On 17 October 2022, President Joko Widodo officially ratified Law No. 27 of 2022 on Personal Data Protection (PDP Law), which had long been expected, ever since the first draft was released for public comment on 28 January 2020. Before the PDP Law was ratified, personal data protection regulation in Indonesia was not codified under a particular law. Instead, it was regulated in more than 30 different laws and regulations, in particular those regarding electronic systems. While they provided fairly comprehensive regulations on personal data protection, it was difficult for people to hold companies accountable for misusing their personal data due to the lack of a specific comprehensive law regulating it.
The PDP Law sets forth the rights and responsibilities of individuals as the 'data subjects' and any individuals, public entities or international organizations as the personal data 'controllers' and 'processors', as defined in Article 1 of the PDP Law. Many of the core aspects of the PDP Law, such as definitions of covered data and covered entities, lawful grounds, processing obligations, accountability measures and controller-processor relationships, are similar to other personal data protection laws around the world, most notably the EU's General Data Protection Regulation (GDPR). However, there are a few provisions that are distinct to the law in Indonesia. For instance, Article 2 paragraph (1) of the PDP Law includes a broad extraterritorial scope provision that will apply to any person, public body or international organization carrying out activities within the scope of the PDP Law, not only within the jurisdiction of Indonesia but also outside it, where those activities have a legal impact within the jurisdiction of Indonesia or on data subjects who are Indonesian citizens located outside the jurisdiction of Indonesia.
Although the government will need to further regulate key provisions in subsequent regulations, the PDP Law establishes a comprehensive foundation to govern data processing activities in Indonesia. As to the compliance period, Article 74 of the PDP Law requires data controllers, processors and other parties related to personal data processing to comply with the provisions of the PDP Law no later than two years (except for the criminal provisions that will come into force immediately) once the PDP Law comes into effect, which will occur when it receives presidential assent or when the time window to receive assent expires. Other relevant laws and regulations previously issued in relation to personal data protection shall be deemed applicable as long as they do not contravene the PDP Law, as set out in Article 75 of the PDP Law.
The PDP Law defines “personal data” as the data of any person who is identified or can be identified individually or in combination with other information, directly or indirectly through an electronic or non-electronic system. Furthermore, Article 4 of the PDP Law identifies a number of categories of general personal data which, by definition, would not be categorized as specific personal data. These include a person's full name, gender, citizenship, religion, and marital status, as well as data that is combined with other data to identify an individual. Specific personal data, by contrast, includes personal data such as biometrics, health information, genetics, criminal record, children's data, personal finance and any other data in accordance with the regulation. The explanatory note of the PDP Law on Specific Personal Data explains that the above data may potentially cause loss and damage to the data subject.
Article 20 of the PDP Law sets out six legal bases for legally processing personal data (whether specific or of a general nature), namely:
- obtaining an explicit agreement or consent from the data subject;
- fulfilling the agreement obligation and requests of the data subject;
- protecting the vital interest of the data subject;
- fulfilling the data controllers' obligations based on the prevailing laws and regulations;
- implementing tasks for the public interest, public services or implementation of controllers;
- fulfilling the legitimate interests in terms of the purpose and needs of data processing and balancing the interests of the controller with the rights of the data subject.
It is expected that the PDP Law will have a significant impact on the regulatory mechanism of the transfer and protection of personal data, considering that Indonesia has the fourth largest population in the world. The PDP Law has established the appropriate characterizations of data subjects, which, as a result, will further identify the rights and obligations of the data subjects in relation to the protection and transfer of personal data. The PDP Law has established much greater clarity than the previous laws and regulations with regard to personal data protection in Indonesia.
Schinder Law Firm is one of many corporate law firms in Indonesia with many experienced and professional civil lawyers and investment lawyers in its arsenal, making it one of the top consulting firms in Indonesia. It is prepared to help your company understand the impacts of the Personal Data Protection Law (PDPL) and take the required measures to comply with the law. The Privacy, Data Protection, and Cybersecurity practice group at Schinder Law Firm is a pioneer in providing data privacy law services in Indonesia. Feel free to contact us at info@schinderlawfirm.com for further consultation.
Author: Dewi Susanti