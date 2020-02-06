The Ministry of Communication and Information Technology (‘Kominfo’) announced, on 28 January 2020, that the draft of the Personal Data Protection Act (‘the PDP Bill’) has officially been submitted by the President of Indonesia, Joko Widodo, to the Chairperson of the Indonesian House of Representatives (‘DPR’) by means of Presidential Letter No. R-05/Pres/01/2020 of 24 January 2020. In particular, the PDP Bill would apply to both public and private sectors, including individuals, public agencies, and organisations/institutions.

Definition of personal data

The PDP Bill divides ‘personal data’ into two categories, namely, personal data, which is ‘general in nature,’ and personal data that is ‘specific.’ The former includes an individual’s full name, gender, citizenship, religion, and/or personal data that is combined to identify the individual. The latter concerns health data and information, biometric data, genetic data, data concerning sexual life or orientation, political views, criminal records, children’s data, personal financial data, and/or other data in accordance with statutory provisions. However, the PDP Bill does not explicitly state that specific data is subject to stricter requirements.

Data subjects’ rights

Under the PDP Bill, the rights of the personal data owner include, among others:

the right to request information about the identity, basic legal interests, the purpose of requesting and using personal data, and the accountability of the party requesting personal data;

the right to access his/her personal data;

the right to update and/or correct errors and inaccuracies concerning his/her data;

the right to terminate the processing of, or delete/destroy, his/her personal data;

the right to object to profiling;

the right to postpone or limit the processing of personal data;

the right to obtain and use personal data; and

the right to obtain and transmit personal data.

Legal basis

The PDP Bill outlines that the processing of personal data would be subject to obtaining valid, written or verbal, approval from the personal data owner for one or several specific purposes. Requests for approval must be clearly distinguishable from other matters, made in a format that is understandable and easily accessible, as well as use simple and clear language. In addition, in the event where the personal data owner withdraws his/her approval for processing personal data, the personal data controller must stop processing such personal data.

Alternatively, the personal data controller may rely on one of the six legal bases listed in the PDP Bill. These include the necessity to fulfil of a contractual obligation, a legal obligation, or an obligation in the public interest, to protect legitimate/vital interests of the personal data owner, to exercise authority in line with the statutory provisions, or to fulfil other legitimate interests of personal data controller.

Accountability and record-keeping obligations

Similarly to the EU’s General Data Protection Regulation (Regulation (EU)2016/679) (‘GDPR’), the PDP Bill would require personal data controllers to implement technical and organisational measures to ensure the security of personal data, considering the nature of the data and associated risks. Moreover, the PDP Bill would impose record-keeping obligations on personal data controllers, and oblige them to ensure that the appointed processors are properly supervised, and only act on their instructions.

The PDP Bill also notes that in certain cases, a personal data controller and a personal data processor must appoint an official or officer responsible for personal data protection.

International data transfers

The PDP Bill prescribes that a personal data controller may transfer personal data outside Indonesia, provided that the recipient ensures protection for personal data that is equal or higher than that provided by the PDP Bill, there is an international agreement between the relevant countries, or a contract implementing safeguards between the controllers in place, or the approval of the owner of personal data is obtained.

Way forward

Kominfo highlighted, on 28 January 2020, that once the PDP Bill is passed, Indonesia will become the fifth country in Southeast Asia to have enacted the rules relating to personal data protection, and that the PDP Bill will become the national standard for the protection of personal data in Indonesia. In addition, Kominfo announced, on 29 January 2020, that the public is invited to participate in giving responses, views and input to the Government to complete the discussion process on the PDP Bill with the DPR.

