April 04, 2023

Indonesia data protection law: Are you compliant?

Nearly every country is enacting laws to safeguard data privacy, and every stage of the data’s lifespan is regulated: collection, processing, sharing, storage, transfer, and disposal. On October 17, 2020, Indonesia joined the trend and adopted a comprehensive Personal Data Protection Law.

This article is a quick review of some key provisions of Indonesia’s data protection laws and their effects on businesses operating in the country or dealing with its citizens.

Who needs to comply with personal data protection in Indonesia?

Indonesia’s data protection law applies to any Indonesian individual, private or public corporation, or government agency that deals with personal information. It also applies to businesses operating outside of Indonesia whose operations have legal ramifications within the country. In other words, both domestic and international businesses that do business with Indonesian consumers must comply with Indonesia’s data privacy law.

In summary, regardless of the country in which they operate, all companies handling the data of Indonesian residents are subject to the law.

The Indonesia Personal Data Protection Law and the other relevant sector-specific laws apply to all industries. However, the PDPL's rules apply only to processing carried out for business purposes; they do not apply to data processing on a personal or domestic scale.

Given its prominent position in the global market and thriving economy, it is worthwhile for businesses to implement the necessary operational changes to comply with data protection in Indonesia.

What Indonesian data protection laws do you need to know?

Prior to 2020, Indonesia's data protection laws were poorly defined. The nation lacked a comprehensive, unified law; instead, there were several laws for specific sectors.

Article 28(g) of the Constitution of the Republic of Indonesia provides for the protection of personal property. The word “property” has been interpreted to include a person’s data.

Some personal data protection provisions apply to electronic system providers. These are the 2008 Electronic Information and Transactions Law, the 2016 Electronic Information Law, and the 2016 Protection of Personal Data in Electronic Systems Law. The Electronic Information Law states that, unless otherwise specified, using one’s personal information requires consent. Similarly, the Personal Data Protection in Electronic Systems (Kominfo Regulation 20) reiterates the position that consent is the core foundation of data privacy laws and the prerequisite for all processing activities.

Other sectoral laws are:

  • Demography Law of 2006, amended in 2013 by the Demographic Administration Law;
  • Ministry of Health Regulations of 2022, which protect the privacy of personal medical information;
  • Bank of Indonesia Regulation of 2020, which obligates banks and other bodies under the Bank of Indonesia to keep consumer information safe;
  • Financial Services Authority Regulation of 2022, applicable to all financial service institutions, which requires them to protect the confidentiality and security of customers' data.

The Personal Data Protection Law (PDPL) serves as Indonesia's primary reference for protecting personal information. However, the above-mentioned laws remain valid as long as they do not conflict with it.

The Personal Data Protection Law of 2020

The enactment of the PDPL was very timely, bringing much-needed reforms to the scene. Its fifteen chapters and seventy-two articles contain detailed provisions on all aspects of personal data protection in Indonesia. It covers the rights of data owners, the duties of controllers and processors, and the proper methods for collecting, storing, processing, and transferring personal data.

Key concepts of the PDPL:

The PDPL defines personal data as any information that, alone or in combination with other data, can be used to directly or indirectly identify a specific person. There is also “specific personal data,” such as health, financial, genetic, and biometric information.

The rule of consent:

Consent is the prerequisite for data processing. Controllers are required by Art. 22 and Art. 23 to obtain express, written, and valid consent. For consent to be valid, the subject must be made aware of the purpose, type, relevance, and duration of the processing. They must also be informed of their rights and assured that the data will be used for a lawful purpose.

Principles of processing:

Under Art. 3, the PDPL shall be implemented based on the following principles:

  • Protection: Steps must be taken to ensure that subjects' personal information is not misused or improperly accessed;
  • Legal certainty: This calls for all processing activities to be conducted within the ambit of the law;
  • Public interest: When protecting data, state administration, national defense, and security must all be taken into account, as well as the general public's or society's interests;
  • Benefit: Personal information must be governed in a way that advances public welfare and the general welfare of the nation;
  • Prudence: Processors, controllers, and supervisory bodies must exercise due diligence concerning all potential loss-causing factors;
  • Balance: The citizen's right to data protection must be balanced with legitimate state rights based on public interest;
  • Accountability: Parties involved in data processing must behave responsibly and be answerable to both regulatory bodies and data subjects;
  • Confidentiality: Individuals' personal information needs to be shielded from unauthorized access and manipulation.

Obligations of controllers and processors:

The PDPL distinguishes between data controllers and processors, with separate and common obligations. A controller is any person or organization that has authority over the processing of personal data. A processor is any individual, public entity, or international organization that acts alone or in collaboration to process data on behalf of the controller. The controller is typically responsible for the processor's actions as long as those actions comply with the controller's instructions.

Obligations of controllers:

Controllers have a very broad range of duties under the PDPL. These can be found in Art. 20 to Art. 50. In addition to establishing a legal basis for processing, obtaining the subject's consent, and respecting the subject's rights, controllers must also:

  1. keep a record of all processing operations;
  2. conduct a data protection impact assessment, particularly when working with high-risk data;
  3. keep personal information confidential and limit access to it;
  4. supervise each party involved in the processing of personal data that is under their control;
  5. stop or postpone processing within 72 hours of receiving a request from the subject to withdraw consent or to postpone processing;
  6. in the event of a failure or breach, notify the subject, the appropriate regulatory body, and the public within 72 hours, as required by law.

However, under Art. 50, these requirements may be waived in some situations, for example for national defense and security, law enforcement, the public interest, or any other matter of state administration.

Obligations of processors:

These are contained in Arts. 51 and 52. The obligations mentioned in Art. 52 are essentially the same for both controllers and processors. Apart from those, processors are charged with the following:

  • ensuring that personal data is accurate, complete, and consistent with applicable laws and regulations;
  • implementing operational and technical measures to secure personal data;
  • protecting data from processing contrary to the provisions of the law.

Appointment of a data protection officer:

Art. 53 sets out the situations that may require controllers and processors to appoint a DPO, for instance when processing is carried out on a large scale, for a public purpose, in a highly organized manner, and/or in connection with criminal activity.

The DPO ensures that operations are conducted to facilitate compliance with protection principles and avoid breaches. They could be a company employee or a third party. The officer acts as a liaison between the controlling party and the data subject.

Penalties for non-compliance:

Failure to achieve full data sovereignty compliance carries serious legal consequences. There are both civil and criminal penalties for violating the Indonesian data localization law. These are provided in Art. 67 to Art. 69 of the PDPL.

A person who illegally obtains another person’s data with the intent of profiting from it faces up to five years in prison or a fine of IDR 5 billion ($331,741), or both. Similarly, those found guilty of willfully and illegally disclosing personal information may be sentenced to up to four years in prison, pay a fine of up to IDR 4 billion ($265,322), or both. Furthermore, anyone who willfully uses another person’s data for illegal purposes faces a maximum sentence of five years in prison or a fine of IDR 5 billion or both. Finally, a person convicted of unlawfully falsifying or altering personal data and endangering others faces a six-year prison sentence or a fine of up to IDR 6 billion ($397,977).

A corporation cannot be imprisoned; it can only be fined. However, for the sake of fairness, the maximum fines for individuals listed above may be multiplied up to ten times. 

Additional penalties may include any number of the following:

  • forfeiture of all assets and income derived from the crime;
  • suspension of business operations for a period determined by the government;
  • a long-term prohibition on a specific aspect of the business's operations;
  • complete or partial closure of the company's operations or business location;
  • the completion of pending obligations;
  • payment of compensation to affected individuals;
  • revocation of license;
  • dissolution of the corporation.

Cross-border data transfer requirements

Transfer of personal data outside Indonesia is strictly regulated. The main requirement under the Indonesian privacy law is that the receiving country must have a level of protection similar to or greater than that provided by the PDPL.

If this requirement is not met, the controller may nevertheless proceed with the transfer if they have established that the recipient party itself has acceptable personal information protection standards.

If neither of these conditions is met, the transfer can still take place, but only with the data subject’s consent.

Article 21(a) of Kominfo Regulation 20 further regulates cross-border transfers for electronic system providers (ESPs). According to the Regulation, an ESP wanting to perform a transfer must report the proposed transfer to Kominfo, the relevant regulatory body.

The report should include the receiving state’s and receiver’s names, the frequency, the purpose, and the outcome of the transfer.

These transfer rules appear to be simple, but failure to comply with them can have negative consequences for a business.

Data localization by InCountry is the fastest and surest way to achieve full compliance at all times.

How to comply with data protection laws in Indonesia — InCountry’s approach

Compliance with data protection laws is a big deal. Companies that lack the wherewithal to fully effect compliance procedures may be unable to freely do business in Indonesia or expand into new regions, as they should, for fear of heavy sanctions.

InCountry has an immediate and comprehensive solution for data compliance, regardless of the country in which your company operates. With data residency-as-a-service available globally, you can achieve immediate compliance with all data protection laws, no matter where you are.

InCountry is synonymous with security and protection. We ensure that our clients are always in step with all applicable laws.

We are able to do so because: 

  • InCountry is always up to date on each country’s residency and localization requirements. We run a certified cloud infrastructure that allows data to be localized in top-tier data centers across the globe. 
  • InCountry only employs and provides the best security and protection measures available according to global standards. We use strong cryptography (SHA-256 hashing and AES-256 encryption), network isolation, and intrusion detection. Nobody offers information security in the same way as InCountry.
  • We only work with the best and most reliable cloud service providers who adhere to security standards, ensuring your data is securely protected throughout its entire lifecycle.

Any questions left? Request a demo with our experts to learn how InCountry can help your company with regulated data.