Baker Mckenzie | 22 September 2020
Indonesia: IA-CEPA - Impact on data localization and offshore data transfers in Indonesia
What is IA-CEPA?
Brief Overview of the IA-CEPA
Indonesia and Australia have made a framework to unlock the vast potential of the bilateral economic partnership, fostering economic cooperation between businesses, communities and individuals through the Indonesia-Australia Comprehensive Economic Partnership Agreement ("IA-CEPA")1.
The IA-CEPA was ratified by Australia on 26 November 2019 and by Indonesia on 6 January 2020, and came into force on 5 July 2020.
The main discussion in the IA-CEPA is on international trading aspects, including export and import activities, between Indonesia and Australia. In addition to the conventional trading matters, the IA-CEPA also talks about electronic commerce (e-commerce) and treatment of electronic systems and data.
This article focuses on the treatment of electronic systems and data, such as data localization and personal data protection In Indonesia due to the IA-CEPA.
Effect of a Bilateral Agreement
Implementation of the IA-CEPA in Indonesia
In response to the IA-CEPA, the Indonesian Government has issued three implementing regulations related to the implementation of the IA-CEPA in Indonesia.
These regulations address import-export activities between Indonesia and Australia. No specific regulations in respect of data localization and personal data have been proposed in response to the IA-CEPA.
As a sovereign country, the Indonesian Government is free to draft the concept for regulations in its territory; however, on the other hand, there are other considerations when drafting regulations, such as fulfilling and complying with commitments under bilateral agreements/relationships.
In brief, bilateral agreements such as the IA-CEPA will affect the decisions and directions of the Indonesian Government in preparing and issuing regulations.
Implication for Business
Data Localization Provisions in Indonesia under the IA-CEPA
Based on Article 13.12 of the IA-CEPA, Indonesia should not require an Australian party to use or locate computing facilities in Indonesia as a condition for conducting business in Indonesia, except where such a measure exists at the date of entry into force of this Agreement (and vice versa).
The above provision intends to give Indonesian and Australian business actors the ability to choose where data is stored, including on the cloud, and so to allow businesses to make efficient and cost effective decisions2.
Data Localization Provisions in Indonesia
The data localization provisions in Indonesia have been relaxed somewhat since the issuance of Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions ("GR 71") in October 2019.
Prior to GR 71, the previous regime required electronic system operators that provided public services (not specifically defined) to have an onshore data center and an onshore disaster recovery center.
GR 71 established a classification of public electronic system operators (i.e., government authorities and appointed parties) and private electronic system operators (e.g., private companies).
In terms of data localization requirements, only public electronic system operators must place their electronic systems and data in Indonesia.
GR 71 provides a two-year transitional period for public electronic system operators to place their electronic systems and data onshore (deadline is October 2021). At the time of publication of this article, during the transition period public electronic system operators can still place their electronic systems and data offshore.
Private electronic system operators can place their electronic systems and data in or outside of Indonesia, unless otherwise regulated such as in the financial services sector, provided that they maintain the effectiveness of law enforcement and legal monitoring in Indonesia.
Synergy with the IA-CEPA
The current general data localization provisions in Indonesia are in line with the intention of the IA-CEPA, whereby Indonesia allows private electronic system operators to process and store electronic systems and data offshore.
This means that companies, including foreign investment companies in Indonesia, can store their data offshore, including in Australia, as long as they are deemed as private electronic system operators.
With the IA-CEPA in place, should the Indonesian Government consider going back to the former regime of data localization requirements, it would need to consider if such a step may affect its trade relationship with Australia.
Specific Requirements in the Banking and Insurance Sectors
GR 71 specifically states that the provisions on data localization in the financial sector are governed further by the regulator and supervisory board in the financial sector (in this case, Bank Indonesia and the Financial Service Authority (commonly known as OJK)).
OJK has issued regulations3 that include specific data localization provisions for general banks and insurance companies. These regulations state that only certain electronic systems and data of general banks and insurance companies can be processed and stored offshore.
For electronic systems and data that can be stored and processed offshore, banks and insurance companies must obtain prior approval from OJK in order to conduct the offshore arrangements.
For other sectors, the requirements will refer to the general data localization requirements under GR 71.
Supporting Cross-border Data Flow
Personal Data and Offshore Data Transfer Provisions in Indonesia
Personal Information under the IA-CEPA
Under the IA-CEPA, “personal information” means any information, including data or opinions, about an identified or identifiable natural person. This is a very broad definition that can be interpreted to cover any information related to an individual.
Article 13.7 of the IA-CEPA provides that both parties must adopt or maintain a legal framework that provides for personal information protection and takes into account principles and guidelines of relevant international bodies.
Offshore Data Transfer Provisions under the IA-CEPA
The IA-CEPA contains the following cross-border data transfer provisions:
(i) Article 10.4: Treatment of Certain Information and Processing of Information
“Neither Party shall take measures that prevent transfers of information or the processing of financial information, including transfers of data by electronic means, or that, subject to importation rules consistent with international agreements, prevent transfers of equipment, where such transfers of information, processing of financial information or transfers of equipment are necessary for the conduct of the ordinary business of a financial service supplier. Nothing in this Article restricts the right of a Party to protect personal data, personal privacy and the confidentiality of individual records and accounts or to require compliance with domestic regulation in relation to data management and storage and system maintenance so long as such right is not used to circumvent the provisions of this Chapter and Chapter 9 (Trade in Services) and Chapter 14 (Investment).”
(ii) Article 13.11.2: Cross-Border Transfer of Information by Electronic Means
“2. Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.”
The above provisions in the IA-CEPA state that both parties must allow the cross-border transfer of information (data) as regulated in the IA-CEPA. Chapter 13 of the IA-CEPA specifically commits Australia and Indonesia to ensuring service suppliers and investors can transfer data across borders by electronic means.
Offshore Data Transfer Provisions in Indonesia
As the data protection regulation in Indonesia does not prohibit offshore data transfers, the current regulatory regime in Indonesia is in line with the cross border data transfer provisions in the IA-CEPA - albeit there are requirements that need to be fulfilled in order to conduct an offshore data transfer.
As an update, the Indonesian Government is preparing a data privacy law. This data privacy law will set, among other things, stricter requirements for offshore data transfers. Based on the latest draft, the Indonesian Government will impose requirements and not a prohibition on offshore data transfers. However, the draft data privacy law is still subject to changes until it is officially issued. To date, there is no official date for when the law will be issued, but it is expected to be issued around November 2020.
- The IA-CEPA came into force on 5 July 2020, and it covers the framework to unlock the vast potential of the bilateral economic partnership between Indonesia and Australia, fostering economic cooperation between businesses, communities and individuals in the two countries.
- With the IA-CEPA, Indonesia need to reconsider any plans to go back to the stricter regime of data localization requirements, as it may affect its trade relationship with Australia.
- The IA-CEPA ensures both Indonesia and Australia allow cross-border transfer of information (data).
3 These are (i) OJK Regulation No. 38/POJK.03/2016 as amended by OJK Regulation No. 13/POJK.03/2020 on the Implementation of Risk Management in the Use of Information Technology by General Banks, and (ii) OJK Regulation No. 69/POJK.05/2016 as amended by OJK Regulation No. 38/POJK.05/2020 on the Implementation of Insurance, Shariah Insurance, Reinsurance, and Shariah Reinsurance Businesses