On 1 December 2016, the Minister of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data Within an Electronic System came into force in Indonesia. Regulation No. 20 was enacted in response to the need to set out the procedure for protecting personal data collected into, retained in, and utilized within an electronic system.
Regulation No. 20 defines the relationship between personal data, certain personal data, and the owner of personal data. Clarifying these relationships clarifies an electronic system provider's obligations, and is especially significant given that a person is entitled to compensation from another party for unconsented use of his or her data. The relevant provisions are:
Article 1(1) defines personal data as “certain personal data stored, maintained, and whose accuracy is preserved and confidentiality protected”;
Article 1(2) defines certain personal data as “every [piece of] information that is correct and concrete, attached and identifiable, whether direct or indirect, to each individual, the utilization of which is consistent with the applicable law”;
Article 1(3) defines personal data owner as “an individual to whom certain personal data is attached”.
Article 2(2)(a) in conjunction with article 2(3) of regulation No. 20 confer on the personal data owner the freedom to determine which data are private (subject to legislative provisions to the contrary). This principle is further reaffirmed by the owner's positive right to confidentiality of the data in question (see article 26(a) of regulation No. 20).
Protection of personal data is implemented in five processes: (1) receipt and collection; (2) processing and analytics; (3) storage; (4) display, publication, transmission, dissemination, and/or providing access; and (5) deletion. There are measures that an electronic system provider must comply with in each process.
Receipt and collection. Key measures that an electronic system provider must comply with at this stage are as follows:
1. Collection must be consented to by the data owner or otherwise provided for under the law;
2. The personal data owner has the option to declare the confidentiality of certain data that he or she provides, in which case confidentiality must be maintained;
3. Personal data obtained directly from the owner must be verified by the owner, while personal data obtained indirectly must be verified against collection sources;
4. Electronic systems used to pool the results of personal data collection must be compatible with other electronic systems.
Personal data processing and analysis. Key measures that an electronic system provider must comply with are as follows:
1. Processing and analysis are limited to the purpose stated by the system provider at the time of obtainment or collection;
2. Processing and analysis must be based on consent;
3. The accuracy of personal data to be processed and analyzed must be verified.
Storage. Key measures an electronic system provider must comply with are:
1. The accuracy of personal data stored in an electronic system must have been verified;
2. The personal data must be encrypted;
3. The duration of storage is the period defined by a sectoral regulation issued by the pertinent sectoral regulator or, in the absence of such a regulation, five years;
4. The retention period of five years, or as defined by a sectoral regulator, commences as of the last date the personal data owner ceases being a user of the electronic system in question.
Display, publication, transmission, dissemination, and/or providing access. Important measures that an electronic system provider must comply with at this stage are:
1. Display, publication, transmission, dissemination and access to personal data must be based on the consent of the personal data owner, unless otherwise provided for by the applicable law, and only after its accuracy and conformity to the purpose of personal data collection have been verified;
2. Usage and utilization of the personal data must be based on consent and consistent with the purpose of obtainment, collection, processing and analyzing such data.
An electronic system provider must provide the personal data found within an electronic system, or produced by an electronic system, to law enforcement authorities on request.
Deletion. Personal data may only be deleted on one of these two conditions:
1. The lapse of time as set out under a sectoral regulation or, in the absence of such a timeframe, five years from when the personal data owner ceases being a user; or
2. On request from the personal data owner, unless otherwise provided for in the law.
Deletion of personal data must be carried out to such an extent that the deleted data can no longer be redisplayed unless the personal data owner provides new data.
AHMAD JAMAL ASSEGAF is a partner at Lubis Ganie Surowidjojo and INDRA PAMBUDY is an associate at the firm