E-commerce in Indonesia – Data Protection and Privacy

In Indonesia, Ministry of Communication and Information (MOCI) Regulation No. 20 of 2016 on the Protection of Private Data in Electronic Systems (the Data Privacy Regulation) defines personal data as certain individual data, the authenticity of which is verified, sustained and maintained while its confidentiality remains protected.

Any personal data may only be utilized within the certified electronic system and it must at all times be protected during the implementation of the personal data management activities.

Customer Consent and Sale of Personal Data

Personal data can be managed by an organizer based on a written consent of the owner. By maintaining such consent, an organizer is entitled to legally undertake the receipt, collection, processing, analysis, saving, display, announcement, transmission, dissemination, opening of access and deletion of such personal data.

Indonesian legislation does not recognize personal data as a commodity that can be used for trading purposes. By definition the ownership of personal data will always be attached to the relevant individual. In theory, however, if the individual has consented to his or her personal data being transferred, that particular transfer should be deemed as lawful.

Data Breach and Cybersecurity

The Data Privacy Regulation provides that in case of a failure to keep personal data confidential, the relevant electronic system provider shall notify the owner of the personal data within a maximum of 14 days as of the date such failure becomes known to the provider.

In terms of Indonesian regulation, there are no specific requirements or guidelines that electronic system providers must follow to avoid data breaches and ensure cybersecurity. If an electronic system provider wants to help ensure cybersecurity, it can retain the services of competent professionals. In Indonesia, information security consulting services are listed in the Indonesia Standard Industrial Classification, which classifies the different business activities and fields in Indonesia.

Right to Be Forgotten

Indonesia recognised the right to be forgotten in 2016 through the issuance of an amendment to Law No. 11 of 2008 on Electronic Information and Transactions (the ITE Law). Only the relevant user can submit an application to erase electronic information or document, and the application to shall be addressed to the relevant competent court.

Electronic system providers must provide a mechanism to erase electronic information or documents, and they shall erase the concerned electronic information or documents upon receiving a court order.

Consumer Rights

The individuals who own the personal data have the right to report the failure to process their personal data. The right to file a report is intended to allow negotiations between the parties to reach an amicable agreement. The Data Privacy Regulation is silent on whether ‘owner of personal data’ includes foreign citizens.

By SSEK, Indonesia, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact indonesia@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.