The Enactment of Indonesian Personal Data Protection Law

October 17, 2022

On Tuesday, 20 September 2022, Indonesia’s House of Representatives officially ratified the Personal Data Protection Law ("PDP Law"). Until now, personal data protection has been spread across many sectoral laws. At present, Law No. 19 of 2016 amending Law No. 11 of 2008 concerning Information and Electronic Transactions, together with its implementing regulations, serves as the primary guide for the protection of personal data in electronic systems across many industries. However, there has been no single regulation that is precise and uniform on data protection.

The official version of the PDP Law has not yet been made widely available. However, below are highlights of several key points in the PDP Law based on the latest publicly available version.

a. General and Specific Personal Data

Article 4 of the PDP Law establishes a new categorization of personal data into "General" and "Specific" categories. Name, sex, nationality, religion, marital status, and other Personal Data that, when combined, may be used to identify an individual are all considered General Personal Data. Medical data and information, biometric data, genetic data, criminal histories, child records, financial records, and other data that may be designated as "Specific" by further regulation are all examples of Specific Personal Data.


b. Data Controller and Processor

The PDP Law now incorporates into Indonesian law the widely recognized distinction between "Data Controllers" and "Data Processors." Under the PDP Law, Data Controllers are the individuals or organizations that determine the purpose of, and have control over, the processing of Personal Data. The individuals or organizations that process Personal Data on behalf of Data Controllers are known as Data Processors.


c. Data Protection Officer

Under the PDP Law, Data Controllers and Data Processors are required to appoint a data protection officer if they process Personal Data for public purposes, if their primary activity necessitates regular and systematic monitoring of Personal Data on a large scale, and/or if their primary activity involves processing Specific Personal Data and/or Personal Data related to crimes on a large scale. This officer will perform at least the following duties:

  1. informing and providing advice to Data Controllers or Data Processors regarding compliance with the PDP Law; 

  2. monitoring and ensuring compliance with the PDP Law and the internal policies of a Data Controller or Data Processor; 

  3. providing advice regarding the assessment of the impact to Personal Data Protection and monitoring the performance of Data Controllers or Data Processors; as well as 

  4. coordinating and acting as a contact person for issues related to Personal Data processing.


d. Risk Analysis

The new Law obliges Data Controllers to assess the impact on Personal Data Protection if the processing of Personal Data undertaken by the Data Controller carries a high risk of affecting Personal Data Subjects. High-risk processing of Personal Data includes:

  1. automatic decision making that has legal consequences or significant impact on the Personal Data Subject;

  2. processing of Personal Data of a specific nature; 

  3. processing of Personal Data on a large scale;

  4. processing of Personal Data for systematic evaluation, scoring or monitoring of Personal Data Subjects;

  5. processing of Personal Data for matching or combining a group of data; 

  6. the use of new technologies in the processing of Personal Data; and/or

  7. processing of Personal Data that limits the exercise of the rights of the Personal Data Subject.


e. Criminal and Administrative Sanctions

A violation of the PDP Law may result in both administrative and criminal penalties. The unlawful collection of Personal Data with the aim of enriching oneself or another, the intentional unlawful disclosure of Personal Data, and the unlawful use of Personal Data are all designated as crimes. Falsifying Personal Data with the intention of enriching oneself or others is also a criminal offence. The criminal sanctions take the form of monetary fines (up to Rp6 billion) and imprisonment (up to 6 years).

Additionally, Article 57 paragraph (1) of the PDP Law provides for administrative sanctions against parties who violate the PDP Law's provisions, with fines not to exceed 2% of annual revenue or income.