Personal Data Protection Law And Two Year Transition Period
The House of Representatives has passed the Personal Data Protection Bill (PDP) into law this week. Indonesia is said to be the fifth country in ASEAN to have a comprehensive personal data protection legal umbrella. This new law is expected to strengthen trust and recognition of Indonesia’s leadership in global data governance. The PDP Law gives people the right to know what information data controllers and processors – whether public or private – are collecting about them, why they are collecting that data and with whom they are sharing it. Data handlers must ensure the rights of data subjects and the security of their data, including by setting up firewalls and encryption systems. The Indonesian Government will have two years to build the system. And those that breach rules on distributing or gathering personal data may face administrative fines of up to 2 percent of their annual revenue or have their operation suspended by a data protection supervisory agency. The law also regulates criminal penalties, including prison time and fines, for any individuals and companies that are found guilty by a court of collecting, using, selling or publicizing personal data by illegal means. Apart from the lengthy process of ratification, the next question is whether the PDP Law can address the various problems of personal data protection in Indonesia.
Executive Director of the Institute for Community Studies and Advocacy (ELSAM) Wahyudi Djafar said, in general the substance of the PDP Law has followed the general standards and principles of personal data protection that apply internationally, but the implementation of this law has the potential to be problematic, weak in law enforcement procedures, as a result of strong political compromises, especially with regard to the PDP Supervisory Agency. Learning from the practice in many countries, the key to the effective implementation of the PDP Law lies with the data protection authority, as a supervisory agency, which will ensure the compliance of data controllers and processors, as well as ensure the fulfillment of the rights of data subjects. Especially when the PDP Law is binding not only on the private sector, but also public bodies (ministry/institution), then the independence of this authority becomes absolute, to ensure firmness and fairness in law enforcement of the PDP. Under the new PDP Law, the Supervisory Agency will be in the form of a Non-Ministerial Government Institution that is responsible and report directly to the Indonesian President, of which its independency is considered rather subjective.
It is increasingly problematic with the inequalities of sanctions that can be applied to the public and private sectors. In the event of a violation, the public sector may only be subject to administrative sanctions, while the private sector can also be subject to administrative fines of up to 2% of the total annual income, in addition to being subject to criminal penalties.
The PDP Law as comprehensive data protection legislation, is not the final solution to all personal data protection issues and cybersecurity threats, including a series of incidents of personal data leakage, but increasingly shows in-depth PDP issues in Indonesia. The two-year transition period is considered very limited to synchronize various regulations related to data protection, which have been spread across various sectors.
