0

If one searches for "Indonesia data retention law 5 years", one will find that there seems to be a regulation in Indonesia that states that one must retain all collected data for five years, and it applies to personal data controllers. Now, I.P. logs are generally considered personal data. Does this mean that I.P. logs must be retained for 5 years? On top of that, I generally find that websites delete I.P. addresses after a few months and emails of inactive users after a few years. Is all this illegal or not? Lastly, can we run a website but be out of scope of the Indonesian ministry of information regulation legally?

Also (though this is not a part of the question), it also seems we must retain a history of the information: if a user changes I.P. or email 10 bare times a day, does that mean all those have to be stored? Similar requirements also seem to exist in the Philippines data privacy law, section 16(d).

  • Also (though this is not a part of the question), it also seems we must retain a history of the information: if a user changes I.P. or email 10 bare times a day, does that mean all those have to be stored?
    – user36042
    Commented Jan 4, 2021 at 7:54
  • Can you link to the regulation in question? Or at least whatever you read that makes you think this regulation exists? Commented Jan 4, 2021 at 8:25
  • I've removed the GDPR tag as this is not about EU privacy legislation. Commented Jan 4, 2021 at 8:26
  • Just Google search what is in the quotes. Many websites have various hyperlinking policies mainly.
    – user36042
    Commented Jan 4, 2021 at 9:02
  • Sorry, doesn't work like that. If you want us to do the work of answering your question, please at least meet us half way. Commented Jan 4, 2021 at 9:34

2 Answers

1

Apparently, Indonesia is currently in the process of altering how Personal Identification Data is to be handled in the future:

For example, the PDP Draft Law provides that in processing personal data, data controllers are obliged to, among other things, erase/delete personal data after the retention period has lapsed or at the request of the personal data owner. Prior to obtaining the consent of a personal data owner for the collection and utilization of their data, a data controller must inform the personal data owner of its retention period for the personal data. A data controller also is required to cease all processing of personal data once the retention period has lapsed.

Despite the above provisions, the PDP Draft Law is silent on how long a retention period should be. Lawmakers in the House have expressed concern that there will be no legal certainty if the duration of the retention period is not stipulated in the PDP Draft Law, resulting in a hodgepodge of retention period policies among companies. With input from lawmakers, the government may decide to stipulate a specific data retention period in the new law, although as far as we are aware the House has not suggested how long the retention period should be.

The term PDP Draft Law brought me further to lexology, further detailing the proposed law. To get the current state, I finally unearthed legal500. The latter points to an EIT Law of 2016 and an MCI Regulation of the same year. A quick glance over the explanations given by the site makes it appear to be very close to GDPR, with a data minimisation requirement and a Right to delisting.

IP Addresses?!

Apparently, a comparison of VPN networks points out that ISPs in Indonesia only need to contain IP addresses for 3 months, quoting a website that paraphrases the Indonesian law as follows:

GR 52/2000 requires [Telecoms and internet operators] to maintain and store a Customer Data Record ("CDR") or details of the communications usage. Storage of the CDR shall be kept for a period of at least 3 months.

A website doesn't count as an Internet operator, an ISP does. The 5 year period is for Personal Data of non-specified retention period. But since IP addresses are CDR, they are only to be retained 3 months, but might be kept longer.

0

I'm not a lawyer, I'm a programmer and I just found this on StackOverflow (so it's their fault that I'm here). But I have 2 brothers and a father who are lawyers.

Again I am not a lawyer but I run many web apps and sites. We encounter a huge amount of personal data every day, but it is far too expensive to store all of that data. (Most sites are not in the business of monetizing cheap data like that...only social networks, Google, etc). It seems to me that any reasonable law would only require you to keep a record of the data you actually intended to capture. Yes of course if you set up a server log for every single detail of every request from every IP address for 5 years, you could store that... but the cost of capturing and retaining that information would be ridiculous (especially if your site isn't even online anymore!)

As a software engineer, I can tell you that there are 100 times more data points we could capture than we actually do capture, because they aren't valuable enough to the business we're employed by. IP addresses are not very valuable and we don't retain them for long, only to sometimes help validate cookies for 30-60 minute periods, because they're constantly changed and traded between end users. Perhaps telecoms store to whom those were assigned and when, and then we could know who had the exact IP who was posting on a forum at a certain time if we put our information together with the telecom company's. But we already have user email and login addresses, so holding the IP addresses serves no purpose and it actually hurts security (we never want someone to fake an IP and login on someone else's account). So, if you don't store it, you don't store it; so there is nothing to retain.

Bottom line: Don't store the IP addresses of your users. There is no good reason to do it and you won't have to worry about anyone asking you for the records later. I can't speak to the rest of this as I don't know anything about Indonesian laws but you can always build a cold storage somewhere if you need to, to back up anything you captured.

  • 1
    Firstly, I do NOT want to store I.P., but it seems that the law makes it compulsory.
    – user36042
    Commented Jan 4, 2021 at 9:00
  • 1
    So as a data engineer my next question would be: Does the law compel you to store which user account was related to that IP address? The timestamp of the hit on the site? Or any other data besides the raw IP address? Because if you must store any other data with it like a user account, those can change all the time. For example, user accounts can be deleted. Many user accounts can have the same IP address. Many IP addresses can relate to the same user account. Does the law go any further than storing the numbers of the IP? If so then you need to clarify what extra data they want attached.
    – joshstrike
    Commented Jan 4, 2021 at 9:04
  • For example, it's trivial to just dump all IP addresses that ever used the site into a text file. With no further information. Does that satisfy the requirement of the law?
    – joshstrike
    Commented Jan 4, 2021 at 9:06
  • Frankly (just saying), if the law is really there then it would even apply to you if you had a website accessible to Indonesians. (I am not a lawyer.)
    – user36042
    Commented Jan 4, 2021 at 9:06
  • 1
    Extradition? Really, all of Europe has very good privacy laws... we do not extradite people for failing to send private data to the Indonesian government!
    – joshstrike
    Commented Jan 4, 2021 at 9:13
