The introduction of Law No. 27 of 2022 regarding Personal Data Protection (“PDP Law”) on October 17, 2022, marked a significant step toward strengthening data protection in Indonesia. Among other actions, the PDP Law calls for the creation of a new data protection body, the Personal Data Protection Agency (“PDP Agency”), which will be an independent body directly accountable to the president.
The PDP Agency will have substantial authority to enforce and implement personal data protection regulations. Its responsibilities will include developing policies and strategies, facilitating alternative dispute resolution processes, issuing directives, handling complaints, conducting investigations, summoning individuals or entities, and requesting information or documents related to alleged data protection violations.
Establishment of the PDP Agency
The establishment of the PDP Agency will be formalized through a presidential regulation, with further procedural details outlined in a government regulation, as stipulated by the PDP Law. This is expected to occur by October 2024. The Ministry of Communications and Informatics (“MOCI”) is in the process of setting up the PDP Agency. The MOCI has allocated funds from the 2024 State Budget for the establishment of the PDP Agency and is currently proposing an initiative permit (Izin Prakarsa) to the President.
Responsibilities and Authorities of the PDP Agency
The PDP Agency will be responsible for formulating and stipulating policies and strategies for personal data protection, which will serve as guidelines for personal data subjects, controllers, and processors. Additionally, it will supervise the implementation of personal data protection, enforce administrative law against violations of the PDP Law, and facilitate out-of-court dispute resolution.
The full scope of the PDP Agency’s authority includes:
- Formulating and establishing policies in the field of personal data protection.
- Supervising the compliance of personal data controllers.
- Imposing administrative sanctions for violations of personal data protection by controllers and processors.
- Assisting law enforcement in handling allegations of criminal acts related to personal data.
- Cooperating with international personal data protection institutions to resolve cross-border violations.
- Assessing compliance with personal data transfer requirements outside Indonesia.
- Issuing directives as a follow-up to the supervision of data controllers and processors.
- Publishing the results of supervision in accordance with laws and regulations.
- Receiving complaints and reports regarding alleged breaches of personal data protection.
- Examining and investigating complaints, reports, and supervision results.
- Summoning individuals and entities in connection with alleged violations.
- Requesting explanations, data, information, and documents from relevant parties.
- Summoning experts for investigations related to alleged violations.
- Examining electronic systems and facilities used by data controllers and processors, including accessing data and appointing third parties.
- Requesting legal assistance from prosecutors to settle personal data protection disputes.
Impact on Companies in Indonesia
Once established, the PDP Agency is expected to provide greater legal certainty for stakeholders, including businesses. The agency will address personal data protection issues, enforce compliance with the PDP Law, and clarify the implementation of the PDP Law by issuing regulations. Personal data controllers and processors must align their practices with the PDP Law by October 17, 2024, ensuring compliance at all stages of data processing, from collection to deletion, which must be recorded.
In case of data protection failures, concerned parties will be able to report to the PDP Agency, which will have the authority to summon individuals or entities and request relevant information and data. This includes the authority to investigate electronic systems and facilities used by data controllers or processors and to access data related to alleged violations.
Non-compliance with the PDP Law can result in sanctions imposed by the PDP Agency, including written warnings, temporary suspension of data processing activities, deletion or destruction of data, and administrative fines up to 2% of a company’s annual income.
With the increasing reliance on online platforms in Indonesia, which are vulnerable to data breaches, the establishment of the PDP Agency is eagerly anticipated. Businesses are expected to receive more guidance on compliance with the PDP Law, and the agency’s enforcement is expected to enhance data protection for individuals. (5 June 2024)