The Indonesian government, on 17 October 2022, passed Law No. 27 of 2022 concerning Personal Data Protection Law (the “PDPA”). This article seeks to give an overview of the 2022 Indonesian Personal Data Protection Act (PDPA).
The Indonesian law is touted as being modeled on the EU GDPR; however, there are differences, and legal advice should be sought when adapting a privacy policy for Indonesian residents.
Principles of data processing
Similar to the GDPR, Article 16 Paragraph (2) of the PDPA provides for the following principles of data protection:
- Lawfulness principle
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
Legal basis for data processing
Article 20 Paragraph (2) of the PDPA, which mirrors Article 6 of the General Data Protection Regulation (GDPR), sets out the potential legal bases for data processing, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
Consent
The key principle is that data can only be processed for the purpose(s) to which data subjects have consented. Articles 22 – 24 of the PDPA address the requirements for obtaining consent.
The provisions requiring consent from the data subject appear similar, to some extent, to those under the GDPR.
However, the PDPA does not clarify whether the click-wrap method of recording consent will be recognized. This is a concern because Indonesian judges still take the traditional view that a valid agreement is a document containing the terms of the agreement with a wet-ink signature on it. Of late, regulations have been passed to allow for electronic signatures where the users have enrolled with a local certifying authority to certify such signatures. The regulations also recognize uncertified signatures (Article 60, Government Regulation No. 71 of 2019 on Administration of Electronic Systems and Transactions). As it stands now, the legal framework recognizes both certified electronic signatures and uncertified electronic signatures (DocuSign being an example of the latter). However, there is still uncertainty about the legality of signifying assent to terms and conditions using the click-wrap method.
The current regime does not clearly support click-wrap consent, where there is no record of a signature signifying agreement or acceptance to be bound by certain terms and conditions. Data controllers should seek professional advice on how best to capture the data subjects’ consent to the privacy policy. Web-based businesses with Indonesian users may wish to seek legal advice on how best to address this issue.
Disclosure in consent
The disclosure necessary for obtaining consent is set out in Article 21 of PDPA – key information includes:
- The purpose of Personal Data processing
- The retention period of documents containing Personal Data
- The details regarding the Information collected
- The period of Personal Data processing
- The rights of the Personal Data Subject
The data subject needs to be notified of any change in the above.
Data protection officer
Data controllers are required to appoint a data protection officer (Article 53 of the PDPA). At this point, there is no registration requirement for the data protection officer. However, the relevant provision provides for further implementing regulations to be passed with respect to the appointment of a data protection officer.
Sanctions
The PDPA creates the following offences that are punishable by fine and/or imprisonment:
- Unlawfully obtaining or collecting Personal Data that does not belong to the offender, with the intention to benefit themselves or other persons (Article 67(1) of the PDPA)
- Intentionally and unlawfully disclosing Personal Data that does not belong to the offender (Article 67(2) of the PDPA)
- Intentionally and unlawfully using Personal Data that does not belong to the offender (Article 67(3) of the PDPA)
- Intentionally creating false Personal Data or falsifying Personal Data with the intention to benefit themselves or other persons (Article 68 of the PDPA)
Management and/or beneficial owners could also be liable under these provisions (Article 70 Paragraph (1) of PDPA).
The specter of criminal sanctions underscores the need to have in place a framework for proving that consent for the collection of data has been secured (see the discussion above regarding click-wrap and consent).
The aggrieved party may seek compensation from the defaulting data controller (Article 12 of the PDPA).
The court may also impose sanctions such as payment of compensation, suspension of business, confiscation of profits, partial or complete shutdown/cessation of business, and dissolution of the company (Article 70 Paragraph (4)). In the case of a fine, the amount can be up to two (2) percent of the company’s turnover (Article 57 Paragraph (3) of the PDPA).
The sanction of imprisonment is one significant area where the Indonesian PDPA departs from the EU’s GDPR, which provides for administrative fines, correction orders and compensation, but not imprisonment.
What businesses should do
Businesses should immediately review their privacy policies to ensure that they do not conflict with the PDPA.
Please refer to the 2022 Indonesia Data Protection Guide for more topics concerning the Personal Data Protection Law (the “PDPA”).
The guide is authored by Kin Wah Chow and the legal team at Rouse network firm Suryomurcito & Co to help businesses navigate the regulatory framework by laying out the applicable regulations as of the date of publication.