by Setyawati Fitrianggraeni, Sri Purnama
Personal Data are data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly, through an electronic or non-electronic system.[1] Every person can be an individual or a corporation,[2] and a Personal Data Subject is an individual with whom the Personal Data are associated.[3]
Data transfer is one process in Personal Data Processing,[4] and the processing is made by the Personal Data Controller, who is every person, public agency, and international organization that acts individually or jointly in determining purposes and exercising control over the processing of Personal Data.[5] In conducting Personal Data processing, the Personal Data Controller must maintain the confidentiality of the Personal Data.[6] This follows the confidentiality principle applied in Law Number 27 of 2022 on Personal Data Protection (PDP Law).
The transfer shall mean the transfer, delivery, and/or duplication of Personal Data, both electronically and non-electronically, from a Personal Data Controller to another party.[7] Secure file sharing refers to transferring files or data between individuals or organisations in a way that ensures the shared data’s confidentiality, integrity, and availability. If organisations are restricted in their ability to transfer data across borders lawfully, they may be unable to enter new markets, reach potential customers, and deliver their offerings to consumers, which can hold back innovation and consumers’ access to new technologies and services.[8] Accordingly, several articles of the PDP Law regulate secure and lawful data transfer.
Generally, the principles of consent and necessity govern the legal basis for data transfer rights, per the rights of Data Subjects regulated under PDP Law.[9] Specific regulations relate to data transfer under PDP Law,[10] and such transfers can be made within or outside the jurisdiction of the Republic of Indonesia.
Data transfer is a part of the processing of personal data.[11] Therefore, the data controller must have a basis for data transfer, such as
Article 35 of the PDP Law states that the Personal Data Controller must protect and ensure the security of the Personal Data that they process by performing:
Furthermore, the personal data controller must ensure that the country of domicile of the personal data controllers or processors that receive the transfer of personal data has a Personal Data Protection level equal to or higher than the PDP Law.[12]
While processing personal data, the Personal Data Controller must ensure its security and confidentiality by establishing technical procedures to mitigate and prevent potential threats. They must assess the appropriate security level based on the nature of the data and the associated risks.[13] In practice, for example, a bank adopted end-to-end encryption[14] for data transfers and established strict access controls to ensure that only authorised personnel could access sensitive information. The bank also used secure, encrypted communication channels for transmitting personal data to third parties, and it regularly audited its data transfer processes to identify and address any potential vulnerabilities.
Balancing innovation and privacy is a critical challenge in the digital age, as advancements in technology often involve collecting and processing vast amounts of personal data. It is a journey that accelerated with milestones like the advent of personal computers, the rise of social media, and the proliferation of smartphones. The surge of Artificial Intelligence (AI) introduces pressing concerns about safeguarding personal data. AI systems heavily rely on substantial personal data for learning and predictions, prompting scrutiny over data collection, processing, and storage practices. Insights from tech experts shed light on the unfolding landscape.[15]
Data ethics encompasses the moral obligations of gathering, protecting, and using personally identifiable information and how it affects individuals.[16] One major ethical dilemma emerging technologies face is data privacy,[17] specifically data transfer. Ethical dilemmas in data transfer often revolve around issues of consent and transparency. One primary concern is obtaining informed consent from Data Subjects whose data is being transferred; they must fully understand how their information will be used, shared, and protected.[18] Another challenge is ensuring transparency about data practices, including informing individuals of third parties who might receive their data and the purpose of such transfers. Ethical dilemmas can also arise when balancing the need for data to drive innovation with the potential privacy risks. Organisations must navigate these issues carefully to uphold ethical standards and maintain trust, ensuring that data transfer practices are lawful and respectful of individuals’ rights and expectations.
In this Digital Age, personal data can be transferred electronically either within the same country[19] or even across countries.[20] The PDP Law purports to have extraterritorial reach, which may impact businesses, government, and the public and expand the scope of doing business. For businesses, these regulations necessitate significant investments in compliance, including updating data protection infrastructure and revising international contracts to meet local legal requirements under the PDP Law.
The government will face the challenge of developing and enforcing robust compliance mechanisms while managing the broader implications for international trade and diplomatic relations. These regulations generally enhance privacy and data security for the public, providing better protection and transparency. On the other hand, the data transfer provisions of the PDP Law may impact personal data controllers and processors outside Indonesia’s jurisdiction.[21] All stakeholders must comply with these provisions, because failing to comply can seriously affect the trust and stability of data subjects and the public.
In conclusion, ensuring secure data transfers under PDP Law is paramount for protecting personal and sensitive information in an increasingly digital world. The importance of robust data protection measures cannot be overstated, as they safeguard individual privacy and bolster business credibility and regulatory compliance. Adhering to these regulations helps prevent data breaches and misuse, fostering a secure and trustworthy digital ecosystem. As we look ahead, the interoperability challenge will become a critical focus. Navigating the complexities of varying data protection standards across different jurisdictions will be essential for maintaining seamless international data flows. It is also essential to maintain integrity and confidentiality, which are foundational to customer trust and operational success.
[1] Article 1 point 1 of Law Number 27 of 2022 on Personal Data Protection.
[2] Article 1 point 7 of Law Number 27 of 2022 on Personal Data Protection.
[3] Article 1 point 6 of Law Number 27 of 2022 on Personal Data Protection.
[4] Article 16 paragraph (1) point e of Law Number 27 of 2022 on Personal Data Protection.
[5] Article 1 point 4 of Law Number 27 of 2022 on Personal Data Protection.
[6] Article 36 of Law Number 27 of 2022 on Personal Data Protection.
[7] Elucidation Article 16 letter e of Law Number 27 of 2022 on Personal Data Protection.
[8] TechUK, “International Data Transfers: what are they and why are they so important?”, techUK For What Come Next, https://www.techuk.org/resource/international-data-transfers-what-are-they-and-why-are-they-so-important.html accessed 28 July 2024.
[9] Bart Custers and Gianclaudio Malgieri, “Priceless data: why the EU fundamental right to data protection is at odds with trade in personal data”, Elsevier, Vol. 45, July 2022, p. 2.
[10] Chapter VII Transfer of Personal Data of Law Number 27 of 2022 on Personal Data Protection.
[11] See, Article 16 paragraph (1) letter e of Law Number 27 of 2022 on Personal Data Protection.
[12] Article 56 paragraph (2) of Law Number 27 of 2022 on Personal Data Protection.
[13] The Personal Data Controller must assess the impact of Personal Data Protection in the event that the Personal Data processing has a high risk potential to the Personal Data Subject. See, Article 34 of Law Number 27 of 2022 on Personal Data Protection.
[14] End-to-end encryption (E2EE) is a method of secure communication that prevents third parties from accessing data while it’s transferred from one end system or device to another. See, Ben Lutkevich, “End-to-end encryption (E2EE)”, TechTarget, https://www.techtarget.com/searchsecurity/definition/end-to-end-encryption-E2EE accessed 28 July 2024.
[15] Tahir Khan, “Balancing Innovation & Privacy: A Deep Dive Into Data Protection”, The Barrister Group, https://thebarristergroup.co.uk/blog/balancing-innovation-and-privacy accessed 28 July 2024.
[16] Catherine Cote, “5 Principles of Data Ethics for Business”, Harvard Business School Online, https://online.hbs.edu/blog/post/data-ethics accessed 29 July 2024.
[17] Lubna Luxmi Dhirani, et al., “Ethical Dilemmas and Privacy Issues in Emerging Technologies: A Review”, Sensors, 23 (3): 1151, p. 2.
[18] Article 16 paragraph (2) letter f of Law Number 27 of 2022 on Personal Data Protection.
[19] A Personal Data Controller may transfer Personal Data to other Personal Data Controllers within the jurisdiction of the Republic of Indonesia. See, Article 55 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[20] A Personal Data Controller may transfer Personal Data to other Personal Data Controllers and/or Personal Data Processors outside the jurisdiction of the Republic of Indonesia in accordance with the provisions stipulated under this Law. See, Article 56 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[21] See, Article 56 paragraph (2) and (3) of Law Number 27 of 2022 on Personal Data Protection.