Cross-Border Data Transfer in Indonesia 2023

DENNY RAHMANSYAH AND AGUNG KURNIAWAN SIHOMBING

After almost a decade of discussion, Indonesia finally passed its personal data protection law in September 2022. Law No. 27 of 2022, dated 17 October 2022, regarding Personal Data Protection (PDP Law) has become Indonesia’s umbrella regulation for personal data protection, both in electronic and non-electronic form. The PDP Law also applies extraterritorially to any personal data processing that has an impact in Indonesia and/or affects Indonesian citizens outside of Indonesia’s jurisdiction.

Consisting of 16 chapters and 76 articles, the PDP Law regulates the main principles of personal data protection, the rights of personal data subjects, and the obligations of Personal Data Controllers (Data Controller) and Personal Data Processors (Data Processor). It also regulates sanctions (administrative and criminal) for violations of the law.

Despite being a comprehensive regulation, most of the provisions of the PDP Law require implementing regulations to be fully implemented. The PDP Law provides a two-year transitional period, beginning 17 October 2022, for Data Controllers, Data Processors, and other parties involved in data processing activities to adjust their data processing practices to the requirements under the PDP Law.

One of the provisions in the new law that lacks clarity concerns cross-border data transfers, an issue of great importance in the digital age. Noting the lack of clarity in the PDP Law, this article will provide a brief overview of the current practice applicable under MOCI Reg. 20/2016 and offer a comparison with the General Data Protection Regulation (GDPR) of the European Union (EU), which was referred to heavily during the drafting of the PDP Law.

Personal Data Under The PDP Law

Article 1(1) of the PDP Law defines “personal data” as data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system. Personal data is further divided into specific and general personal data.

Specific personal data is personal data which, in its processing, may create a bigger impact on the data subject, such as discriminatory acts and other greater losses to the data subject. Specific personal data includes (i) data and information regarding health; (ii) biometric data; (iii) genetic data; (iv) criminal records; (v) children’s data; (vi) personal financial data; and/or (vii) other data in accordance with the relevant laws and regulations.

General personal data includes (i) full name; (ii) gender; (iii) nationality; (iv) religion; (v) marital status; and/or (vi) personal data combined to identify a person.

The PDP Law has yet to provide specific guidance on how one should treat specific personal data differently from general personal data.

Cross-border Data Transfer Under MOCI Reg. 20/2016

Before the PDP Law, MOCI Reg. 20/2016 was the main regulation used as a reference for the protection of personal data in Indonesia. In terms of cross-border data transfers, the requirement for such transfers under MOCI Reg. 20/2016 is the data subject’s consent and coordination with the MOCI.

Article 22 of MOCI Reg. 20/2016 requires companies that operate an electronic system (Electronic System Provider or ESP) to coordinate with the MOCI before and after a cross-border data transfer.

Such coordination is accomplished by completing a designated form with information including the name of the ESP and the recipient of the transferred data; the personal data being transferred; the purpose of the transfer; and the transfer destination. This form is then submitted to the MOCI through a specific MOCI email address.

Prior to the PDP Law, the terms “Data Controller” and “Data Processor” were not explicitly recognised by the relevant regulations. Nonetheless, under the unwritten policy of the MOCI, the party that should comply with the coordination requirement is the Indonesian ESP that acts as a Data Controller.

If personal data transfer is conducted on a regular basis, e.g. multiple transfers hourly, daily, weekly, etc., the MOCI notification may be provided once, at the beginning, assuming that the notification indicates that the transfer shall be conducted on the appropriate routine basis. Then going forward, a report recording all such cross-border transfers should be provided to the MOCI on an annual basis for the preceding 12-month period.

In addition to the above requirements, there may be additional obligations related to cross-border data transfers under sectoral regulations, e.g. financial sector regulations.

In practice, however, the coordination requirement with the MOCI is rarely implemented because it relies heavily on the ESP’s awareness of the requirement and its willingness to comply.

Cross-border Data Transfer Under The PDP Law

Under the PDP Law, “Data Controller” is defined as any person, public entity, or international organisation acting individually or jointly in determining the objectives and exercising control over the processing of personal data. “Data Processor” is defined as any person, public entity, or international organisation acting individually or jointly to process personal data on behalf of the Data Controller.

The PDP Law defines “transfer” as the displacement, delivery, and/or duplication of personal data both electronically and non-electronically from the Data Controller to another party.

Article 56 of the PDP Law allows Data Controllers to transfer personal data to other Data Controllers and/or Data Processors outside the jurisdiction of the Republic of Indonesia. In conducting a cross-border personal data transfer, the Data Controller is obligated to ensure any of the following:

  1. the jurisdiction where the recipient is located must have an equivalent or higher data protection standard than the PDP Law;
  2. there is adequate and binding personal data protection; or
  3. the valid consent of the data subject for the transfer has been obtained.

A Data Processor is also allowed to transfer personal data to another Data Processor (onward transfer), provided that such transfer is approved by the Data Controller. If the Data Controller fails to fulfill one of the above obligations under Article 56 of the PDP Law, it may be subject to administrative sanctions, including written warning, temporary suspension of personal data processing activities, deletion or destruction of personal data, and/or administrative fines.

Further provisions on these requirements are expected to be regulated in an implementing regulation, i.e. a Government Regulation. Until such implementing regulation is enacted, there are unanswered questions on the fulfillment of the obligations under Article 56 of the PDP Law and the procedure to demonstrate such compliance.

Comparison With The GDPR

The requirements for cross-border data transfer under the PDP Law are similar to the requirements under the GDPR. Under the GDPR, cross-border data transfer may be allowed if the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection based on the adequacy decision; the data exporter puts in place appropriate safeguards; or a derogation or exemption applies.

The EU Commissioner provides a list of countries that are considered to have adequate protection, which means that data transfers to these countries will not require any specific authorisation. If the recipient country is not included in the list, EU member states must ensure that the recipient country has in place appropriate safeguards, which will also be subject to each state’s authorisation of a Data Protection Authority (DPA). This includes the existence of binding agreements between public authorities. In the absence of the first two requirements, i.e. adequacy decision and appropriate safeguards, certain derogations, including by way of the consent of the data subject, may be used as the basis to conduct the cross-border data transfer.

It remains to be seen whether the PDP Law will adopt a similar approach to the GDPR. Absent implementing regulations, it seems that cross-border data transfers from Indonesia can only be conducted based on the consent of the data subject.

It is also noteworthy that Indonesia has yet to establish a DPA, which is expected to be the authority supervising the implementation of cross-border data transfers under the PDP Law. Based on Article 58 of the PDP Law, the formulation of the DPA will be further established by virtue of a Presidential Regulation.

Closing Remarks

With the rapid development of technology, the PDP Law is necessary to protect personal data. It not only helps ensure the rights of data subjects over their personal data, but it may also increase the confidence of offshore business actors in doing business with Indonesian companies due to an improved framework for personal data protection.

However, the PDP Law requires further implementing regulations and guidance to be implemented fully and provide the intended level of protection. This is especially true with the requirements for conducting cross-border data transfers.

Until the necessary implementing regulations are in place and the DPA is established, the current practice for cross-border data transfers will remain in force, subject to the coordination requirement with the MOCI as regulated under MOCI Reg. 20/2016, the enforcement of which lacks supervisory power.

Denny Rahmansyah, Partner

Denny is an extensively experienced lawyer who joined SSEK in 2001. He has been involved in major projects and transactions in various sectors, including TMT (fintech/e-commerce, cryptocurrency, data protection/privacy).

+62 21 2953 2000

dennyrahmansyah@ssek.com

Agung Kurniawan Sihombing, Associate

Agung works on corporate transactions, privacy matters, and projects and transactions in the e-commerce, payment systems, financial services, environment, employment, and immigration sectors.

+62 21 2953 2000

agungsihombing@ssek.com


This article was published in the April 2023 issue of the IHC Magazine.
