The Indonesian Government recently issued a draft Personal Data Protection Law (“PDP Bill”) for further discussion and deliberation by the House of Representatives. The following is a comparative summary of the PDP Bill and the existing personal data regulations (i.e. Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions (“GR 71/2019”) and Regulation of the Minister of Communication and Informatics No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (“MOCI Reg 20/2016”)).
NO. | ISSUE | MOCI REG 20/2016 | GR 71/2019 | PDP BILL |
NEW CONCEPTS AND SUBJECT MATTER | ||||
1. | Further subdivision of the concept of Personal Data into General Personal Data and Specific Personal Data | MOCI Reg 20/2016 does not make such distinction between General Personal Data and Specific Personal Data. Only the concept of Personal Data is used and defined. | GR 71/2019 does not make such distinction between General Personal Data and Specific Personal Data. Only the concept of Personal Data is used and defined. | The PDP Bill classifies personal data into 2 categories: |
2. | Obligation to appoint an officer specifically designated to take charge of data protection | MOCI Reg 20/2016 does not specify such obligation. | GR 71/2019 does not specify such obligation. | In certain cases, for example: (i) in the public services sector, or (ii) in a situation where the main activity of the Personal Data Controller is concerned with the processing of Specific Personal Data on a large scale, both the Personal Data Processor and the Personal Data Controller must appoint an officer specifically designated to perform the function of Personal Data protection. |
3. | Concepts of Personal Data Controller and Personal Data Processor | The concepts of Personal Data Controller and Personal Data Processor are not found in MOCI Reg 20/2016. Only the concept of Electronic System Operator is used. The term Electronic System Operator is defined as any person, state official, business entity, or society that provides, manages and/or operates an electronic system in its own interests and/or in the interests of others. | The concepts of Personal Data Controller and Personal Data Processor are not found in GR 71/2019. Like MOCI Reg 20/2016, only the concept of Electronic System Operator is used in GR 71/2019. | The PDP Bill introduces the concepts of Personal Data Controller and Personal Data Processor. Personal Data Controller means the party that determines the purpose of and that exercises primary control over the personal data processing, while Personal Data Processor means the party that conducts the data processing on behalf of the Personal Data Controller. The Personal Data Processor may process any Personal Data only on the instruction of the Personal Data Controller, or otherwise the Personal Data Processor will be fully liable for all actions it has taken in connection with such Personal Data. |
4. | Form of consent from personal data owners | Consent from the personal data owner must be in writing. | Consent from the personal data owner must be in writing. | Consent from the personal data owner can be obtained either as recorded verbal consent or in writing. |
5. | Right of personal data owners to complete their data prior to data processing | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | Under the PDP Bill, personal data owners have the right to complete their data before the data are processed. |
6. | “Deletion” vs. “Destruction” of personal data and the grounds for exercising such right | Under MOCI Reg 20/2016, the conditions for deletion and destruction are the same, namely:
|
Under GR 71/2019, the grounds for “deletion” of personal data are discussed in the context of “right to erasure” at the request of personal data owners, if any of the following conditions arises:
GR 71/2019 also recognizes the “right to delisting”, i.e. removal of the relevant personal data from a search engine. GR 71/2019, however, does not specify the grounds for such delisting, but instead requires the personal data owner to obtain a district court order to exercise the right. |
The PDP Bill sets out the specific grounds for each “deletion” and “destruction” of personal data.
|
7. | Right to file an objection to decisions based on automatic profiling | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill provides for such right in Art. 10. |
8. | Opt-in or opt-out of pseudonym processing of personal data for certain purposes | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill provides for such right in Art. 11. |
9. | The right of personal data owners to postpone or limit the processing of personal data. | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill provides for such right in Art. 12. |
10. | Pre and Post notification obligations of the Personal Data Controller to personal data owners in the event of merger, spin-off, acquisition, or amalgamation. | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill requires the Personal Data Controller to provide personal data owners with both prior and subsequent notifications in the event of merger, spin-off, acquisition, or amalgamation. |
11. | Criminal sanction against unlawful acquisition or collection of personal data (or if such acquisition or collection results in damage to personal data owners). | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill imposes imprisonment for a maximum of 5 (five) years or a maximum penalty of IDR 50 billion for unlawful acquisition or collection of personal data (Arts. 51(1) and 61(1)). |
12. | Criminal sanction against unlawful disclosure of personal data | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill imposes imprisonment for a maximum of 2 (two) years or a maximum penalty of IDR 20 billion for unlawful disclosure of personal data (Arts. 51(2) and 61(2)). |
13. | Criminal sanction against unlawful utilization of personal data | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill imposes imprisonment for a maximum of 7 (seven) years or a maximum penalty of IDR 70 billion for unlawful utilization of personal data (Arts. 51(3) and 61(3)). |
14. | Criminal sanction against falsification of personal data | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill imposes imprisonment for a maximum of 6 (six) years or a maximum penalty of IDR 60 billion for falsification of personal data (Arts. 54(1) and 64(1)). |
15. | The right of personal data owners to rectify false information and/or inaccuracy of their personal data | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 is silent on this matter. | The PDP Bill provides for such right in Art. 7. |
16. | Right of personal data owners to receive compensation | MOCI Reg 20/2016 is silent on this matter. | GR 71/2019 does not expressly specify such right. However, it imposes a general obligation on Electronic System Operators to implement risk management and to protect their users from any damage arising from their operation. | The PDP Bill provides for the right of personal data owners to claim and receive compensation for any damage that may arise from a breach of personal data. |
17. | Offshore personal data transfer by Indonesia-domiciled parties. | MOCI Reg 20/2016 requires pre and post notifications to the Ministry of Communication and Informatics in the event of offshore personal data transfer by Indonesia-domiciled parties. | GR 71/2019 is silent on this matter. | Unlike MOCI Reg 20/2016, the PDP Bill does not require pre and post notifications to the Ministry of Communication and Informatics for offshore data transfer. However, in respect of such offshore personal data transfer, the PDP Bill (Art. 49) lays down the following requirements: |
18. | The right of data subjects to update their personal data | Under MOCI Reg 20/2016, data subjects have the right to update their personal data. | GR 71/2019 is silent on this matter. | The PDP Bill (Art. 7) allows data subjects to update their personal data. In addition, Art. 34 of the PDP Bill requires the Personal Data Controller to update the information within 1×24 hours after receiving a request from the data subject to rectify the information. |
If you have further inquiries about this newsletter, please reach out to us at info@wplaws.com or any of our lawyers.