Personal Data Protection Law in Indonesia: The Law No. 11/2008 (“UU-ITE”) and its Amendment in 2016

By: Sonny Zulhuda

wonderful indonesiaIndonesia slowly emerges to put some regulations in place pertaining to the cyberspace activities. Few laws and regulations now come up that address personal data protection (PDP). In this first post, I would like to highlight some rules of personal data protection law as found in the first Indonesian cyberlaw, i.e. Law on e-Information and e-Transaction.

Law No. 11/2008 (“UU-ITE”)

First is the “Undang-undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik” (popularly known as UU-ITE in Indonesian) or the Law No. 11 Year 2008 on the Electronic Information and Electronic Transaction (“Law No. 11/2008”).

This Law only has one section that addresses the issues of informational privacy or personal data protection, namely section 26. I had written some comments on this provision in my previous blog. In sum, section 26(1) provides for a general rule that consent is required whenever personal data is being electronically “used” (instead of “processed” – see my comments below). Section 26(2) provides that any breach or infringement of section 26(1) can be a basis for remedies.

Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:

(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.

(2) Every person whose privacy right is infringed upon as referred to in clause(1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).

Meanwhile, the statutory elucidation of the Act explains that this provision is an acknowledgement of the privacy right protection. It goes on explaining that, the meaning of privacy right includes the following:

  1. A right to enjoy a private life free from interference;
  2. A right to communicate with other persons free from spying/surveillance;
  3. A right to access to information about his private life and private information.

Continue reading


Speak Privacy an Asian Way — at Asia Privacy Bridge Forum in Korea

By: Sonny Zulhuda


Last week I received this invitation letter to speak at the Third Asia Privacy Bridge Forum, hosted by Barun ICT Research Centre, Yonsei University, Seoul, South Korea towards the end of June 2017. The Director of the Centre, Dr. Beomsoo Kim noted that this Forum is supported also by KISA (Korea Internet and Security Agency) and the Korean Ministry of Interior. I am asked to speak about the development of the data protection laws in two countries Malaysia and Indonesia.

This is an exciting surprise. Not only because it would be my first visit to Korea, but also because I will have an invaluable opportunity to mingle with the Asia Pacific and international network on privacy and data protection; and to share with them what is up in Malaysia and Indonesia on this subject.

There are other speakers who are expected to speak from different jurisdictions: Korea, Japan, Singapore and China including: 1. Dr. Beomsoo Kim (Yonsei University, South Korea); 2. Jongsoo Yoon (Lee & Ko, South Korea); 3. Dr. Kaorii Ishii (University of Tsukuba, Japan); 4. Dr. Warren B. Chick (Singapore Management University); 5. Dr. Sonny Zulhuda (International Islamic University Malaysia); 6. Mr. Eunsil Lee (Seoul Metropolitan Police Agency); and Rona Morgan, Singapore-based IAPP Asia Director.

After all, the event sets as an ultimate aim a common desire to move forward collectively and globally in addressing the challenges of enforcing data privacy laws.

From the Malaysian perspective, this is the time to showcase what it has done or set to do beyond the initial period of public education on the law. What has been done towards enforcement? That is specifically questions that I would like to share during the Conference. Besides, the fact that the industries have moved further to issue self-regulatory Codes of Practice is also a stimulating development.

From the Indonesian perspective, there is quite a few development to share. In the past year, it is noteworthy that the 2008 Law on Information and E-Transaction (“UU-ITE”) was amended by the  Parliament to strengthen some aspects of the law, including on the “Right to be Forgotten”. Then, still in 2016, the Information Minister issued a new Ministerial Regulation on the Protection of Personal Data Processed Electronically. This regulatory piece is indeed a milestone to the data privacy law in Indonesia, albeit that it is a subsidiary legislation, rather than a parliamentary statute. Beyond this, there is this Bill draft of the Personal Data Protection Act that has been consolidated in early 2017.

With all these development, I hope I can portray insightful updates to the Forum and ultimately to everyone who shares the interest on this subject. But first, let’s hope my visa is ready on time.

UPDATE: the visa was ready on 23rd June, and I’m scheduled to fly on Sunday night.

Sistem ‘Co-regulatory’ Penanganan Konten Internet di Indonesia

Oleh: Sonny Zulhuda

Dalam menangani kelestarian berekspresi di Internet, diperlukan infrastruktur pengaturan yang bisa berbentuk self-regulatory (pengaturan sendiri) atau state regulatory (pengaturan via perangkat undang-undang oleh pemerintah).  Namun dari itu semua, yang ideal adalah dengan pendekatan sinergis antara semua pihak yg terkait, atau para pemangku kepentingan (stakeholders). Pendekatan ini biasa dikenal sebagai ‘pengaturan bersama’ atau ‘co-regulatory approach’). Bagaimana pendekatan ‘co-regulatory’ bagi isu pemuatan konten bisa dilaksanakan di Indonesia?

Di Indonesia, tindakan pemuatan informasi yang menimbulkan permusuhan/kebencian, misalnya, berdasarkan agama, dapat dikenakan sanksi berlapis di bawah Kitab Undang-undang Hukum Pidana (KUHP) dan UU No. 11/2008 tentang Informasi dan Transaksi Elektronik (UU-ITE) dengan ancaman denda maksimal satu milyar rupiah dan/atau penjara enam tahun.

Continue reading

Pengaturan Konten Internet: UU Pornografi vis a vis UU ITE

By: Sonny Zulhuda

Bangsa Indonesia sekali lagi mencatat peristiwa penting dengan lahirnya Undang-undang Pornografi (UUP) yang bertujuan menciptakan kepastian hukum atas penggunaan, penyediaan dan penyebaran produk dan jasa pornografi di tengah-tengah masyarakat Indonesia. Coretan kecil ini mencoba melihat beberapa tantangan implementasinya di ruang maya.

Continue reading

Kaitan Pasal-pasal UU Pornografi terhadap Media Internet

Ketentuan Undang-undang Pornografi* yang terkait dengan media Internet dan perbuatan hukum pengguna Internet – Draft Matriks

Disusun oleh: Sonny Zulhuda

Media Internet merupakan salah satu obyek pengaturan UUP yang mencakup pasal-pasal pidana bagi siapa saja yang menyebarluaskan atau mengunduh pornografi melalui media informasi dan komunikasi itu.

Selain itu ada juga pasal-pasal yang terkait pencegahan, pembuktian dan pnyidikan. Pasal-pasal ini dilihat melengkapi peraturan perundangan yang sebelumnya juga baru disahkan oleh DPR pada bulan maret lalu, yaitu Undang-undang Informasi dan Transaksi Elektronik (UUITE).

Dengan adanya kepastian hukum ini, kita berharap citra negatif Internet dapat dipebaiki dan dengan demikian dapat menumbuhkan masyarakat informasi Indonesia yang kreatif, produktif dan beretika tinggi.

Lantas, sejauh mana keterkaitan pasal-pasal di UU Pornografi terhadap Media Internet? Ini bisa disimak di matriks yang tersusun dibawah. Dalam kolom keterangan, nantinya akan kita analisa lebih jauh implikasi dan penjelasannya.

Continue reading

[Petikan UU-ITE] Cybersquatting, HAKI dan Perlindungan Data Pribadi

Sonny Zulhuda: UU ITE does cover more than what its name implies. This e-commerce law (note the name ‘e-Transaction’ ) does not only cover contractual issues, but also others such as evidentiary aspects, content regulation, cyber-squatting, IP and personal data protection, and also range of cybercrimes, although some aspects are dealt with in more details than others. This is one reason why this Indonesia’s first cyberlaw is distinct from other e-transaction laws in major countries and that in the UNCITRAL model law. In this respect, India is notably having similar approach.

In the following excerpt, one can find that the law provides some ruling on the cybersquatting, domain names management, protection of Intellectual Property Rights (IPR), and the personal data protection. The last two issues are touched in very minimum provisions, likely due to different reasons. While it is quite clear that regulations on IPR is minimum due to the existence of specific existing laws, it is not yet clear as to the Parliament’s intention in prescribing very minimum provisions on personal data protection. One may argue that the law on data protection should be specifically drafted on its own in near future.

Continue reading

  • September 2018
    M T W T F S S
    « Mar    
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,592 other followers