Indonesia's Personal Data Protection Law (PDPL): Are you compliant?

Sameer Ahirrao -

Most countries are now implementing laws to protect data privacy, with regulations covering every phase of data handling, including collection, processing, sharing, storage, transfer, and disposal. On October 17, 2020, Indonesia followed suit by enacting a comprehensive Personal Data Protection Law.

This article provides a brief overview of the main aspects of Indonesia's data protection laws and their impact on businesses operating within the country or engaging with its citizens.

Who is required to comply with personal data protection regulations in Indonesia?

Indonesia's data protection law applies to any entity—whether an individual, private or public organization, or government body—handling personal information in the country. It also extends to businesses outside Indonesia if their activities have legal implications within the country. In other words, both local and international companies dealing with Indonesian consumers must adhere to Indonesia's data privacy regulations.

In essence, any company managing the data of Indonesian residents, no matter where it operates, must comply with the law.

The Indonesia Personal Data Protection Law, along with other relevant industry-specific regulations, applies across all sectors. However, these rules are only relevant to data processing done for business purposes and do not cover personal or domestic data processing.

Given Indonesia's significant role in the global market and its growing economy, it is essential for businesses to make the necessary operational adjustments to comply with the country's data protection laws.

What are the key Indonesian data protection laws you should be aware of?

Before 2020, Indonesia's data protection framework was fragmented and lacked a comprehensive, unified law. Instead, there were various sector-specific regulations.

Article 28(g) of the Constitution of the Republic of Indonesia provides protection for personal property, which has been interpreted to include personal data.

Several data protection provisions applied specifically to electronic system providers, including the 2008 Electronic Information and Transactions Law, the 2016 Electronic Information Law, and the 2016 Protection of Personal Data in Electronic Systems Law. The Electronic Information Law requires consent for the use of personal data unless stated otherwise.

Additional sector-specific regulations include:

  • The 2006 Demography Law, amended in 2013 by the Demographic Administration Law.
  • The 2022 Ministry of Health Regulations, which safeguard the privacy of personal medical information.
  • The 2020 Bank of Indonesia Regulation, which mandates banks and related institutions to protect consumer information.
  • The 2022 Financial Services Authority Regulation, which requires financial service institutions to secure and protect customer data.

The Personal Data Protection Law (PDPL) now serves as the main reference for personal data protection in Indonesia. However, the sectoral laws mentioned above remain in force as long as they do not conflict with the PDPL.

The Personal Data Protection Law of 2020

The PDPL was introduced at a crucial time, addressing the pressing need for data protection reforms. With fifteen chapters and seventy-two articles, the law offers thorough guidelines on every aspect of personal data protection in Indonesia. It details the rights of data owners, the duties of data controllers and processors, and the proper methods for collecting, storing, processing, and transferring personal data.

Key concepts of the PDPL:

The PDPL defines personal data as any information that can be used, either by itself or in combination with other data, to directly or indirectly identify an individual. It also identifies "specific personal data," which includes sensitive information such as health, financial, genetic, and biometric details.

Scope of personal data:

Along with the defined "specific personal data" in the PDPL, the Draft Regulation introduces a process that allows the government to broaden this category. The Ministry, in collaboration with the PDP Agency, can classify additional types of data as "specific personal data" if they pose a significant risk to data subjects, such as discrimination, financial or non-financial loss, or legal violations. It also specifies that personal data includes information available in the public domain. This provision gives the government the flexibility to expand its oversight, which could create uncertainty for businesses over time.

The rule of consent:

Consent is a fundamental requirement for data processing. According to Articles 22 and 23, controllers must obtain explicit, written, and valid consent from data subjects. For consent to be considered valid, the subject must be informed about the purpose, type, relevance, and duration of the data processing. They must also be made aware of their rights and assured that their data will be used lawfully.

Principles of processing:

Article 3 of the PDPL outlines the following principles for data processing:

  • Protection: Measures must be taken to prevent misuse or unauthorized access to personal information.
  • Legal Certainty: All processing activities must comply with legal requirements.
  • Public Interest: Data protection must consider state administration, national defense and security, and the broader interests of society.
  • Benefit: The management of personal information should promote public and national welfare.
  • Prudence: Controllers, processors, and supervisory bodies must exercise caution to avoid potential losses.
  • Balance: The right to data protection should be weighed against legitimate state interests in the public interest.
  • Accountability: Those involved in data processing must act responsibly and be accountable to regulatory bodies and data subjects.
  • Confidentiality: Personal information must be protected from unauthorized access and manipulation.

Obligations of controllers and processors:

The PDPL differentiates between data controllers and processors, assigning them both distinct and shared responsibilities. A controller is any individual or organization with the authority to manage the processing of personal data. A processor is any person, public entity, or international organization that processes data on behalf of the controller, either independently or in collaboration. Generally, the controller is accountable for the processor's actions, provided they follow the controller's instructions.

Obligations of Controllers:

Controllers have extensive duties under the PDPL, detailed in Articles 20 to 50. In addition to having a legal basis for processing, obtaining the subject's consent, and respecting their rights, controllers must:

  • Maintain a record of all data processing activities.
  • Conduct a data protection impact assessment, particularly when handling high-risk data.
  • Keep personal information confidential and restrict access to it.
  • Supervise all parties involved in processing personal data under their control.
  • Halt or delay processing if the data subject withdraws consent or requests a postponement, within 72 hours of receiving the request.
  • In case of a data breach or failure, notify the subject, relevant regulatory bodies, and the public within 72 hours, as required by law.

However, Article 50 allows for exceptions to these requirements in certain situations, such as for national defense and security, law enforcement, public interest, or other matters of state administration.

Obligations of processors:

Articles 51 and 52 outline the obligations for both controllers and processors, which are largely similar. Additionally, processors have specific responsibilities, including:

  • Ensuring personal data is accurate, complete, and complies with applicable laws and regulations.
  • Implementing both operational and technical measures to protect personal data.
  • Safeguarding data from any processing that violates legal provisions.

Appointment of a data protection officer:

Article 53 outlines circumstances that may necessitate the appointment of a Data Protection Officer (DPO) for controllers and processors. This includes situations where processing is done on a large scale, for public purposes, in a highly organized manner, or in relation to criminal activities.

The DPO's role is to ensure that operations adhere to data protection principles and help prevent breaches. The DPO can be either an internal employee or an external third party and serves as the intermediary between the controlling party and the data subjects.

Penalties for non-compliance:

Failing to fully comply with data sovereignty regulations in Indonesia can lead to severe legal consequences, including both civil and criminal penalties as detailed in Articles 67 to 69 of the PDPL.

  • Individuals who illegally obtain data for profit can face up to five years in prison, a fine of up to IDR 5 billion ($331,741), or both.
  • Those guilty of willfully and unlawfully disclosing personal information may be sentenced to up to four years in prison, a fine of up to IDR 4 billion ($265,322), or both.
  • Using another person’s data for illegal purposes can result in up to five years in prison or a fine of IDR 5 billion, or both.
  • Falsifying or altering personal data with intent to harm can lead to a six-year prison sentence or a fine of up to IDR 6 billion ($397,977).

Corporations cannot face imprisonment but can be fined. For fairness, fines for individuals can be multiplied up to ten times.

Additional penalties for corporations may include:

  • Forfeiture of assets and income from the crime.
  • Suspension of business operations as determined by the government.
  • Long-term prohibition on specific business activities.
  • Complete or partial closure of business operations.
  • Fulfillment of pending obligations.
  • Compensation payments to affected individuals.
  • License revocation.
  • Dissolution of the corporation.

Cross-border data transfer requirements

Transferring data outside Indonesia is tightly controlled. According to Indonesian privacy law, the receiving country must provide a level of protection equivalent to or greater than what the PDPL offers.

If this condition isn’t met, the transfer may still proceed if the controller can demonstrate that the recipient has acceptable data protection standards.

If neither condition is satisfied, the transfer can only occur with the data subject’s consent.

Article 21(a) of Kominfo Regulation 20 outlines additional requirements for electronic system providers. They must report the transfer to Kominfo, detailing the receiving country and entity, the frequency, purpose, and outcomes of the transfer.

While these transfer rules might seem straightforward, non-compliance can lead to significant consequences for businesses.

How Ardent Privacy helps to comply with Indonesia PDPL?

Ardent Privacy offers solutions that can help organizations comply with Indonesia's Personal Data Protection Law (PDPL) by addressing key requirements around data privacy and protection. Here's how:

1) Data Discovery and Mapping: Ardent Privacy provides tools to discover, classify, and map personal data across various data stores. This is crucial for complying with the PDPL's requirements for identifying and managing personal data, ensuring that organizations know where personal data resides and how it is being processed.

2) Data Minimization and Deletion: The platform enables organizations to implement data minimization strategies, reducing the amount of personal data they store and process. This helps in complying with PDPL's principles of data minimization and purpose limitation. Additionally, it offers features to automate the secure deletion of unnecessary or obsolete personal data, which is essential for meeting the retention policies stipulated by the PDPL.

3) Privacy Impact Assessment (PIA): Ardent Privacy can assist in conducting Privacy Impact Assessments, which are necessary to evaluate the risks associated with the processing of personal data. This aligns with the PDPL's requirement for assessing potential risks to data subjects and implementing appropriate measures to mitigate those risks.

4) Consent Management: The platform supports consent management, allowing organizations to capture, manage, and track consent from data subjects. This is important under the PDPL, as it requires explicit consent for processing personal data and mandates that organizations keep records of consents obtained.

5) Data Subject Rights Management: Ardent Privacy helps organizations manage data subject requests, such as requests for access, correction, and deletion of personal data. The PDPL grants several rights to data subjects, and organizations must have processes in place to respond to these requests in a timely manner.

6) Reporting and Documentation: The platform provides robust reporting capabilities, enabling organizations to generate documentation that demonstrates compliance with PDPL. This is crucial for audits and regulatory reviews, where organizations must show that they are adhering to data protection obligations.

7) Data Protection by Design and by Default: Ardent Privacy encourages the implementation of privacy-by-design principles, ensuring that data protection measures are embedded into business processes and systems from the outset. This proactive approach aligns with the PDPL's emphasis on data protection by design and by default.

By leveraging these capabilities, Ardent Privacy helps organizations align with the requirements of Indonesia's PDPL, reducing the risk of non-compliance and enhancing overall data protection practices.