Rules on cross-border transfer of personal data and its impact on luxury brands in Indonesia

12 Feb 2019 , 3:01pm

Justisiari P. Kusumah and Danny Kobrata of K&K Advocates look at the regulations that affect the collection and use of data by luxury brands operating in Indonesia.

The value of data

Data is becoming more valuable than ever - every business needs to collect and analyse data, including those who operate in the luxury sector. It is widely understood that retailers in the luxury sector rely on data for marketing purposes. This is especially true for those who sell the product online. By analyzing the behavior of the customers through their online activity, the retailers can better predict their customers’ needs.  In addition, the data can also be used for customer loyalty schemes, maintaining customers’ records, as well as to provide good customer service.


In order to do so, companies often operate an integrated IT system to store all the data gathered from their outlets across the world. To allow the company to analyze the data, each outlet must send the data to the centralized system implemented by the company. This centralized system is usually located in foreign country. This is the practice that has been widely adopted by foreign luxury brands, where the personal data of Indonesian customers is stored outside Indonesia. This is no longer a problem when it comes to transferring data from one country to another thanks to the internet and technology advancements which allow such transfers to happen smoothly. What often serves as an impediment for transferring data from one country to another country is the existence of restrictions around transferring personal data to foreign countries.

Restrictions in Indonesia

Similar to other countries, restrictions on cross-border transfer of personal data also exist in Indonesia. Under the Minister of Communication and Informatics Regulation No. 20 of 2016 concerning Personal Data Protection in Electronic System (“MCI 20/2016”), every transfer of personal data from institutions within the jurisdiction of Indonesia to institutions outside Indonesia must coordinate with the Ministry of Communication and Informatics (“MCI”). The coordination is conducted by submitting a personal data transfer plan to MCI. Once the transfer has taken place, the transferring organization must submit a transfer report to the MCI.

Additional restrictions for a “public service” company

A somewhat more restrictive requirement on cross-border transfer of personal data is stipulated in Government Regulation No. 82 of 2012 concerning Implementation of Electronic System and Transaction (“GR 82/2012”). GR 82/2012 stipulates a requirement for every organization operating electronic systems for a public service to locate a data center and disaster recovery center within the jurisdiction of Indonesia. The key words here are ‘public service’. If a company is not for public service, then this obligation will not apply to it.

Generally, companies who operate in the retail and luxury sectors will not fall under the category of “public service”. However, as per the issuance of Minister of Communication and Informatics Regulation No. 36 of 2014 concerning Procedures for Registration of Electronic System Provider, the term “public service” is broadened to also cover, among others, website or online applications that are used to facilitate offer and/or trading of goods/services, and electronic systems used for online payments or financial transactions.

This means if companies in the luxury sector operate an online platform to market its products, or if it facilitates online payment or transactions, then it is likely that it will be considered as a “public service”, and thus under GR 82/2012, it is required to locate a data center and disaster recovery center in Indonesia.     

Please note however, that the obligations of coordination and data center localization above are currently not strongly enforced by the government. Even if there is any government enforcement it is still very selective. This is despite the fact that these obligations are already in force.

The future

Another point to note is that the coordination and data center localization obligations might change in the near future as the government is currently preparing a draft of the Personal Data Protection Act and amendment to GR 82/2012.

Based on the draft of the Personal Data Protection Act that has been publicly published by the government, transfer of personal data outside Indonesia is only allowed if the recipient country has the same level of personal data protection as Indonesia. Some exceptions (such as the existence of an agreement between the transferring organization and receiving organization and international agreement between countries) might apply. As for the data center localization requirement, it has been proposed in the draft amendment to GR 82/2012 that the obligation to locate a data center and disaster recovery center in Indonesia will apply only to specific categories of data, not to all types of data as currently stipulated in GR 82/2012.

While nothing can be confirmed about these two drafts regulations (as it is currently being discussed and subject to further change), it is important for those in the luxury sector to follow the development of these regulations as they will surely affect the way the companies collect and use the personal data of Indonesian customers in the future.