Indonesia has finally passed a law on the protection of personal data, which has been under discussion since 2016. The government believes that the new bill will be decisive in the face of massive data security breaches in the country. Indonesia’s House of Representatives approved the Personal Data Protection (PDP) bill earlier this month. The country now joins other Southeast Asian jurisdictions with specific data protection laws, including Singapore and Thailand. Communications and Informatics Secretary Johnny G. Plate hailed the approval as a milestone and key to promoting connectivity and progress in the local digital industry. According to the Statutory Council and the state-owned news agency Antara, the Board said that the personal data protection laws will help make it easier to handle data security breaches.
Indonesian President Joko Widodo last week stressed the urgent need for relevant authorities to coordinate and investigate potential breaches of personal data. The National Cybercrime and Encryption Agency announced on September 13 that it was investigating hackers known as “Bjorka”, who claimed they had access to data from several government websites, presidential letters and secret intelligence documents. The same hackers announced in August that they had obtained information from SIM card users, including their ID numbers and contact information.
In the same month, the personal data of 17 million customers of state-run electricity supplier PT PLN (Persero) was leaked, along with 26 million customers of Telkom Indonesia’s Internet and digital TV service IndiHome.
Antara said the security breach shows the urgent need for a data protection law to maintain public trust, especially when personal information is needed and processed digitally to provide public services. For example, Identity Card Numbers (NIKs) are often used to register online applications and process train ticket purchases. This PDP bill will provide legal certainty that all citizens without exception have full control over their personal data.
House of Representatives Speaker Puan Maharani said derivative provisions could be introduced once the bill is approved, including the creation of an oversight body tasked with protecting the public’s personal data. She added that it will serve as a guide for ministries, agencies and policy makers to maintain a strong national digital security environment.
The bill is also expected to consolidate all existing provisions and additional provisions. Indonesia currently has 32 laws governing the protection of personal data.
Indonesia’s PDP law is modeled after the EU’s General Data Protection Regulation (GDPR) and includes various global components that are not covered by its local regulations, such as sensitive personal data and data protection officers. Andre Rahadyan, partner and founder of law firm Hanafiah Ponggawa & Partners (Dentons HPRP), said the bill would regulate all forms of data processing, including acquisition and collection, retention, updating and correction, and deletion.