Background

The Government has issued a new version of a draft personal data protection law, which has extraterritorial reach.

The draft law contains many provisions which are already law in other countries. Some of the key provisions in the draft law are set out below.

General and Specific Personal Data

The draft law distinguishes between two categories of Personal Data:

(a)  general Personal Data (i.e., can be obtained from the public domain or has been disclosed)

(b)  specific Personal Data (i.e., specific data covered by laws and regulations)

Personal Data is defined as any data about a person that can identify automatically the person or when combined with other information directly or indirectly obtained through electronic and/or non-electronic systems, can identify a person.

Controller and Processor

The draft law differentiates between a Controller (who collects and manages Personal Data), and a Processor (who processes Personal Data on behalf of a Controller). This is a new feature for Indonesia.

Consent Requirement and Use of Personal Data

The draft law states that Controllers must obtain written consent from the legal owner of the Personal Data in order to manage and transfer their specific Personal Data, which should only be given after a Controller provides sufficient information to the owner.

Specific Personal Data can be managed by a Controller without prior written consent from the owner:

(a)  if required under the laws and regulations or for law enforcement

(b)  for the purpose of well being, safety and security of the owner (including for medical reasons)

(c) if the specific data has come into the public domain due to the owner's actions

(d) if needed to enter into an agreement with the owner Apart from consent, other requirements on cross-border data transfer (e.g., such as there being the same level of protection in the receiving country) must also be followed.

Notification on Breach

Controllers also have an obligation to notify any owner whose Personal Data has been disclosed inadvertently. The Draft Law does not state when the notice should be given.

Requirements to Delete or Destroy Personal Data

The Draft Law distinguishes between Personal Data deletion and Personal Data destruction. Deletion is applicable for Personal Data that is processed electronically, while destruction is applicable for Personal Data that is not processed electronically.

Strengthening Privacy Protection

The draft law has increased the protection for data privacy. Owners can make a written request to the Controller to stop using their Personal Data for direct marketing activities.

Commission

The draft law introduces a privacy commission as a specific implementing body that will monitor and ensure compliance with the law.

The above matters will mean that Indonesian law takes an additional step to ensuring the data privacy of its citizens. However when the draft law will be enacted is uncertain as the draft law is not on the current legislative agenda.