Indonesia’s New Data Protection Rules Move Toward Passage

By Michael S. Carl and Revaldi N. Wirabuana

After a number of data breaches underlined the urgency of comprehensive data protection rules, Indonesia expects to pass a data protection law in 2020, despite the ongoing COVID-19 pandemic and associated lockdowns.

On January 24, 2020, Indonesian President Joko Widodo signed a draft law on personal data protection (the “PDP Draft Law”). The PDP Draft Law, considered to be a “final draft”, is now being discussed by the House of Representatives, and several government officials have told the press they expect the draft law to be enacted this year.

Background

Indonesia, a developing country, is in the process of digitalizing its economy. The number of internet users and mobile connections in the country has increased significantly over the last several years, coinciding with the rapid development of e-commerce and digital portal applications in Indonesia. A large amount of investment, foreign and domestic, has poured into existing tech startups as well as new startups with new business models to monetize this rapidly developing sector.

A consequence of the rapid development of the digital economy has been an unprecedented flow of personal data, accompanied by ever greater risks to the security of that personal data.

The Indonesian House has highlighted the following incidents concerning data security:

  • In September 2019, approximately 156,000 Indonesian citizens were victims of a breach of passenger data at Malindo Air, a member of the Lion Air group.
  • In early 2018, there was a personal data breach during the registration of mobile subscriber identification module (“SIM”) cards. The registration process required all SIM cards to be registered using the user’s Citizenship Registration Number (Nomor Induk Kependudukan) or Family Certificate (Kartu Keluarga). More than 300 million numbers had already been registered when the data breach was discovered.
  • In March 2020, there was a breach involving the medical records of the first Indonesians confirmed to have contracted COVID-19.

Development of PDP Regulations in Indonesia

The government of Indonesia has attempted to keep regulatory pace with the development of electronic information and transactions. Its first step was the enactment of Law No. 11 of 2008, as amended by Law No. 19 of 2016 regarding Electronic Information and Transactions (the “EIT Law”). The government then enacted several implementing regulations for the EIT Law, including Government Regulation No. 71 of 2019 regarding the Provision of Electronic Systems and Transactions (“GR 71/2019”).

However, Indonesia has yet to issue a “primary regulation” for the protection of personal data. The EIT Law and GR 71/2019 contain provisions discussing PDP, but these provisions are relatively brief and vague in nature. The closest Indonesia has come is Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems (“MOCI Reg 20/2016”). While MOCI Reg 20/2016 provides a more detailed breakdown of the rights and obligations involving PDP, it lacks the regulatory power that a law has, such as imposing criminal sanctions.

We understand that the House has been discussing a law on data protection since 2012, a typically lengthy process for such a sensitive and important matter. And since the submission of the PDP Draft Law, we understand that there have been a series of meetings with and among the House and the MOCI regarding the substance of the draft.

Looking Forward

The preparation of the PDP Draft Law has also involved the active participation of the MOCI. Based on materials presented by the MOCI’s Director General of Informatic Application on April 28, 2020, it appears that as part of the next steps for the implementation of the PDP Draft Law, the MOCI is looking into the following matters:

  • Establishing an institution to supervise the implementation of the PDP Draft Law.
  • Preparing guidelines and implementing regulations for the PDP Draft Law. This may include an implementing regulation on data protection officers.
  • Developing a data protection office ecosystem including training and the preparation of training modules for data protection officers. Based on this, it appears the MOCI intends for data protection officers to be standardized by an institution under the MOCI.
  • Educating the public to increase awareness of the importance of personal data protection by collaborating with, among others, business actors, associations, the community, civil society, and academics.

This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.