Expiry of Transitional Period of Personal Data Protection Law
On October 17, 2022, the Government enacted Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”). Under the PDP Law, Controllers, Processors, and other parties relevant to the processing of personal data have 2 (two) years from the date of enactment of the PDP Law to comply with the PDP Law. So, on October 17, 2024, the foregoing transitional period officially expired.
Despite the above, there are several remaining questions that need to be addressed to ensure full compliance with the PDP Law, including the following.
♦ Implementing Regulation of PDP Law
As of October 17, 2024, the Government has not issued the implementing regulation(s) of the PDP Law. The absence of the implementing regulation(s) makes it difficult for the relevant parties to comply with the PDP Law. Without the implementing regulation(s), key aspects such as the scope of processing activities, data subjects’ rights, details on data protection officers, transfer of personal data, enforcement mechanisms, and sanctions procedures remain unclear.
The Government issued a draft implementing regulation of the PDP Law as of August 31, 2023. Based on the information obtained from the website of the Ministry of Communication and Informatics (https://pdp.id/rpp-ppdp/1), the draft is currently at the harmonization stage. The Government is yet to confirm when the implementing regulation of the PDP Law will be officially enacted.
♦ Supervisory Institution
The PDP Law mandates the establishment of a specific supervisory institution, determined by the President, which reports directly to the President. The Institution’s responsibilities are to: (i) formulate and determine personal data protection policies and strategies, serving as guidelines for the personal data subjects and relevant key-players within the data processing environment; (ii) supervise the implementation of personal data protection; (iii) enforce administrative sanctions against violations of the PDP Law; and (iv) facilitate alternative dispute resolutions.
The Institution is crucial for monitoring compliance, providing guidance to organizations, and handling complaints from data subjects. Without a functioning supervisory institution, there may be a lack of accountability and no framework for addressing violations, leaving individuals and organizations without the necessary support to navigate their rights and responsibilities under the PDP Law.
Based on several news publications, the Government is actively preparing for the establishment of the supervisory institution mandated by the PDP Law, though it has yet to confirm an official timeline for its launch.
Notwithstanding the missing links in the PDP Law, we strongly recommend that all relevant parties comply with the PDP Law. We will continue to monitor the situation closely and provide timely updates and guidance as new information becomes available.
AKSET
Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com) or M. Fatih Satria Kasmaliputra (mkasmaliputra@aksetlaw.com) for further information.
Disclaimer:
The foregoing material is the property of AKSET and may not be used by any other party without prior written consent. The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances.
Any links contained in this document are for informational purposes and are available and relevant at time this publication is made. We provide no liability whatsoever in respect of any information or content in such links.
Health Omnibus Law Series – Data Privacy in the Health Sector
This Newsflash is part of our Health Omnibus Law Newsflash series on the issuance of Law No. 17 of 2023 dated August 8, 2023 on Health (the “Health Law”). The Health Law governs a wide range of topics in the health sector, including personal data protection in the health sector, and harmonizes the aspects of personal data protection in the health industry with the applicable data protection laws and regulations, particularly Law No. 27 of 2022 dated October 17, 2022 on Personal Data Protection (the “PDP Law”). Please refer to our previous Newsflash on the PDP Law at the following link: AKSET Newsflash - PDP Law.
As previously noted, the Health Law is issued using the omnibus method. The Health Law revokes several laws and regulations in the health sector, including Law No. 36 of 2009 dated October 13, 2009 on Health (the “Previous Health Law”). Under the Previous Health Law, provisions relating to data privacy and/or personal data protection were inadequate and were found only sporadically in several implementing regulations under the Previous Health Law, including the Minister of Health Regulation No. 24 of 2022 dated August 31, 2022 on Medical Records. Although the Health Law revokes the Previous Health Law, all implementing regulations of the Previous Health Law remain valid for so long as they do not contradict the Health Law.
We highlight the key data privacy related provisions under the Health Law, as follows.
♦ Personal Health Data and Information
- Obligation for Medical Personnel, Health Personnel, and Health Service Facilities to Maintain Confidentiality of Patients’ Personal Health Data and Information
Each Medical Personnel or Tenaga Medis (i.e., doctors and dentists) and Health Personnel or Tenaga Kesehatan (e.g., nurses) must maintain the confidentiality of patients’ personal health data and information when providing medical services to individuals. Information on patients’ personal health that shall be kept confidential includes history, condition and treatment, medication for one’s physical and psychological health, as well as the patients’ personal data. Such obligation also applies to Health Service Facilities or Fasilitas Pelayanan Kesehatan.
- Acknowledgement of Patients’ Rights to Confidentiality of Personal Health Data and Information and to Obtain Personal Health Data and Information
Patients are entitled to, among others, the right to confidentiality of their personal health data and information. Further, a patient is entitled to request their personal health data and information, including actions and treatments that the patient has received or will receive from Medical Personnel and/or Health Personnel.
However, the confidentiality above is not applicable in certain conditions such as (i) fulfillment of requests by law enforcers for law enforcement, (ii) management of extraordinary events or kejadian luar biasa, outbreaks, or disasters, (iii) limited educational and research interests, (iv) efforts to protect against threats to the safety of others, individually or to the public, (v) health maintenance, treatment, healing, and patient care interests, (vi) the patient’s own request, (vii) administrative, insurance payments, or health financing security interests, and/or (viii) other interests as regulated in the applicable laws and regulations.
♦ Medical Records
- Obligation for Medical Personnel, Health Personnel, and Health Service Facilities to Maintain Confidentiality of Medical Records
In providing medical services to individuals, each Medical Personnel and Health Personnel shall maintain a medical record prepared using an electronic system. A medical record is defined as a document that contains the patients’ identity data, observation, treatment, action, and other services provided to the patients. Such medical records shall be maintained and kept confidential by the Medical Personnel, Health Personnel, and management of Health Service Facilities.
- Acknowledgement of Patients’ Rights to Access Medical Records
Although the medical records are owned by the Health Service Facility, a patient may access information contained in their medical records. The Health Service Facility has the obligation to maintain the security, integrity, confidentiality, and availability of the data contained in the medical records.
- Management of National Health Data
In the context of the management of national health data, the Minister of Health (the “MOH”) is responsible for the management of the medical records. Such management of medical records includes formulation of policies, collection, processing, storage, security, data transfer, and monitoring.
- Operation of Health Information System
To carry out effective and efficient health efforts, the Health Law governs the operation of a Health Information System, which is a system that integrates multiple stages of processing, reporting, and use of information to increase effectiveness and efficiency in health management and directing decision making for health development. The operators of such Health Information System may be the Central Government, a Regional Government, a Health Service Facility, and the public, both individuals and groups (any one of them, an “Operator”).
- Obligation of Operators in Processing of Health Data and Information
An Operator shall ensure the reliability of the Health Information System which covers (i) availability, (ii) security, (iii) maintenance, and (iv) integration. Further, an Operator shall carry out the processing of health data and information in accordance with the applicable laws and regulations which includes (i) planning, (ii) collection, (iii) storage, (iv) inspection, (v) transfer, (vi) utilization, and (vii) destruction.
In carrying out the processing of health data and information, an Operator shall ensure the protection of health data and information of each individual. The Health Law also emphasizes that the processing of health data and information that uses individuals’ health data is subject to consent from the data owners and/or fulfill other requirements as the basis of personal data processing in accordance with laws and regulations on personal data protection.
- Rights of Data Owners in Processing of Health Data and Information
In relation to the data processing by an Operator, the data owners are entitled to, as follows: (i) obtain information regarding the purpose of collecting the individual health data, (ii) access and make changes to the data and information through the Operator, (iii) request the Operator to send the data to another Operator, (iv) request the Operator to delete incorrect data based on the data owner’s consent, and (v) obtain other appropriate personal data subject rights in accordance with laws and regulations on personal data protection.
- Location for Processing of Health Data and Information
An Operator shall carry out the processing of health data and information within Indonesia. Such processing of health data and information includes (i) acquisition and collection, (ii) management and analysis, (iii) storage, (iv) repairs and updates, (v) appearance, announcement, transfer, distribution, or disclosure, and/or (vi) deletion or destruction.
Notwithstanding the above, the Health Law provides that data processing may be carried out outside the territory of Indonesia (in the form of transfer and storage) in accordance with laws and regulations regarding electronic information and transactions, electronic system operation, and personal data protection. Specifically for cross-border data transfers, such data transfers shall be for a specific and limited purpose with a permit from the President.
We note that the Health Law expressly stipulates that provisions relating to medical records and processing of health data and information are to be further governed by a Government Regulation. As a reference, the same also applies to the majority of the provisions stipulated under the Health Law, which will be further governed by Presidential Regulations, Government Regulations, and Minister of Health Regulations.
Considering the current objections from medical society with respect to certain provisions under the Health Law, kindly anticipate that there is a possibility for the Health Law to be challenged by the medical society or other parties of interest through the Constitutional Court. We will monitor the development and will issue further updates as relevant.
August 24, 2023
AKSET
Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com), Clara Anastasia So (canastasia@aksetlaw.com), or M. Fatih Satria Kasmaliputra (mkasmaliputra@aksetlaw.com) for further information.
The Highly-Awaited Indonesian Personal Data Protection Law Is Passed
After about seven years in the making, on September 20, 2022, the Parliament finally approved the Personal Data Protection Bill (the “PDP Bill”) during the 5th Plenary Session of 2022-2023 of the Parliament.
In an age where personal data processing activities seem inevitable, the PDP Bill is expected to be the cornerstone and centerpiece of Indonesia’s personal data protection regulatory framework. The PDP Bill will serve as an “umbrella” regulation for all personal data processing activities horizontally across all sectors, while still allowing flexibility for each sector to tailor a specific regulation to its own sectoral characteristics.
At present, the approved version of the PDP Bill has not been circulated publicly. Nevertheless, based on the latest publicly available PDP Bill as of September 20, 2022, we note that the PDP Bill will adopt concepts similar to those found in more mature data protection regimes (e.g., the European Union’s General Data Protection Regulation/GDPR).
Below we highlight several key-concepts that are in the PDP Bill based on the latest publicly available version.
♦ Supervisory Institution
Since independent supervision is an essential component of the enforcement of data protection law, the PDP Bill mandates the establishment of a specific supervisory institution (the “Institution”) which reports directly to the President. The Institution has a myriad of authorities and powers, notably:
- Formulate and determine personal data protection policies;
- Supervise personal data protection compliance;
- Impose administrative sanction against personal data protection violations;
- Assess cross-border data transfer activities.
♦ Separation of “Controller” and “Processor”
Adopting a concept similar to that of the EU’s GDPR, the PDP Bill recognizes and separates a “Controller” from a “Processor” within a data processing ecosystem. Both parties are the key players within the data processing environment as the users of personal data. A Controller is defined as any person, alone or jointly with others, that determines the purposes of and has control over the processing of personal data. Meanwhile, a Processor is defined as any person who processes personal data on behalf of a Controller.
♦ Newly Formulated Lawful Grounds for Personal Data Processing Activities
One of the most significant changes that will be brought by the PDP Bill is the acknowledgement of other lawful grounds, in addition to the traditional approach that solely relies on “consent”, such as:
- For the performance of a contract;
- Legal duties of a Controller;
- Vital interests of a data subject;
- Public interest and exercise of official authority; and
- Other legitimate interests.
♦ Introduction of “Data Protection Impact Assessment” Obligation
The Data Protection Impact Assessment (DPIA) is required to be carried out by a Controller where the intended personal data processing activities are likely to result in a high risk for the data subjects. The DPIA is carried out to evaluate a potential risk that may occur from a processing activity and identify mitigating steps.
To this end, the PDP Bill stipulates a list of processing activities that may be considered as having a high risk, for which a DPIA is necessary, namely in cases where:
- Individual automated decision making that may produce legal effects or have similarly significant effects to the data subjects;
- Processing of sensitive personal data;
- Processing of personal data on a large scale;
- Processing of personal data for the purposes of evaluation, scoring, or systematic supervision towards the data subjects;
- Processing of personal data for the purposes of grouping or merging data group;
- The use of new technologies in the processing of personal data; and/or
- Processing of personal data which restricts the enforcement of data subjects’ rights.
♦ Appointment of Data Protection Officers
The PDP Bill requires a Controller and a Processor to appoint a Data Protection Officer (DPO), if all of the following conditions apply:
- The processing of personal data is carried out for public interests;
- The nature, scope, and/or purposes of the Controller’s core activities require the regular and systematic monitoring of personal data on a large scale; and
- The Controller’s core activities consist of processing activities on a large scale towards sensitive personal data and/or personal data related to criminal activities.
A DPO may be an internal person (i.e., a staff member) or an external person (e.g., a consultant/lawyer) as long as the DPO is appointed on the basis of professional qualities, expert knowledge and practice of personal data protection, and the ability to fulfill his/her tasks. In this case, a DPO has the task to:
- Inform and advise the Controller or the Processor to comply with the PDP Bill;
- Monitor and ensure the compliance of the PDP Bill and the relevant policies of the Controller or the Processor, including the assignment, responsibilities, awareness-raising, and training of all the parties involved in the processing activity, as well as related audits;
- Provide advice relating to the data protection impact assessment and monitor the performance of the Controller and the Processor; and
- Coordinate and act as the contact point for issues related to personal data processing activities.
♦ Sanctions
Under the PDP Law, a personal data protection violation may be subject to both administrative and criminal sanctions.
The criminal sanctions are in the form of monetary fines (up to Rp6 billion) and imprisonment (up to 6 years). Meanwhile, in addition to written warnings and temporary suspension of personal data processing activities, the PDP Bill imposes an administrative fine of up to 2% of the Controller’s or the Processor’s annual income for the relevant violation, the variables of which will be further regulated in an implementing regulation.
September 22, 2022
AKSET
Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com), Raden Suharsanto Raharjo (rraharjo@aksetlaw.com), or Noor Prayoga Mokoginta (nmokoginta@aksetlaw.com) for further information.
A New Regulatory Framework for the Operation of Electronic System within the Territory of Indonesia
On October 10, 2019, the Indonesian Government issued Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions (“GR 71/2019”). This regulation is intended to be one of the key implementing regulations of Law No. 11 of 2008, last amended by Law No. 19 of 2016, on Electronic Information and Transactions (the “EIT Law”), revoking the outdated regime of Government Regulation No. 82 of 2012.
GR 71/2019 provides a breath of fresh air to the Indonesian EIT regulatory framework in facing the challenges presented by the rapid growth of information technology. GR 71/2019 introduces a myriad of new concepts in relation to the operation of electronic systems and data governance, such as the classification of electronic system operators, a conditional data localization requirement, a more modern set of personal data protection rules, and so on.
To further implement certain provisions referred in the GR 71/2019, the Ministry of Communication and Informatics (MOCI) subsequently issued Regulation No. 5 of 2020 on Private Electronic System Operator (“MOCI 5/2020”). This regulation went into effect on November 24, 2020, the date of its promulgation.
Below we highlight some notable provisions under GR 71/2019 and MOCI 5/2020.
- DEFINITION OF KEY-TERMINOLOGIES STIPULATED BY GR 71/2019 AND MOCI 5/2020
First and foremost, it is important to note that both GR 71/2019 and MOCI 5/2020 provide relatively broad definitions of several key terminologies. Consequently, the regulations may be applicable to the operation of almost all types of electronic systems and information commonly used in this day and age.
An Electronic System Operator (an “ESO”) is defined as anyone that provides, manages, or operates an Electronic System, whether individually or jointly. Further, the term Electronic System itself is defined as a series of devices and electronic procedures used to prepare, collect, process, analyze, store, display, announce, deliver, or disseminate electronic information.
- THE CLASSIFICATION OF ESO, AS PROVIDED BY GR 71/2019 AND MOCI 5/2020
There are 2 (two) types of ESO, as follows:
- Public ESO
Public ESOs are government institutions and other agencies which are appointed by government institutions to operate electronic systems for them and on their behalf, excluding regulatory and supervisory authorities within the financial sector (e.g., Bank Indonesia and the Financial Services Authority).
- Private ESO
Conversely, Private ESOs are individuals (whether Indonesian or international residents) and business entities that operate Electronic Systems and fall under the following categorization:
- Private ESOs which are subject to the regulation or supervision of a ministry or governmental institution based on the prevailing laws and regulations; and
- Private ESOs which own internet-based portals, sites, or applications within Internet network with the purposes of:
- providing, managing, and/or operating goods and/or services trading and/or offering;
- providing, managing, and/or operating financial transaction services;
- delivery of materials or paid digital content through data networks, by way of downloading via websites, sending of emails or through applications to customers’ devices;
- providing, managing, and/or operating communication services which include but not limited to short text messages, voice calls, video calls, emails, digital chatrooms, networking services and social media;
- search engine and electronic information provider services in the form of text, audiovisual data, animations, music, video, films and games or any combination of the above; and/or
- processing of personal data in accordance with the organization of public services that address electronic transaction activities.
In addition to the above, MOCI 5/2020 also added 2 (two) specific classes of Private ESO, as follows:
- User Generated Content (UGC) Private ESOs are those who provide an Electronic System whereby the provision, display, upload, and/or exchange of electronic information and/or documents are carried out by the user.
- Cloud operator Private ESOs are those who provide, operate, and/or manage cloud services.
- REGISTRATION REQUIREMENT AND ITS EXTRATERRITORIAL REACH
Both Public and Private ESOs are required to register themselves with the MOCI. The registration shall be carried out through the Online Single Submission System (“OSS”) by completing the necessary documentation, such as the technical specification, a brief elaboration on the operation of the Electronic System, and so on.
This registration requirement is further applicable to foreign Private ESOs which (i) provide their services within the territory of Indonesia; (ii) carry out their business in Indonesia; and/or (iii) whose Electronic System is used and/or offered within the territory of Indonesia. In addition to the documentation required for Private ESO registration, a foreign Private ESO must provide the following information for ESO registration (along with its Indonesian translation by a sworn translator):
- The identity of the foreign Private ESO;
- The identity of the head of organization and/or person-in-charge;
- Domicile certificate and/or certificate of incorporation;
- Number of Indonesian users; and
- The amount of transaction generated from Indonesia.
- COMPLIANCE CHECKLIST FOR PRIVATE ESO
In general, both regulations establish a set of rules that must be followed by ESOs (including Private ESOs), among others:
- the Electronic System shall fulfill minimum operational requirements, such as being able to redisplay information, protecting integrity, having a sustainable mechanism to maintain accountability, and so on;
- the Electronic System shall not contain, or facilitate the dissemination of, illegal content (i.e., information which violates laws and regulations, disrupts society and public order, etc.);
- the use of appropriate hardware and software, in accordance with laws and regulations;
- ensuring the security of the Electronic System and implementing appropriate and accountable governance policies and procedures;
- providing information governance policies as appropriate (e.g., terms and conditions as well as a privacy policy).
In addition to the above, there are specific requirements set forth by MOCI 5/2020 for UGC Private ESOs, as follows:
- provide an information governance policy, consisting of (i) provisions on the rights and obligations of the user and the Private ESO in the use and operation of the Electronic System, and (ii) a clear stipulation of responsibility for the electronic information uploaded by users;
- provide a complaint facility, which must be accessible to the public; and
- respond to, assess, and inform the user regarding the lodged complaint.
As a safe harbor mechanism, Article 11 of MOCI 5/2020 further stipulates that a UGC Private ESO shall be indemnified from liability for illegal electronic information, on the condition that (i) it is already in compliance with the rules set forth by GR 71/2019 and MOCI 5/2020, (ii) it provides the necessary information on the user who disseminated/uploaded the illegal electronic information, for the purpose of supervision and/or law enforcement, and (iii) it takes down the illegal electronic information.
- PERSONAL DATA PROTECTION PROVISIONS WITHIN THE EIT REGULATORY FRAMEWORK
The issuance of GR 71/2019 marks another milestone for Indonesia in its effort to protect individuals’ personal data. Despite the fact that it only consists of a few articles, the regime is jam-packed with new ideas and concepts that correspond to the international standard of personal data protection regulation.
GR 71/2019 introduces several new principles that must be followed at every step of a personal data processing activity within an electronic system, such as data minimization and purpose limitation, as well as the lawfulness, fairness and transparency principles. It also adds several conditions for consent to be considered lawful when compared to the previous regime.
For further elaboration on this, please see our Data Protection & Privacy Recent Regulatory Development and AKSET’s latest GTDT on Data Protection & Privacy.
- TAKE DOWN MECHANISM
In relation to the obligation to ensure that the Electronic System does not contain illegal electronic information, MOCI 5/2020 specifies relatively detailed rules on the take down mechanism.
Under MOCI 5/2020, a take down request can be submitted by the public, ministries/institutions, law enforcement, and/or courts via a website and/or application, written letter, and/or e-mail. A lodged take down request shall be considered urgent/emergency if the illegal information relates to terrorism, child pornography, or content which disrupts society and public order.
In this case, Private ESOs shall take down the illegal electronic information within 1x24 hours after receiving the take down order from the relevant institution, and within at the latest 4 hours for an urgent/emergency take down request.
- DATA DISCLOSURE AND ACCESS FOR THE PURPOSE OF REGULATORY SUPERVISION AND LAW ENFORCEMENT
Lastly, MOCI 5/2020 elaborates on the obligation of ESOs in relation to data disclosure and access for law enforcement as stipulated by Article 22 of GR 71/2019.
Data disclosure and access, in this regard, shall be carried out in response to a written request from the relevant institutions or law enforcement, along with the necessary explanation/documentation, such as the scope of the access, its purposes, the type of access, the personal data protection mechanism, the period of access, etc. The access is provided in the form of a URL, a specific application made by the Private ESO, or other means agreed by the relevant parties.
MOCI 5/2020 stipulates relatively stringent safeguards in relation to the data disclosure and access mechanism, such as limitation of access, confidentiality of access, and so on.
November 25, 2020
AKSET
Please contact Abadi Abi Tisnadisastra (atisnadisastra@aksetlaw.com) and Noor Prayoga Mokoginta (nmokoginta@aksetlaw.com) for further information.
