Cybersecurity in Indonesia

    By Emir Nurmansyah, Ammalia Putri and Desi Rutvikasari, ABNR Law

    Data protection and cybersecurity are evolving areas of regulation in Asia. Here, experts shed light on emerging jurisprudence in the region’s top jurisdictions


    Indonesia has the fastest-growing digital-based economy in Southeast Asia. This growth is expected to continue, as the government has been promoting the development of digital business and encouraging small and medium-sized enterprises (SMEs) to participate in the utilization of the internet and technology, embracing the era of “Industry 4.0”.

    Emir Nurmansyah
    Partner at ABNR Law in Jakarta
    Tel: +62 21 250 5125

    Information technology has played a significant role in the Indonesian economy, and the rapid growth of the digital industry has increased the necessity for more advanced and comprehensive cybersecurity and data protection rules.

    In light of the rapid growth of digital technology, Indonesia has introduced a law that specifically regulates electronic information and transactions since 2008: Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 (EIT Law). This law establishes fundamental rules for the operation and involvement of electronic information and systems within a variety of contexts, including cybersecurity and personal data protection.

    Nevertheless, Indonesian e-commerce platforms are not free from breaches of their internal databases, resulting in massive data leaks of compromised user data (usernames, e-mail addresses, phone numbers and encrypted passwords). These incidents have exposed the vulnerability of security in electronic systems, while Indonesia has increasingly turned to e-commerce as a significant support system for its economy. Therefore, the government policies and regulations have also tried to adapt with these technological developments and challenges.


    The EIT Law and its implementing regulations, such as Government Regulation No. 71 of 2019 on the Provisions for Electronic Systems and Transactions, cover the general provisions on cybersecurity, which are expected to promote and accommodate reliance on electronic systems while maintaining the principle of technology neutrality. The EIT Law requires electronic system operators (ESOs) to provide systems in a reliable and secure manner, and to take responsibility for their proper operation. Under regulation No. 71, the security aspects cover the protection of electronic systems both physically and non-physically, including the security of hardware and software. Further, this regulation requires ESOs to maintain and implement security procedures, facilities and systems to prevent and mitigate security threats and attacks.

    Ammalia Putri
    Partner at ABNR Law in Jakarta
    Tel: +62 21 250 5125

    Pursuant to the Minister of Communications and Informatics (MOCI) Regulation No. 4 of 2016 on Information Security Management Systems (regulation No. 4), the compliance requirement for information security management standards depends on the risk category of the electronic systems concerned. This regulation classifies the risk categories as: (1) strategic; (2) high; and (3) low.

    Electronic systems categorized as strategic and high are required to implement ISO/IEC 27001 standards on information security, while electronic systems categorized as low must implement guidelines for an Information Security Index.

    However, regulation No. 4 is expected to be updated in the future, as it still refers to a categorization of ESOs made in a predecessor of regulation No. 71: Government Regulation No. 82 of 2012 on the Provision of Electronic Systems and Transactions, which was revoked by regulation No. 71.

    This determination of technical requirements for information security management, including the applicable Information Security Index, was initially assigned to the MOCI. However, the role has now been assigned to the Cyber and Crypto National Agency (Badan Siber dan Sandi Negara, or BSSN). It is anticipated that the BSSN will establish technical regulations on the requirements and compliance for information security in the future.

    In addition to the BSSN, another institution that is authorized to handle cybersecurity matters is the Indonesia Security Incident Response Team at the Internet Infrastructure/Co-ordination Centre (ID-SIRTII), which was established by the MOCI in 2007. ID-SIRTII’s authority is focused on raising awareness on IT security, advanced monitoring, advanced detection, and advanced warning of threats in telecoms networks, especially the internet.

    On criminal aspects, article 46 of the EIT Law stipulates that an action considered a breach of cybersecurity is punishable by imprisonment of up to eight years and/or a fine of up to IDR800 million (US$53,000).

    Data protection

    Data and privacy protection are recognized under article 28G of the Indonesian Constitution as basic human rights. The article states that every person shall have the right to protection of his/herself, family, honour, dignity and property. To date, however, Indonesia has not issued a dedicated law on data and privacy protection, so the rules are still scattered across several sectoral laws and regulations.

    However, the EIT Law, regulation No. 71, and regulation No. 20 are currently considered an umbrella for the management of personal data, and are applicable to the operation of electronic systems in any field of business.

    These regulations emphasize the importance of obtaining consent for the use of information through electronic media that involve personal data, unless provided otherwise by the relevant laws and regulations.

    Desi Rutvikasari
    Senior Associate at ABNR Law in Jakarta
    Tel: +62 21 250 5125

    The concept under the EIT Law that “protection of personal data is part of an individual’s privacy rights”, establishes the overarching principle of regulation No. 20, which emphasizes the need to obtain a data subject’s consent for the handling or management of personal data, and verification of personal data being handled as well as protection of a data subject’s rights over their personal data.

    Regulation No. 20 requires ESOs to obtain a data subject’s consent for all stages of personal data handling, including the collection, processing, storage, dissemination, and deletion of personal data.

    As per regulation No. 71, the government’s attempt to apply personal data protection rules that are based on more common standards indicates the heavy influence of the EU’s General Data Protection Regulation (GDPR), as can be seen from our analysis of the following:

    • Article 14(1) of regulation No. 71 refers to the general principles of personal data protection (broadly similar to article 5 of the GDPR);

    • Requirements for lawful personal data processing: under article 6 of the GDPR, a data subject’s consent to one or several purposes, or compliance with one of the other conditions listed there, forms the basis for the lawfulness of processing. Regulation No. 71, however, takes a different approach: instead of providing exemptions from the consent requirement, it keeps consent as a mandatory requirement.

    • Use of the term “personal data controller” (pengendali data pribadi) is taken directly from the GDPR. The only place this term appears in regulation No. 71 is article 14, and the term is not elaborated on. Further, unlike the GDPR, regulation No. 71 does not specifically differentiate between the terms “personal data controller” and “personal data processor”.

    • A general “right to be forgotten” was first established by the EIT Law, which requires an ESO to delete electronic information and/or an electronic document within its control that is no longer relevant, either based on a court order or at the request of the data subject, depending on whether the specific right being exercised is the Right to Delisting or the Right to Erasure.

    The government is preparing a bill on personal data protection which, in the authors’ view and based on the latest draft, seems to take GDPR principles further. This can be viewed as an opportunity to increase the compatibility of Indonesian regulations with industry-wide standards. For example, the bill introduces a differentiation between personal data controller and personal data processor, and requires a shorter timeframe for notification of a breach (three days, compared with the 14 days stipulated in regulation No. 20). However, there is no indication of when the bill will be enacted as law.

    Closer focus

    Taking into account recent cyberattacks on several digital platform companies, it is clear that data abuse is hugely attractive to criminals; cybercrime is inevitably a growing trend. Without prejudice to a series of preventive actions, the government and the private sector are expected to focus their attention more sharply on issues that relate to cybersecurity and data protection, as data is now considered an important asset of a company. It is therefore very much the case that awareness of the need to combat cybercrime and establish effective and efficient personal data protection will be critical areas of focus for both the government and the nation’s corporate sector.

    Graha CIMB Niaga 24/F
    Jl Jenderal Sudirman Kav 58
    Jakarta 12190 Indonesia
    Tel: +62 21 250 5125