Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

THAILAND: First PDPA Enforcement in Thailand: A Landmark Case
https://privacymatters.dlapiper.com/2024/08/thailand-first-pdpa-enforcement-in-thailand-a-landmark-case/
Tue, 27 Aug 2024

On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019 issued an administrative fine to a major private company engaged in online sales. The company had allowed a significant volume of personal data to leak to call center gangs without implementing the security measures the PDPA requires. The committee imposed the maximum administrative fine of 7 million baht (approximately USD 205,520) for the following offences:

  1. Failure to Appoint a Data Protection Officer (DPO): The company collected personal data from over 100,000 customers and used it in its core business operations, but did not appoint a DPO as required by law. This failure hindered the company's ability to respond to data breaches effectively.
  2. Inadequate Security Measures: The company lacked the security measures mandated by the PDPA, which led to personal data leaking to call center gangs and caused widespread damage.
  3. Failure to Report Data Breaches: The company ignored complaints from data subjects and delayed reporting the breaches to the Personal Data Protection Committee (PDPC), preventing timely remediation.

In addition to the 7 million baht fine, the second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.

This administrative fine is the first of its kind imposed on a major private company by the second expert committee since the PDPA came into effect. The enforcement approach, in particular the emphasis on security measures, breach notification and DPO appointment, aligns with the principles of the European Union's General Data Protection Regulation (GDPR).

Minister Prasert emphasized that the fine aims to protect the public from call center scams and data leaks, which have been major issues in Thailand over the past two years. The fine serves as a warning to both public and private entities to report data breaches to the PDPC as required by law. This case sets a standard for handling data leaks in the future.

The minister also noted that this enforcement action will raise awareness among public and private sectors about the importance of complying with the PDPA. It is part of broader measures to combat call center scams that misuse personal data. Additionally, these measures will help mitigate the damage to data subjects and build public trust in the use of personal data online.

Indonesia: prepare now for the new Personal Data Protection Law
https://privacymatters.dlapiper.com/2023/09/indonesia-prepare-now-for-the-new-personal-data-protection-law/
Fri, 15 Sep 2023

Following the passing of the long-awaited Personal Data Protection Law ("PDPL") in Indonesia, the Ministry of Communications and Information Technology published, on 31 August 2023, the draft government regulation on the implementation of the PDPL ("Draft Regulation") for public consultation. The public consultation will close on 14 September 2023. The Draft Regulation is expected to come into effect in October 2024.

Summary of the key themes of the Draft Regulation:

  • Scope of personal data: In addition to the list of "specific personal data" set out in the PDPL, the Draft Regulation introduces a mechanism for the government to expand the scope of "specific personal data". The Ministry, in consultation with the PDP Agency, may designate other data as "specific personal data" if it has the potential to cause greater harm to data subjects, such as discrimination, material or immaterial loss, or contravention of the law. The Draft Regulation also clarifies that personal data includes data that is in the public domain. This gives the government the flexibility to extend the scope of regulation over time, which in turn creates uncertainty for businesses.
  • Consent to data processing: Similar to the position taken under other data protection laws in Asia, data processing can be based on consent (though other bases of processing are also available). Where consent is relied on, the data subject must be provided with a privacy notice and explicit, lawful consent must be obtained.

With regard to children and persons with disabilities, consent must be obtained from the parents or guardians of a child, and from either the person with a disability or their guardian.

Interestingly, a child is defined as any unmarried person under the age of 18. Controllers are also required to take measures to identify persons with disabilities. These provisions may lead to some uncertainty as to whether mere reliance on a data subject’s declaration is sufficient or whether a more proactive approach, such as verification and active monitoring, is required.

  • Data subject rights: The Draft Regulation also sets out in detail the rights of data subjects and the timelines for responding to requests. For example, controllers must respond to data subject requests within "3 x 24" hours, i.e. 72 hours. This is a very short timeframe that, in other jurisdictions in Asia, is usually applied only to data breach notification.
  • Cross-border data transfers: The PDPL already provides that data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection at least equal to that required in Indonesia.

The Draft Regulation clarifies that the PDP Agency will be the authority to make the determination and the PDP Agency may in the future establish a list of jurisdictions meeting that threshold. If the receiving jurisdiction does not meet the threshold, measures similar to those adopted by other jurisdictions in Asia, such as cross-border agreements, standard contract clauses and binding group company regulations, must be put in place.

We expect the PDP Agency to provide more details on these practices, such as standard wordings and templates, in the future. Nonetheless, if these requirements are not met, the consent of the data subject could be used as a fallback in limited circumstances. In any event, controllers will be required to carry out a risk assessment and a legal instrument assessment prior to the transfer.

  • Redress and out-of-court dispute resolution: The Draft Regulation places great emphasis on redress for data subjects and on alternative dispute resolution in the event of a breach. A data subject has the right to sue for violations, whether based on fault or negligence on the part of the controller, and to receive material compensation, such as a sum of money, or non-material compensation, such as remedial measures. In particular, the Draft Regulation expressly gives priority to mediation over other dispute resolution mechanisms, and even provides for a Professional Mediation Institution that is equipped with expertise in data protection and certified in accordance with the Draft Regulation.

Alternatively, breaches of data protection may be punished by administrative fines of up to 2% of the annual revenue or annual receipts of the violating entity. However, it is uncertain whether the percentage cap will be applied to the local entity or to the group globally.

What next – practical steps

While the Draft Regulation signifies Indonesia’s commitment to strengthening its data protection framework in line with global standards, we expect that compliance with the data protection law in Indonesia could be challenging given the onerous obligations and uncertainty.

Given that the PDPL will come into force in October 2024, and it now seems likely that the Draft Regulation will come into effect at around the same time, we recommend that businesses prioritise the following:

  • review existing data flows and the categories of data which are being collected and processed;
  • consider existing mechanisms for obtaining consent;
  • review processes for responding to data subject requests and data breach notification;
  • review processes for conducting data protection impact assessments.