The Indonesian Parliament has finally passed a personal data protection (PDP) law following discussions that began in 2016 after submission by the Ministry of Communication and Informatics (Kominfo). The parliament passed the Bill into Law on 20 September 2022. The law will apply to any company or organization that handles Indonesian consumers' data.

The Bill was initially expected to be passed by the end of 2020; however, there were lengthy discussions between the government and Parliament regarding how the data supervisory authority would be set up. Kominfo insisted that the law be administered by the ministry, while Parliament and various civil society groups preferred an independent body outside of government. Eventually, it was decided that a personal data protection agency in the form of a Non-Ministerial Government Institution (Lembaga Pemerintah Non-Kementerian, LPNK) would be established and that it would report directly to the President.

Substance of the Law

The PDP law regulates the types of personal data, the obligations of personal data collectors and processors, personal data transfers, sanctions, the authorities of the personal data protection agency and prohibitions on the use of personal data. Modelled on the European Union's General Data Protection Regulation (GDPR), Indonesia's PDP law comprises various global components that were previously not included in its local regulations. These include the handling of sensitive personal data and the requirement that companies establish a data protection officer.

The following are the types of personal data according to the new PDP Law:

  • Personal data of a specific nature: health data and information, biometric data, genetic data, crime records, data of a child, personal financial data, and other data in accordance with the provisions of the legislation.
  • General personal data: full name, gender, citizenship, religion, marital status, other personal data combined to identify a person.

The following are four things that are prohibited regarding the management of personal data according to the new PDP Law (articles 65-66):

  • Prohibition of obtaining or collecting personal data that does not belong to the collector with the intent to benefit oneself or others, which may result in loss to the personal data subject.
  • Prohibition of disclosing personal data that does not belong to the discloser with the intent to benefit oneself or others, which may result in loss to the personal data subject.
  • Prohibition of using personal data that does not belong to the user with the intent to benefit oneself or others, which may result in loss to the personal data subject.
  • Prohibition of creating false personal data or falsifying personal data with the intent to benefit oneself or others that can cause harm to others.

The following are the sanctions for those who violate the four things above (articles 67-68):

  • Sanctions for perpetrators who obtain or collect personal data that does not belong to them are imprisonment for a maximum of five years and/or a fine of not more than IDR 5 billion.
  • Sanctions for perpetrators who disclose personal data that does not belong to them are imprisonment for a maximum of four years and/or a maximum fine of IDR 4 billion.
  • Sanctions for perpetrators who use personal data that does not belong to them are imprisonment for a maximum of five years and/or a fine of not more than IDR 5 billion.
  • Sanctions for perpetrators who falsify personal data are imprisonment for a maximum of six years and/or a maximum fine of IDR 6 billion.


Public Response

The Center for Indonesian Policy Studies (CIPS), in a media release and Twitter thread, underlined that several articles in the PDP Law have the potential to be a challenge for the private sector. Examples include the data controller's obligation to have a data protection officer (DPO) and the parameters for fulfilling the rights of the owner of personal data.

Not all digital business actors/personal data controllers in Indonesia have DPOs. In addition, the provisions of the PDP Bill on fulfilling the rights of the owner of personal data are considered burdensome when controllers receive a very high volume of applications within a certain time, especially for medium or small-scale businesses. They may even be unable to apply this provision properly.

The Institute for Policy Research and Advocacy (ELSAM), one of the members of an NGO Coalition for Personal Data Protection, worried that implementation of the Personal Data Protection Law will be difficult to enforce, since the personal data protection agency is like other government institutions. Even though one of its main mandates is to ensure the compliance of other ministries or institutions with the PDP Law, it is unclear if it would be possible for one government institution to impose sanctions on another government institution.

ELSAM is also concerned about potential overcriminalization related to Article 25 paragraph 2 and Article 67 paragraph 2, which threaten to punish anyone who discloses personal data that is not theirs and thus violates the law. They believe that the unclear boundaries of the phrase 'against the law' in the article will lead to multiple interpretations in its application, which risks being misused for the purpose of criminalizing someone.

What next?

With the passing of the PDP Bill into law, implementing rules and regulations, including the establishment of a supervisory agency tasked to protect the public's personal data, could be formed immediately after the bill is ratified. This is expected to happen in the next one to two years.

Most commentators believe that the formulation of the implementing rules from the personal data protection law will need to involve all stakeholders, including the private sector, because data protection mechanisms must be supported by technical readiness from the private sector.

Further reading: Final Draft of the PDP Bill (in Bahasa Indonesia)