Personal Data Protection is an important issue Representatives through President Letter Number: in the digitalization era, and it is essential to R-05/Pres/01/2020.1 The PDP Draft Bill provides legal regulate data protection under the law as a form certainty to guarantee and protect the rights of of recognition and guarantee of the protection of the citizens’ right to privacy. Personal Data Protection in Indonesia is currently regulated under the Minister of Communication and Informatics Regulation Number 20 of 2016 concerning Protection of Data Protection in Electronic Systems (MoCI Regulation 20/2016) and Government Regulation Number 71 of 2019 concerning Organization of Electronic Systems and Transactions (GR 71/2019).
However, to provide a legal framework that further guarantees the personal data protection, the Government has officially submitted the Protection Data Protection Final Draft Bill (PDP Draft Bill) on the 24 January 2020 to the House of Personal Data Owners, such as:
(i) the right to request information regarding the underlying purpose for the acquisition and use of personal data;
(ii) the right to access their personal data;
(iii) the right to complete, update, or correct their personal data;
(iv) the right to terminate, delete, and/or eliminate their personal data;
(v) the right to revoke their consent for the use of their personal data;
(vi) the right to delay or limit the processing of their personal data; and
(vii) the right to file lawsuits and obtain compensation in relation to violations of personal data.2
As a side note, there are some exceptions to the protection of these rights, for instance in the interest of national defense and security, the law enforcement process, public interest, supervision of the financial services sector, and official scientific research conducted by the state.3
To ensure that the rights of the Personal Data Owners as stated above can be protected, the PDP Draft Bill also stipulates that the Personal Data4 Controller must maintain the confidentiality of the Personal Data and must obtain written or verbal approval beforehand from the Personal Data Owner through electronic or non-electronic means before they can carry out data processing.
In order to obtain such approval, the Personal
Data Controller is required to provide information concerning the legality and purpose of data processing,5 type and relevance of the personal data, a document retention period, details regarding the information collected, a processing period, and the rights of the Personal Data owner.6 However, there are exceptions of such approval in certain circumstances as follows:
that the Personal Data Owner is a party or fulfillment of request from Personal Data Owner to comply with the agreement;
Further, PDP Draft Bill also stipulates that Personal Data Controller and Personal Data Processors
are required to appoint Personal Data Protection Officers8 in certain cases, for example for the interest of public services, for the main activity of Personal Data Controller that requires regular and systematic monitoring of Personal Data on a large scale, and where the processing of Personal Data is for a specific and/or related to a criminal offence.9 Personal Data Protection Officers have the duty to inform and provide advice to the Personal Data Controller or Personal Data Processor regarding the compliance with the PDP Draft Bill, to supervise the compliance with the PDP Draft Bill, and to cooperate with relevant parties concerning the personal data protection.10
The PDP Draft Bill also stipulates administrative sanctions for several offences through written notices, temporary termination of Personal Data processing activities, removal or elimination of Personal Data, compensation, and/or administrative fines.11 In addition to administrative sanctions,
there are also several violations that are subject to criminal sanctions or imprisonment, for instance collection of personal data that causes harm to the Personal Data Owner, unlawful disclosure and use of the Personal Data, forgery of Personal Data for commercial purposes, and unlawful trade of personal data.12 SPA/YAN