23 Sep 2022
Long-Awaited Personal Data Protection Law Aims to Take Data Privacy to Next Level

A. Introduction

After several years of deliberation and amid a long-running epidemic of Personal Data breaches, the Indonesian Parliament finally passed the long-awaited Personal Data Protection Bill on 20 September 2022. The Bill has now been sent to the President for signing, after which it will be promulgated as law by publication in the State Gazette. As these steps are normally mere formalities, we will refer to the Bill as the Personal Data Protection Law (“PDP Law”). A bilingual version of the PDP Law (Law No. 27 of 2022), which we will update over time, can be accessed here.

The PDP Law is largely modelled on the European Union’s General Data Protection Regulation (“GDPR”), the “gold standard” for Personal Data protection worldwide. Existing data privacy legislation, such as Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016, Government Regulation No. 71 of 2019 on the Provision of Electronic Systems and Transactions (“GR 71/2019”), Government Regulation No. 80 of 2019 on E-Commerce (“GR 80/2019”), Minister of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems, and other sector-specific regulations, will remain in force to the extent they do not conflict with the PDP Law. This is important to bear in mind as there are quite a few provisions of the existing legislation that are inconsistent with the PDP Law.

It should also be noted that the PDP Law has extraterritorial effect, meaning that overseas-based organizations (including individuals, public entities and international organizations) that infringe its provisions are liable to prosecution in Indonesia if they engage in activities that come within the ambit of the PDP Law.

Here is a summary of some key features of the PDP Law.

B. Key Features

1. Types of Personal Data

The PDP Law defines “Personal Data” as “any data related to an individual (natural person), whether identified or capable of being identified independently or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means”. Such individual is referred to as a “Data Subject.” These definitions are consistent with those in GR 71/2019.

The PDP Law further categorizes Personal Data as follows:

a. General Personal Data, which includes:

  i. Full name;
  ii. Gender;
  iii. Nationality;
  iv. Religion;
  v. Marital status; and/or
  vi. Personal Data that is combined to identify a person.

b. Specific Personal Data, which includes:

  i. Data and information on health;
  ii. Biometric data;
  iii. Genetic data;
  iv. Criminal records;
  v. Children’s data;
  vi. Personal financial data; and/or
  vii. Other data in accordance with the laws and regulations.

However, the PDP Law does not differentiate between the requirements for processing General Personal Data and Specific Personal Data. Consequently, implementing and sectoral legislation will be required to set out the nuts and bolts as otherwise the classifications of General Personal Data versus Specific Personal Data will be meaningless.

It is interesting to note that, just like the GDPR, an earlier version of the PDP Bill categorized “political views” and “sexual orientation” as sensitive data. However, these categories were deleted from the final version.

2. Lawful Basis for Processing of Personal Data

Prior to the PDP Law, consent was the only legal basis for Personal Data processing. Whilst this approach might be intended as the ultimate form of protection by giving the Data Subject control over the use of their Personal Data, the practical implementation of this requirement was often problematic. The PDP Law tries to resolve this issue by introducing several legal bases for Personal Data processing: (i) consent; (ii) contractual necessity; (iii) compliance with a data controller’s legal obligations (for an explanation of data controller, see section 4 below); (iv) protection of the vital interests of the Data Subject; (v) public interest, for the provision of public services or for the exercise of lawful authority; and (vi) legitimate interest.

These new legal grounds for processing are very similar (if not identical) to those stipulated in the GDPR. Nevertheless, the implementation of the requirements will require voluntary compliance, and imposes an obligation on every organization to determine and assess the most relevant legal basis for processing, relative to the intended purposes. Furthermore, regulatory guidelines on how to assess the applicability of each lawful basis are imperative if the intended level of protection is to be attained.

Importantly, Article 23 of the PDP Law provides that any clause of an agreement that permits the processing of Personal Data without express and valid consent from the Data Subject is null and void.

3. Rights of Data Subjects

Generally, the rights of Data Subjects under the PDP Law are similar to those under the existing data privacy legislation. However, the PDP Law creates additional important rights that include the right to withdraw consent, restrict processing, and object to decision-making based solely on automated processing, including profiling.

Further, consistent with the previous regime, the PDP Law emphasizes Data Subjects’ right to claim damages for Personal Data violations. This could obviously expose Data Controllers, as well as Data Processors, to significant claims from Data Subjects that have fallen victim to data breaches.

4. Data Controller and Data Processor

Unlike existing data privacy legislation, the PDP Law expressly differentiates between the concepts of “Data Controller” and “Data Processor”, which are akin to their counterparts in the GDPR. In this case:

  1. A Data Controller determines the purpose and controls the Personal Data processing; and
  2. A Data Processor processes the Personal Data on behalf of the Data Controller.

The Data Controller is fully accountable and liable to the Data Subject for the processing of their Personal Data. Further, the PDP Law limits the liability of the Data Processor, which should only be independently liable if they are processing Personal Data in a manner that deviates from the Data Controller’s instruction, order, or purpose.

This provision should help provide greater legal certainty as there is now a clear distinction between the liability of those who actually control data and those who are only involved in the processing of Personal Data that is provided to them. This should also make it easier for both the state authorities and Data Subjects to identify whom to prosecute or sue when data breaches occur.

5. Data Protection Impact Assessment

The PDP Law obligates a Data Controller to carry out a Data Protection Impact Assessment (“DPIA”) when processing Personal Data with a high potential risk to Data Subjects, including:

  1. automated decision making that has a legal effect or significant impact on Data Subjects;
  2. processing of specific Personal Data;
  3. Personal Data processing for systematic evaluation, scoring, or monitoring of Data Subjects;
  4. Personal Data processing in order to match or combine a group of data;
  5. the use of new technology in Personal Data processing; and/or
  6. Personal Data processing that restricts the exercise of Data Subjects’ rights.

As is often the case with legislative obligations of this kind, compliance will be difficult to police and so will largely depend on the good faith of Data Controllers. Of course, should an investigation or audit be conducted, the Data Controller will likely be in trouble if it is unable to show that it has fulfilled its DPIA obligations.

6. Data Protection Officer

The PDP Law requires Data Controllers and Data Processors to appoint a Data Protection Officer in the event that:

  1. The Personal Data processing is for public-service purposes;
  2. The main operations of the Data Controller require large-scale, frequent and systematic monitoring of Personal Data;
  3. The main operations of the Data Controller involve large-scale Personal Data processing of specific Personal Data and/or Personal Data related to criminal activity.

7. Cross-Border Data Transfer

Previously, cross-border data transfers were only subject to the general requirements of (i) coordinating with the Ministry of Communications and Information Technology (by submitting a cross-border Personal Data transfer report), and (ii) complying with the relevant requirements of the laws and regulations.

By contrast, the PDP Law introduces layered requirements that Data Controllers must satisfy in order to transfer Personal Data outside Indonesian territory, namely:

  1. the country receiving the transfer of Personal Data has an equal or higher level of Personal Data protection than afforded under the PDP Law (“Adequacy of Protection”);
  2. in the absence of Adequacy of Protection, an adequate level of binding Personal Data protection must be available (“Appropriate Safeguards”);
  3. in the event that neither Adequacy of Protection nor Appropriate Safeguards are present, consent for the cross-border data transfer must be given by the Data Subject.

Compared with the previous regulatory regime, the current layered requirements under the PDP Law will be more cumbersome for organizations as they must first assess and ensure the availability of Adequacy of Protection and Appropriate Safeguards prior to deciding to rely on consent. However, the requirements under the PDP Law are generally consistent with those of the GDPR. Further, similar requirements on Adequacy of Protection have previously been introduced in the context of e-commerce under GR 80/2019. However, to date it appears that these requirements have not been effectively enforced.

8. Notification to Data Subjects in Event of Corporate Action

The PDP Law creates a new obligation for Data Controllers that perform corporate actions, such as a merger, acquisition, spin-off, consolidation or dissolution, to notify the relevant Data Subjects of the resultant data transfer. Notification should be given both before and after the corporate action is undertaken. It is notable that the PDP Law gives the impression that notification should be made to Data Subjects irrespective of whether a data transfer or change of Data Controller actually takes place. Thus, this requirement may turn out to be burdensome in many cases.

9. Enforcement and Sanctions

The PDP Law is expected to revolutionize the enforcement of Personal Data protection, as it mandates the establishment of an independent data protection authority under the supervision of the President, with extensive regulatory, monitoring, enforcement, dispute resolution, and investigation authority.

Failure to comply with the requirements of the PDP Law may result in administrative sanctions of written warnings, a temporary ban on personal-data processing, deletion or destruction of Personal Data, and/or administrative fines.

It is particularly noteworthy that fines can be imposed of up to 2% of an organization’s total annual income or revenue. However, it is not clear at this stage whether this refers to worldwide annual revenue or only revenue generated in Indonesia.

In addition, the PDP Law establishes a number of criminal offenses, punishable with terms of imprisonment and/or fines. If the criminal offense is committed by a corporation, the fines amount to up to 10 times the maximum fines for individuals. A corporation may also be subjected to the following additional sanctions:

  1. Seizure of assets obtained or generated from the crime;
  2. Freezing of all or part of the corporation’s business;
  3. Permanent prohibition on carrying out certain actions;
  4. Closure of all or part of the corporation’s business premises and activities;
  5. An order to carry out an obligation that has been neglected;
  6. Payment of compensation;
  7. Revocation of license; and/or
  8. Dissolution of the corporation.

C. ABNR Commentary

There have been a series of major data breaches in recent years in both the private and public sectors in Indonesia that have raised significant public concern, including a raft of highly damaging hacks of government and state-enterprise databases that have led to the theft and publication of Personal Data belonging to tens of millions of Indonesians.

These cases have served to highlight how toothless and ineffectual the previous data protection regime was, and the crucial need for comprehensive and robust data protection legislation in Indonesia, backed up by strong sanctions.

In comparison with the previous data privacy rules, which were spread across a long list of laws and regulations, the unified approach under the PDP Law should help provide more consistent protection across all sectors.

The many similarities between the PDP Law and GDPR should, on paper at least, help raise the level of data protection in Indonesia to international standards. Of course, this will pose challenges for both the State and private organizations of all kinds. Not only will the political determination to enforce the law be required on the part of the State (as well as a commitment to complying with it in the State’s own operations), good faith and potentially significant additional expenditure will be required of private organizations.

Given its extra-territorial effect, it is expected that the PDP Law will become a major compliance challenge for organizations, especially those with extensive cross-border operations, as well as for state authorities in taking practical enforcement action.

Organizations now have 2 years to bring their operations into line with the PDP Law’s requirements. During this 2-year grace period, it is imperative that Personal Data protection policies and practices are reassessed so as to ensure that these are compliant with the new regime.

In conclusion, a word of caution: those currently subject to the GDPR and who have taken action to comply with it should not automatically assume that they comply with the PDP Law as there are a number of substantive differences between the PDP Law and the GDPR that could easily be overlooked. So, once again, a thorough reassessment of policies and practices is called for.

Ranked as a Tier 1 Firm for IT, Telecoms and Fintech by Legal 500 Asia Pacific and as a Band 1 Firm for Technology, Media and Telecoms by Chambers Asia Pacific, ABNR advises many of the world’s leading social media and internet companies, and many of the top corporations operating in Indonesia, on the country’s data privacy and protection regime. As such, we are ideally placed to help your organization comply with the requirements of the new Personal Data Protection Law.

Should you have any queries on this, or indeed any other related, matter, please contact: partners Mr. Agus Ahadi Deradjat (aderadjat@abnrlaw.com) and Mr. Kevin Sidharta (ksidharta@abnrlaw.com), foreign counsel Mr. Gustaaf Reerink (greerink@abnrlaw.com), and senior associate Mr. Mahiswara Timur (mtimur@abnrlaw.com).

This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.
