E-KYC as An Access to Personal Data and Its Legal Protection Aspects
Nabawi, S.H., dan Clara Angela Agnes Sipangkar, S.H., M.H
• General Corporate • 24 Mar 2021

Along with the development of technology and the various needs of society, the combination of technology and finance has presented financial technology companies and platforms. The financial industry, such as banks, financial service providers, and other financial companies, in running their business requires a verification process of prospective customer’s personal data to identify risks associated by entering into agreement with that customer, or known as Know Your Customer ("KYC"). Due to the current condition which many financial technology platforms have developed, the KYC process has been digitalized and simplified into Electronic Know Your Customers (“E-KYC”) where the Indonesian Ministry of Internal Affairs giving an access right to financial service providers to access the Indonesian population database so the financial service provider could verify the customer’s data. This is allowed under Article 58 paragraph (4) in Law No. 24 of 2013 on Population Administration (Population Administration Law) which basically opens opportunities for cooperation in using the population data, especially for reasons of developing public services, law enforcement and crime prevention.

However, with the simplification of the KYC mechanism into E-KYC where legal entities who had collaborated with the Indonesian government so they can access the population data, still have to observe the aspects of personal data protection and the related regulations of personal data usage. Whereas the definition of Personal Data in Article 1 point 22 of Population Administration Law, namely:

"Personal Data shall be certain personal data stored, maintained and the accuracy and confidentiality of which must be maintained. "

Population Administration Law regulates in details the matters that are included in the Personal Data. However, in Article 84 paragraph (1) of Population Administration Law explained whatsoever Personal Data must be protected, namely:

"Personal data of residents that must be protected including:

  • information about physical and / or mental disabilities;
  • fingerprint;
  • iris eye;
  • signature; and
  • another data element that constitutes a person's disgrace."

 

Personal Data Protection based on Population Administration Law

Whereas in Article 2 letter f of Population Administration Law can be found the phrase "compensation and reparation as a result of errors in population registration and civil registration as well as misuse of Personal Data by the Implementing Agency." With the validity of this regulation, had been given the chance for the owner of the Personal Data if their Personal Data is misused by the related agency. In Article 86 paragraph 1 of Population Administration Law It is mentioned that the parties who have access right to Personal Datas are:

  1. The Minister as the person in charge in granting the right to access Personal Data to provincial officials and officers of the Implementing Agency.   (1a) The officers as referred to in paragraph (1) are prohibited from disseminating Personal Data that is not in accordance with their authority.
  2. Further provisions regarding the requirements, scope and procedures for granting access rights as referred to in paragraph (1) shall be regulated in a Ministerial Regulation. "

That all of the usage of Personal Data that is carried out exceed the limits of authority of the Agency then it must obtain prior written consent from the Minister of Internal Affairs. Protection is given to the owner of the Personal Data if the parties as mentioned above disseminate or using someone's Personal Data exceeded their authority. For example, A’s Personal Data regarding to a person's disability information is disseminated without any clear reason. On this matter, in Article 2 letter F of Population Administration Law confirmed that every population has compensation right and restoration of good name as a result of errors in Population Registration and Civil Registration as well as misuse of personal data by the agency. In the implementation of the defined rights, compensation is not automatically given. The injured party must first file a compensation claim to the Court.

 

Protection of Personal Data under the ITE Law

Article 26 paragraph (1) of the ITE Law provides that:

"Unless otherwise stipulated by laws and regulations, the use of any information via electronic media relating to a person's Personal Data must be made with the consent of the person concerned."

The phrase "unless otherwise stipulated" above provides exceptions to the Ministry of Internal Affairs on the basis of validity of the Population Administration Law which authorizes the Ministry of Internal Affairs to grant access right of personal data usage to the implementing agency which overrides the provision of obtaining approval from the data owner in terms of the purpose of the data use is within the scope of Population Administration Law. However, there are still restrictions on using a person's Personal Data. In the event that the owner of the Personal Data finds that his data is used outside the designation of the Population Administration Law and does not get permission from the Minister of Internal Affairs, it is in line with the provisions in the Population Administration Law whereas the injured party can file a charge as regulated in Article 26 paragraph (2) of the ITE Law, in addition to a claim for compensation, there is also criminal penalty that can be charged in accordance with Article 30 of the ITE Law which contains provisions and criminal penalty regarding the illegal access to personal data.

 

Personal Data Protection Process Associated with Granting Access Right and Utilization of Population Data and Legal Sanctions

In connection with the opportunities of cooperation of the Department of Population and Civil Registration to provide access to users, including but not limited to private legal entities to access population data, must pay attention to the laws and regulations concerning the personal data protection. As for what is meant by User in accordance with Permendagri 102/2019 Article 1 number 10 is an Indonesian Legal Entity. Thus, Indonesian legal entities can be granted access rights to population data by cooperating with the Department of Population and Civil Registration with a cooperation agreement.

Based on Article 1 number 12 Permendagri 102/2019, what is meant by access rights are right that is granted by the Minister to officials, implementing agencies and Users to be able to access the Population Database in accordance with the license that is given, however, the regulation does not explain in detail the limitations in accessing population data. However, by referring to the Kamus Besar Bahasa Indonesia / Indonesian Language Dictionary (“KBBI”) definition of access is “Entrance”, thus legal entities in collaboration with Department of Population and Civil Registration should only be allowed to enter the population database, not to obtain and/ or store the personal population data.

The Access Right, as described in Article 35 Permendagri 102/2019, is carried out through Web Service Access and Web Portal Access made through the Shared Platform. Shared Platform is a closed network service facility and/or joint application for the purposes of accessing Population Data with a closed network so it can ensure the security and ease of utilization of Population Data. This shared platform can be provided by both state institution and Indonesian legal entities. It is expressly stated in Article 35 paragraph 4 Permendagri 102/2019, the joint Platform Provider acts as an intermediary, is not granted Access Rights and does not store individual data. Furthermore, the implementation of cooperation between the Government and Indonesian legal entities will not be separated from the enactment of the ITE Law. Article 30 paragraph (2) of the ITE Law explicitly prohibits actions whereby a person intentionally or without rights accesses electronic information /electronic documents, as well as Article 32 paragraph (2) of the ITE Law which prohibits someone who does not have the right to transfer  electronic information and / or electronic documents to other unauthorized persons.  As  mentioned above, the user with the Access Right is only given the right to enter population data, if the user with the Access Right saves Personal Data without the permission of the Personal Data Owner, then the Access Right User may be subject to sanctions that apply in the Population Administration and ITE.

This Article is generally made for the purpose of ANR Law Firm publication only and should not be treated as legal advice for your legal problem. Shall you have any further questions regarding this topic, you may contact the Advocate who authored this article at anrlawfirm@anr-lawfirm.com.

Authors: Nabawi, S.H., and Clara Angela Agnes Sipangkar, S.H., M.H