The House of Representatives of the Republic of Indonesia, which is the main national legislative body of the state, has recently passed the Law concerning Personal Data Protection. Pending to Executive Assent by President Joko Widodo, which will be followed by official numbering and publication in the State Gazette, the law will be Indonesia’s first national legislation that is specifically designated to address personal data privacy. Previously, some privacy concerns have been partially addressed in several legislations, including Law no 11 of 2008 concerning Electronic Information and Transaction (as amended by the Law no. 19 of 2016), Law no. 39 of 1999 concerning Human Rights, Law no. 14 of 2008 concerning Open Public Information, and Law no. 23 of 2006 concerning Administration of Populace.
The law to protect personal data itself was initiated back in 2012 by the government, although it was only in 2019 that a bill was finalized and later formally introduced to the parliament on January 24, 2020. Almost three years later, the law was eventually passed on 20 September 2022 with sixteen chapters and seventy-six articles – four articles more than was contained in the initial bill.
Under the new law, “personal data” is defined as “identified or identifiable data of an individual, either independently or in combination with other information, direct or indirectly through electronic or non-electronic system”. The law further categorizes “personal data” based on its characteristics. General personal data shall include full name, gender, nationality, religious affiliation, marital status, and/or combined personal data used to identify a person; whereas specific personal data comprises medical records, biometrics, genetic information, criminal records, children data, personal financial information, and/or other data pursuant to applicable laws and regulations.
Everyone – including herein is corporate entities – is prohibited by the new law from unlawfully gathering or collecting personal data other than his/her own, for the purpose of benefiting him/herself or others in the manner that is prejudicial to the rightful subject of the personal data in question. Similar prohibition is also applicable against unlawful disclosure of personal data other than his/her own. Violation against either prohibition is regarded as criminal act that could lead to maximum sentence of five years imprisonment or IDR 5 billion fine. Up to six years imprisonment and IDR 6 billion fine could also be sentenced against anyone who deliberately create fake personal data or falsify personal data for his/her own benefit. Corporate entities who are found guilty of engaging in infringing activities under the new law could also be severely sanctioned, which could range from formal warning, suspension of data collecting activities, confiscation of assets, termination of business, up to liquidation of the company.
Apart from administrative as well as criminal sentences against infringers of personal data protection as mentioned above, owner of personal data is also entitled to take legal action and seek for damages against anyone who violates his / her personal data in the manner that is restricted or prohibited by the law. Aside from the conventional avenue through the court of law, settlement of disputes under this new law can also use alternative dispute resolutions.
The timing for the passing could not be more appropriate, since in the recent months Indonesians had been plagued by incidents where millions of personal data previously collected by certain local companies as part of mandatory requirements for services were allegedly leaked on the internet. It is interesting to see how effective this new law can be in providing security and protection of personal data, particularly to prevent the occurrence of such incidents in the future.