Draft of Implementing Regulation of Personal Data Protection Law: Comprehensive, But A Little Too Detailed

Sep 09, 2023

The draft of the Government Regulation on the Implementing Regulation of Personal Data Protection Law (“Draft GR”) requires data controllers and data processors to do more assessments, more notifications, and be more accountable. As part of the Personal Data Protection Law’s mandate, the Ministry of Communications and Informatics (“MCI”) recently issued a Draft GR for public consultation in Bali on 30 August 2023.

Here are some critical issues for you to consider:

Draft GR's Position in the Indonesian Regulatory Framework

The Draft GR provides more specific and explanatory provisions for many provisions under Law No. 27 of 2022 on Personal Data Protection (“PDP Law”). Unlike in the EU, where some interpretations are incorporated in non-binding guidelines, the interpretation of some of the provisions under the PDP Law is incorporated in a government regulation. Since a government regulation is a binding instrument, the interpretations included in a government regulation shall bind the public upon enactment. Businesses, therefore, must observe this Draft GR to comply with the personal data protection law in Indonesia.

Note that the Draft GR is not necessarily the only implementing regulation of the PDP Law. Further implementing regulations on personal data protection matters will likely be issued by the upcoming data protection supervisory authority.

Comprehensive, But A Little Too Detailed

Consisting of ten chapters with more than two hundred articles, the Draft GR provides further explanation in the form of standards, norms, and parameters with which data controllers and data processors must comply. For instance, where the PDP Law previously provided only one provision on the legal basis of processing, the Draft GR has expanded it into thirteen provisions, outlining requirements for the controller when using each legal basis. Provisions on data subject rights are also expanded to include requirements on how and when controllers should respond to a request from the data subject.

However, some provisions are too detailed in regulating personal data protection matters that, in other jurisdictions, would typically be left to data controllers to decide. For example, a data controller from a private entity that wishes to use legitimate interest as a legal basis must now conduct a legitimate interest assessment. The Draft GR even stipulates what a contract between the controller and processor should look like.

While this effort to provide better clarity on implementing the PDP Law should be appreciated, the extraneous scope of the Draft GR can result in less flexibility for businesses.

Getting Involved in the Formulation of the Draft GR

It is understandable to feel overwhelmed by the Draft GR. Fortunately, organizations affected by this Draft GR can give input on it. The MCI allows the public to comment on the Draft GR as part of the drafting process. The public can submit comments by registering an account on the website pdp.id. This website is a dedicated channel prepared by the MCI for the public to provide comments and suggest revisions to the Draft GR. The MCI has named our firm one of the few firms prioritized by the MCI to provide input on the Draft GR. If you need our help understanding the Draft GR or want to discuss it with us, please reach us at office@kk-advocates.com or danny.kobrata@kk-advocates.com.


K&K Advocates