At the moment, Indonesia does not have a comprehensive personal data protection regulation. What does exist is a multitude of laws and regulations in many sectors governing personal data protection.
Some of the most prominent personal data laws and regulations are as follows:
- Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 and supplemented by the Constitutional Court Decisions Nos. 5/PUU-VIII/2010 and 20/PUU-XIV/2016.
- Government Regulation No. 71 of 2019 on Implementation of Electronic Systems and Transactions.
- Minister of Communications and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems.
In 2020, the Personal Data Protection Bill was introduced.
Quoting the official English translation of the Ministry of Communications and Informatics’ Strategic Plan 2020–2024, the bill is dubbed “a legal instrument that needs to be immediately established in Indonesia’s legal system. It will constitute a manifestation of recognition and protection of fundamental human rights and respond to the need to protect individual rights regarding personal data, especially in this digital era. Personal data protection is one of the human rights that is part of personal self-protection as mandated in Article 28G paragraph (1) and Article 28H paragraph (4) of the 1945 Constitution.”
For the most part, the bill resembles the EU General Data Protection Regulation. New concepts transplanted from the GDPR include:
- Division between the role of controller and processor.
- Extraterritorial application.
- General and specific/sensitive types of data.
- Rights of data subjects being introduced, such as right of access, right to rectification, right to erasure, right to data portability and right to object.
- Data protection officer.
The public has anticipated the entry into force of the bill so many times already. Countless webinars and seminars were held throughout 2020 and 2021 by the House of Representatives, the Ministry of Communications and Informatics, and many NGOs and professional associations. However, even until early January this year, we have not seen any significant progress.
One of the thorniest issues that stalls progress concerns whether Indonesia should follow in the footsteps of the EU member states by having an independent public DPA. On the one hand, the government would like to put the DPA under the auspices of the Ministry of Communications and Informatics, whereas the House of Representatives prefers to set up an independent DPA separate from the Ministry of Communications and Informatics.
It must be noted that in 2020, Indonesia President Joko Widodo abolished underperforming taskforces, bodies, committees and state institutions. This tendency toward having a leaner administration is said to be one of the reasons behind the government’s insistence on not agreeing to the proposal to have an independent DPA.
Looking ahead, the future is bright. The bill is included in the 2022 Prioritized National Legislation Program and, despite having not announced any expected date of entry into force, one of the officials from the Ministry of Communications and Informatics — quoted by a reliable news outlet at the end of January — said the government and the House of Representatives are “finalizing the bill,” though they did not specify what this “finalization” actually entails.
Photo by Muhammad Rizki on Unsplash