
Indonesia: Public release of the draft of Government Regulation implementing the PDP Law

Chalid Heyder, Teguh Darmawan, and Andera Rabbani, from Hogan Lovells, examine Indonesia's changing personal data protection landscape by discussing the newly published draft of the government regulation implementing the Personal Data Protection Law (PDP Law). This Insight article covers essential aspects such as data classification, Data Protection Impact Assessments (DPIA), the role of Data Protection Officers (DPO), offshore data transfers, mandatory breach notifications, and the forthcoming personal data protection Agency, highlighting key administrative sanctions and their implications.


Upon the issuance of the PDP Law in October 2022, Indonesia entered a new era of personal data protection. Through the PDP Law, the public is expected to understand the importance of personal data protection. The PDP Law generally governs the provisions pertaining to personal data protection, while the technical and detailed provisions are expected to be further incorporated into a government regulation.

By the end of August 2023, the Indonesian government, specifically the Ministry of Communication and Informatics (MOCI), published the draft government regulation implementing the PDP Law (Draft). The Draft is expected to provide more clarity on the implementation of the PDP Law, which matters because, as of the date of this article, the transitional period of the PDP Law is approaching its end in October 2024.

The Draft, which is still being reviewed by the Indonesian government and may be subject to change, consists of 188 pages and 245 articles. Below is our summary of several notable topics under the Draft.

Classification of personal data: specific personal data

Under the PDP Law, Indonesia now recognizes two classifications of personal data, namely specific and general personal data. The scope of specific personal data includes the following:

    a) health data;
    b) biometrics;
    c) genetics data;
    d) crime records;
    e) children's data;
    f) personal financial data; and/or
    g) other data in accordance with the prevailing laws.

Specifically for point (g) above, the Draft provides further details, explaining that the determination of 'other data' relies on the consideration of personal data processing activity which could incur a greater impact on the data subject, which covers:

  • discriminatory conduct against the data subject;
  • material and/or immaterial losses of the data subject; or
  • other impacts that are contrary to the laws and regulations.

Processing of specific personal data falls into the high-risk category, which requires the data controller to carry out a DPIA before undertaking such processing. Further discussion on the DPIA is provided below.

Classification of personal data: general personal data

Under the PDP Law and the Draft, coverage of general personal data includes:

    a) full name;
    b) sex;
    c) citizenship;
    d) religion;
    e) marital status; and
    f) combined personal data that are used to identify an individual.

The identification of personal data by combining the types of general personal data, as mentioned under point (f) above, can be achieved through the following methods:

  • direct reference, which is a combination of linking the same unique data in two different systems to identify a person;
  • mapping reference, which is the combination of linking different unique data in two different systems with a mapping between the unique data to identify a person;
  • triangulation, which is a combination connecting unique data with several other data longitudinally, that is, when connected, intersections can be found between these data to identify a person; and
  • other forms of combination.

It is worth noting that the combination methods described above could also include personal data that is publicly available.

DPIA

The data controller is required to undertake the DPIA if it processes personal data with the potential for a high-risk impact on the data subject. This includes:

  • automated decision-making that has legal consequences or a significant impact on the data subject;
  • processing of specific personal data;
  • large-scale processing of personal data;
  • processing of personal data for systematic evaluation, scoring, or monitoring activities of the data subject;
  • processing of personal data for matching activities or merging a group of data;
  • the use of new technology in the processing of personal data; and/or
  • processing of personal data that restricts the exercise of the data subject's rights.

It is critical to understand that the DPIA must be carried out prior to the processing activities conducted by the data controller. Under the Draft, the DPIA should at least contain the following:

    a) a systematic description of the personal data processing activities and the purposes of the personal data processing, including the interests of the data controller in this processing;
    b) an assessment of the necessity and proportionality between the purposes and activities of the personal data processing;
    c) an assessment of the risks to the protection of the rights of the data subject; and
    d) the measures that the data controller uses to protect the data subject from the risks of personal data processing.

If the data controller has a DPO within its organization, it shall consider and record the DPO's input when implementing the DPIA. Further details regarding the DPO will be provided below.

Additionally, the data controller has further obligations with respect to the DPIA, namely the data controller shall:

  • revisit the DPIA should there be a change in the risk of personal data processing activities;
  • implement measures as highlighted in point (d) above during the processing activities; and
  • record the DPIA as well as measures as highlighted in point (d) above.

DPO

The Draft underlines the data controller and data processor's obligation to appoint a DPO in the event of:

    a) processing of personal data for public service purposes;
    b) engaging in core activities that involve regular and large-scale systematic monitoring of personal data; and
    c) conducting large-scale processing of personal data related to specific personal data and/or criminal offenses.

The points (a) to (c) above must be met collectively. If not, the current view is that the DPO is not mandatory. However, it is worth noting that the practical implications may change when the Draft is formally enacted into a government regulation.

The appointment of a DPO, as mentioned earlier, is based on their professionalism, legal knowledge, expertise in data protection practices, and capacity to perform their duties. Furthermore, the data controller and/or data processor must appoint the DPO based on their organizational structure, size, and needs. The DPO may be an individual or several persons from inside and/or outside the data controller and/or data processor.

It is explicitly stated that the minimum tasks of the DPO must encompass the following:

  • inform and advise the data controller or data processor to comply with the provisions in the laws and regulations in the field of personal data protection;
  • monitor and ensure compliance with the provisions of laws and regulations in the field of personal data protection and policies of the data controller or data processor;
  • provide advice on the assessment of the impact of personal data protection and monitor the performance of data controller and data processor; and
  • coordinate and act as a contact person for issues related to the processing of personal data.

In the context of the tasks assigned to the DPO, the data controller and data processor are required to:

  • involve the DPO in all personal data processing matters correctly and in a timely manner;
  • ensure the DPO has reporting access to the highest level of management;
  • ensure the DPO operates objectively and is protected from dismissal or penalties for performing duties according to laws and regulations;
  • provide adequate resources for the DPO's duties and expertise;
  • ensure that the DPO has appropriate access to processing activities;
  • provide appropriate access to other services to obtain essential information relating to the processing of personal data;
  • seek advice from the DPO when conducting a DPIA; and
  • document the details and activities of the DPO.

Offshore personal data transfer

Prior to the enactment of the PDP Law, Indonesia recognized and permitted offshore personal data transfers. As a rule of thumb, the main requirements for a data controller to undertake the offshore data transfer are:

    a) ensure that the data controller and/or data processor receiving the personal data has a level of protection equal to or higher than that under the PDP Law;
    b) if point (a) cannot be met, ensure that there is adequate and binding protection, similar to Binding Corporate Rules (BCR) under the General Data Protection Regulation (GDPR); and/or
    c) in the event that points (a) and (b) cannot be fulfilled, obtain consent from the data subject for the transfer.

With respect to point (a), the Draft further specifies that the determination of whether a country has an equal or higher level of personal data protection will be made by a personal data protection agency (Agency), which has yet to be established as of November 2023. It is also expected that the Agency will issue a list of countries deemed to have equal or higher levels of personal data protection.

Notwithstanding the absence of the aforementioned list of countries, the Draft has underlined the framework for making such determinations. This framework involves assessing whether the receiving country possesses the following:

  • a personal data protection legal framework;
  • an agency whose duty is to oversee or supervise the implementation of personal data protection; and
  • international commitments, or legally binding conventions or international, multilateral, or regional agreements, related to personal data protection.

Currently, it is unclear how the abovementioned identification measures are to be undertaken. They could potentially involve a self-assessment conducted by the data controller. If it is determined that the receiving country has a lower level of data protection than Indonesia, the data controller must guarantee that there is adequate and binding personal data protection (similar to BCR under the GDPR).

If both obligations still cannot be fulfilled, the data controller would need to ask for consent from the data subject to perform the offshore personal data transfer. The transfer can only be done if:

  • the cross-border transfer is non-recurring;
  • the transfer involves a limited number of data subjects;
  • the transfer is necessary for the purpose of fulfilling provisions that do not override the interests or the rights of data subjects;
  • the data controller has assessed the risks and implemented appropriate measures; or
  • the data controller has informed the Agency and the data subject regarding the transfer activity and the legitimate interests fulfilled by the transfer.

Mandatory notification of personal data protection failure

In the event of a personal data protection failure or breach, data controllers are required to notify the data subject and the Agency within a maximum of 72 hours from the moment the data controller becomes aware, with certainty and in a proper and reasonable manner, of such incident. The notification must at least include the following information:

  • details of the disclosed personal data;
  • when and how the personal data was disclosed;
  • the impact and the recovery efforts in handling the failure of personal data protection; and
  • contact person.

It is important to emphasize that if no disclosure of personal data occurred during the breach, the Draft specifies that the data controller is exempted from filing the notification as above.

The Draft also introduces a new obligation for the data controller to notify the public of the breach if it meets any of the following criteria:

  • it disrupts the provision of public services;
  • it has a serious impact on the public interest; or
  • the data controller cannot ensure that the data subject received the notification directly as a result of the breach.

In addition to the above, the Draft also requires the data controller to record the breach and establish and enforce policies, procedures, and/or guidelines relating to the prevention and handling of personal data breaches.

Indonesia's future personal data protection Agency

To further regulate the Agency's role in supervising the implementation of personal data protection in Indonesia, the Draft specifies that the Agency's responsibilities include:

  • formulating and stipulating policies in the field of personal data protection;
  • supervising the data controller's compliance with the relevant regulations;
  • imposing administrative sanctions for violations committed by the data controller and/or data processor;
  • assisting law enforcement officials (i.e., by providing opinions and recommendations) in handling allegations of personal data criminal offenses as referred to in this bill;
  • cooperating with personal data protection institutions of other countries in order to resolve alleged violations of cross-border personal data protection;
  • conducting an assessment of the fulfillment of the requirements for the transfer of personal data outside the jurisdiction of the Republic of Indonesia;
  • issuing orders as a follow-up to the results of supervision for data controllers and/or data processors;
  • publishing the results of the supervision of personal data protection in accordance with the provisions of laws and regulations;
  • receiving complaints and/or reports regarding alleged violations of personal data protection;
  • conducting examination and tracking of complaints, reports, and/or supervision results on the alleged violation of personal data protection;
  • summoning and presenting any person and/or public body related to the alleged violation of personal data protection;
  • requesting data, information, and documents from any person and/or public entity related to the alleged violation of personal data protection;
  • summoning and presenting experts required in the examination and investigation related to the alleged violation of personal data protection;
  • conducting examination and search of electronic systems, facilities, spaces, and/or places used by the data controller and/or data processor, including obtaining access to data and/or appointing third parties;
  • requesting legal assistance from the prosecutor's office in the settlement of disputes over personal data protection.

Noting the above tasks, it is essential to closely monitor the formal establishment of the Agency, which, as of November 2023, has not yet been formed by the Indonesian government.

Administrative sanctions

In line with the PDP Law, the Draft specifies that administrative sanctions will then be imposed by the Agency for non-compliance with the provisions relating to personal data protection. These administrative sanctions include:

  • issuing a written reprimand;
  • temporarily suspending personal data processing activities;
  • ordering the deletion or destruction of personal data; and/or
  • imposing administrative fines, the maximum amount of which shall be 2% of annual revenue or annual receipts, determined in relation to the variables of the violation, such as its impact, duration, the type and number of affected data/persons, and the scale of the business.

The imposition of administrative sanctions shall be carried out by considering the extent or effect of the data controller's or data processor's breach, its business continuity, its compliance history, and clear considerations and reasons.

Regarding the imposition of administrative fines by the Agency, if the non-compliant data controller or data processor is not willing to pay the determined amount, the Agency is authorized to coordinate with other law enforcement bodies to collect such fines, which are then recorded as non-tax state income.

It is important to note that the information provided above may still be subject to changes, as the Draft has not reached its final form. It is advisable to closely monitor the development of the Draft, as it will have an impact on the way businesses navigate their conduct to ensure compliance with the prevailing laws and regulations.

Chalid Heyder Office Managing Partner
[email protected]
Teguh Darmawan Counsel
[email protected]
Andera Rabbani Associate
[email protected]
Hogan Lovells, Indonesia
