Indonesia: Personal Data Protection Act Enters into Force

On October 17, 2022, Indonesia’s Personal Data Protection Act (Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi) (PDP Act) came into force. The law, which governs the processing of personal data by organizations within and outside of Indonesia, aims to guarantee the privacy rights of Indonesian citizens while encouraging the growth of Indonesia’s digital economy and communications technology sector. To do so, the act sets out obligations for individuals, corporations, public agencies, and international organizations with respect to the control, use, and processing of personal data. According to the Future of Privacy Forum, Indonesia’s PDP Act bears some similarities to the European Union’s General Data Protection Regulation (GDPR). However, there are some differences with respect to applicability and territorial scope.

The Indonesian government introduced the final draft of the PDP bill on January 28, 2020. The bill’s passage by the House of Representatives on September 20, 2022, reportedly became urgent following the leak of personal data and information by a hacker group known as “Bjorka.” The group allegedly leaked and sold on dark sites the private data of millions of Indonesian citizens “taken from databases of Indonesia’s private companies, state-owned enterprises, and even state agencies and ministries.” The case highlighted issues associated with Indonesia’s existing data protection framework.

Before the PDP Act’s enactment, the collection and use of data was governed by a number of different laws and regulations, including Law No. 11 of 2008 concerning Electronic Information and Transactions, which was amended in 2016, and a 2016 ministerial regulation on the protection of personal data in electronic systems. The PDP Act brings the regulation of data under one law.

Because Indonesia is one of the largest countries in the world, the Future of Privacy Forum considers that “the PDP Law will likely have an impact on data protection both in the regional context of the Asia-Pacific and the global context.” Article 62 of the act allows Indonesia to cooperate with other governments and international organizations on matters of data protection.

Definitions and Application

Article 4 of the act splits the definition of personal data into two categories. Personal data that is specific in nature includes genetic data, crime records, health data, biometric data, personal financial data, and data relating to children. Personal data that is general in nature is data on matters of gender, citizenship, full names, marital status, and religion, as well as personal data that can be combined to identify someone.

The act applies to personal data controllers (pengendali data pribadi), being any person, public entity or international organization that acts in controlling personal data, as well as personal data processors (prosesor data pribadi), including public entities or international organizations involved in processing personal data on behalf of personal data controllers. (PDP Act arts. 1(4), (5) & 19.)

Article 2 specifies that the act applies to everyone, including public agencies and international organizations, if they carry out acts regulated under the law. With respect to territorial scope, the law covers acts that take place within Indonesia, acts that take place outside Indonesia if there are legal consequences within Indonesia, and acts that affect Indonesian citizens regardless of where that citizen is located.

Data Privacy Rights

The rights of personal data subjects (subjek data pribadi) are set out in articles 5 to 13 of the act. For example, articles 7, 8, and 9 allow personal data subjects to access their personal data, withdraw consent with respect to processing of data, terminate processing, and destroy personal data.

Article 10 allows personal data subjects to object to decision-making based solely on automated processing, including profiling in circumstances where such automated processing may have legal consequences or a “significant impact” on the individual.

Article 15 does limit these rights in circumstances where data may be used for national security and defense, for law enforcement, for public interest, in cases relating to statistics and scientific research, and in certain cases within the financial sector.

Data Processing

Under article 16, processing of personal data includes the collection and acquisition of data; the processing and analysis of data; updating and fixing data; the dissemination, disclosure and transfer of data; and the deletion or destruction of data. Article 20 requires that processing be authorized, whether through express consent, through contractual obligations, in line with legal obligations, in the “execution of duties in the interest of public services,” or in fulfilment “of other legitimate interests.” The act sets out requirements with respect to obtaining consent for the processing of data in articles 23 to 25.

Once authorization has been obtained, processing must be undertaken in a manner that is transparent and, among other things, protected from unauthorized access, disclosure, misuse, destruction, or alteration. (Art. 16.) To facilitate transparency, article 21 requires that personal data controllers provide information on the legality and purpose of processing data, including details on the relevance of data, the information to be collected, and the overall retention period. Once the relevant retention period has ended, data must be destroyed or deleted. Data must also be destroyed or deleted upon the request of the personal data subject. (Art. 16.)

Penalties for Prohibited Use of Data

Chapters XIII and XIV detail how personal data should not be used. Article 65 prohibits anyone from obtaining or collecting personal data if this is done to benefit themselves or others. Under article 66(2), everyone is prohibited from disclosing personal data that does not belong to them. Article 66 prohibits the creation of false personal data for the purposes of obtaining a benefit or causing harm to others.

Administrative sanctions in the form of written warnings, temporary suspensions of processing, destruction or deletion of data, and administrative fines may be issued under chapter VIII of the act. Under article 57, companies may be fined up to 2% of their annual income for a breach of the act.

Penalties with respect to unauthorized use are set out in chapter XIV of the act. Under article 67, for example, any person who obtains or collects data that does not belong to them in a manner that is against the law, and does so with the intent of obtaining a benefit, may be sentenced to imprisonment for up to five years or fined 5 billion rupiah (about US$318,330). The same penalties apply if a person willfully and unlawfully uses personal data that is not their property. In addition, article 12 allows personal data subjects to seek compensation if their rights under the act have been violated.

Implementation of the Act

Now that the law has come into effect, the Future of Privacy Forum states that organizations have a two-year transition period to comply with the act from the date of presidential assent. According to law firm Baker McKenzie, “[t]he Ministry of Communication and Informatics (Kementerian Komunikasi dan Informatika) is currently the supervisory authority” on matters relating to data protection and compliance. It is expected that “a new data protection authority will be established” in the next few years.

Prepared by Nabila Buhary, Legal Research Fellow, under the supervision of Kelly Buchanan, Chief, Foreign, Comparative, and International Law Division II

Law Library of Congress, December 19, 2022

