Personal Data Protection Law in Indonesia: The Law No. 11/2008 (“UU-ITE”) and its Amendment in 2016

By: Sonny Zulhuda

wonderful indonesiaIndonesia slowly emerges to put some regulations in place pertaining to the cyberspace activities. Few laws and regulations now come up that address personal data protection (PDP). In this first post, I would like to highlight some rules of personal data protection law as found in the first Indonesian cyberlaw, i.e. Law on e-Information and e-Transaction.

Law No. 11/2008 (“UU-ITE”)

First is the “Undang-undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik” (popularly known as UU-ITE in Indonesian) or the Law No. 11 Year 2008 on the Electronic Information and Electronic Transaction (“Law No. 11/2008”).

This Law only has one section that addresses the issues of informational privacy or personal data protection, namely section 26. I had written some comments on this provision in my previous blog. In sum, section 26(1) provides for a general rule that consent is required whenever personal data is being electronically “used” (instead of “processed” – see my comments below). Section 26(2) provides that any breach or infringement of section 26(1) can be a basis for remedies.

Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:

(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.

(2) Every person whose privacy right is infringed upon as referred to in clause(1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).

Meanwhile, the statutory elucidation of the Act explains that this provision is an acknowledgement of the privacy right protection. It goes on explaining that, the meaning of privacy right includes the following:

  1. A right to enjoy a private life free from interference;
  2. A right to communicate with other persons free from spying/surveillance;
  3. A right to access to information about his private life and private information.

Continue reading

Advertisements

Speak Privacy an Asian Way — at Asia Privacy Bridge Forum in Korea

By: Sonny Zulhuda

seoul.jpg

Last week I received this invitation letter to speak at the Third Asia Privacy Bridge Forum, hosted by Barun ICT Research Centre, Yonsei University, Seoul, South Korea towards the end of June 2017. The Director of the Centre, Dr. Beomsoo Kim noted that this Forum is supported also by KISA (Korea Internet and Security Agency) and the Korean Ministry of Interior. I am asked to speak about the development of the data protection laws in two countries Malaysia and Indonesia.

This is an exciting surprise. Not only because it would be my first visit to Korea, but also because I will have an invaluable opportunity to mingle with the Asia Pacific and international network on privacy and data protection; and to share with them what is up in Malaysia and Indonesia on this subject.

There are other speakers who are expected to speak from different jurisdictions: Korea, Japan, Singapore and China including: 1. Dr. Beomsoo Kim (Yonsei University, South Korea); 2. Jongsoo Yoon (Lee & Ko, South Korea); 3. Dr. Kaorii Ishii (University of Tsukuba, Japan); 4. Dr. Warren B. Chick (Singapore Management University); 5. Dr. Sonny Zulhuda (International Islamic University Malaysia); 6. Mr. Eunsil Lee (Seoul Metropolitan Police Agency); and Rona Morgan, Singapore-based IAPP Asia Director.

After all, the event sets as an ultimate aim a common desire to move forward collectively and globally in addressing the challenges of enforcing data privacy laws.

From the Malaysian perspective, this is the time to showcase what it has done or set to do beyond the initial period of public education on the law. What has been done towards enforcement? That is specifically questions that I would like to share during the Conference. Besides, the fact that the industries have moved further to issue self-regulatory Codes of Practice is also a stimulating development.

From the Indonesian perspective, there is quite a few development to share. In the past year, it is noteworthy that the 2008 Law on Information and E-Transaction (“UU-ITE”) was amended by the  Parliament to strengthen some aspects of the law, including on the “Right to be Forgotten”. Then, still in 2016, the Information Minister issued a new Ministerial Regulation on the Protection of Personal Data Processed Electronically. This regulatory piece is indeed a milestone to the data privacy law in Indonesia, albeit that it is a subsidiary legislation, rather than a parliamentary statute. Beyond this, there is this Bill draft of the Personal Data Protection Act that has been consolidated in early 2017.

With all these development, I hope I can portray insightful updates to the Forum and ultimately to everyone who shares the interest on this subject. But first, let’s hope my visa is ready on time.

UPDATE: the visa was ready on 23rd June, and I’m scheduled to fly on Sunday night.

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

“Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions 

By: Sonny Zulhuda 

In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).

In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.

IMG_20170319_095449

The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.

Continue reading

Data Sovereignty vs Data Localisation Law

By: Sonny Zulhuda

Transferring personal data beyond national boundaries has been a point of contention under many data protection laws across the globe. The European Union adopts this restriction that such transfer beyond EU boundaries cannot be done unless to the countries or places which have adequate protection on personal data of individuals.

Cloud-Data-SecurityThis rule is associated with the concept of “Data Sovereignty” which says that a country shall not lose a control or sovereignty over the processing of personal data pertaining to data subjects from that country. It also imposes that information which has been stored in digital form is subject to the laws of the country in which it is located. Therefore, a control over trans-border data flow is a form of upholding data sovereignty.

The concept of Data Sovereignty is reflected in the EU Data Protection Directives 1995 recitals whereas:

  • cross-border flows of personal data are necessary to the expansion of international trade;
  • the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection;
  • the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.

As much as we are concerned with personal data transferred beyond our border, we also appreciate that personal data is inherently needed for the International trade and International cooperation. Hence, when a personal data is subject to trans-border flow, there shall be no discriminatory treatment to the citizen’s personal data despite where it is processed.

Data Localisation Law

This data sovereignty is sometimes confused with the rules of “Data Localisation”, which is totally a different thing. Data localisation laws set forth requirements to keep and store data “locally” (i.e., within national or regional borders), and thus not allowing data users to transfer data beyond borders. Consequently, any foreign party who wishes to collect or process personal data of individuals will be required to establish a local data storage facilities in the country of those individuals. Continue reading

Social Media Policy and Regulation: A Network Governance Perspective

By: Sonny Zulhuda

The above is the name of the event in Tsinghua University, Beijing, on December 3-4, 2016, where I came as a speaker to the audience consisted of law, media and Internet governance academia and practitioners. Both Beijing-based School of Journalism and Communication of Tsinghua University and the School of Communication of Hong Kong Baptist University (HKBU) jointly organised this event.

The invitation came to me through Dr. Yik Chan Chin of the HKBU, who is with me at the Global Internet Governance Academic Network (GigaNet). Upon few exchanges of emails, I was then invited to come and present my views on the social media regulations in the Malaysian perspective. I must say that the event was really a rewarding experience; filled with substantial discussions, new perspectives and, of course, new friends and network!

IMG_3014

This can be highlighted from the list of the speakers of the two-day workshop: Continue reading

Open Government and Cyber Security in Malaysia

By: Sonny Zulhuda

Open government is the notion that allows transparency of governments in running matters pertinent to public interests. According to that concept, the government shall allow its citizens an access to government documents and a right to obtaining information relating to public matters.

In Malaysia recently, the Open Government initiative was represented in the Public Sector Open Data Portal programme which was launched in September 2015 by MAMPU, a Unit under the Prime Minister’s Department. It declares that the aim of such initiative is to open and share government data to public and hence to enhance transparency and efficiency of government and to create a digital innovativeness.

 

With this background, the question of how the Government deals with the increasing demand of freedom of information and other challenges ranging from personal data to the government data security is worth examining. I was invited to talk about this at an international conference hosted by Sydney Cyber Security Network, the University of Sydney, Australia. In my presentation, I highlighted a recent initiative of open data in Malaysian public sector and the related challenges on data security, privacy and information surveillance.

I was also looking at the recent developments in Malaysia relating to the enactment of personal data protection law and recent policies relating to critical infrastructure protection. Lessons from cases and incidents surrounding information security and personal data breaches were discussed to trigger discussions on relevant solutions and best practice.

Among the key summary of my talk in Sydney was as following:

  • Open Government is underway, but more economically-motivated and narrowly looked at “open data”. A long way to the “open government”.
  • Cyber security governance enhances the security of data in the Malaysian cyberspace. However:
  • There is a striking imbalance in the legal framework between the protection of secret on one hand, and the freedom of information on the other.
  • The data privacy law boosts the transparency in the private & commercial sector, but it is a missed opportunity for an open government.
  • The open government initiative needs to be supported as national agenda, to be backed by a stronger law and national policy.
  • October 2017
    M T W T F S S
    « Jul    
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    3031  
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,574 other followers