The protection of personal data is an interesting area of IT law, since it is generally covered in Law No. 11 of 2008 on Electronic Transactions & Information (“Law 11/2008”), and briefly mentioned in the draft e-commerce regulation. Under Law 11/2008, electronic system providers must retain transaction data and personal information that includes consumers’ data for at least 10 years. On the other hand, the draft e-commerce regulation requires all personal data used in electronic transactions to be erased immediately upon receipt of a request from the data owner.
The draft data protection law, as publicly known to date, covers, among other things:
the definition and scope of personal data, including its collection, protection, and what constitutes sensitive personal data;
the requirement of approval from the data owner for the use, operation, and suspension of the use of personal data, and the rule that the user of personal data may not prohibit or restrain the owner from withdrawing its own personal data;
the obligation of personal data users to protect and maintain the personal data they obtain (including the accuracy of the personal data) and to delete the personal data once the retention period has expired, the purpose of the use of the personal data has been achieved, or at the request of the data owner;
the prohibition against transfers of personal data to third parties offshore unless they are authorized, are parties to a contract between the personal data user and the offshore data receiver, or are allowed under an international agreement;
the settlement of disputes over personal data; and
the criminal sanction for misusing personal data, which is 1 (one) year imprisonment and/or a fine of up to Rp.300,000,000 (three hundred million Rupiah).
Although the draft law is included in the 2015 – 2019 National Legislation Program/Prolegnas, to date there is no indication as to when this law will be issued.