Author: Carolyn Bigg, Yue Lin Lee

Indonesia’s long-awaited Personal Data Protection Law (“PDPL”) finally came into force on 17 October 2022, helpfully consolidating and clarifying the personal data protection framework in Indonesia.

Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make compliance a priority.

The law is primarily consent-based. Key things to note include:

  • Extra-territorial effect. The PDPL applies to all personal data processing activities of individuals, corporations, public bodies and international bodies:
      • within Indonesia; or
      • outside of Indonesia, which: (i) has legal consequences in Indonesia, or (ii) affects Indonesian citizens located outside of Indonesia.
  • Data Subject Rights. Under the PDPL these include the: (i) right to obtain details of data processing; (ii) right to correct or supplement personal data; (iii) right to access and obtain a copy of personal data; (iv) right to request deletion of personal data; (v) right to withdraw consent; (vi) right to refuse automated decision-making; (vii) right to restrict data processing; (viii) right to bring civil action for violation of the PDPL, and (ix) right to data portability. For some specific rights, businesses only have 72 hours to respond.
  • Data Protection Impact Assessment. These are required where data processing involves a high potential risk to the data subject.
  • Data Protection Officer (DPO). For certain data processing activities, data controllers and processors must appoint a DPO.
  • Overseas Data Transfers. Data controllers transferring personal data outside of Indonesia must ensure that the recipient country has a level of data protection at least equal to that required under the PDPL. Otherwise, data controllers must ensure there is adequate data protection. If neither can be achieved, the data controller must obtain consent from the data subject for the overseas data transfer. It is anticipated that data localisation measures in certain industry sectors will remain, at least in the short term.
  • Sanctions. These include written warnings, temporary suspension of personal data activities and deletion or destruction of personal data. Most notably, the PDPL introduces fines of up to 2% of the annual revenue of the data controller. In addition to these administrative sanctions, criminal sanctions include a prison sentence of up to six years and fines of up to Rp 6 billion (approximately USD 385,000) for the most serious offences.