Following the passing of the long-awaited Personal Data Protection Law (“PDPL”) in Indonesia, on 31 August 2023, the Ministry of Communications and Information Technology published the draft government regulation (“Draft Regulation”) on the implementation of the PDPL for public consultation. The public consultation will close on 14 September 2023. The Draft Regulation is expected to come into effect in October 2024.
Summary of the key themes of the Draft Regulation:
- Scope of personal data: In addition to the list of “specific personal data” set out in the PDPL, the Draft Regulation introduces a mechanism for the government to expand the scope of “specific personal data”. The Ministry, in consultation with the PDP Agency, may designate other data as “specific personal data” if it has the potential to cause greater harm to data subjects, such as discrimination, material/immaterial loss and contravention of the law. It also clarifies that personal data includes data that is already in the public domain. This gives the government the flexibility to extend its control over time, which in turn creates uncertainty for businesses.
- Consent to data processing: Similar to the position taken under other data protection laws in Asia, data processing can be based on consent (though other bases of data processing are also available). Where consent is used, the data subject must be provided with a privacy notice and explicit lawful consent must be obtained.
With regard to children or persons with disabilities, consent should be obtained from the parents/guardians of the children and from either the disabled persons or their guardians.
Interestingly, a child is defined as any unmarried person under the age of 18. Controllers are also required to take measures to identify persons with disabilities. These provisions may lead to some uncertainty as to whether mere reliance on a data subject’s declaration is sufficient or whether a more proactive approach, such as verification and active monitoring, is required.
- Data subject rights: The Draft Regulation also sets out in detail the rights of data subjects and the timelines for responding to requests. For example, controllers must respond to data subject requests within “3 x 24” hours (i.e., 72 hours). This is a very short timeframe that, in other jurisdictions in Asia, is usually applied only to data breach notifications.
- Cross-border data transfers: The PDPL already provides that data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection at least equal to that required in Indonesia.
The Draft Regulation clarifies that the PDP Agency will be the authority to make the determination and the PDP Agency may in the future establish a list of jurisdictions meeting that threshold. If the receiving jurisdiction does not meet the threshold, measures similar to those adopted by other jurisdictions in Asia, such as cross-border agreements, standard contract clauses and binding group company regulations, must be put in place.
We expect the PDP Agency to provide more details on these practices, such as standard wordings and templates, in the future. Nonetheless, if these requirements are not met, the consent of the data subject could be used as a fallback in limited circumstances. In any event, controllers will be required to carry out a risk assessment and a legal instrument assessment prior to the transfer.
- Redress and out-of-court dispute resolution: The Draft Regulation places great emphasis on redress for data subjects and on alternative dispute resolution in the event of a breach. A data subject has the right to sue for violations, whether based on fault or negligence on the part of the controller, and to receive material compensation, such as a sum of money, or non-material compensation, such as remedial measures. In particular, the Draft Regulation expressly gives priority to mediation over other dispute resolution mechanisms, and even provides for a Professional Mediation Institution that is equipped with expertise in data protection and certified in accordance with the Draft Regulation.
Separately, breaches of data protection may be punished by administrative fines of up to 2% of the annual revenue or annual receipts of the violating entity. However, it is uncertain whether the percentage cap will be applied to the local entity or to the group globally.
What next – practical steps
While the Draft Regulation signifies Indonesia’s commitment to strengthening its data protection framework in line with global standards, we expect that compliance with the data protection law in Indonesia could be challenging given the onerous obligations and uncertainty.
Given that the PDPL will come into force in October 2024 and it now seems likely that the Draft Regulation will also come into effect at around the same time, we recommend that businesses prioritise the following:
- review existing data flows and the categories of data which are being collected and processed;
- consider existing mechanisms for obtaining consent;
- review processes for responding to data subject requests and data breach notification;
- review processes for conducting data protection impact assessments.