NO&T Asia Legal Review
After a long wait and several public discussions, the government of the Republic of Indonesia finally enacted Law No. 27 of 2022 on Personal Data Protection on 17 October 2022 (“PDP Law”). Prior to the enactment of the PDP Law, some regulations contained certain provisions concerning personal data protection, among others: Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (“GR 71/2019”) and Regulation of the Minister of Communication and Informatics No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Regulation 20/2016”). While these regulations have some provisions on personal data protection, their scope is not comprehensive enough to cover all matters related to personal data. Therefore, it was necessary for Indonesia to implement one comprehensive personal data protection law to regulate all matters pertaining to data protection, in line with the global trend, especially after the enactment of the GDPR in the European Union.
The PDP Law defines personal data as any data relating to an identified or identifiable natural person who can be identified on the basis of such data or in combination with other information, either directly or indirectly, through an electronic or non-electronic system. This definition is similar to the definition provided under the GR 71/2019.
What is new under the PDP Law is the classification of personal data: the PDP Law classifies personal data into two categories, namely general personal data and specific personal data, and lists examples for each category. General personal data includes full name, gender, nationality, religion, marital status, and/or a combination of personal data that identifies a person (for example, mobile phone numbers and IP addresses). Specific personal data includes health information, biometric data, genetic data, criminal records, children’s data, financial information, and/or any other data which is considered sensitive data under prevailing laws and regulations.
Based on this classification, the treatment of general personal data and specific personal data differs. The PDP Law provides that where a data controller or data processor collects or processes specific personal data, it is required to carry out an assessment of the impact on personal data protection, and if the processing of specific personal data is conducted on a large scale, the data controller and data processor must appoint a data protection officer who will be in charge of the security of the specific personal data.
A data subject is an individual who owns personal data. As the owner of personal data, a data subject has certain rights under the PDP Law, including but not limited to (i) the right to receive information about the identity of the requesting party, the legal interests and the purpose for which his/her personal data is requested and will be used, (ii) the right to complete, update, and rectify inaccuracies in his/her personal data, (iii) the right to have access to his/her personal data, (iv) the right to discontinue the processing of, delete and destroy the personal data, and (v) the right to withdraw his/her consent to the processing of personal data.
The PDP Law also introduces new terminology, namely data controller and data processor. Essentially, the data controller is the party that determines the purpose of the processing of personal data, while the data processor is the party that processes personal data on behalf of the data controller. This differentiation follows the concept currently applied in other countries, where it is common for a company that wishes to collect and process data (i.e. the data controller) to appoint a third-party service provider (i.e. the data processor) to do so on its behalf.
Since the data processor acts only for and on behalf of, and upon the instructions of, the data controller, the processing of personal data is the responsibility of the data controller. As such, the obligations related to personal data under the PDP Law are mainly imposed on the data controller, such as obtaining consent from the data subject prior to processing, ensuring the security of personal data, and notifying the data subject in the event of a failure of personal data protection. The data processor is responsible only if it acts beyond the instructions of the data controller. It is therefore advisable to put in place a detailed and comprehensive agreement between the data controller and the data processor.
The “processing” of personal data includes the activities of collecting, processing, analyzing, storing, correcting, displaying, announcing, transferring, disseminating, or destroying personal data. If a data controller wishes to carry out the processing of personal data, it needs to secure consent from the data subject to do so. Consent can be requested for a specific action or for all actions that may be carried out by the data controller. From a practical perspective, it is advisable for the data controller to secure consent for all activities at the time the personal data is collected, so that it will not be required to request consent for different purposes in the future. The consent must be prepared in Bahasa Indonesia, in written or recorded form, either electronically or non-electronically.
In addition to consent from the data subject, there are other legal bases that can apply to the processing of personal data, namely:
a. Contractual obligation, namely when the processing of personal data is necessary for the performance of a contract that involves data subject as a party or to fulfil the data subject’s request before entering into a contract;
b. Legal obligation, where the processing of personal data is required to comply with the law applicable to the data controller;
c. The processing of personal data is necessary to protect vital interests of the data subject;
d. Protection of public interest; and/or
e. Legitimate interest, where the processing of personal data is necessary for the legitimate interest of the data controller considering its purposes, needs, and the balance between the data controller’s interests and data subject’s rights.
The PDP Law provides that the data controller must perform a data protection impact assessment where the processing of personal data carries a high potential risk to the data subject, among others:
a. Processing of specific personal data;
b. Processing of personal data on a large scale;
c. Processing of personal data for a systematic evaluation, scoring, or monitoring of a data subject;
d. Processing of personal data for matching or combining a group of data; and/or
e. The use of new technologies in the processing of personal data.
Moreover, certain data controllers and data processors are required to appoint a data protection officer, who will supervise compliance with the PDP Law, inform and advise the data controller or data processor on the data protection impact assessment, and act as the contact person for any issues related to the processing of personal data. The data protection officer can be an employee of the data controller or data processor or an external person, but the PDP Law does not set out specific requirements for a person to be appointed as data protection officer.
More detailed rules related to data protection impact assessment and data protection officer will be regulated under the Government Regulation.
One of the most common issues that foreign companies operating in Indonesia face with respect to personal data protection is the procedure for transferring personal data outside Indonesia, for example, when an Indonesian subsidiary wishes to share information on its customers with its overseas headquarters. This has been regulated under MOCI Regulation 20/2016, but its implementation is not clear to date. MOCI Regulation 20/2016 explains that the transfer of personal data outside Indonesia must be done in coordination with the MOCI, but so far the MOCI has not prepared any guidelines or formal procedures for doing so. It appears that this condition is abolished under the PDP Law. The PDP Law only requires that data controllers who wish to transfer personal data outside Indonesia ensure that the receiving country has a similar or higher level of personal data protection. This requirement, however, can be set aside if the data controller can ensure sufficient and binding personal data protection or, if that cannot be fulfilled either, if the data controller has secured consent from the data subject.
The PDP Law also introduces a new requirement with respect to personal data in the context of corporate actions. Data controllers which intend to conduct a merger, consolidation, acquisition, spin-off, or dissolution must notify data subjects of the transfer of personal data before and after the completion of the corporate action. The notification can be given either directly to the data subject or through a newspaper announcement.
The PDP Law applies extra-territorially, which means it applies not only within the territory of the Republic of Indonesia, but also outside Indonesia where the processing of personal data has a legal impact within Indonesian territory and/or relates to Indonesian data subjects who are located outside Indonesia.
The PDP Law applies to the processing of personal data by individuals, private entities, public entities, or international organizations for any purpose, except in the case of personal or household activities. However, there is no further explanation of what activities are considered “personal or household activities”.
The PDP Law provides two types of sanctions for violations, namely administrative sanctions and criminal sanctions. Administrative sanctions may be imposed for violations of the corporate action notification requirement, the data protection officer appointment requirement, and other administrative requirements. Administrative sanctions can take the form of written warnings, temporary suspension of data processing activities, deletion of personal data, and/or administrative fines of up to 2% of annual revenue, assessed against the violation variable.
Criminal sanctions may be imposed for violations of the prohibition on unlawfully collecting personal data with the intention of obtaining a benefit, the prohibition on unlawfully disclosing personal data, the prohibition on unlawfully using personal data, or the prohibition on creating or using false personal data for one’s own benefit. Criminal sanctions take the form of imprisonment ranging from 4 to 6 years and/or a monetary penalty of up to IDR 6 billion.
After its enactment, the PDP Law will be the main reference for personal data matters in Indonesia, and consequently all existing laws and regulations that contain provisions related to personal data must be brought in line with the provisions set out in the PDP Law. If there is any conflict between the PDP Law and other regulations on the same subject matter, the provisions of the PDP Law shall prevail. The PDP Law is in force as of its enactment date, i.e. 17 October 2022. However, the government has provided a transition period of two years for data controllers, data processors and any other relevant parties to adjust their policies, practices, or internal rules in accordance with the PDP Law.
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
Win Shwe Yi Htun