Personal Data Protection Law in Indonesia: The Law No. 11/2008 (“UU-ITE”) and its Amendment in 2016

By: Sonny Zulhuda

wonderful indonesiaIndonesia slowly emerges to put some regulations in place pertaining to the cyberspace activities. Few laws and regulations now come up that address personal data protection (PDP). In this first post, I would like to highlight some rules of personal data protection law as found in the first Indonesian cyberlaw, i.e. Law on e-Information and e-Transaction.

Law No. 11/2008 (“UU-ITE”)

First is the “Undang-undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik” (popularly known as UU-ITE in Indonesian) or the Law No. 11 Year 2008 on the Electronic Information and Electronic Transaction (“Law No. 11/2008”).

This Law only has one section that addresses the issues of informational privacy or personal data protection, namely section 26. I had written some comments on this provision in my previous blog. In sum, section 26(1) provides for a general rule that consent is required whenever personal data is being electronically “used” (instead of “processed” – see my comments below). Section 26(2) provides that any breach or infringement of section 26(1) can be a basis for remedies.

Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:

(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.

(2) Every person whose privacy right is infringed upon as referred to in clause(1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).

Meanwhile the statutory elucidation of the Act explains that this provision is an acknowledgement of the privacy right protection. It goes on explaining that, the meaning of privacy right includes the following:

  1. A right to enjoy a private life free from interference;
  2. A right to communicate with other persons free from spying/surveillance;
  3. A right to access to information about his private life and private information.

What we can draw from this provision is as follows:

First, that the recognition of the right to privacy as far as this law is concerned is only limited to that of data/informational privacy, i.e. the right of every person to control what kind of information about him should belong to public domain. (Other aspects of privacy rights include right of anonymity, right of solitude and much more).

Second, be that as it may, the right to information privacy here is further restricted to the ‘use’ of such data. This is overwhelmingly restrictive bearing in mind that the international standard of data privacy covers so many dimension including the collection, processing, use, retention and disclosure of personal data. Here, on the other hand, restricts the matter only to the ‘use’ of personal information.

Third, more restriction was put in place that such rule on the use of personal data is only applicable as long as it is a use ‘by means of electronic media’. Therefore, any use of people’s personal data by which are documented not in electronic media, such as the usual paper archives, will not be subject to this law.

Fourth, the law mentions the need to get the approval of a person whose personal data was to be used (by means of electronic media). This is never explained as to how such approval can be obtained. Is it sufficient to have it on the basis of ‘opt-out’ principle, or does it require a more protective ”opt-in’ principle? There is a big gap between the two in terms of requirements, efforts and consequences. The more protective it is (i.e. with ‘opt-in’ principle), the better for the data subjects, i.e. people whose data is being used.

Fifth, with all these exceptions (a ‘data privacy’ in ‘electronic media’ to be ‘used’ with an ‘approval’).. it is found that the legal redress is also not very attractive. It allows civil suit for damages but is silent about criminal penalties. Thus, while compensation might be aimed at, a deterrence could be significantly absent.

Based on my notes above, it is argued therefore, that this Law (UU-ITE) with due respect, is not the best answer for protecting people’s privacy right be it in electronic and conventional media. Nevertheless, this law is perhaps a little solution for a huge problem. Do we require further law?

Amendment by Law No. 19/2016: Right to be Forgotten

Eight years after the enactment, in 2016, this law was amended to introduce more sub-sections were inserted under section 26, which made it to five sub-sections in total. This amendment is popularly known as “The Right to be Forgotten” rule. Section 26(3)

The Law No. 19 Year 2016 on the Amendment to Law No. 11 Year 2008 introduces section 26(3) which says that (I quoted the original words):

“Setiap Penyelenggara Sistem Elektronik wajib menghapus Informasi Elektronik dan/atau Dokumen Elektronik yang tidak relevan yang berada di bawah kendalinya atas permintaan Orang yang bersangkutan berdasarkan penetapan pengadilan.

It says, “A controller of an electronic system must delete an electronic information and/or electronic document under his control which is no longer relevant if that deletion is requested by a related person through a decision of a court.”

So, this is, in other words, a right to be forgotten. A person is given a right to compel an electronic system controller in whose system his personal data is retained, to ensure that such personal data under his control be disposed of. However, two things are required. First, that the personal data is no longer relevant. And, secondly, that such obligation only applies if it is already upheld by a court of law.

In sub-section (4) it says that “Setiap Penyelenggara Sistem Elektronik wajib menyediakan mekanisme penghapusan Informasi Elektronik dan/ atau Dokumen Elektronik yang sudah tidak relevan sesuai dengan ketentuan peraturan perundang-undangan.”

This sub-section requires that for the disposal/deletion of such irrelevant electronic information and/or electronic document, the controller of an electronic system has to provide a specific mechanism that would be prescribed by law. To the best of my knowledge, there is no specific by-law or regulation as yet that prescribes this deletion mechanism to abide by.

Having said that, the additional rule found in Law No. 19/2016 can bring some fresh air that the Parliament has shown “some further interest” on the issue of personal data protection. Also, it seems that they are also trying to catch up with one of the few development on the matter, i.e. pertaining to the right to be forgotten, although it would seem a little “too soon” for the Indonesians. Ideally, we need to be first introduced and educated on the general principles of personal data and its protection, only then we embrace this specific issue later.

As a matter of fact, a right to be forgotten can be dealt with under the principle of data retention. Under such principle, data users must put in place mechanism to dispose of personal data when they are no longer in use. Alternatively, under consent and choice principles, a data user or data controller is obliged to data subjects’ request to delete data if they do not wish such data  to be processed any more by the data user/controller.

More comments will come later.

Data Protection in the Era of Big Data, the Internet of Things (IoT) & Cloud Computing

By: Sonny Zulhuda

ALB Conference 2015This is the second such conference being organised by ALB/Thomson Reuters on Data Protection following the successful event a year ago. I spoke in a panel session last year, and will be speaking again this time. The conference will be on Thursday, 7th May 2015 at the JW Marriott Kuala Lumpur.

Keynotes will be delivered by Trevor Hughes, President of the International Association of Privacy Professionals (IAPP); Dr. Zainal Abidin Sait, Deputy Director-General of the Personal Data Protection Malaysia Department (PDPD); and Prof. Abu Bakar Munir, who was the Data Protection Consultant to the Malaysian Government.

My panel session is the one slotted at 16:10, focusing on “Data protection in the era of Big Data, the Internet of Things (IoT) & cloud computing,” covering the Jurisdiction and marketplace: Asia Pacific, EU and US.

Continue reading

Whither Digital Privacy: Be afraid, be very afraid!

By: Sonny Zulhuda

imageA quick takeaway from a closed session on Students’ Digital Privacy yesterday at Le Meridien KL (June 7th, 2013), I’d like to share what California-based Jeff Gould presented.

The SafeGov.org CEO told the audience of their research findings, among others:

  • The high significance of Facebook “Like” in profiling the identity of FB users;
  • Real possibility of identifying a person via DNA reconstruction taken from a gum;
  • Telco’s effort to provide some form of customer’s surveillance as their enhanced service;
  • ISP’s role in protecting children privacy through contractual agreements with the users/subscribers

Many things shared which are not new issues but came with novel modus operandi. We just need to be vigilant.

The closed session was attended by representatives from Cybersecurity Malaysia, Parents Action Group for Education (PAGE), FOMCA, Microsoft Corp, India-based CUTS and some local universities. Mr. Rosly Yahil from Cybersecurity Malaysia spoke about various initiatives taken in Malaysian context in dealing with the issues.

During the Q&A session, I managed to share with the floor on several issues and development on data privacy in Malaysia: Continue reading

Consumers to take control of their Personal Data

My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s page HERE.

======================================

“Consumers, take control of your personal data”

The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.

Credit: The Star Online

Credit: The Star Online

EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.

It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?

This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.

Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.

Continue reading

PDP Act Compliance Program – Where to Start?

By: Sonny Zulhuda

success manThis New Year was marked by concerns about complying with the Personal Data Protection (PDP) Act 2010 for Malaysian data users: Bankers, Telco’s, Insurers, Hospitals, Marketers, Airliners, Property Sellers, and many more.

For data users, this is what you may consider:

1. Get to know about the law and its implication to you;

2. Make self-assessment on your current business processes to what extent it complies (or not) with the law;

3. Plan a massive personal-data compliance programme.

For the first one, the shortcut is to attend forum, workshops or training on Personal Data Protection law. There are now few such training in the market. Identify them and get involved. There are few types of training you can consider, according to your needs:

Continue reading

What You Need to Know about the PDPA

==============================

My Intro: The following article, appeared in The Star newspaper, is about public awareness on the Personal Data Protection Act (PDPA) 2010 (Act 709). The journalist had compiled the report out of few resources, including the PDP Department and myself (through series of interaction). It is indicated at the bottom of the article itself. I reproduce the article in this page for the benefit of more readers.

Cheers! Sonny Zulhuda

==============================

“What You Need to Know about the PDPA”

(Reproduced from The Star Online, published on Sunday, 30/12/2012)

PDPA 2010A freelance journalist from Penang was already coping with the pain from a hemorrhoids surgery when she had to endure another hurtful experience – she discovered that her surgeon had taken photographs of her private parts without her consent when she was under.

When she confronted him, she was told that it was “normal procedure” and a common practice for “medical purposes”. Outraged that her privacy had been violated, she sued the doctor.

This is one of the many cases of personal data breaches and privacy violations in the country. Hence, the enforcement of the Personal Data Protection Act (PDPA) this New Year is much lauded. In fact, it is long awaited – for some, over a decade long.

However, while pictures of one’s private parts may constitute as personal data, the aggrieved patient would not be able to take action under the Act – our PDPA only regulates commercial transactions. (The freelance journalist, however, won RM25,000 in damages in her civil court case.)

Here are some of the facts you need to know about the PDPA: Continue reading

From the 2nd Annual Summit on Personal Data Protection (KL, 12-13 Dec 2012)

By: Sonny Zulhuda

Brochure2 PDP Forum Dec 2012This 2nd Annual Personal Data Protection Summit was held in Royale Chulan of Kuala Lumpur. As admitted by the organiser (the World Asian Summit), this year edition showed much bigger interest. This impressive crowd attendance can only mean one thing: the undeniable importance of the PDP Act 2010.

The Deputy Minister Dato’ Joseph Salang had re-emphasised the Government’s seriousness about implementing the long-awaited legislation, which was already passed since June 2010. In his key-note speech, he again revealed that the Act will be enforced on the 1st January 2013 – echoing similar statement by the Minister of Information, Communications and Culture recently (Read reports on Dato’ Joseph’s announcement here, here and here).

I was invited to speak in the 2-day conference, on “Reality check on the right to privacy in Malaysia — and how is it affected by the mobile technologies and social media.” Continue reading

  • June 2017
    M T W T F S S
    « May    
     1234
    567891011
    12131415161718
    19202122232425
    2627282930  
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,573 other followers