Indonesia has relaxed its data storage rules, revising the 2012 regulations which require domestic storage of a range of data to allow oversight by the government. Although the regulation was largely not enforced, foreign tech companies found it to be a large stumbling block to invest in the country, which is the largest internet economy in South East Asia. Estimated at USD 40 billion in 2019 by the e-Conomy SEA report from Google and Temasek, Indonesia’s Internet economy has grown at an average growth rate of 49% a year since 2015.
Government Regulation 82 passed in 2012 mandates that electronic system operators for “public services” must place their data center and disaster recovery center in Indonesian territory for the purpose of law enforcement, protection, and enforcement of national sovereignty to the data of its citizens. “Public services” could refer to government organizations and also public-facing private sector businesses, extending its coverage to banking, insurance, health, security, industrial services and social activities serving Indonesian customers or housing Indonesian data.
With the new regulation, Indonesia allows private sector data, which are considered commercial and non-strategic, to be stored abroad. However, government data is still required to be held and processed onshore. Furthermore, the new rules also call for “the right to erasure” and “the right of delisting”. A data subject has the right to request data controllers for removal and to ask search engine not to show information on its page.
The move is seen as a positive move to attract foreign investment, but local business associations express concerns over data protection due to restricted access to data stored overseas by Indonesian law enforcement officials and difficulties for local businesses in competing with much larger global players.