This content was last reviewed around June 2023.
Cloud-neutral
1. Are financial institutions legally permitted to use cloud services?
Yes, generally there is no prohibition on financial institutions using cloud services under applicable regulatory laws, save for some circumstances where financial institutions are required to observe certain regulatory restrictions and requirements when deemed to be outsourcing work (including IT functions). For instance, there is a prohibition on outsourcing the IT functions of peer-to-peer lending businesses, based on Financial Services Authority (Otoritas Jasa Keuangan (OJK)) Regulation No. 10/POJK.05/2022 on IT-Based Collective Funding Services.
2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?
Yes, while there are no specific regulations governing cloud use, in respect of information technology, cloud use is generally subject to consumer protection and data privacy rules. Financial institutions must comply with Financial Services Authority (Otoritas Jasa Keuangan (OJK)) Regulation No. 6/POJK.07/2022 on Consumer and Public Protection in the Financial Services Sector. This mandates that information technology must be supported by reliable technology, ensuring the security of personal data that must be routinely monitored. Data privacy rules will be discussed further under Q&A 7 on data privacy and security.
There are also institution-specific rules that apply to the outsourcing of information technology functions for different kinds of financial institutions. For instance, outsourcing for securities companies that are licensed as broker dealers is governed under OJK Regulation No. 50/POJK.04/2020 on Internal Control for Securities Companies that Carry out Business Activities as Broker Dealers ("OJK Regulation 50/2020"). A broker dealers, as defined by OJK Regulation 50/2020, is an entity that conducts trading of securities for its own benefit or for the benefit of other entities. Note that OJK Regulation 50/2020 is not applicable in cases where a company is only licensed to conduct securities underwriting.
Banks adhere to OJK Regulation No. 9/POJK.03/2016 on Prudential Principles of Banks that Partially Outsource Work to Other Parties. This covers the outsourcing of a bank's supporting business activities to other parties, which may include use of technology, such as cloud services.
Note that many financial institutions in Indonesia often enter into cooperation arrangements instead of outsourcing for cloud services. Cooperation between financial institutions and companies that provide cloud services are governed under the specific regulations applicable to such financial institutions.
3. Are there any specific contractual requirements for cloud outsourcing?
Generally, to cooperate with a third party, financial institutions must provide a template of a cooperation agreement to ensure that the template is in line with the Financial Services Authority (Otoritas Jasa Keuangan (OJK)) requirements. At a minimum, OJK Regulation No. 6/POJK.07/2022 on Consumer and Public Protection in the Financial Services Sector ("OJK Regulation 6/2022") sets out the requirements to ensure consumer protection principles are upheld. In the case of cooperation with third parties, OJK Regulation 6/2022 prohibits financial institutions from limiting the accountability of a financial institution for mistakes and/or negligence caused by a third party.
But there are more specific requirements applicable to outsourcing IT-related activities for certain financial institutions. For example, in OJK Regulation No. 9/POJK.03/2016 on Prudential Principles of Banks that Partially Outsource Work to Other Parties, which applies to banks, there is a requirement that the agreement must cover at least the following:
4. When does cloud outsourcing fall within the scope of the rules?
For banks, cloud outsourcing falls within the scope of supporting activities that are permitted to be outsourced, which means adhering to the following criteria: (a) low risk; (b) no requirement for a high-competence qualification in banking; and (c) is not directly related to decision-making processes that impact a bank's operations. There is arguably an exception for cloud outsourcing conducted by broker dealers. Under the Financial Services Authority (Otoritas Jasa Keuangan (OJK)) Regulation No. 50/POJK.04/2020 on Internal Control for Securities Companies that Carry out Business Activities as Broker Dealers, outsourcing to cloud service providers may not be considered as outsourcing on the basis that the services to be outsourced do not represent the entire IT function.
5. Does the outsourcing need to be notified to the regulator?
Whether notification is required depends on which type of financial institution conducts the outsourcing activity. Outsourcing of IT services by banks will need to be reported to the Financial Services Authority (Otoritas Jasa Keuangan) ("OJK"). In accordance with OJK Regulation No. 9/POJK.03/2016 on Prudential Principles of Banks that Partially Outsource Work to Other Parties, banks must submit an outsourcing plan report and a report on any issues arising from the outsourcing. The report on the outsourcing plan is submitted annually, at the latest by 31 December. Banks can only add and/or change a planned outsourced work activity that has been reported and must submit the report on the change to the outsourcing plan at the latest by 30 June of the current year.
6. What are the potential consequences for breaching financial services rules on cloud outsourcing?
Generally, non-compliance with the regulations of the Financial Services Authority (Otoritas Jasa Keuangan) are subject to written warnings and administrative fines, which upon persistent failure to remedy may lead to the limitation or suspension of business activities and revocation of the financial institution's license.
7. Are there any data privacy and/or data security laws that would apply?
Yes, there are four main regulations that govern data privacy in Indonesia: (i) Law No. 27 of 2022 on Personal Data Protection ("PDP Law"); (ii) Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions; (iii) Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions; and (iv) Minister of Communication and Informatics Regulations No. 20 of 2016 on Personal Data Protection in Electronic Systems. While the PDP Law is effective as of the enactment date, the regulation provides a two-year transitional period for parties to adjust their data privacy practices to comply with the PDP Law. In addition, the two-year period will also be used by the government to prepare and issue implementing regulations that are mandated by the PDP Law and stipulate the data protection authority that will oversee and monitor the implementation of the PDP Law.
The PDP Law introduces some new concepts such as the categorization of general and specific personal data, the concept of data controller and data processing, the lawful basis to use personal data besides express consent from data subjects, the strict requirement to notify if there has been a data breach, and new requirements regarding the transfer of personal data outside of Indonesia.
Prior to the PDP Law, the enforcement of data protection regulation in Indonesia was more focused toward the platform operator that collects personal data from the users. There was no differentiation between data controller and data processor prior to the PDP Law. Currently, the PDP Law provides for the concept of data controller and data processor. A data controller is every person, public agency and international organization that acts individually or jointly in exercising control over the processing of personal data, while a data processor is every person, public agency and international organization that acts individually or jointly in personal data processing on behalf of a data controller.
Generally, these regulations require electronic system operators to maintain the confidentiality of personal data, by not sharing it with any third party unless the requisite consent is obtained.
Additionally, electronic system operators (such as a cloud service provider) must implement the following personal data protection principles when processing personal data:
The PDP Law has added a further requirement to the personal data protection principles that "personal data processing is carried out responsibly, and which can be clearly proven."
8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?
Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions classifies electronic system operators into two categories: public electronic system operators and private electronic system operators. Public electronic system operators must process and store personal data only in Indonesia. In contrast, private electronic system operators (such as a cloud service provider) may process and store personal data offshore. However, under Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), the data controller/electronic system operator may transfer personal data to other data controllers and/or data processors outside the jurisdiction of Indonesia if any of the following can be fulfilled:
As such, based on the current PDP Law, the data controllers can still rely on the data subject's consent to an offshore data transfer. There is no strict requirement with respect to the country of the recipient having the same level of data protection as Indonesia, as this requirement can be waived if the data subject has consented to the offshore data transfer.
9. Does a cloud service provider need a financial services authorization or license to provide cloud services?
Yes, a cloud service provider, as an electronic system operator, must be registered with the Ministry of Communication and Informatics (MOCI). This requirement can be found in Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions. This registration requirement is only applicable for onshore entities, as offshore entities cannot register themselves in Indonesia. The registration process at MOCI is performed online by filling in an application form and furnishing to MOCI the supporting documents related to the electronic systems that the applicant/operator wishes to register.
10. Is express consent from customers or other data subjects required before moving data to the cloud?
As a rule, any use of personal data must be based on consent from the data owner. The consent must be in writing (i.e., express and opt-in consent), whether manually or electronically and in Bahasa Indonesia (although there is no prohibition on using a dual language format).
Prior to Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), Indonesia only recognized "valid consent" as the lawful basis for processing personal data. However, with the issuance of the PDP Law, a data controller can conduct data processing activity if it has fulfilled any or all of the following lawful basis of processing personal data (which may be similar to the EU GDPR concept):
However, in the absence of a further implementing regulation or guideline on the additional lawful bases (e.g., on how to determine whether a data processing activity can be covered under those additional lawful bases), consent remains an integral part of processing personal data, in the sense that if the data subject intends to revoke their consent, the data controller should cease processing the personal data. Further guidance is required from the Data Protection Authority on the lawful bases.
If the personal data processing activity is based on "explicit consent," the data controller must inform the data subject of all the following information:
The data controller must ensure that the above information has been communicated to the data subject prior to the data processing activity (e.g., incorporating the above information in a privacy policy). Furthermore, if there is any change in the information as mentioned above, the data controller must notify the data subject before any change in information occurs. While there is no specific explanation of "explicit consent" under Law No. 27 of 2022 on Personal Data Protection, "explicit consent" should refer to opting-in and express consent (where consent is not implied or given under duress or due to negligence). A simple "click to agree" box (or any other opt-in mechanism) should be sufficient to reflect "explicit consent." Indonesia does not have a concept of acceptance by silence and, therefore, a deemed/opt-out consent can be challenged.
If personal data is received indirectly from another entity, then in the legal documentation between the entities, the disclosing entity should represent to and warrant to the receiving entity that sufficient consent has been obtained from the data owner to allow the disclosing entity to share the personal data and for the receiving entity to process the personal data.
11. Are there any local laws that require a cloud service provider to be able to access the data it hosts?
There are none.
12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?
Under Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, private electronic system operators must ensure the effectiveness of government monitoring and law enforcement, including open access to electronic systems and data if requested (subject to further implementing regulations). Access to data may be needed in criminal investigations.
Under Ministry of Communication and Informatics (MOCI) Regulation No. 5 of 2020 (as amended by MOCI Regulation No. 10 of 2021) on Private Electronic System Operators, private electronic system operators are required to grant access to electronic data requested by the government. The regulation requires that the request for access should explain the basis for the authority (of the requesting governmental agency/institution), the purpose and objective of the request and the specific description of the electronic data requested. The private electronic system operator must comply with the request within five business days of receiving such a request by the private electronic system operator.