Following our last update, the government of Indonesia finally enacted Law No. 27 of 2022 regarding Personal Data Protection effective on 17 October 2022 (the PDP Law). The official text of the law was published on 18 October 2022.
We set out below some of the key provisions of the PDP Law.
Definition and types of personal data
The PDP Law defines personal data as ‘any data regarding an identified person or a person that can be identified either individually or in combination with other information, directly or indirectly, by using electronic and/or non-electronic systems’. Personal data is further categorised into general and specific personal data. General personal data covers information that is generic in nature and is typically listed on the Indonesian identity card, such as a person’s name, gender, nationality, religion and marital status. Specific personal data includes data such as medical information, biometrics, genetics, criminal records, child data and/or personal financial data. The key distinction between the two types lies in the degree of risk involved and the requirements that must be fulfilled when processing each of them, which is discussed further below in the section on the data protection impact assessment and the data protection officer.
Scope and applicability
The PDP Law provides a far-reaching scope of applicability: it covers any individuals, corporations, public institutions (e.g., the executive, legislative or judicial branches in relation to state operations) and international institutions that control and/or process personal data. The PDP Law also confirms its extra-territorial scope, as it covers the personal data of Indonesian data subjects outside Indonesia, whether processed in Indonesia or outside Indonesia, provided that such processing has legal effect in Indonesia.
The PDP Law does not, however, apply to individuals who process personal data for personal or household use.
Rights of personal data subjects
The PDP Law stipulates that personal data subjects have the right to obtain information concerning the identity and accountability of the party that requests or collects their personal data, as well as to know the purpose and use of such request or collection. A personal data subject may further alter, update or change their personal data, as well as end, terminate and/or erase their personal data. However, these rights are subject to exemptions in the interest of national security and defence, law enforcement, the public interest in relation to state operations, supervisory activities by the financial/monetary authority in relation to state operations, or statistical and scientific research.
Controller and processor of personal data
The PDP Law further specifies two subjects, with two separate functions, responsible for personal data: (i) the Controller, any party (including individuals, public bodies and international organisations) who determines the purpose of and controls the processing of personal data; and (ii) the Processor, any party who processes personal data on behalf of the Controller.
The distinction between Controller and Processor is relevant to their respective obligations, liabilities and compliance requirements. Businesses need to be aware of their status in any personal data processing activity.
Primarily, a Controller must determine the purpose of data processing based on lawful grounds, and a Processor must conduct its activities as directed by the Controller. In principle, the Controller is responsible for the processing of personal data carried out by the Processor. However, where the Processor breaches the Controller’s directive, the Processor is liable for that processing of personal data.
Lawful grounds for processing personal data
The processing of personal data covers any use of personal data, such as collection, management, analysis, storage, revision, updating, display, announcement, transfer, dissemination, disclosure, deletion and termination of any personal data.
Prior to the PDP Law, consent was the primary ground for processing personal data. The PDP Law maintains that requirement of consent, which has to be express, either in writing or recorded (electronically or manually). In addition to consent, the PDP Law recognises other lawful grounds for processing personal data, namely (i) fulfilment of a contractual obligation, (ii) fulfilment of a legal obligation of the Controller, (iii) protection of the vital interests of the data subject, (iv) performance of a duty in the public interest, public service or lawful authority of the Controller, and (v) fulfilment of other lawful interest(s).
Data protection officer and impact assessment
A new provision introduced by the PDP Law relates to the appointment of a data protection officer (DPO) and the implementation of a data protection impact assessment (DPIA). Businesses must appoint a DPO whenever personal data is processed for the public interest, whenever there is systematic monitoring of personal data on a large scale, and whenever there is large-scale processing of specific and/or crime-related personal data. A DPO has the duty to advise on data privacy requirements and compliance, including the mitigation of any data privacy breach. In particular, the DPO must advise on the implementation of the DPIA and act as the data privacy liaison officer in the company (whether the company acts as a Controller or a Processor). The PDP Law does not require a DPO to be certified. However, the qualifications for appointing a DPO include an assessment of the person’s professionalism, legal knowledge and capabilities in the area of data privacy practice.
A DPIA must be carried out for any ‘high risk’ processing of personal data, such as processing that involves (i) specific personal data, (ii) automated decision making, (iii) large-scale processing, (iv) systematic evaluation, scoring and monitoring, (v) combination of certain data, (vi) use of new technology, and/or (vii) limitation of the rights of data subjects.
It must be noted that the PDP Law does not further elucidate any of the above conditions. For example, it is not clear what constitutes large-scale data processing. We expect that further elucidation of, and requirements for, the DPIA and DPO will be addressed in the implementing regulations of the PDP Law.
Requirements for cross-border personal data transfer
In general, the PDP Law allows a Controller to transfer personal data within and outside Indonesian territory. For cross-border transfers in particular, the Controller must ensure that the receiving party’s country has an equal or better standard of personal data protection. If not, the Controller must ensure adequate and binding personal data protection measures. If neither condition is met, the Controller must obtain consent from the relevant personal data subjects.
Notification for data breach
Prior to the PDP Law, the requirement to notify data breaches was set out in the implementing regulations of Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended. With the PDP Law now in force, a Controller or Processor must, within 72 hours of the occurrence of a data breach, file a written notice with the data subject and the data protection authority. The notice must include (i) information on the affected data; (ii) when and how the breach occurred; and (iii) the measures taken to mitigate the breach. A public announcement may be required if the public interest is at stake.
Sanctions
The PDP Law specifies administrative and criminal sanctions, depending on the type of violation. Administrative sanctions range from warning letters and temporary suspension of data processing activities to deletion of personal data and/or administrative fines (amount not specified). Criminal sanctions range from a monetary penalty of IDR 4-6 billion (which may be up to 10 times that amount if the crime is committed by a corporation) and/or imprisonment of 4-6 years, as well as seizure of profits, payment of damages and other sanctions against corporations violating the provisions of the PDP Law.
Miscellaneous and closing
Another key provision of the PDP Law is the introduction of a data protection authority. Currently, the Ministry of Communication and Informatics is the supervising authority and regulator for the operation of electronic system operators and electronic transactions, as well as for personal data protection compliance. The ministry’s authority over data protection matters will likely be assumed by the data protection authority under the PDP Law. Whilst the name of the data protection authority has not yet been determined, the PDP Law stipulates that the authority will be established by presidential regulation and report directly to the president. We expect further details of the authority’s role and duties to be addressed in the implementing regulations.
Finally, the PDP Law has a two-year transitional period after its enactment, i.e. until October 2024. We also expect that the president will establish the data protection authority within that period. Businesses need to conduct an internal assessment of their personal data protection compliance and adjust their relevant practices and policies within the transitional period, before the relevant provisions of the PDP Law are fully enforced.
We will continue to monitor and report on any developments in the implementing regulations under the PDP Law. A further alert on how the PDP Law compares with the GDPR and other data protection regimes will be issued as the second part of this publication.