- After many delays, Indonesia is now set to pass its first data privacy law, known as the Personal Data Protection Act (PDP Law).
- The Southeast Asian nation has been witnessing a rise in data breaches of late, which is why it wants to replicate the data subject rights and personal data processing regulations set by the European Union in its GDPR.
- The possible content of the law is listed below.
Indonesia is home to almost 280 million people, making it the largest and most populous country in Southeast Asia. Yet, the country has no comprehensive data privacy law or regulation that protects Indonesians from misuse of data. Unfortunately though, breaches of personal data in the country are becoming more common, occurring on a widespread and frequent basis not only in the public sector but also in the private sector.
There is an urgency, and in fact, a draft of a law known as the Personal Data Protection Act has been officially submitted to the country’s House of Representatives for further debate. According to a report by Bloomberg, Indonesia’s new data privacy bill is supposedly set to be passed by parliament this week. The House Commission I overseeing defense, foreign affairs, informatics and intelligence has been fast-tracking the bill after lawmakers and the government agreed on a sticking point that had been stalling progress since 2014.
After a lengthy back and forth, both sides have come to a compromise regarding the establishment of a data protection oversight agency, which would be set up to answer to the president while offering legislators leeway in determining its scope of authority. Previously, both sides were at odds regarding the agency’s independence; the government wanted the entity to be placed under the Communications and Information Ministry, whereas lawmakers wanted it to be independent to prevent any conflicting interests.
For context, since it was first drafted and proposed by the government in 2014, the bill has been slow to start and was even delayed several times. More recently, on August 7, the House of Representatives of the Republic of Indonesia announced that House Commission I had approved the draft of the Personal Data Protection Act, together with the Government. In particular, according to statements made by the Ministry of Communication and Information on the same day, a number of amendments had been made to the PDP Bill in the process.
In that regard, both the House of Representatives and the Ministry confirmed that the bill will now advance to the next stage of discussions, or a plenary meeting, to be ratified into law.
Why is a Data Privacy Law more urgent now than ever?
In general, privacy and protection of personal data on the Internet have become issues of public concern in Indonesia. There is in fact a growing public distrust of institutions that manage personal data. Amid the absence of a comprehensive legal framework to protect private data, the country has continued to suffer a string of cyberattacks, which has been exacerbated by the pandemic that has increased people’s reliance on digital technologies.
Among the worst of such incidents were the National Health Insurance (JKN) breach, the electronic Health Alert Card leak and the defacing of the National Cyber and Encryption Agency’s (BSSN) website – all of which occurred last year. Just a few days ago, the country’s National Cyber and Encryption Agency said it’s investigating an alleged data leak of 105 million Indonesians. Earlier this month, authorities were investigating a data leak relating to mobile phone SIM cards that involved more than two million lines of data being released.
The data privacy law is even more timely considering Indonesia’s digital economy is set to grow to US$146 billion by 2025, according to the latest report by Alphabet Inc.’s Google, Singapore’s Temasek Holdings Pte. and global business consultants Bain & Co. In response, the EU GDPR has been selected as the benchmark for assessment, as it is regarded as the toughest privacy law worldwide. In essence, Indonesia will soon follow the same data subject rights and personal data processing regulations set by the EU.
What does the Data Privacy Law entail?
Firstly, the Personal Data Protection bill states that consent must be obtained from each individual for records such as name, gender, and medical history, with a clear agreement in place on how the data will be used, along with accountability measures. Each person has the right to withdraw their consent and receive compensation for any breaches. Anyone who fabricates personal data may face up to six years in jail and as much as 6 billion rupiah in fines.
According to a copy of the draft law obtained by Bloomberg, institutions may collect personal information for a specific purpose but must erase the record once that purpose has been met. Leaking or misusing private information may cost data operators up to five years in jail and a maximum fine of 5 billion rupiah ($337,000).