(September 30, 2022) Indonesia’s Personal Data Protection (PDP) Bill, which was first discussed in 2012, was at last passed by the House of Representatives on September 20, 2022. The PDP Bill will become the PDP Law once it is ratified by President Joko Widodo. If the President does not sign the bill into law, it will automatically become law 30 days after the bill’s approval date.
Prior to the PDP Law, personal data protection in Indonesia was regulated under Minister of Communication and Informatics Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems, dated December 1, 2016 (“MOCI Regulation 20/2016”), and Government Regulation No. 71 of 2019 regarding Implementation of Electronic Systems and Transactions, dated October 10, 2019 (“GR 71/2019”).
The scope of these regulations was limited to personal data protection in electronic systems. The PDP Law will be the first comprehensive law in Indonesia to govern personal data protection in both electronic systems and non-electronic systems.
This legal alert highlights key provisions of the PDP Law that organizations should note, in particular as they prepare to comply with the PDP Law during the transition period. For clarity, we refer to the newly approved PDP Bill as the PDP Law here.
A. Scope of the PDP Law
Article 2 of the PDP Law provides that the law shall apply to any person (the definition of “person” in the PDP Law includes individuals and corporations), public agency, and international organization that carries out legal actions in Indonesia. It further provides that the law applies to any person that carries out legal actions outside of the Indonesian jurisdiction if these actions have legal consequences in the Indonesian jurisdiction and/or for Indonesian Data Subjects residing outside of Indonesia.
This means that any offshore entity that processes Personal Data in any of the above-mentioned manners will also be subject to the PDP Law.
The PDP Law shall not be applicable to the processing of Personal Data by individuals for the purpose of personal or household activities.
Further exemptions apply for the processing of Personal Data for the following purposes, in the context of implementing the provisions of law:
(1) national defense and security interests;
(2) law enforcement interests;
(3) public interest in the context of state administration; or
(4) in the interest of the supervision of the financial services sector, and monetary, payment system, and financial system stability carried out in the context of state administration.
The PDP Law does not provide any further explanation regarding the above exemptions.
B. Definition and Types of Personal Data
The PDP Law defines Personal Data as any data concerning a person who is identified or identifiable, either on its own or in combination with other information, directly or indirectly, through an electronic or non-electronic system. The individuals to whom Personal Data is attached are referred to as Data Subjects.
Personal Data is further classified into two types:
(1) General Personal Data, which consists of full name, gender, citizenship, religion, marital status, and/or Personal Data which is combined to identify a person (e.g., phone number and IP address). The previous draft of the PDP Bill only referred to General Personal Data as any data not classified as Specific Personal Data. So, the PDP Law provides a more specific definition of General Personal Data.
(2) Specific Personal Data, which consists of health data and information, biometric data, genetic data, criminal records, children’s data, personal financial data, and/or any data in accordance with the provisions of the prevailing laws and regulations. In the elucidation of the PDP Law, Specific Personal Data is further defined as Personal Data the processing of which may have a significant impact on the Data Subject, including acts of discrimination.
Compared to the earlier drafts of the PDP Bill, the PDP Law simplifies the scope of Specific Personal Data. Previously, information regarding religion/faith, sexual orientation and/or activity, political views, and physical and/or mental disability was also included under Specific Personal Data. In the PDP Law, information on religion is now considered General Personal Data, and information regarding sexual orientation and/or activity and political views has been completely removed. Information on physical and/or mental disability is included in “health data and information” as Specific Personal Data.
Aside from the classification of Personal Data, the PDP Law requires special procedures for the processing of Personal Data in certain cases. For example, processing the Personal Data of children and persons with disabilities requires, inter alia, the party processing the personal data to obtain the consent of the Data Subjects’ parent (for children) and/or legal guardian.
C. Personal Data Controller and Personal Data Processor
The PDP Law introduces to Indonesia express provisions and definitions for Personal Data Controller and Personal Data Processor. There is no reference to Personal Data Controller and Personal Data Processor in MOCI Reg. 20/2016, while GR 71/2019 briefly mentions Personal Data Processor without further explanation of the term. We note that prior to the PDP Law, the terms “Controller” and “Processor” were commonly understood in practice by the relevant government officials when it came to the obligations of business actors.
Personal Data Controller is defined in the PDP Law as any person, public body or international organization acting individually or jointly in determining the objectives and exercising control over the processing of Personal Data (“Controller”). Personal Data Processor refers to any person, public body or international organization acting individually or jointly to process Personal Data on behalf of a Personal Data Controller (“Processor”).
Further, since the Processor cannot determine the objectives and exercise control over the processing of Personal Data by itself, a Processor can only process Personal Data after being appointed by a Controller, on behalf of the Controller.
The rights and obligations under the PDP Law that parties must comply with are subject to the respective role played by the party in processing Personal Data. As the party that determines the objective of processing, the obligations of the Controller are significantly greater than those of the Processor. For example, a Controller is responsible for the processing of Personal Data and must demonstrate accountability in fulfilling its obligations to implement the principles of Personal Data Protection at all times, including when the processing is carried out by a Processor.
However, if the Processor conducts Personal Data processing beyond the orders and purposes set by the Controller, the responsibility for the Personal Data processing shall shift to the Processor.
D. Rights and Obligations of Data Subjects, Controllers and Processors
1. Rights of Data Subjects
The rights of Data Subjects are set out under Article 5 to Article 14 of the PDP Law. Data Subjects are entitled to clear information on the identity of the party requesting their Personal Data, on why the Personal Data is being requested and how it will be used, and on the accountability of the parties requesting the Personal Data. They can also request that any Personal Data that is incorrect and/or inaccurate be rectified and/or updated.
One of the highlights of the PDP Law is that Data Subjects are allowed to withdraw the consent for the processing of their Personal Data that they have granted to the Personal Data Controller, and are also entitled to the cessation and/or limitation of processing, and to the deletion and/or destruction, of their Personal Data. Data Subjects can request to withdraw their consent by submitting a recorded request, delivered either electronically or non-electronically, to the Personal Data Controller.
The PDP Law does not set out the obligations of Data Subjects.
2. Obligations of Controllers
The PDP Law does not set out the rights of Controllers. The obligations of Controllers are set out under Article 20 to Article 49 of the PDP Law.
In certain cases, Article 50 of the PDP Law exempts Controllers from their obligations. These exemptions relate to national security, law enforcement, public interest, and supervision in the financial sector.
Aside from such exemptions, certain rights of Data Subjects can be refused by Controllers in certain circumstances. For example, Article 33 of the PDP Law provides that Controllers can refuse the request of a Data Subject to change their Personal Data, and Article 44 of the PDP Law provides that a Controller may still process Personal Data even if the Data Subject has requested the Controller to postpone and/or restrict the data processing, subject to the fulfillment of certain conditions.
3. Obligations of Processors
As with Controllers, the PDP Law only sets out the obligations of Processors, not their rights. The obligations of Processors are set out under Article 51 and Article 52 of the PDP Law, with Article 52 emphasizing that certain obligations applicable to Controllers are also applicable to Processors. These obligations include (i) ensuring the accuracy, completeness, and consistency of Personal Data in accordance with the provisions of laws and regulations; (ii) maintaining a record of all Personal Data processing activities; and (iii) protecting and ensuring the security of processed Personal Data.
E. Basis for Personal Data Processing
Article 20 of the PDP Law specifies the basis for Personal Data Processing by Controllers, as follows:
(1) Consent: An explicit consent must be obtained from the Data Subject. Such consent shall relate to one or more purposes which have been explained to the Data Subject;
(2) Contract: Fulfilment of contractual obligations to which the Data Subject is a party, or to fulfil the request of the Data Subject at the time of entering into an agreement;
(3) Legal Obligation: Fulfillment of the legal obligations of the Controller in accordance with the applicable laws;
(4) Vital Interest: Protection of the Data Subject’s vital interests;
(5) Public Task: Implementation of tasks in the context of public interest, public services, or the implementation of the authority of the Data Controller in accordance with the applicable laws; and/or
(6) Legitimate Interest: Fulfillment of other legitimate interests which shall be carried out by balancing the Data Controller’s interests and the Data Subject’s rights.
F. Data Protection Impact Assessment
The PDP Law requires a Data Controller to carry out a Data Protection Impact Assessment (“DPIA”) if the Personal Data processing carries a high potential risk for the Data Subject. Under Article 34 of the PDP Law, Personal Data processing with a high potential risk includes:
a. automatic decision-making that has legal consequences for or a significant impact on the Data Subject;
b. processing of Specific Personal Data;
c. processing of Personal Data on a large scale;
d. processing of Personal Data for the systematic evaluation, scoring or monitoring of Data Subjects;
e. processing of Personal Data for matching or combining a group of data;
f. the use of new technologies in the processing of Personal Data; and/or
g. processing of Personal Data that limits the exercise of the rights of the Data Subject.
Further provisions on the DPIA are expected to be issued in a Government Regulation.
G. Appointment of Data Protection Officer
If any of the following conditions under Article 53 of the PDP Law are met, Controllers and Processors are required to appoint a Data Protection Officer (“DPO”):
(1) Processing of Personal Data for the interest of public services;
(2) The nature, scope, and/or objective of the Data Controller’s main activities require regular and systematic monitoring of large-scale Personal Data; or
(3) The Data Controller’s main activities involve the processing of Specific Personal Data on a large scale and/or Personal Data relating to criminal acts.
A DPO shall carry out the function of Personal Data Protection and can be an existing employee of the Controller or Processor or recruited externally. The DPO must have the necessary professionalism, legal knowledge, and Personal Data Protection experience to fulfill their duties. The functions of a DPO are to be further regulated under a Government Regulation.
H. PDP Institution
Article 58 of the PDP Law provides that an Institution shall be created by and directly responsible to the President to oversee the implementation of Personal Data Protection practices.
The authorities of the Institution are further specified in Article 59 of the PDP Law, as follows:
a. formulate and stipulate policies and strategies on Personal Data Protection to serve as guidance for Data Subjects, Personal Data Controllers, and Personal Data Processors;
b. supervise the implementation of Personal Data Protection;
c. enforce administrative law for violations of the PDP Law; and
d. facilitate the resolution of Personal Data Protection disputes outside of court.
It is understood that the Institution shall be the supervisory authority with respect to the implementation of Personal Data Protection and will further play a role in facilitating the resolution of disputes outside of court, as mentioned in letter (d). Based on the elucidation thereto, “facilitation of dispute resolution outside of court” is meant as the provision of dispute resolution facilities through procedures agreed upon by the parties, namely settlement out of court by means of consultation, arbitration, negotiation, mediation, conciliation, or expert judgment in accordance with the provisions of laws and regulations.
Further provisions regarding the implementation of Personal Data Protection by the Institution shall be provided in a Presidential Regulation. The procedures for implementing the authority of the Institution are to be stipulated in a Government Regulation.
I. Cross-Border Transfer of Personal Data
A Controller is allowed to transfer personal data to another Controller within the jurisdiction of Indonesia. The PDP Law further allows the cross-border transfer of Personal Data from a Controller to a Controller and/or Processor outside the jurisdiction of Indonesia if:
(1) the recipient’s country has an adequate or higher level of Personal Data protection than that stipulated in the PDP Law;
(2) there exists an adequate level of binding Personal Data protection; or
(3) the consent of the Data Subject for the cross-border data transfer has been obtained.
Please note that the above conditions are to be fulfilled in sequence: if condition (1) is not fulfilled, the Controller shall move to the fulfillment of condition (2), and only if both (1) and (2) are not fulfilled can the Controller move to the fulfillment of condition (3). It is implied that if condition (1) is already fulfilled, there is no need for the Controller to fulfill conditions (2) or (3).
The implementation of cross-border data transfer is to be further regulated by a Government Regulation.
J. Notification Requirements
The following notification requirements must be fulfilled as applicable:
a. Notification in light of the failure of Personal Data Protection (Article 46 of the PDP Law)
Controllers that fail to protect Personal Data are required to submit written notification to the Data Subject and the Institution no later than 3 x 24 hours after the failure. This notification shall at least contain: (i) the disclosed Personal Data; (ii) when and how the Personal Data was disclosed; and (iii) the efforts of the Personal Data Controller to handle and recover the disclosed Personal Data.
In the elucidation of Article 46 of the PDP Law, “failure of Personal Data Protection” is further elaborated as a failure to protect a person’s Personal Data in terms of the confidentiality, integrity, and availability of the Personal Data, including violations of security, whether intentional or unintentional, leading to the destruction, loss, alteration, disclosure of, or unauthorized access to Personal Data transferred, stored, or processed.
In certain cases, the Personal Data Controller shall be obliged to notify the public of the failure of Personal Data Protection. For example, notification is required if the failure of Personal Data Protection interferes with public services and/or has a serious impact on the public interest.
b. Notification in light of certain corporate actions (Article 48 of the PDP Law)
If a Controller is a legal entity that performs a merger, separation, acquisition, consolidation, or dissolution of a legal entity, it is required to submit a notification of the transfer of Personal Data to the Data Subject. The notification must be submitted prior to the aforementioned corporate actions. Further provisions regarding the procedures to deliver a notification shall be regulated in a Government Regulation.
Additionally, the elucidation of Article 48 provides an explanation of “notification,” which is a notification to the Data Subject or notification in general through the mass media, either by electronic or non-electronic means.
K. Sanctions and Prohibitions
The PDP Law provides the following prohibitions and sanctions in relation to violations of the law:
1. Prohibitions on the Use of Personal Data
Express prohibitions on the use of Personal Data are regulated under Article 65 and Article 66 of the PDP Law as follows:
(1) Every Person is prohibited from unlawfully obtaining or collecting Personal Data that does not belong to such Person with the intention of benefiting themselves or another person, which may result in loss to the Data Subject. Violation of this is subject to maximum imprisonment of five years and/or a maximum fine of Rp5 billion.
(2) Every Person is prohibited from unlawfully disclosing Personal Data that does not belong to themselves. Violation of this is subject to maximum imprisonment of four years and/or a maximum fine of Rp4 billion.
(3) Every Person is prohibited from using Personal Data that does not belong to such Person in a manner that contravenes the law. Violation of this is subject to maximum imprisonment of five years and/or a maximum fine of Rp5 billion.
(4) Every Person is prohibited from creating false Personal Data or fake Personal Data with the intention of benefiting themselves or other persons that may cause harm to other persons. Violation of this is subject to maximum imprisonment of six years and/or a maximum fine of Rp6 billion.
Additional penalties may also be imposed in the form of confiscation of profits and/or assets obtained from, or proceeds of, criminal acts, and payment of indemnity.
2. Administrative Sanctions
Violations of certain articles in the PDP Law are subject to administrative sanctions under Article 57 of the PDP Law. These administrative sanctions, which shall be imposed by the Institution, are as follows:
a) written warning;
b) temporary suspension of Personal Data processing activities;
c) deletion or destruction of Personal Data; and/or
d) administrative fines.
With regard to administrative fines, the PDP Law stipulates that the maximum fine is 2% of the concerned party’s annual income or revenue. Further provisions on administrative sanctions and the procedures for the imposition of administrative fines will be provided in Government Regulations.
3. Criminal Sanctions
If the criminal act as referred to in Article 67 and Article 68 of the PDP Law is committed by a corporate entity, the PDP Law stipulates that criminal sanctions will be imposed only in the form of criminal fines. These fines will be imposed on the management, controller, instructor, beneficial owner, and/or the corporation itself. The administrative fines for corporate entities can be up to 10 times the maximum fines for individuals.
Additional criminal sanctions may be imposed on corporate entities, including (a) confiscation of profits and/or assets obtained or proceeds from criminal acts; (b) suspension of all or part of the business of the corporation; (c) permanent prohibition on certain activities; (d) closure of all or part of the business premises and/or activities of the corporation; (e) fulfillment of the neglected obligation; (f) payment of compensation; (g) revocation of licenses; and/or (h) dissolution of the corporation.
L. Transition Period
Pursuant to the PDP Law, Controllers, Processors, and other relevant parties who process Personal Data have two years to comply with the provisions of the PDP Law.
Once the transition period has elapsed, organizations must comply with all the provisions of the PDP Law. In ensuring compliance with the law, organizations must at least do the following:
- ensure that all processing of Personal Data has a lawful basis;
- verify the accuracy, completeness and consistency of Personal Data;
- keep records on all activities relating to Personal Data processing;
- comply with the requests of Data Subjects with respect to their Personal Data (this is unless there are circumstances under which the rights of the Data Subject and/or the obligations of the Data Controller are exempted);
- carry out a DPIA before performing high-risk Personal Data processing;
- prepare and implement adequate technical operational guidelines for the security of Personal Data;
- oversee the processing of Personal Data by other parties that are controlled by the organization;
- appoint a DPO if the conditions are met;
- notify the Data Subject and the Institution in the event of the failure to protect Personal Data. Such notification must be provided at the latest 3 x 24 hours from when the organization is aware of the failure;
- notify the Data Subject in the event of a corporate action (merger, spin-off, acquisition, consolidation, or dissolution); and
- comply with orders from the relevant authorities.