It has been widely reported that Indonesia aims to promulgate the Personal Data Protection Bill in August. One of the issues that stalled promulgation was whether Indonesia should have an independent body supervising personal data protection. With this issue now resolved by deferring the exact form of the supervisory body to the Indonesian president by way of a presidential decree, another issue might arise after the bill’s promulgation: the possibility of conflicting views on personal data protection regulations.

Conflicting data privacy provisions between the new bill and existing laws

The potential conflicts may stem from Article 71 of the PDPB, which states when the Personal Data Protection Law enters into force, all provisions of the current laws and regulations governing personal data protection shall remain applicable so long as they are not contrary with provisions under the PDPL.

The problem with the above provision is that currently, there are so many provisions pertaining to personal data protection scattered across scores of laws and regulations in multiple sectors. How exactly to convince the regulator (which is undecided whether it will be an independent body or a body under the Ministry of Communications and Informatics) that one does not contravene the provisions under the forthcoming PDPL shall remain a mystery.

For companies with in-house legal counsel and those using external counsel, locating conflicting provisions between existing laws and regulations and the forthcoming PDPL might seem like a walk in the park. But the same situation might not apply to individuals or companies without the assistance of legal counsel.

It might be more fitting if the PDPB expressly declares certain provisions in scores of existing laws and regulations to be ineffective upon promulgation of the bill. This is similar to what Indonesia’s Job Creation Law did by rendering many provisions under so many existing laws and regulations ineffective after the Job Creation Law entered into force.

The drafting method behind the Job Creation Law is now known as the Omnibus Law on Job Creation. Pursuant to Article 64(1b) of Law No. 13 Year 2022 on Formulation of Laws and Regulations (second amendment to Law No. 12 Year 2011) (“Law 13/2022”), the omnibus method formulated laws and regulations by adding, changing, or revoking content across multiple sectors of law into one bill.

One may argue that to avoid confusion and clearly define scope, an omnibus method of drafting the PDPB is necessary. Given that the bill’s early draft predates the new Law 13/2022 where the omnibus method is recognized as one of the many ways to draft a regulation, it might be difficult for the government and Parliament to scrap the current draft of the bill and go back to square one to draft a completely new draft Omnibus Law on Personal Data Protection.

Another less controversial method of avoiding potential conflicts would be amending laws and regulations that govern personal data protection in some of their provisions to adhere to the PDPL and erase conflicting existing provisions. To date, there are more than 40 laws and regulations in Indonesia that govern personal data protection. Amending these laws and regulations will undoubtedly take plenty of time, and it is difficult to say how much time would be needed to carry out these painstaking processes.

Another alternative, albeit via litigation, is judicial review of any laws and regulations below the level of a law by the Supreme Court or judicial review of all laws by the Constitutional Court. This could mean a potential review of numerous provisions scattered in various laws and regulations regarding personal data protection.

Conflicting views between supervisory body and other bodies

Although the PDPL is envisaged to be an all-encompassing law to govern data protection issues, it seems this may be a utopian dream as many sectors — especially in banking and finance under the supervision of the Financial Services Authority (known as the Otoritas Jasa Keuangan) — are prone to governing themselves with specific rules that might differ from other sectors. It remains to be seen whether there is any provision under the latest PDPB draft that addresses this issue.

Of course, we can only hope, the personal data protection supervisory body (be it independent or not) does not have different views with the OJK or any other bodies on how to regulate personal data protection in certain sectors. Such scenario is indeed not impossible to occur.

Presidency deciding the supervisory body independence

The president will be in charge of deciding the independence of the supervisory body for issues involving the protection of personal data in Indonesia. Whether the body will be independent of any ministries or placed under an existing ministry — most likely the Ministry of Communications and Informatics (MoCI) — is one of the major questions that has yet to be answered.

According to Institute for Policy Research and Advocacy Executive Director Wahyudi Djafar, if the supervisory body is placed under the MoCI, then the MoCI will act both “as player and referee.” As a consequence, it will be difficult for the supervisory body to regulate and supervise the MoCI's compliance with PDPL as part of its supervision duties. Another reason why an independent supervisory body is more desired is because, according to the July 2022 publication from the Asia Society Policy Institute, the current practice of enforcement by the MoCI is “said to have been a ‘conspicuous failure,’ with only warnings issued in the past and to no deterrent effect.” Additionally, there is a “desire to have a leaner administration, rather than multiple agencies that would drive up costs.”

The president is now given a wide latitude to exercise his power in deciding whether he wants the Personal Data Protection Supervisory Body to be completely independent from any ministry or not. According to Bobby Adhityo Rizaldi, a member of the First Commission of the Indonesian House of Representatives, a presidential decree will likely be issued within a year or two from now. Given that there is an upcoming presidential election in 2024, it is very likely that any presidential decree to establish the Personal Data Protection Supervisory Body will only be issued after the presidential election takes place considering the busy year ahead political parties and presidential candidates. Furthermore, it is uncertain whether President Joko Widodo will exercise his power right before he steps down.

Conclusion

It seems that Indonesia will have a long way to resolve the residual issues discussed above. However, the fact that Indonesia is resolute in having the Personal Data Protection Bill passed this year is already a good work. For privacy practitioners, this is high time to provide valuable input to the Indonesian government to make sure the government is aware of these residual issues before too late.