Law No. 27 of 2022 on Personal Data Protection (“Personal Data Protection Law” or “PDPL”) was enacted by the Government of Indonesia on 17 October 2022. Article 74 of the PDPL provides for a 2 year transitional period for businesses to comply with the provisions of the PDPL. In August 2023, the Ministry of Communication and Informatics (“MOCI”) published the draft of the Government Regulation on the Implementing Regulations of the PDPL (“Draft Implementing Regulations”). The Draft Implementing Regulations provide some clarity for businesses planning to get ready for the PDPL.
To assist businesses with compliance by October 2024, we provide an overview of the PDPL and its requirements, and the Draft Implementing Regulations.
A. Key Definitions
Key definitions under the PDPL include the following:
- Personal Data: Data about an identified or identifiable individual individually or in combination with other information either directly or indirectly through electronic or non-electronic systems.
- Personal Data Controller: Any person, public body and international organisation acting individually or jointly in determining the purposes and exercising control of the processing of Personal Data.
- Personal Data Processor: Any person, public body and international organisation acting individually or jointly in the processing of Personal Data on behalf of a Personal Data Controller.
- Personal Data Subject: An individual to whom Personal Data is attached.
- Person: An individual or corporation.
- Processing of Personal Data: This includes (a) acquisition and collection; (b) processing and analysing; (c) storage; (d) improvement and renewal; (e) appearance, announcement, transfer, dissemination, or disclosure; and (f) deletion or destruction.
B. Scope of Application
Article 2 of the PDPL confirms that the PDPL has extraterritorial application. It applies to every Person, Corporation, Public Body, or International Organisation located within Indonesia, or outside Indonesia if its actions have legal consequences (a) in Indonesia; or (b) for Indonesian citizens living outside Indonesia. This means that when dealing with the personal data of Indonesian citizens located anywhere, the PDPL will apply.
C. Categories of Personal Data
Article 4 of the PDPL classifies personal data into two distinct categories: (a) Personal Data of a general nature and (b) Specific Personal Data.
Personal Data of a general nature includes:
- full name;
- gender;
- citizenship;
- religion;
- marital status; and
- data that when combined can be used to identify an individual.
Specific Personal Data includes:
- health data and information;
- biometric data;
- genetic data;
- criminal records;
- child data;
- financial data; and
- any other data in accordance with the PDPL provisions and any subsequent regulations.
The Draft Implementing Regulations clarify that data referred to within item (g) under Specific Personal Data may be designated after conferring with the upcoming PDPL Data Protection Regulator (“Regulator”). Such data should have the potential to cause significant impact to Personal Data Subjects such as (a) discriminatory actions; (b) material and/or immaterial losses; and (c) other impacts that are contrary to statutory regulations.
D. 8 Principles for Processing
Article 16 of the PDPL requires Personal Data Controllers to comply with 8 principles for Personal Data Processing. These are:
- collecting Personal Data in a limited, transparent, and lawful manner;
- processing Personal Data according to the defined purpose;
- guaranteeing the rights of Personal Data Subjects;
- ensuring Processing is accurate, up-to-date, and not misleading;
- maintaining the security of Personal Data by safeguarding it against unauthorised access, illegal disclosure, unauthorised modification, misuse, destruction, and/or deletion;
- disclosing the purpose of the processing and any Personal Data protection failures;
- deleting Personal Data after the end of the retention period or at the request of the Personal Data Subject; and
- ensuring Processing is done responsibly and can be clearly proven.
E. Lawful Bases for Processing
Under the PDPL, organisations may only Process Personal Data under lawful bases which can generally be divided into (a) consent and (b) other lawful bases.
Consent
Articles 20 and 22 of the PDPL state that consent from the Personal Data Subject must be explicit, be in written or recorded format, and can be obtained either electronically or non-electronically. Based on the PDPL, implied or deemed consent, or verbal consent, appears to be insufficient as lawful bases to process Personal Data and organisations will likely require opt-in consent.
Article 21 of the PDPL states that if the Processing is based on consent, the Personal Data Controller is required to provide the following information to the Personal Data Subjects whose Personal Data is being processed: (a) the legality of the Processing; (b) the purposes of Processing; (c) the type and relevance of the Personal Data that will be processed; (d) the retention period; (e) the details of the information collected; (f) the period of Processing; and (g) the rights of the Personal Data Subject. Article 24 of the PDPL requires the Personal Data Controller to have proof of consent from the Personal Data Subject before initiating their Personal Data Processing activities. These requirements will likely make consent difficult to rely on unless the Personal Data Controller is able to meet these requirements at the time of obtaining consent.
Other Lawful Bases
Article 20 of the PDPL prescribes the other lawful bases for the Processing of Personal Data, including where it is necessary to fulfil:
- the contractual obligations of the Personal Data Controller or a Personal Data Subject’s request when entering into an agreement with the Personal Data Subject;
- the Personal Data Controller’s obligations under laws and regulations;
- the protection of the Personal Data Subject’s vital interests;
- the performance of duties in the context of the public interest, public service, or the exercise of the authority of the Personal Data Controller based on law and regulations; and
- the Personal Data Controller’s legitimate interests as balanced against the rights of the Personal Data Subject.
F. Personal Data Subjects Rights
Some of the rights that Personal Data Subjects have under the PDPL are:
- Right to Information (Article 5 of the PDPL): Personal Data Subjects have the right to obtain information (a) to clarify the identity of the Personal Data Controller or Personal Data Processor; (b) to determine the lawful basis for Processing their Personal Data; (c) determine the purpose of the request and use of their Personal Data; and (d) about the accountability of the party requesting their Personal Data.
- Right to Modification of Data (Article 30 of the PDPL): Personal Data Subjects have the right to request modifications to Personal Data that has become outdated, incomplete, or incorrect since it was collected. Upon such request, the Personal Data Controller has 72 hours to correct any discrepancies and thereafter inform the Personal Data Subject that the correction has been completed.
- Right to Withdraw Consent (Articles 9, 40 and 43 of the PDPL): Personal Data Subjects have the right to withdraw their consent to the Processing of their Personal Data at any time. Once consent is withdrawn, the Personal Data Controller and Personal Data Processor must stop the processing of the Personal Data Subject’s Personal Data within 72 hours. They must also delete all Personal Data that has been collected on the Personal Data Subject to date.
- Right to Data Portability (Article 13 of the PDPL): Personal Data Subjects have the right to obtain their Personal Data in a format commonly used or readable by electronic systems. Personal Data Subjects can further use and send this data to other personal data controllers. This comes with the caveat that the data must be transferred in a secure manner in accordance with all other PDPL provisions. These rights effectively grant data subjects the ability to port their data from one system to another, preventing users from being trapped into being users of a single system or company.
G. Personal Data Controller Obligations
We discuss 2 key obligations that Personal Data Controllers must comply with below.
Personal Data Transfer Requirements
Under Article 55 of the PDPL, Personal Data Controllers may transfer Personal Data from Indonesia subject to compliance with the PDPL obligations. The Personal Data Controller must ensure that the jurisdiction that the Personal Data is transferred to has an equal or higher level of data protection obligations as compared to the PDPL. If that jurisdiction does not meet this requirement, the Personal Data Controller transferring the Personal Data must either obtain the consent of the Personal Data Subject or must ensure there is adequate and binding data protection.
Article 185 of the Draft Implementing Regulations provides examples of adequate and binding data protection including: (a) agreements between the country of residence of the Personal Data Controller who transfers Personal Data with the country of residence of the Personal Data Controller and/or Personal Data Processor who receives the transfer of Personal Data; (b) standard Data Protection contractual clauses; (c) company regulations binding within a company group; and (d) any other instrument recognised by the Regulator.
At present, no standard contractual clauses have been provided for and no countries have been identified as meeting the standard. This is likely to be clarified in the next few months.
Data Breach Notification Requirements
Under Article 46 of the PPDL, Personal Data Controllers must notify impacted Personal Data Subjects and the Regulator within 72 hours after becoming aware of a data breach.
The notification must include (a) the Personal Data that was impacted; (b) when and how the Personal Data was impacted; and (c) efforts undertaken by the Personal Data Controller to handle the data breach. The Personal Data Controller may also be required to inform the public regarding the data breach. However, there is no guidance released as to when this is required.
Based on the guidance currently available, it appears that data breaches would be notifiable as long as there is any security breach leading to the destruction, loss, alteration, disclosure, or the unauthorised access of Personal Data that is sent, stored, or processed, but this may become clearer closer to the end of the transitional period.
H. Penalties and Enforcement
Under Articles 57, 67 and 68 of the PDPL, the penalties imposed by the Regulator varies based on the wrong committed:
- Unlawful Collection or Use of Personal Data: Anyone who unlawfully collects or uses Personal Data can be subject to a maximum fine of 5 billion Indonesian Rupiahs (approximately USD 300,000) and/or up to 5 years’ imprisonment.
- Unlawful Disclosure of Personal Data: Anyone who discloses the Personal Data of Indonesian citizens without their consent or intentionally misuses such data can be subject to a maximum fine of 4 billion Indonesian Rupiahs (approximately USD 240,000) and/or up to 4 years’ imprisonment for each offence.
- Falsifying Personal Data: Anyone who falsifies Personal Data with the intent to benefit oneself or another organisation or individual, while causing harm to others, can be subject to a maximum fine of 6 billion Indonesian Rupiahs (approximately USD 365,000) and/or up to 6 years’ imprisonment.
- Personal Data Protection Failure: In the event of a personal data protection failure, the PDPL provides for administrative sanctions, including (a) a written warning; (b) temporary suspension; (c) deletion of Personal Data; and (d) administrative fines of up to 2% of the Personal Data Controller or Processor’s annual revenue based on the relevant violation variable.
Article 225 of the Draft Implementing Regulations clarify that “violation variable” calculations are based on the following factors:
- the negative impact resulting from the violation;
- the duration of the violation;
- the type of Personal Data involved;
- the number of people impacted;
- the violation discovery process;
- the level of openness and co-operation of the Personal Data Controller during the investigation process;
- the scale of the Personal Data Controller’s or processor’s business;
- the ability of the Personal Data Controller or Processor to pay; and
- other relevant considerations as released under upcoming regulations.
Aside from the punishments referred to under the unlawful collection, use, disclosure and falsification of Personal Data, Article 69 of the PDPL states that additional sanctions may be imposed in the form of (a) confiscation of income and/or assets obtained or resulting from the criminal offence and (b) payment of any compensation.
Personal Data Subjects affected by non-compliance with PDPL obligations may also separately claim for damages under Article 12 of the PDPL.
Article 119 of the Draft Implementing Regulations clarify that in determining the amount of compensation, the court (or a party mutually agreed and appointed by the Personal Data Controller and the relevant Personal Data Subject(s)) must consider:
- the degree of malicious intent or expected harm;
- the amount of loss involved;
- the economic benefits that the Personal Data Controller has gained as a resulted of the violation;
- the fine amount for the violation;
- the duration and frequency of the violation;
- the Personal Data Controller’s assets;
- the Personal Data Controller’s efforts to obtain personal information after the violation; and
- the Personal Data Controller’s efforts to mitigate the Personal Data Subject’s losses.
Click here for a copy of the PDPL (Indonesian version only).
Click here for a copy of the Draft Implementing Regulations (Indonesian version only).
The information provided above does not, and is not intended to, constitute legal advice pertaining to the PDPL and Draft Implementing Regulations; information, content, and materials stipulated above is based on our reading of the PDPL and Draft Implementing Regulations and are for general informational purposes only.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.