
Indonesia’s Personal Data Protection Law: Prepare for the coming Implementation Regulation (1)

Friday, October 13, 2023

We have published a newsletter on preparing for the coming Implementation Regulation under Indonesia’s Personal Data Protection Law. To view the PDF version, please click the following link.

Indonesia’s Personal Data Protection Law: Prepare for the coming Implementation Regulation (1)


October 2023
One Asia Lawyers Indonesia Office
Koji Umai, Lawyer (Japan)
Yusuke Tomofuji, Lawyer (State of New York, USA)
Prisilia Sitompul, Lawyer (Indonesia)

1. Introduction

On October 17, 2022, the Personal Data Protection Law No. 27 of 2022 (“PDP Law”), the first comprehensive law on personal data protection, was announced and came into effect.[1] With the advent of the PDP Law, Indonesia now has its first legislation governing the protection of personal data across all sectors, whereas previously only the area of electronic systems was regulated, by the so-called EIT Law (Electronic Information and Transaction Law No. 11 of 2008, including its amendment, Law No. 19 of 2016) and its related regulations. However, the PDP Law stipulated a two-year transition period from its enactment and left many of its provisions to be determined in detail by implementing regulations to be issued later. The issuance of the implementing regulation has therefore been awaited.

Under these circumstances, on August 30, 2023, approximately one year after the enactment of the PDP Law, a draft implementing regulation of the PDP Law (the “Draft Regulation”) was finally published[2].

This Draft Regulation, consisting of 245 articles and 10 chapters, extensively covers various facets of data protection, including Data Processing (Art. 9-36), Rights and Obligations (Art. 37-180), Cross-border Transfer (Art. 181-196), Authority of the PDP Agency (Lembaga PDP) (Art. 199-212), Administrative Sanctions (Art. 213-226), and Dispute Resolution and Procedural Law (Art. 227-244). Although this Draft Regulation may prompt broad discussion and its content may change before it is finalized, it is essential for business players, especially non-Indonesian corporations operating in Indonesia, to pay attention to these detailed regulations to ensure compliance with the PDP Law and its implementing regulation.

For this purpose, we, One Asia Lawyers, would like to discuss the details of the PDPA and the Draft Regulation on a monthly basis. We hope our discussion will be helpful to most readers.

This month, we picked the following topics.

2. Personal Data Protection Official

(1) PDP Law

Like the personal data protection laws of other jurisdictions, and to ensure that the obligations imposed on business players are implemented, the PDP Law of Indonesia stipulates that a Personal Data Controller and a Personal Data Processor shall appoint an official who is in charge of the protection of personal data.

Art. 53.1 of PDP Law stipulates that such official shall be appointed in the following situations:

  1. when the Personal Data is for the benefit of public services;
  2. when the Personal Data Controller’s core activities require regular and systematic monitoring of Personal Data on a large scale, and such requirement arises out of the nature, scope and/or purpose of such core business; and
  3. when the Personal Data Controller’s core activities consist of processing of specific Personal Data and/or Personal Data related to crimes on a large scale.


Art. 54.1 of the PDP Law stipulates the obligations of such officials as informing, advising, monitoring and coordination.

However, details, including what kinds of obligations are imposed on those who appoint such officials, especially the Personal Data Controller, are not stipulated in the PDP Law; hence, the issuance of the implementing regulation was long awaited.

(2) Draft Regulation

The Draft Regulation defines such officials as “Personal Data Protection Official” (Art. 1.24).

Articles 165 to 169 of the Draft Regulation contain the provisions on Personal Data Protection Officials. Regarding the required skill set, Art. 165.2 of the Draft Regulation, which is almost the same as Art. 53.2 of the PDP Law, stipulates the required elements: a Personal Data Protection Official shall be appointed based on professionalism, knowledge of the law, Personal Data Protection practices, and ability to fulfill their duties. As for the degree required for each element, Art. 165.3 indicates that we still need to wait for a further announcement, as below:

  • Art. 165.3 Provisions regarding the professionalism and competence of Personal Data Protection Officials who carry out Personal Data Protection functions are further regulated in a Regulation of the PDP Agency.

Regarding the duties related to the Personal Data Protection Official, Art. 167-169 stipulate the obligations of both the Personal Data Protection Official and those who appoint such officials (the Personal Data Controller and the Personal Data Processor). These articles add that the Personal Data Controller and the Personal Data Processor shall prepare an environment in which the Personal Data Protection Official can carry out his or her duties properly (Art. 168), and that the Personal Data Protection Official is obliged to work with the unit in charge of the protection of Personal Data, so that technical and operational measures to protect personal data can be implemented (Art. 169).

3. Similarities with GDPR[3]

The PDP Law is strongly influenced by the GDPR, and similarities can be found in many provisions.

The three criteria for appointing a Personal Data Protection Official under Article 53 of the PDP Law mentioned above are similar to those in Article 37(1) of the GDPR for mandating a Data Protection Officer (“DPO”).

In addition, when a Personal Data Protection Impact Assessment[4] is conducted, the PDP Law gives the Personal Data Protection Official the role of providing advice and monitoring its implementation (Article 167(1)(c) of the Draft Regulation), and the GDPR provides for similar content in Article 39(1)(c)[5].

Furthermore, the obligation of the Data Protection Official to act as a point of contact (narahubung) for issues related to the processing of personal data (Article 167(1)(d) of the Draft Regulation) is also provided for in the GDPR (Article 37(7) GDPR)[6].

With regard to the aforementioned competence requirements for the Personal Data Protection Official, Article 37(2) of the GDPR stipulates that the DPO must be appointed on the basis of professional qualifications, in particular expertise in data protection law and practice, and the ability to carry out his/her duties as DPO. Article 53(3) of the PDP Law and Article 165(2) of the Draft Regulation, as discussed in Section 3.(2) of this letter, are considered to have been stipulated in light of the above GDPR provisions.

As mentioned above, there are still many unclear points regarding the personal data protection controller in light of the Draft Regulation, and it would be beneficial to review these points in light of the treatment under the GDPR as well as to confirm the trend of the PDP Commission Regulation.

4. Conclusion

We discussed the PDP Law and the Draft Regulation in detail in section 2. above, and the similarities with the GDPR in section 3. As stated in section 1. above, One Asia Lawyers would like to discuss the details of the PDPA and the Draft Regulation on a monthly basis.

To conclude this month’s newsletter, we would like to make some general notes on the PDP Law.

(1) Grace Period

The PDP Law stipulates two years as a grace period for the implementation and adaptation of a system in line with the PDP Law (Article 74 of the PDP Law). Therefore, it is necessary to closely monitor future discussions regarding this Draft Regulation to ensure the development of a system in line with the PDP Law and its regulations.

(2) PDP Law and EIT Law

Article 75 of the PDP Law states that “Upon the effective enforcement of this Law, all provisions of laws and regulations that regulate Personal Data Protection shall remain valid insofar as it does not conflict with the provisions of this Law.”

This article may have been stipulated with the EIT Law and its regulations in mind, which regulate personal data handled through electronic systems. As discussed above, the handling of personal information via electronic systems has been governed by the EIT Law. Based on Article 75 of the PDP Law, it can be interpreted that the EIT Law and its regulations remain in effect as long as they do not conflict with the PDP Law; thus, it is recommended to keep an eye on the EIT Law and its regulations even after the two-year grace period of the PDP Law.

 

[1] For the content of the PDP Law, please kindly refer to our newsletter of October 2022 (https://oneasia.legal/8947) (Please note that only a Japanese version is available.)

[2] Following the release of the Draft Regulation, the Ministry of Communication and Information issued a press release on 31 August. The press release states that the public can provide comments on this Draft Regulation. (https://www.kominfo.go.id/content/detail/51157/siaran-pers-no-256hmkominfo082023-tentang-susun-aturan-pelaksana-kominfo-buka-partisipasi-publik-lewat-laman-pdpid/0/siaran_pers)

[3] General Data Protection Regulation of European Union.

[4] A Personal Data Protection Impact Assessment is the assessment of the possible effects which may arise out of personal data processing if such processing could pose a high risk (Article 127 of the PDP Law (Article 35 of the GDPR has similar provisions)).

[5] However, the GDPR provides that the provision of advice and monitoring of the performance of the DPO shall be carried out “where requested” and such language is not found in the PDP Law.

[6] However, under the GDPR, DPOs are required to publish contact information for the processing of personal data, but this wording cannot be found in the PDP Law or in this Draft Regulation.