Indonesian Data Controllers, Get Ready: The House Will Pass the Indonesia PDP Bill Soon

Sep 12, 2022

On 7 September 2022, the Ministry of Communication and Informatics (“MCI”) met with the House of Representatives to move forward with the process of finalizing the Indonesian Personal Data Protection Bill (“PDP Bill”). The long-awaited PDP Bill, which has been stuck for years, is now moving to the next phase, as the House will discuss it in the next parliament plenary meeting (Rapat Paripurna) within this month or so. While the exact scheduled date has yet to be confirmed, once the House approves the PDP Bill during its plenary meeting, it will be passed as law.

The PDP Bill is expected to mimic certain provisions of the European Union General Data Protection Regulation (“EU GDPR”). Though no final draft has been published yet, based on our observation of the public discussion, the final version of the PDP Bill will include several provisions:

  • PDP Bill's Applicability: The PDP Bill shall apply to any foreign and domestic organization, both public and private, including international organizations, that processes personal data of Indonesian citizens and carries out other activities stipulated under the PDP Bill.

  • Personal Data Processing Legal Basis: The PDP Bill is expected to provide better clarity on the basis for processing. Whereas the current personal data regulation recognizes consent as the only legal basis, the PDP Bill recognizes alternative legal bases for personal data processing, such as agreement, legal obligations, vital interest, public purpose, and/or legitimate interest.

  • Obligations on Agreement(s) Related to Personal Data Processing: The PDP Bill also stipulates provisions on contractual arrangements related to personal data processing. For instance, the PDP Bill stipulates that if two or more data controllers carry out personal data processing activities, the data controllers must enter into a data processing agreement.

  • Cross-Border Personal Data Transfer: The PDP Bill also provides more explicit data transfer provisions similar to the EU GDPR. The requirements include: (i) the data controller can only transfer the personal data to a country that has adequate protection relative to Indonesia, (ii) assurance from the data controller to the data subject that legally binding and appropriate personal data protection is available, or (iii) the data controller has obtained consent from the data subject to transfer their personal data abroad. These requirements apply in the alternative, and further provisions on this will be stipulated under Government Regulation.

  • Sanctions: The PDP Bill stipulates two types of sanctions: administrative fines and criminal sanctions. Criminal sanctions for non-compliance with personal data provisions are considerably new in Indonesia. The criminal sanctions carry a maximum penalty of IDR 4-6 billion and/or a maximum of 4-6 years' imprisonment.

With a grace period of 2 years and a hefty list of obligations under the upcoming PDP Bill, organizations processing personal data need to ensure compliance with the PDP Bill, especially considering that the PDP Bill reinforces the existing regulatory framework on personal data.

Please contact us via email at [email protected] or [email protected] for further information on the PDP Bill. (DNK/GAB)

K&K Advocates