Background
Historically, Indonesia's data protection measures were fragmented across various regulations and sectors, lacking a unified framework that addressed the complexities of modern data usage.
This changed with the introduction of the PDP Law (Law No. 27 of 2022), which established a comprehensive legal structure to protect personal data across all sectors. Before this, provisions related to data protection were found sporadically in laws concerning electronic information and transactions, consumer protection, and sectoral regulations in areas such as financial services, healthcare, technology and banking, which did not sufficiently cover all aspects of data privacy and security.
Driving forces behind the enactment of the PDP Law
The push for Indonesia's dedicated Personal Data Protection (PDP) Law was driven by a mix of international trends towards stricter data privacy regulations and domestic challenges, including significant data breaches that exposed vulnerabilities in existing laws. The booming digital economy in Indonesia, marked by an increase in personal data usage, required a robust legal framework to protect privacy and build trust in digital services, thereby supporting economic growth.
In shaping the PDP Law, Indonesian lawmakers adapted principles from global standards like the EU GDPR to address both international compliance needs and local challenges.
Key definitions and concepts
This section explores the classification of personal data according to the PDP Law and outlines the specific protections afforded to different categories.
Personal Data
The PDP Law defines "Personal Data" as any information relating to an identified or identifiable individual. This data can be identified or linked to an individual directly or indirectly, through combination with other information, whether processed through electronic systems or non-electronic means. This broad definition encompasses a wide range of data types and emphasizes the law's extensive reach in protecting personal information.
Categories of Personal Data
The PDP Law distinguishes between two main categories of personal data: general and specific (sensitive) personal data. Each category requires different levels of protection due to the varying degrees of privacy concerns they raise.
- General Personal Data includes data typically found on identification documents and other general records. Examples include an individual's full name, gender, nationality, religion, and marital status. While important, the risk associated with the processing of general personal data is considered lower compared to sensitive data.
- Specific Personal Data, regarded as more sensitive, includes:
  - Health and medical information.
  - Biometric and genetic data.
  - Criminal records.
  - Children’s data.
  - Personal financial data.
  - Any other data deemed sensitive by law.
The handling of specific personal data is subject to stricter regulatory requirements due to the higher risk it poses to an individual's privacy and security. For instance, processing such data typically demands a thorough data protection impact assessment to evaluate and mitigate risks.
Moreover, organizations processing sensitive data may be required to appoint a Data Protection Officer (DPO) to ensure compliance with the PDP Law, particularly when the processing activities involve large-scale operations or include data relating to criminal actions.
Data protection principles
To ensure compliance, the PDP Law outlines several key principles that govern the processing of personal data:
- Lawfulness, Fairness, and Transparency: Data must be handled legally, fairly, and in a transparent manner.
- Purpose Limitation: Data should only be collected for explicit, legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: Only data that is relevant and necessary for the purposes specified should be processed.
- Accuracy: Personal data must be kept accurate and up-to-date.
- Integrity and Confidentiality: Data must be processed in a way that ensures security, including protection against unauthorized or illegal processing and against accidental loss, destruction, or damage.
Through these provisions, the PDP Law aims to align Indonesia's data protection standards with international norms while addressing specific local privacy concerns, thereby enhancing the trust and safety of digital interactions within the country.
Data subjects’ rights under the PDP Law
Indonesia's PDP Law establishes robust rights for data subjects, designed to empower individuals and ensure their personal information is handled responsibly and transparently. Here we provide a comprehensive list of these rights and illustrate how they apply in real-world scenarios.
Comprehensive List of Rights under the PDP Law
- Right to be Informed: Data subjects have the right to know the identity of the data collector, the legal basis for processing their data, the purposes of data collection, and how their data is being used.
- Right of Access: Individuals can access and receive copies of their personal data held by an entity.
- Right to Rectification: Data subjects can update or correct inaccuracies in their personal data to ensure the information remains accurate and up to date.
- Right to Erasure: Individuals can request the deletion or disposal of their personal data when it is no longer necessary for the purposes it was collected for, or if they withdraw consent.
- Right to Restrict Processing: This right allows individuals to limit how their personal data is used, particularly in cases where the accuracy of the data is contested, or the processing is unlawful.
- Right to Object to Processing: Data subjects can object to data processing in certain circumstances, such as for direct marketing purposes or when processing is based on automated decision-making that affects them significantly.
- Right to Data Portability: Individuals can request a copy of their personal data in a digital format and can transfer their data from one service provider to another.
- Right to Withdraw Consent: At any time, data subjects can withdraw consent previously given for processing their personal data.
- Right to Non-Discrimination: Data subjects can exercise their privacy rights without any form of discrimination or penalty.
- Right to File a Lawsuit and Receive Compensation: If their data privacy rights are violated, individuals have the right to seek legal remedies and compensation.
- Right to Complain: Data subjects can lodge complaints with the relevant data protection authority regarding the handling of their personal data.
- Right to Object to Automated Decision-Making, Including Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling.
Use cases
Case 1: Incorrect personal data
Ayman notices that his date of birth is incorrect on his online banking profile. He uses his Right to Rectification to request the bank update his information, ensuring his personal data remains accurate and relevant.
Case 2: Unwanted marketing emails
After signing up for a newsletter, Hardy starts receiving marketing emails he no longer wishes to receive. He exercises his Right to Object to Processing by opting out of future communications, addressing his right to control how his personal data is used.
Case 3: Data breach notification
Following a data breach at a retail company, customers are notified of the incident. Affected individuals, like Kaylana, can use their Right to be Informed to understand the extent of the breach and their Right to Complain to the national data protection authority to seek accountability.
Case 4: Switching service providers
Danur decides to switch to a new fitness tracking service and wishes to transfer his historical health data. He utilizes his Right to Data Portability to move his data securely from the old provider to the new one without hindrance.
Scope, reach, and other protocols of the PDP Law
The PDP Law, Law No. 27 of 2022, is a comprehensive legal framework enacted to safeguard personal data within and beyond the borders of Indonesia. This global reach aligns Indonesia's data protection practices with international standards, notably the European Union’s General Data Protection Regulation (GDPR). It applies to every individual or company, public agency and international organization that performs legal acts as regulated under the PDP Law:
- Within the jurisdiction of the Republic of Indonesia; and
- Outside the jurisdiction of the Republic of Indonesia, provided that such act has legal consequences:
  - Within the jurisdiction of the Republic of Indonesia; and/or
  - For Personal Data Subjects who are Indonesian citizens outside the jurisdiction of the Republic of Indonesia.
In this regard, the PDP Law has extra-territorial scope as it would also cover any personal data of any Indonesian outside the jurisdiction of the Republic of Indonesia.
Lawful bases for processing Personal Data
For data processing to be lawful under the PDP Law, it must meet certain criteria such as:
- Obtaining express consent from data subjects for specific purposes;
- Fulfilling contractual obligations;
- Complying with legal requirements;
- Protecting vital interests of the data subject;
- Serving public interests; or
- Legitimate interest.
These bases ensure that personal data is handled in a manner that respects the privacy and integrity of the data subject.
Regulatory authorities
The Indonesian Data Protection Authority (Indonesian DPA) is set to play a pivotal role in the nation's data privacy landscape. The authority is tasked with several crucial functions:
- Policy formulation: The Indonesian DPA will be responsible for creating and enforcing policies and strategies that safeguard personal data.
- Supervision and monitoring: This involves regular oversight of how personal data protection laws are implemented across various sectors.
- Enforcement: The DPA will have the authority to enforce laws and regulations concerning violations of personal data protection.
- Dispute resolution: The authority will also facilitate alternative dispute resolution mechanisms to handle data protection disputes outside of court settings.
Currently, the Ministry of Communication and Informatics (MOCI) temporarily fulfills these responsibilities. MOCI ensures compliance with data protection regulations within the electronic information and transactions (EIT) sector by coordinating data transfer across borders, overseeing data breach notifications, supervising data protection implementations, and enforcing administrative sanctions for non-compliance.
Coordination with sector-specific authorities will be essential, particularly in areas like banking and capital markets where sensitive personal data is prevalent. These bodies include the Financial Services Authority (FSA), which has overseen data privacy in the capital markets sector since 2012 and in the banking sector since 2013.
Additionally, in cases where data protection issues escalate to criminal offenses, law enforcement agencies may step in to address these violations, potentially leading to prosecutions that involve fines or imprisonment.
Stakeholders
The PDP Law identifies several key parties involved in the processing of personal data, including:
- Personal Data Subject: This is the individual to whom the personal data belongs and who benefits from the protections offered by the PDP Law.
- Personal Data Controller: This role is filled by individuals or entities, including public agencies and international organizations, who determine the objectives and manage the processing of personal data, either alone or jointly.
- Personal Data Processor: Similar to the controller, this includes individuals or entities, public agencies, and international organizations that process personal data on behalf of the Personal Data Controller.
- Data Protection Officer (DPO): This individual is designated by the personal data controller and processor to oversee data protection strategies. The DPO may be an internal or external appointee to the organization.
Personal Data Controller (“Controller”) and Personal Data Processor (“Processor”)
The PDP Law outlines roles for (a) Personal Data Controller (“Controller”) and (b) Personal Data Processor (“Processor”). The table below outlines the distinct yet complementary roles of Controllers and Processors under the PDP Law, highlighting their respective duties in the management and safeguarding of personal data:
| Obligations | Controller | Processor |
|---|---|---|
| Process the personal data lawfully, specifically, and transparently | Yes | - |
| Process personal data for its stipulated purpose | Yes | - |
| Ensure accuracy, completeness, and consistency of personal data and verify such data | Yes | Yes |
| Update and/or correct errors in personal data and notify the data owner of corrections | Yes | - |
| Record all personal data processing activities | Yes | Yes |
| Provide access to personal data to the data subjects | Yes | - |
| Deny access to changes in personal data that could harm the owner, reveal someone else's personal data, or conflict with national security | Yes | - |
| Conduct a risk impact assessment for personal data that poses a high risk to the owner | Yes | - |
| Ensure the protection and security of personal data | Yes | Yes |
| Maintain the confidentiality of personal data | Yes | Yes |
| Supervise any parties under its control involved in processing personal data | Yes | Yes |
| Protect personal data from unauthorized processing | Yes | Yes |
| Prevent illegal access to personal data | Yes | Yes |
| Stop processing personal data if the subject withdraws consent | Yes | - |
| Suspend and restrict processing of personal data upon request for delay and limitation | Yes | - |
| Cease processing of personal data under specific conditions | Yes | - |
| Delete personal data when certain legal conditions are met | Yes | - |
| Destroy personal data if required by law | Yes | - |
| Notify the data owner about the deletion or destruction of personal data | Yes | - |
| Notify the data owner and supervisory body about failures in personal data protection | Yes | - |
| Be responsible for the processing and adherence to personal data protection principles | Yes | - |
| Notify about the transfer of personal data during corporate actions | Yes | - |
| Execute orders from the supervisory body concerning the protection of personal data | Yes | - |
Data Protection Officer (DPO)
The PDP Law has formalized the requirement for certain organizations to appoint a Data Protection Officer (DPO). This role is crucial for ensuring compliance with data protection regulations and acts as a focal point for data protection activities within the organization.
Key functions of the DPO
- The DPO advises the organization on complying with PDP law requirements and best practices, including matters related to data protection impact assessments (DPIA).
- The DPO is responsible for monitoring the organization's data protection policies and their alignment with the PDP Law.
- They conduct training sessions and awareness programs for staff about data protection principles and practices.
- The DPO serves as the liaison between the organization and regulatory authorities for matters relating to data processing.
When is a DPO required?
Organizations are required to appoint a DPO under the PDP Law if they process personal data as part of their core activities that require regular and systematic monitoring of data subjects on a large scale, or if they handle large volumes of sensitive personal data or data related to criminal convictions and offenses.
Sanctions for Non-Compliance
Failing to appoint a DPO where required can lead to administrative sanctions under the PDP Law, which may include fines, written warnings, or even temporary suspension of data processing activities.
Breach notification and remediation
Protocols for breach detection, reporting, and notification
Under Indonesia's PDP Law, stringent protocols have been established to address data breaches. When a data breach occurs, both the data controller and processor are mandated to notify the affected data subjects and the Indonesian Data Protection Authority (DPA) within 72 hours. The notification must include the following details:
- The nature of the breached data;
- The circumstances of the breach;
- The steps taken to mitigate its effects, which include:
  - Assessing the scope and impact of the breach;
  - Identifying the compromised data; and
  - Taking steps to secure and recover the affected systems.
- If the breach affects public services or has a significant public impact, a broader public announcement may also be required.
Sanctions and enforcement
The PDP Law specifies a range of administrative and criminal sanctions for non-compliance. Administrative penalties may include written warnings, temporary suspension of data processing activities, forced deletion of personal data, and potentially hefty fines.
In addition, where criminal offences are committed by a corporation, the maximum fine can be multiplied by up to 10 times, profits derived from the unlawful activities may be seized, and other corporate sanctions may be applied.
Corporate liability and consequences
Corporations found in violation of the PDP Law face significant repercussions. Beyond the direct penalties imposed on the entity, such as fines and operational restrictions, individuals within the organization, including directors or managers, may also be held accountable. This underscores the importance for businesses to ensure rigorous compliance with the law, maintain accurate records of data processing activities, and implement effective data protection measures.
Cross-border data transfer
The PDP Law sets forth specific criteria for the cross-border transfer of personal data from Indonesia, ensuring that such transfers meet stringent data protection standards. These rules are designed to protect personal data when it moves outside of Indonesia's borders:
- The data exporter must ensure that the recipient country offers a level of personal data protection that is equivalent to or exceeds that provided under the PDP Law.
- In the absence of adequate protection in the recipient country, the transferor must ensure that adequate and binding safeguards, such as standard contractual clauses, are in place.
- If neither of the above conditions is met, the transferor must obtain explicit consent from the data subjects for the transfer of their personal data.
- Additionally, the EIT regulatory framework mandates that cross-border data transfers be reported both before and after the transfer, detailing the recipient, the date of transfer, and the purpose. This report is typically submitted annually.
Ensuring compliance with cross-border data protection standards
To comply with these regulations, companies engaged in the transfer of personal data internationally must adhere to the following practices:
- Assessment: Before initiating data transfers, companies must evaluate whether the recipient country's data protection standards are equivalent to those required by the PDP Law.
- Implementation: If the recipient country does not meet the adequacy requirement, the company must implement legally binding safeguards to protect the data.
- Obtaining data subject consent: Where neither adequacy nor safeguards are feasible, explicit consent must be obtained from the data subjects, ensuring they are fully informed of the risks associated with the data transfer.
These rules ensure that personal data originating from Indonesia is protected in accordance with high standards, even when processed abroad. They also mandate cooperation between Indonesian data controllers and international jurisdictions, highlighting the need for a global approach to data privacy.
Furthermore, the specific mechanisms for these transfers, the necessary steps for compliance, and the role of regulatory bodies in supervising these activities are expected to be elaborated in forthcoming government regulations. Until then, companies must navigate these requirements carefully, potentially consulting with the Directorate General for Informatics Application (DITJEN APTIKA) within the Ministry of Communication and Informatics for guidance on compliance and reporting obligations related to cross-border data transfers.
What should companies do to comply with PDP Law?
All personal data controllers, processors, and other relevant entities are required to align their policies and operational procedures with the PDP Law by October 16, 2024. This two-year window, following the law's enactment, provides a necessary period for organizations to make the appropriate internal adjustments, ensuring that their data processing activities conform to the new legal framework.
As Indonesia advances its PDP Law, the government is actively developing and implementing regulations. During this transitional period, companies are advised to engage in self-assessment to determine their role as personal data controllers or processors. Based on this assessment, several preliminary steps should be taken:
- Gap analysis: Organizations should conduct a comprehensive review of their current personal data protection practices against the requirements of the PDP Law, including internal data processing guidelines, data protection policies, and existing contracts with customers, vendors, or other third parties that involve the processing of personal data.
- Updating privacy notices: Companies must revise or draft new privacy notices to ensure transparency about how personal data is handled, making them accessible to external stakeholders.
- Revamping data protection policies: It is essential for companies to update or establish robust data protection policies and guidelines for internal stakeholders to ensure compliance.
- Appointing a Data Protection Officer (DPO): Companies should appoint a DPO, either an internal member or an external consultant, to oversee compliance with the PDP Law. Implementing a privacy management technology platform can also support compliance and enhance data protection measures.
- Data inventory, mapping, and classification: Organizations should conduct thorough data inventories and mapping exercises to classify data based on sensitivity and applicability under the PDP Law, which facilitates more effective data management and protection strategies.
- Implementing privacy by design and default: Companies should integrate privacy into the design stage of any system, service, or product that involves personal data, ensuring that privacy settings are configured at the maximum level of protection by default.
- Data Protection Impact Assessments (DPIAs): Organizations are required to conduct DPIAs for processing activities that pose high risks to the privacy rights of individuals to identify and mitigate risks before any data processing activities are undertaken.
- Managing risks in data processing: Companies must develop strategies to minimize risks associated with the processing of personal data, including implementing secure data processing practices, ensuring data accuracy, and maintaining integrity throughout the data lifecycle.