Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

Indonesia: prepare now for the new Personal Data Protection Law
https://privacymatters.dlapiper.com/2023/09/indonesia-prepare-now-for-the-new-personal-data-protection-law/
Fri, 15 Sep 2023

Following the passing of the long-awaited Personal Data Protection Law (“PDPL”) in Indonesia, on 31 August 2023 the Ministry of Communications and Information Technology published the draft government regulation (“Draft Regulation”) on the implementation of the PDPL for public consultation. The public consultation will close on 14 September 2023. The Draft Regulation is expected to come into effect in October 2024.

Summary of the key themes of the Draft Regulation:

  • Scope of personal data: In addition to the list of “specific personal data” set out in the PDPL, the Draft Regulation introduces a mechanism for the government to expand the scope of “specific personal data”. The Ministry, in consultation with the PDP Agency, may designate other data as “specific personal data” if it has the potential to cause greater harm to data subjects, such as discrimination, material/immaterial loss and contravention of the law. It also clarifies that personal data includes data that is in the public domain. This gives the government the flexibility to extend its control over time, which in turn creates uncertainty for businesses.
  • Consent to data processing: Similar to the position taken under other data protection laws in Asia, data processing can be based on consent (though other bases of data processing are also available). Where consent is used, the data subject must be provided with a privacy notice and explicit lawful consent must be obtained.

With regard to children or persons with disabilities, consent should be obtained from the parents/guardians of the children and from either the disabled persons or their guardians.

Interestingly, a child is defined as any unmarried person under the age of 18. Controllers are also required to take measures to identify persons with disabilities. These provisions may lead to some uncertainty as to whether mere reliance on a data subject’s declaration is sufficient or whether a more proactive approach, such as verification and active monitoring, is required.

  • Data subject rights: The Draft Regulation also sets out in detail the rights of data subjects and the timelines for responding to requests. For example, controllers must respond to data subject requests within “3 x 24” hours. This is a very short timeframe that is usually only applied in data breach notification scenarios in other jurisdictions in Asia.  
  • Cross-border data transfers: The PDPL already provides that data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection at least equal to that required in Indonesia. 

The Draft Regulation clarifies that the PDP Agency will be the authority to make the determination and the PDP Agency may in the future establish a list of jurisdictions meeting that threshold. If the receiving jurisdiction does not meet the threshold, measures similar to those adopted by other jurisdictions in Asia, such as cross-border agreements, standard contract clauses and binding group company regulations, must be put in place.

We expect the PDP Agency to provide more details on these practices, such as standard wordings and templates, in the future. Nonetheless, if these requirements are not met, the consent of the data subject could be used as a fallback in limited circumstances. In any event, controllers will be required to carry out a risk assessment and a legal instrument assessment prior to the transfer.

  • Redress and out-of-court dispute resolution: The Draft Regulation places great emphasis on redress for data subjects and on the alternative dispute resolution mechanism in the event of a breach. A data subject has the right to sue for violations, whether based on fault or negligence on the part of the controller, and to receive material compensation, such as a sum of money, or non-material compensation, such as remedial measures. In particular, the Draft Regulation expressly gives priority to mediation over other dispute resolution mechanisms, and even provides for a Professional Mediation Institution that is equipped with expertise in data protection and certified in accordance with the Draft Regulation.

Separately, breaches of data protection may be punished by administrative fines of up to 2% of annual revenue or annual receipts in respect of the violation. However, it is uncertain whether the percentage cap applies to the local entity or to the group globally.

What next – practical steps

While the Draft Regulation signifies Indonesia’s commitment to strengthening its data protection framework in line with global standards, we expect that compliance with the data protection law in Indonesia could be challenging given the onerous obligations and uncertainty.

Given that the PDPL will come into force in October 2024 and it now seems likely that the Draft Regulation will also come into effect at around the same time, we recommend that businesses prioritise the following:

  • review existing data flows and the categories of data which are being collected and processed;
  • consider existing mechanisms for obtaining consent;
  • review processes for responding to data subject requests and data breach notification;
  • review processes for conducting data protection impact assessments.
INDONESIA: Personal Data Protection Law PDPL Now in Force
https://privacymatters.dlapiper.com/2022/10/indonesia-personal-data-protection-law-pdpl-now-in-force/
Fri, 21 Oct 2022
Authors: Carolyn Bigg, Yue Lin Lee

Indonesia’s long-awaited Personal Data Protection Law (“PDPL”) finally came into force on 17 October 2022, helpfully consolidating and clarifying the personal data protection framework in Indonesia.

Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make compliance a priority.

The law is primarily consent-based. Key things to note include:

  • Extra-territorial effect. The PDPL applies to all personal data processing activities of individuals, corporations, public bodies and international bodies:
      • within Indonesia; or
      • outside of Indonesia, which: (i) has legal consequences in Indonesia, or (ii) affects Indonesian citizens located outside of Indonesia.
  • Data Subject Rights. Under the PDPL these include the: (i) right to obtain details of data processing; (ii) right to correct or supplement personal data; (iii) right to access and obtain a copy of personal data; (iv) right to request deletion of personal data; (v) right to withdraw consent; (vi) right to refuse automated decision-making; (vii) right to restrict data processing; (viii) right to bring civil action for violation of the PDPL, and (ix) right to data portability. For some specific rights, businesses only have 72 hours to respond.
  • Data Protection Impact Assessment. These are required where data processing involves a high potential risk to the data subject.
  • Data Protection Officer (DPO). For certain data processing activities, data controllers and processors must appoint a DPO.
  • Overseas Data Transfers. Data controllers transferring personal data outside of Indonesia must ensure that the recipient country has a level of data protection at least equal to that required under the PDPL. Otherwise, data controllers must ensure there is adequate data protection. If neither can be achieved, the data controller must obtain consent from the data subject for the overseas data transfer. It is anticipated that data localisation measures in certain industry sectors will remain, at least in the short term.
  • Sanctions. These include written warnings, temporary suspension of personal data activities and deletion or destruction of personal data. Most notably, the PDPL introduces fines of up to 2% of the annual revenue of the data controller. In addition to these administrative sanctions, criminal sanctions include a prison sentence of up to six years and fines of up to Rp 6 billion (approximately USD 385,000) for the most serious offences.