Navigating the Regulatory Landscape: Ensuring Data Privacy Protection in Indonesia

In the digital era, data privacy has become a critical concern for individuals and businesses alike. In Indonesia, the government has taken significant steps to ensure the protection of personal data. This article explores the regulatory landscape of data privacy in Indonesia and provides insights into the latest developments in this area.

The New Era for Personal Data Protection in Indonesia

The Indonesian Government issued Law No. 27 Year 2022 on Personal Data Protection (PDP Law) on 17 October 2022. The PDP Law serves as the umbrella law for the application and implementation of personal data protection in Indonesia. It provides more significant, stringent, and integrated protection compared to previously scattered regulations.

The PDP Law applies to any person (including individuals and corporations), public entities, and international organizations residing in Indonesia, or in a foreign jurisdiction, if any legal impact occurred within the territory of Indonesia and/or if the subject of the personal data is an Indonesian citizen. The PDP Law is effective from the date of its enactment on 17 October 2022, but it provides a transition period of two years for the Personal Data Controller, Personal Data Processors, and other relevant parties to adjust and comply with the law.

Key Provisions of the PDP Law

The PDP Law distinguishes the previously known electronic system provider into Personal Data Controllers (Data Controllers) and Personal Data Processors (Data Processors)11. The Data Controllers determine the purpose and control the processing of personal data, while the Data Processors act on behalf of the Data Controllers to perform the processing of personal data.

In the event of a data breach, the Data Controllers must deliver written notification no later than 3 x 24 hours to the personal data subjects and to the authority. This is a much stricter rule, whereas previously the notification period of a data breach was 14 (fourteen) days.

Preparing for the New Personal Data Protection Law

The Ministry of Communications and Information Technology published the draft government regulation on the implementation of the PDP Law for public consultation. The Draft Regulation is expected to come into effect in October 2024.

The Draft Regulation introduces a mechanism for the government to expand the scope of "specific personal data". It also clarifies that personal data will cover those in the public domain. This gives the government the flexibility to extend its control over time, which in turn creates uncertainty for businesses.

Conclusion

Navigating the regulatory landscape of data privacy in Indonesia requires a deep understanding of the PDP Law and its implications. As Indonesia moves towards a more stringent and integrated approach to data privacy protection, businesses must stay informed and prepared to comply with the new regulations. The PDP Law marks a new era for personal data protection in Indonesia, ensuring that individuals’ data privacy rights are upheld in the digital age.