Indonesia Enacts First Personal Data Protection Law: Key Compliance Requirements

Written by Ayman Falak Medina

Indonesia’s first data protection law, known as the Personal Data Protection Law, is closely based on the European Union’s General Data Protection Regulation (EU GDPR). The new law clearly states the types of legal basis for obtaining and processing personal data and sets out strict criminal and administrative sanctions for those who breach its provisions. These include corporate fines of up to two percent of a company’s annual revenue.

In late September 2022, Indonesia enacted its first-ever Personal Data Protection Law (PDP Law) after years of discussion and postponements. The law was approved quickly in part because the country had seen a series of high-profile data breaches in the preceding months, with the National Cyber and Encryption Agency investigating claims by a hacker using the name ‘Bjorka’ that they had access to confidential government data. The PDP Law is closely based on the European Union’s General Data Protection Regulation (EU GDPR).

Under Indonesia’s new Personal Data Protection Law, local businesses and international companies alike are liable for the way they handle the data of Indonesian consumers. The law imposes corporate fines of up to two percent of a company’s annual revenue for data leaks, and individuals can also face a fine of up to 6 billion rupiah (US$400,000).

The number of cyberattacks against Indonesian citizens and institutions in the first quarter of 2022 alone was recorded at 11.8 million, an increase of 22 percent from the same period in 2021. Furthermore, according to a report by Interpol, Indonesia experienced more ransomware attacks than any other country in Southeast Asia.

Before the PDP Law, the rules governing the use of personal data were scattered across different laws, which made it difficult for consumers to hold businesses accountable for misusing their personal data.

What are the key features of Indonesia’s Personal Data Protection Law?

Personal data subjects, controllers, and processors

Data subjects

The PDP Law introduces the term ‘personal data subject’, defined as the person to whom the personal data belongs. Data subjects are entitled to information on why their personal data is being requested and how it will be used. They can also request that any incorrect personal data be corrected and can withdraw their consent to the processing of their personal data.

Personal data controllers

A data controller is any person, public body, or organization that exercises control over the processing of personal data.

Personal data processors

A data processor is any person, public body, or organization that exercises control over the processing of personal data on behalf of a data controller.

Data controllers and processors must ensure the accuracy and security of the processed personal data.

Processing personal data

Under the previously prevailing laws, consent from the data owner was the only recognized legal basis for obtaining personal data. The PDP Law has broadened the legal bases for processing personal data. These are:

  1. Contract: The fulfillment of an obligation under an agreement to which the personal data subject is a party, or the satisfaction of a requirement for personal data when entering into an agreement;
  2. Legal obligation: The satisfaction of a legal obligation in accordance with Indonesian laws and regulations;
  3. Vital interest: Protection of the data subject’s vital interest;
  4. Consent: Explicit consent obtained from the data subject relating to one or more of the purposes that have been explained to the data subject;
  5. Legitimate interest: The fulfillment of other legitimate interests by observing the balance between the data controller’s interest and the rights of the data subject; or
  6. Public task: The implementation of tasks in the context of public interest or services, carried out by the data controller in accordance with Indonesian laws and regulations.

Data controllers are required to present evidence that consent was granted by the data subject when processing personal data on that basis.

Exemptions

The PDP Law does not apply to the processing of personal data for personal or household activities. The following processing of personal data is also exempt:

  • National defense and security purposes;
  • Law enforcement;
  • Public interest in the context of state administration; or
  • The supervision of the financial services sector.

Extraterritorial impact

The PDP Law applies to any person, public body, or international organization carrying out activities within the scope of the PDP Law that is located:

  • Within the jurisdiction of Indonesia; or
  • Outside the jurisdiction of Indonesia, where its activities have a legal impact within the jurisdiction of Indonesia or on data subjects who are Indonesian citizens located outside the country’s jurisdiction.

Cross-border personal data transfer

The new law permits data controllers to transfer personal data to data controllers located outside of Indonesia if:

  • The country in which the receiving data controller is located has personal data protection mechanisms equal to or higher than Indonesia’s;
  • Where the above condition cannot be satisfied, the data controller ensures that there is adequate, binding personal data protection in place; or
  • Where neither of the above conditions can be satisfied, the data controller obtains the consent of the data subject to transfer their personal data abroad.

Appointment of a data protection officer

If a data controller or processor processes personal data in the public interest, supervises personal data on a large scale, or processes personal data related to criminal activities, it must appoint a data protection officer.

The officer is appointed on the basis of their legal knowledge, their knowledge of personal data protection practices, their professionalism, and their capability to fulfil the role.

What happens in the case of company mergers, acquisitions, and consolidations?

The relevant data subjects must be notified of company mergers, acquisitions, and consolidations, and any personal data transfer that will arise from such activities.

This can be done by personal notification to the data subjects or through the mass media. Also, if a data controller is dissolved or liquidated, the storage, transfer, or deletion of personal data must be carried out in accordance with the law, and data subjects must be notified.

Sanctions

Criminal sanctions

The PDP Law clearly sets out the prohibited uses of personal data. These are:

  1. A person unlawfully obtaining personal data that does not belong to them with the intention of benefitting themselves or another person, resulting in a loss to the data subject;
  2. A person that unlawfully discloses personal data that is not their own;
  3. A person that unlawfully uses personal data that is not their own; or
  4. Creating fake personal data where such activity results in damage to other persons.

Violators of the PDP Law can face criminal sanctions, of which there are three types:

  1. Penalties: Individuals can be fined up to 6 billion rupiah (US$400,000) and corporations fined up to 60 billion rupiah (US$4 million);
  2. Imprisonment: Individuals can face up to six years of jail; or
  3. Other penalties: These include the seizure of assets derived from the crime, the freezing of the company’s activities, closure of the business, and revocation of business licenses, among others.

These criminal sanctions can be imposed on a company’s management team, its controllers, its beneficial owners, or those who gave the orders.

Administrative sanctions

Businesses that violate certain provisions of the PDP Law can receive administrative sanctions in the form of written warnings, deletion of the personal data, suspension of the personal data processing activity, or an administrative fine.

The administrative fine can be a maximum of two percent of the company’s annual revenue. This is still lower than the fine administered under the EU GDPR, which is four percent of a company’s annual revenue.

About Us

ASEAN Briefing is produced by Dezan Shira & Associates.