Database

Regulation 20 of 2016, an implimenting law of Regulation 82 of 2012, stipulates that consent from the data subject is necessary for the transfer of data, and that this consent should be expressed in writing.

In March 2016, Indonesia's Ministry of Communication and Informatics (MOCI) released a circular letter “Concerning the Provision of Application Services and/or Content over the Internet (OTT)”, which proposes a range of new regulations on Internet services. The packages include proposed requirements to use local IP numbers and store data within Indonesia.

It is reported that the requirements, as proposed, could present compliance problems for foreign service providers and raise competition concerns and trade barriers.

Additionally, a draft OTT regulation was issued in 2017 for public consultation and comments, signalling that the MOCI is still pressing on with these measures, although its contents may change.

In the Annex of Circular Letter of Bank Indonesia No. 16/11/DKSP Year 2014 regarding E-money Operations, there is a requirement for all operators of e-money to localise data centres and data recovery centres within the territory of Indonesia.

In Indonesia, data protection is covered by Law No. 11 of 2008 regarding Electronic Information and Transaction (EIT Law) and Government Regulation No. 82 of 2012 regarding the Provision of Electronic System and Transaction (Regulation 82), which went into force on 15 October 2012. Regulation 82 requires “electronic systems operators for public service” to set up a data center and disaster recovery center in Indonesian territory for the purpose of law enforcement and data protection.

In January 2014, the Technology and Information Ministry circulated a Draft Regulation with Technical Guidelines for Data Centers. The unclear and possibly all-encompassing definition of public services gave rise to concerns when a spokesperson was quoted saying: “[the draft] covers any institution that provides information technology-based services.” Data carriers covered by these provision, therefore, would include a wide range of actors such as cloud providers, foreign banks and mobile phone providers.

Regulation 82 states that the storing of personal data and performing a transaction with the data of Indonesian nationals outside the Indonesian jurisdiction is restricted. This requirement appears to apply particularly to personal data and transaction data of Indonesian nationals which is used within Indonesia and/or related to Indonesian nationals. The Regulation targets "electronic systems operators for public services", whose definition remains unclear.

In January 2014, the Technology and Information Ministry circulated a Draft Regulation with Technical Guidelines for Data Centers. The unclear and possibly all-encompassing definition of public services gave rise to concerns when a spokesperson was quoted saying: “[the draft] covers any institution that provides information technology-based services.” Data carriers covered by these provision, therefore, would include a wide range of actors such as cloud providers, foreign banks and mobile phone providers.

According to a proposed Data Protection Law, data transfer is permitted when (i) the data subject consents to it and in order to fulfill the purposes of the processing; (ii) it is necessary for performing a contract to which the data subject is a party; (iii) there is a legitimate interest by the transferor or transferee; and (iv) the law provides it as such. Additionally, international transfers of data will be considered lawful when the transfer is made to a person subject to the legal system of a country that provides adequate levels of protection, understood as meaning that such protection meets the standards similar or higher than those of the data protection law. The Personal Data Protection Agency will determine the countries that have adequate levels of data protection, considering the elements provided for by the data protection law.

Alberta’s Freedom of Information and Protection of Privacy Act permits the disclosure of personal information controlled by a public body in response to a “subpoena, warrant or order” only if issued by a court with “jurisdiction in Alberta.”

In 2006, Québec amended its Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information to require public bodies to ensure that information receives protection “equivalent” to that afforded under provincial law before “releasing personal information outside Québec or entrusting a person or a body outside Québec with the task of holding, using or releasing such information on its behalf.”

According to the Canadian Federal Law Personal Information Protection and Electronic Documents Act, consent is not necessary for transfer to third country as the Canadian law does not distinguish between domestic and international transfers of data. The company should, however, grant a comparable level of protection while the information is being processed by a third party. This is preferably achieved on a contractual basis with the third party.

British Columbia requires that personal information held by a public body (primary and secondary school, universities, hospitals, government-owned utilities and public agencies) must be stored or accessed only in Canada. A public body may override the rules where storage or access outside of the respective province is essential. Moreover, the data can be transferred outside Canada "if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction".

Nova Scotia requires that personal information held by a public body (primary and secondary school, universities, hospitals, government-owned utilities and public agencies) must be stored or accessed only in Canada. A public body may override the rules where storage or access outside of the respective province is essential. Moreover, the data can be transferred outside Canada "where the individual the information is about has identified the information and has consented, in the manner prescribed by the regulations, to it being stored in or accessed from, as the case may be, outside Canada".

Brunei has laws that require that data generated within the country should be stored only in servers within the country.

The data holder generally must abstain from making transfers of personal data if the destination country does not offer 'adequate protection levels', which are equivalent to those offered by the Personal Data Protection Law or in international standards.

If the destination country fails to offer adequate protection levels, the controller must guarantee that the treatment of personal data meets such requirement (for example, via a written agreement). This guarantee is not necessary if the owner of the personal data has given its prior, informed, express and unequivocal consent to the transfer or if other exceptions apply.

Moreover, any cross border data transfers must be reported to the Peruvian Data Protection Authority.

Under the Federal Privacy Act, before an organisation discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient will not breach the Australian Privacy Principles (APPs).
This requirement does not apply only if:
- the overseas recipient is bound by a law similar to the APPs that the data subject can enforce;
- the data subject consents to the disclosure of the personal data in the particular manner prescribed by APP; or
- another exception applies.
An organisation may be held liable for any breaches by that overseas organisation of the APPs.

The Personally Controlled Electronic Health Record Act of 2012 requires local data centres to handle 'personally controlled electronic health records'. Therefore, no electronic health information can be held or processed outside Australia, unless they do not "include information in relation to a consumer" or "identifying information of an individual or entity".