The need for robust protections for intellectual property ("IP") and confidential data has become only more glaring as we stride fully into the digital era. This applies to companies and business sectors across the board, including the education sector.
Universities generate a large amount of IP, whether generated by the universities themselves, including through research activities, or from teaching activities. The first type of IP can include inventions, publications, new plant varieties, databases, computer programs and confidential information. And the latter may be in the form of print publications, theses, software, films, sound recordings, computer presentations and multimedia works.
There are also different types of data at universities that need to be protected, including student data, academic records, information related to employee salaries and confidential research.
Although universities are traditionally established to serve the public interest by distributing knowledge through teaching and research, the development of the internet and modern technologies has created new challenges for those in the sector. As technology gives people greater access to materials and data, be it from the internet, intranet or Ethernet, the possibility of conflict over the ownership and use of IP or confidential data also becomes greater.
To protect the interests of a university, its employees and students, business players in Indonesia's education sector must understand the prevailing laws and regulations on IP and data protection. While Indonesia does not have specific laws or regulations on the protection of IP and personal data in the education sector, this article will discuss the general regulatory framework for IP and data protection in Indonesia.
IP Legal Framework in Indonesia
As a general matter, Indonesian law provides protection for copyrights, trademarks, patents, industrial designs, geographical indications and trade secrets. The protections for each of the properties are stipulated in separate regulations as follows:
- Law No. 20 of 2016 regarding Marks and Geographical Indications dated November 26, 2016 ("Marks Law")
The Marks Law categorizes marks as trademarks or service marks. Marks are classified in 45 classes, with 34 classes of goods and 11 classes of services, in accordance with the internationally recognized and adopted Nice Classification system. The class of mark shall initially be decided before determining the kinds of goods and/or services to be protected under the pertaining class. Marks which conflict with morality, religion, or public order cannot be registered. Registration shall be done electronically through the website of the Directorate General of Intellectual Property Rights ("DGIPR") or non-electronically at the Ministry of Law and Human Rights ("MOLHR").
Indonesia applies the "first to file" principle in trademark rights. This means that if there is a dispute over a trademark, the party that files for registration first will principally have superior rights, without consideration of the party that developed or used the mark in the first place.
If a registered mark is not used within three years as of its registration, it is possible that the mark may be removed from the register. After five years from the initial registration date a trademark's validity may no longer be challenged. Rights on a mark constitute an exclusive right for the owner to use the mark or for licensing to third parties for their use. A trademark registration is valid for 10 years and may be renewed indefinitely for successive 10-year periods upon payment of fees and declaration of use.
Violations of the Marks Law are subject to criminal sanction. In addition, the lawful holder of the trademark can submit a claim for compensation and/or termination of use to the Commercial Court.
- Law No. 13 of 2016 regarding Patents dated July 28, 2016 ("Patent Law")
Patents are classified under the Patent Law as either patents or simple patents. Patents are granted for new inventions that are applicable in industry and contain inventive steps, whereas a simple patent is for the development of an existing product or process. A simple patent is only granted to one invention. Similar to marks, the application for registering a patent shall be filed either online with the DGIPR or manually through the MOLHR, along with a fee. Protection lasts for 20 years from the date of receipt for a patent, and 10 years from the date of receipt for a simple patent. Violations of the Patent Law are subject to criminal sanctions. The lawful holder of the patent or simple patent can also submit a claim for compensation to the Commercial Court.
- Law No. 28 of 2014 regarding Copyright dated September 16, 2014 ("Copyright Law")
Copyright is defined in the Copyright Law as an exclusive right of a creator arising automatically on creation in a tangible form. Such creation can be in the fields of science, art and literature. Copyright is comprised of moral and economic rights. Moral rights (to use a name or pseudonym, to change the creation or its title and so on) are attached permanently to the creator and cannot be transferred. Economic rights (to publish, duplicate, distribute the creation, and so on) can be licensed to other parties. Copyrights can be registered to prove the owner of the copyrights, but this is not required for the rights to accrue. The length of protection of copyrights differs based on the type of creation:
o Copyrights in literature, drama, music, and arts are protected until 70 years after the death of the creator, or for 50 years from the date of announcement (if the holder of the copyright is a company).
o Copyrights in photography, cinematography, video games, computer programs, portraits, and adaptations or translations of other creations are protected for 50 years from the date of announcement.
o Copyrights in applied arts are valid for 25 years from the date of announcement.
o Copyrights in traditional culture held by the state are protected indefinitely.
o Copyrights for creations whose creator is unknown are held by the state for 50 years from the date of announcement.
Violations of the Copyright Law are subject to criminal sanction. In addition, the lawful holder of the copyright can submit a claim for compensation to the Commercial Court.
- Law No. 30 of 2000 regarding Trade Secrets dated December 20, 2000 ("Trade Secret Law")
Protection of trade secrets can be obtained if the information is confidential and has an economic value, and if the confidentiality is maintained. The information covered by this law will be considered: (i) confidential if the information is known only by limited parties or is not known by the general public; (ii) as having economic value if the confidentiality of the information can be used for commercial activities or can increase economic profits; and (iii) as maintaining confidentiality if the owners or parties controlling it have taken proper and suitable steps. There is no registration system in place in Indonesia for trade secrets. However, the owner can grant a license to others and sub-licenses are allowed. The agreement should not directly or indirectly harm the Indonesian economy or cause unfair competition and must be recorded by the DGIPR.
- Law No. 31 of 2000 regarding Industrial Designs dated December 20, 2000 ("Industrial Design Law")
Industrial design is defined under the Industrial Designed Law as a creation regarding form of configuration, or composition of lines or colors, or lines and colors or a mixture of both, being three-dimensional or two-dimensional form, which gives an esthetical impression and that can be realized in a three-dimensional or two-dimensional pattern and can be used to produce goods and industrial commodities and handicrafts. Industrial designs can also be licensed through a license agreement to produce, sell, use, import/export, or distribute the production goods using the industrial design. The agreement must be registered with the DGIPR. To obtain legal protection, a person must make a written request to the state to register the right through the DGIPR. Protection of industrial design rights is granted for a period of 10 years as of the receipt of application.
- Law No. 32 of 2000 regarding Layout Designs of Integrated Circuits dated December 20, 2000 ("Integrated Circuit Design Law")
An integrated circuit is a completed or half-completed product containing various elements inside, at least one of which is active, whether partially or wholly, connected and formed in an integrated manner in semi-conductor material which is intended to produce electronic functions. In the event the integrated circuit has already been commercially exploited, the request for protection must be made within two years as of the date of first exploitation. To obtain legal protection a person must make a written request to the state to register the right through the DGIPR, using the attachment included in the Integrated Circuit Design Law. Protection for integrated circuit designs is granted to the rightholder for 10 years as of the date the design is first commercially exploited.
- Law No. 29 of 2000 regarding Plant Variety Protection dated December 20, 2000 ("PVP Law")
Under the PVP Law, plant variety protection is defined as a specific protection provided by the state (in this case through the Plant Variety Protection Office, under the Ministry of Agriculture) for varieties of crops or plants produced by plant breeders through agricultural activities. Plant varieties refer to a group of crops or plants from one type or species that is denoted by its shape, growth, leaves, flowers, fruits, seed, and its genetic characteristics or genetic combination that can be differentiated from similar types or species by at least one determining attribute, and when reproduced do not experience any change.
Priority right is given to an individual or legal body that submits a Plant Variety Protection rights application in Indonesia after submitting the application for the same plant in another country. Varieties that may be granted protection are those plants or species that are new, distinct, uniform and stable and given a denomination. Varieties that conflict with the prevailing laws, social order, ethics/morality, religious norms, health, and the conservation of the environment cannot be granted protection. The duration of the protection shall be 20 years for seasonal plants and 25 years for annual plants.
Data Protection Legal Framework in Indonesia
There are three regulations that can be regarded as the basis of data protection in Indonesia, namely:
- Law No. 11 of 2008 regarding Electronic Information and Transactions dated April 21, 2008, as amended by Law No. 19 of 2016 dated November 25, 2016 ("ITE Law");
- Government Regulation No. 82 of 2012 regarding the Implementation of the ITE Law dated October 12, 2012 ("GR 82"); and
- Minister of Communication and Informatics ("MOCI") Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems dated November 7, 2016 ("MOCI Reg").
(the ITE Law, GR 82 and MOCI Reg will hereinafter be collectively referred to as the "PDP Regs").
The ITE Law and GR 82 simply provide the general idea of data protection without providing comprehensive guidelines. MOCI Reg can currently be deemed as the most comprehensive regulation for personal data protection in Indonesia. However, MOCI Reg is only applicable to personal data stored in electronic systems and the enforcement of several specific requirements under MOCI Reg is still uncertain due to the absence of sufficient procedural guidelines.
An Electronic System Provider ("ESP") is defined in the MOCI Reg and GR 82 as "every person, state administrator, business entity, and community providing, managing, and/or operating an Electronic System either individually or jointly to Electronic System Users for its personal purpose and/or another party's purpose". The term "Electronic System" is defined in GR 82 and the MOCI Reg "as a set of electronic devices and procedures which function to prepare, collect, process, analyze, retain, display, publish, transmit, and/or disseminate electronic information." The MOCI has always been of the view that any person or entity who stores data electronically would be considered an ESP using an Electronic System.
MOCI Reg does not explicitly declare that it has extraterritorial coverage but the ITE Law does. Since the MOCI Reg is an implementing regulation of the ITE Law, the MOCI Reg's scope is also extraterritorial and the MOCI Reg is applicable to foreign entities managing Electronic Systems as an ESP.
According to the PDP Regs, any use of personal data in an Electronic System shall only be done based on the proper prior consent of the data owner who shall have the right to access and change such data. The MOCI Reg further stipulates that the consent needs to be in writing and it can be provided manually or electronically. The consent should be in the Indonesian language, but there is no prohibition from having it given in bilingual format. The PDP Regs do not stipulate that the consent form needs to be a separate stand-alone document.
If a party fails to comply with the MOCI Reg, the MOCI may issue a verbal or written warning, suspend the activities of the party in question and/or announce the non-compliance on a website.
The MOLHR and the MOCI are said to be finalizing a draft law on Personal Data Protection ("PDP Draft Law"), which was initially targeted to be issued in 2017. The enactment of the PDP Draft Law would result in the first comprehensive law in Indonesia that specifically deals with the protection of personal data. There are several new provisions in the most recent publicly available Draft PDP Law that are not contained in the ITE Law, GR 82 or the MOCI Reg. This includes provisions on the categorization of personal data, sensitive personal data, visual data processing devices, international cooperation, and additional sanctions in the form of imprisonment and fines. Note that these provisions may be not be included in their current form or at all in the finished law.
The MOCI is also in the process of preparing a draft amendment to GR 82 ("GR 82 Draft Amendment"), in coordination with Indonesia's central bank, Bank Indonesia, the Financial Services Authority (Otoritas Jasa Keuangan or "OJK"), the MOLHR and the National Agency for Food and Drug Supervision (Badan Pengawas Obat dan Makanan or "BPOM"). It is rumoured that the GR 82 Draft Amendment is in the finalization stage and will be ready for issuance in the near future. In its current form, the GR 82 Draft Amendment introduces several new categories of data and sets forth several amendments including to the definition of electronic system provider for "public service" and the process for deleting electronic information and documents.
It is expected that the issuance of the PDP Draft Law and GR 82 Draft Amendment will introduce more certain procedural guidelines and enforcement of data protection in Indonesia.
In principle, the various types of IP that are generated from activities in a university can be registered and protected in Indonesia, as long as it meets the terms and conditions under the relevant regulations as explained above. Nonetheless, before IP can be registered and used the ownership and rights pertaining to the IP should ideally first be determined among the relevant parties to avoid conflicts among the different stakeholders in the university (e.g., researchers, students, lecturers, etc.) and commercial partners (e.g., sponsors, consultants, organizations, governments, etc.). It is important for business players in the university sector to first determine a policy to govern the ownership and use of IP, and seek legal advice to identify the most suitable IP policy for the university, pursuant to the prevailing laws and regulations.
As a data controller and processor that uses an electronic system, universities are responsible to protect the data of their employees and students. Universities need to ensure their data handling policies are in accordance with the prevailing laws and regulations. They will also have to be prepared for the upcoming enactment of the PDP Draft Law and GR 82 Draft Amendment, as these regulations might provide stricter conditions for data protection. As such, business players in the university sector will need to closely monitor developments related to the PDP Draft Law and GR 82 Draft Amendment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.