Indonesia passes personal data protection bill into law

Global technology development has contributed to a rapid growth of the digital economy in Indonesia. Digital applications and marketplaces are already widely used in the country. As a result, the use and storage of personal data for digital services has greatly increased.
Partly as a result of this development, Indonesia has recently faced severe data breaches. For example, data of 26 million customers of Telkom Indonesia’s internet and digital TV service IndiHome was leaked this year. Another incident is the data breach at the Indonesian Healthcare and Social Security Agency in May 2021, where personal data of insured persons was sold in an online forum. In 2019, the country’s State Cyber and Crypto Agency (BSSN) recorded more than 98 million cyberattacks.
The new law improves the protection of personal data
In September 2022, the Indonesian House of Representatives (DPR RI) passed a personal data protection bill into law. It will help to better protect Indonesian consumers’ personal data. The law addresses, among other things, the definition of personal data, the rights of the data owner, the obligations of data controllers and processors, the role of data protection officers, and sanctions.
The Ministry of Communications and Informatics (KOMINFO) will be responsible for the supervision of personal data governance through Electronic System Operators (ESO). According to Minister Johnny G. Plate, the new law marks a new era in the management of personal data in Indonesia. It strengthens the rights of data owners and includes sanctions for electronic system providers in case of a data protection breach or other malpractice in handling personal data.
The law also contains explicit stipulations on data transfers, similar to those of the EU General Data Protection Regulation (GDPR). Regarding cross-border transfer of personal data, the data controller may only transfer the personal data to a country with an adequate or higher level of data protection than Indonesia. The data controller must also assure the data subject that there is a legally binding instrument in place to protect personal data, or the data controller must have obtained the data subject's consent to transfer their personal data abroad. This is highly important because data moves extraterritorially and extrajudicially, crossing national boundaries. Minister Plate emphasised that the legal framework must be internationally compatible.
Rules and sanctions create strong incentives for data protection
Under the new legislation, personal data controllers are now required to update and correct errors in personal information within 24 hours of receiving the request to do so. They are also obliged to delete personal data if the data is no longer necessary or if the personal data subject has withdrawn consent to the processing of the data.
Data handlers can now be sanctioned with up to five years' imprisonment for leaking or misusing private information. Individuals who falsify personal data for their own benefit can be punished with up to six years in prison. Corporate fines can be as high as two percent of the company’s annual revenue in case of a data leak. In addition, assets of the company could be confiscated or auctioned off.
These sanctions create strong incentives for the protection of personal data in Indonesia.