The government of Indonesia has finally announced the issue of the long-awaited Personal Data Protection Law (PDP Law). Prior to the issue of the PDP Law, Indonesia did not have any specific and codified personal data protection law. Previously, various provisions regarding data protection were scattered throughout many pieces of legislation. The PDP Law is the first of its kind that specifically regulates personal data protection in Indonesia. It was widely known that discussion of the PDP Law had been stagnant for a long period of time after it was firstly introduced as a draft in 2016.
From the latest draft bill made available to public, it appears that there are several key provisions of the PDP Law that will become points of interest. Firstly, the PDP Law will set out legal grounds for processing of personal data in Indonesia. It is expected that the PDP Law will stipulate the requirements for offshore transmission of personal data, which has been a cause for concern in Indonesia. Further, the PDP Law will introduce a new government body supervising the implementation of the PDP Law – it is still unclear whether the new government body will be separate from the Ministry of Communication and Information. From an enforcement perspective, it is also predicted that the PDP Law will set out enhanced criminal sanctions, in the form of both imprisonment and penalties/fines, which can apply to both individuals and corporations.
As at the time of this Alert, the House of Representatives had not published the official text of the PDP Law to the public. It appears that the legislation process still awaits signing by the President. It is expected that the legislation process will be completed within 30 days after the official announcement – 20 October 2022.
We will provide full coverage of the key provisions of the PDP Law once the official text has been released to the public by the House of Representatives.