Indonesia: Prohibitions, Restrictions Under Indonesia's Personal Data Protection Draft Law

A draft law on personal data protection ("PDP Draft Law") has been signed by Indonesian President Joko Widodo and is being discussed by the House of Representatives. Several government officials have been quoted in the media saying they expect the PDP Draft Law to be passed and enacted in 2020.

This article looks at some of the key changes contemplated by the PDP Draft Law. Note that while it seem the draft is near passage, it is still subject to further revision.

Prohibitions and Restrictions

The PDP Draft Law, being a law (undang-undang), is able to provide criminal sanctions in the event of violations, as allowed under Article 15 of Law No. 12 of 2011 regarding the Formulation of Laws and Regulation. Thus, several articles in the PDP Draft Law are dedicated to prohibitions and restrictions.

In particular, the PDP Draft Law prohibits any person or party from obtaining or collecting another person's personal data for the benefit of themselves or another party in an unlawful manner or to the detriment of the personal data owner. That said, lawmakers in the House of Representatives have suggested that the term "for the benefit of themselves or another party" be removed because the standard is unclear.

The PDP Draft Law also provides that an "association of business actors" will prepare guidance to regulate the behavior of data controllers and data processors. The PDP Draft Law defines a data controller as a party that determines the purpose and controls the processing of personal data, and a data processor as a party that processes the personal data on behalf of the data controller.

However, the House is reportedly of the opinion that the PDP Draft Law should contain provisions to prevent business actors acting in bad faith when preparing the guidance. The PDP Draft Law, for example, is notably silent on the definition or standard of an "association of business actors" that is allowed to create such guidance.

Data Protection Officers

Another novel element of the PDP Draft Law is the requirement that data controllers and data processors appoint a data protection officer. Data protection officers would be appointed based on their professionalism, knowledge of the legal aspects and practice of personal data protection, and the ability to fulfill their obligations, which are as follows:

. Inform and advise data controllers and data processors on compliance with the PDP Law;
. Supervise and ensure compliance with the PDP Law and the policies enacted by the data controllers and data processors;
. Assess the impact of personal data protection measures and supervise the performance of data controllers and data processors; and
. Coordinate and act as a contact person for issues related to the processing of personal data, including but not limited to any mitigation of risks related thereto.

Lawmakers' concern in this matter is the lack of clarity regarding who can be appointed as a data protection officer, e.g. a government body or a private individual; the work mechanisms and accountability of data protection officers; a coordinating entity for these officers; and sanctions applicable to data protection officers if they are responsible for a personal data breach. That said, the PDP Draft Law provides that further provisions on data protection officers will be forthcoming in a government regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.