The principal regulation is Law 27 of 2022 on Personal Data Protection (“PDPA”). Please refer to this article for an overview of the PDPA.
Data breaches encompass incidents in which the data controller's system is hacked, the hackers gain access to personal data, and they release that personal data on the web because their ransom demand is not satisfied. A data breach can also happen when a company employee, whether intentionally or inadvertently, releases personal data into the public domain. For the purpose of this article, a data breach refers to a situation in which a data controller's system has been hacked and personal data is disclosed, because this type of breach appears to be the most prevalent in Indonesia.
This article discusses the following:
1. Liability of data controller in the event of a breach caused by hackers
In a sense, the data controller is itself a victim of the hackers, but the public probably does not see it that way. The real victims are the data subjects, who become vulnerable once their personal data, some of it likely sensitive in nature, is cast into the public domain.
It should first be clarified that the loss of data is not through any volitional act of the data controller. The criminal provisions in the PDPA arguably do not ensnare a hacked data controller. Consider Article 67 paragraph (2) of the PDPA below, which imposes criminal liability for the unauthorized disclosure of personal data:
Every Person who intentionally and unlawfully discloses Personal Data that do not belong to them as referred to in Article 65 paragraph (2) shall be sentenced to a maximum imprisonment of 4 (four) years and/or a maximum fine of Rp4,000,000,000.00 (four billion rupiah).
Article 67 paragraph (1) and Article 67 paragraph (3) PDPA concern criminal sanction for unauthorized collection and unauthorized use of personal data respectively.
It is arguable that the act of disclosure is not by the data controller but rather by the hackers who stole the personal data and released it into the public domain. There are some concerns that this provision is of a "rubbery" nature (a local term meaning that a law may be given a broad application) and could therefore be stretched to indict a data controller that has had the misfortune of being hacked.
On balance, we are inclined to the view that a hacked data controller should not be caught by the criminal provisions but could still be administratively fined (discussed below).
This view was supported by a public prosecutor who spoke about the criminal sanctions under the PDPA shortly after its introduction. He shared his view that it would probably be difficult to prefer criminal charges against a data controller based on the criminal provisions in the PDPA.
We will discuss administrative sanctions in the next section.
2. Steps to take to minimize liability
We first touch on the responsibility under the PDPA to keep information systems safe, in terms of "preventing personal data from being accessed illegally". The relevant provision is:
Article 39 of PDPA
(1) The Personal Data Controller must prevent the Personal Data from being accessed illegally.
(2) The prevention as referred to in paragraph (1) shall be carried out by using a security system for the processed Personal Data and/or by processing Personal Data by using an electronic system in a reliable, secure, and responsible manner.
(3) The prevention as referred to in paragraph (2) shall be carried out in accordance with provisions of laws and regulations.
At first glance, this provision seems to impose an absolute standard of preventing data leaks. In other words, Article 39 paragraph (1) of the PDPA would be breached whenever a data controller is hacked, even if it had made its best efforts to keep the system safe according to the latest best practices.
There is, however, some room to argue that the responsibility is not an absolute one, in view of Article 39 paragraph (2) of the PDPA. It can be said that Article 39 paragraph (2) stipulates the standard to be met in satisfying the requirement of preventing unauthorized access: "by using a security system ... or using an electronic system in a reliable, secure, and responsible manner."
Regard should also be given to Article 35 of PDPA on preventive measures to be taken:
The following pre-PDPA Ministerial Regulation* may also be relevant on steps to take:
Every Electronic System Operator shall be obligated to the following:
It is therefore recommended that good records and written policies be kept, should it become necessary to demonstrate compliance with Article 39 paragraph (2) of the PDPA.
Evidence of certification by independent parties is likely to be helpful should it become necessary to defend the security of the data controller's electronic system following a data breach. Other anticipatory measures include putting in place an "internal regulation" and maintaining an "audit track record".
Where a data processor is engaged to process data, it would serve the data controller well to satisfy itself that the data processor has such procedures in place, to conduct periodic reviews of them, and to maintain records of such processors.
In the event of being hacked, under Article 46 paragraph (1) of PDPA, the data controller is required to take the following steps:
The data controller should take protective action and launch an internal investigation of the breach. While doing so, it should organize the records of its internal procedures and audits, if available, and take professional advice on how best to present them to the government oversight agency.
Assuming that the criminal sanctions are not applicable, and that the data controller cannot exculpate itself by putting forward the preventive measures discussed above, it may face one of the administrative sanctions provided by Article 57 paragraph (2) of the PDPA.
Article 57 paragraph (2) of PDPA
(2) The administrative sanctions as referred to in paragraph (1) shall be in the form of:
The administrative fine can be up to a maximum of 2% of the company's annual revenue (Article 57 paragraph (3) of the PDPA).
It is understood that administrative sanctions are to be imposed by a government oversight agency to be set up under Article 58 of the PDPA.
This government agency has yet to be established. In any case, companies have up to two years from 17 October 2022 to comply with the regulatory provisions on personal data processing under the PDPA.
For an overview of the PDPA, please see the article on this link.
* Ministry of Communication and Informatics Regulation No. 20 of 2016 on Data Protection in Electronic Systems