Indonesia's new data-protection law changes the country's privacy landscape
19 October 2022 02:00 by Jet Damazo-Santos
Once it became clear that Indonesia’s personal data-protection bill, or PDP, was finally going to be passed after several delays, lawyers started poring over the latest available draft to determine how their clients would have to adjust their operations to comply with the new requirements.
Data privacy isn’t a new concept in Indonesia, with data-protection policies already in place covering 30 different rules and regulations. But the new law, which has now been signed by President Joko Widodo, will create some significant changes to how companies will handle the personal data they control.
Based heavily on the European Union’s General Data Protection Regulation, or GDPR, Indonesia’s law outlines the rights of data subjects — including the right to sue and receive compensation when personal data is processed without an adequate legal basis. Under current regulations, this legal basis refers to consent; but in line with the GDPR, Indonesia’s PDP recognizes legitimate interests as a basis for doing so.
The law also distinguishes between a data controller and a data processor and outlines their respective obligations, which include appointing data-protection officers, or DPOs, if the company meets certain criteria and submitting notifications within 72 hours of a data breach.
Companies can also face administrative sanctions of up to 2 percent of annual income or revenue under the law and, unlike the GDPR, erring individuals can face criminal sanctions of up to six years in jail.
But before companies start appointing DPOs and deleting consent forms, several implementing regulations and guidelines will first have to be issued by the government to clarify the broad language of the law.
Key changes
The reduced reliance on consent is one of the major changes the PDP law will create.
“Based on current regulations, consent is the only way for you to process the personal data. With the new law, companies will have options,” Danny Kobrata, a partner at K&K Advocates and co-founder of the Indonesian Privacy Practitioner Association, told MLex.
For example, it could be to “protect the vital interests of the data subject,” similar to what the GDPR says, or for “other legitimate interests” that balance the interests of the personal data controller and the rights of the personal data subject.
But these will still need to be explained by an implementing regulation or guideline, lawyers say, otherwise companies could try to interpret these for their own interests.
“Before we get clarity from the data-protection authority, the conservative approach would still be to continue seeking consent,” a Jakarta-based lawyer specializing in technology-related issues told MLex.
When it comes to which companies will need to appoint a DPO, the law says that this is required of data controllers and processors that manage data for public services, or those that involve the regular and systematic monitoring of data subjects on a large scale — again, using language similar to the GDPR.
“In some cases, it could be pretty clear, particularly for companies in the financial sector like banks, hospitals, digital platforms — they obviously need a DPO,” Kobrata said. But there are cases where the answer might not be so straightforward.
Cross-border transfers
As the current president of the G20, Indonesia has been prioritizing talks on cross-border data flows and data free flow with trust. In fact, this is widely seen to be one of the reasons the government made sure to pass the PDP law before the G20 leaders' summit it will host in Bali in November.
The country’s current regulations require written consent from the data subject and coordination with the Ministry of Communications and Informatics before any personal data is transferred outside the country.
But the PDP law now has cross-border transfer provisions similar to the GDPR, wherein transfers are allowed to jurisdictions with equal or higher levels of protection, or if the transfer is covered by a bilateral treaty or an agreement that imposes sufficient standards of protection, or if the data controller obtained consent from the data subject.
Again, the data protection authority will have to define which jurisdictions have equal or higher levels of protection than Indonesia. But practitioners welcome the removal of the requirement to coordinate or report to the ministry.
With only a two-year transition period written into the law, it is apparent that the data-protection authority needs to be established as soon as possible.
But even with the law now enacted, the president will still have to issue another regulation creating the authority, before work can begin on actually setting it up and appointing people to it. Only after that will the implementing regulations be drafted, and clarity on all these questions be provided.
However, the Jakarta-based technology lawyer said that companies can now start conducting their gap analysis.
“At least now we have clear definitions of what specific personal data is regulated in the law and we have certainty in terms of the liabilities of the data controller and the data processor. These distinctions did not exist prior to the law,” he said.
“If companies stay in a wait-and-see position until the regulator is established, that might take several months or even more than a year.”