Pustaka Ilmiah Universitas Padjadjaran

Abstrak

Indonesia’s Data Protection Regulation 2012: A Brief Code With Data Breach Notification

Indonesia is usually ignored in discussions of data protection, but as an Asian democracy with a population of over 250 million (exceeded only by China and India) and a fast-developing economy with 6.2 % economic growth in 2012, its position is important to data privacy in Asia. Although it is the largest ASEAN state, it has moved slowly to provide comprehensive legal protection for personal information, and is now lagging behind its ASEAN neighbours, Singapore, Malaysia and the Philippines, all of which now have data protection laws covering much of their private sectors (and the public sector, in the case of the Philippines). Although Indonesia has not yet gone down the path of comprehensive legislation, it has in late 2012 enacted a Regulation under its 2008 law on electronic transactions (previously dormant in relation to data protection but active in some areas such as cybercrime), adding more data protection elements, and a data breach notification requirement. This article analyses these new developments, and concludes that Article 15 of the Regulation, coupled with Article 26 of the 2008 law, and various other provisions in the Regulation, provides between them most of the elements of a brief data protection code, enforceable through court actions. However, there have as yet been no actions to enforce these rights, and Indonesia does not have a data protection authority or other enforcement body to do so. The article also discusses the ongoing moves within various Ministries to develop a full data protection law, and various reasons for this in different Ministries, and the constitutional cases on telecommunications interception which have decided that there is an implied constitutional right of privacy, which may affect both the government’s obligations to enact data protection laws, and the interpretation of any laws so enacted.