Updated: Dec 9, 2020
Indonesia’s Personal Data Protection Bill (“PDP Bill”) was initially planned to be issued in October 2020. Its issuance and enactment were, however, delayed and are now scheduled for November 2020.
Currently, the protection of people's data is regulated in Law Number 24 of 2013 on Population Administration. That law did not anticipate the massive take-up of information technology and e-commerce by the private sector.
In May 2020, one of the largest e-commerce players in Indonesia, released a message to explain a breach of its users’ personal data and its efforts to handle it. The case spurred regulators to expedite the issuance of a Personal Data Protection Law in Indonesia.
The PDP Bill regulates a wide range of matters, from types of personal data, stakeholders’ rights and obligations, data processing and transfer, data protection officer appointments, dispute resolution, and even administrative and criminal sanctions.
Personal Data Definition and Types
Personal data is defined as data about a person, either fully identified and/or who can be identified separately, or data combined with other information directly or indirectly through an electronic and/or non-electronic system.
There are two types of personal data:
General personal data
This comprises an individual’s full name, gender, citizenship, religion, and/or personal data, which together constitute that person’s identity.
Specific personal data
This comprises data on an individual’s health, etc., biometric and genetic characteristics, life/sexual orientation, political orientation, criminal record, child data, personal financial data, and/or any other data in accordance with the prevailing laws and regulations.
Rights of Personal Data Owners
The PDP Bill regulates the rights of a personal data owner (“PD Owner”), including to:
request clarification on identity data, the legal basis for holding the data, the purpose in requesting and using personal data, and the accountability of the party requesting personal data;
complete gaps in their personal data before it is processed by a personal data controller;
access their personal data in accordance with the prevailing laws and regulations;
renew data or rectify errors/inaccuracies in their personal data, in accordance with the prevailing laws and regulations;
request termination of personal data processing and/or deletion and/or destruction of personal data;
revoke consent for processing personal data previously submitted to a personal data controller;
object to data used for automated decision-making on individuals (profiling);
postpone or limit processing of personal data proportionately in accordance with the intention of personal data processing; and
sue and receive compensation over personal data violations in accordance with the law.
some exemptions to the above rights exist, however, in the interests of: (i) national defense and security, (ii) law enforcement, (iii) the public interest within the scope of state administration, (iv) supervision of financial, monetary, payment systems and financial system stability sectors, or (v) data aggregate processing that is intended for statistical purposes and scientific research in the framework of state administration. The foregoing exemptions may only be implemented within the framework of implementing the provisions of the Law.
Personal Data Controller and Personal Data Processor
The PDP Bill regulates the obligations of a Personal Data Controller and Personal Data Processor.
The PDP Bill defines a Personal Data Controller (“PD Controller”) and Personal Data Processor (“PD Processor”) as:
A party (PD Controller) that determines the purpose of and controls the processing of personal data.
A party (PD Processor) that processes personal data on behalf of the Personal Data Controller.
The term “party” above can refer to an individual, public entity or an organization/institution.
A PD Controller must first obtain express consent from the PD Owner for single or multiple purposes that have been conveyed to the PD Owner. To obtain consent, a PD Controller must provide information on:
legality of the personal data processing;
purpose of the personal data processing;
types and relevance of personal data that will be processed;
retention period of documents containing personal data;
detail on information being collected;
period of personal data processing; and
rights of a PD Owner.
PD Controller must cease to process data if the PD Owner revokes their consent for personal data processing, and it must be completed within 3 x 24 hours of the first revocation.
A PD Controller is obliged to protect and ensure the security of personal data being processed, supervise parties involved in personal data processing under the control of a PD Controller, and ensure personal data is protected from illegal personal data processing. Further, a PD Controller is also required to prevent illegal access to personal data by utilizing a security system that is safe, reliable, and responsible.
In the event the PD Controller appoints a PD Processor, the latter may only process personal data on an instruction or order from the PD Controller, which must be issued in accordance with the prevailing laws and regulations. Personal data processing by a PD Processor is the responsibility of a PD Controller, unless for data processing outside an instruction or order from the PD Controller.
Personal Data Transfer
Personal data transfer from one PD Controller to another within Indonesia is permitted, provided that they implement the PDP requirements under the Bill. For a merger, acquisition, spin-off or consolidation of a PD Controller, the Bill requires that personal data transfer must be notified to the PD Owner before and after these corporate actions.
In addition, to transfer data beyond Indonesian territory, some further requirements need to be adhered to, such as:
the receiving country of the PD Controller or international organization must have a data privacy protection level that is equivalent to or of a higher standard than the PDP Bill’s;
there must be an international treaty between Indonesia and the country of the receiving party; and
consent from the PD Owner must be obtained.
Administrative and Criminal Sanctions
The PDP Bill provided two types of sanction for non-compliance with the PDP Bill:
Administrative Sanctions, which could be: written warning, temporary suspension of processing of personal data, deletion or destruction of personal data, compensation, or administrative fines.
Criminal Sanctions, of imprisonment and fines.
The issuance of the PDP Bill was largely anticipated by market players, institutions, consumers and stakeholders in the collection, use and processing of personal data, in particular stakeholders of IT based companies, either large-scale or start-ups.
Through enactment of the PDP Bill, the relevant stakeholders are expected to enjoy direct or indirect benefits, specifically from the provisions on the use of personal data and sanctions on personal data breaches. Evidence on the imposition of sanctions against a PD Controller or Processor for a personal data breach does not yet exist. Once enacted, the provisions of the PDP Bill will hopefully clarify guidelines on personal data protection and responsibilities should personal data breaches occur.
Despite a big expectation of what the PDP Bill will achieve, discussions are still continuing between the Bill’s stakeholders, focusing on collection and processing of personal data from outside Indonesian territory and the need to establish an independent body with the authority and ability to supervise personal data protection, both by private and public entities.
For further information, please contact:
Freddy Karyadi, Partner, ABNR
Novario Asca Hutagalung, ABNR