Support Centre

Indonesia

Summary

Law: Personal Data Protection Law (only available in Indonesian here) ('PDPL')

Regulator: There is no general data protection authority at present.

Summary: Currently, Indonesia takes a patchwork approach to personal data protection legislation, with provisions related to data privacy appearing in several different pieces of legislation. In particular, Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions (only available in Indonesian here) ('the Electronic Information Law') provides certain data privacy rights. In addition, the Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ('Kominfo Regulation 20') establishes significant data protection requirements for electronic system providers, and Government Regulation No. 71 of 2019 regarding the Implementation of Electronic Systems and Transactions (only available in Indonesian here) ('GR 71') outlines the procedural guidelines for the Electronic Information Law.

The PDPL creates a singular, comprehensive approach to personal data protection. The PDPL establishes a dedicated institution responsible for administering the PDPL and introduces notable obligations for data controllers and processors. Following its ratification on 20 September 2022, the PDPL entered into force, on 17 October 2022. Article 74 of the PDPL provides that controllers, processors, and any other parties related to the processing of personal data will have two years from the date of promulgation to comply with the PDPL.

Insights

On January 2, 2024, the Indonesian Government officially enacted Law No. 1 of 2024 on the Second Amendment to Law No. 11 of 2008 on the Electronic Information and Transactions (the Electronic Information Law) (the amendment). 

The revision of the Electronic Information Law was driven by a desire to establish a greater sense of public justice and legal certainty. The need for this revision became apparent as the prior version led to multiple interpretations and controversies within the community. The amendment reflects the Government's commitment to adapting to the changing landscape of digital transactions and online activities within the country. Overall, the Electronic Information Law is designed to protect individual rights in online spaces, regulate electronic transactions, and employ punitive measures to uphold its provisions. 

Specifically, the amendment made changes to various provisions in the previous draft. These changes include enhancing the protection of minors in electronic systems access and specifying the governing law for international electronic contracts. Teguh Darmawan, from Hogan Lovells, discusses the key highlights of the amendment to the Electronic Information Law.  

Chalid Heyder, Teguh Darmawan, and Andera Rabbani, from Hogan Lovells, examine Indonesia's changing personal data protection landscape by discussing the newly published draft of the government regulation implementing the Personal Data Protection Law (PDP Law). This Insight article covers essential aspects such as data classification, Data Protection Impact Assessments (DPIA), the role of Data Protection Officers (DPO), offshore data transfers, mandatory breach notifications, and the forthcoming personal data protection Agency, highlighting key administrative sanctions and their implications.

On 20 September 2022, the House of Representatives ratified the final draft of the Personal Data Protection Act1 which, once formally enacted into law, will become the Law on Personal Data ('the Law'). The Law is expected to unify Indonesia's patchwork of data protection legislation, which is currently limited to electronic information and systems, namely Law No. 11 of 2008 on Electronic Information and Transactions and Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems. OneTrust DataGuidance provides an overview of the Law and its key provisions, with part one covering the scope of application, key definitions and principles, legal bases for processing, and rights of data subjects, and part two covering controller and processor obligations, data transfers, and enforcement and entry into force of the Law.

On 20 September 2022, the House of Representatives ratified the final draft of the Personal Data Protection Act1 which, once formally enacted into law, will become the Law on Personal Data ('the Law'). The Law is expected to unify Indonesia's patchwork of data protection legislation, which is currently limited to electronic information and systems, namely Law No. 11 of 2008 on Electronic Information and Transactions and Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems. OneTrust DataGuidance provides an overview of the Law and its key provisions, with part one covering the scope of application, key definitions and principles, legal bases for processing, and rights of data subjects, and part two covering controller and processor obligations, data transfers, and enforcement and entry into force of the Law.

Feedback