A. Regulatory framework
As is the case with the operation of AVs, there is no specific regulatory framework in Indonesia for the use of biometrics, either for general use or specifically for the integration of biometrics into AVs. The absence of regulation, however, does not necessarily mean that Indonesia does not recognize the uses of biometrics.
The Government of Indonesia has implemented biometrics technology in the new electronic residential card (Kartu Tanda Penduduk Elektronik – eKTP), which was introduced in 2009. The eKTP uses biometrics in the form of an automated fingerprint identification system to recognize the individual Indonesian resident. Under Law No. 24 of 2013 on the Amendment of Law No. 23 of 2006 on Residential Administration (Residential Administration Law), we note that biometrics in the form of fingerprint and retina data of the Indonesian resident are classified as ‘personal data’ and shall be stored by the government of Indonesia. The Residential Administration Law, however, does not set out whether the requirement to classify biometrics as personal data and to store the biometrics in Indonesia also applies to other uses of biometrics, including their use in AVs or other devices (such as phones, computers, etc.).
B. Biometrics privacy and cybersecurity issues
(i) Data privacy
Biometrics is a technology which uses human physiological and behavioral characteristics. These unique human physiological and behavioral characteristics are what will be considered ‘personal data’, and on the assumption that the AV developer will obtain the biometrics data through electronic measures, several requirements under the Minister of Communication and Informatics (MOCI) Regulation No. 20 of 2016 regarding Protection of Personal Data in an Electronic System (MOCI 20/2016) shall apply.
Under MOCI 20/2016, several requirements for AV developers who wish to collect personal data through electronic measures are, among others:
- to obtain certification for its electronic system;
- to have an internal policy on the protection of personal data;
- to obtain consent for collecting, processing, analysing, storing, disclosing, transferring and deleting personal data by providing a written consent form, either manually or electronically, using the Indonesian language; and
- to only use, process, disclose and share the personal data in accordance with the given consent.
(ii) Storing, sharing and transferring personal data
With respect to the storing of biometrics which are classified as personal data, there is a possibility that the government of Indonesia will argue that the biometrics must be stored in Indonesia in accordance with the requirement of the Residential Administration Law. The requirement to store the biometrics data onshore will be a different approach from the current rule which regulates that personal data for private uses (such as for integration of biometrics into AVs) can be stored overseas. If this is the case, the AV developers may be required to have data storage facilities in Indonesia.
If the AV developers are required to have an onshore data center, it is important to note that the existing regulations are silent as to whether the relevant AV developers should own the data center or could outsource/subcontract the onshore data center. In practice, electronic system providers in Indonesia (for public services and non-public services) can cooperate with a third party data center provider on a contractual basis in order to provide such onshore data storage.
If the AV developers are allowed to store the biometrics data offshore, note that storing such biometrics personal data offshore may be considered an offshore transfer of personal data, which would trigger further requirements under MOCI 20/2016. Notification of this offshore transfer of personal data must also be given to the customer/data owners, and the AV developers must also obtain consent from the customer/data owners prior to the offshore transfer of personal data. Similarly, as in the event of a breach of other personal data, the AV developers are required to provide written notification to the customer/data owners within 14 days of the failure.
The absence of a regulatory framework on biometrics does not mean that crimes related to biometrics are not regulated. The Residential Administration Law sets out several sanctions related to the manipulation or illegal disclosure of residential data (including biometrics data) – which sanctions include imprisonment of two to six years and fines of IDR 25 million to 75 million. Additionally, Law No. 11 of 2008 as amended by Law No. 19 of 2016 regarding Electronic Information and Transaction (ITE Law) covers a broad range of sanctions applicable to crimes related to electronic systems, such as hacking, illegal distribution/transmission, illegal access and interception of electronic systems and data – which will apply to biometrics use as well. Under the ITE Law, any hacking, illegal distribution/transmission, illegal access and interception are subject to imprisonment of 4 to 12 years and fines of IDR 600 million to IDR 10 billion.
Where cybersecurity issues related to biometrics affect the safety of AV road transportation, note that sanctions under Law No. 22 of 2009 on Road Traffic and Transportation may also be imposed on the AV developers – such as in the form of suspension or revocation of the license to operate in Indonesia.
(iv) Intellectual property
Integration of biometrics into the operation of AVs requires protection of intellectual property related to the technology and devices used to collect the biometrics. In this case, it is likely that one intellectual property aspect which must be protected is the patent.
With respect to patents, Indonesia adopts the principle of “first registration” and requires that any patent must be registered in the Indonesian Patent Registry. However, since Indonesia has ratified the Paris Convention for the Protection of Industrial Property, the patent holder in its country of origin (subject to whether the country of origin is a party to the Paris Convention for the Protection of Industrial Property) will reserve priority rights to be registered first in the Indonesian Patent Registry, and Indonesia will acknowledge the patent registration date of an invention in its country of origin.
One potential issue with becoming a patent holder in Indonesia is that Law No. 13 of 2016 on Patent (Patent Law) requires the patent holder to manufacture or process its product in Indonesia in order to support the transfer of technology, encourage investment and/or increase work opportunity. The Patent Law (including the previous regime of the Patent Law) does not set out sanctions for noncompliance with this requirement, but it provides a mechanism for any party having a national interest (including a prosecutor) to submit a claim to the commercial court for revocation of the patent if the patent holder fails to manufacture or process its product in Indonesia. This provision has given rise to many protests from various stakeholders, including governments from several countries.
The government of Indonesia then issued Minister of Law and Human Rights Regulation No. 15 of 2018 on Implementation of Patent (MOLHR Reg 15/2018), which allows the patent holder to submit an application to delay its obligation to manufacture or process its product in Indonesia. The delay, however, is for a period of only 5 years, with the possibility of an extension. This application must be submitted to the Minister of Law and Human Rights no later than 3 years as of the date of the patent.
In the absence of relevant regulations, it appears that the growth and use of biometrics in Indonesia, in particular in private sectors such as banks and financial institutions, outpace the regulation. For example, a domestic bank has introduced voice biometrics as part of its customer authentication protocol, while a Japanese firm has also launched a payment service using fingerprint authentication in Indonesia.
It is understood globally that many of the major auto manufacturers are currently in various stages of research and development on AVs, either independently or in partnership with technology companies. However, it also appears that most of the patents and patent applications relating primarily to biometrics in AVs belong to technology or independent automotive research and development companies that are deeply invested in developing AVs and related technologies, including the incorporation of biometrics, and not to the automotive manufacturers. The automotive manufacturers should carefully consider the obligations under the data privacy regulations, in particular with respect to the possible requirement to maintain the data in Indonesia and the division of responsibilities between the automotive manufacturers and the technology companies with respect to data protection. Care should also be taken with respect to the use of the technology in relation to its patent and the obligation under the Patent Law for a patent holder to manufacture or process its product in Indonesia. With respect to the Indonesian market, it would be in the interest of the automotive manufacturers to understand whether the biometrics technology that is being used in the automotive vehicles is or will be a registered patent in Indonesia.
157 Indonesia currently does not have any specific law which covers a broader range of personal data protection. The current prevailing regulation only regulates personal data protection in the context of an electronic system, i.e. Minister of Communication and Informatics (MOCI) Regulation No. 20 of 2016 regarding Protection of Personal Data in Electronic System (MOCI 20/2016). MOCI 20/2016 defines personal data as true and actual individual data which is attached to, and can be identified either directly or indirectly with, a certain individual.
158 It is possible in practice to provide the written consent form in bilingual form.
159 It is important to note that pursuant to Law No. 11 of 2008 on Electronic Information and Transaction (as amended) (EIT Law) and Government Regulation No. 82 of 2012 (GR 82/2012), the obligation to set up a data center in Indonesia applies to “public service” electronic system providers. Unfortunately, there is no definition provided in the above-mentioned law and regulation of the meaning of ‘public service’.
160 MOCI 20/2016 requires that any offshore transfer of personal data must be made after coordinating with the MOCI, in which the coordination will be on a case-by-case basis by way of (i) submission of a plan; (ii) discussion; and (iii) submission of an implementation report.