NO&T Asia Legal Review
Nearly a year following the enactment of Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), the Ministry of Communications and Information Technology of the Republic of Indonesia (“MOCI”) on 31 August 2023 published the draft of the government regulation (“GR Draft”) regarding the implementation of PDP Law for public discussion and consultation.
The period for public comments was closed on 25 September 2023 (extended from 14 September 2023). The public was encouraged to share feedback by creating an online account and submitting their inputs through a dedicated website established by MOCI (www.pdp.id). The GR Draft is expected to come into force in October 2024.
The issuance of the GR Draft aimed to provide a comprehensive framework and further clarification on the PDP Law. Nonetheless, we note that some provisions still lack a clear explanation.
The GR Draft spans over 188 pages, comprising a total of 10 chapters and 245 articles that specifically address the following topics:
Key provisions of the GR Draft include the following:
In addition to specific personal data listed in the PDP Law, this GR Draft broadens the definition of personal data by adding “other data in accordance with the provisions of laws and regulations”. It stipulates that “other data” is classified as specific personal data if it can potentially cause more significant harm to personal data subjects, such as discrimination, material/non-material loss, or a violation of the law. However, the GR Draft does not provide further explanation for calculating material/non-material loss, including the method for determining the extent of “more significant harm” to personal data subjects. MOCI, in coordination with the PDP Agency established under the PDP Law, shall have the authority and discretion to determine and designate additional data as “other data”.
The GR Draft sets out more specific obligations for a personal data controller. For instance, in order to enhance the security and convenience of personal data subjects, personal data controllers are required to set up a communication line that allows the personal data subject to communicate directly with the personal data controller. In addition, the GR Draft requires the personal data controller to establish a policy for personal data processing and an agreement with the personal data processor which sets out the statutory minimum provisions regulated under the GR Draft.
The GR Draft also provides further details on how the personal data controller can obtain consent from personal data subjects, including through electronic measures (e.g., columns and other consent features), which are not yet addressed in the PDP Law.
The GR Draft elaborates further on the rights of personal data subjects to file a claim and request compensation from a personal data controller in case of error or negligence in personal data processing.
The claim can be in the form of material and non-material claims. Material claims include financial compensation equivalent to the losses incurred by personal data subjects. The amount of material claim that a personal data subject can file will be determined by the appointed party authorized to resolve the dispute outside court or by a panel of judges. On the other hand, non-material claims include corrective actions or other measures aimed at restoring the protection of personal data.
The PDP Law requires the personal data controller to notify the personal data subject in the event of merger, separation, acquisition, amalgamation and/or dissolution of the personal data controller. The GR Draft further specifies that the notification must occur prior to the completion of such corporate actions. Additionally, both the previous and new data controllers shall enter into an agreement that governs the rights and obligations of each party with respect to the transferred personal data.
It is worth noting that the GR Draft does not elaborate on the formation of the PDP Agency despite the mandate already provided under Article 58 of the PDP Law. Consequently, it remains silent on the specific procedures to establish the PDP Agency.
Notwithstanding the above, the GR Draft elaborates on the scope of authority vested in the PDP Agency, as follows:
The GR Draft provides that in the event of a personal data breach or any failure to protect personal data, the personal data controller who is responsible for the data’s protection is required to promptly report the failure or breach to the PDP Agency and the affected personal data subjects. This report shall be submitted within a maximum period of 3 x 24 hours (i.e., 72 hours) from the moment the personal data controller becomes aware of the failure or breach. The GR Draft clarifies that no notification is required if the failure or breach does not lead to the disclosure or leakage of personal data.
The current PDP Law permits the transfer of personal data to other countries as long as the data controller or the data processor as the transferor can ensure that the receiving country has an equal or higher level of personal data protection. However, the PDP Law does not specify the criteria for assessing the adequacy of such personal data protection level.
The GR Draft finally provides specific benchmarks to meet such requirements, as follows:
Additionally, the GR Draft stipulates that in the event the requirements cannot be fulfilled, the personal data controller must ensure that the receiving country has adequate and binding personal data protection measures. It can be ascertained through the existence of:
The GR Draft also introduces new mandates relating to cross-border data transfer, whereby the personal data controller is required to perform a risk assessment and a legal instrument assessment prior to processing the personal data transfer. In this regard, the personal data controller and/or personal data processor must assess the necessity of the data transfer and its impact on the rights of personal data subjects. In addition, the GR Draft provides for the possibility of personal data transfer as ordered by a court decision, tribunal or decision of a third country administrative authority. It is important to note that such personal data transfer is only allowed if there is an underlying international agreement with the requesting country which justifies the transfer of personal data.
In order to improve the protection of personal data subjects, the GR Draft provides standard forms and clauses for mandatory agreements and documents in processing personal data, which include:
The PDP Law sets out that the administrative fines for non-compliance can reach up to 2% of a company’s annual revenue or an amount determined based on violation variables. The GR Draft further specifies the variables for calculating fines:
The GR Draft introduces an alternative dispute settlement forum that allows the personal data subjects and the personal data controllers and/or processors to report the disputes to the PDP Agency. The facilitation of dispute settlement by the PDP Agency must prioritize mediation. A detailed mediation procedure is set out under the GR Draft.
As the GR Draft is subject to public inputs which have been solicited by the MOCI, it is highly likely that further changes will be made before the final draft is approved by the President. In the meantime, businesses are advised to proactively review and align their data processing practices with the GR Draft to avoid potential sanctions as well as to foster trust among personal data subjects.
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.