Following our Advisory on Indonesia’s long-awaited Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”), this Advisory focuses on the transfer of personal data from Indonesia to other countries (cross-border transfer).
In the digital era, the cross-border transfer of personal data has become a common and important part of data processing activities, especially for global companies that operate or conduct business in Indonesia but have centralized data centers located in one or more other countries.
It is therefore vital that companies know how to comply with the PDP Law and related regulations to protect the rights of data subjects when transferring their personal data to other countries to prevent misuse or illegal processing.
With a broad scope of applicability, the PDP Law is binding on any party that controls and/or processes personal data within and/or outside Indonesian territory, provided such control or processing has a legal impact within Indonesia or on Indonesian data subjects outside Indonesia.
The law has a two-year transitional period from its enactment, so full compliance will be required by 17 October 2024.
Prior to the PDP Law, personal data protection was regulated under Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (“GR 71/2019”) and Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Regulation 20/2016”). These regulations, which remain in effect to the extent they are not contrary to the PDP Law, mandate that valid consent be obtained for any processing of personal data. Such consent must be made in the Indonesian language (a bilingual format with Indonesian as one of the versions is allowed) and is a legal basis for the transfer of personal data.
MOCI Regulation 20/2016 also requires that the transfer of personal data abroad by Indonesian private or public entities be done in coordination with the MOCI or an authorized official/institution, in the form of:
1. a report on the planned personal data transfer, listing the destination country, the recipient’s name, the transfer date, and the purpose of the transfer (a form for this is provided by the MOCI);
2. an advocacy request to the government, such as consultation, if necessary; and
3. a report on the implementation of the personal data transfer (a form for this is provided by the Ministry).
The PDP Law does not explicitly revoke the cross-border personal data transfer requirements under GR 71/2019 and MOCI Regulation 20/2016. Instead, it introduces new principles and provisions for the implementation of personal data protection, although further implementing regulations are expected to be issued to provide clearer references.
Under the PDP Law, data transfer is defined as the movement, transmission and/or duplication of personal data, either electronically or non-electronically, from a personal data controller[1] to another party.
The cross-border transfer obligations for the sending party (i.e., the personal data controller) are set out in the following hierarchical manner under Article 56 of the PDP Law:
1. the sending party must ensure the recipient party’s country/state has a personal data protection level that is equal to or higher than the provisions in the PDP Law (Article 56(2));
2. if the requirement in 1. is not met, the sending party must ensure the existence of adequate and binding data protection (Article 56(3)); and
3. if the requirements in 1. and 2. are not met, the last option is to obtain consent from the data subject before conducting the cross-border transfer. However, the PDP Law exempts certain rights of the data subject in the interests of:
a. national defense and security;
b. law enforcement;
c. state administration;
d. supervision of the financial services sector, monetary sector, payment systems and financial system stability; or
e. statistical and scientific research.
To date, the Indonesian government has not issued any guidance on the implementation of cross-border personal data transfers under the PDP Law, especially on requirements 1 and 2 above, such as how to assess the adequacy of the data protection level in the recipient’s country/state (requirement 1) and which instruments satisfy the requirement of adequate and binding data protection (requirement 2).
1. Obligations under the PDP Law
The key issue of this principle is how to determine which countries have a personal data protection level that is equal to or higher than the provisions in the PDP Law. As the PDP Law is silent on this determination, it remains unclear whether a data controller may determine a country’s data protection level through independent assessment or at its sole discretion.
The PDP Law is also silent on the instrument to ensure adequate and binding personal data protection: whether it must be in the form of a cross-border transfer agreement prepared in line with the PDP Law, or whether global terms and conditions adopted by the recipient from standard international guidelines, such as the ASEAN Model Contractual Clauses for Cross Border Data Flows, will be appropriate safeguards.
Given the above, at the current stage, it would be premature to conduct a cross-border transfer without consent, relying instead on Article 56(2) and Article 56(3) of the PDP Law, until a further regulation or formal guidance is issued by the MOCI. Therefore, obtaining consent remains the safest compliance option for conducting a cross-border transfer.
2. Requirement on Coordination with MOCI
As both GR 71/2019 and MOCI Regulation 20/2016 remain in effect, in practice, the coordination with the MOCI, including the reporting requirements, referred to in the Regulatory Framework section above, is still required, in addition to the cross-border provisions under Article 56 of the PDP Law. While the enforcement and practicability of Article 56 are insufficiently clear, for best practice, compliance with requirements under GR 71/2019 and MOCI Regulation 20/2016 is recommended to the extent feasible.
On the requirement to submit a cross-border transfer plan and implementation reports, MOCI Regulation 20/2016 does not provide a timeframe for their submission. For practicality and efficiency, the reports can collectively cover various cross-border transfer activities for the same recipient party and be submitted together periodically, for example, quarterly, semi-annually or annually, which would be more feasible than submitting a report whenever a cross-border transfer is conducted.
[1] Any individual, public institution or international organization that acts individually or collectively to determine the purposes of, and exercise control over, personal data processing.