Data privacy update – Indonesia

Indonesia is still getting to grips with how to manage data. A full data protection/privacy regime does not yet exist. Personal data processing requires proper prior consent of the data subject under 2016 personal data protection regulations. It is widely thought not to be well observed. Spam calls, messages and social media data use are common by businesses.

Parliament is deliberating a new data privacy law. The Bill was drafted 4 years ago but is not yet passed. It was initially listed to pass in 2019. However in April a new draft was prepared and sent to Parliament.  The new bill follows a structure to define data, give rights to data owners/subjects, and establish data controllers, provide data processing steps, deal with data transfers, data erasure and destruction.  The bill may not pass until next year now.

A new Presidential Regulation 39/2019 provides a framework for managing the government’s own data.  There are rules on the type of data and how it must be collected (e.g. with metadata, that is standardized structures and formats) and held (e.g. in an open format so it can be searched, used and managed with ease). Various government institutions are created to help manage the data correctly. Four separate processes ensure data principles are adhered to – planning, collection, review and dissemination.  For citizens this provides some level of comfort that the government is managing data correctly.

Another new Regulation 40/2019 covers Residents’ Personal Data, covering the proper fixing of Resident's Identification Numbers and related personal identifying information (fingerprints, gender, biometrics etc), as well as rules for acquisition, storage and management by ministries. 

In a separate interesting development at the G20 in July, the issue of data protection arose. The G20 launched the Osaka Declaration on the Digital Economy, which is an affirmation the launch of a WTO program on developing consistent global ecommerce regulations for the digital economy. Indonesia however abstained at the G20, citing a lack of commitment to data privacy in the Osaka Declaration.  The Indonesian government expressed further concern that ecommerce in international trade had cross border and tax implications.  Indonesia is seeking to pursue online platforms that trade in Indonesia from outside the country, to tax their Indonesian revenues.  It is unclear whether it is really this or data concerns that were at the heart of the G20 abstention.