Indonesia joins its Southeast Asian neighbors, Singapore, Malaysia, Thailand, and the Philippines, with its adoption of a comprehensive data protection law. The new measure, the Personal Data Protection Law (“PDPL”), which appears to have taken inspiration from the European General Data Protection Regulation (“GDPR”) was long anticipated after the various sectors of the country, from government to the financial services industry, have been hit by a barrage of security incidents.
Key Dates: The new law entered into force on October 17, 2022 but there is a two year transition period.
Scope: The PDPL applies to all personal data processing activities of individuals within Indonesia and outside of Indonesia where the processing has legal consequences in Indonesia or impacts Indonesian citizens located outside of Indonesia.
Key Requirements: As noted, we can see a number of commonalities between the PDPL and the GDPR. Among the key requirements of the PDPL are the following:
- The PDPL establishes a number of data processing principles, including the duty to notify data subjects of personal data processing activities.
- Under the new law, controllers must have a legal basis for processing personal data.
- The PDPL establishes special rules for the processing of special categories of information which includes: health data/information, biometric data, genetic data, criminal records, child data, personal financial data, and other data.
- The PDPL also grants extensive data subject rights including: (a) the right to information about data processing activities; (b) the right to correct personal data; (c) the right of access to personal data; (d) the right to request deletion of personal data; (e) the right to withdraw consent; (f) the right to refuse automated decision-making; (g) the right to restrict data processing; (h) the right to bring civil action for violation of the PDPL, and (i) the right to data portability.
- The PDPL mandates a Data Protection Impact Assessment where data processing involves a high potential risk to the data subject and for certain data processing activities, data controllers and processors must appoint a DPO.
- The new law also regulates cross border data transfers. In the absence of adequate protections in the destination country, data controllers must obtain consent from the data subject for the data transfer.
- The PDPL also addresses data breaches and imposes an obligation to make requisite notifications with 72 hours.
Penalties: The PDPL carries heavy civil and criminal penalties. Entities may be fined up to 2% of their annual revenue. In addition, serious offenses include the potential for criminal charges which include lengthy imprisonment.
Although there is a two year transition period, given the numerous and burdensome requirements and the law’s broad geographic reach, entities that are likely to be subject to the law should promptly undertake to assess their obligations under the law and begin to prepare to comply.