By Ryan Mandela and Siti Intan Sekarieva
Background
The phenomenon of globalization allows people to connect and share their personal data digitally which may cause various security issues. Without a powerful data protection law, this issue could violate a user’s right to data privacy and security in the form of data breach, data leak, privacy harms, and so forth. For the purpose of protecting any personal data as well as to establish a sustainable protection system, on 17 October 2022 the Indonesian Government finally enacted Law No. 27 of 2022 concerning Personal Data Protection (“PDP Law”).
PDP Law accommodates personal data protection covering (i) law principles; (ii) types of personal data; (iii) rights of the data owner; (iv) processing of personal data; (v) obligations of personal data controller and personal data processor in personal data processing; (vi) transfer of personal data; (vii) stakeholders; (viii) international cooperation; (ix) public participation; (x) dispute resolution and law proceeding; (xi) prohibition on personal data processing; and (xii) sanctions.
a. Personal Data Coverage
PDP Law defines personal data as any data related to an individual, whether identified or capable to be identified independently or in combination with other information, whether directly or indirectly, through the use of electronic and/or non-electronic systems.[1]
PDP Law categorizes the personal data into 2 (two) types, namely specific personal data and general personal data,[2] as follows:
- Specific Personal Data including health information, biometrics data, genetics data, criminal record, children’s data, personal finance data, and any other data as stipulated in the laws and regulations; and
- General Personal Data including full name, gender, nationality, religion, marital status, and other personal data combined to identify an individual.
The difference between those is related to the level of risks and requirements for personal data processing. Since the Specific Personal Data could potentially cause significant losses and damages to the data owner, it requires an extra treatment effort as anticipated in the data protection impact assessment
b. Personal Data Owner
Under the PDP Law, Personal Data Owner means any individual who has personal data attached to him/her.[3] With regards to their personal information, Personal Data Owner has the right to conduct several activities such as confirming the identity and accountability of the data collector, knowing the purpose and usage of such request or collection, changing, updating, terminating, or demolishing its personal data.
Nevertheless, if there is any interest in national security and defense, law enforcement, public interest in state operation, supervisory activities by financial/monetary authority in relation to state operation or statistic and scientific research, all the above rights could be exempted.
c. Personal Data Processing
Personal Data Processing consists of obtainment and collection, management and analysis, storage, revision and updating, display, announcement, transfer, distribution, or disclosure of any personal data. The implementation of this process must be subject to the procedures and guidelines provided by PDP Law, including all the implementing regulations thereunder.
It is also important to note that the processing of personal data by the processor must be based on written or recorded approval from the data owner or its guardian for special cases related to the minor or disabled person. Furthermore, this process can be conducted by 2 (two) or more data controllers with their consent by also giving the necessary information, for example the purposes and methodologies and appointed liaison party.
d. Controller and Processor of Data
PDP Law regulates the obligations of processor and controller in processing the personal data. The main distinctions between these 2 (two) roles are: (i) Controller determines the purposes of personal data processing; and (ii) Processor conducts personal data processing on behalf of the controller.
As for the data controller or processor, it could be in the form of:[4]
1. |
Any person |
: |
individual or corporation; |
2. |
Public authority
|
: |
executive, legislative, and judicative institution and other institutions having main duty and function related to the state implementation, that partly or all its funds arisen from State Budget (APBN) and/or Regional Budget (APBD), or non-governmental organization, as long the part of whole of its fund coming from APBN and/or APBD, public and/or foreign donation; and |
3. |
International organization |
: |
Organization that is recognized as international legal subject and having capacity to establishing international agreement. |
Furthermore, the controller may transfer personal data to other controllers within or outside the territory of Republic of Indonesia by applying the same degree of protection. In the event that the receivers are located outside the territory of Republic of Indonesia, they must at least have the equal or higher level of data protection. However, such condition is exempted if the data owner approves the transfer of data in advance.
e. Sanction
PDP Law also covers the sanctions depending on the type of violation, as follows:
- Administrative sanctions are imposed due to any failure in complying the requirements of PDP Law, starting from the warning letters up to monetary penalty; and
- Criminal sanctions are imposed to the criminal offender as set out in this Law, whether corporation, organization or individual. The punishment is varied starting from monetary penalty of IDR4 up to 6 billion and/or imprisonment of 4 up to 6 years. Aside from that, there is also additional punishments (i.e. seizure of profits, payment of damages) for certain cases. Please note that the penalty could be 10 times higher and the suspension of business activity up to dissolution are widely opens for offender in the form of corporation.
Conclusion
As explained in the article discussed above, we conclude that the PDP Law has covered the legal aspects required for personal data in Indonesia. This law provides regulation on personal data protection that applies to any individual, public authority, and international organization, within or outside the territory of the Republic of Indonesia. As for data protection processing, PDP Law divides the process into several stages implemented by the controller and/or the processer, which also requires approval from the data owner. Finally, PDP Law also covers administrative and criminal sanctions for personal data violation.
[1] Article 1 paragraph (1) PDP Law
[2] Article 4 PDP Law
[3] Article 1 paragraph (6) PDP Law
[4] Article 1 paragraph (7) jo. paragraph (9) jo. paragraph (10) PDP Law