Personal Data Protection Bill ratified on 20 September 2022

Indonesia

After years of deliberation and amendments, the Personal Data Protection Bill was approved by President Joko Widodo on 17 October 2022 and formally enacted as Law No. 27 of 2022 on Personal Data Protection (“PDP Act”). As Indonesia’s first comprehensive set of rules on personal data protection, the PDP Act is a welcome move amidst the spate of data security breaches in Indonesia, including breaches relating to government firms and institutions.

With portions of the PDP Act modelled on the requirements of the General Data Protection Regulation (“GDPR”), a measured approach appears to have been taken in relation to the requirements under the PDP Act.

We understand that there is also a 2-year implementation period from the law coming into force, to allow all personal data controllers, personal data processors, and all other parties involved in the processing of personal data some time to comply with the requirements under the PDP Act.

We set out below our understanding of some of the key features of the PDP Act that organisations should be aware of:

  • Extraterritorial reach: The PDP Act will apply to every person, public agency, and international organisation that performs a legal act regulated under the PDP Act, and that is either (a) located within Indonesia, or (b) located outside the jurisdiction of Indonesia where the act has legal consequences (i) within the Indonesian jurisdiction and/or (ii) in relation to the personal data of Indonesian citizens located outside Indonesia.
  • Legal bases for processing: The PDP Act mandates that all personal data controllers “have” a basis for processing personal data. These legal bases appear generally aligned with existing data protection practices, and include (a) obtaining specific consent for the specific purpose(s), (b) fulfilment of obligations under an agreement to which the personal data subject is a party, or fulfilment of a request of the personal data subject when entering into an agreement, (c) fulfilment of the personal data controller’s legal obligations in accordance with the provisions of laws and regulations, (d) protection of the vital interests of the personal data subject, (e) carrying out tasks in the context of the public interest, public services, or the exercise of the authority of a personal data controller pursuant to laws and regulations, and/or (f) fulfilment of other legitimate interests, taking into account the objectives, needs, and balance between the interests of the personal data controller and the rights of the personal data subject.
  • Personal data subject rights: Subject to certain exceptions, a personal data subject has the following rights under the PDP Act –
  • Data breach notification: In the event of a failure of personal data protection (i.e. a failure to protect a person’s personal data in terms of confidentiality, integrity, and availability, including security breaches, whether intentional or unintentional, leading to the destruction, loss, alteration, disclosure of, or unauthorised access to personal data sent, stored or processed), a personal data controller must submit a written notification no later than 3 x 24 hours (i.e. 72 hours) to the personal data subjects and the relevant government institution responsible for the implementation of personal data protection. The notification must contain information on the personal data disclosed, when and how such personal data was disclosed, and the efforts of the personal data controller to handle and recover the data. The personal data controller may be required to notify the public of the failure to protect personal data in certain cases. Further provisions relating to the government institution mentioned above shall be stipulated in a separate presidential regulation.
  • Appointing a data protection officer: Appointing a personal data protection officer is required where a personal data controller or personal data processor carries out personal data processing functions of the following kinds:
  • Data transfers: Personal data transfers between personal data controllers within Indonesia are allowed, and both the transferor and transferee are required to protect such transferred personal data pursuant to the requirements under the PDP Act.
  • Administrative sanctions: In the event of a violation of the relevant requirement(s) under the PDP Act, the following administrative sanctions may be imposed:
  • Specific prohibitions: The following are prohibited uses of personal data under the PDP Act:

The information provided above does not, and is not intended to, constitute legal advice and/or a translation of the PDP Act; the information, content, and materials set out above are based on our reading of the legislation and are for general informational purposes only.