Update on the Implementing Regulation for Indonesia’s Personal Data Protection Law

More than a year after the Indonesian government issued the Personal Data Protection Law (“PDP Law”), it has finally drafted an implementing regulation to elaborate on details and provisions. This draft broadens the definition of specific personal data, while also outlining conditions for cross-border data transfers.

Following our Advisory on the PDP Law (see it here), we now examine the progress of the forthcoming Government Implementing Regulation of Law No. 27 of 2022 on Personal Data Protection (“Draft GR”) formulated by the Ministry of Communication and Informatics (“MOCI”). The Draft GR is expected to be issued by the end of this year and we will continue to provide updates on its development.

The scope of the Draft GR covers the following areas:

1. personal data;
2. processing of personal data;
3. rights and obligations;
4. cross-border personal data transfers;
5. international cooperation;
6. authority of the Personal Data Protection Agency (“PDP Agency”);
7. administrative sanctions; and
8. dispute resolution and procedural law.

Key Provisions of the Draft GR

Provision: Determination of specific personal data

Remarks:

The Draft GR introduces “the determination of other data in accordance with the laws and regulations” in addition to the specific personal data listed in the PDP Law. This expansion broadens the interpretation of specific personal data.

Through this Draft GR, the government explains that the “other data” is classified as specific personal data if it has the potential to cause significant harm to personal data owners, such as discrimination, material/non-material loss, or a violation of the law.

However, the Draft GR does not provide further clarification on how to calculate material or non-material loss or the methods for determining the extent of harm to personal data owners.

Provision: Claims and compensation requests

Remarks:

The Draft GR further elaborates on the rights of personal data owners to file claims and request compensation from a personal data controller in cases of errors or negligence in personal data processing.

Such claims can take the form of material and non-material claims. Material claims involve seeking financial compensation equivalent to the losses incurred by the personal data owner, while non-material claims involve corrective actions or other measures aimed at restoring the protection of personal data.

The amount of material compensation that can be claimed by a personal data owner will be determined by the appointed party authorized to resolve the dispute outside court or by a panel of judges.

Provision: Supervisory actions of the personal data controller for personal data processing by third parties

Remarks:

The Draft GR requires the personal data controller to prepare a policy for personal data processing and create an agreement with the personal data processor.

The Draft GR sets forth statutory minimum provisions that must be regulated under both the policy and the agreement.

Provision: Merger, separation, acquisition, or consolidation of the personal data controller

Remarks:

Under the PDP Law, the personal data controller is required to notify the personal data owner in the event of a merger, separation, acquisition, or consolidation of the personal data controller. The Draft GR further specifies that this notification must occur before the completion of these corporate actions.

Additionally, the previous personal data controller and the new personal data controller are required to establish an agreement that governs the rights and obligations of each party concerning the transferred personal data.

Provision: Authority of the PDP Agency

Remarks:

The Draft GR also governs the authority of the PDP Agency, which covers the following:

1. formulating and determining personal data protection policies and strategies.
2. supervising the provision of personal data protection.
3. conducting administrative law enforcement to prevent violations of the PDP Law.
4. facilitating alternative dispute resolution.

Provision: Reporting requirements to the PDP Agency

Remarks:

In the event of any failure to protect personal data, the personal data controller responsible for the data’s protection must report the failure to the PDP Agency.

This report must be submitted within 72 hours from the moment the controller becomes aware of the failure. The personal data owner must also be notified of the failure within the same timeframe.

Provision: Cross-border data transfer requirements

Remarks:

The PDP Law imposes several requirements for cross-border data transfers. One of these requirements is that the recipient’s country must have an equal or higher level of personal data protection.

Under the Draft GR, the specific threshold for meeting this requirement will be determined by the PDP Agency and will depend on the following factors:

1. whether the receiving country of the personal data controller or processor has its own personal data protection law.
2. the presence of a personal data protection supervisory authority or agency in the receiving country of the personal data controller or processor.
3. whether the receiving country of the personal data controller or processor has made an international commitment or adheres to other obligations through conventions or instruments, as well as participation in relevant personal data protection multilateral or regional systems.

The Draft GR further stipulates that if the requirement for equal or higher-level personal data protection cannot be met, the personal data controller must ensure that the recipient has adequate and binding personal data protection. This can take the form of (i) international agreements between the transferring and receiving countries, (ii) standard contract clauses for personal data protection, (iii) binding group company policies, or (iv) other instruments deemed adequate and binding by the PDP Agency.

The standard clauses mentioned in (ii) must, at a minimum, cover the following matters:

1. basis for processing personal data;
2. personal data protection clause;
3. notification obligations in case of a failure to protect personal data; and
4. obligation to conduct due diligence on other parties receiving the transferred personal data.

The binding group company policies in (iii) may only be used for cross-border data transfers that are conducted within the same group of companies.

If the above-mentioned requirements, such as having an equal or higher level of personal data protection or establishing adequate and binding personal data protection, cannot be met, consent from the personal data owner may serve as a fallback option. However, this consent option applies only under the following limited circumstances:

1. the transfer is not recurring.
2. the transfer involves a limited number of personal data owners.
3. the transfer is necessary to comply with provisions that do not supersede the interests or rights and freedoms of the personal data owner.
4. the personal data controller has assessed the associated risks and implemented appropriate protection measures.
5. the personal data controller has informed both the PDP Agency and the personal data owner about the transfer activities and the compelling legitimate interest for conducting the transfer.

Additional provisions on the transfer of personal data based on consent will be elaborated further in the PDP Agency’s regulations.

Provision: Alternative dispute settlement

Remarks:

The Draft GR introduces an alternative dispute settlement forum in which the personal data owner and the personal data controller or processor can report disputes to the PDP Agency.

The Draft GR also encourages the personal data owner and the personal data controller or processor to settle disputes through mediation provided by an appointed mediator. A detailed mediation procedure is outlined in the Draft GR.

Provision: Administrative fines

Remarks:

Under the PDP Law, administrative sanctions for non-compliance include fines, which can reach up to 2% of a company’s annual income or an amount determined by violation variables. The Draft GR outlines the following variables for calculating fines:

1. any negative impact resulting from the violation.
2. the duration of the violation.
3. the type of personal data affected.
4. the number of individuals affected.
5. the process of discovering the violation.
6. the level of transparency and cooperation displayed by the personal data controller during the investigation.
7. the scale of the business operated by the personal data controller or processor.
8. the financial capacity of the personal data controller or processor.
9. other relevant factors considered by the PDP Agency.

What’s next?

According to the Draft GR, the PDP Agency will issue regulations that provide further details on:

1. the imposition of postponements and restrictions on processing personal data.
2. cross-border agreements.
3. standard clauses of personal data protection agreements.
4. further technical requirements for personal data transfers and other technical provisions.

However, to date, the PDP Agency has not yet been established.

Furthermore, despite the Draft GR containing detailed provisions on personal data protection, it has not specified a minimum retention period for personal data but still defers to existing laws and regulations.

As the Draft GR is still subject to public consultations, it is highly likely that several changes will be made before the final draft is approved by the President. In the meantime, personal data controllers can start reviewing their internal company policies and agreements to ensure compliance with the requirements and obligations related to the collection of personal data, from both their customers and their employees, as outlined in the PDP Law and Draft GR.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If you have any questions, please contact:

1. Heru Mardijarto, Partner – heru.mardijarto@makarim.com
2. Mira Ayu Lestari, Associate - mira.ayu@makarim.com
3. Hana Riris Mayrin Veranda, Associate - hana.veranda@makarim.com

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

^{M&T Advisory is a digital publication prepared by the Indonesian law firm, Makarim & Taira S. It informs generally on the topics covered and should not be treated as legal advice or relied upon when making investment or business decisions. Should you have any questions on any matter contained in M&T Advisory, or other comments in general, please contact us at the emails provided at the end of this article.}