A good understanding of data privacy frameworks is crucial in Asia. While the laws in the region share similar elements, gaps remain, as privacy compliance culture is relatively new and jurisdictions vary in their approaches. Here, experts spell out how the Philippines, Thailand and Indonesia have built their legal frameworks governing personal data.
The development of information technology and increased user engagement in digital media have raised people’s awareness of their entitlement to a fundamental human right: personal privacy. Personal data protection has become urgent, given the vast use and exploitation of personal data, which places a growing premium on privacy.
In Indonesia, personal data protection regulations are scattered, and can be found in the Law on Electronic Information and Transactions (EIT Law), health and medical records regulations, and demographic administrative law. Currently, the EIT Law and its implementing regulations have become the main reference for personal data protection in electronic systems, applicable across sectors. However, there is now an urgent need for a consistent regulatory and legal umbrella to address the matter.
The Indonesian government is addressing the growing importance of personal data protection in the digital age by drafting a bill (the PDP Bill), which is currently being finalised. The PDP Bill has been designed to become the overarching privacy law in Indonesia. Modelled on the EU’s General Data Protection Regulation (GDPR), the PDP Bill makes significant and much-needed changes to data privacy protection, and will bring Indonesia more in line with the standards currently applied by other countries, especially under the GDPR. The significant changes introduced by the PDP Bill are outlined below.
Classification of personal data
The EIT Law, Government Regulation No. 71 of 2019 on the Provision of Electronic Systems and Transactions (GR 71), and the Minister of Communications and Information Technology (MCIT) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (MR 20/2016) do not definitively describe personal data. It is broadly defined as “any data related to a person, whether identified or capable of being identified using that data, or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means.”
In the upcoming PDP Bill, personal data is classified into general personal data, which includes name, gender, nationality, religion, and other data that, in combination, identify an individual; and specific personal data, which includes health, biometric, genetic, political views, criminal record, personal financial data, sexual orientation, child data, and other data designated as such under laws and regulations.
However, despite this classification, the PDP Bill does not set different requirements for processing general personal data and specific personal data. Thus, the implementing regulations of the PDP Bill and the sectoral regulations that follow may need to set out detailed provisions on this matter.
Data controller v data processor
Currently, Indonesian law and regulations do not differentiate between a data controller and processor. Consequently, parties that handle personal data are exposed to the same liability and obligations, regardless of their actual role in the data processing.
This issue is addressed in the PDP Bill, which separates the data controller and processor roles, as in the GDPR. The PDP Bill defines a data controller as a party that determines the purpose and controls personal data processing, while a data processor is defined as one that processes personal data on behalf of a data controller.
The PDP Bill further distinguishes liability: liability for personal data processing is borne by the data controller rather than the data processor. However, a data processor would be liable for processing that deviates from an instruction, order, or purpose pre-determined by the data controller, since in that case the processor’s role would be tantamount to that of a data controller.
Lawful basis for processing
Pursuant to GR 71, express consent is mandatory from anyone whose personal data is processed. Current Indonesian law and regulations do not recognise any other basis for processing, except for law enforcement matters. This requirement is considered burdensome by businesses, as they must obtain express consent from data subjects even where consent might reasonably be regarded as already implied, or where it is not feasible to obtain.
The PDP Bill adopts principles akin to those of the GDPR, under which consent is only one of several lawful bases for processing personal data. The PDP Bill introduces the following grounds for processing personal data without consent, similar to the GDPR provisions:
(1) For the performance of a contract to which the data subject is a party, or in order to fulfil a request of the data subject prior to entering into the contract;
(2) To comply with an obligation that is imposed on a data controller by law;
(3) To fulfil the vital interests of the data subject;
(4) For the exercise of authority vested in the data controller by law;
(5) For the fulfilment of a public service obligation to which the data controller is subject in the public interest; and/or
(6) For the pursuit of a legitimate interest of the data controller or the data subject.
These exceptions to the mandatory consent requirement under the PDP Bill contradict the provisions of GR 71. However, as the PDP law will occupy a higher position in the regulatory hierarchy than GR 71, its provisions are likely to supersede those of GR 71, including those on the lawful basis for personal data processing.
Cross-border data transfer
Pursuant to MR 20/2016, cross-border transfer of personal data is not restricted, as long as the data subject has consented to the transfer and the transfer is co-ordinated with the MCIT or other relevant authorities. Under the current MCIT policy, this mandatory co-ordination is carried out through the submission of an annual report.
The PDP Bill introduces new requirements on controller-to-controller, cross-border personal data transfer, which will be subject to the following conditions:
(1) The partner country has a personal data protection level that is equal to or higher than the provisions in the PDP Bill;
(2) An international agreement exists between the countries;
(3) A contract between data controllers that covers personal data protection matters; and/or
(4) Consent from the data subject.
However, the above provisions do not apply to controller-to-processor, cross-border personal data transfer.
Data breach notification
Upon the occurrence of a data breach, GR 71 and MR 20/2016 require electronic system operators to report the breach to the MCIT and law enforcement agencies at the first opportunity, and to notify the data subject within 14 days of discovering the breach.
The PDP Bill also specifies detailed reporting obligations, which apply to both electronic and conventional (non-electronic) personal data processing. Under the PDP Bill, a data controller must notify the data subject and the MCIT in writing, within 72 hours, of a failure to protect personal data. The notification must detail:
(i) the compromised data;
(ii) when and how the data was compromised; and
(iii) management and recovery efforts.
Data protection officer
The PDP Bill also introduces an obligation to appoint a data protection officer for data controllers and processors that meet the following criteria:
(1) The data processing is for the purpose of providing public services;
(2) The data controller’s main activity requires large-scale, regular, and systematic monitoring of personal data; and/or
(3) The data controller’s core activity involves large-scale processing of specific personal data and/or personal data related to criminal activity.
Data protection officers must be appointed on the basis of professional qualifications, legal knowledge, and practical experience in data privacy. However, the PDP Bill does not stipulate specific mandatory qualifications, skills, or educational background. Generally, their role is to protect and ensure the security of personal data processed by a data controller or processor.
Although the PDP Bill is on the priority list for legislation, it is unclear when it will be enacted and promulgated as law. Its finalisation may be delayed, as the government is still focused on handling the coronavirus pandemic in Indonesia.
The bill is highly anticipated by businesses in Indonesia, as comprehensive and consistent personal data regulation is a crucial aspect of their activities. As business has become fundamentally more cross-border in nature, the PDP Bill is viewed as more compatible with international standards, which is an unavoidable requirement of doing business in this era of ever-increasing, globalised digitisation.
Ali Budiardjo Nugroho Reksodiputro Counsellors at Law (ABNR)
Graha CIMB Niaga, 24/F
Jl. Jend. Sudirman, Kav. 58
Jakarta – 12190, Indonesia
Tel: +62 21 250 5125/5136