Revision of PP PSTE, Kemkominfo Highlights Data Protection

Kominfo highlights the issue of data protection as a basis PP PSTE revision or PP No. 82 of 2012 concerning the Implementation of Electronic Systems and Transactions. This issue translates into placement data center (DC) and data recovery center (DRC) must exist in Indonesia.

The old rules put more emphasis on physical evidence in Indonesia, when in fact what is considered more important is the data.

"In the old regulations it regulated the physical, even though the important thing was the data. Currently we require the data not only physically," the Director General of Aptika, Kemkominfo, Semuel A Pangerapan, as quoted from Between.

Kominfo reformulated the rules in revision, by making the Electronic Data Classification (KDE). Arrangements are needed to clarify the legal subjects of electronic governance, including owners, controllers and processors of electronic data.

This KDE will manage data localization based on data classification approach. The classification is divided into three types, namely strategic data, high data, and low data.

This strategic data must be within the territory of Indonesia, use the Indonesian electronic system network, and make electronic backups and be connected to the data center. Further technical provisions will be determined by the president and regulated separately through a Presidential Regulation (Perpres).

Strategic data should not be exchanged abroad. This is because the data included in this classification include data on state administration, security, and defense.

High data and low data under certain conditions can be outside Indonesia provided that they meet the requirements of the industry study. What determines this is the Sector Supervisory and Regulatory Agency (IIPS) which is responsible for a particular sector. For example BI and OJK for the financial sector.

This PP revision will also contain that data must be encrypted, so that data remains safe from cyber attacks.

Confirm sanctions

This classification of data, previously not present in the old rules. Which, according to Semmy (Semuel's nickname), is vulnerable to non-compliance by Electronic System Operators (PSE).

"There is no classification of any data that must be placed, so there are no parameters for PSE as business actors. In the absence of this classification, it is likely that many PSEs will be closed or blocked due to violations of these obligations."

For this reason, the revision also clarifies violations of administrative sanctions, fines, to blocking the PSE in accordance with Article 40 of the ITE Law.

Currently, it is stated that the revision of the PP PSTE has been entered at the State Secretariat for the re-checking process before it is signed by the president. The draft has been sent since October 26 2018, after the harmonization process has been completed since October 22, 2018.