Indonesia finally passes personal data protection law
Indonesia has finally passed its personal data protection law which has been under discussion since 2016. The government believes the new bill will be key amid a series of data security breaches in the country.
Indonesia’s House of Representatives earlier this month approved the Personal Data Protection Bill (PDP), paving the way for its ratification on Tuesday. The country now joins other Southeast Asian jurisdictions that have dedicated personal data protection laws, including Singapore and Thailand.
Communications and Information Technology Minister Johnny G. Plate hailed the approval as an important and essential step in boosting connectivity and progress in the local digital sector. Plate said laws to protect personal data would help strengthen and facilitate the handling of data security breaches, according to the statutory board and the state-run news agency, Antara.
Indonesian President Joko Widodo highlighted last week the urgent need relevant departments to coordinate and investigate alleged personal data breaches. The National Cybersecurity and Encryption Agency on September 13 said he was investigating claims made by hackers, nicknamed “Bjorka”, that they had access to data from several government websites, presidential letters and confidential intelligence agency documents.
The same hackers said in August that they obtained information from SIM card users, including their national ID number and contact details.
In the same month, the personal data of 17 million customers of the public electricity supplier PT PLN (Persero) was leaked, as was the data of 26 million customers of Telkom Indonesia’s internet and digital TV service, IndiHome.
The security breaches underscored the urgent need for the data protection bill to maintain public trust, especially as personal information was needed for public services and processed digitally, Antara said. National Identity Card (NIK) numbers, for example, were often used for online application registration and to process the purchase of train tickets.
Citing statistics from Surfshark, Antara said Indonesia ranked third among the countries most affected by data breaches in the third quarter of 2022, with 12.7 million local accounts compromised.
Speaker of the House of Representatives Puan maharani said Monday: “This PDP Bill will provide legal assurance that every citizen, without exception, [has full control] on their personal data. So there won’t be any more tears from people over online loans they don’t ask for, or doxxing that makes people feel uncomfortable.”
Maharani said spin-off rules, including the creation of an oversight agency to protect the public’s personal data, could be formed immediately after the bill is ratified.
She added that it would serve as a guide for ministries, agencies and policy makers to maintain a robust national digital security environment.
The bill is also expected to consolidate all existing and additional regulations into one. Indonesia currently has 32 laws governing the protection of personal data.
Inspired by the European Union’s General Data Protection Regulation (GDPR), Indonesia’s PDP bill includes various global components that are not included in its local regulations, such as sensitive personal data and responsible of data protection. The bill will regulate all forms of data processing, including acquisition and collection, storage, updating and correction, as well as deletion, according to André Rahadianpartner and founding member of the law firm Hanafiah Ponggawa & Partners (Dentons HPRP).
Under the PDP Bill, for example, personal data controllers will be required to update and correct errors in personal data within 24 hours of receiving a request to do so. The bill also specifies the underlying documents or circumstances under which personal data can be transferred outside of Indonesia, such as prior approval from the owner of the personal data and bilateral international agreements.
This includes company penalties up to 2% of an organization’s annual turnover and up to six years in prison for those found to have broken the law.
Indonesia has an estimate 220 million internet users.
The country is also expected to account for 40% of e-commerce gross merchandise value (GMV) in Southeast Asia in 2021, at $70 billion, according to the Southeast Asia 2021 e-Conomy report, which covers six regional markets: Singapore, Malaysia, Vietnam, Indonesia, Thailand and the Philippines. The study also revealed that 80% of Indonesians had made at least one online purchase.