A new regulation on electronic systems and transactions exempts the private sector from the data localisation requirement. The Indonesian government enacted the long-awaited regulation1 in early October of this year, after dissatisfaction with the previous regulation2, particularly over the confusion surrounding the data localisation requirement.
Under the previous regulation, electronic systems operators that provide “public services” had to establish a local data centre. Although “public services” was not defined, the Ministry of Communications and Informatics interpreted the term broadly3, such that it essentially covered all services offered to the public over the Internet. Consequently, many private sector companies were subjected to the data localisation requirement. Businesses that operate largely online were the most affected, as they do not typically set up technological infrastructure in each jurisdiction where they offer their services or products. The requirement also had a negative impact on the government’s efforts to promote foreign investment.
New Data Localisation Requirement
The government relaxes the data localisation requirement by limiting its application to “public electronic systems operators” only and by defining the intended subjects as the following two entities:
Interestingly, public bodies in the banking and financial services sectors are exempted from the data localisation requirement. Further, public bodies, or operators appointed on their behalf, may still process and/or host their electronic systems and data overseas if a specific data storage technology they require is not available in Indonesia. However, it will be up to the Ministry and certain regulatory bodies, such as the National Cybersecurity Agency, to decide the ambit of this “specific technology”.
Meanwhile, private operators can now choose whether to process and/or host their electronic systems and data onshore or offshore. Regardless of the location, they must ensure that their electronic systems and data remain accessible to the authorities. This flexibility does not apply to private operators in the banking and financial services sectors, which are subject to sector-specific laws and regulations depending on the type of financial institution. For example, the Indonesian Financial Services Authority (Otoritas Jasa Keuangan) would allow a commercial bank to host certain data overseas subject to its approval, while insurance and reinsurance companies must keep their data within Indonesia.
Definition of Personal Data and the “Right to be Forgotten”
The new regulation also introduces relatively robust rules on the processing of personal data. We understand that these rules will apply only temporarily, as the government is currently working its way through the legislative process of preparing full-fledged personal data protection rules under the Personal Data Protection Bill.
One of the most important provisions on personal data under the new regulation is the definition of “personal data” as data that can be used to identify an individual, either alone or in combination with other data. This is meaningful because it marks the first time that Indonesia has aligned its definition of personal data with the global standard.
The new regulation also elaborates the right of a data subject to request the removal of any data pertaining to them that is “no longer relevant”, popularly known as “the right to be forgotten”. There are two forms of the right to be forgotten, namely the right to erasure and the right to delisting. The latter can only be requested on the basis of a court order.
Lawful Basis to Process Personal Data
Under the previous regulation, the collection, transfer or other use of personal data had to be based on the consent of the relevant data subject. Without such consent, the personal data collected was deemed to have been unlawfully collected or used.
Recognising that global personal data protection practice has shifted, moving the burden from the data subject to the users (i.e. the controllers or processors of personal data), the government has introduced other lawful bases that can be relied on in collecting or processing personal data, for example contractual obligation, legal obligation, vital interest and legitimate interest.
This is a significant development that is in line with standard market practice. For example, under the European Union’s General Data Protection Regulation (GDPR), which we believe was used as the lawmakers’ primary benchmark in drafting the new regulation, a user only needs to show at least one lawful basis for collecting or processing personal data. Unfortunately, the new regulation appears to misinterpret this and instead imposes a heavier burden by requiring that at least one of the newly introduced lawful bases be satisfied in addition to the consent of the data subject.
In addition to the usual administrative penalties, the authorities are now permitted to disconnect access (pemutusan akses), which may include access blocking (e.g. IP blocking), shutting down an account (e.g. taking down a social media account) and/or taking down content (e.g. removing a social media post). Civil and criminal proceedings may likewise be brought against the perpetrator.
The new regulation, like other regulations enacted recently, seems to have been introduced with the aim of promoting foreign investment. The clarifications it provides are certainly foreign investment-friendly, especially the relaxation of the data localisation requirement.
On the other hand, there are still issues that need to be resolved, such as the application of the new lawful bases, which we hope will be addressed in the approximately 20 implementing regulations mandated by the new regulation.
Ahmad Fikri Assegaf
Zacky Zainal Husein
Muhammad Iqsan Sirie