The Indonesian People's Representative Council and Government of the Republic of Indonesia have recently enacted the long-awaited Personal Data Protection Bill into law, providing a new overarching framework for Personal Data Protection in Indonesia. Prior to this, Indonesia had lacked a comprehensive Personal Data Protection framework, with most provisions regarding Personal Data Protection scattered piecemeal across various governmental and ministerial regulations.

The new Personal Data Protection Law ("PDP Law" or "Law") introduces significant developments in the regulatory framework regarding Personal Data Protection in Indonesia. While the changes are many and varied and touch many aspects of Data Protection in Indonesia, we have identified six (6) changes to the regulatory framework contained in the latest PDP Bill which are especially significant.

General and Specific Personal Data

The PDP Law introduces a new division of Personal Data into 'General' Personal Data and 'Specific' Personal Data. General Personal Data encompasses the name, sex, nationality, religion, marital status, and other Personal Data which in combination may be used to identify persons. Specific Personal Data encompasses medical data and information, biometric data, genetic data, criminal records, child records, financial records and other data which may be specified as 'Specific' by further regulation. This division allows for a risk-based approach to be taken in relation to the risk analysis and the appointment of Data Protection Officers (as discussed further below), with actors handling Specific Personal Data being made subject to more stringent requirements.

Data Controllers and Data Processors

The PDP Law now introduces the commonly known distinction between 'Data Controllers' and 'Data Processors' into Indonesian Law. Under the PDP Law, Data Controllers are the persons or entities that decide the purpose of, and exercise control over, the processing of Personal Data. Meanwhile, Data Processors are those persons or entities that conduct the processing of Personal Data on behalf of Data Controllers. This distinction allows separate regulations to apply to each category of actors, though in general, Data Controllers are subject to stricter regulations.

Risk Analysis

The new Law obliges Data Controllers to assess the impact on Personal Data Protection if the processing of Personal Data undertaken by the Data Controller has a high risk of affecting Personal Data Subjects (the persons from whom data was collected). According to the Law, the processing of Personal Data is considered 'high-risk' if it involves automatic decision making which has a legal effect or significant impact on Personal Data Subjects, the processing of 'Specific Personal Data', the processing of Personal Data on a massive scale, the processing of Personal Data for the purposes of evaluation, scoring, or systematic monitoring of a Personal Data Subject, the processing of Personal Data for matching and compiling groups of data, the use of new technology in processing Personal Data, and the processing of Personal Data which limits the rights of Personal Data Subjects.

Data Protection Officer

The PDP Law formally establishes the position of 'Data Protection Officer' in Indonesian Law. Under the PDP Law, Data Controllers and Data Processors must appoint a Data Protection Officer if they are conducting Personal Data Processing for the purposes of a public service, if the main activity of a Data Controller requires an organized and systematic monitoring of Personal Data on a massive scale, and if the main activity of the Data Controller involves the processing on a massive scale of 'Specific Personal Data' and/or Personal Data related to crimes. This officer will, at the very least, carry out the functions of:

  1. informing and providing advice to Data Controllers or Data Processors regarding compliance with the PDP Law;
  2. monitoring and ensuring compliance with the PDP Law and the internal policies of a Data Controller or Data Processor;
  3. providing advice regarding the assessment of the impact to Personal Data Protection and monitoring the performance of Data Controllers or Data Processors; as well as
  4. coordinating and acting as a contact person for issues related to Personal Data processing.

Establishment of Data Protection Authority

The PDP Law provides a mandate for the President to set up a 'Data Protection Authority' to implement the PDP Law, through a Presidential Regulation. This Institution will draft and enact policies and strategies for the protection of Personal Data, oversee the implementation of Personal Data Protection, enforce administrative laws related to the PDP Law, and facilitate the resolution of Personal Data Protection disputes outside the court system. It will have the authority to, inter alia, assess risks in relation to the transfer of Personal Data to a foreign territory, to call persons and entities to investigate alleged violations of the PDP Law, and to inspect and access Electronic Systems managed by Data Controllers or Data Providers. Further provisions regarding the functioning and exercise of authority by this Institution will be regulated through Governmental Regulation.

New Criminal and Administrative Sanctions

The PDP Law imposes new criminal and administrative sanctions against breaches of the PDP Law. It criminalizes the unlawful collection of Personal Data with intent to enrich oneself or another, the unlawful and intentional disclosure of Personal Data, and the unlawful use of Personal Data. It also criminalizes the falsification of Personal Data with intent to enrich oneself or another. It also allows for Corporate Crimes for these violations. Additionally, it allows for administrative sanctions to be given to parties which fail to comply with the rules of the PDP Law (as stipulated in Art. 57 sub-article (1) of the PDP Law), allowing for fines up to a maximum of 2% of annual revenue or annual income.

Closing Remarks

GHP will address each of these developments and its effects on actors in the relevant industries in a series of upcoming client alerts discussing each of these issues in further detail. In the meantime, actors affected by the PDP Law should wait for further implementing regulations that may be forthcoming, as many of the provisions of the PDP Law are dependent on implementing regulations to take full effect. In any event, the enactment of the PDP Law is a significant development in Personal Data Protection in Indonesia, which will likely have a great impact on the future of the technology sector in Indonesia.

Originally Published 23 September 2022

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.