Data Privacy and Cybersecurity Comparative Guide
A. Definition and Scope of Data Privacy and Cybersecurity
Data Privacy
1. Is there any specific definition of "personal data" in your jurisdiction? Do the prevailing laws provide distinction between personal data and sensitive personal data?
Personal data is defined as "a certain personal data that is stored, maintained, kept true and its confidentiality is protected" (Art. 1 (1) of Minister of Communications and Informatics ("MoCI") Regulation No. 20 of 2016 on Personal Data Protection within the Electronic System ("MoCI Regulation 20/2016")). However, the applicable laws and regulations on personal data protection in Indonesia do not provide any specific definition of "sensitive personal data" and are silent on these matters.
Therefore, there is no clear distinction between "personal data" and "sensitive personal data".
2. What is the scope of "personal data" pursuant to the relevant laws and regulations in your jurisdiction?
Indonesian prevailing laws do not provide any specific scope of personal data. There are merely provisions under MoCI 20/2016 as outlined above.
The concept of data privacy is interpreted as a part of the privacy right, which, pursuant to Law No. 11 of 2008 as amended by Law No. 19 of 2016 ("EIT Law"), is defined as:
a. the right to enjoy a private life and be free from all kinds of disturbances;
b. the right to communicate with other persons (without being spied on);
c. the right to supervise the access to information on his/her personal life and data (Elucidation of Art. 26 (1) of EIT Law).
In addition to the above, Personal Data Protection Bill ("PDP Bill") sets out a more specific scope of personal data:
(i) General personal data consists of a person's full name, gender, citizenship, religion, and/or combined personal data to identify a person;
(ii) Specific personal data, which consists of, among other things, information on a person's health, biometric data, political view, etc. (Art. 3 (1), (2), and (3) of PDP Bill).
However, PDP Bill has not been enacted up to the publication of this comparative guide.
3. Who are the relevant stakeholders (i.e., data processor, controller, etc.) under the data protection regime in your jurisdiction?
Stakeholders of data protection under the Indonesian prevailing laws include: (i) personal data user; and (ii) Electronic System Operator ("ESO"), each of which has different obligations. Please note that the current prevailing laws and regulations for personal data protection do not specifically stipulate data processor and data controller, but merely the party collecting and processing personal data and the relevant data subject. PDP Bill, however, provides specific definitions of data processor and data controller.
With regard to ESOs, Art. 2 of Government Regulation ("GR") No. 71 of 2019 on Administration of Electronic Transactions and Systems ("GR 71/2019") stipulates two categories of ESOs, namely (i) public ESO and, (ii) private ESO.
Public ESOs include state administrator agencies and other agencies as formed by virtue of laws and/or appointed by the relevant agencies. Meanwhile, private ESOs include individuals, business entities, and the public that run portals, websites, or online applications on the internet, regulated or supervised by the Minister of Communication and Informatics, and/or the institutions based on the relevant regulations.
Cybersecurity
4. Is there any specific definition of "cybersecurity" in your jurisdiction? Do the prevailing laws provide distinction between "data protection" and "cybersecurity"?
Cybersecurity in Indonesia is governed by EIT Law and GR 71/2019, but they provide no specific definitions or terms on cybersecurity itself. A bill on cybersecurity was once proposed, but it was eventually rejected and failed to be enacted in 2019.
Based on EIT Law and GR 71/2019, the general concept of cybersecurity provisions focuses on cyber incidents including prohibitions of hacking, denial of service, phishing and identity theft, as well as cybercrimes.
Click here to continue reading . . .
Originally Published by NLP & Singhania & Partners (India).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
