Coming Soon: Indonesia’s Personal Data Protection Agency

One of the forthcoming developments from the enactment of Indonesia’s Personal Data Protection Law (PDP Law) on 17 October 2022 is the establishment of a new data protection institution that will be formed by and directly accountable to the president.

The Personal Data Protection Agency (PDP Agency) will have substantial authority to implement and enforce personal data protection measures. Its responsibilities include formulating policies and strategies for personal data protection, supervising implementation of personal data protection, imposing administrative sanctions for non-compliance with the PDP Law, and facilitating alternative dispute resolutions.

In implementing personal data protection measures, the PDP Agency is also granted the authority to issue orders, receive complaints or reports, conduct investigations into complaints, reports or supervision findings, summon individuals or public entities, and request information, data or documents regarding alleged violations of personal data protection.

The PDP Agency will be established through a presidential regulation, while procedures detailing the implementation of the agency’s authorities will be set out in a government regulation, as mandated by the PDP Law.

Nearly 18 months after the enactment of the PDP Law, the Ministry of Communications and Informatics (MOCI) is still working to establish the PDP Agency. Recent online media reports indicate the agency will be formed in the second quarter of 2024. This timeline was also confirmed during our recent informal discussion with an official of the MOCI.


What’s Next?

The impending establishment of an independent institution to supervise the implementation of personal data protection in Indonesia should bring greater legal certainty for stakeholders, including businesses.

Personal data controllers, processors and any related parties must adjust their practices to align with the provisions of the PDP Law by 17 October 2024. They will need to ensure compliance across all stages of personal data processing, including the collection, analysis, storage, correction/updating/displaying, publication/announcement, transfer, transmission, disclosure, deletion and removal of personal data.

Both personal data controllers and processors must ensure full compliance with their obligations outlined in the PDP Law. For personal data controllers, this includes informing personal data subjects about the purpose and legality of data processing, obtaining their consent, processing the data in a limited, specific, legal and transparent manner, and promptly notifying them if there’s a breach of confidentiality. For personal data processors, the requirements include obtaining approval from the controllers before processing personal data, keeping records of all processing activities, ensuring data security, maintaining confidentiality, and preventing unauthorized access.

Once the PDP Agency is formed, it will serve as an independent institution dedicated to addressing issues regarding personal data protection and its enforcement. The agency will have the authority to handle violations of personal data protection. For instance, in cases of personal data leaks or violations, any concerned party will be able to report the matter to the agency.

Given its broad authority, the PDP Agency may summon individuals or public entities and request information and data from them. It will also be able to conduct investigations into the electronic systems and facilities used by personal data controllers or processors and obtain access to any data related to alleged violations.

The PDP Agency will also have the authority to impose sanctions for non-compliance with the PDP Law. These sanctions may include issuing a written warning, temporarily suspending personal data processing activities, deleting or removing personal data, or imposing administrative penalties. Such penalties could amount to 2% of a company’s annual income or an amount determined based on violation variables, which will be further regulated by government regulations.

With Indonesians increasingly entrusting their personal interactions to online platforms, which remain susceptible to data breaches, we eagerly anticipate further developments in the establishment and operation of the PDP Agency. The new agency’s enforcement of the PDP Law is expected to provide data subjects with greater protection from infringements by data controllers and processors. These more stringent protection measures are also expected to gradually mitigate the incidence of personal data leaks and violations. 

-----

If you have any questions, please contact:

  1. Heru Mardijarto, Partner – heru.mardijarto@makarim.com
  2. Mira Ayu Lestari, Associate – mira.ayu@makarim.com

M&T Advisory is a digital publication prepared by the Indonesian law firm, Makarim & Taira S. It informs generally on the topics covered and should not be treated as legal advice or relied upon when making investment or business decisions. Should you have any questions on any matter contained in M&T Advisory, or other comments in general, please contact us at the emails provided at the end of this article.
