Indonesia has joined other ASEAN countries in enacting a law to regulate data protection. The Personal Data Protection Law (PDPL) was approved by the House of Representatives of the Republic of Indonesia on September 20, 2022, after several weeks of concern over repeated data breaches. The new law will codify the scattered provisions governing personal data protection and safeguard individual rights in the digital era.
Key Provisions of the PDPL
The PDPL comprises 16 chapters and 76 legal provisions. Its key provisions include:
Enforceability beyond Indonesian Jurisdiction
The PDPL applies to Personal Data Controllers and Personal Data Processors in Indonesia, as well as those who commit acts in other jurisdictions that would impact Personal Data Subjects in Indonesian territory and/or Indonesian nationals abroad.
Classification of Personal Data
Personal Data is classified into two types: Specific Personal Data and Public Personal Data. Specific Personal Data includes health information, biometric data, genetic information, criminal records, information on minors, personal financial information, and other information as defined. Public Personal Data includes full name, gender, nationality, religion, marital status, and/or combined Personal Data to identify a person, e.g. telephone numbers and IP addresses.
Rights of Personal Data Subjects
Personal Data Subjects have several rights, including the right to clarify the identity, interest, purpose, and accountability of the party requesting their Personal Data; the right to access, complete, update, and/or correct their Personal Data; the right to terminate, erase, or destroy their Personal Data; the right to withdraw consent; the right to decline profiling activity; and the right to postpone or restrict the processing of their Personal Data.
Notification of Data Breaches
If a data breach occurs, affected Personal Data Subjects and the Data Protection Authority must be notified in writing within 72 hours. The notification must include details of the affected Personal Data, confirmation of the time and manner of the breach, details of the breach management, and any recovery attempts already undertaken.
Compulsory Appointment of Personal Data Protection Officer
Organizations must appoint a Personal Data Protection Officer if: (1) the processing of Personal Data is for the public interest; (2) the core activity of the organization, or Personal Data Controller of the information, requires systematic and regular supervision of large-scale Personal Data; and/or (3) the core activity of the organization or Personal Data Controller involves the processing of high-volume specific and/or crime-related Personal Data.
Transfer of Personal Data
Transfer of Personal Data is permissible between two Personal Data Controllers and/or between a Personal Data Controller and a Personal Data Processor within Indonesian territory. The transferor and recipient must protect the Personal Data. Transfer beyond Indonesian territory may also occur if the Personal Data Controller confirms that the country in which the recipient resides has equivalent or higher standards of data protection than Indonesia, or if an adequate level of protection is put in place. If these requirements are not met, consent from the Personal Data Subject for the transfer of the Personal Data is mandatory.
Administrative and Penal Sanctions
The Data Protection Authority may take action against any violation of the PDPL and impose administrative sanctions, such as formal warnings, temporary suspensions of Personal Data processing activities, orders to eradicate or destroy Personal Data, and/or fines not exceeding 2% of annual revenue or income of the organization or Personal Data Controller. Certain criminal behaviors, such as the unlawful collection of Personal Data by an individual for personal benefit or the misappropriation and disclosure of Personal Data, may result in imprisonment of up to 6 years and fines not exceeding IDR 6 billion. Similar sanctions may also be imposed on corporations and their management, controller, commanding officer, beneficial owner, and/or the corporation itself.
In conclusion, the passing of Indonesia’s Personal Data Protection Law is a significant step toward protecting the privacy and personal data of its citizens. The law not only establishes guidelines for data processing, but it also places the responsibility on organizations to ensure the security and confidentiality of personal data. With the increasing use of digital technology and data-driven businesses in Indonesia, the need for such legislation is crucial. The Personal Data Protection Law will provide a framework for individuals and organizations to understand their rights and obligations regarding personal data, ultimately fostering trust in the digital ecosystem.