The European Parliament and the Council of European Union enacted Regulation 2016/679 on 25 May 2018, known as General Data Protection Regulation (“GDPR”). The GDPR provides a set of standardized data protection laws, which are intended to make it easier for consumers worldwide to understand how their data is being used.
GDPR has extra-territorial application outside European Union (“EU”) member states, and therefore affects data processing activities of controllers in other countries including Indonesia, where goods and services are being offered to individuals in the EU, and where their behavior may be monitored as a result of it. In this way, GDPR can be applicable to Indonesian companies if said company has a presence in EU territory and engages in business through digital platforms with EU customers or users, or tracks and analyzes the behavior data of EU individuals that are active online. Often, this monitoring and analysis is used to predict personal preferences, behaviors, and attitudes.
GDPR applies to personal data, both automated personal data and that under manual filling systems, which are accessible according to specific criteria. 1 GDPR classifies sensitive personal data as “special categories of personal data”. 2
The GDPR also recognizes that children deserve special protection of their personal data: consent for processing the data of children must be given or authorized by the holder of the parental responsibility over the child. According to such stipulations, a company which provides or offers service directly to children must ensure that its privacy notice is written in a clear and simplified way which makes it digestible for children. Furthermore, the consent under GDPR must be a freely-given, specific, informed, and unambiguous indication of the individual’s wishes. Consent shall also be separated from other terms and conditions, and be provided in a way that allows withdrawal of consent to be a simple process.
Through GDPR new rights for individuals have also been established, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right related to automated decision making and profiling. The GDPR also includes a provision that promote accountability and governance, imposing more policies and procedures for company.
Unfortunately, the issuance of this article does make clear how the GDPR will be enforced in Indonesia. Currently, data protection in Indonesian is regulated by the Regulation of Minister of Communication and Information No. 20 of 2016 (“MOC Regulation 20/2016”), which concerns Data Privacy Protection and Electronic Systems. However, the scope of MOC Regulation 20/2016 is limited to electronic communication, and there is no provision regarding the recognition and enforcement of international or foreign data protection laws.
Indonesia and the EU are currently negotiating a Comprehensive Economic Partnership Agreement (“CEPA”), which should help to clarify the issues on enforcement of GDPR in Indonesia when signed and ratified.
Furthermore, Indonesian legislative Dewan Perwakilan Rakyat is planning to pass a Personal Data Protection Bill this year. Its draft suggests that Indonesia will adopt a similar approach to the EU for personal data protection.
One of Schinder Law Firm’s key practice areas is cyber law and personal data protection law. Our Senior Advisor Professor Abu Bakar Munir is a renowned international expert in the subject and our team of lawyers have extensive experience in advising technology companies. We also host trainings and workshops on personal data protection law.
Contact us if you need legal assistance on any matter related to personal data protection.
1Article 4 (1) of GDPR.
2Based on Article 9 and Recitals (51) to (56) of GDPR, the special categories of personal data that may be deemed sensitive and is protected under GDPR are data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health, and sex life or sexual orientation.
About the author:
Akbar received his Sarjana Hukum (LLB) in 2012 from Universitas Trisakti. Subsequently, he earned his Magister Hukum (LLM) in transnational law in 2014. While at university, Akbar was actively involved in Student Executive Body where he served as Vice Head of Foreign Affair Department.