The Government is considering a definitive law on data protection (Draft Data Protection Law). The Draft Data Protection Law adopts many concepts from the EU's General Data Protection Regulation. However, not all concepts of the GDPR are adopted, leading to concerns on how these concepts will be implemented in Indonesia (noting that data privacy awareness and the data privacy environment in Indonesia are not as advanced as in the EU).

In terms of coverage, the Draft Data Protection Law has an extraterritorial provision, which is similar to the 2008 Electronic Information and Transactions Law.

The key points in the Draft Data Protection Law are as follows:

1. The definition of "personal data" remains broad, i.e., any data on an individual that is identified and/or can be identified on its own or if combined with other information, either directly or indirectly through electronic and/or non-electronic systems.

2. The Draft Data Protection Law differentiates between general personal data and specific personal data (this is like the concept of sensitive personal data in other jurisdictions). However, it is not entirely clear how the two types of personal data will be treated differently (and this will need to be addressed through implementing regulations).

3. The Draft Data Protection Law differentiates between data controllers (i.e., parties that collect personal data and obtain consent) and data processors (i.e., parties that process personal data).

In terms of responsibility, the Draft Data Protection Law provides that a data controller will be the responsible party for any data processing activities as long as the appointed data processor conducts the data processing activities in accordance with the instructions from the data controller. Otherwise, the data processor will be responsible.

This is different from the previous draft of the Draft Data Protection Law, under which data controllers and data processors both had the same responsibilities to ensure the protection of personal data in data processing activities.

4. The Draft Data Protection Law introduces more strict requirements on conducting offshore data transfers.

For transfers to occur, the following requirements must be met: (i) the receiving country or international organization must have data privacy protection that is at least as strong as in Indonesia, (ii) there must be a contractual arrangement between the Indonesian data controller and the offshore receiving party, and (iii) there must be an international agreement between Indonesia and the country of origin of the receiving party. It remains to be seen how quickly Indonesia would conclude agreements, or whether the third requirement would be immediately enforced.

5. The Draft Data Protection Law prohibits the monetization and/or profiling of personal data without consent.  

6. The Draft Data Protection Law imposes more severe sanctions if there is a violation by a company. These sanctions include (i) criminal sanctions on the company and/or its management, (ii) maximum criminal penalties that are three times those that apply for individuals and (iii) confiscation of cash and assets, prescriptive orders, suspension of activities, and business closure.

The Draft Data Protection Law has been included in the 2019 list of prioritized laws in the National Legislation Program. However, the Draft Data Protection Law has not yet been submitted to the Parliament (all laws must be approved by the Parliament before they can be issued).

With the upcoming reshuffle in the Cabinet and the new Parliament in October, the Draft Data Protection Law is likely to be passed after October 2019.