
Indonesia’s Personal Data Protection Law: Prepare for the coming Implementation Regulation (2) =Cross Border Transfer=

November 15, 2023 (Wed)

We have published a newsletter on Indonesia’s Personal Data Protection Law. To view the PDF version, please click the following link.

Indonesia’s Personal Data Protection Law: Prepare for the coming Implementation Regulation (2) =Cross Border Transfer=


Indonesia’s Personal Data Protection Law:
Prepare for the coming Implementation Regulation (2) =Cross Border Transfer=

November 2023
One Asia Lawyers Indonesia Office
Koji Umai, Lawyer (Japan)
Yusuke Tomofuji, Lawyer (State of New York, USA)
Prisilia Sitompul, Lawyer (Indonesia)


1. Introduction

In our last newsletter, we discussed the Personal Data Protection Official under Law No. 27 of 2022 on the Protection of Personal Data (“PDP Law”)[1] and its draft implementing regulation (“Draft Regulation”).

This month, we focus on cross-border transfers of Personal Data. A transfer is one type of processing (pemrosesan) of Personal Data, as stipulated in Article 16(e) of the PDP Law and Article 9(e) of the Draft Regulation.

2. Cross-Border Transfer

(1) In PDP Law

The transfer of Personal Data in Indonesia (whether domestic or cross-border) is regulated by Articles 55 and 56 of the PDP Law. With respect to cross-border transfers, Article 56(2) through (4) provide that a Personal Data Controller may transfer Personal Data outside the jurisdiction of Indonesia only when one of the following three conditions, applied in order, is fulfilled.

  1. The level of Personal Data protection in the recipient country is equal to or higher than the level of protection in Indonesia;
  2. If condition 1 is not fulfilled: adequate and binding protection of Personal Data exists in the recipient country; or
  3. If neither condition 1 nor condition 2 is fulfilled: the Personal Data Subject[2] has consented to the transfer.


Further, Article 56(5) of the PDP Law stipulates that the details of cross-border transfers are to be regulated in its implementing regulation.

(2) In Draft Regulation

While some matters are to be defined separately by the PDP Committee (Lembaga PDP) (Article 184(4)), Articles 181 through 196 of the Draft Regulation set out the provisions on cross-border transfers. The main provisions of the Draft Regulation are explained below.

(a) Framework of Principles and Regulations

First, Article 181(1) provides that, in principle, a Personal Data Controller may transfer Personal Data to a Personal Data Controller and/or a Personal Data Processor outside the jurisdiction of Indonesia in accordance with the provisions of the Law. Paragraph (2) of the same article then states the underlying principle: when transferring Personal Data across borders, both the transferring and the receiving Personal Data Controller shall protect the Personal Data in accordance with the provisions of the laws and regulations.

Furthermore, Article 182 reiterates the three-step requirement for cross-border transfers set out above in the section on the PDP Law, and Articles 183 through 196 set forth the details of each step.

(b) Step 1: Equivalent or higher level of Personal Data protection

Article 183(1) provides that the Personal Data Controller making the cross-border transfer is responsible for ensuring that the destination country has an equivalent or higher level of Personal Data protection.

Article 183(2) of the Draft Regulation stipulates that the PDP Committee is obliged to conduct an evaluation to confirm this, and Article 184(1) stipulates the following three criteria for that evaluation.

  1. The country to which the Personal Data is transferred has legal regulations on the protection of Personal Data;
  2. Such a country has a supervisory authority or agency for Personal Data protection; and
  3. Such a country has international commitments or other obligations through participation in legally binding treaties, instruments, and multilateral or regional systems for the protection of Personal Data.


In addition, the PDP Committee is to determine a list of countries and/or international organizations that meet the above criteria (Article 184(2)), and cross-border transfers of Personal Data to the countries and organizations on that list may be carried out without further approval (Article 184(3)).

(c) Step 2: Adequate and binding protection of Personal Data

a.  Principle

Article 185(1) provides that if a Personal Data Controller is unable to fulfill the requirements of Step 1 above, the Controller must ensure adequate and binding protection of the Personal Data.

In this regard, Article 185(2) provides that such “adequate and binding protection” may take the form of (a) interstate agreements, (b) standard Personal Data protection contractual clauses, (c) binding corporate rules of a corporate group, and/or (d) other adequate and binding Personal Data protection measures recognized by the PDP Committee.

In any case, the Personal Data Controller is required to prepare evidence in the form of written and/or recorded documents (Article 185(3)), and the PDP Committee may assess whether the cross-border transfer requirements have been fulfilled (Article 185(4)).

b.  Standard Personal Data Protection Contract Clauses

The standard Personal Data protection contractual clauses referred to in (b) above are to be set by the PDP Committee (Article 187(1)) and shall include, at a minimum, the following: the basis for Personal Data processing, clauses on Personal Data protection, the obligation to notify in the event of a failure to protect Personal Data, and the obligation to exercise due diligence on the party to whom the Personal Data is transferred (Article 187(2)).

The Draft Regulation also stipulates that the Personal Data Controller may add provisions on the transfer of Personal Data, taking into account the need for the transfer and the provisions of the laws and regulations on Personal Data protection. However, the Personal Data Controller must consult with the PDP Committee in such cases (Article 187(3) and (4)).

c.  Binding corporate rules of the corporate group

The binding corporate rules referred to in (c) above may only be used if the recipient and the sender of the Personal Data belong to the same corporate group, i.e., if one party controls the other or both parties are controlled by the same party (Article 188(2)).

In turn, such binding corporate rules must include at least the following (Article 188(1)):

  1. The recipient is obliged to provide Personal Data protection equal to or better than the protection of Personal Data in Indonesia;
  2. Both the sender and the recipient of the Personal Data are bound by the binding corporate rules;
  3. The countries and territories to which the Personal Data will be transferred are specified in the binding corporate rules; and
  4. The roles, rights, and obligations of the parties involved (both the sender and the recipient of the Personal Data) are defined.


(d) Step 3: Consent of the Personal Data Subject

Article 189 provides that a cross-border transfer may be carried out on the basis of the Personal Data Subject’s consent if the Personal Data Controller is unable to fulfill the requirements of the two steps above. Article 190(2) then provides that cross-border transfers based on the consent of the Personal Data Subject may only be carried out if:

  1. The transfer is non-recurring;
  2. The number of Personal Data Subjects whose Personal Data is transferred is limited;
  3. The cross-border transfer is necessary to fulfill a condition that is not detrimental to the interests, rights, and freedoms of the Personal Data Subject;
  4. The Personal Data Controller has conducted a risk assessment[3] and has appropriate safeguards in place; and
  5. The Personal Data Controller has informed the PDP Committee and the Personal Data Subject of the cross-border transfer itself and of the compelling legitimate interests fulfilled by the transfer.


However, the Draft Regulation does not clarify how such consent is to be obtained; it only states that this will be provided for in the rules of the PDP Committee (Article 190(3)).[4]

3. Comparison with GDPR

As mentioned above, the PDP Law and the Draft Regulation do not fully clarify how cross-border transfers will operate in practice, and we must wait for the PDP Committee’s rules, which are expected to be issued in the future. On the other hand, the PDP Law and the Draft Regulation are similar to the GDPR in many respects. Therefore, to anticipate the future implementation of the PDP Law and the Draft Regulation, we discuss them below in comparison with the GDPR.

(1) Comparison of cross-border transfer frameworks

As mentioned above, the PDP Law and the Draft Regulation stipulate the three-step requirement for cross-border transfers. The GDPR, on the other hand, provides as its general rule only for transfers based on an adequacy decision (Step 1) and transfers subject to appropriate safeguards (Step 2). As described below, these correspond to the first and second steps of the three-step requirement in the PDP Law and the Draft Regulation.

The third step (consent of the Personal Data Subject) in the PDP Law and the Draft Regulation, however, is treated somewhat differently under the GDPR, as described below.

(2) Step 1: “Equivalent or higher level of Personal Data protection” (equivalent to “transfer based on an adequacy decision” under the GDPR)

With respect to the first step, the provisions of the PDP Law and the Draft Regulation are very similar to those of the GDPR.

As mentioned above, the PDP Law and the Draft Regulation provide that the PDP Committee determines which countries meet the relevant criteria, so that Personal Data may be transferred to those countries without any additional requirements. Likewise, the GDPR provides that a public authority (in the GDPR, the European Commission) decides whether a foreign jurisdiction ensures an adequate level of protection, so that transfers to such a jurisdiction do not require any specific authorisation (Article 45(1) of the GDPR).

The level of protection required of the destination jurisdiction is not spelled out in the wording of the GDPR, which requires only “an adequate level of protection” (Article 45(1) of the GDPR), whereas the PDP Law and the Draft Regulation clearly stipulate “equal to or higher than (Indonesia).” However, based on a ruling of the European Court of Justice (ECJ), an “adequate level of protection” is interpreted as requiring the third country to ensure a level of protection “essentially equivalent” to that guaranteed within the EU[5].

(3) Step 2: “Adequate and binding protection of Personal Data” (transfers subject to “appropriate safeguards” under the GDPR)

As mentioned above (2.(2)(c) a.), the PDP Law and the Draft Regulation provide that cross-border transfers are permitted if “adequate and binding protection of Personal Data” in one of the forms (a) to (d) is in place.

The GDPR likewise provides that, where the requirements of Step 1 are not met, a transfer may be made subject to appropriate safeguards, which include, among others, (a) legally binding and enforceable instruments between public authorities, (b) binding corporate rules, and (c) standard data protection clauses adopted by the European Commission (Article 46 of the GDPR).

Because standard data protection clauses (Article 46(2)(c) of the GDPR) are contractual in nature, they cannot bind public authorities in the third country. Where the law of the destination country grants its authorities mandatory access to such data (so-called government access), the clauses alone may therefore not provide sufficient protection. For this reason, the European Court of Justice has held that supplementary measures may be required depending on the circumstances in the country concerned[6], and the European Data Protection Board has issued Recommendations on such supplementary measures. This point is not addressed in the PDP Law or the Draft Regulation, but it may be stipulated in a future PDP Committee regulation.

(4) Step 3: “Consent of the Personal Data Subject” (GDPR: “transfers based on explicit consent”)

Regarding this requirement, the PDP Law and the Draft Regulation stipulate that, in principle, consent of the Personal Data Subject is one of the conditions under which a cross-border transfer is permitted.

The GDPR, on the other hand, states that, in principle, cross-border transfers are permitted only when one of the two aforementioned conditions is met, and provides “derogations for specific situations” as exceptions to this rule. One such exception is “transfers based on explicit consent” (Article 49 of the GDPR).

Thus, while the PDP Law and the Draft Regulation position transfers under the third step as one of the ordinary conditions for allowing cross-border transfers, the GDPR positions them as an exceptional measure (this point is also emphasized in the guidelines issued under the GDPR[7]).

While it is too early to assess the practical significance of this difference, it is possible that the PDP Committee regulations, which are expected to be issued in the future, will follow the GDPR and provide for stricter treatment of the third step, i.e., cross-border transfers based on the consent of the Personal Data Subject.

As mentioned above, the PDP Law and the Draft Regulation do not clearly specify how consent is to be requested and given. The GDPR, by contrast, stipulates that consent must be explicit and that the data subject must be informed in advance of the possible risks of the transfer (Article 49(1)(a) of the GDPR).

As for “explicit,” based on the guidelines issued by the Article 29 Working Party, consent must be expressed by an express statement, for example by making a written statement, sending an email, or filling out an electronic form; the absence of any response (silence), a pre-ticked box on an electronic form, or implicit conduct is not sufficient[8].

It is possible that future regulations issued by the PDP Committee will incorporate these points.

4. Conclusion

As mentioned above, while the Draft Regulation provides more specific provisions on cross-border transfers (Article 56 of the PDP Law) than the PDP Law itself, some areas remain unclear. We expect that the PDP Committee regulations will clarify these issues, and we will keep a close eye on future legislative developments.

*Please note that the Draft Regulation is only a draft, and some points may change before it is officially approved and issued. (The discussion in this newsletter relates only to the current draft.)

—–

[1] For the content of the PDP Law, please refer to our newsletter of October 2022 (https://oneasia.legal/8947). (Please note that only a Japanese version is available.)
[2] A Personal Data Subject is the natural person to whom the Personal Data concerned relates (Article 1(6) of the PDP Law).
[3] The risk assessment consists of an evaluation of the need for the transfer and of its impact on the rights of the Personal Data Subject (Article 194).
[4] Given that the Draft Regulation first provides for a general “consent” for the processing of Personal Data (Article 20(1) of the PDP Law and Article 44(2)(a) of the Draft Regulation), it seems likely that, in addition to such consent, a separate consent would be required for a cross-border transfer (i.e., a specific consent acknowledging that the transferred Personal Data may be subject to a lower standard of protection than that provided under Indonesian law). In any event, the details are not clarified in the Draft Regulation.
[5] ECJ Judgment of 16 July 2020, Schrems II, C-311/18, EU:C:2020:559, para. 94. https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1068615
[6] Ibid., paras. 128-135.
[7] EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf).
[8] For more information on consent under the GDPR, see Article 29 Working Party, Guidelines on consent under Regulation 2016/679. https://ec.europa.eu/newsroom/article29/items/623051