Increased use of technology to ease business does not come without its challenges. While technology benefits stakeholders, cases of personal data breaches and leaks at private and public sector organizations are becoming more common and are an obstacle that must be overcome. Personal data protection concerns, among others, customers, the stakeholder whose personal data must be kept confidential. The absence of a principal legal instrument on personal data protection makes it urgent for the Government of Indonesia to issue the Personal Data Protection Law, in particular so that stakeholders can tackle the challenges of personal data protection in Indonesia.
Currently, personal data protection is regulated under Government Regulation Number 71 of 2019 on the Implementation of Electronic Systems and Transactions, Minister of Communications and Informatics Regulation Number 20 of 2016 on Protection of Personal Data in Electronic Systems, and other related sectoral regulations. In order to harmonize and strengthen the regulation of personal data protection in Indonesia, an umbrella law (payung hukum) that accommodates specific provisions on personal data protection is needed.
The Personal Data Protection Bill (Rancangan Undang-Undang Perlindungan Data Pribadi, “RUU PDP”) was a government initiative prioritized for discussion in the House of Representatives of the Republic of Indonesia in 2019. By October 2019, RUU PDP had undergone the harmonization process.[1] Almost three years later, the latest update as of July 2022 is that Commission I of the House of Representatives is targeting to finalize the discussion of RUU PDP ahead of the G20 Indonesian Presidency, while it remains in the process of discussing the Issue Inventory List (Daftar Inventarisasi Masalah).[2]
The main provisions of RUU PDP worth highlighting, as set out in the latest draft of the bill from January 2020, are as follows:
Applicability of the Law
RUU PDP clearly states to whom and where the law applies. Although an Indonesian law generally applies to persons residing in the Republic of Indonesia, RUU PDP stipulates explicitly that it applies to every person, public entity, and organization/institution carrying out the legal acts regulated by the law, whether within the territory of the Republic of Indonesia or outside it, where the act has legal consequences within the territory of the Republic of Indonesia and/or concerns a personal data owner who is an Indonesian citizen residing outside the territory of the Republic of Indonesia.
Processing and Transfer of Personal Data
Processing of personal data must be based on the explicit consent of the data owner, for purposes that have been conveyed to the data owner. In order to obtain explicit consent, the controller must provide the data owner with information on: (i) the legal basis of the personal data processing; (ii) the purposes of the processing; (iii) the type and relevance of the personal data being processed; (iv) the retention period of the documents containing the personal data; (v) details of the information being collected; (vi) the period of the processing; and (vii) the rights of the personal data owner. However, RUU PDP stipulates several exceptions to this requirement; for example, where personal data is processed in the public interest, explicit consent from the data owner is not required.
With regard to the transfer of personal data outside Indonesian territory, one or more of the following criteria must be fulfilled: (i) the country in which the receiving personal data controller is domiciled, or the international organization receiving the personal data, has a level of personal data protection equal to or higher than that of RUU PDP; (ii) there is an international agreement between the countries concerned; (iii) there is a contract between the personal data controllers that provides standards and/or guarantees for personal data protection in accordance with the provisions of RUU PDP; and/or (iv) the personal data owner has given approval.
Controller and Processor
Prior to RUU PDP, there was no separation between controller and processor. The separation of roles between controller and processor, together with their respective obligations, is newly introduced in RUU PDP.
The controller is defined as the party that determines the purpose of personal data collection and exercises control over personal data processing (“Controller”). The processor is the party that processes personal data on behalf of the Controller (“Processor”). Among its many obligations, a Controller must end the processing of personal data once the retention period has expired, the purpose of the personal data collection has been fulfilled, or the personal data owner has requested that processing end. The Processor, on the other hand, may only process personal data on the instructions of the Controller.
Rights of Personal Data Owner
RUU PDP provides clear and comprehensive stipulations on the rights of personal data owners, set out in eleven articles.
The rights of a personal data owner include, but are not limited to: (i) the right to obtain information on the identity, legal basis of interest, purpose of the request for and use of the personal data, and accountability of the party requesting the personal data; (ii) the right to have their personal data erased, processing ended, and/or the data destroyed; (iii) the right to withdraw consent to the processing of personal data previously given to the Controller; and (iv) the right to claim and receive compensation for violations concerning their personal data.
Data Protection Officer
The Data Protection Officer is a role newly regulated under RUU PDP. In certain circumstances, the Controller/Processor must appoint an officer who carries out the data protection function (“Data Protection Officer”). The Data Protection Officer may be an internal division of the Controller/Processor or an external party.
Administrative and Criminal Sanctions
Two kinds of sanctions can be imposed on parties that do not comply with RUU PDP: administrative and criminal. Administrative sanctions generally address non-compliance, while criminal sanctions are imposed for serious violations involving personal data, such as its unlawful acquisition.
Although the situation is urgent and RUU PDP needs to be passed without delay, this does not mean the bill has no room for improvement. Several issues remain, including: (i) there is no clear stipulation on the retention period, nor on whether it will be left to sectoral or other related regulations, which may leave stakeholders uncertain about how to determine it; (ii) the criteria for a Data Protection Officer (whether a particular certification or particular data protection qualifications are required) are not clearly stated in RUU PDP; and (iii) RUU PDP does not prescribe any mandatory measures that Controllers/Processors must implement to ensure the security of their systems (for instance, the use of pseudonymisation and encryption of personal data).
Cintya Shifwah Saraswati
Naura Nabila