The roles of data controller and data processor

Regulation, for business continuity, should be able to protect all aspects of cloud computing. Indonesia has made regulations related to ISMS and the protection of 501_{Ibid. (n 26), Article 37(1).} 502_{Ibid. (n 26), Article 37(5,6).} 503_{Ibid. (n 26), Article 37(6).} 504_{Ibid. (n 26), Article 38(6).} 505_{Ibid. (n 26), Article 39.} 506_{Ibid. (n 26), Article 68.}

personal data in electronic systems. However, the Ministry Regulations do not define the roles of the data controller and data processor. To maintain data in Indonesia, the Indonesian government has a provision related to Electronic System Operators (ESO) in Government Regulation 82/2012, which refers to:

‘any person, state administrator, business entity, and public that provides, manages, and/or operates an Electronic System, either individually or jointly, to the Electronic System users for the interests of its own and/or other parties’.507

Under this regulation, the ESO has duties on registration, hardware, software, experts, system management, the obligation to keep the personal data, good management and accountability, data and disaster recovery centres, security of the system and certification,508 and ‘shall maintain the confidentiality, integrity, and availability of the personal data are managed by ESO’.509 Aside from that, the provisions in this regulation state that the ESO should make sure that the data kept are secure.

Indonesian Ministry Regulation 20/2016510 regulates how personal data should be processed. The regulation states that personal data should be kept for five years. It states how the data should be kept, and how to delete data that is no longer needed. However, it does not state clearly who is in charge of the process.

Since there is no separation of data controller and data processor in the Indonesian regulations, companies in Indonesia that deal with electronic systems should meet the obligations of both data controller and data processor. The ICT companies’ obligation is to specify and process the customers’ personal data. The purpose of the regulation is not to separate the electronic system operators but to give comprehensive protection to the customer. However, itis stated in the regulation that the operator can delegate its obligation to an electronic agent through a specific contract.511 This regulation can have a benefit or a disadvantage for the provider. The benefit is that the provider can give a comprehensive service and performance for its customers by being a one-stop shop. However, it will be a disadvantage for the provider if there is no separation 507_{Ibid. (n 253), Article 1 (4).} 508_{Ibid. (n 253), Article 5-32.} 509_{Ibid. (n 253), Article 15.} 510_{Ibid. (n 11), Article 15-19, 25.} 511_{Ibid. (n 253), Elucidation.}

division in the company to handle the personal data. This will give legal uncertainty related to the responsibility of the maintenance of personal data. If the regulation has separated the obligations of the provider in relation to who will be responsible to the data controller or data processor, it will give clear protection for the provider and consumer in the light of personal data protection.

The UK’s DPA distinguishes the terms of data controller and data processor and give clear separation of the responsibility of each. This separation is also enacted in the EU and is legally binding on its members, including the UK. Both the EU and the UK are very concerned about the protection of personal data. Therefore, this separation gives legal certainty for its members and companies that deal with personal data protection. The separation gives clarification of who owns the data and who will process it. The DPA,512 EU Directive 2016/680513 and EU Regulation 2016/679514 state clearly which legal person or public authority or agency or other body has a responsibility as data controller and data processor. In processing data, the separation of data controller and data processor could give a benefit in relation to the protection of personal data. According to the Information Commissioner’s Office (ICO),515 _{data processor} activities are limited to the technical aspects of an operation, such as data storage, retrieval or erasure, while data controllers tend to the interpretation, professional judgement or decision-making in relation to personal data. In a cloud service, the cloud provider should determine whether they act as a data controller or data processor. This is important, since they have a responsibility to protect the user’s personal data. Another benefit is that when a failure or breach on personal data occurs, it is relatively easy to see where the failure or breach is, and to look for a solution. EU Regulation 2016/679 states that data processing starts with several steps. Processing means:

‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or

512_{Ibid. (n 278), Section 1(1).} 513_{Ibid. (n 27), Article 3(8,9).} 514_{Ibid. (n 26), Article 4(7,8).} 515_{Ibid. (n 310).}

otherwise making available, alignment or combination, restriction, erasure or destruction’.516

Article 6 explains to what extent personal data may be processed, including the approval of the data subject for compliance purposes. Personal data is highly respected by the EU regulation. In Article 24, it states that the controller has a responsibility for data protection and must take proper steps to make sure that they comply with the code of conduct. They also have to make sure that they fulfil the requirement of Article 40 and make it binding and enforceable through contractual or other binding instrument. The code of conduct mentioned in this article includes appropriate protection for personal data and the rights of the data subject. The controller and processor should prepare codes of conduct to comply with the regulation. This regulation was applicable in the year 2018. Since the regulation wascome into force on 25May 2018, the EU members have been given a transition time to adjust to the new EU regulation. The adjustment is stated on the regulation itself. Therefore, to comply with the law, it does not require any implementation regulation.

Referring back to the Indonesian Government Regulation 82/2012,517 it is stated that the ESO should have procedures such as making a correction, confirming or reconfirming, and choose an activity. These protections also appear in Article 28 of Ministry Regulation 20/2016 on the responsibility of the ESO. Those protections are likely to have the same levels of protection that are offered in the new EU regulation, except there is no protection in the Indonesian regulation related to the protection ofchildren, notification of data breaches to data subjects, and the transfer of personal data to other countries.

Since the Regulation does not recognise separation between data controller and data processor, and if the company in Indonesia is to have the same level of protection of personal data as the EU and UK, we need to look further at the definition of data controller and data processor stated by EU regulation. In brief, data controllers are bodies that have the personal data, while data processors are bodies that have the

516_{Ibid. (n 26), Article 4(2).} 517_{Ibid. (n 253), Article 26.}

authority from the data controller to process the data.518

If we look at the participants in this thesis, first of all, we can take the example of Telkom Group as a stand-alone company. Assume that Telkom Group has its own IT system and can control its own employees’ personal data. Telkom Group has mandated one of its division, for example the HR division, to process the employees’ personal data. Therefore, Telkom Group can be categorised as the data controller, while the HR division is the data processor. However, since the IT system has been put in the cloud, and the cloudis maintained by TelkomSigma, the HR division is no longer the data processor. HR Telkom as part of Telkom Group has become the data controller, while TelkomSigma is the data processor. It should be realised by the employees in the Telkom Group that they have the right to make decisions related to personal data, and Telkom Sigma has the obligation to protect the personal data that is kept on its premises, related to the operational and technical aspects.

This is applicable to Tsel as well, since both Telkom Group and Tsel have delivered their employees’ personal data to be maintained by TelkomSigma. However, the situation will be tricky for TelkomSigma, since they will become the data controller and the data processor at once, and they should have an internal policy to mandate which division will the data controller, and which will be the data processor. By the internal policy, employees will figure out their responsibility in the relation of personal data protection. Employees who have the authority to process the personal data should have a clearunderstanding of their responsibility.

The categorising of data processor and data controller in the EU regulation separates the responsibilities of employees in terms of data protection and they do not overlap. The confusion between rights and obligations of data controller and data processing can be avoided, and the company will perform its duties related to its type of service. In the interviews, all the policy makers stated that Telkom Group and Tsel had delegated their data storage to TelkomSigma. TelkomSigma has the responsibility to perform, operate, maintain and protect the data of those companies. However, TelkomSigma outsourced its system to another vendor:

‘Meanwhile, the vendor as the owner of the technology should have the latest technology running. Our [TelkomSigma] position in the middle tries to integrate all, compare with the existing condition, and then review and plan’. (C3, SM)

As we can see from the quotation above, the policy maker stated that TelkomSigma did not own the cloud technology. This meant that even though the company had provided the cloud and its products, TelkomSigma still relied on another company to provide the system. TelkomSigma should inform their customers that they have delivered the system to another vendor, to meet the obligation of TelkomSigma as the cloud provider and to protect personal data.

If a company such as TelkomSigma delegates its system to another vendor, then it should be stated clearly in the contract that TelkomSigma is leveraging the responsibility of the data to the third party. There should be a detailed explanation of the responsibility that is borne by TelkomSigma and the responsibility that is borne by the third party. The cloud user, in this case, ICT companies and their employees, should be aware that their data is being transferred to another party. TelkomSigma need to make sure that the third party will protect the data and there is no breach of customer data. This condition has proved that it is necessary to have a differentiation between data processor and data controller.

If we look at Court of Justice of the EU: C-362/14-Schrems, the EU has explained that it is important for the user to understand the protection of personal data where is being stored. In that case, the data of users that been provided to Facebook Ireland should not be transferred and processed in another country without the consent of the user if the other country did not offer sufficient and adequate protection as the origin country, in this case the United States. The territorial (related to the multi jurisdictional aspects of the user and provider) issues are important for the ICT companies, especially in for the personal data protection, when the offering of goods or services, and when the payment of the data subject is required and the monitoring of their behaviour within the Union (as stated in Article 3 GDPR). Moreover, The EU affirms that transferring data to the third country should have an adequate and equivalent data protection in its domestic law or international commitments as stated in Article 45 GDPR.

This case opened a new perspective on how cloud providers have to make sure that users’ data kept on their premises is fully protected. If we refer to TelkomSigma in

Indonesia, they should inform their users if they delegate the cloud system to the third party. It is important for the customers of TelkomSigma to aware that their data is maintained not by TelkomSigma, but by another party. TelkomSigma customers should understand the consequences of the data being transferred to other party, as in the case of Schrems. It is the obligation of the data controller and data processor to maintain and protect the data of its user, especially personal data, and this should be clearly stated and protected by law.

The Indonesian regulation that integrates data controller and data processor as the ESO needs to be reconsidered, since all of the obligations of the operator are borne by the operator alone. The operator will need to make sure that they understand the responsibility in the cloud, especially in relation to data protection. Operators have to make sure that they have a clear consideration in the contract between user and provider related to the responsibility for personal data protection, and if the electronic system is being delegated to the third party, there should be consent from the user that their personal data will not be mistreated by the operator or the third party. This understanding should be forwarded to the employees of the company. They need to be aware of their obligation as an ESO and the new technology in the business.