Indonesia's Data Protection Regulation 2012: A Brief Code with Data Breach Notification

Privacy Laws & Business International Report, Issue 122, 24-27, April 2013

UNSW Law Research Paper No. 2013-36

8 Pages. Posted: 17 Jun 2013. Last revised: 8 Jul 2013

Graham Greenleaf

University of New South Wales, Faculty of Law

Sinta Dewi

Padjadjaran University - Faculty of Law

Date Written: April 16, 2013

Abstract

Indonesia is usually ignored in discussions of data protection, but as an Asian democracy with a population of over 250 million (exceeded only by China and India) and a fast-developing economy with 6.2% economic growth in 2012, its position is important to data privacy in Asia. Although it is the largest ASEAN state, it has moved slowly to provide comprehensive legal protection for personal information, and is now lagging behind its ASEAN neighbours, Singapore, Malaysia and the Philippines, all of which now have data protection laws covering much of their private sectors (and the public sector, in the case of the Philippines).

Although Indonesia has not yet gone down the path of comprehensive legislation, it has in late 2012 enacted a Regulation under its 2008 law on electronic transactions (previously dormant in relation to data protection but active in some areas such as cybercrime), adding more data protection elements, and a data breach notification requirement. This article analyses these new developments, and concludes that Article 15 of the Regulation, coupled with Article 26 of the 2008 law, and various other provisions in the Regulation, provide between them most of the elements of a brief data protection code, enforceable through court actions. However, there have as yet been no actions to enforce these rights, and Indonesia does not have a data protection authority or other enforcement body to do so.

The article also discusses the ongoing moves within various Ministries to develop a full data protection law, and various reasons for this in different Ministries, and the constitutional cases on telecommunications interception which have decided that there is an implied constitutional right of privacy, which may affect both the government’s obligations to enact data protection laws, and the interpretation of any laws so enacted.

Keywords: Asia, Indonesia, data protection, privacy, data breach notification, constitution, human rights

Suggested Citation

Greenleaf, Graham and Dewi, Sinta, Indonesia's Data Protection Regulation 2012: A Brief Code with Data Breach Notification (April 16, 2013). Privacy Laws & Business International Report, Issue 122, 24-27, April 2013; UNSW Law Research Paper No. 2013-36. Available at SSRN: https://ssrn.com/abstract=2280044

Graham Greenleaf (Contact Author)

University of New South Wales, Faculty of Law

Sydney, New South Wales 2052
Australia
+61 2 9385 2233 (Phone)
+61 2 9385 1175 (Fax)

HOME PAGE: http://www2.austlii.edu.au/~graham

Sinta Dewi

Padjadjaran University - Faculty of Law

Jalan Dipati Measure No. 35
Bandung, 40132
Indonesia
