The Indonesian Government recently issued a draft Personal Data Protection Law (“PDP Bill”) for further discussion and deliberation by the House of Representatives. The following is a comparative summary between the PDP Bill and the existing personal data regulations (i.e. Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions (“GR 71/2019”) and Regulation of the Minister of Communication and Informatics No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (“MOCI Reg 20/2016”).

 

NO. ISSUE MOCI REG 20/2016 GR 71/2019 PDP BILL
NEW CONCEPTS AND SUBJECT MATTER
1. Further subdivision of the concept of Personal Data into General Personal Data and Specific Personal Data MOCI Reg 20/2016 does not make such distinction between General Personal Data and Specific Personal Data

Only the concept of Personal Data is used and defined.

GR 71/2019 does not make such distinction between General Personal Data and Specific Personal Data

Only the concept of Personal Data is used and defined.

The PDP Bill classifies personal data into 2 categories:

  1. General Personal Data, which include, among others, a person’s full name, gender, nationality, religion, and/or any other personal data which is combined to identify a person.
  2. Specific Personal Data, which include, among others, a person’s medical record, biometric data, genetic data, sexual orientation, political view, criminal record, child data, financial.
2. Obligation to appoint an officer specifically designated to take charge of data protection MOCI Reg 20/2016 does not specify such obligation. GR 71/2019 does not specify such obligation. In certain cases, for example: (i) in the public services sector, or (ii) in a situation where the main activity of the Personal Data Controller is concerned with the processing of Specific Personal Data in large scale, both the Personal Data Processor and the Personal Data Controller must appoint an officer specifically designated to perform the function of Personal Data protection.
3. Concepts of Personal Data Controller and Personal Data Processor The concepts of Personal Data Controller and Personal Data Processor are not found in

MOCI Reg 20/2016.

Only the concept of Electronic System Operator is used.

The term Electronic System Operator  is defined as any person, state official, business entity, or society that provides, manages and/or operates an electronic system in its own interests and/or in the interests of others).

The concepts of Personal Data Controller and Personal Data Processor are not found in

GR 72/2019.

Like MOCI Reg 20/2016, only the concept of Electronic System Operator is used in GR 71/2019.

The PDP Bill introduces the concepts of  Personal Data Controller and Personal Data Processor.

Personal Data Controller means the party that determines the purpose of and that exercises primary control over the personal data processing, while Personal Data Processor means the party that conducts the data processing on behalf of the Personal Data Controller.

The Personal Data Processor may process any Personal Data only on the instruction of the Personal Data Controller, or otherwise the Personal Data Processor will be fully liable for all actions it has taken in connection with such Personal Data.

4. Form of consent from personal data owners Consent from the personal data owner must be in writing. Consent from the personal data owner must be in writing. Consent from the personal data owner can be obtained either verbal recorded or in writing.
5. Right of personal data owners to complete their data prior to data processing MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. Under the PDP Bill, personal data owners have the right to complete their data before the data are processed.
6. “Deletion” vs. “Destruction” of personal data and the grounds for exercising such right Under MOCI Reg 20/2016, the conditions for deletion and destruction are the same, namely:

  • Expiry of the retention period; or
  • Request from the personal data owner.
Under GR 71/2019, the grounds for “deletion” of personal data are discussed in the context of “right to erasure” at the request of personal data owners, if any of the following conditions arises:

  • The personal data have been obtained and processed without the proper consent;
  • The consent has been retracted;
  • The personal data have been unlawfully obtained and processed;
  • The purpose of obtaining the personal data is no longer aligned with the initial agreement and/or laws and regulations;
  • The utilization period under the agreement and/or laws and regulations is expired; and/or
  • The display of the personal data causes damage to the personal data owner.

GR 71/2019 also recognizes the “right to delisting”, i.e. removal of the relevant personal data from a search engine. GR 71/2019, however, does not specify the grounds for such delisting, but instead requires the personal data owner to obtain a district court order to exercise the right.

The PDP Bill sets out the specific grounds for each “deletion” and “destruction” of personal data.

  1.  Grounds for deletion:
    • The personal data is no longer relevant to the initial purpose of data processing;
    • The consent has been retracted;
    • The personal data owner requests such deletion; or
    •  The personal data has been unlawfully obtained.

    The deleted data should be recoverable at the written request of the personal data owner, provided that the request is made within the retention period.

  2. Grounds for destruction, among others:
    • The personal data is no longer of value;
    • The retention period is expired; or
    • The personal data owner requests such destruction.

    In contrast to GR 71/2019, the PDP Bill does not discuss the personal data owner’s right to delisting.

7. Right to file an objection to decisions based on automatic profiling MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill provides for such right in Art. 10.
8. Opt-in or opt-out of pseudonym processing of personal data for certain purposes MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill provides for such right in Art. 11.
9. The right of personal data owners to postpone or limit the processing of personal data. MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill provides for such right in Art. 12.
10. Pre and Post notification obligations of the Personal Data Controller to personal data owners in the event of merger, spin-off, acquisition, or amalgamation. MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill requires the Personal Data Controller to provide personal data owners with both prior and subsequent notifications in the event of merger, spin-off, acquisition, or amalgamation.
11. Criminal sanction against unlawful acquisition or collection of personal data (or if such acquisition or collection results in damage to personal data owners). MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill imposes imprisonment for a maximum of 5 (five) years or a maximum penalty of IDR 50 billion for unlawful acquisition or collection of personal data (Arts. 51(1) and 61(1)).
12. Criminal sanction against unlawful disclosure of personal data MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill imposes imprisonment for a maximum of 2 (two) years or a maximum penalty of IDR 20 billion for unlawful disclosure of personal data (Arts. 51(2) and 61(2)).
13. Criminal sanction against unlawful utilization of personal data MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill imposes imprisonment for a maximum of 7 (seven) years or a maximum penalty of IDR 70 billion for unlawful utilization of personal data (Arts. 51(3) and 61(3)).
14. Criminal sanction against falsification of personal data MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill imposes imprisonment for a maximum of 6 (six) years or a maximum penalty of IDR 60 billion for falsification of personal data (Arts. 54(1) and 64(1)).
15. The right of  personal data owners to rectify false information and/or inaccuracy of their personal data MOCI Reg 20/2016 is silent on this matter. GR 71/2019 is silent on this matter. The PDP Bill provides for such right in Art. 7.
16. Right of personal data owners to receive compensation MOCI Reg 20/2016 is silent on this matter. GR 71/2019 does not expressly specify such right. However, it imposes a general obligation on Electronic System Operators to implement risk management and to protect their users from any damage arising from their operation. The PDP Bill provides for the right of personal data owners to claim and receive compensation for any damage that may arise from a breach of personal data.
17. Offshore personal data transfer by Indonesia-domiciled parties. MOCI Reg 20/2016 requires pre and post notifications to the Ministry of Communication and Informatics in the event of offshore personal data transfer by Indonesia-domiciled parties. GR 71/2019 is silent on this matter. Unlike MOCI Reg 20/2016, the PDP Bill does not require pre and post notifications to the Ministry of Communication and Informatics for offshore data transfer.

However, in respect of such offshore personal data transfer, the PDP Bill (Art. 49) lays down the following requirements:

  1. The country of domicile of the Personal Data Controller or the international organization receiving the Personal Data must have the same or higher level of security for personal data protection;
  2. There is an international agreement between the receiving country and Indonesia;
  3. There is a contract between the Personal Data Controller and the offshore Personal Data Controller, with standard personal data protection in accordance with the provisions of the PDP Bill; and/or
  4. The personal data owner’s consent has been obtained.
18. The right of data subjects to update their personal data Under MOCI Reg 20/2016, data subjects have the right to update their personal data GR 71/2019 is silent on this matter. The PDP Bill (Art. 7) allows data subjects to update their personal data.

In addition, Art. 34 of the PDP Bill requires the Personal Data Controller to update the information within 1×24 hours after receiving a request from the data subject to rectify the information.

If you have any question on the subject matter, please do not hesitate to address it to W&P Team: [email protected][email protected]