Data Privacy Legislation and Electronic Systems in Indonesia

Indonesia’s Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems, known for short as Kominfo Regulation 20, is a data privacy law that was passed in 2016. As of 2022, Indonesia has yet to pass a comprehensive national data protection law, and the House of Representatives is still deliberating on whether to pass one, the Personal Data Protection Act. In the meantime, Kominfo Regulation 20 is one of various data protection laws that currently exist within the country, and it applies to personal data contained within electronic systems. Kominfo Regulation 20 outlines the requirements that data controllers and processors must follow when managing the personal data of Indonesian citizens that is contained within electronic systems.

How is personal data defined under Kominfo Regulation 20?

Under Kominfo Regulation 20, personal data is defined as “data on certain individuals retained, treated, and the accuracy of which is maintained as well as the confidentiality of which is protected.” The law also defines an electronic system as “a set of electronic devices and procedures which function to prepare, collect, process, analyze, retain, display, publish, transmit, and/or disseminate electronic information.” Furthermore, the law defines an electronic system operator as a “person state administrator, business entity, and community providing, managing, and/or operating an electronic system either individually or jointly to electronic system users for its personal purpose and/or another party’s purpose,” while a data user is defined as a “person state administrator, business entity, and community utilizing goods, services, facilities, or information provided by electronic system operators.”

What are the requirements of electronic system users and operators under Kominfo Regulation 20?

Under Kominfo Regulation 20, electronic system users and operators within Indonesia must adhere to a number of principles when collecting or processing personal data, much as under the EU’s GDPR. These data protection principles include:

  • The respect for personal data as privacy.
  • Personal data shall be private in accordance with the agreement and/or based on the provisions of laws and regulations.
  • The collection and processing of personal data must be based on consent or approval.
  • The relevance to the purpose of acquisition, collection, processing, analysis, retention, display, publication, transmission, and dissemination.
  • The feasibility of all electronic systems that are used.
  • The good faith to immediately notify personal data owners in writing of each failure in the protection of personal data.
  • The availability of an internal rule for the management of personal data protection.
  • The responsibility for personal data is in users’ control.
  • The ease of access and correction to personal data by personal data owners.
  • The integrity, accuracy, and validity as well as update of personal data.

What are the rights of data subjects under Kominfo Regulation 20?

Kominfo Regulation 20 does not define the term data subject and instead uses the term personal data owners, which is defined to mean “individuals to which data on certain Individuals is attached.” The rights of personal data owners under Kominfo Regulation 20 include:

  • The right to confidentiality.
  • The right to file a complaint.
  • The right to access.
  • The right to rectification.
  • The right to erasure.

Kominfo Regulation 20 is enforced by the Minister of Communication and Informatics, or the minister for short. The minister has the authority to impose a variety of sanctions and penalties against electronic system operators and users who fail to comply with the law, including:

  • A verbal warning.
  • A written warning.
  • The suspension of relevant activities.
  • Administrative sanctions.

As Indonesia is still in the process of implementing a comprehensive data protection law, Kominfo Regulation 20 represents one of the many ways in which the personal data of Indonesian citizens is regulated. The country continues to deliberate on whether or not to pass such a law, as other countries throughout Asia have done in recent years with, for example, Kazakhstan’s Amendment Law and Taiwan’s Personal Data Protection Act 2015, and there is hope that the provisions of Kominfo Regulation 20 could be implemented in a national data privacy law in the near future. Nevertheless, Indonesian citizens are afforded certain data protection rights through Kominfo Regulation 20 and its various provisions.