Personal Data Protection Law in Indonesia: The Law No. 11/2008 (“UU-ITE”) and its Amendment in 2016

By: Sonny Zulhuda

wonderful indonesiaIndonesia slowly emerges to put some regulations in place pertaining to the cyberspace activities. Few laws and regulations now come up that address personal data protection (PDP). In this first post, I would like to highlight some rules of personal data protection law as found in the first Indonesian cyberlaw, i.e. Law on e-Information and e-Transaction.

Law No. 11/2008 (“UU-ITE”)

First is the “Undang-undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik” (popularly known as UU-ITE in Indonesian) or the Law No. 11 Year 2008 on the Electronic Information and Electronic Transaction (“Law No. 11/2008”).

This Law only has one section that addresses the issues of informational privacy or personal data protection, namely section 26. I had written some comments on this provision in my previous blog. In sum, section 26(1) provides for a general rule that consent is required whenever personal data is being electronically “used” (instead of “processed” – see my comments below). Section 26(2) provides that any breach or infringement of section 26(1) can be a basis for remedies.

Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:

(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.

(2) Every person whose privacy right is infringed upon as referred to in clause(1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).

Meanwhile the statutory elucidation of the Act explains that this provision is an acknowledgement of the privacy right protection. It goes on explaining that, the meaning of privacy right includes the following:

  1. A right to enjoy a private life free from interference;
  2. A right to communicate with other persons free from spying/surveillance;
  3. A right to access to information about his private life and private information.

What we can draw from this provision is as follows:

First, that the recognition of the right to privacy as far as this law is concerned is only limited to that of data/informational privacy, i.e. the right of every person to control what kind of information about him should belong to public domain. (Other aspects of privacy rights include right of anonymity, right of solitude and much more).

Second, be that as it may, the right to information privacy here is further restricted to the ‘use’ of such data. This is overwhelmingly restrictive bearing in mind that the international standard of data privacy covers so many dimension including the collection, processing, use, retention and disclosure of personal data. Here, on the other hand, restricts the matter only to the ‘use’ of personal information.

Third, more restriction was put in place that such rule on the use of personal data is only applicable as long as it is a use ‘by means of electronic media’. Therefore, any use of people’s personal data by which are documented not in electronic media, such as the usual paper archives, will not be subject to this law.

Fourth, the law mentions the need to get the approval of a person whose personal data was to be used (by means of electronic media). This is never explained as to how such approval can be obtained. Is it sufficient to have it on the basis of ‘opt-out’ principle, or does it require a more protective ”opt-in’ principle? There is a big gap between the two in terms of requirements, efforts and consequences. The more protective it is (i.e. with ‘opt-in’ principle), the better for the data subjects, i.e. people whose data is being used.

Fifth, with all these exceptions (a ‘data privacy’ in ‘electronic media’ to be ‘used’ with an ‘approval’).. it is found that the legal redress is also not very attractive. It allows civil suit for damages but is silent about criminal penalties. Thus, while compensation might be aimed at, a deterrence could be significantly absent.

Based on my notes above, it is argued therefore, that this Law (UU-ITE) with due respect, is not the best answer for protecting people’s privacy right be it in electronic and conventional media. Nevertheless, this law is perhaps a little solution for a huge problem. Do we require further law?

Amendment by Law No. 19/2016: Right to be Forgotten

Eight years after the enactment, in 2016, this law was amended to introduce more sub-sections were inserted under section 26, which made it to five sub-sections in total. This amendment is popularly known as “The Right to be Forgotten” rule. Section 26(3)

The Law No. 19 Year 2016 on the Amendment to Law No. 11 Year 2008 introduces section 26(3) which says that (I quoted the original words):

“Setiap Penyelenggara Sistem Elektronik wajib menghapus Informasi Elektronik dan/atau Dokumen Elektronik yang tidak relevan yang berada di bawah kendalinya atas permintaan Orang yang bersangkutan berdasarkan penetapan pengadilan.

It says, “A controller of an electronic system must delete an electronic information and/or electronic document under his control which is no longer relevant if that deletion is requested by a related person through a decision of a court.”

So, this is, in other words, a right to be forgotten. A person is given a right to compel an electronic system controller in whose system his personal data is retained, to ensure that such personal data under his control be disposed of. However, two things are required. First, that the personal data is no longer relevant. And, secondly, that such obligation only applies if it is already upheld by a court of law.

In sub-section (4) it says that “Setiap Penyelenggara Sistem Elektronik wajib menyediakan mekanisme penghapusan Informasi Elektronik dan/ atau Dokumen Elektronik yang sudah tidak relevan sesuai dengan ketentuan peraturan perundang-undangan.”

This sub-section requires that for the disposal/deletion of such irrelevant electronic information and/or electronic document, the controller of an electronic system has to provide a specific mechanism that would be prescribed by law. To the best of my knowledge, there is no specific by-law or regulation as yet that prescribes this deletion mechanism to abide by.

Having said that, the additional rule found in Law No. 19/2016 can bring some fresh air that the Parliament has shown “some further interest” on the issue of personal data protection. Also, it seems that they are also trying to catch up with one of the few development on the matter, i.e. pertaining to the right to be forgotten, although it would seem a little “too soon” for the Indonesians. Ideally, we need to be first introduced and educated on the general principles of personal data and its protection, only then we embrace this specific issue later.

As a matter of fact, a right to be forgotten can be dealt with under the principle of data retention. Under such principle, data users must put in place mechanism to dispose of personal data when they are no longer in use. Alternatively, under consent and choice principles, a data user or data controller is obliged to data subjects’ request to delete data if they do not wish such data  to be processed any more by the data user/controller.

More comments will come later.

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

Readings on SOSMA 2012 and the Electronic Monitoring Devices

By: Sonny Zulhuda

emd-sample-ag-250813

Electronic tagging is a form of surveillance which uses an electronic device (a tag) fitted to the person. It is commonly used as a form of electronically monitored punishment for people who have been sentenced to electronic monitoring by a court, or required to wear a tag upon release from prison. The use of electronic monitoring devices in Malaysia has been first introduced by the  Security Offences (Special Measures) Act 2012 (SOSMA) (Act 747). This article sourced few online reading materials relating to the use of electronic monitoring devices vis a vis the SOSMA. Therefore the similar concerns under the new amendment to the Criminal Procedure Code (CPC) 2012 are beyond the ambit of this survey.

In December 2015, Bernama reported that more than 200 people detained under the Prevention of Crime Act (POCA) have been strapped with an electronic monitoring device (EMD), quoting the Federal CID director, Datuk Seri Mohmad Salleh as saying. Salleh added that this effort was taken to monitor the movements of those people (apparently upon release – added), as well as to test the effectiveness of the device. Based on the similar report by Datuk Nur Jazlan Mohamed, the Home Deputy Minister, those who were detained under POCA include mainly those involved in gangsterism, violent crimes, property crimes as well as drug-related crimes. The report can be read here.

A similar provision on the use of EMD is also found in the Security Offences (Special Measures) Act 2012 (SOSMA). In section 7(1), the SOSMA provides for special procedures relating to the electronic monitoring device. It prescribes that, upon application by the Public Prosecutor under section 4 (which provides for the arrest and detention of a person believed to be involved in security offences), the Court shall order the person to be attached with an electronic monitoring device for a period as the Court may determine but which shall not exceed the remainder of the period of detention allowed under subsection 4(5) for purposes of investigation. Section 4(5) of SOSMA grants the maximum of extension to 28 days after the initial 24 hours of detention for the purpose of investigation.

Continue reading

Developing Privacy-Friendly Mobile Apps: Takeaways for Mobile Developers

By: Sonny Zulhuda

Image credit: computerworld.com

Image credit: computerworld.com (click on the image for full display)

This week (28th Aug) I will be participating in a national event dedicated for the modern digital lifestyle in Malaysia, named KL CONVERGE! which runs from 27th-29th August 2015 at Kuala Lumpur Convention Centre (KLCC) in the heart of the Malaysia’s capital. Visit the site here: http://www.klconverge.my/.

As the site highlights, KL CONVERGE! is a multi-platform digital content and creative industry event showcasing the world’s latest achievements and opportunities in the music, film, gaming and Internet space. It seeks to provide an immersive experience to show “how technology and content is an everyday part of our lives.” The event is bringing together leading industry executives from multimedia, applications, Internet and creative content to discuss, deliberate, showcase and celebrate the issues, opportunities and successes in digital space.

I have a honour to be part of the event to speak about key privacy issues for mobile apps developers – thanks to my friends and partners at the Data Protection Academy (DPA) LLP (Noris and Eddie). The discussion will reflect the new legal landscape brought about by the Personal Data Protection Act 2010 that concern mobile apps designers and developers. It’s this Friday, 28th August 2015 at 4.00PM (not one of the best time to listen a talk – sigh) at Room 306 KLCC Convention Hall. It is adjacent to the majestic Petronas twin tower, and it is a free admission event 😉 (ugh.. still..) (*_*)

In the one-hour talk, I will demonstrate the salient features of the data privacy laws in Malaysia and the emerging global trend, especially concerning the users/consumers of mobile apps. Issues such as data collection, notification and retention will be touched. Not less importantly will be the issue of personal data security that each mobile apps developer will have to consider when they decide to retain users’ personally identifiable information (PII). But on top of all those, I am posing a big question: “Should you ever collect the users’ personal information at all?” — I am at the moment finalising my presentation and will share here the key points in due course. See you there, if you make it:)

“Mirror mirror on FB Wall… Should you comment of them all?!”

(CASE CHAT ON ONLINE DEFAMATION)

By Sonny Zulhuda

ImageThe online wall that you have on your Facebook or other social networking sites is not like a wall in your private bedroom where you can always at your own freedom stick things from your own photos to class schedules, to your favorite Football Club posters. Those things would remain as your “private’ enjoyment and view.

But things that you, or others, post on your social networking sites wall is not private. There are people who share such wall and are ready to read your posts every time you have something new.

So this is a rather common-sense thing; just be careful, mindful and.. don’t do fool!

Let me just share with you this incident:

“Retiree to pay RM100,000 over FB posts

It was reported by the Star on October 1st, 2011, that a retiree from Penang has been ordered by a High Court here to pay a total of RM100,000 in damages and costs to a private automotive technology training centre where his son had studied over three defamatory postings on Facebook.

Continue reading

Breach of Personal Data — Telco was Sued for Leak of Communications Data

By: Sonny Zulhuda

What would you do when you realised an unknown has in his/her possession records of your SMS exchanges and a the actual recordings of your telephone conversations and sent them to your own desktop? Shocked, fear, terrorised, humiliated (somehow), and so on, you name it. But yes, it’s a nightmare! A lady who experienced this had brought a lawsuit against her telecommunication provider for allegedly revealing the content of her private communication to a third party.

Read the news report here. This particular lawsuit is the first that could trigger the provisions of Personal Data Protection Act 2010. Since the case proceeding has not started yet, nothing much can be heard from the case. Hopefully we can hear more updates in near future.

Meanwhile, the telecommunications company involved had issued a statement that they would carry out an investigation relating to the said allegation. Read the statement here.

Invasion of Privacy in Malaysia: A surgery turns sour!

By: Sonny Zulhuda

This is particularly a court decision that will attract many who are curious about law on invasion of privacy in Malaysia. The timing could not be more intriguing that now when the first privacy-related legislation was recently passed in the form of the Personal Data Protection Act 2010. No, this Act was not in the case (yet?), not even possibly so because the Act is still now not enforced. This case was instead dealt with under the civil law of torts.

As reported by the Sun Daily (3/9/2010), Judicial Commissioner Chew Soo Ho who sit in Penang High Court heard this suit brought about by a female writer against the doctors who were involved in a haemorrhoid surgery back in 2006. The point of concern was the fact that a doctor had taken photographs of her private parts while she was unconscious — without getting her prior consent.

Continue reading

  • June 2017
    M T W T F S S
    « May    
     1234
    567891011
    12131415161718
    19202122232425
    2627282930  
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,573 other followers