Indonesia passes long-awaited privacy bill

The bill was first proposed in 2014, but deliberations dragged on over the status of a prescribed oversight agency.

Dio Suhenda and Nur Janti


The Jakarta Post


September 22, 2022

JAKARTA – Lawmakers passed into law on Tuesday a long-awaited privacy bill that grants citizens more control over their personal information online and seeks to spur cybersecurity improvements amid a recent string of digital attacks in the country.

The passage of the Personal Data Protection Law was formalized at a House of Representatives plenary session led by deputy speaker Lodewijk Paulus, with all House party factions approving the bill.

“Today is a historic moment that has been eagerly awaited,” Communications and Information Minister Johnny G. Plate said at the meeting, adding that the legislation was an embodiment of the government’s commitment to protecting citizens’ private data.

He said the law would help improve data protection standards in the country’s technology industry and would strengthen global recognition of the country’s data protection efforts.

The law requires data controllers and processors – whether public or private – to ask for permission to collect and share data and to give users information on why and how they will use the data. Controllers and processors must also make efforts to ensure the security of the data, including by setting up firewalls and encryption systems. They will have two years to comply, and it remains unclear how data breaches will be addressed before the deadline.

The bill was first proposed in 2014, but deliberations dragged on over the status of a prescribed oversight agency. The government and lawmakers came to a consensus earlier this month that the agency’s role would be outlined generally in the law, that it would answer to the President and that the details of the institutional design would be left to the executive.

The agency is responsible for establishing the details of data protection policies, resolving disputes outside the court system and imposing administrative sanctions and fines on data controllers or processors that breach the rights of data subjects.

“[The law] is but a first step in a long journey to have a personal data protection [system] that is ideal,” Johnny told reporters after the meeting, adding that the formation of the new agency would have to wait for a decree from President Joko “Jokowi” Widodo.

Sanctions

The law outlines two categories of sanctions. The first is administrative and includes operating suspensions and non-judicial fines for offending data handlers in both the public and private sector. The fines can reach 2 percent of the annual revenue of the non-compliant data controller or processor.

The second category, criminal penalties, is for individuals and companies that are found guilty by a court of illegally collecting, using, selling or publicizing personal data. The penalties may include prison time.

But critics say it is possible that neither administrative nor criminal sanctions will be suitable for public institutions that control or process personal data – compounding concerns that non-compliant public institutions might remain untouched by the law.

“The 2 percent [fine] is only logical for private corporations since it will be deducted from their annual earnings,” said Wahyudi Djafar of the Institute for Policy Research and Advocacy (Elsam). “For state institutions, the most logical thing is to have their budget slashed by 2 percent, but this is not outlined in the regulation yet.”

Wahyudi noted his concern that the government would keep the agency on a tight leash to prevent it from acting decisively against offending public institutions. He also questioned the wisdom of suspending the operations of a state-owned data controller, which could cause public services to grind to a halt.

Rizki Natakusumah, a member of the House Commission I overseeing intelligence and information, said the law’s sanctions would also be applicable to state-owned data controllers, particularly in light of recent digital attacks that are thought to have compromised millions of pieces of personal information collected by state organizations.

Indonesia saw at least five data breaches in August alone. Data belonging to customers of state-owned electricity company PLN and IndiHome, an internet service provider owned by state-owned telecommunications firm Telkom, were among the information sold on hacking forum Breach Forums. Earlier this month, data on more than 1 billion registered Indonesian SIM cards were reportedly stolen. The Communications and Information Ministry has denied that the leak was from the ministry.

More recently, a pseudonymous hacker called Bjorka claimed to have put 679,180 documents up for sale on the hacking forum Breach Forums, which he said contained records of letters and documents sent by and to President Jokowi, including confidential letters from the State Intelligence Agency (BIN).
