The Indonesian government ratified a draft of the new omnibus Personal Data Protection law (“PDP Law”) on 20th September 2022. This PDP Law is intended to unify the protection of personal data into a single comprehensive legal regime for Indonesia.
The PDP Law also grants data subjects additional rights beyond those in the previous regulations, such as the Minister of Communication and Information Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“Regulation No. 20/2016”) and Law No. 11 of 2008 on Electronic Information and Transactions (“EIT Law”).
This PDP Law will also establish a dedicated institution operating under the President of Indonesia. This institution will later formulate provisions relating to the implementation of personal data protection, supervise the implementation of personal data protection, enforce administrative law, and facilitate dispute resolution.
This PDP Law is due to come into force on a date set by the Ministry of State Secretariat or, failing that, 30 days from 20th September 2022. Parties who engage in data processing activities are obliged to comply with the new law within 2 (two) years.
The impact on investors in Indonesian companies that collect personal data
From the perspective of international investors going into Indonesia, this significant development could have both a positive and, to a lesser extent, a negative impact on how they proceed to invest in Indonesian companies.
It is important to have some form of legal regime to protect personal data. This has been demonstrated by many countries in Asia setting up personal data laws in their countries, establishing networks of co-operation, private enterprises setting standards of minimum conduct and other related action.
So, as a positive development, Indonesia has levelled up its laws to protect personal data with some degree of detail and structure. The resemblance of the proposed mechanisms to the data protection laws of other countries would only serve to ease harmonisation of the implementation of the concepts for international transfers of data.
It also means investors in Indonesian companies must add compliance with the PDP Law to the due diligence process. Investors in Indonesian companies should conduct proper due diligence to ensure their Indonesian target companies are in full compliance with these provisions and, for those unable to comply before completion, have proper remedial action in place.
Some of the salient features of the new PDP Law
In this respect, some provisions in the new PDP Law appear to stand out: -
1) Anyone who collects and/or uses personal data is either a Data Controller or a Data Processor. There must be a recognised basis for data processing by Data Controllers, namely: -
(a) Express consent from the Data Subject pursuant to a notification of purpose for such collection.
(b) Fulfilment of contractual obligations to which the Data Subject is a party.
(c) Fulfilment of the legal obligations of the Data Controller in accordance with the applicable laws.
(d) Protection of the Data Subject’s vital interests.
(e) Implementation of tasks in the public interest, or the implementation of the authority of the Data Controller in accordance with the applicable laws; and/or
(f) Fulfilment of other legitimate interests which shall be carried out by balancing the Data Controller’s interests and the Data Subject’s rights.
2) The Data Controller is required to carry out a Data Protection Impact Assessment (DPIA) if the Personal Data processing carries a high potential risk for the Data Subject.
3) In certain given circumstances, a Data Controller and Data Processor may be required to appoint a Data Protection Officer.
4) The PDP Law allows the cross-border transfer of Personal Data from a Data Controller to a Data Controller and/or Data Processor outside Indonesia if:
(a) The recipient’s country has an adequate or higher level of Personal Data protection than that stipulated in the PDP Law; and failing that
(b) There exists an adequate level of binding Personal Data protection; and failing that
(c) The consent of the Data Subject for the cross-border data transfer has been obtained.
The implementation of cross-border data transfer is to be further regulated by a Government Regulation.
5) Data Controllers are required to make the following notifications: -
(a) Controllers that fail to protect Personal Data are required to submit written notification no later than 3 x 24 hours to the Data Subject and Institution. This notification shall at least contain: (i) the disclosed Personal Data; (ii) when and how the Personal Data was disclosed; and (iii) efforts to handle and recover the disclosed Personal Data by the Personal Data Controller.
(b) If a Data Controller performs a merger, separation, acquisition, consolidation, or dissolution of a legal entity, it is required to submit a notification of the transfer of Personal Data to the Data Subject. The notification must be submitted prior to the aforementioned corporate actions. Further provisions regarding the procedures to deliver a notification shall be regulated in a Government Regulation.
6) Finally, the PDP Law provides the following prohibitions and sanctions in relation to violations of the law:
(a) There cannot be unlawful obtaining, collecting or disclosure of the Personal Data of others;
(b) There cannot be use of the Personal Data of others in a manner that contravenes the law; and
(c) No one may create false or fake Personal Data with the intention of benefiting themselves or other persons in a way that may cause harm to other persons.
The punishment for such contravention is severe, with hefty fines, administrative sanctions, and even criminal sanctions possible.
The impact on overseas companies who collect personal data from Indonesia
Subject to a few specific exceptions (including aspects of the financial sector), this PDP Law shall apply to: -
(a) Any person (whether an individual or corporation), public agency, and international organisation that carries out legal actions in Indonesia.
(b) Any person who carries out legal actions outside of Indonesia.
This description of the scope of the PDP Law means that any offshore or overseas entity that processes personal data as set out above will be subject to the PDP Law.
How should companies prepare now?
Since the relevant parties have about two years to ensure compliance with the PDP Law, it would be prudent for parties to consider the following measures: -
(a) Ensure that all processing of Personal Data has a lawful basis recognised under the PDP Law.
(b) Keep records on all activities relating to Personal Data processing.
(c) Comply with the requests of Data Subjects with respect to their Personal Data (unless exempted).
(d) Carry out a DPIA before performing high-risk Personal Data processing.
(e) Have in place and implement adequate technical operational guidelines for the security of Personal Data.
(f) Oversee the processing of Personal Data by other parties that are controlled by the organisation.
(g) Appoint a DPO if the conditions are met.
(h) Have in place a notification protocol to inform the Data Subject and the relevant authority in the event of the failure to protect Personal Data in accordance with the required timelines.
(i) Notify the Data Subject in the event of a corporate action (merger, spin-off, acquisition, consolidation, or dissolution); and
(j) Comply with orders from the relevant authorities.
It remains to be seen how vigorously the PDP Law will be enforced in Indonesia, but it is a positive step that shows how seriously the country takes personal data protection, and a most welcome development that brings certainty to a hitherto uncertain environment for the handling of personal data in Indonesia.