View file in pdf version
Written by:
Victor Juan Tanojo | Nadya Pattiasina | Shahyb Handyanto
Anru33 Introduction
Almost 6 (six) years after being initiated in 2016, the House of Representatives (Dewan Perwakilan Rakyat) of the Republic of Indonesia finally enacted Law No. 27 of 2022 concerning Personal Data Protection (the “PDP Law”) on 17 October 2022. The promulgation of the PDP Law becomes an important milestone in addressing so many personal data breaches and the lack of a legal basis for the enforcement of personal data violations. This Newsflash will discuss the main provisions in the PDP Law that may be useful to consider when dealing with personal data matters in Indonesia.
Provisions of the PDP Law
Scope of the PDP Law
The PDP Law applies to any person (individual or legal entity), public body, or international organization that performs legal acts regulated by the PDP Law, which is either located (a) in the territory of the Republic of Indonesia; or (b) outside the territory of the Republic of Indonesia—but still within (i) the jurisdiction of the Republic of Indonesia, and/or (ii) relating to any Indonesian nationals. However, the PDP Law does not apply to the processing of personal data by individuals for personal purposes.
Types of Personal Data
The PDP Law classifies personal data types into 2 (two) categories, i.e. specific and general personal data, with the details as follows:
Specific Personal Data | General Personal Data | ||||||
a. |
health data and information; |
f. |
personal financial data; and/or |
a. |
full name; |
e. |
marital status; and/or |
The distinctions between the types of personal data are indicative of a scale of seriousness of misuse, depending on data type. Following on from such distinctions, the PDP Law requires an impact assessment in order to process specific personal data.
Rights of Personal Data Subjects & Their Exceptions
Under the PDP Law, each personal data subject is given rights to their own personal data, inter alia the ability to:
- obtain information regarding the details of the identity, legal basis, purpose of the collection and use of personal data, and accountability of the party who requests such personal data;
- complete, update, and/or rectify any incorrect and/or inaccurate personal data;
- access and receive a copy of their personal data;
- terminate the processing of, erase, and/or destroy their personal data;
- revoke his/her consent that was given to the personal data Controller;
- submit objections in respect of any decision-making actions that are solely based on the automatic processing of personal data, including any profiling activities, that results insignificant legal impact to the personal data subject;
- delay/limit the processing of personal data proportionately in accordance with the purpose thereof;
- file a claim and receive compensation for any violation of personal data processing;
- receive, use, and/or transmit his/her personal data from the personal data Controller in the form and structure ordinarily used in electronic systems.
However, the rights above, and the exercise of such rights, can be limited or exempted subject to the implementation of laws and regulations for the following reasons:
- national defense and security interests;
- law enforcement process interests;
- public interest, for the purpose of state administration;
- the interests of supervision of the financial services sector, monetary, payment systems, and financial systems stability carried out in the context of state administration; or
- general statistical and scientific research interests.
However, it is worth emphasizing that the exception to the rights of the personal data subject apply only in the context of implementing the provisions of the law.
Personal Data Controllers and Processors
The PDP Law introduces the concept of (a) Personal Data Controller (“Controller”) and (b) Personal Data Processor (“Processor”). A Controller is a party who determines the purpose, and controls the processing of personal data, while a Processor is a party who processes personal data on behalf of the Controller. In other words, a Processor is a Controller's designated party to process the personal data. Both Controller and Processor can be any person (individual or legal entity), public agency, and international organizations.
We set out below the summary of the obligations of Controller and Processor respectively:
Obligations | Controller | Processor | |
1. | Processing the personal data in a limited and specific manner, lawfully, and transparently | V | - |
2. | Processing the personal data in accordance with the purpose of processing such personal data | V | - |
3. | Ensuring the accuracy, completeness, and consistency of personal data and verify such personal data | V | V |
4. | Updating and/or correcting any errors and/or inaccuracies of personal data and informing such correction to the data owner | V | - |
5. | Recording all personal data processing activities | V | V |
6. | Giving personal data access to personal data subjects | V | - |
7. | Refusing to give access to changes in personal data that can cause harm to the owner, disclosing other people’s personal data, and/or access conflicting with national security | V | - |
8. | Conducting a risk impact assessment on personal data that has a high potential risk to the data owner | V | - |
9. | Protecting and ensuring the security of personal data | V | V |
10. | Maintaining the confidentiality of personal data | V | V |
11. | Supervising any party under its control who is involved in the processing of personal data | V | V |
12. | Protecting personal data from unauthorized processing | V | V |
13. | Preventing personal data from being accessed illegally | V | V |
14. | Terminating the processing of personal data if the personal data subject withdraws their consent | V | - |
15. | Suspending and restricting the processing of personal data after receiving a request for the delay and limitation of the processing of personal data | V | - |
16. | Terminating the processing of personal data when certain conditions have been met | V | - |
17. | Deleting personal data when certain condition as set out under the law occurs | V | - |
18. | Destroying personal data if certain conditions as set out under the law occurs | V | - |
19. | Notifying a deletion and/or destruction of personal data to the data owner | V | - |
20. | Submitting a written notification in the event of failure of personal data protection to the data owner and institution (supervisory body) | V | - |
21. | Responsible for the processing of personal data and implementation of the principles of personal data protection | V | - |
22. | Notifying the transfer of personal data in the event of corporate actions | V | - |
23. | Carrying out an order from the supervisory body in the implementation of personal data protection | V | - |
Officials or Officers Carrying Out Personal Data Protection Functions
The PDP Law stipulates that the Controller and Processor are required to appoint officers who carry out the function of personal data protection if (i) the processing of personal data is carried out for the benefit of public services, (ii) the core activities of the Controller require systematic monitoring of personal data on a large scale, and (iii) the core activities of processing personal data are on a large scale for personal data that are specific and/or processing personal data which related to criminal acts. The officer must provide information, advice, monitor compliance, coordinate, and act as a liaison for issues related to processing personal data.
Transfer of Personal Data
Sometimes, business actors transfer personal data to run their businesses. Under the PDP Law, when business actors carry out Controller functions, they may transfer personal data to other Controllers. Such transfers may be made to other Controller(s) who are located within or outside the territory of Republic of Indonesia. However, if such transfers are made to Controller(s) outside of Indonesian territory, the transferring Controller must ensure that the country where the receiving Controller is located has a level of personal data protection that is equal to or higher than the PDP Law.
Administrative and Criminal Sanctions
In the event of violation of the PDP Law by a Controller or a Processor, administrative sanctions will be applied in the form of (i) a written warning,(ii) temporary cessation of personal data processing activities, (iii) deletion or destruction of personal data, and/or (iv) administrative fines. An administrative fine is determined at a maximum of 2 (two) percent of the annual income or annual revenue of the infringing party. Administrative sanctions are imposed by an institution that the President of Indonesia will later establish according to the PDP Law.
However, any person(s) who commit the following actions are subject to criminal sanctions:
- unlawfully obtaining personal data that does not belong to him/her for the benefit of himself/herself or another person, which may harm the subject of the personal data;
- unlawfully discloses personal data that does not belong to him/her;
- unlawfully using personal data that does not belong to him/her; and
- intentionally creating or falsifying personal data to benefit oneself or others that can cause harm to others.
The criminal sanctions imposed are in the form of imprisonment of between 4 (four) to 6 (six) years and/or a fine in the range of IDR4,000,000,000.00 (four billion rupiah) to IDR6,000,000,000.00 (six billion rupiah) depending on the type of act committed. In addition to being sentenced to criminal sanctions, additional penalties may also be imposed in the form of confiscation of profits and/or assets obtained, criminal act proceeds, and/or payment of compensation.
If a corporation is the infringing party, the punishment may be imposed on the management, controller, beneficial owner, and/or corporation. Meanwhile, the punishment that can be imposed on corporations is only in the form of a fine with a maximum amount of 10 (ten) times the maximum penalty imposed (i.e. maximum IDR40,000,000,000 to IDR 60,000,000,000).
Comparison with GDPR Terms
Based on our analysis, the PDP Law is largely adopted from the European Union’s General Data Protection Regulation (“GDPR”), which is the “gold standard” for personal data protection worldwide. The following table presents a summary comparison between the PDP Law and the GDPR provisions:
No. | Aspect | PDP Law | GDPR |
1. | Types of personal data | V | - |
2. | Lawfulness of processing | V | V |
3. | Restriction on processing of special categories of personal data | - | V |
(restriction on processing of personal data, which aims to record racial, political, or religious data) | |||
4. | Restrictions on the right of personal data subjects | V | V |
5. | Controllers and Processors | V | V |
6. | Independent supervisory authorities | V | V |
7. | Transfer of personal data to international organizations | V | V |
8. | Sanctions | V | V |
9. | Other exemptions from personal data protection (aside from exemptions due to the implementation of the laws and regulations) | - | V |
(GDPR provides an exemption from personal data protection for journalistic purposes and freedom of expression) |
With the many similarities between the PDP Law and GDPR, it appears that the norms of personal data protection in Indonesia will now follow international standards.
Conclusion & Comments
The PDP Law now provides a codified law and guidance on personal data protection in Indonesia. However, for the PDP Law to take full force and be fully effective, we must wait for the further implementing regulations of the PDP Law to get more clarity on some of the critical provisions stipulated therein. This would include matters concerning the determination of the governmental body that will be acting as the supervisory body on the implementation of personal data protection in Indonesia pursuant to the PDP Law.
With the enactment of the PDP Law, all Controllers and Processors (including business actors) are given a maximum period of 2 (two) years (until October 2024) to adjust and comply with the PDP Law. During this transitional period, all business actors dealing with the use of personal data need to start taking steps to carry out internal assessments to adjust their current policies/practices and comply with the provisions of the PDP Law.
Copyright © 2023 HS. All rights reserved.
Disclaimer:
The foregoing material is the property of Hendra Soenardi and may not be used or relied upon by any other party without our prior written consent. The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances.