2022 INDONESIAN DATA PROTECTION LAW OVERVIEW
On 17 October 2022 the Indonesian government passed Law No. 27 of 2022 on Personal Data Protection (the "PDPA"). This article gives an overview of the PDPA.
The outline of this overview is as follows:
a) Principles for data processing
b) Legal basis for data processing
c) Obtaining consent from data subject
d) Accuracy and updating personal data
e) Data breach
f) Data processor
g) Transfer of data outside Indonesia
h) Data Protection Impact Assessment
i) Data protection officer
j) Sanctions for breaches
k) Grace period for implementation
Principles of data processing
Similar to the EU GDPR, Article 16 Paragraph (2) of the PDPA provides for the following principles of data protection:
• Lawfulness principle
• Purpose limitation
• Data minimization
• Storage limitation
• Integrity and confidentiality
Legal basis for data processing
Article 20 Paragraph (2) of the PDPA, which mirrors Article 6 of the General Data Protection Regulation (GDPR), sets out the potential legal bases for data processing, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
The key principle is that data can only be processed for the purpose(s) to which data subjects have consented. Articles 22 to 24 of the PDPA address the requirements for obtaining consent.
The provisions requiring consent from data subjects appear similar, to some extent, to those under the GDPR.
However, the PDPA does not clarify whether the click-wrap method of recording consent will be recognized. This is a concern because Indonesian judges still take the traditional view that a valid agreement is a document containing the terms of the agreement with a wet-ink signature on it. Of late, regulations have been passed to allow electronic signatures where the users have enrolled with a local certifying authority to certify such signatures. The regulations also recognize uncertified signatures (Article 60, Government Regulation No. 71 of 2019 on Administration of Electronic Systems and Transactions). As it stands, the legal framework recognizes both certified and uncertified electronic signatures (DocuSign comes to mind). However, there is still uncertainty about the legality of signifying assent to terms and conditions using the click-wrap method.
See this page for further discussion: Electronic Contract Best Practices: Indonesia
Disclosure in consent
The disclosure necessary for obtaining consent is set out in Article 21 of PDPA – key information includes:
• The purpose of Personal Data processing
• The retention period of documents containing Personal Data
• The details regarding the Information collected
• The period of Personal Data processing
• The rights of the Personal Data Subject
The data subject needs to be notified of any change in the above.
Accuracy and updating
Under one of the principles discussed above, data controllers are obliged to process data "in an accurate, complete, not misleading, up-to-date and accountable manner". Article 29 of the PDPA obliges the data controller to verify the data.
Data controllers are required to update and correct errors in personal data within 72 hours of receiving a request for such updates or corrections (Article 30 of the PDPA).
In this regard, note that the data controller must also provide data subjects with access to their data within 72 hours of a request (Article 32 of the PDPA).
Data breach
Data subjects are to be notified of any data breach within 72 hours (Article 46 of the PDPA).
See this page for further discussion: Data Controller responsibility in the event of data breach
Data processor
Although the PDPA acknowledges the role of data processors, data controllers still have a duty to supervise them (Article 37 of the PDPA). Preventing unauthorized access remains the responsibility of the data controller (Article 39 of the PDPA), and this appears to be the case even where a data processor has been appointed.
Transfer of data outside Indonesia
Transfer of data out of Indonesia (Article 56) is permitted if:
a) The destination country has in place a data protection law that is on par with, or "higher" than, Indonesia's data protection law; or
b) The data controller ensures that "there is adequate and binding personal data protection"; or
c) The consent of the data subject is obtained.
Item (b) above presumably means that the data controller needs, at a minimum, to have adequate assurances in place from the overseas entity receiving the data. This should be assessed on a case-by-case basis.
See this page for further discussion: Rouse - Cross border data transfer - Indonesia
Data Protection Impact Assessment
A Data Protection Impact Assessment is required under Article 34 of the PDPA. Although this requirement seems to be inspired by the GDPR requirement, its coverage appears broader: an impact assessment is required when "processing personal data on large scale" or when the processing involves "matching or combining groups of data". These terms seem potentially broader in scope than what the EU GDPR contemplates. Article 34(3) provides for further implementing regulations, which will hopefully clarify when such assessments are required.
Data protection officer
Data controllers are required to appoint a data protection officer (Article 53 of the PDPA). At this point, there is no registration requirement for the data protection officer. However, the relevant provision provides for further implementing regulations to be passed with respect to the appointment of data protection officers.
Sanctions for breaches
The PDPA creates the following offenses, which are punishable by fine and/or imprisonment:
• Unlawfully obtaining or collecting Personal Data that does not belong to the offender with the intention of benefiting themselves or other persons (Article 67(1) of the PDPA)
• Intentionally and unlawfully disclosing Personal Data that does not belong to the offender (Article 67(2) of the PDPA)
• Intentionally and unlawfully using Personal Data that does not belong to the offender (Article 67(3) of the PDPA)
• Intentionally creating false Personal Data or falsifying Personal Data with the intention of benefiting themselves or other persons (Article 68 of the PDPA)
Management and/or beneficial owners could also be liable under these provisions (Article 70 Paragraph (1) of PDPA).
The specter of criminal sanctions underscores the need to have in place a framework for proving that consent for the collection of data has been secured (see the discussion above regarding click-wrap and consent).
The aggrieved party may seek compensation from the defaulting data controller – Article 12 of PDPA.
The court may also impose sanctions such as payment of compensation, suspension of business, confiscation of profits, partial or complete shutdown or cessation of business, and dissolution of the company (Article 70 Paragraph (4)). In the case of a fine, the amount can be up to two (2) percent of the company's turnover (Article 57 Paragraph (3) of the PDPA).
The sanction of imprisonment is one significant area where the Indonesian PDPA departs from the EU's GDPR, which provides for administrative fines, correction orders, and compensation, but not imprisonment.
Grace period for implementation
Data controllers have two years from the passing of the law (17 October 2022) to comply with the provisions of the PDPA.