Indonesia e-Commerce – Data Breach And Cybersecurity.
29 January, 2020
Indonesian Ministry of Communication and Information (MOCI) Regulation No. 20 of 2016 on the Protection of Private Data in Electronic Systems (Data Privacy Regulation) provides that in case of a failure to keep personal data confidential, the relevant electronic system provider shall notify the owner of the personal data within a maximum of 14 days as of the date such failure becomes known to the provider.
Avoiding Data Breaches and Ensuring Cybersecurity
In terms of Indonesian regulation, there are no specific requirements or guidelines that electronic system providers must follow to avoid data breaches and ensure cybersecurity. If an electronic system provider wants to help ensure cybersecurity, it can retain the services of competent professionals. In Indonesia, information security consulting services are listed in the Indonesia Standard Industrial Classification (Klasifikasi Baku Lapangan Usaha Indonesia, or KBLI), which classifies the different business activities and fields in Indonesia.
Right to Be Forgotten
Indonesia recognized the “right to be forgotten” in 2016 through the issuance of an amendment to the Electronic Information and Transactions Law. Only the relevant user can submit an application to erase electronic information or documents, and the application shall be addressed to the relevant competent court.
Electronic system providers must provide a mechanism to erase electronic information or documents, and they shall erase the concerned electronic information or documents upon receiving a court order.
Indonesia does not have any specific rules on email. The definition of “electronic information” provided in the Electronic Information and Transactions Law includes “email”.
The individuals who own the personal data have the right to report the failure to process their personal data. The right to file a report is intended to allow negotiations between the parties to reach an amicable agreement.
The Data Privacy Regulation is silent on whether “owner of personal data” includes foreign citizens.
This article was first published in Lexology Getting the Deal Through – e-Commerce 2020 (Published: August 2019).
Fahrul S. Yusuf, Partner, Soewito Suhardiman Eddymurthy Kardono