
UPDATE: DRAFT IMPLEMENTING REGULATIONS OF INDONESIA PERSONAL DATA PROTECTION LAW

PROFILE
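Fiesta Victoria

Attorney (Indonesian law)

Graduated from Pelita Harapan University in 2006. Joined the law firm ZeLo in 2019. Main practice areas include M&A, general corporate, HR and labor, and fintech. A professional member of the Indonesian Advocates Association (PERADI) and the author of numerous publications. Received the ALB Women in Law Awards 2021 - Business Development Lawyer of the Year.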

About a year after the Personal Data Protection (“PDP”) Law[1] was introduced, the Government released a draft Government Regulation (“Draft Regulation”), meant to implement the PDP Law and to give clearer instructions on data processing not covered in it. This Draft Regulation contains 245 articles aimed at elucidating various aspects outlined in the PDP Law.
Understanding this new rule is crucial, especially as the PDP Law, as re-affirmed in this Draft Regulation, extends its reach beyond national borders, affecting individuals, public bodies, and international entities processing data within or outside Indonesia's jurisdiction.
Key highlights of the Draft Regulation encompass multiple chapters focusing on aspects like defining "specific personal data," the introduction of a legitimate interest assessment, and delineating requirements for high-risk data processing.

Expanded Scope of Personal Data

For instance, the Draft Regulation introduces an expanded scope of "specific personal data," allowing the Ministry of Communication and Informatics (MOCI), along with the PDP Agency under the PDP Law, to extend the classification "specific personal data" beyond what is explicitly listed in the PDP Law. This includes data that might potentially cause harm to data subjects, such as discriminatory data or data leading to material or immaterial loss.

Moreover, the Draft Regulation lists the categories of "general personal data" under the PDP Law. In addition, the Draft Regulation provides methods of combining personal data for identification: through direct references, reference mapping, triangularization, and other combinations. The process of combining personal data for identification purposes encompasses the use of publicly available data sources, so information available in the public domain may be used for such identification.

Legal Basis When Processing Personal Data Further Elaborated

Under the PDP Law as well as the Draft Regulation, a data controller processing personal data may rely upon these lawful bases: consent; contractual necessity; compliance with the data controller’s legal obligations; protection of the vital interests of the data subject; public interest, the provision of public services, or the exercise of lawful authority; and, lastly, legitimate interest. Businesses and companies must ensure that they have a legal basis when processing personal data.

a. Consent

The PDP Law and Draft Regulation demand clear and explicit approval as a valid form of consent, in either electronic or non-electronic form. If a data controller would like to use consent to process personal data, it must offer detailed information about the processing: why it is legal, the purpose, the kinds of data involved, how long it will be kept, what information is collected, the timeframe for processing, and the rights of the data subjects. The Draft Regulation specifies that businesses cannot deny services or products if a person declines to allow their data to be processed, as long as the goods or services can be provided without using that person's data. That refusal also will not affect the quality of the services or goods offered by the businesses.

b. Legitimate Interest

Moreover, the Draft Regulation emphasizes the need for a legitimate interest assessment when processing personal data based on this legal basis. However, the definition of legitimate interest and specific guidelines for conducting such assessments are not explicitly provided, leaving room for interpretation.
The Draft Regulation expressly mandates that public bodies acting as personal data controllers are not permitted to use legitimate interests as a basis for processing personal data.

Stringent Requirements of Cross Border Data Transfer

Concerning data transfers outside Indonesia, the Draft Regulation mandates stringent requirements for data controllers. They must confirm that the recipient country maintains data protection standards equal to or higher than Indonesia's laws. It's uncertain whether the responsibility for this assessment lies solely with the PDP Agency or involves other governmental entities, such as the Ministry of Communication and Informatics (MOCI). Additionally, it introduces a rigorous process for high-risk data transfers, requiring thorough assessments and documentation.

If the above criteria are not met, data controllers must establish protective measures. These may include international agreements, standard contract clauses, corporate rules, or other recognized protective instruments approved by the PDP Agency.

Where these requirements are not fulfilled, consent from the data subject may be used, but only in specific circumstances. Such circumstances include rare and necessary transfers, involving a limited number of individuals, with no override of rights or freedoms, and after a risk assessment.

Additionally, the Draft Regulation introduces a mandate for both risk and legal assessments before data transfer. This differs from the GDPR, where an adequacy decision from the EU authority can remove the need for a transfer impact assessment.

Remarks

While the Draft Regulation represents a significant stride in safeguarding personal data, it lacks comprehensive detailing in certain areas, such as refining definitions, providing clear guidelines, and specifying assessment methodologies for diverse data processing scenarios. The forthcoming PDP Agency may introduce supplementary regulations. The Ministry of Communication and Informatics (MOCI) initially sought public feedback on the Draft Regulation, indicating the potential for subsequent changes. With full implementation of the PDP Law anticipated by the end of 2024, it is foreseeable that the Draft Regulation will likely be enforced around the same time. In more recent news, the Ministry of Communication and Informatics (MOCI) mentioned that the PDP supervising Agency will be formed around mid-2024[2]. Consequently, it is prudent for businesses to begin acquainting themselves with these imminent regulatory requirements.


[1] Law No. 27 of 2022 concerning Personal Data Protection.
[2] https://www.cnnindonesia.com/teknologi/20240129132212-192-1055704/kominfo-sebut-lembaga-pengawas-pdp-bakal-dibentuk-pertengahan-2024.

Please let us know if you have further questions or need our assistance on this matter. For further information on the above, about our firm or any other matters, please contact us through the form.

The information provided in this article does not, and is not intended to, constitute legal advice and is for general informational purposes only. Readers of this article should contact an attorney to obtain advice with respect to any particular legal matter.
