Indonesia Personal Data Protection Law: High-Level Overview on the Newly Passed Personal Data Protection Law
On 20 September 2022, the Indonesian House of Representatives (Dewan Perwakilan Rakyat or "DPR") officially passed the Personal Data Protection ("PDP") Bill, which is to be ratified by President Joko Widodo. Upon ratification, the PDP Bill officially becomes law. If the PDP Bill is not ratified within 30 (thirty) days from 20 September 2022, the bill automatically becomes law ("PDP Law").
In our previous article on the Code of Ethics on Personal Data Protection and Data Privacy in the Fintech Industry ("Fintech Code of Ethics") (https://www.mondaq.com/article/1221128), we noted a growing concern over the need for a law governing the processing of personal data through the identification of data subjects. That discussion was based on the existing regulation, Ministry of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ("MoCI Reg. 20/2016"). PDP Law will be the first umbrella law providing comprehensive protection of personal data in Indonesia.
In this article, we provide a high-level overview of PDP Law, covering: (i) Definition and Classification of Personal Data; (ii) Rights and Obligations of Data Subjects, Controllers, and Processors; (iii) Personal Data Protection Officer; (iv) Transfer of Personal Data; (v) Personal Data Protection Institution; (vi) Prohibitions and Sanctions; (vii) Transitional Period; and (viii) Concluding Remarks.
Definition and Classification of Personal Data
Although MoCI Reg. 20/2016 provides several definitions relating to data subjects, e.g., Personal Data and Data Owner, it does not set out any specific classifications of data subjects. With the promulgation of PDP Law, these classifications are now specified. The new definitions resemble those in the Fintech Code of Ethics, which itself leans towards the personal data protection framework of the European Union ("EU") General Data Protection Regulation ("GDPR"). Below are the new definitions and classifications of data subjects under PDP Law:
- Personal Data: data about any person who is identified or can be identified, individually or in combination with other information, directly or indirectly, through an electronic or non-electronic system.
- Personal Data Protection: the overall effort in the data processing to protect Personal Data by ensuring the subject’s constitutional rights.
- Personal Data Subject: an individual who has Personal Data attached to him/her. (“Data Subject”)
- Personal Data Controller: any individual, public entity, or international organization, acting individually or jointly, that determines the purpose of, and exercises control over, the processing of Personal Data. ("Controller")
- Personal Data Processor: any individual, public entity, or international organization, acting individually or jointly to process the Personal Data on behalf of the Controller. (“Processor”)
Furthermore, PDP Law provides two definitions of Personal Data that are protected by law: Specific Personal Data and General Personal Data.
- Specific Personal Data: This group includes Personal Data such as biometric data, health information, genetic data, criminal records, children's data, personal financial data, and any other data designated by regulation. The explanatory note on Specific Personal Data in PDP Law explains that such data may cause loss and damage to the data subject.
- General Personal Data: This group of data includes full name, gender, nationality, religion, marital status, and other personal data combined to identify an individual.
(Article 4 of PDP Law)
Rights and Obligations of Data Subjects, Controllers, and Processors
PDP Law further specifies the rights and obligations of data subjects:
- Rights of Data Subject: Under PDP Law, a data subject has the right to:
  - obtain information on the identity of, the legal basis and purpose of the request for and use of his/her Personal Data by, and the accountability of, any party requesting his/her Personal Data;
  - complete, update, and/or correct his/her Personal Data in the event of inaccuracy;
  - access and obtain a copy of his/her Personal Data;
  - end the processing of, delete, and/or terminate his/her Personal Data;
  - withdraw the consent to Personal Data processing that was given to the Controller;
  - object to any automated processing of his/her Personal Data that has legal implications for, or a significant effect on, the Data Subject;
  - file a lawsuit and receive compensation for any violation relating to the processing of his/her Personal Data; and
  - receive his/her Personal Data from the Controller, and/or use the data provided by the Controller.
(Article 5 to 13 of PDP Law)
PDP Law further regulates the exceptions that may rule out the rights of a data subject when his/her Personal Data is collected:
- for the interest of national defence and security;
- for the purpose of law enforcement and public interest in respect of state administration;
- to oversee the financial services sector, monetary or payment systems, and the stability of the financial system, where carried out by the state; or
- for statistics and research.
(Article 15 of PDP Law)
- Obligations of Data Controller and Processor: Under PDP Law, the obligation to protect Personal Data rests with the Processor and the Controller. Both Processors and Controllers can be individuals, public entities, or international organizations. Their obligations are as follows:
  Obligations of a Controller: The obligations of a Controller are elaborated comprehensively in Articles 20 to 52 of PDP Law. In general, the obligations of a Controller in Personal Data processing include:
  - obtaining explicit agreement or consent from the data subject;
  - fulfilling contractual obligations towards, and requests of, the data subject;
  - protecting the vital interests of the data subject;
  - fulfilling the Controller's obligations under the prevailing laws and regulations;
  - carrying out tasks in the public interest, public services, or the exercise of the Controller's authority; and
  - fulfilling legitimate interests in terms of the purpose and needs of data processing, while balancing the interests of the Controller against the rights of the Data Subject.
  Obligations of a Processor: Under Article 51 of PDP Law, a Processor is responsible for:
  - processing the Personal Data based on the instructions of the Controller;
  - involving other Processors (if necessary) in conducting the Personal Data processing;
  - obtaining the written approval of the Controller before involving other Processors in processing the Personal Data; and
  - processing the Personal Data only with the consent of the Controller; processing outside the Controller's instructions makes the Processor individually liable.
  Note that the Controller's obligations under Articles 29, 31, 35, 36, 37, 38, and 39 also apply to the Processor.
Personal Data Protection Officer
Please bear in mind that, in protecting Personal Data, both the Processor and the Controller are obligated to appoint a Personal Data Protection Officer ("PDPO") in certain circumstances. The PDPO is appointed based on his/her professional capability, legal knowledge, data protection practice, and competence to fulfil the tasks. The appointment of a PDPO is required where the Controller or Processor:
- processes personal data for public services;
- carries out, as its main activity, regular and systematic overseeing of large-scale Personal Data; and
- processes large-scale Specific Personal Data and/or Personal Data relating to criminal acts.
(Article 53 of PDP Law)
In protecting Personal Data, the relevant PDPO has at least the following duties:
- inform and advise the Controller or Processor on compliance with PDP Law;
- oversee and ensure compliance with PDP Law and with the Personal Data Protection policies of both the Processor and the Controller;
- advise on the evaluation of the effectiveness of Personal Data Protection and oversee the performance of both the Controller and the Processor; and
- coordinate with the Controller and the Processor, and act as the intermediary in resolving issues related to Personal Data processing.
(Article 54 of PDP Law)
Further stipulations on the PDPO’s scope of rights and duties will be addressed under a government regulation.
Transfer of Personal Data
Under PDP Law, the transfer of Personal Data is conducted by the Controller. Personal Data may be transferred within the territory of Indonesia and to foreign countries. In any such transfer, the Controller is obligated to meet the standard of Personal Data protection stipulated in PDP Law. When transferring Personal Data out of Indonesia, the Controller must ensure that the recipient country has a protection standard in accordance with PDP Law, or a more comprehensive standard than PDP Law provides (Articles 55 and 56 of PDP Law).
Personal Data Protection Institution
In connection with the implementation of Personal Data Protection, the Indonesian government shall appoint an independent institution ("PDP Institution"), established by and responsible to the President of Indonesia. PDP Law further explains that the institution is responsible for:
- formulating policies and strategies for Personal Data Protection that serve as guidelines for Data Subjects, Controllers, and Processors;
- overseeing the implementation of Personal Data Protection;
- enforcing the administrative sanctions under PDP Law; and
- facilitating alternative dispute resolution (i.e., consultancy, arbitration, negotiation, mediation, conciliation, or expert evaluation).
In addition, the PDP Institution is authorized to assist the police and prosecutors in handling alleged violations of Personal Data Protection. Lastly, further provisions and procedures of the institution will be regulated by Government Regulations. (Articles 59 and 60 of PDP Law)
Prohibitions and Sanctions
Under PDP Law, violations of Personal Data protection are subject to administrative and criminal sanctions. The breakdown is as follows:
- Criminal Sanctions: Please be informed that a violation of Personal Data protection is subject to criminal sanctions imposed on the relevant individuals. If such violations are committed by a corporation, the persons held responsible would be the directors, controllers, those giving instructions, and beneficiaries. The criminal violations and sanctions are as follows:
  - Unlawfully obtaining or collecting a person's Personal Data for one's own benefit or to the detriment of the affected person attracts serious penalties, namely imprisonment of up to 5 (five) years and/or a fine of up to IDR 5 billion.
  - Unlawfully disclosing a person's Personal Data also attracts serious penalties, in the form of imprisonment of up to 4 (four) years and/or a fine of up to IDR 4 billion.
  - Unlawfully using a person's Personal Data may lead to imprisonment of up to 5 (five) years and/or a fine of up to IDR 5 billion.
  - Lastly, intentionally or unlawfully falsifying a person's Personal Data may lead to imprisonment of up to 6 (six) years and/or a fine of up to IDR 6 billion.
(Article 67 of PDP Law)
- Administrative Sanctions: Under PDP Law, a violation of Personal Data protection is also subject to administrative sanctions. Generally, such sanctions follow from non-performance of the Personal Data protection obligations under PDP Law. The applicable administrative sanctions are:
  - written warning;
  - temporary suspension of Personal Data processing activities;
  - deletion of Personal Data; and/or
  - administrative fines.
(Article 57 of PDP Law)
In addition, the PDP Institution is the authorized entity to enforce the administrative sanctions.
Transitional Period
Bear in mind that Controllers, Processors, and other parties involved in Personal Data processing must conform to the provisions of PDP Law no later than 2 (two) years after the enactment of the law. Other relevant laws and regulations previously issued in relation to personal data protection remain applicable, as long as they do not contravene PDP Law. (Articles 74 and 75 of PDP Law)
Concluding Remarks
We note that the upcoming PDP Law will have a significant impact on the regulatory mechanism for the transfer and protection of Personal Data. Based on our elaboration, PDP Law establishes appropriate characterizations of data subjects, which in turn identify the rights and obligations of those data subjects in relation to the protection and transfer of Personal Data. As the classification of data subjects closely follows that under the GDPR, we note that the Indonesian government has taken a significant step in defining the standard for personal data transfers, particularly from Indonesia to EU countries, easing the transfer process given the close similarities with the GDPR. Transfers of Personal Data to non-EU countries may be more difficult, because the law requires the recipient country to have standards similar to, or higher than, those under PDP Law. At this stage, PDP Law has established greater clarity with regard to Personal Data protection in Indonesia.
The article above was prepared by Marshall S. Situmorang (Partner) and Audria Putri (Senior Associate).