Sep 20, 2022
The wait is finally over. Indonesia has officially enacted its first-ever Personal Data Protection Law (“PDP Law”). After years of discussion and several postponements, on 20 September 2022 Indonesia’s House of Representatives passed the Personal Data Protection Bill. The accelerated process comes as no surprise, given the multiple data breaches that have occurred in Indonesia over the past few months.
The PDP Law will apply to any individual and any domestic or foreign organization, public or private, including international organizations, that processes the personal data of Indonesian citizens or carries out other activities stipulated under the PDP Law.
The PDP Law is closely modelled on the European Union General Data Protection Regulation (“EU GDPR”). It introduces several significant changes to Indonesia’s personal data protection regime, including the following:
Prior to the PDP Law, Indonesian law recognized only the concept of an Electronic System Provider (“ESP”). The PDP Law introduces the distinction between a data controller and a data processor. A data controller is defined as any party (individual, public institution and/or organization) that determines the purpose of, and exercises control over, the processing of personal data. A data processor is defined as any party (individual, public institution and/or organization) that processes personal data on behalf of a data controller. Data controllers and data processors each carry their own rights and obligations under the PDP Law.
The PDP Law provides greater clarity on the legal bases for processing personal data. The existing personal data regulations recognize consent as the only legal basis. The PDP Law, by contrast, recognizes alternative legal bases for processing personal data, namely performance of an agreement, compliance with legal obligations, protection of vital interests, public purposes and/or legitimate interests.
The PDP Law also stipulates contractual arrangements for personal data processing. For instance, where two or more data controllers carry out personal data processing activities together, the PDP Law requires the data controllers to enter into a data processing agreement.
The PDP Law will establish a data protection authority (“DPA”), to be determined later by the President. The DPA will be responsible for formulating personal data protection policies and strategies, supervising the implementation of personal data protection, enforcing administrative sanctions and facilitating alternative dispute resolution. The DPA will also have the authority to supervise the compliance of data controllers, assist law enforcement officers in handling violations of the PDP Law and request inspections in relation to complaints.
The PDP Law obliges a data controller and/or data processor that meets certain criteria to appoint a data protection officer (“DPO”). The DPO has a duty to inform and advise the data controller or data processor on compliance with the PDP Law, to monitor and ensure compliance with the PDP Law and with the organization’s internal policies, to provide advice on data protection impact assessments (“DPIAs”), and to coordinate and act as the focal point on personal data protection matters.
A data controller must assess the impact of its processing activities where the processing potentially poses a high risk to data subjects. High-risk processing of personal data includes, among other things, automated decision-making that has a significant effect on the data subject, processing of specific personal data, processing of personal data on a large scale, and processing of personal data that restricts data subjects from exercising their rights.
The PDP Law also provides more explicit data transfer provisions, similar to those of the EU GDPR. A cross-border transfer of personal data must satisfy one of the following requirements: (i) the data controller may transfer the personal data only to a country that has a level of personal data protection equal to or higher than Indonesia’s; (ii) the data controller assures the data subject that a legally binding instrument is in place to protect the personal data; or (iii) the data controller has obtained the data subject’s consent to transfer their personal data abroad. Further provisions on cross-border data transfers will be stipulated in implementing regulations issued by the government.
Besides administrative sanctions, the PDP Law also introduces criminal sanctions for certain personal data violations. Administrative sanctions include written reprimands, temporary suspension of personal data processing, deletion or destruction of personal data, and administrative fines (capped at 2 percent of annual revenue). Criminal sanctions for non-compliance are a relatively new concept in Indonesia. Criminal offences under the PDP Law include the unlawful collection of personal data, the unlawful disclosure and use of personal data, and the forging of personal data. These offences are subject to imprisonment of up to 6 years and/or fines of up to Rp6,000,000,000 (six billion Rupiah), depending on the type of offence.
The PDP Law gives data controllers and data processors a two-year transition period in which to prepare for compliance. We also expect further implementing regulations on personal data protection to be issued following the enactment of the PDP Law.