On 20 September 2022, Indonesia’s President and House of Representatives (DPR) approved the Personal Data Protection bill following six years of deliberation.
However, while the PDP bill has been approved by both the President and DPR, it has not yet been signed by the President, who is required by law to ratify the PDP Law within 30 days from its date of approval. The PDP bill will become law (the PDP Law) as soon as signed by the President, or 30 days after such date of approval, whichever occurs first.
The PDP Law will be Indonesia’s first comprehensive set of rules relating to personal data protection, covering both electronic and non-electronic personal data forms. This welcome regulatory development will lead to a higher level of personal data protection in Indonesia’s growing digital economy.
The PDP Law is more closely aligned with international data privacy standards. It also introduces new concepts and removes certain restrictive provisions under the previous regime, including the requirement for both prior and post notifications to the regulator on cross-border personal data transfers.
The new law also goes further by introducing criminal sanctions for certain personal data breaches. In this way, the government is sending a strong message to both individuals and corporations that personal data protection is now being taken seriously in Indonesia.
We set out below our initial observations on the key issues we have identified in the PDP Law.
Extraterritorial Reach
Similar to Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (the EIT Law), the PDP Law purports to have extraterritorial reach, which may impact personal data controllers and processors located outside the jurisdiction of Indonesia.
Article 2 of the EIT Law had provided that the EIT Law would apply to “any person who commits any legal action as governed under this EIT Law, both within the jurisdiction of Indonesia and outside the jurisdiction of Indonesia, which has legal effect within the jurisdiction of Indonesia and/or outside the jurisdiction of Indonesia and which harms the interest of Indonesia.” The wording “harms the interest of Indonesia” was broadly defined in the EIT Law to include “harming the interests of the national economy, strategic data protection, the nation’s dignity and status, state defence and security, sovereignty, citizens, as well as Indonesian legal entities”.
Article 2 of the PDP Law provides a slightly different scope of application compared to the EIT Law since, among other things, it no longer includes the concept of “harming the national interest”. The PDP Law applies to any person, public body or international organisation carrying out a legal action contemplated under the PDP Law, and located:
- within the Indonesian jurisdiction; and/or
- outside the Indonesian jurisdiction which has a legal impact (i) in the Indonesian jurisdiction and/or (ii) for personal data subjects who are Indonesian citizens located outside the Indonesian jurisdiction.
The PDP Law does not elaborate on the term “legal impact”. It remains to be seen whether the anticipated implementing regulations for the PDP Law will provide any further detail on the meaning of this term.
Grounds for Processing Personal Data
Prior to the enactment of the PDP Law, the prevailing laws and regulations on personal data protection in Indonesia arguably placed more of an emphasis on obtaining consent from the personal data “owners” when compared to the PDP Law. The PDP Law broadens the accepted grounds for the processing of personal data and appears to be generally more aligned with international practice.
The PDP Law requires a personal data controller to have grounds for processing personal data. The accepted grounds for processing personal data under the PDP Law include:
- valid and explicit consent from the personal data subject for one or more specific purposes which have been informed by the personal data controller to the personal data subject;
- satisfaction of an obligation in an agreement where the personal data subject is one of the parties, or to satisfy the request of a personal data subject when entering into an agreement;
- satisfaction of a legal obligation of the personal data controller in accordance with laws and regulations;
- satisfaction of protection of personal data subject’s vital interest;
- implementation of tasks for the public interest, public service, or the authorised implementation of the personal data controller based on the laws and regulations; and/or
- satisfaction of other legitimate interests by observing the purpose, needs, and balance of interests between the personal data controller’s interests and the rights of the personal data subject.
Some of the accepted grounds listed above are very broadly drafted, making their precise meaning and application in practice somewhat clear. That being said, what does seem to be clear under the PDP Law is that personal data collection and processing can be carried out without needing to obtain valid and express consent from the relevant personal data subject, provided that the personal data controller can rely on one or more of the grounds for processing personal data described above. This is a significant departure from the previous regime which required that valid and explicit consent of personal data subjects be obtained in almost all circumstances.
That being said, Article 24 of the PDP Law sets out that in processing personal data, personal data controllers are required to present evidence of consent being granted by the relevant personal data subject.
Applicable Exemptions
The PDP Law is not applicable to personal data processing by individuals for personal or household purposes. It also exempts certain data controller obligations for the following interests, in the context of the implementation of laws and regulations.
- national defence and security;
- law enforcement;
- public interest for the purpose of state administration; or
- supervision of the financial services sector, monetary and payment systems, and stability of the financial system being undertaken for the purpose of state administration.
Introduction of Personal Data “Subject”
The PDP Law introduces the term “personal data subject”. A personal data subject is defined under the PDP Law as an individual to whom personal data is attached. Under the previous regime, the term “personal data owner” was used, with largely the same definition as for “personal data subject” under the PDP Law. Considering how many parties are involved in the processing of personal data, granting ownership of personal data to a particular individual may not be appropriate, so the introduction of this new term is better aligned with international practice.
Roles of Data Controllers and Data Processors
The PDP Law categorises the key players related to personal data protection as “personal data controllers”, “personal data processors” and “personal data subjects”. We have already touched on the concept of a personal data subject above.
The term “personal data controller” is briefly mentioned in Government Regulation No. 71 of 2019 on Administration of Electronic Systems and Transactions, but without elaborating on the role and its responsibilities. In general, the PDP Law better defines and separates the roles of data controllers and data processors than under the prior regulations.
Onshore and Offshore Personal Data Transfers
The PDP Law enables personal data controllers to transfer personal data both domestically and offshore more easily.
For domestic transfers, Article 55 of the new law permits personal data controllers to transfer personal data to other data controllers within the Indonesian territory. Both transferor and transferee are required to protect the transferred personal data, as regulated under the PDP Law.
Article 56 of the PDP Law permits personal data controllers to transfer personal data to personal data controllers and/or processors located outside the Indonesian territory if:
- the country in which the personal data controller and/or processor receiving the personal data transfer is domiciled has a degree of personal data protection equal to or higher than that contemplated under the PDP Law;
- in the event that the provision under (a) above cannot be satisfied, the personal data controller is required to ensure that there is adequate personal data protection and such protection is binding in nature; and/or
- in the event that the provisions under (a) and (b) above cannot be satisfied, the personal data subject’s consent has been obtained.
The PDP Law provides for additional provisions related to cross-border data transfers to be regulated by future implementing government regulations.
In contrast to the previous regulatory regime, the PDP Law does not require pre- and post-notification to the Ministry of Communications and Informatics (MOCI) for any cross-border data transfer. This is a significant relaxation of the old requirements applying to Indonesia-based data controllers and processors seeking to transfer personal data out of Indonesia. Again, the new approach is better aligned with international practice.
The PDP Law also implies that so long as the requirements under points (a) and (b) above have been met, a personal data subject’s consent does not have to be obtained for a cross-border data transfer to occur. Under the previous regime, the explicit consent of the personal data subject was needed to transfer personal data across borders.
Notification Requirement for Merger, Spin-off, Acquisition or Consolidation of Legal Entities
Article 48 of the PDP Law requires corporate personal data controllers that wish to carry out a merger, spin-off, acquisition causing a change of control, or consolidation to notify the relevant personal data subjects of any personal data transfer that will arise from such corporate action, both before and after the corporate action has been completed.
The PDP Law provides that the requirement may be satisfied by way of a notification to the personal data subjects or via a public announcement through mass media, whether electronically or non-electronically (eg print media). Furthermore, the PDP Law provides that, in the event a corporate personal data controller is dissolved or liquidated, the storage, transfer, deletion and destruction of personal data must be done in accordance with the provisions of laws and regulations, and must be notified to the relevant data subjects.
Requirement to Appoint Personal Data Protection Officer
Article 53 of the PDP Law requires personal data controllers and personal data processors to appoint officer(s) to carry out the personal data protection function in the following events:
- processing personal data for the interests of public service;
- the core activity of the personal data controller by its nature, scope, and/or purpose requires the orderly and systematic supervision of personal data on a large scale; and
- the core activity of the personal data controller consists of processing personal data on a large scale for personal data that is specific in nature and/or personal data related to criminal activities.
A personal data protection officer is appointed based on professionalism, legal knowledge, personal data protection practice, and capability to fulfil the relevant tasks required of their role. The personal data protection officer may be recruited internally or externally by the personal data controller and/or the personal data processor.
Sanctions for Prohibited Use of Personal Data
The PDP Law sets out clear prohibitions on the use of personal data. Articles 65 and 66 prohibit anyone from:
- unlawfully obtaining or collecting personal data that is not their own with the intention for them or others to personally benefit from the personal data, potentially resulting in damage to the personal data subject;
- unlawfully disclosing personal data that is not their own;
- unlawfully using personal data that is not their own; and/or
- creating fake personal data or falsifying personal data with the intention for themselves or others to personally benefit from such activity and where such activity may result in damage to other persons.
Violators of these provisions may face criminal sanctions – a significant new feature of Indonesia’s personal data protection regulatory framework under the PDP Law.
The PDP Law sets out three types of criminal sanctions for violating the above prohibitions:
- financial penalties – individuals may face a fine of up to Rp 6 billion (USD 400,000) and corporations a fine of up to Rp 60 billion (USD 4 million);
- imprisonment – individuals may face up to six years of incarceration; or
- “other” potential additional penalties that can be imposed on corporations, including the possible seizure of profits/assets derived from a crime; freezing of all or part of a corporation’s business; permanent prohibition to carry out certain actions; closure of place of business and/or activities of a corporation; having to fulfil obligations that had been neglected; an award of damages; revocation of business licences; and/or dissolution of the corporation.
For corporations, the PDP Law provides that criminal sanctions may be imposed on members of management (ie, board of directors), controllers, those giving orders (pemberi perintah) and beneficial owners (among others). The imposition of prison sentences may also extend to these parties.
Through the introduction of these criminal sanctions under the PDP Law, the Indonesian government is sending a strong message to individuals and corporations that personal data protection must be taken seriously in Indonesia.
Article 57 sets out administrative sanctions for violating certain provisions of the PDP Law. These administrative sanctions may be in the form of:
- a written warning;
- temporary suspension of personal data processing activity;
- deletion or destruction of personal data; and/or
- an administrative fine.
Article 57 also allows for administrative fines to be imposed for violating certain provisions of the PDP Law. These fines can be a maximum of 2 percent of the annual revenues of the offending party. This 2 percent threshold is notably lower than that required under the European Union’s General Data Protection Regulation (GDPR), which is set at a maximum of 4 percent of global annual revenues. The administrative fine will be imposed by the supervisory body for personal data protection administration, which is yet to be established (described further below).
Notification Requirement for Breach
In the event of failure by a personal data controller to protect personal data, Article 46 of the PDP Law requires a personal data controller to deliver a written notice to the relevant personal data subject(s) and the supervisory governmental body (as described below) within 3 x 24 hours after any failure to protect personal data. This is much shorter than the 14-day period under the previous regime.
Personal data protection failure is described as failure to protect someone’s personal data in terms of confidentiality, integrity, and availability of personal data, including a security breach, whether intentional or unintentional, which leads to damage, loss, amendment, disclosure, or access that is not valid in relation to the relevant personal data that is sent, stored, or processed.
The written notification must set out details of the disclosed personal data, when and how the personal data was disclosed, and details regarding how the matter is being handled including any relevant recovery efforts made by the personal data controller. In certain cases, among others where the personal data protection failure disturbs public service and/or has a serious impact on the public interest, personal data controllers may also be required to inform the public regarding the personal data protection failure.
Supervisory Body for Personal Data Protection Administration
The PDP Law provides that the Indonesian government will participate in personal data protection administration in accordance with the PDP Law, which is to be done through a governmental body (lembaga) to be stipulated by the President of Indonesia. At this stage, the name, details and discretionary powers of the governmental body are not yet known. The PDP Law provides that further provisions relating to this governmental body will be regulated by a future presidential regulation.
Transitional Period
Under Article 74 of the PDP Law, personal data controllers, personal data processors and other parties relevant to the processing of personal data have up to two years from the date of enactment of the PDP Law to comply with the law.
Article 75 of the PDP Law adds that all existing provisions of laws and regulations which regulate personal data protection will remain valid so long that as they do not contradict the provisions of the PDP Law. A careful process of statutory interpretation will be needed to identify any overlaps and gaps in personal data protection between the old regulatory regime and the new regime under the PDP Law.
As is typical in Indonesia, implementing regulations for the PDP Law can be expected in the coming months. In this regard, please monitor this space for the latest developments in implementation of the PDP Law in Indonesia.
For further information, please contact:
Sakurayuki, Partner, Herbert Smith Freehills
sakurayuki@hbtlaw.com