Indonesia finally passes personal data protection law

After years of deliberation, the largest Southeast Asian market ratifies personal data protection bill, which will apply to local businesses as well as international corporations that handle data of Indonesian consumers.
Written by Eileen Yu, Senior Contributing Editor

Indonesia finally has passed its personal data protection law that has been in discussions since 2016. The government believes the new Bill will be critical amidst a spate of data security breaches in the country. 

Indonesia's House of Representatives earlier this month approved the Personal Data Protection (PDP) Bill, paving the way for its ratification on Tuesday. The country now joins other jurisdictions in Southeast Asia that have dedicated personal data protection laws, including Singapore and Thailand. 

Communications and Informatics Minister Johnny G. Plate had hailed the approval as a milestone and key to driving connectivity and advancements for the local digital sector. Plate said laws to safeguard personal data would help boost and facilitate the management of data security breaches, according to statutory board and state-owned news agency, Antara.

Indonesian President Joko Widodo last week underscored the urgent need for relevant ministries to coordinate and investigate alleged breaches of personal data. The National Cyber and Encryption Agency on September 13 said it was investigating claims made by hackers, dubbed "Bjorka", that they had access to the data of several government websites, presidential letters, and confidential documents from the intelligence agency. 

The same hackers in August said they obtained information from SIM card users, including their national identification number and contact details.

That same month, personal details of 17 million customers of state-run electricity provider PT PLN (Persero) were leaked as were the data of 26 million customers of Telkom Indonesia's internet and digital TV service IndiHome.

The security breaches highlighted the urgent need for the data protection bill to maintain public trust, especially as personal information was required for public services and processed digitally, said Antara. Identity card numbers (NIKs), for example, often were used for registration of online apps and to process the purchase of train tickets.

Citing stats from Surfshark, Antara said Indonesia ranked third as the country most affected by data breaches in the third quarter of 2022, with 12.7 million local accounts compromised.

House of Representatives Speaker Puan Maharani said Monday: "This PDP Bill will provide legal assurance that every citizen, without exception, [has full control] over their personal data. Thus, there will be no more tears from the people due to online loans that they don't ask for, or doxxing that makes people uncomfortable." 

Maharani said derivative rules, including the establishment of a supervisory agency tasked to protect the public's personal data, could be formed immediately after the Bill was ratified. 

She added that it would serve as a guide for ministries, agencies, and policy makers to main a robust national digital security environment.

The Bill also is expected to bring together all existing and additional regulations into one. Indonesia currently has 32 laws governing the protection of personal data. 

Modelled on European Union's General Data Protection Regulation (GDPR), Indonesia's PDP Bill comprises various global components that are not included in its local regulations, such as sensitive personal data and data protection officer. The Bill will regulate all forms of data processing, including acquisition and collection, storing, updating and correcting, as well as deleting, according to Andre Rahadian, a partner and founding member of law firm Hanafiah Ponggawa & Partners (Dentons HPRP). 

Under the PDP Bill, for instance, personal data controllers will be required to update and correct errors in personal data within 24 hours after receiving the request to do so. The Bill also specifies underlying documents or circumstances under which personal data may be transmitted outside Indonesia, such as pre-obtained approval of the personal data owner and bilateral international agreements. 

It includes corporate penalties of up to 2% of an organisation's annual revenue and up to six years jail terms for those deemed to have breached the law. 

Indonesia has an estimated 220 million internet users.

The country also was projected to account for 40% of Southeast Asia's 2021 e-commerce gross merchandise value (GMV), at $70 billion, according to the 2021 e-Conomy Southeast Asia report, which covers six regional markets: Singapore, Malaysia, Vietnam, Indonesia, Thailand, and the Philippines. The study also revealed that 80% in Indonesia had made at least one purchase online.


Editorial standards