
Chapter 5. Recommendations

5.4 Recommendations for Data Controllers and Data Processors

company does not need to have its own technology infrastructure. It can outsource the infrastructure according to its needs, including service and maintenance.600 However, the cloud provider should guarantee to provide and update the data security protection on the system, and protect the user’s personal data. Therefore, the cloud provider should make sure that its own employees have adequate competence, skill and knowledge to understand their responsibility in the cloud business.601 Employees should be able to identify their work tasks and be accountable for the authority that they hold.

The DPA,602 EU Directive 2016/680603 and EU Regulation 2016/679604 elaborate on the classification of organisations with a responsibility for the processing of personal data. However, there is no such classification of organisations in Indonesia. The interview findings show that ICT companies, as cloud providers, play the role of an integrator. This means that the company might deliver the obligation itself, or it may delegate the obligation to another party, that is, to an electronic agent. There is no compulsion on cloud providers to determine themselves as a data controller or data processor as there is in the EU regulation. Therefore, the recommendations related to data controllers and data processors are as follows:

5.4.1 Delegating responsibility on the contract between parties

The impact of Indonesian regulation on delegating responsibility from ESOs to electronic agents would bring legal uncertainty to the protection of personal data. This situation might arise if the contract between the customer and the ESO does not state clearly that the ESO will delegate its obligation, and the responsibility arising from that obligation, to an electronic agent.

600Ibid. (n 157).
601Ibid. (n 74).
602Ibid. (n 25), Section 1 (1).
603Ibid. (n 27), Article 3 (8,9).
604Ibid. (n 26), Article 4 (7).

Therefore, it is advisable to create a legal regime that puts a responsibility on organisations to state clearly, in the contract between the user and the provider, the obligation and responsibility of the ESO to manage the personal data on its premises. In a contract clause, it would be clearer if the provider stated the obligation and responsibility of provider and user as set out in the GDPR with regard to data controller and data processor. This is important for the cloud computing industry, since in this business ICT companies might act as the ESO or as an electronic agent, or might deliver the data to a third party without any consent from the data subject.

If we look at EU Regulation 2016/679, consent means:

‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.605

Therefore, any change in the processing of personal data should be stated clearly, including which organisation will be responsible for the data.

5.4.2 Reforming the classification of specific organisations on processing personal data in Indonesia

Indonesian regulations do not recognise the separation of responsibility of organisations as mandated in the EU. However, under Article 35 of Government Regulation 82/2012, electronic agents might have similar responsibilities to data processors, which work on behalf of the ESO. An electronic agent, according to Government Regulation 82/2012,606 is a device of an electronic system used to perform an electronic transaction. Government Regulation 82/2012607 also states that ESOs may delegate electronic transactions to electronic agents, and Indonesian Law 11/2008608 states that if the electronic transaction is conducted through an electronic agent, all the transactions become the responsibility of the electronic agent.

605Ibid. (n 26).
606Ibid. (n 253), Article 1(3).
607Ibid. (n 253), Elucidation.
608Ibid. (n 319), Article 21(2c).

Even though Indonesian regulations state that ESOs may delegate their obligation to electronic agents, the process of delegation should be made clear. The contract between the customer and the ESO should also state the process and who will be responsible for the data security process and the protection of personal data. The contract also needs to state clearly who will perform as the data processor and who will act as the data controller, as defined in the GDPR. If the new data protection regulation in Indonesia states this distribution clearly, then it will not be necessary to state it again in the contract. However, since Indonesian regulation has not stated it clearly, these contractual provisions might act as a substitute for the missing clauses in Indonesian regulation. The statement is required because Indonesian regulations do not regulate a separation of responsibility between data controller and data processor as the EU Regulation does. This clear separation will support ESOs and electronic agents in delivering their obligations and give legal certainty to customers regarding the protection of their personal data.

Therefore, there is a need to reform Indonesia’s data protection laws to state clearly who will be responsible for personal data protection, by setting out in the regulation a clear responsibility for ESOs and electronic agents, and whether delegating the electronic transaction eliminates the responsibility of the ESO. The Indonesian regulator might refer to the approach in EU regulation by splitting the roles of data controller and data processor. This is because ESOs and electronic agents have a similar role and obligation to the data controller and data processor, but not the same responsibility for personal data in electronic transactions if the obligation has been delegated to an electronic agent. Therefore, the clause in Government Regulation 82/2012 on the delegation of electronic transactions needs to be re-examined, and there should be government control over the delegation process from provider to a third party.

5.4.3 Re-examining the provision in Indonesian regulations related to the responsibility of ESOs and electronic agents

The provisions of Government Regulation 82/2012 related to ESOs and electronic agents do not have the same legal force as those for data controller and data processor in the EU Regulation. The obligation and responsibility of data controllers and data processors is stated clearly in the EU Regulation,609 while Indonesian Ministry Regulation 20/2016610 states the responsibility of ESOs and Government Regulation 82/2012611 states the responsibility of the electronic agent acting on behalf of the ESO. Indonesian Law 11/2008612 states that ESOs are no longer responsible for the protection of personal data when electronic transactions are delegated to electronic agents. Therefore, there is no legal requirement for ESOs to be responsible for personal data if electronic transactions are delegated to electronic agents; the responsibility is borne by the electronic agent alone. Since there is no clear separation of data controller and data processor in Indonesian law, it is suggested that the provisions of Indonesian Law 11/2008, Government Regulation 82/2012 and Ministry Regulation 20/2016 related to the responsibility of ESOs and electronic agents in protecting personal data be re-examined. This is to make sure that, in processing personal data, ESOs and/or electronic agents have fulfilled the data protection principles.

However, in the EU Regulation,613 when a processor delegates the processing activities to another processor, it still has the responsibility to perform personal data protection; the delegation does not waive the processor’s responsibility. The Regulation also states that, without instruction from the data controller, the data processor shall not process any personal data.614 Referring to the EU Regulation,615 the data controller and the data processor have to ensure and demonstrate that they implement appropriate technical and organisational measures for personal data protection. It clearly states the distinction between the two, and neither organisation may exceed the authority of the other. This clear classification simplifies the tasks and responsibility of each. Therefore, it is important for the Indonesian government to make a clear provision in the regulations as to which organisation will bear the responsibility of protecting personal data, in order to give legal certainty to customer, ESO and electronic agent.

609Ibid. (n 26), Chapter Four.
610Ibid. (n 11), Article 28.
611Ibid. (n 253), Article 35.
612Ibid. (n 319), Article 21(2c).
613Ibid. (n 26), Article 28(4).
614Ibid. (n 26), Article 29.
615Ibid. (n 26), Chapter Four.