Database

Breaches of the Act on the Protection of Personal Information may result in fines up to 300,000 yen (around 2,500 USD) or imprisonment up to 6 months.

In the financial sector, companies are required to alert both the authorities and the data subjects in case of a breach.

In the financial sector, companies are required to appoint a data protection officer (DPO).

A ruling in December 2015 by Saitama district court is the first in the country to cite the right to be forgotten in demanding the removal of personal information online. Previously, in October 2014, a Japanese man asked a Tokyo court to fine Google Inc., after it failed to remove certain Internet search results referencing him, despite being ordered to do so in a previous judgement by the Tokyo District Court.

The National Center of Incident Readiness and Strategy for Cybersecurity’s (NISC) “Common Standards for Information Security Measures for Government Agencies” allows for government agencies to make use of systems that are "isolated" from the internet if necessary. Information on the agencies affected is not readily available. This policy effectively involves the localisation of data used by the public services concerned.

The Act on the Protection of Personal Information (APPI) did not originally restrict the transfer of personal information to foreign countries, but amendments enacted in 2015 and which took effect in May 2017 added restrictions on cross-border data flows. The amended APPI prescribes three types of legitimate transfers of personal information to a third party in a foreign country: (1) transfers to a country that the Personal Information Protection Commission (PPC) has designated as having an acceptable level of data protection; (2) transfers to a third party in a foreign country in circumstances in which actions have been taken to ensure the same level of data protection as in Japan (such as entering into a data transfer agreement imposing obligations on the transferee meeting the requirements of the APPI); or (3) transfers with the data subject’s consent.

The sanctions for breaching data privacy are found in the Electronic Information and Transaction Law (EIT Law) and Regulation 82. The EIT Law provides a maximum of 12 years' imprisonment and/or a maximum fine of 12 billion IDR (around 870,000 USD). Imprisonment may be imposed for severe breaches and intentional infringement.
Moreover, failure to comply with Regulation 82 would be subject to administrative sanctions in the forms of:
- a written warning;
- administrative fines;
- temporary dismissal;
- expulsion from the list of registrations.

Regulation 20 of 2016, an implimenting law of Regulation 82 of 2012, stipulates that consent from the data subject is necessary for the transfer of data, and that this consent should be expressed in writing.

In March 2016, Indonesia's Ministry of Communication and Informatics (MOCI) released a circular letter “Concerning the Provision of Application Services and/or Content over the Internet (OTT)”, which proposes a range of new regulations on Internet services. The packages include proposed requirements to use local IP numbers and store data within Indonesia.

It is reported that the requirements, as proposed, could present compliance problems for foreign service providers and raise competition concerns and trade barriers.

Additionally, a draft OTT regulation was issued in 2017 for public consultation and comments, signalling that the MOCI is still pressing on with these measures, although its contents may change.

In the Annex of Circular Letter of Bank Indonesia No. 16/11/DKSP Year 2014 regarding E-money Operations, there is a requirement for all operators of e-money to localise data centres and data recovery centres within the territory of Indonesia.

In Indonesia, data protection is covered by Law No. 11 of 2008 regarding Electronic Information and Transaction (EIT Law) and Government Regulation No. 82 of 2012 regarding the Provision of Electronic System and Transaction (Regulation 82), which went into force on 15 October 2012. Regulation 82 requires “electronic systems operators for public service” to set up a data center and disaster recovery center in Indonesian territory for the purpose of law enforcement and data protection.

In January 2014, the Technology and Information Ministry circulated a Draft Regulation with Technical Guidelines for Data Centers. The unclear and possibly all-encompassing definition of public services gave rise to concerns when a spokesperson was quoted saying: “[the draft] covers any institution that provides information technology-based services.” Data carriers covered by these provision, therefore, would include a wide range of actors such as cloud providers, foreign banks and mobile phone providers.

Regulation 82 states that the storing of personal data and performing a transaction with the data of Indonesian nationals outside the Indonesian jurisdiction is restricted. This requirement appears to apply particularly to personal data and transaction data of Indonesian nationals which is used within Indonesia and/or related to Indonesian nationals. The Regulation targets "electronic systems operators for public services", whose definition remains unclear.

In January 2014, the Technology and Information Ministry circulated a Draft Regulation with Technical Guidelines for Data Centers. The unclear and possibly all-encompassing definition of public services gave rise to concerns when a spokesperson was quoted saying: “[the draft] covers any institution that provides information technology-based services.” Data carriers covered by these provision, therefore, would include a wide range of actors such as cloud providers, foreign banks and mobile phone providers.

The Personal Data (Privacy) Ordinance implicitly requires the appointment of a data protection officer to whom data access and data correction requests can be sent.

By rejecting on an appeal brought by David Webb against an enforcement notice issued by the Privacy Commissioner for Personal Data requiring Mr. Webb to remove from webb-site.com the names of parties set out in court judgments of matrimonial proceedings published on the Hong Kong judiciary's website over a decade earlier, the Administrative Appeals Board (ABB) has established a precedent for the "right to be forgotten" in Hong Kong. The decision has been based on the Data Protection Principle 3 of the Personal Data (Privacy) Ordinance, which concerns the original purpose for which personal data was collected.

The proposal of Data Protection Law will impose fines of up to CLP 236,500,000 (approximately USD 370,000).