Indonesia Passes Historic Personal Data Protection Bill
On 20 September 2022, Indonesia’s President and House of Representatives (DPR) approved the Personal Data Protection bill following six years of deliberation.
However, while the PDP bill has been approved by both the President and DPR, it has not yet been signed by the President, who is required by law to ratify the PDP Law within 30 days from its date of approval. The PDP bill will become law (the PDP Law) as soon as signed by the President, or 30 days after such date of approval, whichever occurs first.
The PDP Law will be Indonesia’s first comprehensive set of rules relating to personal data protection, covering both electronic and non-electronic personal data forms. This welcome regulatory development will lead to a higher level of personal data protection in Indonesia’s growing digital economy.
The PDP Law is more closely aligned with international data privacy standards. It also introduces new concepts and removes certain restrictive provisions under the previous regime, including the requirement for both prior and post notifications to the regulator on cross-border personal data transfers.
The new law also goes further by introducing criminal sanctions for certain personal data breaches. In this way, the government is sending a strong message to both individuals and corporations that personal data protection is now being taken seriously in Indonesia.
We set out below our initial observations on the key issues we have identified in the PDP Law.
EXTRATERRITORIAL REACH
Similar to Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (the EIT Law), the PDP Law purports to have extraterritorial reach, which may impact personal data controllers and processors located outside the jurisdiction of Indonesia.
Article 2 of the EIT Law had provided that the EIT Law would apply to “any person who commits any legal action as governed under this EIT Law, both within the jurisdiction of Indonesia and outside the jurisdiction of Indonesia, which has legal effect within the jurisdiction of Indonesia and/or outside the jurisdiction of Indonesia and which harms the interest of Indonesia.” The wording “harms the interest of Indonesia” was broadly defined in the EIT Law to include “harming the interests of the national economy, strategic data protection, the nation’s dignity and status, state defence and security, sovereignty, citizens, as well as Indonesian legal entities”.
Article 2 of the PDP Law provides a slightly different scope of application compared to the EIT Law since, among other things, it no longer includes the concept of “harming the national interest”. The PDP Law applies to any person, public body or international organisation carrying out a legal action contemplated under the PDP Law, and located:
The PDP Law does not elaborate on the term “legal impact”. It remains to be seen whether the anticipated implementing regulations for the PDP Law will provide any further detail on the meaning of this term.
GROUNDS FOR PROCESSING PERSONAL DATA
Prior to the enactment of the PDP Law, the prevailing laws and regulations on personal data protection in Indonesia arguably placed more of an emphasis on obtaining consent from the personal data “owners” when compared to the PDP Law. The PDP Law broadens the accepted grounds for the processing of personal data and appears to be generally more aligned with international practice.
The PDP Law requires a personal data controller to have grounds for processing personal data. The accepted grounds for processing personal data under the PDP Law include:
Some of the accepted grounds listed above are very broadly drafted, making their precise meaning and application in practice somewhat unclear. That being said, what does seem to be clear under the PDP Law is that personal data collection and processing can be carried out without needing to obtain valid and express consent from the relevant personal data subject, provided that the personal data controller can rely on one or more of the grounds for processing personal data described above. This is a significant departure from the previous regime which required that valid and explicit consent of personal data subjects be obtained in almost all circumstances.
Nevertheless, Article 24 of the PDP Law sets out that in processing personal data, personal data controllers are required to present evidence of consent being granted by the relevant personal data subject.
APPLICABLE EXEMPTIONS
The PDP Law is not applicable to personal data processing by individuals for personal or household purposes. It also exempts certain data controller obligations for the following interests, in the context of the implementation of laws and regulations.
INTRODUCTION OF PERSONAL DATA “SUBJECT”
The PDP Law introduces the term “personal data subject”. A personal data subject is defined under the PDP Law as an individual to whom personal data is attached. Under the previous regime, the term “personal data owner” was used, with largely the same definition as for “personal data subject” under the PDP Law. Considering how many parties are involved in the processing of personal data, granting ownership of personal data to a particular individual may not be appropriate, so the introduction of this new term is better aligned with international practice.
ROLES OF DATA CONTROLLERS AND DATA PROCESSORS
The PDP Law categorises the key players related to personal data protection as “personal data controllers”, “personal data processors” and “personal data subjects”. We have already touched on the concept of a personal data subject above.
The term “personal data controller” is briefly mentioned in Government Regulation No. 71 of 2019 on Administration of Electronic Systems and Transactions, but without elaborating on the role and its responsibilities. In general, the PDP Law better defines and separates the roles of data controllers and data processors than under the prior regulations.
ONSHORE AND OFFSHORE PERSONAL DATA TRANSFERS
The PDP Law enables personal data controllers to transfer personal data both domestically and offshore more easily.
For domestic transfers, Article 55 of the new law permits personal data controllers to transfer personal data to other data controllers within the Indonesian territory. Both transferor and transferee are required to protect the transferred personal data, as regulated under the PDP Law.
Article 56 of the PDP Law permits personal data controllers to transfer personal data to personal data controllers and/or processors located outside the Indonesian territory if:
The PDP Law provides for additional provisions related to cross-border data transfers to be regulated by future implementing government regulations.
In contrast to the previous regulatory regime, the PDP Law does not require pre- and post-notification to the Ministry of Communications and Informatics (MOCI) for any cross-border data transfer. This is a significant relaxation of the old requirements applying to Indonesia-based data controllers and processors seeking to transfer personal data out of Indonesia. Again, the new approach is better aligned with international practice.
The PDP Law also implies that so long as the requirements under points (a) and (b) above have been met, a personal data subject’s consent does not have to be obtained for a cross-border data transfer to occur. Under the previous regime, the explicit consent of the personal data subject was needed to transfer personal data across borders.
NOTIFICATION REQUIREMENT FOR MERGER, SPIN-OFF, ACQUISITION OR CONSOLIDATION OF LEGAL ENTITIES
Article 48 of the PDP Law requires corporate personal data controllers that wish to carry out a merger, spin-off, acquisition causing a change of control, or consolidation to notify the relevant personal data subjects of any personal data transfer that will arise from such corporate action, both before and after the corporate action has been completed.
The PDP Law provides that the requirement may be satisfied by way of a notification to the personal data subjects or via a public announcement through mass media, whether electronically or non-electronically (eg print media). Furthermore, the PDP Law provides that, in the event a corporate personal data controller is dissolved or liquidated, the storage, transfer, deletion and destruction of personal data must be done in accordance with the provisions of laws and regulations, and must be notified to the relevant data subjects.
REQUIREMENT TO APPOINT PERSONAL DATA PROTECTION OFFICER
Article 53 of the PDP Law requires personal data controllers and personal data processors to appoint officer(s) to carry out the personal data protection function in the following events:
A personal data protection officer is appointed based on professionalism, legal knowledge, personal data protection practice, and capability to fulfil the relevant tasks required of their role. The personal data protection officer may be recruited internally or externally by the personal data controller and/or the personal data processor.
SANCTIONS FOR PROHIBITED USE OF PERSONAL DATA
The PDP Law sets out clear prohibitions on the use of personal data. Articles 65 and 66 prohibit anyone from:
Violators of these provisions may face criminal sanctions – a significant new feature of Indonesia’s personal data protection regulatory framework under the PDP Law.
The PDP Law sets out three types of criminal sanctions for violating the above prohibitions:
For corporations, the PDP Law provides that criminal sanctions may be imposed on members of management (ie, board of directors), controllers, those giving orders (pemberi perintah) and beneficial owners (among others). The imposition of prison sentences may also extend to these parties.
Through the introduction of these criminal sanctions under the PDP Law, the Indonesian government is sending a strong message to individuals and corporations that personal data protection must be taken seriously in Indonesia.
Article 57 sets out administrative sanctions for violating certain provisions of the PDP Law. These administrative sanctions may be in the form of:
Article 57 also allows for administrative fines to be imposed for violating certain provisions of the PDP Law. These fines can be a maximum of 2 percent of the gross annual revenue or annual income of the offending party. This 2 percent threshold is notably lower than that required under the European Union’s General Data Protection Regulation (GDPR), which is set at a maximum of 4 percent of global annual turnover. The administrative fine will be imposed by the supervisory body for personal data protection administration, which is yet to be established (described further below).
NOTIFICATION REQUIREMENT FOR BREACH
In the event of failure by a personal data controller to protect personal data, Article 46 of the PDP Law requires a personal data controller to deliver a written notice to the relevant personal data subject(s) and the supervisory governmental body (as described below) within 3 x 24 hours after any failure to protect personal data. This is much shorter than the 14-day period under the previous regime.
Personal data protection failure is described as failure to protect someone’s personal data in terms of confidentiality, integrity, and availability of personal data, including a security breach, whether intentional or unintentional, which leads to damage, loss, amendment, disclosure, or access that is not valid in relation to the relevant personal data that is sent, stored, or processed.
The written notification must set out details of the disclosed personal data, when and how the personal data was disclosed, and details regarding how the matter is being handled including any relevant recovery efforts made by the personal data controller. In certain cases, among others where the personal data protection failure disturbs public service and/or has a serious impact on the public interest, personal data controllers may also be required to inform the public regarding the personal data protection failure.
SUPERVISORY BODY FOR PERSONAL DATA PROTECTION ADMINISTRATION
The PDP Law provides that the Indonesian government will participate in personal data protection administration in accordance with the PDP Law, which is to be done through a governmental body (lembaga) to be stipulated by the President of Indonesia. At this stage, the name, details and discretionary powers of the governmental body are not yet known. The PDP Law provides that further provisions relating to this governmental body will be regulated by a future presidential regulation.
TRANSITIONAL PERIOD
Under Article 74 of the PDP Law, personal data controllers, personal data processors and other parties relevant to the processing of personal data have up to two years from the date of enactment of the PDP Law to comply with the law.
Article 75 of the PDP Law adds that all existing provisions of laws and regulations which regulate personal data protection will remain valid so long as they do not contradict the provisions of the PDP Law. A careful process of statutory interpretation will be needed to identify any overlaps and gaps in personal data protection between the old regulatory regime and the new regime under the PDP Law.
As is typical in Indonesia, implementing regulations for the PDP Law can be expected in the coming months. In this regard, please monitor this space for the latest developments in implementation of the PDP Law in Indonesia.
26 September 2022
By Cellia Cognard, Sakurayuki, Brandon Van Slyke and Dessy Arisanti
HBT Website Link: https://www.hbtlaw.com/latest-thinking/indonesia-passes-historic-personal-data-protection-bill