Early Cases of Implementation of Criminal Sanction under the PDP Law

Aug 09, 2024

Law Number 27 of 2022 on Personal Data Protection (“PDP Law”) was enacted in October 2022 and is currently undergoing its 2-years long grace period where data controllers and processors are expected to adjust their activities to comply with the PDP Law. During the grace period, administrative sanctions are not yet implemented, as controllers and processors are still given time to adjust their compliance towards the PDP Law, and the body authorized to impose such sanctions under the PDP Law (i.e. the Data Protection Authority) has not been established yet.

However, as indicated by the regulator shortly after the enactment of the PDP Law, its criminal sanctions have been in effect since day one. While the Data Protection Authority, responsible for imposing administrative sanctions, has yet to be established, law enforcement agencies have started addressing violations of the PDP Law by applying criminal penalties. Over the past two years, we have observed several criminal cases pursued under the PDP Law.

Criminal Sanctions under PDP Law

As noted above, the PDP Law outlines not only administrative sanctions but also criminal penalties for certain criminal offences. The sanctions include fines and imprisonment. For your reference, the offenses and their corresponding sanctions under the PDP Law are summarized below:

Article Criminal Offense Sanction

Article 68

Identity theft

Imprisonment with a maximum of 6 (six) years and/or fines of up to Rp600.000.000 (six billion Rupiah).

Article 67 (1)

Unauthorized collection of personal data

Imprisonment with a maximum of 5 (five) years and/or fines of up to Rp5.000.000.000 (five billion Rupiah).

Article 67 (2)

Unauthorized disclosure of personal data

Imprisonment with a maximum of 4 (four) years and/or fines of up to Rp4.000.000.000 (four billion Rupiah).

Article 67 (3)

Unauthorized use of personal data

Imprisonment with a maximum of 5 (five) years and/or fines of up to Rp5.000.000.000 (five billion Rupiah).

Criminal Cases Based on PDP Law

The first criminal sanction imposed under the PDP Law was the landmark PDP case examined and decided through the Karanganyar District Court Decision No. 5/Pid.Sus/2023/PN Krg dated 16 March 2023. The case involved Heri Irawan as the perpetrator of the first reported criminal sanction under the PDP Law. Irawan impersonated a police official, using their name and title to defraud a religious leader. Under the guise of a police official soliciting a donation for an event, Irawan fraudulently obtained 10 million Rupiah from the religious leader, who was unaware of Irawan’s real identity.

Heri Irawan was charged with the violation of identity theft under Article 68 jo. 66 of the PDP Law, carrying a sentence of 4 (five) years imprisonment and fines amounting to 1 billion Rupiah (if such fines are unable to be paid, it will be substituted by 4 (four) months imprisonment).

Another example of the PDP Law criminal case was the 2 (two) related cases examined and decided through Tangerang District Court Decision No. 77/Pid.Sus/2024/PN Tng and 78/Pid.Sus/2024/PN Tng dated 2 April 2024. Andi Irma Malasari, a sales supervisor for a telecommunication reseller company, was motivated by bonus incentives to achieve high SIM card sales targets. To maximize her earnings, she resorted to fraudulent practices. Instead of selling SIM cards to actual customers, Andi conspired with an external individual, Raja Firdaus, to register unsold SIM cards using stolen identity numbers (Nomor Induk Kependudukan or “NIK”). Raja provided these stolen NIK, obtained from an insider at a local telecommunication company, every 3-6 months.

Both Andi and Raja were convicted and sentenced to 1,5 (one and a half) years imprisonment, along with a 50 million Rupiah fine, for violating Article 67 (3) jo. 65 (3) of the PDP Law, which pertains to the unauthorized use of personal data.

PDP Law’s Dual Sanctions

While the criminal sanctions are currently the only enforcement measures in place, the implementation of the PDP Law underscores the government's commitment to its enforcement. The enforcement risk will rise once the government successfully establishes a dedicated PDP authority with the power to impose administrative sanctions, including fines of up to 2% of total annual revenue.

The imposition of PDP Law's criminal sanctions necessitates careful handling of personal data. The overlap between administrative and criminal penalties adds complexity to compliance. Non-compliance with PDP Law does not expose a company to only administrative sanctions, but also criminal sanctions. Therefore, ensuring compliance with the PDP Law is essential to mitigate both administrative and criminal risks.

K&K Advocates has a strong team specializing in privacy and PDP Law compliance. If you seek further information, please contact our Partner, Danny Kobrata, at danny.kobrata@kk-advocates.com. (EZS/GSA)

Avatar

K&K Advocates