I OVERVIEW

The 1945 Constitution of the Republic of Indonesia (the Constitution) grants various rights related to privacy. Although the right to privacy is not explicitly mentioned in the Constitution, it is embodied in the right to personal protection, freedom of religion, freedom of expression and other similar rights granting personal protection to the individual. These rights serve as a foundation for the legislative and regulatory approach to respecting individuals' privacy in existing laws and regulations that are currently scattered within sectoral regulations.

Indonesia is currently on the verge of passing its first Personal Data Protection Act. The Personal Data Protection Bill (the PDP Bill) is an effort to fill the void in the existing regulatory framework on personal data protection. At present, the issues of privacy, personal data protection and cybersecurity are embodied in an array of general and sector-specific laws. Each supervisory authority for an industry-specific sector has the power to enact its own regulations, including regulations related to privacy and personal data protection. However, no significant enforcement has arisen from the sector-specific laws on personal data protection. The most relevant enforcement action regarding a violation of personal data protection was brought by the Indonesian National Police (the Police) under Law No. 11 of 2008 on Electronic Information and Transaction as last amended by Law No. 19 of 2016 (Law 11/2008), in conjunction with Law No. 23 of 2006 on Population Administration as last amended by Law No. 24 of 2013 (Law 23/2006).2 The PDP Bill is expected to provide clear guidance on enforcement as well as better protection of individuals' personal data.

The submission of the PDP Bill3 and the Cybersecurity and Resilience Bill (the Cybersecurity Bill) to the Indonesian House of Representatives (DPR)4 signifies the development of policies on personal data protection, privacy and cybersecurity. Although discussion of the PDP Bill has been prioritised over the Cybersecurity Bill (which has been postponed until next year),5 this decision shows that the DPR is responding to public concern about the security of personal data following several recent data breach incidents.

Given its scope, the PDP Bill is expected to strengthen protection of the right to privacy.6 This is because the Indonesian judicial system can only recognise and enforce fundamental rights under the Constitution that have been transposed into effective laws. A trial-stage court has limited authority to interpret a provision of law that is not explicitly written, even if the Constitution grants such rights. A similar approach is taken by law enforcement agencies in implementing the law. When individuals believe their fundamental rights granted by the Constitution are violated by certain provisions of a law, a petition for judicial review can be filed with the Constitutional Court, a specific court adjudicating conflicts between applicable laws and the Constitution.

The authority of the Constitutional Court on the protection of privacy rights can be found in its decisions about government surveillance powers, and specifically on government-backed interception. The Constitutional Court has revised provisions on interception several times to protect individuals' human rights and provide legal certainty, and requires that interception can only be carried out by a law enforcement authority.7

The development and dynamics of regulatory framework improvement cannot be separated from the role played by non-government entities. A number of civil society organisations (CSOs) have advocated for the public interest by organising a series of public awareness activities, conducting public surveys, facilitating dialogue with government and industry groups, and even filing lawsuits with the relevant courts. Self-regulatory industry groups also play a significant role in bridging the gap between industries' best practices and regulations by creating industry codes of conduct and meeting regularly with regulators.

All in all, the involvement of multiple stakeholders in developing a regulatory framework on personal data protection, privacy and cybersecurity is significant. However, it is indisputably important that every stakeholder educate the public on their rights, to ensure that any law pertaining to these issues can be implemented properly in practice, especially given that the right to privacy itself is not commonly known by the majority of the public in Indonesia.

II THE YEAR IN REVIEW

As many will agree, 2020 has been an extraordinary year. Heavily affected by the coronavirus (covid-19) pandemic, social interaction must now take place at a distance, shifting most activities into the online environment. This is also the case in Indonesia, where the government has imposed large-scale social movement restrictions in response to covid-19, requiring most public activities to go online.8 As a result, the growth of online interaction is inevitable, followed by an increase in public awareness of online interaction as well as an increase in the vulnerability of online security, personal data and privacy.

However, the vulnerability of Indonesian citizens' personal data has not only been exposed in 2020. In July 2019, the public was surprised by the discovery of large-scale unauthorised transactions in Indonesian ID card and Family Card information. The transactions took place in a social media platform group, with the total volume estimated at millions of items of personal data belonging to Indonesian individuals.9 This case was investigated by the Police after it was reported to the Ministry of Home Affairs (MHA), the authority in charge of the protection of ID card and Family Card information.10 The Police also arrested an individual in August 2019 on allegations of selling consumer data and population data.11

In April 2020, cybersecurity became a trending issue owing to a breach suffered by an Indonesian human rights activist on the activist's chat messaging application.12 The breach led to the distribution of messages from his account provoking a coup d'état and public disorder. As a result, the activist was detained by the Police on the allegation of spreading a 'prohibited message'.13 It took a few days following the detention for the activist to be released, after he provided sufficient evidence that his account had been compromised and its control taken over by an unknown party.14 The Police are currently investigating the party behind this breach.15

After this series of incidents, information breaches affecting the public continued. Some major data breach incidents occurred in May 2020. The incidents were suffered mostly by Indonesian marketplace platforms, exposing a significant amount of their consumers' personal data, including names, email addresses and other identifying information.16 Separately, the personal data of 230,000 covid-19 patients was also breached,17 and the public discovered that an Indonesian government agency had left substantial amounts of Indonesian personal data exposed to the public.18 This breach was unrelated to the PeduliLindungi app that was launched by the government to tackle the spread of covid-19.19

There was also an allegation of a personal data breach concerning an Indonesian public figure in early July 2020.20 The breach was alleged to have concerned the figure's personal data stored by a major Indonesian telecommunications provider.21 Following the allegation, an internal investigation discovered that the breach resulted from the actions of outsourced personnel.22 The internal investigation was followed by the filing of an official police report by the telecommunications provider, which led to the arrest of the outsourced personnel by the Police.23

All such incidents drive the improvement of the regulatory framework on personal data protection, privacy and cybersecurity. With the PDP Bill and Cybersecurity Bill on their way, the government also recently issued Government Regulation No. 71 of 2019 on Electronic System and Transaction Provision (GR 71/2019), which provides clearer obligations and rights for electronic system providers,24 including on personal data processing.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

At present, Indonesia does not have an overarching personal data protection law. The regulations on personal data protection are scattered within several sectoral laws and regulations. Many of the laws and regulations overlap, resulting in the absence of a comprehensive and integrated concept of personal data protection. However, the Indonesian government and parliament are currently discussing the PDP Bill, which is expected to be passed in the next two to three months.

Primarily, the provisions on personal data protection are regulated by Law 11/2008; GR 71/2019; and Ministry of Communication and Information Technology Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (MCI 20/2016) (collectively referred to as the PDP Regulations). The above laws and regulations cover the general provisions on personal data processing requirements for electronic systems.

Other personal data and privacy obligations are distributed across several laws and sectoral regulations including, for example:

  1. the Criminal Code, which provides various sections that punish confidentiality breaches and trade secrets that may implicate personal data use or disclosure; and
  2. Law No. 36 of 1999 on Telecommunication, which requires any telecommunication service provider to maintain confidentiality of any receipt or information delivered by their customers.

The current PDP Regulations do not recognise the concept of 'data controller' and 'data processor'. Both data controllers and data processors are considered as electronic system providers (ESP),25 and theoretically share the same responsibilities regardless of whether the organisation is considered as a controller or processor in other jurisdictions. The concept of 'data controller'26 and 'data processor'27 will be recognised under the PDP Bill, bearing similar concepts to those embedded in European Union General Data Protection Regulation (GDPR), with the expectation of properly implementing fair information practice principles28 that are implicitly recognised by the current PDP Regulations.

Unlike GDPR, there is no classification of personal data under current PDP Regulations. Any data or information that identifies or may identify an individual is considered as personal data.29 However, the PDP Bill will recognise two classifications of personal data: general30 and specific personal data.31

Separately, the PDP Regulations stipulate that an ESP's failure to comply with the PDP Regulations may subject that ESP to administrative sanctions, namely: a written warning, an administrative fine, temporary suspension, removal from the ESP registry and access termination. Under the PDP Bill, non-compliance may result in an administrative fine and criminal sanctions, which also opens up the possibility of a civil claim.

To ensure compliance, the laws and regulations require an ESP to provide an audit record on all electronic system activities that are under its management. It may be used for the purposes of supervision, law enforcement, dispute resolution, verification, testing and other examinations.

ii General obligations for data handlers

GR 71/2019 and MCI 20/2016 require ESPs to meet the following obligations.

Certification of electronic systems

Article 28 Paragraph (a) of MCI 20/2016 requires ESPs to certify their systems in accordance with the relevant laws and regulations.

Obligations to the collected personal data

Article 28 of MCI 20/2016 stipulates that an ESP shall ensure the validity, legality, confidentiality, integrity, relevancy and appropriateness of data for the purpose of personal data processing.32

Obligations to data owner

Article 28 of MCI 20/2016 requires an ESP to provide data subjects with the following:

  1. an audited track record of any electronic systems operated by the ESP;
  2. access or opportunity for the data subject to exercise their rights;
  3. the option for a third party to allow or to forbid the data subject's personal data to be published, distributed, disclosed or utilised, or a combination of these; and
  4. the right to have personal data destroyed upon request by the data subject.

Requirement to obtain consent

Pursuant to Article 14 of GR 71/2019 in conjunction with Article 6 of MCI 20/2016, personal data owner consent is required for any personal data collection. An ESP is required to inform the data owner of the purpose of collection upon obtaining consent. An ESP may only obtain the consent of the personal data owner by means of an Indonesian-language consent form.

Data breach notification

Article 14 Paragraph (5) of GR 71/2019 in conjunction with Article 28 Paragraph (c) of MCI 20/2016 specifically requires an ESP to provide written notification to personal data owners in the event of personal data breach. Such notification may be provided electronically if the data subject has provided their approval upon the collection of personal data.

Contact person obligation

Article 28 Paragraph (d) of MCI 20/2016 stipulates that the ESP is required to provide a contact person who is accessible to data owners to facilitate the management of individuals' personal data.

iii Data subject rights

The PDP Regulations grant data subjects several rights, such as:

  1. the right to obtain access to or the opportunity to change or update his or her personal data;
  2. the right to receive his or her personal data history that has been provided to an ESP; and
  3. the right to request the removal of any irrelevant personal data from the ESP's electronic system.

The exercise of such requests and rights should be conducted without interfering with personal data management and should conform with the applicable laws and regulations. Even though the PDP Regulations do not stipulate how such rights are to be enforced, the PDP Bill provides that the request must be submitted in writing to the data controller.

iv Specific regulatory areas

Specific to the health sector, Law No. 36 of 2009 on Health and Ministry of Health Regulation No. 269/Menkes/Per/III/2008 of 2008 on Medical Records would apply. They regulate all activities associated with storing patient medical records that involve doctors and medical workers.

In the financial sector, Law No. 7 of 1992 on Banking as amended by Law No. 10 of 1998 and Financial Services Authority Regulation No. 38/POJK.93/2016 on Risk Management in the Use of Information Technology by Commercial Banks as amended by Financial Services Authority Regulation No. 13/POJK.03/2020 would apply to the processing of personal and financial data by banks. Additionally, Financial Services Authority Regulation No. 1 of 2013 on Consumer Protection in Financial Services provides general provisions on consumer data held by financial services providers, and Financial Services Authority Regulation No. 77 of 2016 on Information Technology-based Peer-to-Peer (P2P) Lending Providers regulates the obligations of P2P lending providers in personal data processing activities.

The maintenance and protection of personal data related to population data33 is governed by Law No. 23 of 2006 on Population Administration. This Law governs the processing and collection of personal data of Indonesian ID cardholders, who theoretically are almost all Indonesian, under the MHA. Meanwhile, Law No. 14 of 2008 on Public Information Disclosure provides protection regarding public information that may contain personal data. Public entities are prohibited from granting any request that may potentially disclose such information.

v Technological innovation

There have been several innovations related to data privacy in Indonesia. However, only a few regulatory frameworks or standards have been fully implemented in response to innovations such as the use of cookies, the internet of things, facial recognition and biometric data.

The PDP Regulations contain no provisions on the use of cookies. However, the use of cookies is recognised under the Indonesian Advertising Ethics (IAE).34 The IAE stipulates that the individual should be informed of data collection through cookies. If cookies gather personal data, consent is required from the data subject.

Meanwhile, regarding the internet of things, there are no provisions that specifically address the issue of personal data protection for the internet of things. So far, regulation relating to the internet of things is limited to the standardisation and use of radio frequencies, specifically to the use of low power wide area (LPWA) networks as regulated under Directorate General of Resources and Post Equipment and Informatics Regulation No. 3 of 2019 on Technical Requirements for Telecommunication Equipment of Low Power Wide Area.

Biometrics data and facial recognition will be recognised as specific personal data under the PDP Bill; however, it remains unclear whether specific personal data would receive any extra protection under the PDP Bill.

IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

i Cross-border data transfer

Article 22 of MCI 20/2016 requires that the transfer of personal data must be coordinated with the MCI. In practice, coordination is carried out by submitting a personal data transfer implementation plan (transfer plan) and report (transfer report) to the MCI, as well as by requesting advocacy from the MCI, if deemed necessary. The transfer plan must contain at least the following information:

  1. the country of the data recipient;
  2. the full name of the data recipient;
  3. the date of the transfer implementation; and
  4. the background to or purpose of the transfer.

Upon completion of the transfer, the ESP is required to submit a transfer report to the MCI that contains the result of the transfer plan implementation.

The PDP Bill stipulates slightly different requirements for the cross-border transfer of personal data. Pursuant to the PDP Bill, transfer of personal data outside of Indonesia may be conducted under the following conditions:

  1. the designated country has an adequate or higher level of protection of personal data;
  2. the existence of a treaty between the countries;
  3. the existence of a contract between data controllers; and
  4. that consent has been obtained from the data subject.

ii Data localisation

GR 71/2019 recognises two classifications of ESP: public ESP and private ESP. A public ESP is obliged to process, manage or collect electronic systems and electronic data within the Indonesian jurisdiction, unless the required technology to store such data is not available in Indonesia. Unlike public ESPs, private ESPs can manage, process or store electronic systems and electronic data outside of the Indonesian jurisdiction. However, the ESP is obliged to provide access to the electronic system and data for supervisory purposes (i.e., to law enforcement agencies and the relevant authorities).

V COMPANY POLICIES AND PRACTICES

MCI 20/2016 and GR 71/2019 require ESPs to ensure that they have taken the necessary technical and organisational measures to comply with the applicable laws and regulations. The technical and organisational measures are performed through the following activities:

  1. certification of electronic systems used by the ESP;
  2. implementing an internal personal data protection policy in processing the personal data;
  3. raising employee awareness to ensure the protection of personal data in the electronic system managed by the ESP; and
  4. organising employee training for the prevention of personal data breach in the electronic system managed by the ESP.

The PDP Bill also stipulates similar requirements. Data controllers and data processors are obliged to prepare and apply any necessary operational technical measures to protect the personal data from personal data disturbance or interference, and to determine the level of personal data security by taking into account the nature of and risks concerning the personal data.

VI DISCOVERY AND DISCLOSURE

An interception or request for disclosure is considered as lawful if it is carried out for the purpose of law enforcement at the request of the Indonesian police, prosecutor's office or other law enforcement institutions as stated by the applicable laws and regulations.

Article 221 of the Indonesian Criminal Code stipulates that if any person or entity refuses to cooperate with a law enforcement agency, such act can be considered as an obstruction of justice or law enforcement efforts and is subject to criminal sanction. On the other hand, there is no clear provision or established practice for disclosure requests arising out of the civil litigation process. However, in practice, there is also the possibility for parties to a proceeding to demand disclosure of data from counterparts to challenge the grounds of their argument.

At present, there has been no information published on requests for data disclosure submitted by a foreign jurisdiction that have been fulfilled by the Indonesian authorities, or on the authorities' attitude towards such requests. In theory, any disclosure and discovery in criminal matters may be requested by a foreign government as regulated under Law No. 1 of 2006 on Mutual Legal Assistance in Criminal Matters. However, given the absence of specific provisions on cross-border personal data transfers related to requests from foreign governments, the coordination requirements for cross-border transfers stipulated under MCI 20/2016 may be applicable. There is no regulation on disclosure related to civil proceedings.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

Pending enactment of the PDP Bill, the Ministry of Communication and Informatics (MCI) is currently the primary authority to regulate, supervise, and enforce the PDP Regulations. The MCI has the authority to issue administrative sanctions, including removal of entities from electronic system provider lists, temporary suspension of business activities, imposing administrative fines and revocation of business licences connected to any violation of the PDP Regulations. The MCI is also authorised by Ministry of Communication and Informatics Regulation No. 19 of 2014 on the Handling of Internet-based Negative Content to block access to apps and websites that violate applicable laws and regulations.

The authority of the MCI is limited to matters of personal data, privacy and cybersecurity that are not regulated by another specific sector authority. Specific to the financial industry, the Indonesian central bank (Bank Indonesia) and the Financial Services Authority (OJK) are in charge of the governance of personal data in financial activities. The MHA has the authority to protect population data, comprising the personal data stored in Indonesian ID cards, and the Ministry of Health is responsible for the regulation of medical personal data.

Enforcement actions by the MCI often do not result in criminal procedures, as the MCI usually blocks access to apps or websites that go against the applicable laws and regulations. Meanwhile, the OJK has been actively exercising its authority by revoking various licences and requesting the blocking of access to unauthorised peer-to-peer lending providers that violate the personal data of their users. Several such providers have been referred to the Police for criminal proceedings.

If a criminal investigation is required, the above authorities will handle the investigation in cooperation with the Police. The Police will lead the investigation and hand over the case to the prosecution, if applicable. The enforcement power of the Police may extend to raid actions leading to arrest and seizure of goods and individuals. There is, however, no provision on authorities to audit under the applicable laws.

ii Recent enforcement cases

Regarding the data breach incidents suffered by several marketplaces, there has been no official information on investigation activities. However, one of the marketplaces has filed a report with the MCI as required under MCI 20/2016. For enforcement carried out by the OJK, publicly available sources indicate the cessation of business activities and the blocking of access, assisted by the MCI, for the processing of consumers' personal data without proper authorisation.35

Regarding criminal proceedings on population data and consumer data selling, the police have recently arrested a suspect. The modus operandi of the suspect was selling data via websites and WhatsApp accounts. Upon arresting the suspect, the police found out that the suspect distributed 761,435 cellular phone numbers, 129,421 credit card numbers, 1,162,864 ID Card Numbers, 50,854 Family Cards and 64,164 bank account numbers. The suspect may receive the maximum nine years' imprisonment and a fine of 3 billion rupiahs. Details of the investigation process and current situation have not been released to the public.

iii Private litigation

In general, any individual has the right to file an administrative lawsuit against an administrative decree36 issued by an administrative body or authority37 with the administrative court, or to file a civil lawsuit with the civil court over loss suffered due to the actions of the authority or other entities. Subject to the applicable conditions, each type of lawsuit allows a party to file an appeal to a higher court and even to the Supreme Court. According to Article 97 of Law No. 5 of 1986 on Administrative Judiciary as last amended by Law No. 51 of 2009, a court decision in an administrative lawsuit may instruct revocation of the relevant administrative decree, issuance of a new administrative decree, rehabilitation and indemnity payment. Meanwhile, in a civil lawsuit, the decision of the court may require that compensation for the damage be made in the form of a fine, the transfer of ownership of certain goods or a prohibition on the losing party performing certain acts.

In recent years, a number of litigants have opted for private litigation to bring lawsuits over data breaches. In 2018, several Indonesian CSOs filed lawsuits against Cambridge Analytica and Facebook over allegations of a data breach, demanding compensation in the amount of 21.9 billion rupiahs.38 Recently, in response to a data breach, an Indonesian CSO filed a civil lawsuit demanding compensation in the amount of 100 billion rupiahs.39

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

As Indonesian PDP Regulations are currently developing, and the PDP Bill is being discussed, foreign organisations must anticipate revision of existing rules and laws.40

While the PDP Regulations do not impose data localisation requirements and allow cross-border transfers, the legitimate basis for processing is one of the major issues foreign organisations need to be aware of. Whereas the GDPR provides legitimate bases for processing other than consent, the PDP Regulations still require consent as the basis for processing, although this may change upon enactment of the PDP Bill. This requirement may be concerning to various foreign organisations that have adjusted their practices to fit the GDPR. Notwithstanding this, the PDP Regulations apply to any organisation processing Indonesian personal data, whether located in Indonesia or abroad, which requires every such organisation to obtain consent to process any Indonesian personal data.

The PDP Regulations and PDP Bill have extraterritorial application. This principle, as stated in Article 2 of Law 11/2008, stipulates that Law 11/2008, including its implementing regulations, is applicable to any individual and any organisation located in Indonesia or abroad that has a legal impact on Indonesian territory or abroad that is detrimental to Indonesian interests. A similar provision is also stipulated in the PDP Bill. Accordingly, since processing Indonesian personal data has a legal impact on Indonesian individuals, Indonesian interests or both, the PDP Regulations and PDP Bill will also apply to foreign organisations.

Additionally, the absence of enforcement practices by authorities may pose significant concern to foreign entities in understanding the authorities' attitude in interpreting the applicable laws. The degree of inconsistency and uncertainty in the interpretation of the PDP Regulations may lead to certain provisions being interpreted vaguely or ambiguously.

IX CYBERSECURITY AND DATA BREACHES

i Cybersecurity standards

MCI 20/2016 requires an ESP to ensure that the electronic system being used to process the personal data is certified. The hardware used by an ESP to process any personal data should also be certified by providing relevant certifications or other similar evidence.

GR 71/2019 also requires an ESP to conduct an electronic system worthiness test. This test can be performed over all components, or parts of the components, of an electronic system according to the characteristics of its protection and the strategic nature of the electronic system. However, there has been no implementing regulation on this matter.

ii Data breach notification

If a personal data breach incident occurs, the ESP has an obligation to notify the data subject, and the law enforcement agency and supervisory authority (e.g., the MCI) if the breach or disruption of the system has a serious impact on the electronic system.

Notification must be sent to the data subject within 14 days after the personal data breach becomes known by the ESP. The ESP should ensure that the data subject receives the notification if the breach may potentially harm the data subject. The notification should include reasons or causes of the failure to protect the confidentiality of personal data. The notification may be carried out electronically if the data subject has granted approval for such notification during the collection of personal data. The notification to the law enforcement and supervisory authority should be made in the first instance upon discovering such breach or disruption of the system.

iii Data protection officer

The current PDP Regulations do not require an ESP to appoint a data protection officer (DPO). However, the PDP Bill requires data controllers and data processors to appoint a DPO if:

  1. they process personal data for public interest;
  2. the controller's core activities regarding the personal data require constant, regular and systematic monitoring of the data on a large scale; or
  3. the core activities consist of large-scale processing of specific personal data or personal data related to criminal offences.

iv Data retention

Generally, MCI 20/2016 stipulates that the retention period for personal data in an electronic system be a minimum of five years if there are no specific sectoral regulations that stipulate otherwise.

X OUTLOOK

The DPR is in the middle of finalising the PDP Bill and is aiming to enact the law by the end of 2020. The PDP Bill will serve as an umbrella law to ensure the protection of personal data, especially in this digital economy era with its vast development of information and technology. The PDP Bill may provide a two-year grace period, to allow existing ESPs that have been actively processing personal data to fully comply with all the requirements stipulated under the PDP Bill.

The PDP Bill will play a vital role in the protection of personal data as it will encourage and strengthen the position of the national telecommunication and technology industry, as well as development of the Indonesian economy in general. Being the first personal data protection law in Indonesia, the PDP Bill will provide strict conditions and obligations to data controllers and processors regarding the collection and processing of personal data. Compliance with the PDP Bill shall ensure protection of consumers' data, which could increase the element of trust that consumers have in companies. As the enactment of the PDP Bill is only months away, companies should start to prepare for compliance with the Bill.

It is still unclear how the PDP Bill, if enacted, will interact with other jurisdictions' personal data protection laws, especially the GDPR and the California Consumer Privacy Act (CCPA), regarding cross-border transfers and multi-jurisdiction operations. This is particularly so in light of the recent Data Protection Commissioner v. Facebook Ireland decision of the Court of Justice of the European Union, which adds an extra layer of requirements on cross-border transfers from the EU to third countries. Indonesia may be required to provide an adequate level of protection before any transfer can take place, potentially hampering the multi-jurisdiction operations of data controllers and processors. As for the CCPA, its impact remains to be seen, since its scope of applicability is quite limited and enforcement actions only began in July 2020.


Footnotes

1 Danny Kobrata is a partner, Bhredipta Socarana is a senior associate and Rahma Atika is an associate at K&K Advocates.

2 Haryanto A and Briantika A, 'Polisi Tangkap Penjual Data Nasabah Dan Data Kependudukan' (tirto.id 15 August 2019) https://tirto.id/polisi-tangkap-penjual-data-nasabah-dan-data-kependudukan-egmx, accessed 20 July 2020.

3 'DPR Terima Surpres Jokowi Soal RUU Perlindungan Data Pribadi' (CNN Indonesia 13 February 2020) www.cnnindonesia.com/nasional/20200204022359-32-471351/dpr-terima-surpres-jokowi-soal-ruu-perlindungan-data-pribadi, accessed 21 July 2020.

4 '7 Masalah RUU KKS Yang Akan Disahkan DPR' (CNN Indonesia 26 September 2019) www.cnnindonesia.com/teknologi/20190926152946-185-434335/7-masalah-ruu-kks-yang-akan-disahkan-dpr, accessed 18 July 2020.

5 Andi Nugroho, 'Baleg DPR: Komisi I Fokus RUU PDP, RUU KKS Dipindah 2021' (1 July 2020) https://cyberthreat.id/read/7350/Baleg-DPR-Komisi-I-Fokus-RUU-PDP-RUU-KKS-Dipindah-2021, accessed 24 July 2020.

6 Achmad Nasrudin Yahya, 'RUU PDP Dinilai Hanya Berupaya Lindungi Data Pribadi, Bukan Warga Negara' (KOMPAS.com 6 February 2020) https://nasional.kompas.com/read/2020/02/06/09081831/ruu-pdp-dinilai-hanya-berupaya-lindungi-data-pribadi-bukan-warga-negara, accessed 19 July 2020.

7 Elucidation of Law No. 11 of 2008 Preamble.

8 Fardah F, 'Indonesia Introduces Large-Scale Social Distancing Measures' (17 March 2020) https://en.antaranews.com/news/143882/indonesia-introduces-large-scale-social-distancing-measures, accessed 22 July 2020.

9 Kuwado FJ, 'Pelaku Jual Beli Data Kependudukan Ditangkap, Ini Kronologinya' (KOMPAS.com 15 August 2019) https://nasional.kompas.com/read/2019/08/15/19181091/pelaku-jual-beli-data-kependudukan-ditangkap-ini-kronologinya?page=all, accessed 25 July 2020.

10 'Rupanya Dukcapil Sudah Lapor Jual Beli Data KTP Dan KK Ke Polisi' (Kontan 2 August 2019) https://insight.kontan.co.id/news/rupanya-dukcapil-sudah-lapor-jual-beli-data-ktp-dan-kk-ke-polisi?page=all, accessed 24 July 2020.

11 Haryanto A and Briantika A, 'Polisi Tangkap Penjual Data Nasabah Dan Data Kependudukan' (tirto.id 15 August 2019) https://tirto.id/polisi-tangkap-penjual-data-nasabah-dan-data-kependudukan-egmx, accessed 21 July 2020.

12 The Jakarta Post, 'Activists Demand Police Investigate Alleged Hacking of Government Critic Ravio Patra's Phone' (25 April 2020) www.thejakartapost.com/news/2020/04/24/activists-demand-police-investigate-alleged-hacking-of-government-critic-ravio-patras-phone.html, accessed 23 July 2020.

13 id.

14 'Kronologi Penangkapan Ravio Patra Versi Polri' (CNN Indonesia 27 April 2020) www.cnnindonesia.com/nasional/20200427104309-12-497555/kronologi-penangkapan-ravio-patra-versi-polri, accessed 28 July 2020.

15 Ibrahim I, 'Polri Beberkan Kelanjutan Kasus Peretasan Akun Aktivis Ravio Patra' (Tribunnews 1 July 2020) www.tribunnews.com/nasional/2020/07/01/polri-beberkan-kelanjutan-kasus-peretasan-akun-aktivis-ravio-patra, accessed 25 July 2020.

16 'Kominfo Sindir Marketplace Tak Patuh Sebabkan Kebocoran Data' (CNN Indonesia 11 June 2020) www.cnnindonesia.com/teknologi/20200611100814-185-512112/kominfo-sindir-marketplace-tak-patuh-sebabkan-kebocoran-data, accessed 28 July 2020.

17 '230 Ribu Data Pasien Covid-19 Di Indonesia Bocor Dan Dijual' (CNN Indonesia 20 June 2020) www.cnnindonesia.com/teknologi/20200620083944-192-515418/230-ribu-data-pasien-covid-19-di-indonesia-bocor-dan-dijual, accessed 28 July 2020.

18 'Ini Kronologi Tersebarnya Jutaan Data KPU Yang Bocor' (CNBC Indonesia 22 May 2020) www.cnbcindonesia.com/tech/20200522141735-37-160286/ini-kronologi-tersebarnya-jutaan-data-kpu-yang-bocor, accessed 28 July 2020.

19 Fachriansyah R and Syakriah A, 'COVID-19: Indonesia Develops Surveillance App to Bolster Contact Tracing, Tracking' (The Jakarta Post 30 March 2020) www.thejakartapost.com/news/2020/03/30/covid-19-indonesia-develops-surveillance-app-to-bolster-contact-tracing-tracking.html, accessed 18 July 2020.

20 Wahid AB, 'Cerita Telkomsel Investigasi Kebocoran Data Denny Siregar' (detikinet 10 July 2020) https://inet.detik.com/telecommunication/d-5088551/cerita-telkomsel-investigasi-kebocoran-data-denny-siregar, accessed 25 July 2020.

21 id.

22 id.

23 id.

24 GR 71/2019 recognises two classifications of electronic system provider (ESP), namely ESPs for the public sector and ESPs for the private sector. 'ESP for public' means a state agency or an institution appointed by a state administrator agency (except for electronic system providers under the supervision of the financial sector authority) that operates electronic systems. Meanwhile, 'ESP for private' means a private person, business entity or community that operates electronic systems and is supervised or administered by ministries or relevant agencies, or is regulated under applicable laws and regulations, to provide various services to its customers (e.g., procurement of goods or services, search engines, administration of financial services).

25 Article 1 Paragraph (4) defines ESP as any person, state administrator, business entity, and the public that provides, manages, or operates electronic systems individually or jointly to electronic system users for their own purposes or for other parties' purposes.

26 Article 1 Paragraph (3) of the PDP Bill defines 'data controller' as a party that determines the purposes and means of the processing of personal data.

27 Article 1 Paragraph (4) of the PDP Bill defines a data processor as a party that processes personal data on behalf of a controller.

28 Article 14 Paragraph (1) of GR 71/2019 in conjunction with Article 2 of MCI 20/2016.

29 Article 1 Paragraph (29) of GR 71/2019 defines personal data as any data on a person that is identified or may be identified, individually or in combination with other information, whether directly or indirectly, through an electronic or non-electronic system.

30 The general personal data includes: full name, gender, citizenship, religion, or other combined data that can identify an individual.

31 The specific personal data would include: health data and information, biometric data, genetics, sexual orientation, political views, crime records, data on minors, personal finances, and other data in accordance with the applicable laws and regulations.

32 Article 14 of GR 71/2019 stipulates that personal data processing consists of: acquisition and collection; processing and analysis; retention; improvement and update; display, announcement, transfer, dissemination or disclosure; and deletion or destruction.

33 Article 1(10) of Law 23/2006 defines population data as structured individual data or aggregated data resulting from civil registration and citizen registration activities.

34 IAE serves as the general advertising guidelines. It applies to any kind of advertising activities on all media, including the internet. The IAE is a form of industry self-regulation; therefore, it is not a part of the legal hierarchy in Indonesia. Nonetheless, it serves as a guideline on advertising activities and is adhered to among entrepreneurs in Indonesia.

35 Franedya R, 'OJK Tutup 133 Fintech Ilegal Ini, Minta Kominfo Blokir' (10 October 2019) www.cnbcindonesia.com/tech/20191010062344-37-105780/ojk-tutup-133-fintech-ilegal-ini-minta-kominfo-blokir, accessed 1 August 2020.

36 Article 1(3) of Law 5/1986 defines 'administrative decree' as a written stipulation issued by an administrative body or official, containing an administrative legal act based on prevailing laws and regulations, which is concrete, individual and final, and which establishes legal effect upon a person or civil legal entity.

37 Article 1(2) of Law 5/1986 defines 'administrative body or official' as a body or official that undertakes governmental affairs based on prevailing laws and regulations.

38 'Sidang Gugatan Rp 21,9 M Atas Facebook Indonesia Dimulai 21 Agustus' (Kumparan 14 March 2019) https://kumparan.com/kumparantech/sidang-gugatan-rp-21-9-m-atas-facebook-indonesia-dimulai-21-agustus, accessed 22 July 2020.

39 Asih DN, 'Tokopedia Tanggapi Gugatan Rp100 M Soal Data Pengguna Bocor' (CNN Indonesia 11 June 2020) www.cnnindonesia.com/teknologi/20200611071643-185-512034/tokopedia-tanggapi-gugatan-rp100-m-soal-data-pengguna-bocor, accessed 18 July 2020.

40 Jelita I, 'Serius Bahas RUU PDP, DPR Targetkan Tuntas September' (Media Indonesia 6 July 2020) https://mediaindonesia.com/read/detail/325827-serius-bahas-ruu-pdp-dpr-targetkan-tuntas-september, accessed 14 July 2020.