By Shafira Nadya Nathasya
11 Dec 2023
Cross-Border Transfer of Personal Data.
Hello Privacymu Buddies!
On October 17, 2022, Indonesia ushered in a new regulatory era by introducing and implementing Regulation No. 27 of 2022, which focuses on protecting personal data and is commonly referred to as the PDP Regulation. The PDP Regulation was drafted and passed for a reason: various sectors of life now use information technology systems, including the trade sector, education sector, health sector, government sector, and other sectors.
In 2022, the Indonesian Internet Service Providers Association conducted an Indonesian Internet Profile Survey, which stated that internet-connected residents increased by 3.32% during 2021-2022. This survey proves the increasing use of technology by the people of Indonesia.
Growing use of technology goes hand in hand with easier access to personal data belonging to the Data Owner. This convenient access, however, poses a risk of personal data leakage, where the Data Owner may remain unaware that their data has been leaked or traded, resulting in potential material and non-material losses. These actions undoubtedly affect the privacy rights vested in Data Owners, which enable individuals to regulate access to both themselves and their information, underscoring the significance of establishing robust safeguards in the digital realm.
Protecting personal data is a mandate from Article 28G paragraph (1) of the 1945 Constitution, which states that everyone has the right to protect themselves, their family, honor, dignity, and property under their control. This right extends to a sense of security and protection from threats that may induce fear, an inherent human right concerning actions one chooses to undertake or abstain from. The Cross-Border Transfer of Personal Data containing information about an individual instills apprehension as it raises concerns that parties engaging in cross-border data flows may infringe upon the individual's privacy.
The PDP Regulation governs the Cross-Border Transfer of Personal Data, also referred to as Transborder Data Transfer or Cross-Border Data Flows. The OECD Privacy Guidelines state that Cross-Border Transfer of Personal Data means moving personal data across national borders. An example of a Cross-Border Transfer of Personal Data is a transaction that includes personally identifiable information, such as credit history, criminal record, employment record, medical history, and roster. Such personally identifiable information then appears in commercial and financial data streams.
Several European countries have enacted personal data protection regulations to protect their citizens from improper use of personal information transferred across borders. Implementing Cross-Border Personal Data Transfer aims to enable companies to offer completely new products, improve the flow of information through Cross-Border Transfer of Personal Data, expand and deepen the world market and make it more interdependent. Telecommunications policy will have a great influence. The impact will strengthen the behavior of multinational companies, thereby encouraging the development of world trade and foreign investment.
Previously, the Regulation of the Minister of Communication and Information Technology Number 20 of 2016 concerning Personal Data Protection in Electronic Systems (Minister of Communication and Information 20/2016) set out provisions on Cross-Border Transfer of Personal Data in Article 22, which covers the transfer of Personal Data managed by Electronic System Operators (PSE) from within the territory of Indonesia to outside the territory of Indonesia.
This provision was then followed by Government Regulation Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions (PP PSTE), which lists various types of personal data processing, including the acquisition and collection, processing and analysis, correction and update, display, announcement, transfer, dissemination, or disclosure, and deletion or destruction of Personal Data.
Article 56 of the PDP Regulation addresses the provisions governing the implementation of Cross-Border Transfer of Personal Data. In this context, the Personal Data Controller is permitted to transfer Personal Data to entities, both Personal Data Controllers and Processors, located outside the jurisdiction of Indonesia. However, this transfer comes with the obligation to ensure that the country of residence of these entities maintains a level of Personal Data Protection equal to or higher than that stipulated in the PDP Law. If the aforementioned conditions are not met, the Personal Data Controller must guarantee sufficient and binding Personal Data Protection. Failing compliance with these requirements, the Personal Data Controller is further obligated to secure the consent of the Personal Data Subject.
Cross-Border Transfer of Personal Data is like a two-sided coin: it can affect both privacy and the economy. Although the aim is to improve the economy and trade, it is undeniable that handling and processing without adequate protection can result in privacy processing failures and adverse effects on the image of the PSE concerned. Therefore, before carrying out Cross-Border Personal Data Transfer, it is necessary to ensure that both the sending and receiving countries are ready to provide adequate personal data protection.
That wraps up the discussion on "Cross-Border and Privacy Transfer of Personal Data." Hopefully, this information proves beneficial for you, Privacymu Buddies.
Sources
Asosiasi Penyelenggara Jasa Internet Indonesia. “Survei Profil Internet Indonesia 2022”. <https://apjii.or.id/survei> [20/07/2022]
Beling, Craig T. “Transborder Data Flows: International Privacy Protection and the Free Flow of Information”. Boston College International and Comparative Law Review. 6:2. (1983).
Moore, Adam. “Defining privacy”. Journal of Social Philosophy. 39:3. (2008).
Undang-Undang No. 27 Tahun 2022 tentang Pelindungan Data Pribadi
The OECD Privacy Guidelines
Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 tentang Pelindungan Data Pribadi Dalam Sistem Elektronik
Peraturan Pemerintah Nomor 71 Tahun 2019 tentang Penyelenggaraan Sistem dan Transaksi Elektronik.