The House of Representatives of the Republic of Indonesia has legalised the Personal Data Protection Bill (“PDP Bill”) on 20 September 2022. Previously, regulation in relation to personal data protection is regulated only for the scope of electronic system under (among others) Minister of Communication and Informatics Regulation Number 20 of 2016 on Personal Data Protection in Electronic System (“MOCI Regulation”).
PDP Bill classifies 2 (two) types of personal data into: (a) general personal data; and (b) specific personal data (collectively as “Personal Data”). The general Personal Data consists of, inter alia, type of gender, religion, and status of marriage. Meanwhile, the specific Personal Data consists of, inter alia, health information and data, criminal record, and personal financial data. These types of Personal Data are not classified in the MOCI Regulation.
Although the MOCI Regulation provides the provisions regarding the rights of Personal Data owner (e.g. rights towards privacy, complaint for settlement on potential breach, and access to revise or renew the Personal Data in general), the PDP Bill sets new provisions that the rights of Personal Data subject, inter alia, including (a) entitled to revoke the approval on the activity of Personal Data processing, (b) entitled to file objection towards the automatic-based decision which causes legal impact or significant damage (will be further regulated in government regulation), and (c) entitled to file lawsuit and obtain compensation towards the breach of Personal Data processing (will be further regulated in government regulation).
Under the MOCI Regulation, the transfer of Personal Data to overseas territory of Indonesia must conduct coordination with Minister of Communication and Informatics and respective authorised official or institution. This coordination requirement is not regulated in the PDP Bill. The PDP Bill requires the transfer of Personal Data to territory outside of Indonesia, inter alia, must ensure that the destination country which will receive the transferred-Personal Data has the same or higher level of protection towards Personal Data (will be further regulated in government regulation).
As for implementing Personal Data protection, the PDP Bill stipulate that the President of the Republic of Indonesia shall assign such duty to an institution that will be further governed in President Regulation and Government Regulation. The institution will function among others as policy maker, supervisor, administrative law enforcer, and non-court dispute settlement facilitator.
The PDP Bill also provides criminal sanction for illegal collection, disclosure, use, and/or falsification of Personal Data. The sanctions are in form of imprisonment for up to 6 (six) years and/or penalty up to Rp 6,000,000,000 (six billion Rupiah) if it is committed by individual person. Penalty may also be imposed in the form of confiscation of proceeds and/or assets obtained from such criminal act, in addition to payment of compensation.
If the criminal acts are committed by corporation, the criminal sanction may be imposed to the management, controller, executives, beneficial owner, and/or the corporation itself. However, criminal sanction for corporation is only in the form of penalty in maximum 10 (ten) times the amount provided above.
__________________________
Published by: IABF Law Firm
Published on: 27 Sep 2022