Awaiting a new Era of Personal Data Protection
In September 2022, the House of Representatives of the Republic of Indonesia officially passed the Personal Data Protection Law (“PDP Law”) in a plenary session. The enactment of the law marks a new era in the management of personal data in Indonesia, especially in the digital realm. The ratification of the PDP Law goes hand in hand with the prevalence of data leakage which is currently an arising issue in the community as a hacker who calls himself “Bjorka” leaks the personal data of a number of public officials. The ratification and enforcement of the PDP Law will start a new era of regulation of Personal Data Protection in Indonesia.
A. PDP Law Through Stages
The PDP Law, which was recently passed by the House of Representatives of the Republic of Indonesia, has gone through various stages and very constructive discussions and debates. The final draft of the Bill of PDP Law has been discussed since 2016 and has even been included in the National Legislation Program several times until it is finally ratified in 2022. Thus, Indonesia becomes the fifth Southeast Asian country to have PDP Law after Singapore, Malaysia, Thailand and the Philippines. The PDP Law was born out of national interest. This law, in addition to treading on the philosophy and constitution of the country, also applies general principles of law, and realistically applies international practices in various countries. One of them is the General Data Protection Regulation (“GDPR”). GDPR has become a guideline for PDP legislation in various countries in the world, making the PDP Law of our country a global standard. The PDP Law that has been approved by the House of Representatives of the Republic of Indonesia will be sent to President Joko Widodo no later than 30 (thirty) days. After that, with or without the President’s signature, the PDP Law will be included, numbered and promulgated in the State Gazette.
Read more: Discretion as a Legal Practice for Government Officials
B. Substance of the PDP Law
The PDP Law which has been ratified by the House of Representatives of the Republic of Indonesia has the substance as outlined in the following points:
- Types of Personal Data
Article 4 of the PDP Law stipulates that Personal Data is divided into two i.e., general and specific data. General data includes full name, gender, nationality, religion, and marital status. Meanwhile, specific data includes health information, biometric and genetic data, criminal records, child data, personal financial data, and other data in accordance with applicable law. - Personal Data Subject Rights
Article 5 to Article 15 stipulate that the subject of Personal Data is an individual person who has personal data attached to him/her. Some of the rights of the subject of Personal Data are mainly to (a) obtain clarity of identity and the basis for legal interests; (b) gain access to and obtain a copy of personal data; (c) withdraw consent to data processing; (d) delay or limit the processing of personal data; (e) object to the use of personal data, to sue and (f) receive compensation for data processing violations. - Obligations of Data Controller
A data controller is any person, public body, or international organization that acts individually or jointly in determining objectives and exercising control regarding the processing of personal data. Referring to this understanding, government institutions or private institutions that request and process people’s personal data can be categorized as data controllers. Some of the obligations of data controllers, among others, are to (a) show proof of consent from the personal data subject; (b) record all personal data processing activities; (c) protect and ensure the security of personal data; and (d) convey the legality, purpose and relevance of the processing of personal data. - Authority of Personal Data Protection Agency
The PDP Law stipulates that a Personal Data Protection Agency, which is directly responsible to the president, will be formed. Article 59 stipulates that this institution is tasked with carrying out the formulation and stipulation of policies and strategies for protecting personal data. Article 60 regulates its authorities i.e., (i) formulate and stipulate policies in the field of personal data protection; (ii) supervise the compliance of personal data controllers; (iii) impose administrative sanctions for violations of personal data protection and (iv) out-of-court dispute resolution regarding the protection of personal data. - Imposition of Sanctions
There are two types of sanctions for violators of the PDP Law i.e., administrative and criminal sanctions. Article 57 of the PDP Law provides administrative sanctions in the form of (a) written warnings; (b) temporary cessation of personal data processing activities; (c) deletion or destruction of personal data, (d) administrative fine of a maximum of 2% (two percent) of annual income or annual revenue; and/or (e) compensation. Regarding criminal sanctions, the Minister of Communication and Information of Republic Indonesia refers to articles 67 to 73 of the PDP Law i.e., a maximum fine of 4 billion IDR to 6 billion IDR and a maximum imprisonment of 4 (four) years to 6 (six) years which will be imposed on individuals or corporations who commit prohibited acts. Furthermore, Article 69 of the PDP Law also stipulates additional penalties in the form of confiscation of profits and/or assets obtained or proceeds from criminal acts and payment of compensation. Meanwhile, Article 70 of the PDP Law regulates the imposition of a fine of 10 (ten) times the original crime along with the imposition of certain additional penalties if the crime is committed by a corporation.
C. The Current Implementation Progress
Along with the ratification of the PDP Law, which is waiting to be promulgated, the Ministry of Communication and Information of the Republic of Indonesia is preparing a program to socialize the PDP Law. However, the socialization plan is still hindered by the budget allocation, which is still less than the budget needs of the Ministry of Communication and Informatics for 2023.
Socialization in the form of digital literacy must be carried out massively so that the public shares the same understanding of the importance of protecting personal data. Collaborative governance, as well as synchronization with various other laws and regulations, needs to be encouraged to accelerate the achievement of personal data protection objectives.
***
ADCO Law earns the trust to represent clients from multinational companies to emerging entities across a wide range of industries to achieve their business objectives in Indonesia.
ADCO Law as a Law Firm Jakarta assists the clients to structure, organize and implement their business ventures and investments, including structuring and financing.
Should you have more queries regarding this matter, please do not hesitate to contact us
ADCO Law
Setiabudi Building 2, 2nd Floor, Suite 205C
Jl. H.R. Rasuna Said Kav. 62, Setiabudi Karet
Jakarta Selatan, 12920, Indonesia.
Phone : +6221 520 3034
Fax : +6221 520 3035
Email : [email protected]
Disclaimer: This article has been prepared for scientific reading and marketing purposes only from ADCO Law. Accordingly, all the writings contained herein do not constitute the formal legal opinion of ADCO Law. Therefore, ADCO Law should be held harmless of and/or cannot be held responsible for anything performed by entities who use this writing outside the purposes of ADCO Law.