After about seven years in the making, on September 20, 2022, the Parliament finally approved the Personal Data Protection Bill (the "PDP Bill") during the 5th Plenary Session of 2022-2023 of the Parliament.
In an age where personal data processing activities seem inevitable, the PDP Bill is expected to be the cornerstone of Indonesia's personal data protection regulatory framework. The PDP Bill will serve as an "umbrella" regulation for all personal data processing activities horizontally across all sectors, while still allowing each sector the flexibility to tailor specific regulations to its own characteristics.
At present, the approved version of the PDP Bill has not been circulated publicly. Nevertheless, based on the latest publicly available version of the PDP Bill as of September 20, 2022, we note that the PDP Bill adopts concepts similar to those found in more mature data protection regimes (e.g., the European Union's General Data Protection Regulation/GDPR).
Below we highlight several key concepts in the PDP Bill based on the latest publicly available version.
Establishment of an Independent Supervisory Institution
Since independent supervision is an essential component of the enforcement of data protection law, the PDP Bill mandates the establishment of a specific supervisory institution (the "Institution") which reports directly to the President. The Institution has a myriad of authorities and powers, notably to:
- Formulate and determine personal data protection policies;
- Supervise personal data protection compliance;
- Impose administrative sanctions for personal data protection violations;
- Assess cross-border data transfer activities.
Separation of "Controller" and "Processor"
Adopting a concept similar to that of the EU's GDPR, the PDP Bill recognizes and separates a "Controller" from a "Processor" within the data processing ecosystem. Both parties are the key players in the data processing environment as the users of personal data. A Controller is defined as any person that, alone or jointly with others, determines the purposes of and has control over the processing of personal data. Meanwhile, a Processor is defined as any person who processes personal data on behalf of a Controller.
Newly Formulated Lawful Grounds for Personal Data Processing Activities
One of the most significant changes brought by the PDP Bill is the acknowledgement of other lawful grounds for processing—in addition to the traditional approach that relies solely on "consent"—such as:
- For the performance of a contract;
- Legal duties of a Controller;
- Vital interests of a data subject;
- Public interest and exercise of official authority; and
- Other legitimate interests.
Introduction of "Data Protection Impact Assessment" Obligation
A Data Protection Impact Assessment (DPIA) must be carried out by a Controller where the intended personal data processing activities are likely to result in a high risk to the data subjects. The DPIA is carried out to evaluate the potential risks that may arise from a processing activity and to identify mitigating steps.
To this end, the PDP Bill stipulates a list of processing activities that may be considered high risk—and for which a DPIA is therefore necessary—namely:
- Individual automated decision making that may produce legal effects or have similarly significant effects to the data subjects;
- Processing of sensitive personal data;
- Processing of personal data on a large scale;
- Processing of personal data for the purposes of evaluation, scoring, or systematic supervision towards the data subjects;
- Processing of personal data for the purposes of grouping or combining sets of data;
- The use of new technologies in the processing of personal data; and/or
- Processing of personal data that restricts the exercise of data subjects' rights.
Appointment of Data Protection Officers
The PDP Bill requires a Controller and a Processor to appoint a Data Protection Officer (DPO), if all of the following conditions apply:
- The processing of personal data is carried out for public interest purposes;
- The nature, scope, and/or purposes of the Controller's core activities require the regular and systematic monitoring of personal data on a large scale; and
- The Controller's core activities consist of processing activities on a large scale towards sensitive personal data and/or personal data related to criminal activities.
A DPO may be an internal person (i.e., a staff member) or an external person (e.g., a consultant or lawyer), as long as the DPO is appointed on the basis of professional qualities, expert knowledge of and practice in personal data protection, and the ability to fulfill his or her tasks. The DPO's tasks are to:
- Inform and advise the Controller or the Processor on compliance with the PDP Bill;
- Monitor and ensure compliance with the PDP Bill and the relevant policies of the Controller or the Processor, including the assignment of responsibilities, awareness-raising, and training of all parties involved in the processing activity, as well as related audits;
- Provide advice relating to the data protection impact assessment and monitor the performance of the Controller and the Processor in carrying it out; and
- Coordinate and act as the contact point for issues related to personal data processing activities.
Administrative and Criminal Sanctions
Under the PDP Bill, a personal data protection violation may be subject to both administrative and criminal sanctions.
The criminal sanctions take the form of monetary fines (up to Rp6 billion) and imprisonment (up to 6 years). Meanwhile, in addition to written warnings and temporary suspension of personal data processing activities, the PDP Bill provides for administrative fines of up to 2% of the Controller's or the Processor's annual income, calculated against the relevant violation variable, which will be further regulated in an implementing regulation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.