Indonesia's data protection regime is about to be transformed with a new Draft Bill on the Protection of Private Personal Data (the "Bill"). The chief of public relations for the Ministry of Communications and Information has indicated that the Bill may become law as soon as mid-February 2016, although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives. If passed, this will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy and its significance is undoubted.
The current data protection regime is comprised of fragmented regulations scattered among various sources of law, including Law No. 11 of 2008 on Electronic Information and Translation and Government Regulation, Law No. 82 of 2012 on the Implementation of System and Electronic Transactions, as well as various sector-specific regulations. Compared with modern data protection regimes adopted in other countries, Indonesia's existing law has a number of deficiencies. For example:
- The law does not adequately differentiate between (i) entities thatcontrol and entities that process personal data, (ii) recipients and senders of data; (iii) business and non-business data; and (iv) sensitive and non-sensitive data;
- There is no general requirement to inform data subjects of how their personal data will be used;
- There are limited controls in respect of direct marketing;
- There is no mandatory requirement for companies to appoint a data protection officer;
- There are limited provisions to regulate overseas data transfer; and
- The scope of application of the existing law is vague and ill defined.
The draft Bill addresses a number of these issues including:
- New definition of "Sensitive Information": sensitive information refers to data associated with religion, beliefs, physical or mental health, sex life, financial position or any other information that may cause an individual to be discriminated against. Sensitive data can only be used for limited purposes such as for employment, personal protection, medical reasons, or law enforcement. The consent of the data subject is required before sensitive data can be collected.
- Imposing specific notice and consent requirements: Data subjects will also need to be notified as to the identity of the data user, the purpose of data collection, the type of data being collected and the duration of data retention. In addition, companies will be expected to adopt more stringent security measures to protect the collected personal data. Consent will also have to be obtained if companies intend to transfer data to third parties or outside Indonesia.
- New restrictions on the use of video surveillance devices.
- Establishment of an Information Commission that will govern and oversee the protection of private data.
The above is a general framework of the Bill, but details of the specific contents of the Bill are expected to be released once the Bill has been discussed by the House of Representatives. We will continue to monitor developments in relation to the new Bill.