New Era of Indonesia’s Personal Data Protection?
The law that everyone has been waiting for has finally come into existence. Following the enactment of Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), Indonesia now has its own personal data protection law, which contains a ‘comprehensive’ set of personal data protection provisions.
PDP Law is effective from its enactment on 17 October 2022; however, it accommodates a two-year transitional period for parties to prepare and adjust their personal data processing practices and activities to be fully in line with PDP Law. We would also expect the Indonesian government to issue the necessary implementing regulations, as mandated under PDP Law, within that period.
Summary
PDP Law expresses that protection of personal data constitutes protection of human rights; hence it is undoubtedly one of the most essential laws for Indonesia’s national interest. The issuance of PDP Law is also intended to “uniform” the provisions on protection of personal data that currently exist in other Indonesian legislation.
Below is a summary of several key points in PDP Law that we wish to highlight:
1. Extra-territorial reach
PDP Law will have extraterritorial effect, reaching any individual (either Indonesian or non-Indonesian), corporation, public body or international organization outside Indonesia, to the extent that the action or activity committed by that party would have legal consequences in Indonesian jurisdiction and/or for any Indonesian individuals outside Indonesian jurisdiction.
2. Processing of personal data
PDP Law provides two main roles in the context of personal data protection, i.e., “data controller” (who determines the purposes of processing the personal data) and “data processor” (who processes personal data on behalf of the controller). It may, however, be the case that a data controller does not appoint a different party to carry out the processing of personal data and does the processing itself. Activities of processing of personal data consist of: (i) obtaining and collecting, (ii) processing and analyzing, (iii) storing, (iv) repairing and updating, (v) displaying, announcing, transferring, disseminating, or disclosing, and/or (vi) erasing and destroying.
A fundamental point related to the processing of personal data is the legitimacy to do so. PDP Law hence prescribes the following grounds for a data controller prior to processing personal data:
- explicit consent from the “Personal Data Subject” (i.e., the person to whom the personal data is attached);
- contractual fulfilment under a contract;
- fulfilment of data controller’s legal obligations based on the prevailing laws;
- protection of vital interest of the Personal Data Subject;
- fulfilment of duty for public interest or public service, or to implement data controller’s authority under prevailing laws; and/or
- any other legitimate reason – taking into account the purposes, needs and equal interests of both the data controller and the Personal Data Subject.
It can further be said that PDP Law is predominantly aimed at the data controller, since the data controller will be fully liable for processing the personal data of the Personal Data Subject to the extent that the appointed data processor processes the personal data based on the order and instruction of the data controller.
3. Rights and Obligations
PDP Law provides certain rights for the Personal Data Subject and, on the other hand, certain obligations for the data controller and/or data processor. The rights and obligations may be excepted only where the exception is made for the purposes of (i) national defense and security, (ii) legal enforcement, (iii) state administration, and (iv) in the case of the exception of rights, statistical and scientific research.
Rights of Personal Data Subject
The rights, among others, are: (i) to obtain information on the clarity of identity as well as the grounds and purposes for processing of personal data, (ii) to complete, update or rectify his/her personal data, (iii) to revoke any consent given for processing his/her personal data, (iv) to file an objection to a unilateral decision with respect to the processing of his/her personal data, and (v) to suspend or limit processing of his/her personal data in accordance with the purposes of processing of his/her personal data.
PDP Law also provides a right for the Personal Data Subject to lodge a claim and receive compensation as a result of a violation of provisions under PDP Law – a further implementing regulation on this is expected to be issued in the near future.
Obligations of data controller and/or data processor
PDP Law provides certain obligations for the data controller and/or data processor. Several of the obligations are (as relevant): (i) to ensure they have legitimate grounds for processing personal data, (ii) to accommodate special means for processing personal data of children and disabled persons, (iii) to ensure accuracy, completeness and consistency of personal data, (iv) to update and/or rectify mistakes in and/or inaccuracy of personal data within 3 days after a request was made, (v) to record every activity related to processing of personal data, (vi) to carry out a Data Protection Impact Assessment (DPIA) when processing is likely to result in a high risk to the Personal Data Subject, (vii) to maintain confidentiality of personal data while processing the same, (viii) to protect personal data from illegal processing and/or access, (ix) to terminate processing of personal data following revocation of consent by the Personal Data Subject, (x) to erase and destroy personal data based on a request from the Personal Data Subject, (xi) to designate a “personal data officer” in the event processing of personal data is, among others, for public service, and (xii) to notify the Personal Data Subject if the data controller wishes to carry out a merger, spin-off, acquisition, consolidation or dissolution.
Administrative sanctions can be imposed on the data controller and/or data processor for any failure to comply with the obligations prescribed under PDP Law. The sanctions are written warning, fines, temporary suspension of processing of personal data, and deletion or destruction of personal data.
4. Transfer of personal data offshore
A data controller is allowed to transfer personal data offshore if the following requirements are met:
- (i) the recipient country has a similar or higher level of personal data protection; or
- (ii) if requirement (i) cannot be met, the data controller must ensure sufficient and binding personal data protection; or
- (iii) if requirement (ii) cannot be met, the data controller must have consent from the Personal Data Subject.
5. Data Protection Institution
PDP Law mandates the President to establish a special institution. This institution will have duties and broad authority to, among others, formulate and determine policies in the personal data protection space and be directly involved in law enforcement of PDP Law (e.g., to receive complaints, to assist other law enforcers and to impose administrative sanctions for any breaches of PDP Law). As of the date of this insight, the relevant presidential decree has not been issued and hence the institution has yet to be established.
6. Sanctions for criminal offences
PDP Law also establishes criminal offences; those offences are: (i) an unlawful act of obtaining or collecting others’ personal data either to benefit from it or that causes damage/loss to the Personal Data Subject, (ii) an unlawful act of disclosing others’ personal data, (iii) an unlawful act of utilizing others’ personal data and (iv) any act to produce false personal data or to falsify personal data. These offences are subject to maximum imprisonment of 6 (six) years and/or a maximum fine of IDR 6 billion.
Criminal sanctions can also be imposed on a corporation and its management and/or owners if several offences are committed by the corporation – noting that a corporation will be subject to a fine of up to 10 (ten) times the maximum fine that can be imposed under PDP Law.
What to expect?
While the existence of PDP Law is perhaps ‘the best thing since sliced bread’, several provisions will still lack clarity until the relevant implementing regulations are finally issued. For example, PDP Law has indicated that an implementing regulation (i.e., a Government Regulation) will be issued to set out further implementation of processing of personal data. We are obviously hopeful that the implementing regulation will provide clear and detailed rules – not just further ‘general’ rules that may be interpreted differently by different people.
The extra-territorial reach of PDP Law, in our view, is also great but seems – apologies – overly optimistic. Not that we have decided to take a seat on the opposite end of the table, but it does take extra effort to pursue individuals or institutions outside Indonesia. Even nowadays, enforcement of cases related to violation of data privacy in Indonesia is quite rarely seen or heard of unless it involves large corporations or high-profile individuals. The same problem might also be expected in relation to a claim for compensation: it could be a lengthy process to settle the claim if it is done via a ‘traditional’ court. That being said, this will certainly affect businesses, and adequate precautions need to be taken from now on.
A few obligations imposed on the data controller may arguably also be difficult to implement in reality. One example is that a data controller must record every activity related to processing of personal data. While a future implementing regulation may further address concerns on this issue, at least for now businesses should be fully aware of this as well as other obligations that may potentially be problematic.
It might be a bit cliché, but people’s awareness, in our view, will be the key. Protection of personal data cannot rely merely upon law enforcement. On the opposite end of the spectrum, it is also necessary for all parties to be aware of their respective rights and obligations and to equip themselves to enter a new era of Indonesia’s personal data protection.
Disclaimer: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information.
