Regulatory Alert: Overview of the Draft Regulation of Personal Data Protection in Indonesia 2023
BACKGROUND
In a proactive move to solidify the foundation of personal data protection, the Indonesian government has introduced the Draft Regulation,[1] a comprehensive framework designed to operationalise the provisions of Law Number 27 of 2022 on Personal Data Protection, known as the Personal Data Protection (PDP) Law. While this regulation has not yet been officially enacted, its extensive scope, consisting of 245 articles and 10 chapters, underscores the government’s commitment to regulating aspects such as data processing, the rights and obligations of data subjects, and the authorities of PDP Agencies, alongside mechanisms for resolving disputes. It is imperative for stakeholders to closely examine and prepare for the anticipated changes. This preliminary insight offers a valuable opportunity to align with the emerging PDP landscape, ensuring readiness to adapt to the regulatory environment once it takes effect.
KEY REQUIREMENTS
The Draft Regulation sets out specific obligations for data controllers and processors. These range from obtaining explicit consent for data processing, ensuring data accuracy, and promptly correcting errors to notifying subjects and relevant authorities in case of data breaches. Furthermore, there are stringent rules around overseas data transfers, requiring equal or higher levels of data protection than Indonesian laws. Understanding and complying with these obligations is critical.
- Basis for Data Processing: Controllers must process data based on explicit consent, contractual obligations, or other legitimate grounds. Explicit consent must be informed and clear.[2] For minors or persons with disabilities, consent must be obtained from parents or guardians.[3]
- Data Processing Principles: Data processing should be limited to specific purposes and conducted transparently. The accuracy, completeness, and consistency of data must be ensured through regular verification.[4]
- Data Subject Rights: Controllers must promptly inform data subjects of any changes in the processing information. Data subjects have the right to access their data, request updates or corrections, and demand the cessation or deletion of their data under certain conditions.[5]
- Data Security and Breach Notification: Controllers and processors must implement measures to protect data from unauthorised access and ensure confidentiality. In case of a data breach, controllers are required to notify affected subjects and relevant agencies within a specified timeframe.[6]
- Record Keeping and Supervision: All data processing activities must be documented and supervised to prevent unlawful processing. Data processors must act according to the instructions of the controllers.[7]
- Overseas Data Transfers: Data transfers outside Indonesia require that the receiving party provides a level of protection equal to or higher than Indonesian law or that adequate and binding data protection measures are in place. Controllers must obtain approval from data subjects before transferring their data overseas.[8]
- Appointment of Data Protection Officers: Entities involved in large-scale processing or processing of sensitive data must appoint data protection officers to oversee compliance with PDP regulations.[9]
- Compliance and Accountability: Controllers bear full responsibility for compliance and must demonstrate accountability in adhering to PDP principles. They must also comply with any orders from PDP Agencies regarding the organisation and protection of personal data.[10]
By adhering to these requirements, entities can not only avoid administrative sanctions but also strengthen their data governance and foster trust among data subjects.
IMPLICATIONS
PDP Agencies are empowered to enforce compliance by imposing administrative sanctions for non-compliance. These include written warnings, temporary suspensions of data processing activities, data erasures, and administrative fines. The severity of sanctions corresponds to the level of the violation, the compliance history of the entity, and other relevant factors. Below is a closer look at the potential implications.
- Enhanced Data Protection Standards: The Draft Regulation sets a high bar for data protection, compelling organisations to adopt robust data security and privacy measures.
- Legal and Financial Risks: Non-compliance can lead to substantial legal and financial repercussions, including administrative fines and temporary suspensions of data processing activities.
- Breach Notification Requirements: The obligation to notify relevant parties in case of a data breach introduces additional operational pressures and could have reputational consequences if not appropriately managed.
- Appointment of Data Protection Officers: Entities processing large-scale data must appoint dedicated data protection officers, creating new roles and responsibilities within organisations.
- Potential Business Disruptions: In cases of non-compliance, the imposed sanctions, such as temporary suspensions of processing activities, can lead to significant business disruptions.
Overall, the Draft Regulation has the potential to significantly reshape the landscape of personal data protection in Indonesia, aligning it with global standards but also imposing substantial new obligations on entities that process personal data. Compliance is not only a legal requirement but also an essential element of business reputation and consumer trust.
CONSIDER
Organisations functioning as data controllers and processors must meticulously adhere to the obligations outlined in the Draft Regulation. They should thoroughly assess their data processing activities, ensure adequate protection measures, and establish clear protocols for addressing potential data breaches.
CONCLUSION
The Draft Regulation marks a significant advancement in Indonesia’s data protection landscape. It imposes comprehensive obligations on entities handling personal data and provides a structured approach to enforcing compliance. Entities should proactively review and align their data processing practices with the Draft Regulation to avoid potential sanctions and foster trust among data subjects.
For further information, please contact:
P: 6221. 7278 7678, 72795001
H: +62 811 8800 427
S.F. Anggraeni
Managing Partner
Sri Purnama
Junior Legal Research Analyst
Jericho Xafier Ralf
Trainee Associate
Footnotes:
[1] The Draft Regulation referenced in this document pertains to the version dated 31 August 2023, as obtained from the official website of the Kementerian Komunikasi dan Informasi (Ministry of Communication and Information Technology) of Indonesia, accessible at https://pdp.id/rpp-ppdp/1. Please note that subsequent amendments or updates to the Draft Regulation may have occurred after this date. Readers are advised to consult the latest version of the document for the most current information.
[2] Article 44 and Article 45 of the Draft Regulation.
[3] Article 40, Article 52, Article 53 of the Draft Regulation.
[4] Article 24 – Article 36 and Article 80 of the Draft Regulation.
[5] Chapter IV of the Draft Regulation.
[6] Article 24 of the Draft Regulation.
[7] Article 12 of the Draft Regulation.
[8] Chapter V of the Draft Regulation.
[9] Article 166 of the Draft Regulation.
[10] Article 167 of the Draft Regulation.