INDONESIA Law and Practice Contributed by: Agus Ahadi Deradjat (Agung), Mahiswara Timur, Nina Cornelia Santoso and Natasya Nurul Amalia, ABNR Counsellors at Law
• device end-user IDs; or • internet protocol numbers. Electronic Agents
appropriate lawful basis for data processing and inform the data subject in a transparent manner. 4.2 Compliance and Governance The deployment of the IoT in Indonesia offers numerous opportunities across various sectors. However, it also introduces significant challeng - es for companies offering IoT services in terms of compliance and governance. These com - panies must navigate IoT-related regulations, including fulfilling the mandatory certification requirements outlined in MOCD Regulation No 3 of 2024 on Standardization and Certification of Telecommunication Equipment. The certification process requires device importers, manufactur - ers, distributors and brand owners/licensees to ensure that their devices are compliant with the relevant technical standards determined for each type of device and technology. 4.3 Data Sharing IoT companies might be subject to (i) personal data protection regulations (ie, the PDP Law and its implementing regulations) if sharing personal data and (ii) sector-specific regulations if data sharing would involve specific industries (eg, financial institutions). Cross-Border Personal Data Transfer Requirements Cross-border personal data transfer by a data controller may only be performed upon meet - ing the following conditions under the PDP Law, which must be assessed and implemented in sequence: • adequacy of protection – the country of domicile of the receiving data processor and/ or data controller has a personal data protec - tion level that is equal or higher than the PDP Law;
Although not specifically regulated, the automa - tisation of information processing possible with the IoT render it comparable to an “electronic agent” under Indonesian law. The EIT Law essentially defines an electronic agent as “a device of an electronic system that is made to perform an action based on certain electronic information provided automatically by a person”. The phrase “automatically by a person” refers to natural persons or legal entities (both Indonesian citizens and foreign nationals). Data Protection All personal data processing activities involved in the operation of the IoT will fall within the material scope of the PDP Law, given that IoT devices may process personal data. The key data protection challenges relevant to the use of the IoT are as follows. Difficulty in determining responsibility upon failure to protect personal data IoT services typically involve more parties than mobile operators. Given the multitude of com - ponents involved, it is essential to conduct an assessment of data processing activities in order to determine the relevant data protection roles (ie, data controller or data processor) and their attendant obligations. Abuse of data collection Private entities that provide IoT devices or ser - vices that can access IoT data may use or dis - close personal information for additional purpos - es, such as profiling, targeted advertising or the sale of data to data brokers. In accordance with the PDP Law, the data controller must secure the
154 CHAMBERS.COM
Powered by FlippingBook