15 October 2024
Indonesia Data Protection Regulatory Landscape
Key Highlights – The Present & Future
In 2022, Indonesia formalize its standing in regards to the personal data protection in Indonesia by enacting Law No. 27 of 2022 governing the Personal Data Protection (“PDP Law”). PDP Law is largely inspired by EU General Data Protection Regulation (“GDPR”).
The PDP Law is designed as the comprehensive regulatory framework regulating personal/sensitive data collection, processing, transfer, sharing, both by public entity (e.g., governmental authority) and private entity (e.g., businesses).
The PDP Law is due to fully come into effect by 17 October 2024 being the end of its 2 years transition period.
Although PDP Law is designed as the main regulatory framework, the data protection regulatory landscape in Indonesia itself must be seen as dimensional rather than a linear landscape as the sectoral provisions is in play alongside the PDP Law. For example, the health laws in Indonesia would govern the treatment of data involving someone’s age or medical condition or financial services related regulations in Indonesia would govern the treatment of transaction data e.g., debtor personal data, or someone’s credit score.
The Present
General principles
Under the PDP Law, personal data processing includes the following activities. It must be noted that “personal data” is broadly defined by the PDP Law as the data regarding identified or could be identified individuals whether as a standalone or aggregated information with others either directly or indirectly through the electronic system or other system.
- Acquisition and pooling;
- Management and analysis;
- Storage;
- Revision and renewal;
- Display, announcement, transfer, publication, or disclosure; and/or
- Deletion or destruction.
The personal data processing shall subject to the following principles:
- The acquisition of personal data must be done under a limited and specific purpose, transparent, and as per the relevant legal requirements;
- The processing of personal data must be done as per the acquisition purpose;
- The processing of personal data must also be done by taking into account the rights of the data owner;
- The processing of personal data must be done accurately, complete, not misleading, up to date, and can be held liable;
- The personal data processing is performed in consideration of the personal data security from unauthorised access, invalid disclosure, invalid correction, unlawful use, unlawful damage, and/or loss of personal data;
- Within the processing of the personal data, there must be a notice of purpose and processing activities, including if any failure occurs in relation to the personal data protection;
- Personal data must be destroyed and/or erased by the expiry of the retention period or as per the request of the individual who owns the personal data, except when determined otherwise by the laws and regulations; and
- Personal data processing is performed in a responsible way and can be clearly proven.
Scope of application
PDP Law applies to any entities within the territory of Indonesia, and outside of Indonesia which could carry a legal impact within the territory of Indonesia/where the personal data is possessed by Indonesian although such person is outside of the Indonesian territory.
Only processing of personal data by individuals within non-commercial activities/private activities is excluded from the application of PDP Law.
Contractual arrangement needed
Similar to GDPR, PDP Law requires certain contractual arrangement to be in place where the processing of personal data involves 2 or more data processors. The contractual arrangement must include, at least, purpose, responsibilities and liabilities, and roles of each processor.
Further, any individual rights over the personal can be waived on the basis of the national security or government interest.
Enforcement agencies
The function of personal data protection must be carried out by an officer appointed by the controller and the processor of the personal data. Under GDPR, this office is known as DPO or data protection officer.
Essentially, DPO under the PDP Law would be performing an advisory role to ensure compliance to regulations as well as the communication bridge when any issue in relation to the personal data arises.
Under the PDP Law, a PDP agency will be formed and this agency will be responsible for formulating and stipulating policies and strategies for personal data protection, which will serve as guidelines for personal data subjects, controllers, and processors. Additionally, it will supervise the implementation of personal data protection, enforce administrative law against violations of the PDP Law, and facilitate out-of-court dispute resolution. It must be noted that the PDP agency will be reporting to the President rather than to the House of Representative.
Further guidance in relation to DPO or the government agency will be included under the implementing regulation (see future state below).
Sanction
Non-compliance could lead to sanctions ranging from written warning, cease of processing activities, order of removal of data, or monetary fine. The monetary find shall not be higher than 2% of the annual revenue in relation to the violation.
The Future – overview of the implementing regulation draft (“RPP”)
The implementing regulations of the PDP Law was expected to be promulgated in 2024 as the RPP was circulated for public comments in 2023.
The RPP, from its drafting, appears to focus on the governance of the data controller and/or data processor; the RPP appears to impose various degree of reporting and governance policy to ensure the protection of personal data and risk-based approach backed by sufficient mitigation actions.
Data owner’s explicit consent/notice to the data owner
Required in case of:
- 2 or more processors are involved in the data processing.
- Disclosure of purpose.
- Failure in protecting the personal data.
- In case of visual data processing facility being implemented, clear notice must be in place.
- Merger, acquisition, or consolidation – prior to any of these events.
It must be noted that without consent from the data owner, the data controller must not refuse the data owner’s request to obtain services or goods.
Similar to GDPR, minor’s data must be validated by its guardian and consent to process minor’s data must also be granted by the guardian.
Enforcement agencies
DPO must be appointed by the data controller and DPO’s contact must be informed to the personal data owner. DPO is positioned as an independent task force within the organization.
Duties of the DPO, in general:
- Provide the necessary advice to the controller/processor. Under the RPP, these advisory works must be documented by the DPO.
- Comment or respond to any questions from the data owner.
- Supervise and ensure the processor/controller compliance to laws and regulations.
- Coordinate and bridge any issues in relation the data processing.
RPP appears to allow DPO to take a risk-based approach in providing the advice in relation to the data processing.
The Ministry of Communications and Informatics (“MOCI”) is in the process of setting up the PDP agency. The MOCI has allocated funds from the 2024 State Budget for the establishment of the PDP agency and is currently proposing an initiative permit (Izin Prakarsa) to the President.
Closing note
PDP Law and the RPP show the level of importance of data protection in the eyes of Indonesian government.
Hence, for businesses, it becomes pivotal to look closer into its collection of (particularly) customers’ data and the processing involved. Not only the process built but also the relevant contractual arrangements within the process itself.
Training for DPO would also be necessary to ensure that the DPO carries out its duties as per the expectation of the regulations.
To read the article in PDF version, click here.
————- III ————-
MURZAL & PARTNERS
For more information, please reach us at Murzal & Partners Law Firm to:
e-Mail: info@murzallawfirm.com
Telp: +62 21 29930869
Linkedin: Murzal & Partners Law Firm
Disclaimer:
The foregoing material is the property of MNP and may not be used by any other party without prior written consent. The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances.
Any links contained in this document are for informational purposes and are available and relevant at time this publication is made. We provide no liability whatsoever in respect of any information or content in such links.
Read an article about Sneak Peak to 2025 Fintech Regulatory – https://murzallawfirm.com/a-sneak-peak-to-2025-fintech-regulatory-climate-an-overview-of-indonesia-central-bank-2025-blueprint/