Written by: Tommy Des Mulianta, Associate Director, Speyside
Indonesian Personal Data Protection Law: What does it mean for the private sector?
After a series of lengthy and detailed discussions, the Indonesian Parliament (DPR) has recently adopted the Personal Data Protection Law. Once the President signs off on the law, it will officially enter into force. This is a monumental achievement, signalling a new era of data protection in Indonesia that protects people’s data and information in both online and offline environments.
Major data breaches have become incredibly commonplace in Indonesia. The recent leak of the personal details of 105 million Indonesians made headlines extensively in September 2022, reiterating the urgent need to protect people’s data and information security. While the Law will cover both the public and private sectors, it is critical to address the rights and obligations of the private sector. The Law, nonetheless, generally represents a positive development for the industry.
Firstly, Indonesia would now have a more integrated, transparent, and clear data protection governance framework. The Law provides clarity over the definition and classification of personal data, the rights of the data owner, the roles and obligations of data controllers and data processors, sanctions, and enforcement, among others. The industry has been anxiously awaiting such a regulatory framework, as there has been no single standard reconciling the more than 33 different overlapping personal data protection regulations across sectors.
The Law also reflects a more open and relaxed data transfer regulation, including for cross-border data, which undoubtedly puts the country on the same governance level as more advanced data protection regimes, such as the EU and Singapore. This would be vital as the Indonesian digital ecosystem accelerates at an unprecedented pace, relying heavily on data exchanges. Start-ups and digital tech companies would now be assured that access to cross-border data would not be restricted.
Despite these positive developments, several key challenges can potentially undermine business activities in the implementation of this Law.
As a start, there remains a lack of clarity in many provisions, such as the processing of high-risk data, the requirement for a Data Protection Officer (DPO), and enforcement mechanisms. While Government Regulations to address these provisions would be developed, the limited direction the Law gives on these provisions could potentially create undesirable outcomes: more restrictions, additional layers of compliance, and extensive bureaucratic processes that will likely hamper innovation and growth in the digital economy.
At the same time, the Law also imposes hefty corporate penalties through administrative and criminal sanctions: a maximum of two percent of income for administrative sanctions, and up to ten times the maximum personal criminal sanction for criminal sanctions. On top of that, there is a requirement for data processors and controllers to develop a fast response team that corrects inaccurate data, or limits and stops data processing, within three 24-hour windows. Business entities may find it challenging to comply with these requirements and risk being penalized easily, especially if they are in the early stages of digitalizing their operations and still undertake work offline.
Meanwhile, the institution that oversees the implementation of the Personal Data Protection Law would also be further defined through a Presidential Regulation. As such, the body would primarily serve directly under the President, though there remains a possibility that it will be supervised by or attached to a relevant ministry or agency, such as the ICT Ministry or the National Cyber and Crypto Agency (BSSN). In that case, it could raise concerns over the independence and impartiality of treatment between the public and private sectors.
Finally, there could also be confusion over the implementation of this Law beyond the transition period, as it allows other Laws and Regulations that already regulate personal data protection to coexist with it, provided they do not contradict it. In the absence of a strong authority to streamline and govern personal data protection regulation in the country, the merit of having such a Personal Data Protection Law could be inconsequential, as each sector may still retain its own data protection regulations.
In order for the Law to be fully operationalized, there will be technical regulations for its implementation aimed at providing clarity on data owners and data subject rights, privacy impact assessments, the data privacy officer, the authorities of the supervisory body, and sanctions. However, the Law only provides a two-year transition period for business entities to adapt and adjust their business operations.
This time span is too short, especially as the government has yet to issue the necessary derivative regulations. Business entities could establish an internal task force to review and align their data processing activities sooner rather than later, so as to avoid potential legal and compliance issues once the Law is fully operationalized. At the same time, business entities should proactively seek updates and push for public consultations in the drafting of the implementing policies, to ensure the industry’s voice is reflected in the regulations.