Indonesia appears ready to enact a new law on the protection of personal data. A draft law on personal data protection (“PDP Draft Law”) has been signed by President Joko Widodo and is being discussed by the House of Representatives. Several government officials have been quoted in the media saying they expect the PDP Draft Law to be passed and enacted in 2020.
This article looks at some of the key changes contemplated by the PDP Draft Law. Note that while it seems the draft is near passage, it is still subject to further revision.
Key Changes for Personal Data Owners
The last version of the PDP Draft Law contains 72 articles and 15 chapters. A common element in the PDP Draft Law is its adoption of various terms, rights, obligations, and other provisions contained in the European Union’s General Data Protection Regulation (“GDPR”). In past informal discussions with officials at the Ministry of Communication and Informatics, the officials consistently referred to the GDPR as a model regulation for PDP matters. So it is not surprising that some of the provisions of the GDPR have made their way into the PDP Draft Law.
Under the draft law, personal data owners would provide their personal data to “data controllers” and “data processors”. A data controller will determine the purpose and control the processing of personal data, while a data processor will process the personal data on behalf of the data controller. These terms are found in the GDPR.
We note that the PDP Draft Law contains additional elucidation on the rights and obligations of the parties involved in the collection and utilization of personal data.
Rights and Obligations of Personal Data Owners
The PDP Draft Law regulates several rights of personal data owners, all of which are rights enshrined in the GDPR. These rights include, but are not limited to:
- The right to access one’s personal data;
- The right to correct any mistake/inaccuracy in personal data;
- The right to erase, terminate the processing of and/or destroy personal data;
- The right to withdraw previously granted consent for the processing of personal data;
- The right to object to the automated processing of personal data based on profiling; and
- The right to suspend or limit the processing of personal data proportional to the purpose of processing.
Compared with other rights of personal data owners under the PDP Draft Law, the above rights are unique because, under the PDP Draft Law, these rights shall be enforced based on a written request from the personal data owner to the data controller. The PDP Draft Law is silent on sanctions if the data controller does not comply with such a request. This is one of the concerns that has been raised by the House of Representatives.