Indonesia has finally passed its Personal Data Protection Law, which has been under discussion since 2016. The government believes the new law will be crucial amid a spate of data breaches in the country.
Indonesia’s House of Representatives approved the Personal Data Protection Act (PDP) earlier this month, paving the way for its ratification on Tuesday. The country now joins other jurisdictions in Southeast Asia that have their own personal data protection laws, including Singapore and Thailand.
Communications and Informatics Secretary Johnny G. Plate had hailed the approval as a milestone and key to fostering connectivity and progression for the local digital sector. Plate said laws protecting personal information would help promote and facilitate data breach management, according to the statutory board and state news agency Antara.
Indonesian President Joko Widodo last week underscored the urgent need for relevant ministries to coordinate and investigate alleged personal data breaches. The National Cyber and Encryption Agency said on September 13 that it was investigating claims by hackers nicknamed “Bjorka” that they had access to data from several government websites, letters from the President and confidential Secret Service documents.
The same hackers said in August they had obtained information from SIM card users, including their national identification number and contact details.
In the same month, personal data of 17 million customers of state-owned electricity provider PT PLN (Persero) and the data of 26 million customers of Telkom Indonesia’s internet and digital TV service IndiHome were leaked.
The security breaches highlighted the urgent need for data protection law to uphold public trust, particularly as personal data is required for public services and processed digitally, Antara said. For example, National Identity Card numbers (NIKs) were widely used to register online apps and to process train ticket purchases.
Citing statistics from Surfshark, Antara said Indonesia was the country hit hardest by data breaches in the third quarter of 2022, ranking third with 12.7 million local accounts compromised.
Speaker of the House Puan Maharani said on Monday: “This PDP law gives legal assurance that every citizen, without exception [has full control] about their personal information. So there will be no more tears from people over online lending that they don’t ask for or doxxing that makes people uncomfortable.”
Maharani said derived rules, including the establishment of an oversight body charged with protecting the public’s personal information, could be formed immediately after the bill’s ratification.
She added that it would serve as a guide for ministries, agencies and policymakers to maintain a robust national digital security environment.
The bill is also expected to consolidate all existing and additional regulations into one. Indonesia currently has 32 personal data protection laws.
Modeled on the European Union’s General Data Protection Regulation (GDPR), Indonesia’s PDP law includes various global components that are not found in local regulations, such as: B. sensitive personal data and data protection officers. According to Andre Rahadian, a partner and founding member of the law firm Hanafiah Ponggawa & Partners (Dentons HPRP), the bill will regulate all forms of data processing, including capture and collection, storage, updating and correction, and erasure.
For example, under the PDP Act, personal data controllers must update and correct errors in personal data within 24 hours of receiving a request to do so. The draft law also specifies underlying documents or circumstances under which personal data may be transferred outside of Indonesia, such as: B. Prior consent obtained from the owner of personal data and bilateral international agreements.
It includes corporate penalties of up to 2% of an organization’s annual revenue and up to six years in prison for those alleged to have broken the law.
Indonesia has an estimated 220 million internet users.
According to the e-Conomy Southeast Asia 2021 report, which covers six regional markets: Singapore, Malaysia, Vietnam, the country is expected to account for 40% of Southeast Asia’s e-commerce gross merchandise value (GMV) in 2021, at US$70 billion , Indonesia, Thailand and the Philippines. The study also found that 80% in Indonesia had made an online purchase at least once.