W&P Newsletter – Key Differences Between Existing Indonesian Personal Data Regulations

For the past few years, the Indonesian market has seen the rise of technology-based start-up companies, and this phenomenon has stimulated the rapid development of technology-based transactions (including those of the technology-based “unicorn”[1] companies such as Go-Jek, Tokopedia, and Traveloka[2]). One distinctive characteristic of these technology-based transactions is that consumers are generally required to provide their personal information to a database accessible to many. Although such data sharing brings certain benefits to consumers (for example, advertisements can be focused on what consumers are interested in (targeted advertising), and the data creates greater opportunities for new jobs and for obtaining loans), it potentially leads to certain privacy problems.[3]

The global nature of these privacy problems understandably puts governments, including the Indonesian Government, in a position to act and to implement regulations to protect their citizens from any possible breach of their personal data. The Indonesian Government has taken the necessary steps to address this issue by enacting Regulation of Minister of Communication and Informatics No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (“MCI Regulation”), which requires all Electronic System Providers (“ESP”) developing, managing and/or operating an electronic system to do, among other things, the following:

  • obtain certification for their electronic system;
  • maintain the accuracy, validity, confidentiality and relevancy of the personal data;
  • notify the data owner in writing of any failure to protect the confidentiality of the personal data;
  • establish internal rules for personal data protection;
  • provide audit reports to the relevant individuals on the operation of the electronic system;
  • seek consents when using any personal data/disclosing them to any third party;
  • provide access to data owners to change or update their data;
  • delete the data if so required by a regulation;
  • obtain written consent before implementing personal data protection (i.e. the method of collection, processing, storage, display, and termination).

In line with the above, the Financial Services Authority (Otoritas Jasa Keuangan, OJK) has also issued a number of rules and regulations on data privacy in the Financial Services Sector, one of which is OJK Circular Letter No. 14/SEOJK.07/2014 on the Confidentiality and Protection of Consumer’s Data/Information (which is intended as an implementing regulation to OJK Regulation No. 1/POJK.07/2013 on Consumer Protection in the Financial Services Sector) (“Privacy Regulation in Financial Services Sector”). In addition, to address data privacy in the Peer-to-Peer (P2P) Lending Business, the OJK has also issued OJK Circular Letter No. 18/SEOJK/.02/2017 on Governance and Risk Management of Information Technology in Information Technology-Based Lending Services (as an implementing regulation of OJK Regulation No. 77/POJK.01/2016 on Information Technology-Based Lending Services) (“Privacy Regulation in Fin-tech Services Sector”).

From the applicability perspective, the Privacy Regulation in Financial Services Sector is only applicable to Financial Services companies, while the Privacy Regulation in Fin-tech Services Sector is only applicable to P2P Lending companies (each with its own specific provisions to accommodate the unique characteristics of the industry). However, it should be noted that the MCI Regulation serves as the umbrella provision (lex generalis) for data privacy in respect of both the Privacy Regulation in Financial Services and the Privacy Regulation in Fin-tech Services and thus applies to all ESPs in general. For example, while the Privacy Regulation in Fin-tech Services Sector specifically requires that the data owner’s written consent be given in electronic form, the MCI Regulation does not specifically stipulate whether it must be made in paper or electronic form. In addition, both the Privacy Regulation in Financial Services Sector and the Privacy Regulation in Fin-tech Services Sector are more specific than the MCI Regulation in terms of what constitutes personal data.

Below is a summary of the major differences between the three regulations in terms of (i) scope of personal data, (ii) form of data owner’s consent, (iii) third-party disclosure, and (iv) data center location. The difference in scope of personal data may be crucial in interpreting whether the omission of certain details/variables set by the regulation may be exempted from the personal data requirements.

Scope of Personal Data

  • MCI Regulation: All data identifiable to a specific individual, whether directly or indirectly.
  • Privacy Regulation in Financial Services Sector:
    1. Individual: (i) name, (ii) address, (iii) DOB/age, (iv) phone number, and/or (v) name of biological mother.
    2. Corporate: (i) name, (ii) address, (iii) phone number, and/or (iv) composition of the Board of Directors/Board of Commissioners/Shareholders (and the relevant documents).
  • Privacy Regulation in Fin-tech Services Sector:
    1. Individual (among others): (i) name, (ii) IP address, (iii) biometrics, (iv) bank account, (v) credit card number, and/or (vi) list of assets.
    2. Corporate (among others): (i) name, (ii) address, (iii) phone number, and/or (iv) composition of the Board of Directors/Board of Commissioners/Shareholders (and the relevant documents).
    3. Material and non-public data, and data related to financial transactions, contracts, or agreements.

Form of Data Owner’s Consent

  • MCI Regulation: Consent must be made in writing and in bahasa Indonesia, either paper or electronic.
  • Privacy Regulation in Financial Services Sector: Consent must be made in writing, possibly (i) containing the option to agree or disagree, or (ii) providing a mark/evidence of consent.
  • Privacy Regulation in Fin-tech Services Sector: Consent must be made in writing, possibly (i) containing the option to agree or disagree, or (ii) providing a mark/evidence of consent.

Third Party Disclosure

  • MCI Regulation: Not specific.
  • Privacy Regulation in Financial Services Sector: If a company obtains personal data from a third party, the third party must provide a statement letter confirming that it has received written consent from the relevant data owner. Upon disclosure of personal data to a third party, the company must ensure that the third party will not disclose/use the data for any other purpose.
  • Privacy Regulation in Fin-tech Services Sector: Upon disclosure of personal data to a third party, the company must ensure that the third party will not disclose/use the data for any other purpose.

Location of Data Centre (DC) & Disaster Recovery Centre (DRC)

  • MCI Regulation: Any ESP conducting public service: Indonesia.
  • Privacy Regulation in Financial Services Sector: Not specific.
  • Privacy Regulation in Fin-tech Services Sector: Indonesia.

 

If you have further inquiries about this newsletter, please reach out to us at info@wplaws.com or any of our lawyers.

[1] Valuation exceeding USD 1 Billion
[2] https://tirto.id/melihat-perjalanan-4-startup-unicorn-asal-indonesia-cAdQ
[3] https://www.csoonline.com/article/2855641/privacy/the-5-worst-big-data-privacy-risks-and-how-to-guard-against-them.html

This publication is intended for informational purposes only and therefore does not constitute legal advice or legal opinion. Any reliance on the material is at the user’s own risk. All of W&P publications may not be reproduced without the express written consent of W&P.