“While there has not been any codified national law on data protection in Indonesia, the implementation of data protection has been regulated by provisions distributed throughout existing regulations.”
In general, the words “data” and “information” are defined separately. “Data” is defined as raw facts or elementary description, whereas “information” is defined as a collection of facts (data) which are organized in some manner so that they are meaningful to a recipient. However, in practice, the two words are often used interchangeably, especially in the area of data protection laws.
General Concept of the Personal Data
Through the definitions of “data” and “information”, the concept of “personal data” and “personal information” has started to develop. In Indonesia, the definition of “personal data” is stipulated by Regulation of the Ministry of Communication and Informatics No. 20 of 2016 (“MCI No.20/2016”), which is “certain types of personal data that have their validity preserved, maintained, and safeguarded, as well as their confidentiality protected.” Further, the phrase “certain types of personal data” is defined as “any valid and factual information that is inherent and identifiable, either directly or indirectly, on each individual and that their utilization should conform with the provision of laws and regulations”. Therefore, it can be concluded that personal data refers to any information which identifies a certain individual which should be used according to the prevailing laws and regulation.
In implementing appropriate protection of personal data, regards must first be given to the general principles of privacy. The Black’s Law Dictionary defines privacy as the right to be left alone, or the right of a person to be free from the unwarranted public. Similarly, within the Law No. 19 of 2016 concerning Electronic Information and Transactions (“ITE Law”), privacy rights are defined as follow:
- Privacy rights are the rights to enjoy a private life and be free from all kinds of distractions.
- Privacy rights are the rights to be able to communicate with other persons without being spied on.
- Privacy rights are the rights to supervise information access regarding someone’s personal life and data.
Distribution of Provisions Concerning Data Protection in Prevailing Laws
Besides the ITE Law briefly touches upon the subject of personal data and privacy, it also mentioned in the several prevailing laws and regulation as following:
- Law No. 10 of 1998 concerning Banking;
- Law No. 39 of 1999 concerning Human Rights;
- Law No. 36 of 2009 concerning Health;
- Law No. 21 of 2011 concerning the Financial Services Authority;
- Law No. 19 of 2019 concerning Corruption Eradication Commission; and
- Government Regulation No. 71 of 2019 concerning the Operation of Electronic System and Transaction.
Within the subsequent degrees of legal products, matters related to data protection have been mentioned in the MCI No.20/2016 that delineates the principles of good personal data protection, which can be summarized in the following points:
- Personal data are confidential in nature, with due regard towards the privacy of the personal data owners;
- Collection and retention of the personal data must be based upon approval or consent of the personal data owners;
- Personal data collected and retained must be relevant with the purpose for which the personal data were collected, which must have been informed to the personal data owners;
- The integrity, accuracy, and validity of the personal data must be maintained by constant updates, which constitutes a responsibility of the user/controller of the personal data;
- Personal data must be used and processed with an adequate electronic system, as well as in accordance with the internal regulation for management of personal data;
- Personal data must be available to be accessed and modified by the personal data owners;
- Personal data owners must be entitled to the right to be forgotten, which is erasure of the personal data upon request of the personal data owners;
- In the event of a failure of personal data protection, the responsible party must immediately notify the personal data owners related thereto.
The principles mentioned above are mandatory to be regarded within the whole procedure related to personal data, which are:
- processing and analyzing;
- display, announcement, delivery, dissemination, and/or opening of access; and
Sanctions Against Prohibited Actions Concerning MCI No.20/2016
Within the ITE Law, it is stipulated that any person is prohibited from intentionally and illegally or unlawfully changes, adds, reduces, transmits, damages, omits, moves, and/or hides any electronic information that belongs to another person, which results in disclosure of confidential electronic information. Although it is not specified that this provision applies to personal data, it can be construed that any action that results in disclosure of confidential electronic information is punishable by law. Any person liable for this type of conduct shall be subject to imprisonment for a maximum of ten years and/or a maximum fine of IDR 5 billion.
Within the MCI No.20/2016, the prohibited actions are stated to include acquiring, collecting, processing, analyzing, storing, displaying, announcing, delivering, and/or disseminating personal data unlawfully or against any prevailing laws and regulations. The sanctions to be imposed onto this type of conduct is in the form of administrative sanctions, namely:
- verbal notice;
- written notice;
- temporary suspension of activities; and/or
- online announcement through websites.
Author: Yohana Veronica Tanjung
Gaffar & Co., Indonesian Boutique Law Firm which specializing and focus on commercial law areas include Information & Technology.
For further queries and information, please contact us: