Indonesia is often cited as an example of data localisation laws in Asia. In this article, we will help you navigate the latest laws and regulations governing cross-border data transfers in Indonesia.
Private sector is no longer subject to data localisation laws
The old rule under GR 82 has been revoked by GR 71
In the past, when we discussed data localisation restrictions in Indonesia, we were probably referring to Government Regulation No. 82 of 2012 on the Management of Electronic Systems and Transactions (GR 82). GR 82 provides that electronic systems operators (ESOs) that provide public services[1] must establish a local data centre.
GR 82 has been revoked by Government Regulation No. 71 of 2019 on Organisation of Electronic Systems and Transactions (GR 71).[2] Unlike GR 82, GR 71 draws a distinction between public and private ESOs, and imposes data localisation obligations on public ESOs only.
- Public ESOs are defined to include (a) public bodies (such as central and regional executive, legislative, judicative bodies and any other bodies established pursuant to a statutory mandate); and (b) entities appointed by public bodies to operate electronic systems on their behalf.
- A private ESO may manage, process and/or store electronic data or electronic system outside of Indonesia, pursuant to GR 71 and its implementing regulation, i.e. Regulation of Minister of Communication and Informatics No. 5 of 2020 on Private Electronic System Operators (Regulation 5).
Under GR 71 and Regulation 5, Indonesian regulators have the authority to request a private ESO (including foreign private ESOs) to grant the Ministry of Communications and Informatics (MOCI) access to the ESO’s electronic systems and electronic data which relate to Indonesian citizens or legal entities. However, in practice, given the relatively new state of the law, we are not aware of this particular provision being enforced by MOCI.
Data privacy regulations apply to personal data
Where electronic information contains personal data, the personal data will be subject to the Indonesian personal data protection regime as well.
Legal requirements on transferring personal data overseas
Under GR 71, consent must be obtained from data owners (i.e. data subjects) for cross-border transfers of personal data. Such consent must be “lawful consent”, i.e. consent that is delivered explicitly, cannot be concealed, and is not based on error, negligence or coercion.
Furthermore, under Regulation of Minister of Communication and Informatics No. 20 of 2016 on Personal Data Protection in Electronic Systems (Regulation 20), such consent must also be in Bahasa Indonesia (or in bilingual format) and collected online or on paper hard copies.
To comply with the regulations set out above, a transfer of personal data outside Indonesia must comply with the following requirements:
a. before the collection or transfer of personal data, an electronic system operator must obtain written consent of the personal data owner (i.e. data subject) for the purpose of processing[3] his/her personal data; and
b. all transfers of personal data outside Indonesia must be coordinated with MOCI by: (i) reporting to MOCI the plan of transfer of personal data[4], (ii) requesting advocacy from the government (e.g. having a consultation with the government)[5], if required; and (iii) reporting to MOCI the implementation of such transfer.
Proposed new requirements on cross-border transfers of personal data
The proposed Indonesian Privacy Bill (Privacy Bill)[6] has helpfully removed the above MOCI notification requirement for cross-border data transfers. Under the Privacy Bill, personal data controllers in Indonesia can transfer personal data to other controllers[7] outside of Indonesia if:
- the recipient jurisdiction has personal data protection laws which provide an equivalent or higher level of protection to personal data than the Privacy Bill in Indonesia (i.e. white-listed jurisdictions)[8];
- there is an international treaty between Indonesia and the recipient jurisdiction allowing data transfer between the two jurisdictions;
- there is a data transfer agreement for the data transferor to impose data protection obligations on the transferee and such legal obligations are of an equivalent or higher standard than the protection given to personal data under the Privacy Bill in Indonesia; or
- consent of the personal data owner (i.e. data subject) has been obtained.
The Privacy Bill is expected to be enacted later this year. The Privacy Bill is silent as to whether it will revoke or amend Regulation 20.
Other industry-specific requirements on transfer of data, e.g. financial services
While private ESOs now have the ability to process or host their electronic systems and data offshore, there may be industry-specific requirements (such as in the banking and financial services sector) which impose data localisation requirements.
Private ESOs should continue to monitor the development of laws affecting transfer of data in Indonesia.
[1] Although “public services” was not defined under GR 82, this term had been interpreted broadly in practice by MOCI. Therefore, the data localisation obligation under GR 82 was widely understood to cover all services offered to the public via the internet, effectively affecting many private sector companies.
[2] GR 71 was passed in October 2019 and became effective in October 2020 for existing ESOs after a one-year transition period.
[3] Processing of personal data should cover the full life cycle of the personal data, namely: (i) collecting; (ii) processing and analysing; (iii) storing; (iv) correcting and updating; (v) displaying, announcing, transferring, disseminating or disclosing; and/or (vi) deleting or destroying, personal data.
[4] The report must contain, at a minimum, the name of destination country, name of the recipient, date of transfer, and reason/purpose of the transfer.
[5] As far as we are aware, this particular requirement has not been implemented in practice.
[6] The Privacy Bill is still being debated by the Indonesian Parliament.
[7] The Privacy Bill expressly allows data controllers to transfer personal data outside Indonesia but there is no reference to data processors. This is a grey area which requires clarification.
[8] We do not know how this provision will be implemented in practice yet, e.g. whether the Indonesian privacy regulator will publish a whitelist or whether this can be determined by the Indonesian data controller itself.
By Peggy Chow, Sakurayuki, and Cellia Cognard