Flow Of Electronic Data
1. Introduction

The current development on the flow of electronic data, especially personal data, across nations is increasing daily. Most of the flows are related to business activities in which services are provided to fulfill the needs of people. This also leads to the transformation of commerce, which is becoming worldwide and increasingly international. The transfer of huge quantities of data relating to customers and employees is required and often occurs among entities located in different countries. An example would be the system of outsourcing, a practice in which companies and governments hire an external service provider in another country to deliver a program or provide a service, such as managing a human resources or customer database. This can often result in improved efficiencies and levels of service. Further, the advancement of global networks, such as the internet, provides the possibility to collect, process, and distribute personal data on an unprecedented scale. However, the trans-border flow of personal data is not only performed by companies or governments but is also conducted by individuals in everyday life. When the data is used by companies or governments, this can represent a high volume of data, such as in the form of the transfer of databases. The volume is quite different when the data is provided by individuals who disclose their personal data while participating in particular activities, such as browsing the internet or registering on various websites to obtain certain services. Additionally, there is a strong possibility that individuals who engage in data transfer activities lack full awareness of what could be done with their personal data. In some instances, they do not realize that they have disclosed their personal data and that it is subject to transmission and processing within countries not offering the same level of protection as their own country.
For example, a student - physically located in the Netherlands - may complete an online game registration form containing several fields soliciting his/her identity, without knowing that the actual service provider is registered in India. In another example, a social worker residing in the United Kingdom might disclose his/her personal data on a web application for an internet banking service provided by a bank based in the United States. From the short description above, the trans-border flow of personal data takes place in everyday life, and it has become a vital need of every stakeholder, whether governments or the private sector, including individuals. Nevertheless, while the flow has led to greater efficiencies and economic benefits, it has also raised concerns that some information could end up in the hands of people for whom it was not intended. Even worse is the situation in which no one has realized that the flow has taken place, creating a great opportunity for infringement of one's privacy rights. Some rules concerning privacy and data protection have been set up at the national, regional, and international levels to guarantee that privacy, as one of the human rights, is not harmed by any activity, including data processing as the final purpose of a trans-border flow. Consequently, the trans-border flow of personal data has to be conducted in a lawful manner. In this respect, a legal framework on the trans-border flow of personal data has been enacted in Europe by the European Commission (EC) under two directives. The first one is Directive 95/46/EC concerning the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. This Directive has been further complemented by the second directive, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
In relation to the research objective of this thesis, Directive 95/46/EC is the most relevant, and therefore Directive 2002/58/EC will be referred to when necessary. It should be noted that whenever the term "the Directive" is used in this thesis, it refers to Directive 95/46/EC. Under the Directive, a set of main rules concerning the trans-border flow of personal data has been laid down. These include the obligations of the data controller to use personal data for specified, explicit, and legitimate purposes, to collect only relevant and necessary data, to guarantee the security of the data against accidental or unauthorized access or manipulation, and, in specific cases, to notify the competent independent supervisory body before carrying out all or certain types of data processing operations. On the other hand, there is a series of rights for individuals as data subjects, such as the right to receive certain information whenever data is collected, to access and correct the data, and to object to certain types of data processing. Nevertheless, exercising these rights and obligations presents a significant problem when the trans-border flow of personal data takes place from the European Union/European Economic Area (the EU/EEA) Member States to countries outside the EU/EEA, because the Directive requires an adequate level of protection in the destination country. The transfer of personal data to a third country is prohibited when the third country does not have an adequate level of protection to ensure that the processing of personal data will not violate the rights of data subjects. The binding power of the Directive on the EU/EEA Member States requires each Member State to embed the provisions of the Directive in its national legal system. Thus, there is a "free zone" in which the trans-border flow of personal data can take place freely among the Member States, because they all provide the adequate level of protection.
No further approval, adequate safeguard, or additional requirement is necessary. As far as public international law is concerned, by applying the extra-territoriality principle, the adequacy requirement is automatically fulfilled at the official representations of the EU/EEA Member States in the third country, such as an Embassy or Consulate General, because of the extended jurisdiction of the Member States. However, this principle does not extend to the private sector, since subsidiary offices of multinational companies still have to abide by the national law of the third country even though the company's base of operations is located in an EU/EEA Member State. In this case, the adequate level of protection is still required even though the transfer is conducted internally among the subsidiaries of the company located in third countries. Currently, the EC has conducted some adequacy findings and has compiled a "white list" of countries providing an adequate level of protection. This approval means that the trans-border flow of personal data can take place as in the "free zone" between the EU/EEA Member States. However, to date, the "white list" covers a limited number of countries, seven to be exact. This list may not prove sufficient from the point of view of multinational companies in accommodating their interests, as it does not include many countries of growing commercial interest. From this point of view, there is a need to harmonize the various privacy and data protection regulations in many countries through the establishment of an internationally congruent legal framework for privacy and data protection. Unfortunately, such an establishment will take some effort and time, while a fast solution is needed.
Considering that the Directive is thus far the strictest legal framework compared with other existing legal frameworks on privacy and data protection, there is obviously a need for countries outside the EU/EEA Member States to improve their legal frameworks in order to comply with the adequate level of protection requirement under the Directive. Since Indonesia is neither a Member State of the EU/EEA nor included in the "white list" of adequacy findings, the requirement of an adequate level of protection applies to Indonesia as a third country. The trans-border flow of personal data can only take place after the data controller is certain that the level of protection of personal data in Indonesia is adequate under the Directive. Accordingly, it is necessary to examine critically whether or not the Indonesian legal framework provides an adequate level of protection. Moreover, Indonesia, as a Member State of the Asia-Pacific Economic Cooperation (APEC), has received "pressure" to provide a sufficient level of protection for the trans-border flow of personal data in relation to the existence of the APEC Privacy Framework. This "pressure" has become heavier because of Indonesia's position as a Member State of the Association of South East Asian Nations (ASEAN). Therefore, the main objective of this thesis is to examine how Indonesia can improve its legal framework to comply with the adequate level of protection in view of Directive 95/46/EC. Conducting this examination is important in determining ways in which Indonesia might be developed into an attractive destination country for international commerce activities. In order to achieve the objective of this thesis, three research questions have to be answered: firstly, why Directive 95/46/EC is currently acknowledged as the strictest legal instrument concerning privacy and data protection for conducting the trans-border flow of personal data, compared with other existing legal instruments.
Secondly, how the European Commission determines the adequate level of protection in the third country in question under Directive 95/46/EC. Thirdly, to what extent the legal framework of data protection in Indonesia measures up to the adequate level of protection under Directive 95/46/EC. In line with the effort to answer the first research question, this thesis will try to identify any possibility for improvement of the current adequacy finding system. Hence, a balanced accommodation might be obtained and maintained between the party that requires the adequate level of protection and the party that has to fulfill it. This thesis will be structured as follows. The first chapter is the introduction, in which the objective of this thesis is explained. In the second chapter, there will be a brief comparison between the Directive and other legal instruments concerning privacy and data protection. Afterwards, some explanations on the requirement of the adequate level of protection in the light of the Directive will be provided, including the measurements to be used in conducting the adequacy finding, and any possible solution if there is no adequate level of protection in the third country in question will be explored. Further, this chapter will cover the current problems within the Directive as well as possible suggestions to overcome them, thereby answering the first and second research questions. In the third chapter, relevant issues surrounding the Indonesian legal framework will be discussed, including a brief explanation of how Indonesia regulates privacy and data protection as well as a number of the difficulties experienced in doing so. The findings in the second and third chapters shall be employed to carry out the examination in the fourth chapter, whose objective is to answer the third research question. That chapter serves to analyze the adequate level of protection of the Indonesian legal framework by applying the measurements in the light of the Directive.
The analysis will include various potential problems faced by Indonesia in its effort to improve the protection of personal data, along with several suggestions on how to overcome them. At the final stage, there will be a conclusion on the extent to which Indonesia can be deemed to provide an adequate level of protection. As a result, a solution on how Indonesia might improve its legal framework under the Directive - to both avoid a lack of protection and offer an adequate level of protection - will be achieved.
2. The EU Legal Framework regarding trans-border flow of Personal Data

The trans-border flow of personal data is stipulated by regulations concerning data protection. Since the early eighties, several regulations, drawn up by different organizations, have been published in this respect. The first initiative was taken by the Organization for Economic Co-operation and Development (OECD) by establishing the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (the OECD Guidelines) in 1980. The intention of the Guidelines is to prevent conflicts between national laws which could hamper the free flow of personal data between the OECD Member States. This establishment raised awareness of the importance of protecting the trans-border flow of personal data. A purpose similar to that of the OECD Guidelines led the Member States of the Council of Europe (the CoE) to publish a convention on the matter in the following year. They agreed that it was necessary to reconcile the fundamental values of respect for privacy and the free flow of information between them. The agreement is stated in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), whose purpose is to take into account the right to privacy and the increasing flow of personal data across frontiers in the context of automatic processing, as a way to extend the safeguards for everyone's rights and fundamental freedoms. In 1990, considering that the UN has more Member States than the OECD and the CoE, the Guidelines concerning Computerized Personal Data Files (the UN Guidelines) were established as a way to have the principles of privacy and data protection implemented more widely among countries. The UN General Assembly, through Resolution No. A/RES/45/95 of 14 December 1990, requested the Governments of all Member States to take these Guidelines into account in their legislation.
Further, governmental, intergovernmental, and non-governmental organizations are also requested to respect the Guidelines in carrying out the activities within their field of competence. Nonetheless, the OECD Guidelines, CETS No. 108, and the UN Guidelines still have some weaknesses. There are some principles of data protection which are required to be embedded in the national laws of each of the Member States, but there is no means for ensuring their effective application. For example, there is no supervisory authority provision in CETS No. 108, and the OECD Guidelines lack procedural clauses. In another respect, concerning the binding power of the instruments, the OECD Guidelines bind the Member States only on a voluntary basis, as do the UN Guidelines, even though the UN Guidelines have supervision and sanction provisions. Therefore, Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data was established by the European Union (the EU) to overcome the limited effect of the two Guidelines and the Convention mentioned above. A good level of compliance, support and help to individual data subjects, and appropriate redress to injured parties are the means used by the Directive for ensuring the effective application of the content of the rules. Apart from the compliance issue, the obligations and rights set down in the Directive are built upon the OECD Guidelines, CETS No. 108, and the UN Guidelines. These three legal instruments contain similar principles; the exceptions are the lawfulness, fairness, and non-discrimination principles, which come from the UN Guidelines, and the special categories of data and additional safeguards for the data subject principles, which come from CETS No. 108. The rest of the adopted principles are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
Further, the aims of the Directive can be seen from two perspectives. The first is the economic perspective, in relation to the establishment and functioning of an internal market, which is to ensure the free movement of goods, persons, services, and capital, including the free movement of personal data. The second is the fundamental rights perspective, which is to set the rules for high-level data protection to ensure the protection of the fundamental rights of individuals. The newest legal instrument concerning privacy and data protection is the APEC Privacy Framework 2004 (the Framework), established by the Asia-Pacific Economic Cooperation (APEC). The purpose of the Framework is to ensure that there are no barriers to information flows among the APEC Member Economies by promoting a consistent approach to data protection. There are nine principles in the Framework, which are built on the OECD Guidelines. In brief, the adopted principles are preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. However, this Framework has the same weakness as the legal instruments on privacy and data protection that preceded the Directive, which is the absence of means for ensuring the effective application of the principles. Additionally, it should be noted that APEC is a forum established on a voluntary basis, without any constitution or legally binding obligations for the Member Economies. Hence, the Framework is not binding on the Member Economies. From the brief analysis above, the Directive currently possesses the highest level of protection compared with other existing legal instruments on privacy and data protection. In this respect, to achieve the objective of this thesis as stated in the first chapter, the research questions will be answered by focusing on the Directive.
Therefore, in the next section, there will be an explanation of the legal bases of the trans-border flow of personal data to third countries under the Directive, followed by a rationalization of how the European Commission (EC) determines whether or not an adequate level of protection exists in the third country in question. Subsequently, the means for ensuring the effective application of the content of the rules will be elaborated upon, followed by a description of a series of possibilities if the third country in question is not deemed to provide an adequate level of protection. Although the Directive currently provides a high level of protection, some problems and suggestions will be presented as an effort to provide input for improvement. The findings in this chapter will be used to carry out the adequacy finding of Indonesia as a third country (in the fourth chapter) by comparing them with the findings on the Indonesian legal framework in chapter three.

2. The Legal Bases of Trans-border Flows of Personal Data to Third Countries

For the trans-border flow of personal data to a third country to be acknowledged as lawful, it has to be conducted in accordance with the national data protection law of the EU/EEA Member States. This law is applicable to data controllers established in the EU, both at the time when the data is being collected and when it is processed. In general, the law consists of a combination of the obligations of data controllers and the rights of data subjects. Before the establishment of the Directive, these rights and obligations were regulated under various national data protection laws with different levels of protection. In the light of the functioning of the internal market in the EU/EEA, all these obligations and rights, including certain procedures to be applied in the case of a trans-border flow of personal data to a third country, are regulated in the Directive.
Since the Directive is legally binding on the EU/EEA Member States, an adequate level of protection is fulfilled among them, and consequently the trans-border flow of personal data is able to take place among them. Further, when the personal data is used for electronic communication purposes, the rights and obligations as laid down in Directive 2002/58/EC shall apply. There are three possible types of transfer under the Directive. The first and second types are a communication of personal data by a data controller based in the EU/EEA Member States to another data controller or to a processor based in a third country. The third type is a communication of personal data by a data subject based in the EU/EEA Member States to a data controller based in a third country. Nevertheless, it should be noted that the Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union. The main provision in the Directive concerning the trans-border flow of personal data to a third country is Article 25. The first paragraph of the Article sets out the principle that the EU/EEA Member States shall allow the transfer of personal data only if the third country in question ensures an adequate level of protection. From this provision, it is necessary to explain further the subject of the transfer of personal data and of an adequate level of protection. First, what does the Directive mean by the transfer of personal data? Undoubtedly, it is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail.
Seen from a different perspective, the situation where one conducts a certain activity with the purpose of making data available to others, besides the owner of the data (the data subject), who are located in another country is also included as a trans-border flow of personal data. However, making data accessible to everyone who connects to the internet by uploading personal data to internet web pages is not included in the meaning of transfer of personal data to another country, even though a person who accesses it may be located in another country. The reason for this is that this kind of activity is properly regarded as a publishing activity, not a transferring activity. This exception is stated clearly by the Court of Justice in the Bodil Lindqvist Case: "there is no transfer of personal data to a third country where an individual in a Member State loads personal data onto an internet page ... making those data accessible to anyone who connects to the internet, including people in a third country". Subsequently, since the Directive is binding on the 27 EU Member States, as well as on three countries (Norway, Liechtenstein, and Iceland) which are bound by the Directive by virtue of the European Economic Area (EEA) agreement, personal data can flow freely among them. In other words, there is a "free zone" among the EU/EEA Member States. Therefore, transfer in the light of the Directive has to be seen as the transfer of personal data from the EU/EEA Member States to other countries outside the EU/EEA, which are recognized as third countries, and the adequate level of protection in those third countries has to be assessed. There is a so-called "white list" of countries which have been assessed by the EC and affirmed to provide an adequate level of protection according to the Directive.
Currently, the list consists of seven countries, as follows: Argentina, Canada (limited to private sector data), Switzerland, the United States (Safe Harbor and a specific type of transfer: Passenger Name Record/PNR), the Bailiwick of Guernsey, the Isle of Man, and the Bailiwick of Jersey. The approval of adequacy shall be analyzed more carefully, because once a country is listed in the "white list", this does not automatically mean that personal data can flow to that country freely. One should pay attention to whether the affirmation is given for the entire legal framework or only for a certain part of it in a specific field, sector (public or private), or regarding a specific type of transfer. Moreover, even though the result of an adequacy finding shows that the data protection level in a certain country is not adequate, the EC will not create a "black list" for that negative finding because of the political consequences. Instead of a "black list", the EC tends to enter into negotiations with the country concerned in order to find a solution. It can be concluded from the foregoing that an adequacy finding is temporary and subject to review.

Procedure of the Adequacy Finding

In acknowledging the adequacy finding, the EC has to follow a certain procedure, which has been determined in Article 25 Paragraph (6) of the Directive and is known as comitology. At first, there will be a proposal from the EC, followed by an opinion from the Article 29 Working Party and an opinion from the Article 31 Management Committee, which needs to be delivered by a qualified majority of Member States. Afterwards, the EC submits the proposed finding to the European Parliament (EP), which will examine whether the EC has used its executing powers correctly and comes up with recommendations if necessary. As a final point, the EC can then formally issue the result of the adequacy finding. In the next section, the measurements used by the EC in conducting the finding will be explained in detail.

3. Assessing the Adequate Level of Protection

The Article 29 Working Party has given a clear statement that "any meaningful analysis of adequate protection must comprise the two basic elements: the content of the rules applicable and the means for ensuring their effective application". According to WP 12 of the European Commission (EC), the set of content principles that should be embodied in the existing regulations is the following:
- Purpose limitation principle: data should be processed for a specific purpose and subsequently used or further communicated only if it is compatible with the purpose of the transfer.
- Data quality and proportionality principle: data should be accurate and, where necessary, kept up to date.
- Transparency principle: individuals should be provided with information as to the purpose of the processing, the identity of the data controller in the third country, and other necessary information to ensure fairness.
- Security principle: technical and organizational measures should be taken by the data controller that are appropriate to the risks presented by the processing.
- Rights of access, rectification and opposition: the data subject has the right to obtain a copy of all data relating to him/her that are processed, to the rectification of those data that are shown to be inaccurate, and to object to the processing of the data.
- Restrictions on onward transfers to non-parties to the contract: further transfers of the personal data by the recipient of the original data transfer are permitted only if the second recipient provides an adequate level of protection.
In addition to these content principles, another set of means for ensuring the effective application of the principles, whether judicial or non-judicial, is required in order to fulfill the following objectives:
- A good level of compliance with the rules: the level of awareness of controllers and data subjects and the existence of effective and dissuasive sanctions are the measurements used to examine the level of compliance, including direct verification by authorities, auditors, or independent data protection officials.
- Support and help to individual data subjects: an individual should be able to enforce his/her rights rapidly and effectively without prohibitive cost. An institutional mechanism is needed to conduct independent investigation of complaints.
- Appropriate redress to the injured parties: where the rules are not complied with, redress to the injured party through independent adjudication or arbitration is provided, including compensation and the imposition of sanctions.
Beyond the content principles, some additional principles still need to be considered when it comes to certain types of processing. Additional safeguards when sensitive categories of data are involved and a right to opt out when data are processed for direct marketing purposes should be in place. Another principle is the right of the data subject not to be subject to an automated individual decision intended to evaluate certain aspects of the person, which can produce legal effects or significantly affect the data subject. These content principles, including the additional principles, and the means for ensuring their effectiveness should be viewed as the minimum requirement in assessing the adequate level of protection in all cases. However, according to Article 25 Paragraph 2 of the Directive, in some cases there will be two possibilities: there is a need either to add more requirements to the list or to reduce it.
To determine whether some requirements need to be added or reduced, the degree of risk that the transfer poses to the data subject becomes an important factor. The Article 29 Working Party has provided a list of categories of transfer which pose particular risks to privacy, as mentioned below:
- Transfers involving certain sensitive categories of data as defined by Article 8 of the Directive
- Transfers which carry the risk of financial loss (e.g., credit card payments over the internet)
- Transfers carrying a risk to personal safety
- Transfers made for the purpose of making a decision which significantly affects the individual (e.g., recruitment or promotion decisions, the granting of credit, etc.)
- Transfers which carry a risk of serious embarrassment or tarnishing of an individual's reputation
- Transfers which may result in specific actions which constitute a significant intrusion into an individual's private life (e.g., unsolicited telephone calls)
- Repetitive transfers involving massive volumes of data (e.g., transactional data processed over telecommunications networks, the Internet, etc.)
- Transfers involving the collection of data in a particularly covert or clandestine manner (e.g., internet cookies)

Article 25 Paragraph 2 of the Directive further provides that the adequacy of the level of protection shall be assessed in the light of all the circumstances surrounding the transfer, with particular consideration given to:
- the nature of the data
- the purpose and duration of the proposed processing operations
- the country of origin and the country of final destination
- the rules of law, both general and sectoral, in force in the country in question
- the professional rules and the security measures which are complied with in that country.

The national implementations of the Directive also diverge on how the adequacy requirement is applied; for example:
- six Member States do not regard the non-EU/EEA Member States as third countries and assume they provide an adequate level of protection, while others do regard the non-EU/EEA Member States as third countries, so the adequacy finding should be done before the data is transferred
- one Member State expressly allows transfer to the Member States of CETS No. 108 without any additional requirement to fulfill the provisions of Directive 95/46/EC, while other Member States impose additional requirements
- only four Member States clearly state that, in the absence of an EC adequacy finding, only the national authorities can determine whether a third country in question fulfills the adequacy requirement
The Indonesian Legal Framework on Privacy and Data Protection

1. Introduction

As of today, Indonesia still does not have any comprehensive or specific legislation concerning privacy and data protection. Consequently, there are no clear regulations on the trans-border flow of personal data, although a Personal Data Protection Law was drafted in 2006 by the State Minister for Administrative Reforms. At the time this thesis is being written, the draft has been sitting at the executive level for almost three years. The draft still needs to be proposed, examined, and promulgated by the House of Representatives to become effective. Considering the time it has taken at the executive level, it seems that the Indonesian Government (the Government) does not regard the draft as a high-priority law and therefore does not find it necessary to speed up the process. There is also a possibility that the Government relies on Law No. 11/2008 concerning Electronic Information and Transaction (the EIT Law) and Law No. 14/2008 concerning Transparency of Public Information (the Public Information Law), which have provisions on privacy and data protection issues at a general level. Unfortunately, they do not regulate the trans-border flow of personal data.
Also, there are some Laws which provide general provisions on privacy and data protection, namely Law No. 7/1971 concerning General Principles of Archive (the Archive Law), Law No. 8/1981 concerning Criminal Procedural Law (the Criminal Procedural Law), Law No. 8/1997 concerning Corporate Document (the Corporate Document Law), and Law No. 39/1999 concerning Human Rights (the Human Rights Law). These laws also do not stipulate the trans-border flow of personal data.
Some Laws directed at certain sectors also have a certain degree of provisions on privacy and data protection, such as Law No. 23/1992 concerning Health Care (the Health Care Law), Law No. 29/2004 concerning Medical Practice (the Medical Practice Law), Law No. 10/1998 concerning Banking Activities (the Banking Law), and Law No. 36/1999 concerning Telecommunication (the Telecommunication Law). In the light of the assessment of whether or not Indonesia has an adequate level of protection, these general and sectoral regulations shall be analyzed. In the next sections, brief explanations of each of the Laws mentioned in the foregoing, with a focus on their protection of personal data, are provided.
2. The Hierarchy of Laws and Regulations in Indonesia
The Indonesian hierarchy of Laws and regulations is stipulated in Law No. 10/2004 concerning the Formulation of Laws and Regulations. The hierarchy is as follows: the Grundnorm is the 1945 Constitution (UUD 1945/the Constitution), then Laws (Undang-Undang) and Government Regulations in lieu of Law (Perpu), followed by Implementing Regulations such as Government Regulations (Peraturan Pemerintah), Presidential Regulations (Perpres) and Regional Regulations (Perda - provincial/municipal level). Additionally, there are Ministerial decrees and the decrees of non-department chiefs. They are binding as administrative decisions in their respective sectors but do not have as much binding power as the laws.
The 1945 Constitution (the Constitution) is the highest legal authority in Indonesia, to which the legislative, executive, and judicial branches of government must refer. Hence, any law has to be drafted according to the Constitution as its basis. Under the Constitution, Laws can only be enacted after the approval of the People's Representative Council (the Legislative). A draft Law can be proposed by the President (the Executive) to obtain that approval. During the process of establishing the draft as a law, the Legislative forms a working group to discuss and synchronize the draft with the corresponding ministries. This lengthy and costly process is completed when an agreement has been reached between the Legislative and the Executive. Afterwards, the draft shall be endorsed into law by the Executive. In case the Executive for any reason does not endorse the draft that has been agreed, it is automatically promulgated into law within thirty days. If an agreement cannot be reached, the draft cannot be proposed again during the current term of the Legislative members.
3. General Regulations
It has been explained that all of the Indonesian general and sectoral regulations are based upon the Constitution. As for human rights, they are assured in the Constitution under Chapter XA, which consists of several rules, as follows. Article 28G Paragraph 1 of the Constitution states that "every person shall have the right to protection of his/herself, family, honor, dignity, and property, and shall have the right to feel secure against and receive protection from the threat of fear to do or not do something that is a human right". However, this right is not without limitation. According to Article 28J of the Constitution, every person shall have the duty to respect the human rights of others.
The relevance of the Constitution with regard to privacy and data protection can be seen in Article 28F of the Constitution, which states that "every person shall have the right to possess, store, process, and convey information by employing all available types of channels". However, there is no further explanation of what the Article means by types of channels.
Human Rights Law
The only article in the Human Rights Law that accommodates Articles 28F, 28G, and 28J of the Constitution is Article 21, which states that "every person shall have the right to personal integrity, both physical and spiritual, and therefore may not be the object of research without consent". The relevance of Article 21 with regard to data protection is laid down in its elucidation, which defines the object of research. Becoming an object of research is defined as the data subject being requested to provide any comments, opinions, or information concerning his/her private life, with the person's image and sound being recorded during the process. Further, under Article 32 of the Law, the independence and secrecy of correspondence, including communication through electronic means, may not be disturbed, except upon the order of a judge or other authority in accordance with the legal provisions of the laws.
Criminal Procedural Law
Personal data protection is regulated in the Criminal Procedural Law under Articles 43, 47, 48 and 49. Under these articles, legal officers have to obtain consent from the data subject or special permission from the judge of the district court, unless statutory regulations stipulate otherwise, before seizing any letters or documents. Moreover, they are obliged to keep the information confidential in case the letters or documents are irrelevant to a case. All of these processes have to be recorded in the official report.
Archive and Corporate Document Laws
Concerning archive activities, Indonesia has two legal instruments which regulate archiving for the public and private sectors. Law No. 7/1971 concerning General Principles of Archive is applicable to the public and the private sectors, while Law No. 8/1997 concerning Corporate Document is for the private sector only. Article 1(a) of the Archive Law stipulates the requirement to protect any archived documents from any parties who have no right of access. There is a criminal sanction for those who fail to do so, as stated in Article 11. On the other hand, the Corporate Document Law obliges a company to record all information and activities to accommodate legal certainty and stakeholders' interests (as stated in the consideration section, point e). The Law also sets out procedures to be followed by the company to create, store, and destroy the documents. It is common business practice for a company to keep a list of its employees, including their personal data, as part of the company documents. Thus, the company has to follow the regulations under the Law for its list of employees as well.
Public Services Law
The protection of personal data in relation to public services is provided under Article 17 of the Public Services Law, which exempts personal data from access as public information if it contains personal authentic deeds or testaments, including personal confidential information (family, medical, financial, and educational). However, access to personal data is possible if there is consent from the data subject or if the data subject is a public officer. Violations of Article 17 can lead to imprisonment for up to two years and a fine of up to IDR 10 million (approximately EUR 700). The exceptions to access to personal data under the Public Services Law have to be examined thoroughly by the Information and Documentation Officers within each government agency before any access to personal data is authorized. However, the exceptions given through the authorization are not permanent, because there is a certain period for the exception of access to protect the privacy of the data subject. The period will be regulated under the Implementing Regulations of the Law, which, unfortunately, have not been drafted yet. Further, the exception from access also covers the personal data of an informant, informer, witness, or victim who knows that a crime has occurred, if there is any interest of a court process in criminal matters. Access to this information shall be granted following an authorization from the authorized legal officer and after obtaining permission from the President to do so. Chapter VIII of the Law provides the procedures for objection and settlement of disputes if an application to access public information is not approved by the Government Agency and the applicant opposes the decision.
Electronic Information and Transaction Law
A more transparent provision on the protection of personal data can be seen in Article 26 of the Electronic Information and Transaction (EIT) Law. The Law is an umbrella legislation covering e-government, e-contracts, privacy, cybercrime, digital copyright, and other cyber law issues. Under Article 26 Paragraph 1 of the EIT Law, any use of personal data provided through electronic media shall only be conducted with the approval of the data subject, unless statutory regulations stipulate otherwise. The second paragraph of the Article gives every person whose right has been infringed the opportunity to file a lawsuit for compensation. The elucidation of the Law defines the Article as conferring upon data subjects a very broad privacy right that involves the right to enjoy personal life and to be free from all kinds of disturbances, the right to communicate with other persons without being monitored, and the right to control access to personal data about oneself. Although this provision is the only clear provision on the protection of personal data, it is still too general and requires implementing regulations to be effective.
Sectoral Regulations
More focused provisions on the protection of personal data in Indonesia can be found in the sectoral regulations, such as the laws of the health care, telecommunication, and banking sectors. These laws not only stipulate the acts but also codes of conduct, such as ethical codes. In the light of the Directive, the personal data regulated in these sectors is acknowledged as sensitive data. For that reason, these three sectors are briefly explained in this section.
Health Care Sector
The protection of patients' data in Indonesia is stated clearly in Law No. 23/1992 concerning Health Care and Law No. 24/2004 concerning Medical Practice. In this respect, the implementing regulations are Government Regulation No. 32/1996 concerning Health Worker and the Minister of Health Regulation No. 269/Menkes/Per/III/2008 concerning Medical Record. Every health worker is obliged to comply with professional standards and to respect patient rights. Failure to do so shall result in disciplinary punishment from Majelis Kehormatan Etik Kedokteran (MKEK). Moreover, they are required not to freely share their patients' medical records without the patient's approval, or, in the case of a criminal investigation, without the authorization of the head of the district court. Failure to comply with this requirement can lead to imprisonment for up to one year or a fine of up to IDR 50 million. Further, there is an obligation for doctors to make a medical record for each patient, and these records must be treated as confidential. However, the confidentiality of the records may be lifted in the interest of the patient's health, by court order for a legal process, with the consent of the patient, under a statutory obligation, or in the interest of medical research, education, and audit as long as the identity of the patient is not mentioned. In addition to the regulations, doctors have an obligation to comply with their own professional code of ethics. Keeping patients' data confidential is part of this code. A Disciplinary Board of Health Ethics, known as Majelis Kehormatan Etik Kedokteran (MKEK), has been formed as a part of the Indonesian Medical Association (Ikatan Dokter Indonesia/IDI). Currently, the health sector (through IDI) is the only sector in Indonesia which has the means for ensuring the effectiveness of its code of ethics, compared with other sectors.
Telecommunication Sector
Law No. 36/1999 concerning Telecommunication stipulates that telecommunication service providers are required to maintain the confidentiality of all information transmitted to, or received by, their subscribers; otherwise it can lead to imprisonment for up to two years and/or a fine of up to IDR 200 million. Nevertheless, when required, telecommunication service providers have to provide access to legal officers for law enforcement purposes (investigation or court). This regulation provides appropriate redress to injured parties if they find out that their rights are not protected by the service provider, unless the provider can prove otherwise. This obligation applies as well during the registration process for pre-paid mobile phone cards. Unlike the health care sector, the telecommunication sector does not have any code of ethics. However, this sector has a supervisory body called the Indonesia Telecommunication Regulatory Body (Badan Regulasi Telekomunikasi Indonesia - BRTI). This body is an independent regulatory body (IRB) that aims to protect the public interest (telecommunication users) and to support and protect competition in the telecommunication business so that it remains healthy, efficient, and attractive to investors. In carrying out its functions, BRTI coordinates with the Directorate General of Post and Telecommunication (Dirjen Postel) and reports to the Minister of the Department of Communication and ICT (Depkominfo).
Banking Sector
Bankers are obliged to secure the confidentiality of their customers' data, the so-called bank confidentiality. Exceptions are made for taxation interests, bank receivable settlement, criminal proceedings in court, and customer consent. This requirement is regulated in Law No. 10/1998 concerning Amendment on Law No. 7/1992 on Banking. For each exception, a written authorization from the Governor of the Central Bank of Indonesia has to be obtained. The authorization will be provided based on requests from related Government Officers, such as the Minister of Finance and other Legal Officers. Customer data shall mean any information related to the customer and the deposit. Bankers may be sanctioned by imprisonment ranging from two to four years and a fine ranging from IDR 4 trillion to 8 trillion. The burden of this obligation falls not only on the bankers but also on any person who would like to obtain the customers' data. Those who insist on obtaining the data without any authorization from the Governor of the Central Bank of Indonesia are threatened with imprisonment of up to four years and a fine of up to IDR 200 trillion. Moreover, the Central Bank of Indonesia, through its Regulation No. 7/6/PBI/2005 concerning Transparency of Bank Product Information and the Use of Customer Personal Data, requires a bank to provide a transparent policy and procedure for the use of customer personal data. The Bank's Board of Directors, with the approval of the Commissioners of the Bank, shall set up a transparency policy concerning the use of customer personal data. The policy shall at least contain the requirement to obtain a written approval from the customer when the Bank needs to disseminate the customer's personal data to other parties outside the Bank for commercial purposes, except where other conditions specified in the legislation apply. A bank is also obliged to obtain fully informed consent from the customer.
This means the bank has to explain to the customer, in written or verbal form, the goals and the consequences of giving consent before the customer gives it. Failure to comply with this requirement may result in an administrative punishment for the bank. Further, this failure will influence the bank's performance rating provided by the Central Bank of Indonesia. Bankers are also obliged to comply with their professional code of ethics, known as the Code of Ethics of Indonesian Bankers (Kode Etik Bankir Indonesia). The obligation is stated at point 6 of the code of ethics and is the same as regulated in the Banking Regulations. Nevertheless, there is no procedure or mechanism as a means of ensuring the effective implementation of this code of ethics, such as the Indonesian Medical Association has. The Indonesian Banker Association (IBA - Ikatan Bankir Indonesia/IBI) does not have any authority or board to enforce the applicability of the code of ethics.
Upcoming Legislative Developments
The absence of a single comprehensive regulation concerning the protection of personal data has placed Indonesia on the list of countries with weak alignment on privacy concerns, along with India, Malaysia, the Philippines, Singapore, South Korea, Taiwan, Thailand, and Vietnam, compared with other neighboring countries in the Asia Pacific region, such as Hong Kong, Japan, Australia, and New Zealand. An impetus for reform in this area has been the endorsement of the Asia-Pacific Economic Cooperation (APEC) Privacy Framework in 2005 and more recent efforts to implement the framework in the region. As a part of the APEC Privacy Framework, there are the APEC Privacy Pathfinder Projects, with the aim of establishing a scheme for cross-border rules on personal data as an effort to implement the APEC Privacy Principles in business practice without creating any barriers.
Indonesia is not an active participant in the APEC Privacy Pathfinder Projects, although it is a Member Economy of APEC. However, the movement in the Asia-Pacific region, followed by a movement in the South East Asia region by the Association of South East Asian Nations (ASEAN), concerning privacy and data protection, has put some pressure on the Indonesian Government in relation to Indonesia's position as a Member Economy/Member State. To soften the pressure, the Government has given its commitment to the development of harmonized data protection legislation by 2015. In addition to the pressure from the APEC and ASEAN forums, there are also some internal problems concerning privacy and data protection in Indonesia, such as the misuse of customer personal data by companies as a commodity for business transactions, crimes originating from the usage of personal data, and crimes against personal data that violate privacy. Further, an improvement of the Indonesian demography system as an earlier step towards achieving a Single Identity Number (SIN) cannot be carried out because of the lack of protection of citizens' personal data. Both external and internal pressures have become the driving factors for the Government of Indonesia to draft a personal data protection law since 2006. In the next section, a brief explanation of the subject of the draft is provided. Afterwards, a brief explanation of the social awareness problem faced by the Government in developing privacy and data protection regulation is provided as well.
Draft of Personal Data Protection Law
There are three reasons (philosophical, juridical, and sociological) stated in the elucidation of the formulation of the draft, which establish the grounds for this draft. The first reason is that the effort to give protection to personal data is a manifestation of recognizing privacy as a part of human rights. The second reason is that the draft is a subordinate legislation of Article 28G of the Constitution. The third ground for the formulation of the draft is that a balance between personal and community rights and interests can be achieved through the protection of personal data. This Draft of the Personal Data Protection Law (the PDP Law) contains certain definitions, such as data subject, personal data, data processor, data controller, supervisory body, dispute settlement body, and data user. There are some basic principles and exceptions to the principles (national security, state sovereignty, judicial process, criminal offences, taxation, research, and historical documentation). In relation to rights and obligations, there are sets of rights and obligations for the data subject, the data controller, and the data processor. Further, the draft contains provisions on sanctions and on monitoring and enforcement procedures, including a supervisory body and a dispute settlement body. The draft may seem to have accommodated the international instruments on privacy and data protection because one of its articles also regulates the trans-border flow of personal data and international cooperation, which are based on international standards and will be implemented on the basis of a reciprocity principle. As stated in the elucidation, the applicable international standards for this draft are covered by the following legal instruments: the OECD Guidelines, the Directive, Directive 2002/58/EC, and the APEC Privacy Framework 2004.
Difficulties
The effort to promulgate the draft will not be easy. The main problem in Indonesia, in relation to privacy and data protection, is the lack of awareness in Indonesian society, even at the Governmental level itself. Until today, this regulation is still at the Executive level and needs to go through several processes before promulgation. In this case, the lack of awareness of privacy and data protection, and political bargaining, may influence the length of the process and the content of the draft. The low level of awareness can be understood if one looks at the background and culture of the Indonesian people. The people rely on community relationships instead of individuality, as opposed to the situation in western countries. The vein of a community is sharing everything with everyone. This culture can bring togetherness up to some extent, but beyond that, it can result in a situation where a person does not have any private life anymore. Establishing a program to socialize privacy and data protection is the only way to increase public awareness of the importance of personal data protection. The most effective way is to integrate it into the educational system. There will be no prompt effect, but the result will be incorporated in society.
6. Sub-conclusion
There is no single comprehensive enacted legislation regulating the protection of privacy and personal data, including the trans-border flow of personal data, in the Indonesian legal framework. Nevertheless, that does not mean there is no protection at all in Indonesia regarding privacy and personal data. As can be seen from the explanations, privacy is acknowledged in the Constitution as a part of human rights. This acknowledgment has been implemented in various laws which were promulgated afterwards.
From the general regulations' point of view, privacy rights are recognized, but most of the Laws only contain one article concerning privacy and data protection, without any further explanation of how to implement it and ensure its effectiveness. On the other hand, in the sectoral regulations, the protection of privacy and personal data can be seen clearly. The regulations provide procedures or mechanisms to ensure the effective implementation of the rules. Moreover, in the health care sector there is a professional code of conduct, known as the code of ethics, with its own mechanism of monitoring and enforcement. In the banking sector there is a code of ethics for bankers, but it does not have a monitoring and enforcement mechanism. Similar conditions occur in the telecommunication sector: although there is no code of ethics, an independent supervisory body has been established as a means of ensuring the effective application of the rules. The poor protection of personal data in Indonesia has raised pressure from the international community, such as APEC and ASEAN, and from several Indonesian communities and agencies, as there is a need for the protection of privacy and personal data. In an effort to meet this pressure, the Indonesian Government established a draft of the personal data protection law in 2006. Since then, the draft has been synchronized but still needs to be approved at the Executive level before it can be passed to the Legislative level to obtain the final approval required to turn the draft into law. However, one should bear in mind that since privacy and data protection is not a popular issue in Indonesia, it will be hard for the draft to obtain a high-priority label from both the Executive and the Legislative. In this case, the lack of public awareness becomes an obstacle for the draft.
In the next section, an analysis is provided of whether or not the Indonesian legal framework concerning privacy and data protection, which has been explained in this chapter, fulfills the adequacy requirement of Directive 95/46/EC as mentioned in chapter 2.
4. Analysis
1. Introduction
2. Analysis
1. Scope of the protection
2. Content principles
- Purpose Limitation Principle
- Data Quality and Proportionality Principle
- Transparency Principle
- Security Principle
- Rights of Access, Rectification, and Opposition Principle
- Restrictions on Onward Transfer Principle
3. Procedural/enforcement mechanism
- Good Level of Compliance with the Rules
- Support and Help to Individual Data Subjects
- Appropriate Redress to the Injured Parties
4. Additional principles
- Sensitive Categories of Data
- Direct Marketing Purposes
- Automated Individual Decision
3. Possibility to transfer data to Indonesia
4. Problems in developing PDP in Indonesia
- No omnibus law (a single umbrella provision)
- Poor performance of Indonesian Enforcement System (Uncertainty at court - delays and inconsistencies)
- Lack of social awareness
5. Recommendation
- Creating a comprehensive umbrella provision with horizontal approach
- Harmonization of existing provisions
- Specialized local police enforcement units
- Specialized court (?)
- Education for all society levels, including legal enforcers