On Tuesday, 20 September 2022, a plenary meeting of Indonesia’s Peoples Representatives Council (Dewan Perwakilan Rakyat / “DPR”) has agreed to pass the Personal Data Protection Law Draft to be promogulated as Law. This plenary meeting is follow-up from the approval at the Level I discussions held by the DPR on 7 September 2022.
However, at this point, the number and official text of the Personal Data Protection Law have not yet been issued and officially circulated, as it must first be announced to the State Journal (Lembaran Negara) and State Gazette (Berita Negara) to ensure that the Law is considered publicized to the public.
The new Personal Data Protection Law (Undang-undang Perlindungan Data Pribadi) (“PDP Law”) will act as the umbrella law to regulate on personal data protection in Indonesia. The PDP Law itself defines data protection as the overall efforts to protect personal data in a series of data protection to guarantee the constitutional rights of the personal data subject. Before the enactment of the PDP Law, regulations on personal data protection are provided (among others) in the less-thorough Minister of Information and Technology (“MCIT”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems.
B. Highlight of the Law
The PDP Law sets out to introduce provisions ensuring protection of personal data, by providing obligations to personal data controllers and personal data processors, prohibitions, and sanctions for violation. The Law introduces provisions on:
- Rights of personal data subjects;
- Obligations of personal data controllers and personal data processors;
- Transfer or personal data within and outside of the jurisdiction of Indonesia;
- Prohibitions and penal sanctions for violations, including for corporations;
- Establishment of data protection agency.
This PDP Law applies to all persons, public body, and international organizations which engages in any legal act as governed by the PDP Regulation;
- Located within the jurisdiction of Indonesia;
- Located outside the jurisdiction of Indonesia, with legal consequences:
- Inside the jurisdiction of Indonesia; and/or
- With legal consequences for Personal Data Subject of Indonesian citizens located outside of the jurisdiction of Indonesia.
The PDP Law explicitly excludes applicability for processing of personal data by private persons in personal or household activities.
C. Key Provisions
Below is the definition of key parties under the PDP Law:
Types of Personal Data
The PDP Law stipulates that the personal data consist of:
- Specific personal data, including health information and data, biometric data, genetic data, criminal records, child data, personal financial data, and/or other data under the provision of laws and regulations;
- General personal data, which includes full names, gender, citizenship, religion, marital status, and/or personal data that may be combined to identify a person.
Rights of Personal Data Subjects
The PDP Law provide the rights of personal data subjects, which includes among others:
- Acquire information on the full identity, legal basis and purpose of personal data requests and utilization, and accountability of the party requesting the personal data;
- Complete, update, and/or rectify errors and/or inaccuracy of personal data;
- Have access and obtain a copy of personal data concerning himself/herself in accordance with laws and regulations;
- Cease processing, delete, or destroy its personal data in accordance with laws and regulations;
- Withdraw consent to processing of personal data by a personal data controller;
- File objection to a decision made based on automatic processing which provides a profile of a person;
- Claim and recover damages for breach of personal data in accordance with laws and regulations;
- Obtain and/or utilize personal data concerning himself/herself in a structured, commonly used and/or readable format by an electronic system;
- Transmit its personal data to another personal data controller to the extent that the system may safely communicate with the principles of data protection under the PDP Law.
Personal Data Processing
The PDP Law stipulates that the coverage of Personal Data Processing includes:
- Acquisition and collection;
- Processing and analysis;
- Ratification and update;
- Display, publication, transfer, dissemination, or disclosures; and/or
- Deletion or destruction.
The processing of personal data must be conducted within the principles of personal data protection. Further provisions on the implementation of personal data processing will be regulated under a government regulation.
Obligations of Personal Data Controllers and Personal Data Processors
The PDP Law provides the obligations of personal data controllers and personal data processor which encompasses any private persons, public bodies, and international organizations.
The main obligation is to ensure protection of personal data is the responsibility of personal data controllers, which controls and conduct processing of personal data. This means that businesses that has control or possession over personal data must adhere and fulfil the regulatory compliance set out under this PDP Law.
Obligations of Personal Data Controller
The PDP Law provides several obligations for personal data controllers which includes:
- Having a basis for personal data processing;
- Conduct limited, specific, legally valid, and transparent process of personal data;
- Process personal data within the purpose for which the personal data is processed.
- Ensure the accuracy, completeness, and consistency of personal data in accordance with the prevailing law and regulations;
- Update and rectify errors and/or inaccuracy of personal data within 3 x 24 hours after receipt of request to update and/or rectification of personal data;
- Inform the result of update and/or rectification to the personal data subject
- Record the entire activities in the processing of personal data;
- Refuse to provide personal data subject access to personal data in certain circumstances.
- Conduct impact assessment of personal data protection if the personal data processing contains a high-risk potential to the personal data subject;
- Protect and ensure security of personal data processed.
- Maintain confidentiality of personal data in conducting personal data processing.
- Supervise any party involved in the processing of personal data under the control of the personal data controller.
- Protect personal data from unauthorized processing;
- Protect personal data from unauthorized access;
- Cease process of personal data if the personal data subject withdraws consent to process personal data.
- Postpone and limit the process of personal data within 3 x 24 hours after receiving a request for postponement and limitation of processing of personal data;
- Cease process of personal data in certain circumstances.
- Delete personal data in certain circumstances.
- Destroy personal data in certain circumstances.
- Deliver a written notice within 3 x 24 hours to the personal data subject and MCIT in case of a failure of personal data protection.
- Take responsibility for processing of personal data and shall meets its responsibilities in fulfilling its obligations fulfil the principles of personal data protection.
- Send a notice of transfer or personal data to the personal data subject in case of mergers, demerger, acquisitions, consolidation.
Obligations of Personal Data Processors
Aside from obligations of personal data processors, the PDP Law also regulates the obligation of personal data processors, if a personal data controller appoints a personal data processor, which is to conduct processing of personal data in consideration of the personal data processing stipulated under the PDP Law. However, all processing of data by the personal data processor still falls under the responsibility of the personal data controller. While doing the data processing, as personal data processor may collaborate with other personal data processor upon prior consent from the personal data controller.
Personal Data Officers and Officials
Personal data controllers and personal data processors must also appoint an official or officer which to conduct personal data protection functions in certain scenarios, such as:
- The processing of personal data is for the interest of public service.
- The core activity of the personal data controller has the characteristics, scope, and/or purpose which requires constant and systematic monitoring of personal data in a large scale; and
- The core activity of the personal data controller consists of personal data processing in a large scale for specific personal data and/or personal data relating to criminal offences.
Transfer of Personal Data
The PDP Law also regulates on the transfer of personal data, which consist of (i) transfer of personal data within the jurisdiction of Indonesia and (ii) transfer of personal data outside the jurisdiction of Indonesia. The PDP Law allows for personal data controllers to transfer personal data to other personal data controllers and obliges the receiving personal data controller to conduct protection.
Aside from transfer of personal data within Indonesia, the PDP Law also allows transfer of personal data to outside of Indonesia. However, (i) the transferring personal data controller must ensure that the country of destination of the personal data has a more strict or at least equal to the level of personal data protection under the PDP Law and If such obligation is not fulfilled, the (ii) transferring personal data controller must ensure that there is an adequate and binding personal data protection. When both obligations are not fulfilled, the transferring personal data controller must obtain the consent of the personal data subject. The PDP Law stipulates that further details regarding transfer of personal data outside of Indonesia will be regulated under a government regulation.
Violation to certain provision under the PDP Law may be subject to administrative sanctions in the form of: (a) written reprimands; (b) temporary suspensions on personal data processing activities; (c) deletion or destruction of personal data; and/or (d) administrative fines. The maximum administrative fines amount shall be 2% (two percent) of the annual income or revenue towards the violation variable.
Prohibitions in the Use of Personal Data and Penal Sanctions
The PDP Law also introduces several prohibitions in the use of personal data. Violation to such prohibitions may be subject to penal sanctions. Below are the prohibitions in the use of personal data and the applicable penal sanctions under the PDP Law:
Aside from the penal provision stipulated, the PDP Law also stipulates that a defendant may be imposed additional penal sanction through appropriation of his/her profits and/or assets acquired or the proceeds from the criminal offense conducted and payment for compensation.
Other than the above, the PDP Law also provides various sanction towards the breach that the Government can imply.
While the promulgation of the PDP Law brings Indonesia one step closer to having a general data protection regulation, further implementing regulations are still necessary to fully implement the regulation, including government regulations to regulate on (i) transfer of personal data outside Indonesia, (ii) processing of personal data, and (iii) rights of personal data subject, as well as presidential regulation to establish the personal data agency.
The enactment of the PDP Law not only impacts personal data subjects, but it will also give more significant impact for business and corporations as it will add new obligations and compliance fulfilment in conducting their business activities, specifically when a business controls personal data in conducting business activities.
For Further Information, Please Contact:
MetaLAW, Legal Consultant, Jakarta, Indonesia