logo

Indonesia’s draft law on data protection to bring clarity to regulation of data handling and e-commerce

In order to keep pace with the rapid advancement of technology and growing number of users of technology-based services in Indonesia, particularly in e-commerce industries, a stronger legislative framework is needed to protect personal data and ensure the public’s right to personal data protection. To date, the Indonesian government has yet to issue a law that specifically regulates the protection of personal data. That said, the government has recently passed the draft Law on Personal Data Protection (PDP Bill), in response to this growing need. However, the PDP Bill is currently being discussed at length in the House of Representatives, and there is no indication of when it will be enacted.

Currently, personal data protection regulations in Indonesia can be found incorporated in several laws and regulations, including Law No. 7 of 1992 as amended by Law No. 11 of 2020 concerning Job Creation (Banking Law) and Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 (ITE Law). The use of personal data in electronic systems is governed by the ITE Law and its implementing regulations. These regulations—namely (i) Government Regulation No. 71 of 2019 on the Organization of Electronic Systems and Transactions and (ii) Ministry of Communication and Informatics Regulation No. 20 of 2016 on Protection of Personal Data in Electronic Systems—take a more detailed approach in stating the requirements for the protection of personal data by electronic system providers. To learn more about data protection under Regulation No. 20 of 2016 of the Ministry of Communication and Informatics, please see our article available here.

Ratification of the PDP Bill is expected to ensure that, in conjunction with the current regulations, adequate protection of personal data is provided for. Based on the European Union’s General Data Protection Regulation (GDPR), the PDP Bill includes international concepts not covered by current regulations, such as data controller, data processor, sensitive personal data, data protection officer, and so forth.

At present, principle of data processing and transmission is inherently linked with this rising digital era, especially the e-commerce ecosystem. The PDP Bill regulates all forms of data processing including:

  • Acquisition and collection
  • Processing and analyzing
  • Storing
  • Updating and correcting
  • Displaying, announcing, transferring, disseminating
  • Disclosing
  • Deleting or destroying

Although current personal data regulations already include the concept of updating and correcting personal data, the PDP Bill embodies it as a part of personal data processing. Under the PDP Bill, the personal data controller is required to update and correct errors and inaccuracies in personal data no later than 24 hours after receiving the request to update and/or correct personal data. The personal data controller is obliged to inform the personal data owner of the outcome of such request.

Data transmission is another critical feature regulated by the PDP Bill. Previously, the regulations only covered the transmission of personal data from the Republic of Indonesia to outside the Republic of Indonesia in a rigid manner. On the other hand, the PDP Bill specifies the underlying documents under which personal data may be transmitted outside the Republic of Indonesia, namely under the following circumstances:

  • The country where the personal data controller is domiciled or the international organization that receives the transfer of personal data has a personal data protection level that is equal to or higher than that stipulated in the PDP Bill.
  • There are international agreements between the countries.
  • There is a contract between personal data controllers that prescribes standards and guarantees for the protection of personal data equivalent to the protection offered by the PDP Bill.
  • Approval of the personal data owner has been obtained.

In addition, the PDP Bill now facilitates the transmission of personal data to the Republic of Indonesia and also goes so far as to specify the conditions for personal data transmission when a company is going through a merger, acquisition, spinoff, or dissolution. This is relatively new concept, as it is not covered by present regulations.

Through the PDP Bill, the government manifests its commitment to the strengthening of personal data protection in Indonesia in the public interest. The public prosecutor’s office as a state attorney will be authorized to act on behalf of the state against violations of the protection of personal data both domestically and abroad. In addition, society may also play a role, either directly or indirectly, in supporting the implementation of personal data protection by way of education, training, advocacy and dissemination. Ultimately, the PDP Bill and the new concepts that will hopefully be introduced through its enactment will offer clarity on personal data protection in Indonesia, as one of the world’s most avid users of digital technology, particularly in the e-commerce sector. Once enacted, we anticipate that implementing regulations will soon follow, creating comprehensive laws designed to protect individuals’ personal data rights as well as reforms in the treatment of personal data for e-commerce stakeholders and customers.

Source: https://www.jdsupra.com/legalnews/indonesia-s-draft-law-on-data-5705018/