The Indonesian government has recently prepared a Draft Bill on the Protection of Private Data (“Data Bill”), which is to be discussed by the House of Representatives. This will be the first modern data privacy law (the previous Electronic Transactions law and regulations are now out of date).

The Data Bill seeks to protect private data by governing standards around data management and transfer. Provisions relate to:

  1. Two types of private data: sensitive and normal private data. Sensitive private data refers to religion/beliefs, health, physical and mental status, sex life, financial position. Normal private data refers to data identification information. Sensitive data has much narrower permitted uses (e.g. employment, protection, medical, law enforcement, or it is public domain) and requires consent.
  2. Management of private data by organizations, including corporations, that engage in the gathering and storage of private data. There are specific consent requirements. Data users are subject to various disclosure requirements (presumably local language notifications), relating to the organization, the purposes of the data collection, types of data, and time periods. There are obligations on data users to disclose to data owners and to take security steps to protect the data, and there are restrictions on data transfer (consent is required unless there are contracts or international agreements).
  3. Usage of video-surveillance devices;
  4. The role of the Information Commission in protecting private data; and
  5. Transfers of private data.

The Data Bill appears to set out a modern data regime. The House will debate it and is expected to enact it soon.