Indonesia is often cited as an example of data localisation laws in Asia. In this article, we will help you navigate the latest laws and regulations governing cross-border data transfers in Indonesia.

  1. Private sector is no longer subject to data localisation laws

The old rule under GR 82 has been revoked by GR 71

In the past, when we discussed data localisation restrictions in Indonesia, we were probably referring to Government Regulation No. 82 of 2012 on the Management of Electronic Systems and Transactions (“GR 82”). GR 82 provides that electronic systems operators (“ESO”) that provide public services must establish a local data centre.

GR 82 has been revoked by Government Regulation No. 71 of 2019 on Organisation of Electronic Systems and Transactions (“GR 71”). Unlike GR 82, GR 71 draws a distinction between public and private ESOs, and imposes data localisation obligations on public ESOs only.

Under GR 71 and Regulation 5, Indonesian regulators have the authority to request a private ESO (including foreign private ESOs) to grant the Ministry of Communications and Informatics (“MOCI”) access to the ESO’s electronic systems and electronic data which relate to Indonesian citizens or legal entities. However, in practice, given the relatively new state of the law, we are not aware of this particular provision being enforced by MOCI.

  2. Data privacy regulations apply to personal data

Where electronic information contains personal data, the personal data will be subject to the Indonesian personal data protection regime as well.

Legal requirements on transferring personal data overseas

Under GR 71, consent must be obtained from data owners (i.e. data subjects) for cross-border transfers of personal data. Such consent must be “lawful consent”, i.e. consent that is delivered explicitly, cannot be concealed, and is not based on error, negligence or coercion.

Proposed new requirements on cross-border transfers of personal data

The proposed Indonesian Privacy Bill (“Privacy Bill”) has helpfully removed the above MOCI notification requirement for cross-border data transfers.

  3. Other industry-specific requirements on transfer of data, e.g. financial services

While private ESOs now have the ability to process or host their electronic systems and data offshore, there may be industry-specific requirements (such as in the banking and financial services sector) which impose data localisation requirements.

Source:  Herbert Smith Freehills LLP news