The long wait is over. The House of Representatives has finally ratified the draft law on personal data protection. The draft law was passed into Law No. 27 of 2022 on Personal Data Protection (the “Privacy Law”) and has come into effect since 17 October 2022. This Privacy Law, whose provisions were prepared taking into account some considerations and principles in the European General Data Protection Regulation (“GDPR”), is Indonesia’s first “umbrella regulation” on personal data protection. Not only will the Privacy Law provide protection to Indonesian citizens, but it also will provide more legal certainty to any parties dealing with personal data.
For those who had been following the long and dynamic deliberations on the draft of the law on personal data protection until the Privacy Law was enacted, the Privacy Law has refined some provisions regulated in the draft law submitted by the government to the House of Representatives in January 2020 (the “2020 Draft Law”) through amongst others the addition of new definitions of personal data protection and international organization, the refinement of the definitions of data controller and data processor, the addition of provisions on the processing of the personal data of children and the disabled, etc.
Without going into too much detail, here are some of the key points of the Privacy Law that could be of interest.
1. Extra-Territorial Nature of the Privacy Law
The Privacy Law applies to any parties, public entities and international organizations performing legal acts within the domain of the Privacy Law in and outside of Indonesia. For the latter, the legal acts must have legal impact in Indonesia and/or on an Indonesian citizen abroad.
Even though its enforcement may face some challenges, the extra-territorial nature of the Privacy Law would provide comprehensive protection to Indonesian citizens.
2. Data Controller and Data Processor
The terms “data controller”1 and “data processor”2 in the Privacy Law have been refined if compared to those in the 2020 Draft Law. However, the substance remains similar to that provided under the GDPR.
It is apparent from the Privacy Law that a data processor may or may not be appointed in the processing of personal data, and unless the data processor acts beyond the instructions from and the purpose determined by the data controller, the data controller should be responsible for the processing of personal data undertaken by the data processor.
3. Classifications of Personal Data
Personal data is classified into specific data3 and general data4. These classifications were first introduced in the 2020 Draft Law and mirror the approach taken in the GDPR. Unlike the coverage of specific data under the 2020 Draft Law, specific data under the Privacy Law no longer covers sexual orientation and political view.
The provisions of the Privacy Law generally apply to both classifications of personal data. However, there are a couple of requirements under the Privacy Law that have a specific reference to specific data. These requirements are as follows:
a. the requirement for data controllers to perform a data protection risk assessment; and
b. the requirement for data controllers and data processors to appoint a data protection officer.
Note that there are also other criteria that should be observed before any of the above requirements kicks in.
4. Legal Basis for Processing Personal Data
As was first introduced in the 2020 Draft Law, taking the grounds for the processing of personal data under the GDPR, the Privacy Law also provides the following legal basis for processing personal data other than the consent of the data subject:
a. for compliance with an agreement to which the data subject is a party or the data subject’s request to comply with an agreement;
b. the data controller’s compliance with its obligations under the laws and regulations;
c. the protection of the data subject’s vital interests;
d. the data controller performing its duties related to public interests, public services or the exercise of the data controller’s authority in accordance with the laws and regulations; and/or
e. the compliance with other lawful interests while considering the purposes, needs and interests of both the data controller and the data subject’s rights.
Specifically for the processing of personal data with the consent of the data subject, the Privacy Law provides that consent must be given explicitly (in writing and verbally using a voice recording), electronically or nonelectronically.
5. The Rights of Data Subjects
The Privacy Law provides that a data subject has certain rights, which reflect the principles of and some of the rights protected by the GDPR. These rights are amongst others the right to be informed; the right to complete, update and/or correct personal data; the right to access and obtain a copy of personal data; the right to end the processing of, erase and/or destroy personal data; the right to object; the right to not have one’s data processed automatically; the right to delay or limit personal data processing; the right to file a complaint and to receive compensation; and the right to data portability.
The exercise of the above rights is exempt if the data is required for the purpose of national defense and security, law enforcement, state administration, the supervision of the financial or monetary sector, payment systems or financial systems stability or statistic and scientific research.
Read full article here.
* * * * *
This article is prepared by Kurniawan Tanzil and Septiani Pratiwi of SHIFT as an overview on the topic discussed and therefore, should not be relied upon as legal advice in any case. We accept no liability whatsoever for any loss or damage, whether due to inaccuracy, error, omission or any other cause. We will be pleased to respond to any questions you may have on this article or advise further on certain aspects of this article or other related matters.
1 Data controller is any party, public entity and international organization acting individually or jointly in determining the purpose of and controlling the processing of personal data.
2 Data processor is any party, public entity and international organization acting individually or jointly in processing personal data on behalf of the data controller.
3 Specific data covers health data and information, biometric data, genetic data, criminal records, children’s data, private financial data and/or other data provided under the laws and regulations.
4 General data covers full name, gender, nationality, religion, marital status and/or combined personal data which identifies a person.