UPDATE: DRAFT IMPLEMENTING REGULATIONS OF INDONESIA PERSONAL DATA PROTECTION LAW
インドネシア法弁護士
フィエスタ ヴィクトリア
NEWS ALERT: INDONESIA PERSONAL DATA PROTECTION LAW
On 20 September 2022 the Indonesian Parliament finally passed the Personal Data Protection Bill that had been discussed for more than 8 years. The Bill has been formally promulgated as law by publication in the State Gazette, has taken into effect from 17 October 2022 (“PDP Law”). The Government believes that the new PDP Law is crucial to help raise the level of data protection in Indonesia to the same level as other countries that have adopted a more developed data protection rules and regulations amidst a sequence of data security breaches in the country, including recent hackings to the Government’s system that gained access to sensitive Government’s information. Modelled on European Union's General Data Protection Regulation (GDPR), Indonesia's PDP Law regulates all forms of data processing, including acquisition and collection, storing, updating and correcting, as well as deleting. The PDP Law is designed to be the foundation of Indonesian data protection regulations, which hopefully could provide a more consistent and unified basis for protection of personal data across all business sectors. It was not necessarily the case with the previous data privacy regulations, that took a more sectoral approach, hence spread across different sets of regulations.
ENGLISH-ARTICLES
PROFILE
Personal Data: Definition and General Concept
“Personal Data” is any data related to an individual (natural person) or “Data Subject” that is identified or identifiable independently or in combination with other information, directly or indirectly, through the use of an electronic system and/or non-electronic means”.
Personal Data is classified into:
a. General Personal Data, which includes:
ⅰ. Full name;
ⅱ. Gender;
ⅲ. Nationality;
ⅳ. Religion;
ⅴ. Marital status; and/or
ⅵ. Personal Data that is combined to identify a person.
b. Specific Personal Data, which includes:
ⅰ. Data and information on health;
ⅱ. Biometric data;
ⅲ. Genetic data;
ⅳ. Criminal records;
ⅴ. Children’s data;
ⅵ. Personal financial data; and/or
ⅶ. Other data in accordance with the laws and regulations.
Highlights
A few notable requirements/changes introduced by the PDP Law:
- Exterritorial effect: any overseas-based organizations (including individuals, public entities and international organizations) are subject to the requirements under the PDP Law if they engage in any activities that may affect Indonesian individuals overseas or activities that may create an impact on Indonesia.
- Data Controller vs Data Processor [1], previous data privacy regulations did not distinguish between the two.
- Obligation to appoint an officer to run the data protection function in certain events determined by the law, such as, if the main operations of a Data Controller require large-scale, frequent and systematic monitoring of Personal Data.
- Data Controller’s obligation to carry out a Data Protection Impact Assessment when processing Personal Data with a high potential risk to Data Subjects.
- New layered requirements for Cross-Border Data Transfer (transfer of Personal Data outside Indonesia territory): (i) to assessto assess whether the receiving country has an equal or higher level of Personal Data protection than afforded under the PDP Law (“Adequacy of Protection”); (ii) in the absence of Adequacy of Protection, to ensure that there is sufficient protection for personal data that binds the recipient in such receiving country; and (iii) in the absence of (i) and (ii), to obtain a consent from a Data Subject. There is no explanation on how or who should determine if a country has an Adequacy of Protection.
- Obligation to notify Data Subjects both pre and post notifications regarding corporate actions, such as a merger, acquisition, spin-off, consolidation or dissolution.
- Establishment of an independent data protection authority under the supervision of the President.
Sanctions
Incompliance with the requirements of the PDP Law may result in administrative sanctions of written warnings, a temporary ban on personal-data processing, deletion or destruction of Personal Data, and/or administrative fines.
In addition, certain criminal offenses under the PDP Law are subject to imprisonment and/or fines, and/or the following additional sanctions:
a. Seizure of assets obtained or generated from the crime;
b. Freezing of all or part of the corporation’s business;
c. Permanent prohibition on carrying out certain actions;
d. Closure of all or part of the corporation’s business premises and activities;
e. An order to carry out an obligation that has been neglected;
f. Payment of compensation;
g. Revocation of license; and/or
h. Dissolution of the corporation.
Note
Organizations have 2 years grace period to adjust their operations in line with the PDP Law’s requirements. It is advised to reassessed your Personal Data protection policies and practices to ensure they are in compliance with the new PDP Law. There is no specific timeline on the issuance of the implementing regulations.
Please let us know if you have further questions or require our assistance on this matter.
For further information on the above, please contact this form.
Click here for the Japanese translation article.
[1] A Data Controller determines the purpose and controls the Personal Data processing. A Data Processor processes the Personal Data on behalf of the Data Controller.
The information provided in this article does not, and is not intended to, constitute legal advice and is for general informational purposes only. Readers of this article should contact an attorney to obtain advice with respect to any particular legal matter.
