INDONESIA Law and Practice Contributed by: Agus Ahadi Deradjat (Agung), Mahiswara Timur, Nina Cornelia Santoso and Natasya Nurul Amalia, ABNR Counsellors at Law
locate their data centres and/or disaster recovery centres in Indonesia, unless otherwise approved by the OJK. Similarly, non-bank financial institutions are also subject to data localisation requirements under OJK Regulation No 4/POJK.05/2021 on the Implementation of Risk Management in Using Information Technology by Non-Bank Financial Services Institutions, as partially revoked by OJK Regulation No 10/POJK.05/2022 on Peer-to- Peer Lending (POJK 4). Healthcare Under Ministry of Health (MOH) Regulation No 24 of 2022 on Medical Records, medical records can be stored on digital-based storage media at health service facilities, including on servers, via certified cloud computing and via any other cer - tified digital-based storage media. Healthcare facilities can co-operate with an ESO that has onshore data storage facilities that have been white-listed by the MOH. Processing of Personal Data in the Context of Cloud Computing In many instances, cloud computing services would be procured from a third-party provider. In such case, the third-party provider must con - firm their role in the personal data processing (eg, whether they act as the data processor of the data controller). This is crucial for the third- party cloud computing provider, as the PDP Law differentiates between the liability of a data con - troller and data processor. Thus, the third-party cloud computing provider and the user should establish a set of clear provisions on the role, obligations and liability of each party in the con - text of personal data processing. In addition, the adoption of cloud computing technology may pose greater security risks to
users’ personal data as the technology may be more susceptible to cyber-attack, particularly if the solution is deployed without using a private network. Thus, business undertakings must ensure that cloud computing service providers are offering adequate robust security measures to mitigate those vulnerabilities, which shall be proportionate with the potential risk. 3. Artificial Intelligence 3.1 Liability, Data Protection, IP and Fundamental Rights Artificial intelligence (AI) has also reached Indo - nesia. The popularity of generative AI (eg, Chat - GPT) has led to a rapid increase in its usage and integration in a variety of sectors. This has resulted in concerns about compliance, as Indo - nesian regulations do not yet specifically encom - pass this particular technology, rather relying on existing general regulations. As a response to the rapid utilisation of AI, the MCIT issued Circular Letter No 9 of 2023 on Ethics of Artificial Intelligence (CL 9). CL 9 is essentially a guideline, which is focused more on supervision and governance in order to reduce potential risks. CL 9 is intended as a pointer to ethical values for business actors that use AI- based software. The scope of CL 9 includes general definitions and guidelines pertaining to values, ethics, con - sulting, analysis and programming activities, with an AI basis, for business actors and elec - tronic systems operators. Ethical values of AI introduced under CL 9 include – among others ‒ inclusivity, humanity, safety, accessibility, transparency, credibility, accountability, personal data protection, sus -
151 CHAMBERS.COM
Powered by FlippingBook