DENNY RAHMANSYAH AND AGUNG KURNIAWAN SIHOMBING
After almost a decade of discussion, Indonesia finally passed its personal data protection law in September 2022. Law No. 27 of 2022 dated 17 October 2022, regarding Personal Data Protection (PDP Law) becomes Indonesia’s umbrella regulation for personal data protection, both in electronic and non-electronic form. The PDP Law also applies extraterritorially to any personal data processing that has an impact in Indonesia and/or affects Indonesian citizens outside of Indonesia’s jurisdiction.
Consisting of 16 chapters and 76 articles, the PDP Law regulates the main principles of personal data protection, the rights of personal data subjects, and the obligations of Personal Data Controllers (Data Controller) and Personal Data Processors (Data Processor). It also regulates sanctions (administrative and criminal) for violations of the law.
Despite being a comprehensive regulation, most of the provisions of the PDP Law require implementing regulations to be fully implemented. The PDP Law provides a two-year transitional period, beginning 17 October 2022, for Data Controllers, Data Processors, and other parties involved in data processing activities to adjust their data processing practices to the requirements under the PDP Law.
One of the provisions in the new law that lacks clarity concerns cross-border data transfers, an issue of great importance in the digital age. Noting the lack of clarity in the PDP Law, this article will provide a brief overview of the current practice applicable under MOCI Reg. 20/2016 and offer a comparison with the General Data Protection Regulation (GDPR) of the European Union (EU), which was referred to heavily during the drafting of the PDP Law.
Personal Data Under The PDP Law
Article 1(1) of the PDP Law defines “personal data” as data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system. Personal data is further divided into specific and general personal data.
Specific personal data is personal data which, in its processing, may create a bigger impact on the data subject, such as discriminatory acts and other greater losses to the data subject. Specific personal data includes (i) data and information regarding health; (ii) biometric data; (iii) genetic data; (iv) criminal records; (v) children’s data; (vi) personal financial data; and/or (vii) other data in accordance with the relevant laws and regulations.
General personal data includes (i) full name; (ii) gender; (iii) nationality; (iv) religion; (v) marital status; and/or (vi) personal data combined to identify a person.
The PDP Law has yet to provide specific guidance on how one should treat specific personal data differently from general personal data.
Cross-border Data Transfer Under MOCI Reg. 20/2016
Before the PDP Law, MOCI Reg. 20/2016 was the main regulation used as a reference for the protection of personal data in Indonesia. In terms of cross-border data transfers, the requirement for such transfers under MOCI Reg. 20/2016 is the data subject’s consent and coordination with the MOCI.
Article 22 of MOCI Reg. 20/2016 requires companies that operate an electronic system (Electronic System Provider or ESP) to coordinate with the MOCI before and after a cross-border data transfer.
Such coordination is accomplished by completing a designated form with information including the name of the ESP and the recipient of the transferred data; the personal data being transferred; the purpose of the transfer; and the transfer destination. This form is then submitted to the MOCI through a specific MOCI email address.
Prior to the PDP Law, the terms “Data Controller” and “Data Processor” were not explicitly recognised by the relevant regulations. Nonetheless, under the unwritten policy of the MOCI, the party that should comply with the coordination requirement is the Indonesian ESP that acts as a Data Controller.
If personal data transfer is conducted on a regular basis, e.g. multiple transfers hourly, daily, weekly, etc., the MOCI notification may be provided once, at the beginning, assuming that the notification indicates that the transfer shall be conducted on the appropriate routine basis. Then going forward, a report recording all such cross-border transfers should be provided to the MOCI on an annual basis for the preceding 12-month period.
In practice, however, the coordination requirement with the MOCI is rarely implemented because it relies heavily on the ESP’s awareness of the requirement and its willingness to comply.
Cross-border Data Transfer Under The PDP Law
Under the PDP Law, “Data Controller” is defined as any person, public entity, or international organisation acting individually or jointly in determining the objectives and exercising control over the processing of personal data. “Data Processor” is defined as any person, public entity, or international organisation acting individually or jointly to process personal data on behalf of the Data Controller.
The PDP Law defines “transfer” as the displacement, delivery, and/or duplication of personal data both electronically and non-electronically from the Data Controller to another party.
Article 56 of the PDP Law allows Data Controllers to transfer personal data to other Data Controllers and/or Data Processors outside the jurisdiction of the Republic of Indonesia. In conducting a cross-border personal data transfer, the Data Controller is obligated to ensure any of the following:
- the jurisdiction where the recipient is located must have an equivalent or higher data protection standard than the PDP Law;
- there is adequate and binding personal data protection; or
- the valid consent of the data subject for the transfer has been obtained.
A Data Processor is also allowed to transfer personal data to another Data Processor (onward transfer), provided that such transfer is approved by the Data Controller. If the Data Controller fails to fulfill one of the above obligations under Article 56 of the PDP Law, it may be subject to administrative sanctions, including a written warning, temporary suspension of personal data processing activities, deletion or destruction of personal data, and/or administrative fines.
Further provisions on these requirements are expected to be regulated in an implementing regulation, i.e. a Government Regulation. Until such implementing regulation is enacted, there are unanswered questions on the fulfillment of the obligations under Article 56 of the PDP Law and the procedure to demonstrate such compliance.
Comparison With The GDPR
The requirements for cross-border data transfer under the PDP Law are similar to the requirements under the GDPR. Under the GDPR, cross-border data transfer may be allowed if the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection based on the adequacy decision; the data exporter puts in place appropriate safeguards; or a derogation or exemption applies.
The EU Commissioner provides a list of countries that are considered to have adequate protection, which means that data transfers to these countries will not require any specific authorisation. If the recipient country is not included in the list, EU member states must ensure that the recipient country has in place appropriate safeguards, which are also subject to authorisation by each state’s Data Protection Authority (DPA). This includes the existence of binding agreements between public authorities. In the absence of the first two bases, i.e. an adequacy decision and appropriate safeguards, certain derogations, including the consent of the data subject, may be used as the basis for conducting the cross-border data transfer.
It remains to be seen whether the PDP Law will adopt a similar approach to the GDPR. Absent implementing regulations, it seems that cross-border data transfers from Indonesia can only be conducted on the basis of the consent of the data subject.
Closing Remarks
With the rapid development of technology, the PDP Law is necessary to protect personal data. It not only helps ensure the rights of data subjects over their personal data, but it may also increase the confidence of offshore business actors in doing business with Indonesian companies due to an improved framework for personal data protection.
However, the PDP Law requires further implementing regulations and guidance to be implemented fully and provide the intended level of protection. This is especially true with the requirements for conducting cross-border data transfers.
Until the necessary implementing regulations are in place and the DPA is established, the current practice for cross-border data transfers will remain in force, subject to the coordination requirement with the MOCI as regulated under MOCI Reg. 20/2016, the enforcement of which lacks supervisory power.
Denny Rahmansyah, Partner
Denny is an extensively experienced lawyer who joined SSEK in 2001. He has been involved in major projects and transactions in various sectors, including TMT (fintech/e-commerce, cryptocurrency, data protection/privacy).
Agung Kurniawan Sihombing, Associate
Agung works on corporate transactions, privacy matters, and projects and transactions in the e-commerce, payment systems, financial services, environment, employment, and immigration sectors.
This article was published in the April 2023 issue of the IHC Magazine.