Indonesian-German exchange on data protection policy

Germany and Indonesia recognise data protection as a fundamental framework condition for digitalisation. In October 2022, Indonesia issued the new Personal Data Protection (PDP) law which is the countrie’s first comprehensive law on data protection affecting businesses, the public sector as well as civil society. Germany’s data policy framework includes the General Data Protection Regulation (GDPR) of the European Union (EU), data sovereignty initiatives, data ethics guidelines and strategies for promoting data sharing and interoperability, among others.

Heiko Wildner from the German Federal Ministry for Digital and Transport (BMDV) opened the meeting and emphasised the crucial role of data protection for cross-border data flow. Ichwan Makmur Nasution from the Indonesian Ministry of Communications and Informatics (MCI) highlighted in his opening remarks that data protection can help to prevent data leakages and data breeches. According to Ichwan, the new PDP law will also lead to greater civil data sovereignty, meaning more control by citizens over their personal data.

Germany’s federal data protection policy and Indonesia’s Personal Data Protection Law

Hessen’s Deputy Data Protection Commissioner Lisa-Marie Lange shined light on data protection policy within Germany and the EU. She outlined the structure and different roles of the supervising data protection authorities, as well as the monitoring function and interplay of the supranational GDPR regulation and federal data protection regulation of Germany. Lange explained that there is no direct hierarchy between the EU and the federal government of Germany as participating agents.

Ulfah Diah, policy analyst at MCI, gave a comprehensive update on the newly issued Personal Data Protection (PDP) law in Indonesia. The law clearly regulates the processing of personal data by the public and private sector, both nationally and internationally. According to Diah, the law also promotes a new culture of data protection, as organisations are obliged to start good governance processes for reducing, assessing and monitoring personal data.

Discussing practical implications of data protection regulation

Following the presentations, a range of experts discussed the implementation of the data protection policies in both countries. The panel included representatives from government, business and academia. The discussion focused, among other topics, on the effects of data protection regulation on small and medium-sized enterprises (SMEs), the role of data protection officers and cross-border data flow.

From an Indonesian perspective, it was stressed that the implementation of the new data protection policy increases compliance costs and the lack of professional talent poses difficulties to handle the complex tasks of a data protection officer. However, both sides agreed that it is important to promote a data protection culture and to raise awareness within the industry, among employees and in civil society.

Data protection in evolving digital ecosystems

Industry stakeholders highlighted the need to innovate regulative approaches as the ecosystem evolves. They also underlined the importance of enabling transnational cross-border data flows. Indonesia is currently moving towards an approach of open transfer, which was identified as a positive sign. Nonetheless, cross-border data flows remain challenging: There are concerns about the need to obtain consent and assurance on data localisation and residency.

We thank all participants for this interesting discussion. The Indonesian-German Digital Dialogue will continue to provide a multi-stakeholder platform for the exchange of common challenges and opportunities for the digital transformation of both countries.