4, 2023
            • New KPPU Case Handling Procedure May Allow Dismissal of Anti-Competition Investigation Based on Change of Behaviour
              April 17, 2023
            • New Regulations Relax Criteria for Foreign-To-Foreign Merger and Charge Filing Fees for Merger Notification
              April 12, 2023
            • OJK Sets New Cyber Security Best Practices for the Banking Industry
              April 6, 2023
            By Practice Area
            • Projects & Energy
            • Technology Media & Telecommunications
            • Intellectual Property
            • Real Property
            • Banking & Finance
            • Capital Markets
            • Competition
            • Mergers & Acquisitions
            • Dispute Resolution
            • Tax and Customs

            Jakarta Office

            Capital Place, Level 36 & 37
            Jalan Jenderal Gatot Subroto Kav. 18
            Jakarta 12710,
            Indonesia

            Phone: +62 21 2555 7800
            Fax: +62 21 2555 7899
            Email: info@ahp.id


            Subcribe

            Surabaya Office

            Pakuwon Center, Superblok Tunjungan City
            Lantai 11, Unit 08
            Jalan Embong Malang No. 1, 3, 5,
            Surabaya 60261
            Indonesia

            Phone: +62 31 5116 4550
            Fax: +62 31 5116 4560
            Assegaf Hamzah & Partners


            © 2001 - 2023 Assegaf Hamzah & Partners. All rights reserved.

            Rajah & Tann Asia is a network of legal practices based in Asia.

            Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

            This website is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this website.