Introduction to Indonesia’s Newly Enacted Personal Data Protection Law


General Overview

After a long absence of comprehensive regulation concerning personal data, the People's Representative Council of the Republic of Indonesia (Dewan Perwakilan Rakyat) at long last passed the long-awaited personal data protection bill (“PDP Bill”) on 20 September 2022. Following the legislative process, the President will sign and enact the PDP Bill into law (“PDP Law”). We understand that the PDP Law aims to protect individuals' rights with respect to the processing of their personal data. Furthermore, the law also sets out certain rights and obligations of the relevant parties, such as personal data processors and/or personal data controllers. The law is therefore crucial and significant to the development of information technology in Indonesia.

This ARMA Update provides an overview of the PDP Law and how it will affect individuals, companies, local organizations, international organizations, and other parties that conduct the activities referred to in the PDP Law.

Types of Personal Data

Personal data is defined as data about an individual who is identified or identifiable, separately or in combination with other information, directly or indirectly, through electronic or non-electronic systems (“Personal Data”).

According to the PDP Law, there are 2 (two) types of Personal Data: general Personal Data (“General Personal Data”) and specific Personal Data (“Specific Personal Data”).

General Personal Data consists of the following:

(i) full name;

(ii) gender;

(iii) citizenship;

(iv) religion;

(v) marital status; and/or

(vi) Personal Data combined to identify an individual.

Meanwhile, Specific Personal Data includes the following:

(i) health data and information;

(ii) biometric data;

(iii) genetic data;

(iv) crime records;

(v) child data;

(vi) personal financial data; and/or

(vii) other data in accordance with the provisions of laws and regulations.

Subject of Personal Data’s Rights

An individual to whom personal data relates (the “Subject of Personal Data”) is entitled to certain rights related to the protection of their personal data. According to the PDP Law, Subjects of Personal Data are entitled to: (i) obtain information about the identity, legal basis, and purpose of the request for and use of their personal data, and about the accountability of the institution, individual, or corporation requesting the personal data; (ii) complete, update, and/or correct any mistake and/or inaccuracy in their personal data; (iii) obtain access to and a copy of their personal data; (iv) end the processing of, delete, and destroy their personal data; and (v) withdraw their consent to the processing of their personal data.

Moreover, Subjects of Personal Data are also entitled to object to automated data processing, including profiling, that has legal consequences for them or otherwise significantly affects them. Subjects of Personal Data are also entitled to proportionally limit and suspend the processing of their personal data, as well as to file claims and receive compensation for wrongdoing in the processing of their personal data. Lastly, they may obtain and/or use their personal data received from the personal data controller in a form readable by an electronic system, as long as the system can be used to communicate securely and complies with the principles of data protection under the PDP Law.

However, the PDP Law also sets out certain conditions under which the rights of the Subject of Personal Data may be set aside, for instance: in the interest of national defense and security; for the purpose of law enforcement; in the public interest in the context of state administration; for supervision of the financial services sector, monetary affairs, the payment system, and the stability of the financial system carried out by the state; and for scientific research.

Personal Data Processing

The processing of Personal Data includes acquisition and collection, processing and analysis, storage, correction and updating, display, publication, transfer, dissemination, disclosure, and/or deletion or destruction.

The installation of visual data processing equipment in public places and/or in service facilities for the purpose of Personal Data processing is permitted subject to the following requirements:

a. it is for the purposes of security, disaster prevention, and/or traffic administration, or the collection, analysis, and regulation of traffic information;

b. information must be displayed in the area where the visual data processing equipment is installed; and

c. it is not used to identify a person.

Moreover, Personal Data processing may be conducted jointly by 2 (two) or more Personal Data Controllers, in which case the parties must be bound by a cooperation agreement. The Personal Data Controllers must have the same purposes and means of disclosing Personal Data and must jointly appoint a liaison party.

Obligations of Data Controllers and Data Processors

Under the PDP Law, the bases for processing data include (i) an agreement between the individual and the data processor, or a mandate under a specific regulation, (ii) protection of the vital interests of the Subject of Personal Data, and (iii) performance of tasks in the public interest, public service, or any other interest, taking into account the purpose of the data processing and the rights of the Subject of Personal Data.

Before processing data, data processors must obtain prior consent (written or recorded) from the Subject of Personal Data. Data processors are also responsible for processing data transparently, lawfully, and in accordance with the purpose of the data processing. Further, as part of their rights, Subjects of Personal Data may (i) request access to their personal data, (ii) suspend the processing of their personal data, (iii) delete their personal data, or (iv) destroy their personal data. Where a Subject of Personal Data makes such a request, the Data Processor is obliged to comply within 3x24 hours from the time the request is made.

Moreover, the PDP Law also specifically regulates the processing of the Personal Data of children and of persons with disabilities. Processing of a child's Personal Data requires the consent of the child's parents or guardians in accordance with the provisions of the laws and regulations. In addition, processing of the Personal Data of persons with disabilities must be carried out through communication using certain appropriate means.

In terms of security and confidentiality, Data Processors are obliged to guarantee the security and confidentiality of personal data by establishing technical standard operating procedures to mitigate and prevent potential threats to the security of the personal data. They are also obliged to determine the level of security of the personal data, taking into account the risk of threats against the personal data as well as the nature of the personal data. In the event of a failure to secure personal data, Data Processors must notify the affected Subjects of Personal Data as well as the institution responsible for personal data protection.

In addition, the PDP Law regulates the cessation of data processing as well as the erasure and destruction of personal data upon request from the Subject of Personal Data and under certain other conditions.

Further, the PDP Law also allows Data Processors to involve other Data Processors in processing data. A Data Processor may be appointed to carry out data processing on behalf of a Data Controller. When acting for a Data Controller, the Data Processor may only process data in accordance with the Data Controller’s instructions, while complying with all provisions of the PDP Law and obtaining written consent from the Data Controller.

Data Protection Officer

Due to the sensitive nature of personal data, the PDP Law requires Personal Data Processors and Controllers that control or process data to appoint an officer responsible for protecting the processed data (“Data Protection Officer”) where they conduct the following activities:

(i) processing of data for public service purposes;

(ii) the core activities of the Personal Data Controller have a nature, scope and/or purpose that require regular and systematic monitoring of Personal Data on a large scale; and

(iii) the core activities of the Personal Data Controller consist of large-scale processing of Personal Data for Personal Data of a specific nature and/or Personal Data relating to criminal acts.

Moreover, Data Protection Officers are obliged to monitor and advise Personal Data Processors or Controllers on compliance with the provisions of the PDP Law, to provide an assessment of the data protection impact, and to monitor the controller’s or processor’s performance in data protection. In addition, Data Protection Officers also coordinate and act as the contact person on issues related to the processing of data.

Personal Data Transfer

In essence, Personal Data Controllers may transfer Personal Data within or outside the jurisdiction of Indonesia. However, a transfer within Indonesia may only be made to another Personal Data Controller. Further, both the transferring Personal Data Controller and the party receiving the Personal Data must carry out the Protection of Personal Data as referred to in the PDP Law.

On the other hand, transfers outside the jurisdiction of Indonesia may be made by Personal Data Controllers to other Personal Data Controllers and/or Personal Data Processors. Nevertheless, the following requirements must be complied with beforehand:

a. the Personal Data Controller may only transfer Personal Data to a country with a level of personal data protection equal to or higher than Indonesia's;

b. the Personal Data Controller must ensure that there is an adequate and binding instrument regarding the Protection of Personal Data (only if point a cannot be fulfilled);

c. the Personal Data Controller must obtain consent from the data subject to transfer their personal data abroad (only if points a and b cannot be fulfilled).

International Cooperation

With regard to the protection of Personal Data, the Government may cooperate with governments of other countries or with international organizations. However, any such international cooperation must comply with prevailing law and the principles of international law.

Prohibition and Criminal Sanctions

In general, there are four main violations that could result in criminal sanctions, as follows:

Criminal Sanctions

1. Violation: Unlawfully obtaining or collecting another individual’s personal data with the intention of obtaining personal gain, or in a manner that could cause the Subject of Personal Data to suffer loss.
   Sanction: Imprisonment of up to 5 years and/or a maximum fine of Rp5,000,000,000 (for individuals) and a maximum fine of Rp50,000,000,000 (for corporations).

2. Violation: Unlawfully disclosing another individual’s personal data.
   Sanction: Imprisonment of up to 4 years and/or a fine of Rp4,000,000,000 (for individuals) and Rp40,000,000,000 (for corporations).

3. Violation: Unlawfully using another individual’s personal data.
   Sanction: Imprisonment of up to 5 years and/or a maximum fine of Rp5,000,000,000 (for individuals) and a fine of Rp50,000,000,000 (for corporations).

4. Violation: Creating fake personal data or falsifying personal data with the intention of obtaining gain for oneself or for others, or in a manner that could cause the Subject of Personal Data to suffer loss.
   Sanction: Imprisonment of up to 6 years and/or a maximum fine of Rp6,000,000,000 (for individuals) and a fine of Rp60,000,000,000 (for corporations).

Interestingly, the PDP Law also recognizes corporations as subjects of criminal law in Indonesia. The PDP Law provides that, for such criminal acts, law enforcement may charge the corporation’s policy-makers, administrators (directors, managers, etc.), controllers of the corporation, beneficial owners, and/or the corporation itself. This means that law enforcement may charge only the corporation, only the individuals involved in the criminal act, or both. Corporations are only liable to fines, unlike individuals, who may also be sentenced to imprisonment. In addition to fines, as supplementary punishment, corporations may have their operations partly or wholly frozen, have their licenses revoked, be permanently prohibited from performing certain acts, be ordered to pay a certain amount of compensation, or be dissolved.

Where a corporation is sentenced to pay a fine, it is given 1 month, extendable by at most another 1 month, to pay. If the corporation is unable to pay the fine, its assets may be seized and auctioned by the Government. If, after such measures, the corporation is still unable to pay, its license may be frozen for up to 5 years.

Other than criminal sanctions, the PDP Law also provides for administrative sanctions for certain violations specified in the PDP Law. There are 4 (four) types of administrative sanctions: (i) written warning, (ii) temporary suspension of data processing, (iii) erasure and destruction of personal data, and/or (iv) an administrative fine of up to 2% of the controller's annual revenue or sales.


Sunset Period

The PDP Law comes into force on the date of its promulgation. Personal Data controllers, Personal Data processors, and other parties involved in the processing of Personal Data must conform to the provisions on the processing of Personal Data under the PDP Law no later than 2 (two) years from the time it comes into force (the sunset period).

However, existing laws and regulations governing the protection of Personal Data remain in force insofar as they do not conflict with the provisions of this Law.


Disclaimer:
This client update is the property of ARMA Law and is intended to provide general information. It should not be treated as legal advice, nor should it be relied upon by any party in any circumstance. ARMA Law does not intend to provide specific legal advice by way of this client update.
