Indonesia passes new legislation on Personal Data Protection

By Andrew Robinson, Summer Montague & Hermanto Morlijo


Published 28 February 2023


Following weeks of growing national concern over repeated data breaches, on 20 September 2022, the House of Representatives of the Republic of Indonesia finally approved the draft Bill on Personal Data Protection into law (the “Personal Data Protection Law”, or “PDPL”).

Indonesia joins Malaysia, Singapore, the Philippines and Thailand as the fifth ASEAN country to enact a specific legal instrument regulating data protection. As a jurisdiction with a strong tradition of civil law, a codified body of law enacted by Indonesia is essential to meet and support the needs of private individuals to safeguard their personal data in the era of digitalisation in which more and more organisations are transforming their business processes digitally to drive innovation and efficiency.

The final draft Bill, debated intensively at the parliamentary level for more than two years, comprises 16 chapters and 76 legal provisions. Previous legal provisions governing the protection of personal data in Indonesia had been scattered ad-hoc across various sectoral legislations, e.g. the Law on Electronic Information and Transactions, the Law on Population Administration, the Law on Consumer Protection, and the Law on Public Information Disclosure.

With the passing of the PDPL, those other legislations containing legal substance similar to the PDPL will remain in force provided that the provisions are aligned with and/or not contrary to the PDPL. Otherwise, by virtue of the lex specialis principle, the PDPL will take precedence.

We highlight some of the key principal provisions of the approved Bill:

  1. The enforceability of the PDPL extends beyond Indonesian jurisdiction. The PDPL applies not only to any Personal Data Controller and Personal Data Processor (defined as any person, whether an individual or a corporation, public body and international organisation) who resides in Indonesia, but also to those who commit acts in other jurisdictions, to the extent that such act(s) would impact on a Personal Data Subject (as defined) in Indonesian territory and/or Indonesian nationals abroad.
  2. Classification of Personal Data. The PDPL classifies Personal Data into two types:
     • Specific Personal Data, which includes: health information, biometric data, genetic information, criminal records, information on minors, personal financial information and other information as defined.
     • Public Personal Data, which includes: full name, gender, nationality, religion, marital status, and/or combined Personal Data to identify a person, e.g. telephone numbers and IP addresses.
  3. Rights of a Personal Data Subject, including (1) the right to clarify the identity, interest, purpose and accountability of the party who requests the Personal Data to be provided; (2) the right to access, complete, update and/or to correct the mistake or inaccuracy of an individual’s Personal Data; (3) the right of an individual to terminate the processing, or to erase and/or to destroy his or her Personal Data; (4) the right to withdraw consent previously given for Personal Data to be processed; (5) the right to decline profiling activity; and (6) the right to postpone or to restrict the processing of Personal Data.
  4. The right to seek legal redress in the event of a breach of an individual’s rights, and the procedures for seeking damages, are to be further codified under a Government Regulation.
  5. Notification of data breach. Notice in writing must be given to affected Personal Data Subject(s) and the Data Protection Authority within 72 hours of a breach. This must include details of the affected Personal Data, confirmation of the time of breach and how it materialised, together with details of the management of the breach and any recovery attempts already undertaken.
  6. Appointment of a Personal Data Protection Officer within the organisation is compulsory if: (1) the processing of Personal Data is carried out for the interest of public service; (2) the core activity of the organisation, or Personal Data Controller of the information, has characteristics and/or purposes requiring systematic and regular supervision of large-scale Personal Data; and/or (3) the core activity of the organisation or Personal Data Controller involves processing of high-volume specific and/or crime-related Personal Data.
  7. Transfer of Personal Data between two Personal Data Controllers and/or between a Personal Data Controller and a Personal Data Processor within Indonesian territory is permissible, with the transferor and recipient both having the obligation to protect that Personal Data. Any transfer beyond Indonesian territory may also be conducted provided the Personal Data Controller has already confirmed that the country in which the recipient resides has equivalent or higher standards of data protection than Indonesia. In the alternative, the Personal Data Controller must ensure that an adequate level of protection is put in place. In the absence of these requirements, consent from the Personal Data Subject for transfer of the personal data is mandatory.
  8. Administrative and penal sanctions. Under the PDPL, the Data Protection Authority is empowered to take action against any violation of the PDPL provisions and may impose the following administrative sanctions: (a) formal warnings; (b) temporary suspensions of Personal Data processing activities; (c) orders to eradicate or destroy Personal Data; and/or (d) fines not exceeding 2% of annual revenue or annual income of the organisation or Personal Data Controller (to be further codified in a separate Government Regulation).

Certain criminal behaviours, such as the unlawful collection by an individual of Personal Data with the intent to benefit himself or another person, or the misappropriation and disclosure of Personal Data and/or the deliberate fabrication of one’s own Personal Data, are subject to imprisonment. The maximum jail term is up to 6 years for the most serious offence, with fines not exceeding IDR 6 billion (approx. USD 399,000). Orders to pay compensation and the seizure of assets, profits or proceeds of the crime may also be imposed. In the event the violation is committed by a corporation, similar sanctions may be issued against the management, controller, commanding officer, beneficial owner and/or the corporation itself, including fines of up to IDR 60 billion, in addition to other forms of punishment: seizure of assets / profits / proceeds of criminal act, suspension of business, a permanent ban from carrying out a specific action, the closure of a place of business, specific performance of an obligation, and the revocation of any license and/or dissolution of the corporation.

  9. Those who engage in data processing activities and/or the controlling of Personal Data are obliged to conduct a review and undertake any adjustment of business practices in order to align with and comply with the provisions of the PDPL. Those obligations must be discharged within two years of the date of promulgation of the PDPL.

There have been concerning surges in local data breach occurrences, including the theft and sale of personal information, infiltration of bank accounts and other financial vessels, and fraud by assumed identity. The enactment of the PDPL indicates a new era for data protection practices for Indonesia and a hopeful handbrake against the levels of criminal activity. It illustrates the commitment and priority given by government and the authorities to provide comprehensive measures to support and protect individuals and businesses. However, in a jurisdiction not necessarily known for the seamless introduction of new, or amendment to existing, legislation, particularly in such a digital/tech and borderless arena, it remains to be seen how successfully the Indonesian Government will implement, advocate and ultimately enforce the PDPL.