
Insights on Indonesia's Upcoming Data Privacy Legislation

A guide to preparing for Indonesia's upcoming Personal Data Protection regulations, from Sumsub's blog on KYC/AML compliance.

Indonesia's Personal Data Protection Law (PDP Law) is expected to be passed later this year, introducing stringent data protection requirements for any entity that handles the personal data of Indonesian citizens, whether electronically or manually. The PDP Law, which is modelled on the European Union's General Data Protection Regulation (GDPR), comprises 72 articles across 15 chapters.

The PDP Law aims to protect the personal data rights of Indonesian citizens, regardless of where in the world the data is processed. Any entity that handles such data will be subject to the PDP Law's regulations. During a two-year transition period, entities will be given time to achieve full compliance with the new law.

Entities can prepare for compliance by supervising every party involved in their data processing, maintaining processing records, reporting data breaches, ceasing to process data when data owners revoke consent, and preventing unauthorized access to personal data. They should also analyse their current data handling practices, update existing PDP-related technology and controls, review contracts with customers and third parties to include the necessary data protection clauses, follow reliable sources that publish updated PDP requirements and standards, and designate an employee to handle compliance matters going forward.

The PDP Law will separate the roles of data controllers and processors, and introduce new key roles, data ownership rights, and data transfer rules. Cross-border transfers between controllers will be limited to countries and international organizations whose level of data protection is equal to or higher than Indonesia's, and must additionally rest on one of three bases: an agreement with Indonesia, a contract between the personal data controllers that covers personal data protection, or the consent of the personal data subject. These requirements will not apply to controller-to-processor transfers.

Certain data controllers and processors will be required to designate a Data Protection Officer (DPO), who oversees the protection of all personal data the organization handles. A DPO must be designated if the controller or processor processes personal data for the purpose of providing public services, if its main activities require regular and systematic large-scale monitoring of personal data, or if its main activity consists of large-scale processing of specific data, including criminal data.

Sanctions for non-compliance with the PDP Law will be stiff, including fines of up to US$14.4 million. There will be two types of sanction: administrative and criminal. Administrative sanctions include written warnings, temporary suspension of personal data processing, deletion of personal data, compensation, and administrative fines. Criminal penalties for individuals range from Rp 20 billion to Rp 70 billion (US$1.4 million to US$4.8 million) and/or imprisonment of 2 to 7 years, depending on the nature of the violation. Corporations face fines of up to Rp 210 billion (US$14.4 million), in addition to confiscation of profits or assets, asset freezes, or closure of all or part of the business.

The PDP Law also recognizes two classifications of personal data: general and specific. It will set out detailed reporting obligations, including that both the data owners and the Ministry of Communication and Information Technology (MCIT) must be notified within 72 hours of a data breach. The notification must describe the compromised data, when and how it was compromised, and the management and recovery efforts taken. Meeting a 72-hour window in practice requires incident response procedures that can establish the scope and timeline of a breach quickly, so the logging and detection needed to answer those questions should be in place before the law takes effect.

Entities can also get outside help from specialized services and software solutions that automate policy-related processes and track relevant regulatory changes. Companies should already be identifying and resolving potential obstacles to PDP Law compliance.

  1. To ensure full compliance with the PDP Law, entities must analyze their current data handling practices, designate a Data Protection Officer (DPO) if required, and implement measures such as reporting data breaches, preventing unauthorized access to personal data, and maintaining records.
  2. The PDP Law will introduce strict rules for cross-border data transfers, limiting such transfers to countries or international organizations with data protection equal to or higher than Indonesia's, and requiring an agreement, a contract between controllers, or the consent of the personal data subject.
  3. In preparation for the new PDP Law, businesses should consider utilizing specialized services and software solutions to help automate policy-related processes and stay informed about regulatory changes, as well as identifying and resolving any potential challenges to compliance.
