Indonesia Passes A Really Great Data Privacy Law

Indonesian legislators on Tuesday passed the data protection bill, making data handlers liable for up to five years in jail and a maximum fine of 5 billion rupiah ($334,000) for leaking or misusing private information. Reuters has the details:

The bill’s passage comes after a series of data leaks and probes into alleged breaches at government firms and institutions in Indonesia, from a state insurer, telecoms company and public utility to a contact-tracing COVID-19 app that revealed President Joko Widodo’s vaccine records.

Lawmakers overwhelmingly approved the bill, which authorises the president to form an oversight body to fine data handlers for breaching rules on distributing or gathering personal data.

The biggest fine is 2% of a corporation’s annual revenue and could see their assets confiscated or auctioned off. The law includes a two-year “adjustment” period, but does not specify how violations would be addressed during that phase.

The legislation stipulates individuals can be jailed for up to six years for falsifying personal data for personal gain or up to five years for gathering personal data illegally.

Users are entitled to compensation for data breaches and can withdraw consent to use their data.

Noris Ismail, Managing Director of Breakwater Solutions, has this to say:

     “Indonesia experienced a rollercoaster journey and huge learning & relearning curve whilst drafting and debating the Bill. It’s not surprising given President Joko Widodo’s vision to accelerate Indonesia’s digital economy transformational journey (being the 4th most populous nation in the world, which contributed 40% of Southeast Asia’s 2021 e-commerce Gross Merchandise Value (GMV), at $70 billion based on the 2021 e-Conomy Southeast Asia report) and mushrooming reported data breach cases in public and private sectors. Like other evolving data privacy legislative landscapes in ASEAN Member States, some of the requirements partly mirror the GDPR (but with Indonesian gravitas, persona, and legislative identity). Global organisations that are processing Indonesian datasets (inside or outside Indonesia) have 2 years to kick off assessment and remediation leading to the ‘Business As Usual (BAU)’ implementation phase. Some organisations might accelerate the latter due to lessons learned from the GDPR experience and journey – subject to existing governance, business strategy, growth, process and data processing activities. Some organisations might require a tactical approach to assess the top 5-10 risks and prioritise remediation, leading to aspired defensible compliance positions (due to resource, budget, and technology constraints). Pushing forward 2 years, we’re very keen to learn the Indonesia Personal Data Protection Act (PDPA)’s regulatory enforcement approach and its ‘global data interoperability’ guidance notes, particularly on data localisation and PDPA adequacy determinations (from Indonesia’s lens, in addition to the European Commission’s lens). It might take more than 2 years and beyond to progress, evolve and mature.”

Hopefully this sort of bill gets copied in other places, as it should help to reduce the number of data leaks that we see.
