The enactment of Indonesia’s Personal Data Protection Law (PDP Law) marks the introduction of the country’s first comprehensive personal data protection law. As it uses the EU GDPR as its basis, one may find similarities between the two.
The PDP Law applies to legal acts performed both in and outside the Indonesian territory, but for the latter only as far as they affect (a) those in the Indonesian territory, or (b) Indonesian nationals outside the Indonesian territory.
Given its potentially far-reaching consequences, it is important for organisations to understand and assess how and to what extent the PDP Law might impact their existing operations or future conduct of business. We set out below some key points of the law[1] which may be relevant to businesses in general.
Categories of Personal Data
Personal data protection under the PDP Law covers both manual and electronic records, particularly focusing on data (whether alone or in combination with other information) that may, whether directly or indirectly, point to an identified or identifiable individual.
The PDP Law classifies personal data into two main groups: (i) generic data (covering, among other things, name, gender, nationality, religion, marital status), and (ii) specific data (covering, among other things, individual’s health, medical records, biometric, genetic, criminal records, children, financial data). This categorization is important to differentiate between the additional obligations imposed on the personal data controller and those imposed on the personal data processor when it comes to specific personal data.
Subjects of PDP Law
The PDP Law distinguishes between a controller and a processor with respect to personal data.
A ‘controller’ is essentially a party that sets the purpose and exercises control of the processing of personal data, whereas a ‘processor’ is a party that processes personal data on behalf of the controller. As far as the PDP Law is concerned, the controller remains responsible for the processing of personal data, to the extent the process is based on its instruction.
Consent Requirement for Data Processing
As a general rule, the PDP Law requires express consent from a data subject (i.e., an individual) to justify the lawful processing of his/her personal data. The consent can be given either in written form or verbally recorded, by electronic or non-electronic means. When requesting consent, the request must contain at least the following mandatory information: (i) the purpose of data processing, (ii) details of the information being collected, (iii) the retention period, and (iv) the rights of the data subject. It is important to note that the consent may be declared void if the request is obscure, is not easily accessible, or is not expressed in simple and clear language.
Apart from the consent from the data subject, other justifications for data processing under the PDP Law are not discussed in this Newsletter.
In relation to the consent, the PDP Law lays the burden of proof on the controller to prove that it has obtained due consent from the data subject when processing the personal data.
To address concerns about the admissibility of consent obtained by electronic means, the PDP Law makes it clear that electronic information and electronic documents are accepted as admissible evidence.
Rights of Data Subjects
The regulatory rights of data subjects include the following, and businesses must carefully observe them and ensure they are fulfilled:
- seek clarification on the purpose, the basis of legal interest, and accountability;
- complete, update, or amend their personal data;
- access and make copies of any records of their personal data;
- end the processing of, withdraw, or destroy their personal data; and
- withdraw their consent.
The PDP Law provides a 2-year grace period for controllers to adjust their system to comply with the provisions of the PDP Law, giving them the opportunity to make the necessary adjustments to their electronic system to allow data subjects to update their personal data, withdraw their consent, or enforce other regulatory rights that they have as discussed above.
In the event of a personal data breach, the controller has to provide a written notification to the relevant data subject and to the special commission (to be appointed by the Indonesian President, as discussed below) within 3 x 24 hours. The notification must at least describe the handling and recovery efforts.
Localization and Transfer
No provision of the PDP Law requires controllers or processors to locate their data centre and recovery centre onshore.
For transfers of data outside Indonesia, a controller must ensure that the destination jurisdiction at least meets the personal data protection standards set by the PDP Law; if those standards fall short of the PDP Law’s, it must obtain prior consent from the relevant data subject.
In the case of a merger of two or more legal entities, the PDP Law requires the relevant companies to notify each individual, both before and after the merger, of the transfer of his/her data that results from it.
Prohibitions, Administrative and Criminal Sanctions
The PDP Law contains certain prohibitions against the collection, disclosure, use, fabrication, and falsification of personal data.
Non-compliance with the PDP Law can attract both administrative and criminal sanctions. Administrative sanctions range from warnings and suspension of data processing to fines of up to 2 (two) percent of a corporation’s annual income.
Criminal sanctions, on the other hand, depend on the type of offence. A convicted corporation may face a fine of up to 10 times the maximum fine specified for the particular offence. Additional sanctions, such as asset confiscation, cessation of business activities, revocation of business licences, and dissolution, are also possible under the PDP Law.
The PDP Law mandates the Indonesian President to appoint a special commission that is tasked, among others, to receive reports on alleged personal data breaches and facilitate out-of-court settlement when a dispute arises.
Our views
As elaborated above, the two most significant effects of the PDP Law are (i) its more extensive coverage, which also encompasses Indonesian nationals outside Indonesia, and (ii) the possibility that a corporation may be subject to both administrative and criminal sanctions.
As the PDP Law sets out “umbrella” provisions establishing the basic rules and their direction, it will be interesting to see how the details of its practical implementation are addressed by the implementing regulations, which we anticipate will be issued during the 2-year transition period. Please rest assured that we will closely monitor these for you and keep you updated on any developments.
If you have further inquiries about this newsletter, please reach out to us at info@wplaws.com or any of our lawyers.
[1] Given that the official copy of the law is not yet published, our note is based on the draft law published on the official government website on 20 September 2022.