Under the Indonesian Constitution, the concept of privacy rights is recognised and protected as part of the general concept of human rights, which is regulated specifically that of internet and electronic translation-related activities. As written in the constitution, the law is covered by Electronic Information and transaction (EIT) Law No. 19/2016 and Law No. 11/2008 (collectively, EIT Law) as amended by the constitution.
The EIT Law also recognises the protection of personal data as part of privacy rights. The article further mentions that privacy rights shall include, among others, the right to monitor the access of information concerning private life and data. To further the effort to satisfy the need for effective protection of personal data, the Minister of Communications and Informatics issued MoCI Regulation No. 20/2016 on Protection of Personal Data in Electronic System.
In essence, the EIT Law is only applicable to all processing or use of personal data in electronic form by an Electronic System Operator (ESO), which is defined as any person, state administrator, business entity, and community that provides, manages or operates an electronic system, whether individually or jointly, for the electronic system’s users’ own interests or the interests of other parties. Electronic systems are defined broadly as a series of devices and electronic procedures used to prepare, collect, process, analyse, store, display, announce, deliver or disseminate electronic information.
Although processing or usage of personal data in a manual record is excluded from the scope of the above regulations, ESOs have the responsibility to comply with relevant regulations, regardless of the sectors and any type of organisations. This is especially applicable when it comes to protecting personal data of employees, clients, users, etc.
Certain exemptions are also applicable in the banking sector. In principle, banks are required to maintain the confidentiality of information concerning savings of customers except for special circumstances – namely, taxation purposes, settlement claims and interbank exchange of information.
Breach of data protection might be subject to administrative and criminal liability in Indonesia. As a rule of thumb, under MoCI Regulation 20, any person that collects, processes, analyses, stores, promotes, announces, transmits or publishes personal data without the right to do so will be subject to certain administrative sanctions, such as verbal warning; written warning; suspension of activities; or announcement on the relevant website.
In addition, failure to comply with the law will also be subject to similar administrative sanctions, consisting of a written warning, administrative fines, temporary dismissal, or dismissal from the list of registrations. Under the EIT Law, a breach of privacy is also subject to criminal penalties, as follows:
Further, any person or organisation is prohibited from wiretapping information transmitted through telecommunication networks. Those who violate this prohibition might be sentenced to imprisonment of up to 15 years.