General Data Localization Requirements in Indonesia

Similar documents
Security of Critical Information Infrastructure: Legal Issues

GOVERNMENT REGULATION NO.52 OF 2000 REGARDING TELECOMMUNICATIONS OPERATION

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department

WORLD TRADE ORGANIZATION

GLOBAL INDICATORS OF REGULATORY GOVERNANCE. Scoring Methodology

CHAPTER 13 ELECTRONIC COMMERCE

TELECOMMUNICATIONS OPERATION (Government Regulation No. 52/2000 dated July 11, 2000)

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Sector(s) Public administration- Information and communications (50%), General public administration sector (50%)

USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036

Legal framework of ensuring of cyber security in the Republic of Azerbaijan

E-Signature Law of Iraq no. ( 78) of 2012

PUBLIC AND PRIVATE ENTITY PARTNERSHIP IMPLEMENTING THE PROJECTS OF VILNIUS, KAUNAS AND PANEVĖŽYS COUNTY POLICE HEADQUARTERS

by: Eddie Widiono, Founder & Chief Advisor of Indonesia Smart Grid Initiative (Prakarsa Jaringan Cerdas Indonesia / PJCI)

DECREE OF THE MINISTER OF COMMUNICATION AND INFORMATION TECHNOLOGY NUMBER : 20/PER/M.KOMINFO/12/2010

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

PAKISTAN TELECOM SECTOR OVERVIEW

Facilities Master Plan Toronto Public Library Board Consultation

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

National Open Source Strategy

BACKGROUND NOTE ON ACTION PLANS

CEMR position paper. on the recast of the proposal for a directive on waste electrical and electronic equipement (WEEE) COM(2008)810/4

OF ELECTRICAL AND ELECTRONICS ENGINEERS POWER & ENERGY SOCIETY

STANDARD OPERATING PROCEDURE Critical Infrastructure Credentialing/Access Program Hurricane Season

THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, December 29, 2003

Directive on Security of Network and Information Systems

MINISTER OF TRADE OF THE REPUBLIC OF INDONESIA REGULATION OF THE MINISTER OF TRADE OF THE REPUBLIC OF INDONESIA NUMBER 14/M-DAG/PER/3/2016 CONCERNING

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

DATA PROTECTION LAWS OF THE WORLD. Bahrain

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

March 1, Dear Minister Rudiantara,

2017 Aid for Trade - Partner Country Questionnaire SurveyMonkey

Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

Angola. Part. 1 Contact information. 1.1 Name

Regulatory Notice 10-21

State Planning Organization Information Society Department

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

2014 Luxury & Fashion Industry Conference for Multinationals

ADMINISTRATION DEPARTMENT TENDER FOR RENEWAL OF EXISTING KASPERSKY ANTIVIRUS TOTAL SECURITTY FOR BUSINESS LICENSES FOR USE AT NIT KARACHI

Member of the County or municipal emergency management organization

Regulating Cyber: the UK s plans for the NIS Directive

Policy on Privacy and Management of Personal Information

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Digital Signatures Act 1

Review of the Canadian Anti-Spam Legislation

NEW INNOVATIONS NEED FOR NEW LAW ENFORCEMENT CAPABILITIES

Architecture and Standards Development Lifecycle

Canadian Anti-Spam Legislation (CASL)

A comprehensive approach on personal data protection in the European Union

Resolution: Advancing the National Preparedness for Cyber Security

Negotiations or Clarifications - Do you know the difference?

Canada s Anti-Spam Law ( CASL ): It s the Law on July 1, 2014 questions for directors to ask

Concept Note: GIDC. Feasibility Study(F/S) on Government Integrated Data Center (GIDC) for the Republic of Nicaragua

INFORMATION TECHNOLOGY NETWORK ADMINISTRATOR ANALYST Series Specification Information Technology Network Administrator Analyst II

Information Security Incident Response Plan

NASD NOTICE TO MEMBERS 97-58

Regulatory Notice 18-27

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

CORPORATE PERFORMANCE IMPROVEMENT DOES CLOUD MEAN THE PRIVATE DATA CENTER IS DEAD?

OAKLAND COUNTY, MICHIGAN GEOSPATIAL DATA ACCESS, DISTRIBUTION AND USE

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

General Terms & Conditions (GTC)

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

EUROPEAN COMMISSION DIRECTORATE-GENERAL INFORMATION SOCIETY AND MEDIA

Indonesia - SNI Certification Service Terms

BENCHMARKING PPP PROCUREMENT 2017 IN ARMENIA

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

OUTDATED. Policy and Procedures 1-12 : University Institutional Data Management Policy

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Canada s Anti-Spam Legislation (CASL) for Canadian Registered Charities and Non-profit Organizations

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Privacy Statement of Taiwan Cooperative Bank

UAE Space Policy Efforts Towards Long Term Sustainability of Space Activities Agenda Item 4; COPUOS June 2017 By: Space Policy and

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

ALGORITHMIC TRADING AND ORDER ROUTING SERVICES POLICY

Questions and answers on the revised directive on waste electrical and electronic equipment (WEEE)

Digital Assets: Practitioner s Guide Australia

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

RBC Royal Bank Online Application Terms and Conditions

Recovery and Reconstruction. towards disaster resilient communities - from lessons learnt in Japan - 24 August 2004.

OECD Experts Meeting on Telecommunications Services

Guidelines. Technical and Financial Support. State Wide Area Network (SWAN)

Data Compromise Notice Procedure Summary and Guide

0522: Governance of the use of as a valid UNC communication

Public Safety Canada. Audit of the Business Continuity Planning Program

Kingdom of Saudi Arabia. Licensing of Data Telecommunications Services

OnlineNIC PRIVACY Policy

Status of E Government in Tonga. Presented by: Ms. Siasini Petelo Ministry of Communications TONGA

Notice to Members. Branch Office Definition. Executive Summary. Questions/Further Information AUGUST 2002

What information is collected from you and how it is used

Law & Policy Meets Data in the Cloud: Data Sovereignty Across Asia. Bernie Trudel Chairman, Asia Cloud Computing Association

Directive on security of network and information systems (NIS): State of Play

Good Practice in Implementation of Grievance Redress Mechanism (GRM)

Financial Conduct Authority. Guidelines for investment firms using Trade Data Monitors (TDMs)

ASSEMBLY, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED FEBRUARY 4, 2016

Policy for Translating and Reproducing Standards Issued by the International Federation of Accountants

Transcription:

Jakarta July 2018 General Data Localization Requirements in Indonesia Authors: Mark Innis Foreign Legal Consultant +62 21 2960 8618 mark.innis@bakermckenzie.com Adhika Wiyoso Senior Associate +62 21 2960 8609 adhika.wiyoso@bakermckenzie.com Background and Overview Indonesia has had data localization requirements since the enactment of Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions ("GR 82"). GR 82 was enacted on 15 October 2012, with a transitional provision of five years for existing Electronic System Operators (as defined below) to comply with the regulations. Even with the five-year transitional period, Electronic Systems Operators had difficulties fulfilling the data localization requirements, for example, multinational companies tend to have global data center arrangements with their offshore group entities. Electronic System Operators have asked the government, through the Ministry of Communication and Informatics ("MOCI"), to clarify the requirements and provide leniency. As a response, the government is currently working on a draft amendment to GR 82. At the time of writing, there has been no official announcement from the government on when the amendment will be issued; however this is expected shortly. This article covers the general data localization requirements, explores the uncertainties, including the interpretation of "public services" and provides a brief summary of the key points in the upcoming amendment to GR 82. This article also includes information on the current lack of enforcement of the data localization requirements. Definition of Electronic Systems and Electronic Systems Operators Under GR 82: (i) An "Electronic System" is defined as a series of electronic sets and procedures which functions to prepare, collect, process, analyze, store, display, announce, send and/or disseminate electronic information. (ii) An "Electronic System Operator" is defined as any person, state entity, business entity and community that provides, manages and/or operates an Electronic System whether independently or collectively for an Electronic System user for its own use and/or another party's use. Based on the above definitions (which are broad in nature), any person or entity that manages and operates Electronic Systems (such as websites, applications,

email, and messenger), and provides those systems to other parties, may be considered as an Electronic System Operator. Data Center and Disaster Recovery Center Under GR 82, Electronic System Operators that provide public services were required by October 2017 to have data centers and disaster recovery centers in Indonesia as part of a business continuity plan. Based on the above provisions, the obligation to have a data center and a disaster recovery center in Indonesia only applies to Electronic Systems Operators that provide public services. However, there is no definition of public services under GR 82 (see the Public Services section below). These data localization requirements are replicated in Minister of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ("Data Protection Regulation"), under which Electronic System Operators that provide public services must have a data center and disaster recovery center in Indonesia. Like GR 82, the Data Protection Regulation does not provide a definition of "public services". Public Services Definition and Scope of Public Services The definition and scope of public services are provided under Law No. 25 of 2009 on Public Services ("Public Services Law") and Government Regulation No. 96 of 2012 on the Implementation of the Public Services Law ("GR 96"). The Public Services Law defines: (i) "Public Services" as activities or a series of activities for the purpose of fulfilling goods and services needs for every citizen and resident in accordance with the laws and regulations, and/or administrative services provided by public services providers. (ii) "Public Services Providers" as state institutions, corporations, independent agencies established by law for public services activities and other legal entities established solely for public services activities. The concept of "corporations" above is elaborated in GR 96 as follows: (i) Public Services Providers in the form of "corporations" cover state-owned entities (Badan Usaha Milik Negara), regional government-owned entities (Badan Usaha Milik Daerah) and/or implementation working units (Satuan Kerja Penyelenggara). (ii) Public Services Providers in the form of other legal entities (including private corporations or foundations) implementing a state mission (i.e., services that are meant to be provided by government institutions) cover legal entities 2 General Data Localization Requirements in Indonesia July 2018

providing public services based on: (a) a subsidy and/or other similar support; and (b) norms, standards, procedures and criteria or licenses in accordance with the relevant services as stipulated by laws and regulations (e.g., government-funded hospitals, private schools with government aid). Concept of State Mission The provision of public services refers to state mission and generally refers to services that are deemed as a necessity for all members of society or required by public policy. In the case of the provision of public goods or services, the Public Services Law and GR 96 specify that these services may be provided by (i) the government and funded by the State Budget or (ii) state-owned enterprises whose capital contribution comes from the state or a region or (iii) any other entity, either funded by the State or not, but which bears a state mission. Definition of "Public Services" in Connection to Data Centers and Disaster Recovery Centers GR 96 defines "State Missions" as certain activities, or to achieve certain purposes in relation to public interest and benefit this is a literal translation of the wording in GR 96, which is still unclear. Accordingly, it appears that "public services" means services provided by government institutions, state/government owned entities or other legal entities engaged for a state mission (as opposed to services of private entities that generally are provided to the public). Although GR 96 indicates that certain activities (e.g., banking services and insurance) are examples of public services, this does not make the position clear. In the absence of the government (especially the MOCI) providing a definition of "public services" there has been lobbying against a broad definition. In particular, businesses and their advisers have sought to limit the definition of public services under the Public Services Law and GR 96 to services effectively funded by the State. In any case, currently there is no restriction on following a "mirroring" approach - that is, replicating data stored in offshore data centers and storing a copy in data centers located in Indonesia. We are aware that companies in Indonesia have implemented this approach to replicate required data in local data centers without significant issues. As long as the data that is being stored in Indonesia is the same as what is stored in the offshore data center, this should not be an issue. The same treatment (i.e., no restriction on mirroring arrangements) is also implemented in other sectors, such as the financial sectors (e.g., banking, insurance, payment and other financial services ). However, these sectors have specific requirements to store data outside of Indonesia (albeit not specifically on mirroring arrangements). 3 General Data Localization Requirements in Indonesia July 2018

Definition of "Public Services" and Registration of Electronic System The narrow interpretation of the "public services" definition as outlined above has not yet been accepted by the MOCI. For example, in the context of electronic system registration. While the MOCI has not released any official statements on the interpretation of "public services" for registration of electronic systems, both in verbal conversations and in practice, the MOCI has taken a broad interpretation of the term "public services" for the purposes of electronic system registration. The MOCI regulation on electronic system registration only requires Electronic System Operators that provide public services to register their electronic systems with the MOCI. Notwithstanding the uncertainty in the definition of "public services", in practice, the MOCI has imposed the registration requirement on any local Electronic System Operators that generally provide their services to the public and/or make their services available to the public (such as social media companies, financial institutions, banking services, insurance companies etc.). Further, the Capital Investment Coordinating Board ("BKPM") will specifically state the electronic system registration requirements under the principle licenses of companies that will offer their electronic system access to the public, e.g., web portal companies. When a web portal company applies for a BKPM business license, BKPM will ask for proof of the registration with the MOCI as an Electronic System Operator. Amendment to GR 82 As mentioned above, near the end of the five-year transitional period of GR 82, the business community extensively lobbied the Government (e.g., the MOCI) to provide greater clarity on the data localization requirements. In October 2017, the MOCI indicated that it would revise GR 82 to introduce data categorization, and lessen, where possible, the requirements for data localization. The draft amendment to GR 82 introduces, among other things: (i) A broad definition of Electronic System Operators that provide a "public services" The list includes Electronic System Operators (a) that are regulated or monitored by sectoral agencies and regulators and (b) that own Electronic Systems that are an online portal, have a facility for online payment, process electronic information containing a deposit of funds, are used to process personal data for operational activities serving the public in connection with electronic transaction activities, are used to deliver paid digital material through a data network, or provide a communication service. So this is still a very broad categorization, and for example this will have an impact on all websites that collect or process information, and does not distinguish between public facing or non-public facing systems, and potentially, given the data categorization issues raised below, might still mean that Indonesian citizens' personal data cannot leave Indonesia. 4 General Data Localization Requirements in Indonesia July 2018

(ii) Leniency on onshore data center and disaster recovery center requirements Under the draft amendment to GR 82, there is no longer a requirement for Electronic System Operators that provide a public services to have data centers and disaster recovery centers in Indonesia in all circumstances. However, Electronic System Operators that provide a public services must effectively process and store Strategic Electronic Data (if any - as defined below) in onshore data centers and have onshore disaster recovery centers. In other words, Electronic System Operators that provide a public services can process and store any electronic data (other than Strategic Electronic Data) offshore. (iii) Data categorization The draft amendment to GR 82 introduces a new concept of data categorization. There are three types of electronic data: (a) Strategic Electronic Data: Data that strategically affects the public interest, public services, the continuity of the State's administration, or the State's defense and security. For example, intelligence data, population data or Indonesian citizens data, and state defense and security data. While this is broad, and clarification is required to ensure that there is no misunderstanding, presumably it is not the government's intention that every online application with an Indonesian citizen's identity card is considered strategic nor should large companies which obtain significant amounts of Indonesian citizens' data be caught; rather what should be caught is the centralization of such data by the government. Strategic Electronic Data can be managed, processed and stored through cloud computing (e.g., a cloud server), but the cloud network must use electronic system networks in Indonesia (e.g., managed, processed and stored in a local cloud server). Also, Strategic Electronic Data must not be delivered, exchanged or copied to overseas locations. Further, sectoral agencies and regulators can identify what data should be categorized as Strategic Electronic Data, but whether or not they will (e.g., in the oil and gas sector) is unclear. While it seems that the draft amendment to GR 82 gives sectoral agencies and regulators broad authority to identify (not determine) what data should be categorized as Strategic Electronic Data under their sectoral authorities, the relevant sectoral agencies and regulators must request the MOCI to determine (read confirm) the identified data as Strategic Electronic Data. (b) High Electronic Data: Data that has a limited impact on the interests of electronic data owners and their sectors. For example, data related to a company s financial records or business data. 5 General Data Localization Requirements in Indonesia July 2018

High Electronic Data can be processed and stored offshore, but must be made accessible and must be able to be processed in Indonesia for supervision and law enforcement purposes. Further, we should note that sectoral agencies and regulators can directly determine (not identify only) what data should be categorized as High Electronic Data under their sectoral authorities. (c) Low Electronic Data: Electronic data that is not categorized as Strategic Electronic Data and High Electronic Data. For example, a company's human resources or manpower administration, and public information. Conclusion Low Electronic Data can be processed and stored offshore, but must be made accessible and must be able to be processed in Indonesia for supervision and law enforcement purposes. As with the High Electronic Data, sectoral agencies and regulators can directly determine (not identify only) what data should be categorized as Low Electronic Data under their sectoral authorities. The implementation of the data localization requirements is not without issue and uncertainty. The government has heard the arguments and complaints from the business community and is currently preparing an amendment to GR 82, which is expected to be more liberal on the data localization requirements and at the same time provide more certainty to the business community. Prior to the enactment of the amendment to GR 82, companies that engage in business lines that fall under the jurisdiction of the MOCI need to register their electronic systems with the MOCI and show proof that they are complying with the data localization requirements (whether by owning data center infrastructure or leasing local infrastructure from a provider). www.hhp.co.id HHP Law Firm Pacific Century Place, Level 35 Sudirman Central Business District Lot. 10 Jl. Jenderal Sudirman Kav. 52-53 Jakarta 12190 Indonesia For the upcoming amendment to GR 82, Electronic System Operators must identify the type of data that they control and store. While the amendment to GR 82 would allow Electronic System Operators to store data offshore, Electronic System Operators will need to ensure that there is no Strategic Electronic Data being stored offshore. *** Tel: +62 21 2960 8888 Fax: +62 21 2960 8999 2018 Hadiputranto, Hadinoto & Partners is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a partner means a person who is a partner or equivalent in such a law firm. Similarly, reference to an office means an office of any such law firm. This may qualify as Attorney Advertising requiring notice in some jurisdictions. Prior results do not guarantee similar outcomes. 6 General Data Localization Requirements in Indonesia July 2018

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback