Update 10:27 - November 04, 2022
Law Number 27 of 2022 concerning Personal Data Protection
REGULATORY APPROACH TO PERSONAL DATA PROTECTION AND HOW IT IMPACTS THE BUSINESS ACTORS
On 20 September 2022, the House of Representatives passed the much-anticipated bill on Personal Data Protection Law. Subsequently, on 17 October 2022, the President of the Republic of Indonesia enacted it into Law No. 27 of 2022 concerning Personal Data Protection Law (“PDP Law”).
This Law aims to protect and guarantee the basic right of Indonesian citizens to privacy as mandated by Article 28G paragraph (1) of the Constitution. It also aims to protect the public when accessing services from corporations, public agencies, international organizations, and the government, as well as to encourage the growth of the digital economy and the information and communication technology industry.
2. Key Provisions
Consisting of 16 Chapters and 76 Articles, PDP Law sets out provisions regarding the types of personal data, the subject of personal data, the rights of the personal data subject, the personal data controller, the personal data processor, personal data processing, data protection officers, personal data transfer, the supervisory authority, dispute resolution and procedural law, and administrative and criminal sanctions. We summarise the key provisions below:
a. Definition of Personal Data
Article 1 point 1 of PDP Law defines personal data as data relating to an individual who is identified or can be identified, separately or in combination with other information, either directly or indirectly, through electronic or non-electronic systems. Under this definition, personal data only covers the data of individuals.
b. Extraterritorial Effect
In addition to applying within the territory of Indonesia, PDP Law also has extraterritorial effect. Pursuant to Article 2 paragraph (1) letter b of PDP Law, it applies to any person or entity outside Indonesian jurisdiction if [their actions] have legal consequences within Indonesian jurisdiction and/or for Indonesian Subjects of Personal Data outside Indonesian territory. Consequently, any foreign entity whose business activity has an impact on Indonesia’s market, or which carries out its business activity in Indonesia either directly or indirectly, is subject to PDP Law.
c. Types of Personal Data
PDP Law categorises personal data into general and specific data. General Personal Data includes full name, gender, nationality, religion, marital status and/or personal data combined to identify a person. Specific Personal Data includes health data and information, biometric data, genetic data, crime records, child data, personal financial data and/or any other data in accordance with the prevailing laws and regulations.
The difference between General Personal Data and Specific Personal Data lies in the manner of their processing. The processing of Specific Personal Data is categorised as personal data processing with high potential risk and thus requires an assessment of the impact of personal data protection (DPIA), as further described under Personal Data Controller in section d below. Processing of Specific Personal Data on a large scale also requires the involvement of a Data Protection Officer. These requirements do not apply to General Personal Data.
d. Subject of Personal Data and its Rights
The subject of personal data is the individual to whom personal data is attached (“Subject of Personal Data”). PDP Law grants the Subject of Personal Data several rights, among others: rights related to personal data processing, the right to object to decision-making based solely on automated personal data processing, rights related to restrictions on the processing of personal data, and the right to file a claim and receive compensation in the event of a violation of personal data processing. Further implementing regulations on these rights will be issued.
In connection with the rights granted to the Subject of Personal Data above, PDP Law provides for particular roles, namely the personal data controller and the personal data processor, as follows:
i. Personal Data Controller
A personal data controller is any person, public agency, or international organization that acts individually or jointly in determining the objectives of, and exercising control over, the processing of personal data. Article 20 of PDP Law requires a personal data controller to have a legal basis for processing personal data. In processing personal data, it must hold proof of consent from the subject of personal data. In addition, a personal data controller is required to process personal data in accordance with the purpose of the processing and to record all personal data processing activities (Record of Processing Activities or ROPA).
PDP Law also requires a personal data controller to conduct an assessment of the impact of personal data protection (DPIA) where the processing of personal data potentially carries a high risk to the subject of personal data, i.e., the processing of Specific Personal Data; processing of Personal Data on a large scale; processing of Personal Data for evaluation, scoring, or systematic monitoring of the Subject of Personal Data; processing of Personal Data for matching activities or merging groups of data; using new technology in processing Personal Data; and/or processing of Personal Data which limits the exercise of the rights of the Subject of Personal Data. PDP Law also sets time limits for notifying the subject of personal data of certain actions that the personal data controller must take in certain situations; for example, in the event of a failure of Personal Data protection, the Personal Data Controller must notify the Subject of Personal Data in writing within 3 days.
The term ‘personal data controller’ in the PDP Law is a newly introduced concept. PDP Law defines the role of the personal data controller, which provides legal certainty about who controls the personal data.
ii. Personal Data Processor
In addition to the personal data controller, PDP Law designates another role, i.e., the ‘personal data processor’. A personal data processor is defined as any person, public agency, or international organization that acts individually or jointly in processing personal data on behalf of the personal data controller.
The personal data processor is required to perform personal data processing based on the instructions of the personal data controller. If the personal data processor processes personal data outside the instructions and purposes set by the personal data controller, the personal data processor is responsible for such processing.
PDP Law emphasises the role of the personal data processor, which was not regulated in detail in Law number 11 of 2008, as last amended by Law number 19 of 2016 on Electronic Information, or its implementing regulation, Ministry of Communication and Informatics Regulation No. 20 of 2016 concerning Personal Data Protection in Electronic Systems. With clearer roles for the parties involved in personal data processing, it is arguably easier to identify to which party (data controller or data processor) a violation of data processing is attributable.
e. Personal Data Processing
Personal data processing activities include acquisition and collection; processing and analysis; storage; repair/correction and update; display, announcement, transfer, dissemination, or disclosure; and/or deletion or destruction of the personal data. In line with Article 18 (1) of the Law, personal data processing can be carried out by 2 or more personal data controllers subject to the following requirements:
i. There is an agreement between the personal data controllers providing the roles, responsibilities, and relationship between the personal data controllers;
ii. There are interconnected purposes and ways of processing personal data that are mutually determined; and
iii. There is a jointly appointed contact person.
PDP Law also specifically regulates the processing of personal data of children and persons with disabilities. Processing the personal data of children requires consent from their parents in accordance with the prevailing laws and regulations. Meanwhile, processing the personal data of persons with disabilities is conducted through a specific communication [method] and requires consent from the respective person or his/her guardian.
f. Data Protection Officer
A personal data controller and a personal data processor are required to appoint a data protection officer if:
i. Processing of personal data is for the benefit of public services;
ii. The core activity of the personal data controller has the nature, scope, and/or objectives that require regular and systematic monitoring of personal data on a large scale; and
iii. The core activity of the personal data controller consists of processing personal data on a large scale for personal data of a specific nature and/or personal data related to criminal acts.
Furthermore, the data protection officer has the following duties:
g. Transfer of Personal Data
Personal data transfer can be carried out by a personal data controller within or outside Indonesian jurisdiction. In the event of a transfer of personal data outside Indonesian jurisdiction, the personal data controller is obliged to ensure that the country of the personal data controller and/or personal data processor receiving the transfer has a level of personal data protection at least equal to, if not higher than, that stipulated under PDP Law.
h. Supervisory Authority
PDP Law mandates the establishment of a special agency tasked with the protection of personal data. Reporting directly to the President, this agency will be authorised to, among others, formulate and determine policies with respect to personal data protection, supervise the compliance of personal data controllers, and impose administrative sanctions for violations of personal data protection by the personal data controller and/or personal data processor. Details on the establishment of this agency will be regulated further under a presidential regulation.
i. Dispute Resolution and Procedure Law
Settlement of personal data protection disputes is carried out through arbitration, courts, or other alternative dispute resolution institutions in accordance with the prevailing laws and regulations.
PDP Law also reinforces the existing principle that electronic information and/or electronic documents are valid means of evidence in addition to the existing means of evidence under Indonesian procedural law.
j. Administrative Sanction
Violation of the various obligations of the personal data controller and personal data processor, such as failure to show evidence of consent given by the Subject of Personal Data for the purpose of processing personal data under Article 24 of PDP Law, carries administrative sanctions in the form of:
– Written warning;
– Temporary cessation of personal data processing activities;
– Deletion or destruction of personal data; and/or
– Administrative fines (subject to a maximum of 2 (two) percent of annual income or annual receipts for variable violations).
k. Criminal Sanction
In addition to the administrative sanctions, violations of several provisions under PDP Law carry criminal sanctions. For example, any person who intentionally and unlawfully discloses Personal Data that does not belong to him/her will be punished with imprisonment for a maximum of 4 years and/or a fine of a maximum of IDR 4 billion.
l. Transitional Provisions
Article 74 of PDP Law provides a 2-year grace period for business entities that qualify as Personal Data Controllers, Personal Data Processors, and other parties involved in Personal Data Processing to adjust in order to comply with PDP Law.
Additionally, all laws and regulations regarding personal data protection issued before PDP Law are still valid as long as the provisions are not contrary to PDP Law.
3. Impact on Business Actors
The issuance of PDP Law is expected to increase public trust, especially amidst recent personal data breaches. Further, PDP Law is seen as one of the efforts to enhance international trust in Indonesia in order to foster trade, industry, and foreign investment.
The enactment of the PDP Law will have an impact on business actors in the field of information technology that collect and process personal data, such as e-commerce, education, and health, as well as the public sector through e-government. Business actors will have more definite guidelines for protecting and processing their customers’ personal data. In turn, this may enhance customers’ trust in business actors.
In the near future, the Government will also issue a Government Regulation and Presidential Regulation as implementing regulations of the PDP Law, which will further regulate in detail the implementation of PDP Law.
For further information, please contact:
Harvardy, Marieta & Mauren
Menara Global – 7th Floor
Jln. Gatot Subroto Kav. 27 Jakarta Selatan 12950, Indonesia
Phone: +62 21 5292 0918 / 0919
This article is intended for general information only. It is not intended to be, nor should it be construed as, legal advice applicable to your particular situation. You should seek the advice of legal counsel of your choice before acting upon any of the information in this article.