The long wait is over. The House of Representatives has finally ratified the draft law on personal data protection. The draft law was passed into Law No. 27 of 2022 on Personal Data Protection (the “Privacy Law”) and has been in effect since 17 October 2022. This Privacy Law, whose provisions were prepared taking into account some of the considerations and principles of the European General Data Protection Regulation (“GDPR”), is Indonesia’s first “umbrella regulation” on personal data protection. Not only will the Privacy Law protect Indonesian citizens, but it will also provide more legal certainty to any parties dealing with personal data.

For those who have been following the long and dynamic deliberations on the draft law on personal data protection up to the enactment of the Privacy Law, the Privacy Law has refined some of the provisions of the draft law submitted by the government to the House of Representatives in January 2020 (the “2020 Draft Law”) through, among other things, the addition of new definitions of personal data protection and international organization, the refinement of the definitions of data controller and data processor, the addition of provisions on the processing of the personal data of children and persons with disabilities, etc.

Without going into too much detail, here are some of the key points of the Privacy Law that could be of interest.

1. Extra-Territorial Nature of the Privacy Law

The Privacy Law applies to any parties, public entities and international organizations performing legal acts within the domain of the Privacy Law in and outside of Indonesia. For the latter, the legal acts must have legal impact in Indonesia and/or on an Indonesian citizen abroad.

Even though its enforcement may face some challenges, the extra-territorial nature of the Privacy Law would provide comprehensive protection to Indonesian citizens.

2. Data Controller and Data Processor

The terms “data controller”[1] and “data processor”[2] in the Privacy Law have been refined compared to those in the 2020 Draft Law. However, the substance remains similar to that provided under the GDPR.

It is apparent from the Privacy Law that a data processor may or may not be appointed in the processing of personal data, and that, unless the data processor acts beyond the instructions from, and the purpose determined by, the data controller, the data controller should be responsible for the processing of personal data undertaken by the data processor.

3. Classifications of Personal Data

Personal data is classified into specific data[3] and general data[4]. These classifications were first introduced in the 2020 Draft Law and mirror the approach taken in the GDPR. Unlike the coverage of specific data under the 2020 Draft Law, specific data under the Privacy Law no longer covers sexual orientation and political views.

The provisions of the Privacy Law generally apply to both classifications of personal data. However, a couple of requirements under the Privacy Law refer specifically to specific data. These requirements are as follows:

a. the requirement for data controllers to perform a data protection risk assessment; and

b. the requirement for data controllers and data processors to appoint a data protection officer.

Note that there are also other criteria that must be met before either of the above requirements applies.

4. Legal Basis for Processing Personal Data

As first introduced in the 2020 Draft Law, drawing on the grounds for the processing of personal data under the GDPR, the Privacy Law also provides the following legal bases for processing personal data other than the consent of the data subject:

a. for compliance with an agreement to which the data subject is a party or the data subject’s request to comply with an agreement;

b. the data controller’s compliance with its obligations under the laws and regulations;

c. the protection of the data subject’s vital interests;

d. the data controller performing its duties related to public interests, public services or the exercise of the data controller’s authority in accordance with the laws and regulations; and/or

e. the compliance with other lawful interests while considering the purposes, needs and interests of both the data controller and the data subject’s rights.

Specifically for the processing of personal data with the consent of the data subject, the Privacy Law provides that consent must be given explicitly (in writing and verbally using a voice recording), whether electronically or non-electronically.

5. The Rights of Data Subjects

The Privacy Law provides that a data subject has certain rights, which reflect the principles of, and some of the rights protected by, the GDPR. These rights include the right to be informed; the right to complete, update and/or correct personal data; the right to access and obtain a copy of personal data; the right to end the processing of, erase and/or destroy personal data; the right to object; the right not to have one’s data processed automatically; the right to delay or limit personal data processing; the right to file a complaint and to receive compensation; and the right to data portability.

The exercise of the above rights is excluded if the data is required for the purposes of national defense and security, law enforcement, state administration, the supervision of the financial or monetary sector, payment systems or financial system stability, or statistical and scientific research.

6. The Obligations of Data Controllers and Data Processors

The Privacy Law sets out certain obligations that must be performed by data controllers and data processors. However, as with the exercise of the rights of data subjects, the performance of certain obligations of data controllers is also excluded if the data is required for the purposes of national defense and security, law enforcement, state administration or the supervision of the financial or monetary sector, payment systems or financial system stability, where this is done in the context of the enforcement of a law.

7. Data Protection Officer

A data protection officer must be appointed if (i) the processing of personal data is done for public service purposes, (ii) the characteristics, scope and/or purposes of the main activities of the data controller require the regular and systematic supervision of personal data on a large scale and (iii) the main activities of the data controller comprise the large-scale processing of specific data and/or personal data related to a crime.

The basic duties of a data protection officer are (i) to inform and advise the data controller or the data processor on complying with the provisions of the Privacy Law, (ii) to monitor and ensure compliance with the Privacy Law and the policies of the data controller or the data processor, (iii) to give advice on the personal data protection risk assessment and to monitor the performance of the data controller and the data processor and (iv) to coordinate and act as the contact person for issues related to the processing of personal data.

8. Transfer of Personal Data

A transfer of personal data can be made between data controllers in Indonesia or between a data controller in Indonesia and a data controller and/or a data processor abroad. For the latter, however, the Privacy Law provides that the country in which the data controller and/or the data processor is domiciled must have a better or at least equivalent level of personal data protection. Otherwise, the data controller must ensure that there is adequate and binding personal data protection in that country. If none of the foregoing requirements for cross-border data transfers can be satisfied, the consent of the data subject must be obtained. It will be interesting to see how personal data transfers (and other matters provided under the Privacy Law) will be further regulated in the implementing regulations of the Privacy Law, and whether the existing requirements, such as coordination with the Minister of Communication and Informatics, will remain applicable. By far, obtaining the consent of the data subject would seem to be more feasible than ensuring the existence of a better or equivalent level of personal data protection or of adequate and binding personal data protection.

9. Miscellaneous

a. An institution, which will be accountable to the President, will be formed to organize the protection of personal data. Under the Privacy Law, the institution will carry out regulatory, supervisory, law enforcement and dispute settlement functions.

b. Administrative and criminal sanctions will be imposed for any violation of the Privacy Law. In addition, the confiscation of the perpetrator’s profits and/or wealth obtained from or resulting from the crime, as well as compensation, may also be imposed. The administrative sanctions are written warnings, a temporary suspension of the processing of personal data, the deletion or elimination of personal data and an administrative fine (a maximum of 2% of the perpetrator’s annual income or revenue), while the criminal sanctions are imprisonment (ranging from four to six years) and a fine (ranging from Rp4,000,000,000 to Rp6,000,000,000). If the perpetrator is a corporation, a fine of up to 10 times the relevant maximum fine may be imposed on the corporation, and there may also be additional criminal sanctions such as the freezing of all or part of the corporation’s business, a permanent prohibition from taking certain actions, the closure of all or part of the corporation’s place(s) of business and/or activities, revocation of licenses, dissolution of the corporation, etc.

c. The deadline for data controllers, data processors and other parties related to the processing of personal data to comply with the provisions of the Privacy Law is 17 October 2024.

_____________

Footnotes

[1] Data controller is any party, public entity and international organization acting individually or jointly in determining the purpose of and controlling the processing of personal data.

[2] Data processor is any party, public entity and international organization acting individually or jointly in processing personal data on behalf of the data controller.

[3] Specific data covers health data and information, biometric data, genetic data, criminal records, children’s data, private financial data and/or other data provided under the laws and regulations.

[4] General data covers full name, gender, nationality, religion, marital status and/or combined personal data which identifies a person.

* * * * *

This article was prepared by Kurniawan Tanzil and Septiani Pratiwi of SHIFT as an overview of the topic discussed and therefore should not be relied upon as legal advice in any case. We accept no liability whatsoever for any loss or damage, whether due to inaccuracy, error, omission or any other cause. We will be pleased to respond to any questions you may have on this article or to advise further on certain aspects of this article or other related matters.