Indonesia appears ready to enact a new law on the protection of personal data. A draft law on personal data protection (“PDP Draft Law”) has been signed by President Joko Widodo and is being discussed by the House of Representatives. Several government officials have been quoted in media reports saying they expect the PDP Draft Law to be passed and enacted in 2020.
This article looks at some of the key changes contemplated by the PDP Draft Law. Note that while it seems the draft is near passage, it is still subject to further revision.
Processing Personal Data – Retention Period
The PDP Draft Law mentions several times the existence of a retention period for personal data that a “data controller” must abide by. A data controller is defined in the draft as a party that determines the purpose and controls the processing of personal data.
For example, the PDP Draft Law provides that in processing personal data, data controllers are obliged to, among other things, erase/delete personal data after the retention period has lapsed or at the request of the personal data owner. Prior to obtaining the consent of a personal data owner for the collection and utilization of their data, a data controller must inform the personal data owner of its retention period for the personal data. A data controller also is required to cease all processing of personal data once the retention period has lapsed.
Despite the above provisions, the PDP Draft Law is silent on how long a retention period should be. Lawmakers in the House have expressed concern that there will be no legal certainty if the duration of the retention period is not stipulated in the PDP Draft Law, resulting in a hodgepodge of retention period policies among companies. With input from lawmakers, the government may decide to stipulate a specific data retention period in the new law, although as far as we are aware the House has not suggested how long the retention period should be.
Consent of Data Owners
Previous regulations that touched on personal data protection have emphasized the importance of obtaining the consent of personal data owners prior to collecting or utilizing their personal data. The PDP Draft Law provides further elaboration on this point, including the stipulation that such consent must be provided either in writing or through a verbal recording. It also provides a clear list of information that a personal data owner must receive prior to granting their consent. The PDP Draft Law also regulates that a data controller is required to show evidence that the personal data owner has provided their consent for the collection and use of their personal data.
The House’s concern is that the PDP Draft Law is silent as to whom data controllers should show the evidence of consent. It is also silent on whether the data controller is required to actively demonstrate such evidence or whether it is only required to show the evidence when requested by a government institution or a third party. Despite this concern, we note that lawmakers have not provided their view on the party or organization to which data controllers should be required to demonstrate this evidence of consent.
Cross-Border Transfer of Personal Data
The existing provisions on the cross-border transfer of personal data, under Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems, are vague and not being enforced by the government or the MOCI. The PDP Draft Law seeks to further regulate this matter by providing the requirements for a legal cross-border transfer of data. Under the PDP Draft Law, a data controller in Indonesia may transfer personal data to an offshore data controller provided that:
- The jurisdiction of the offshore data controller or international organization receiving the transferred data provides an equal or higher level of personal data protection than the PDP Draft Law;
- There is an international agreement between Indonesia and that jurisdiction;
- There is an agreement between the Indonesian and offshore data controllers containing personal data protection standards and guarantees in accordance with the terms of the PDP Draft Law; and/or
- The personal data owner has consented to the transfer.
Lawmakers have expressed some concern with the lack of a standard regarding what is considered an “equal or higher level of personal data protection”. Also, the use of “and/or” in the above list seems to indicate that the conditions are alternative in nature, which may give rise to a situation where the consent of the personal data owner is not required for the cross-border transfer of their personal data if any of the other elements are fulfilled.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.