Personal Data Protection (PDP) Law of Indonesia
The Personal Data Protection (PDP) Law, officially designated as Law No. 27 of 2022 concerning Personal Data Protection, is a pivotal legal framework in Indonesia that governs the safeguarding of personal data. This comprehensive law, enacted on 17 October 2022, has far-reaching implications for data controllers, data processors, and all relevant entities involved in personal data processing within the country.
An International Standard
The PDP Law is closely modelled on the European Union’s General Data Protection Regulation (GDPR), aligning Indonesia with globally recognised data privacy standards. It establishes a coherent and structured approach to personal data protection, marking a significant departure from the previous regulatory landscape characterised by fragmented sector-specific regulations.
Pre-PDP Law Era
Before the PDP Law’s enactment, Indonesia relied on a combination of several regulations, including Law No. 11 of 2008 on Electronic Information and Transactions (EIT Law), Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions, and Ministerial Regulations such as No. 5 of 2020 on Private Sector Electronic System Operators. These regulations predominantly pertained to protecting personal data processed through electronic systems and collectively constituted the “General Data Protection Regulations.”
Sector-Specific Regulations
Various sectors in Indonesia also had their own data protection provisions. For example:
- Telecommunications Sector: The Telecommunications Law prohibited information tapping and imposed strict confidentiality requirements on telecommunications service operators.
- Public Information Sector: The Public Information Law restricted the disclosure of personal rights-related information and banned the disclosure of private information, encompassing sensitive categories like medical records and financial data.
- Banking and Capital Markets Sectors: Banking and Capital Markets Laws regulated data privacy, particularly for individuals and corporations. These laws imposed specific obligations, such as obtaining prior approval for data transfer outside Indonesia.
Coexistence and Transition
Existing sector-specific regulations remain in force unless they conflict with the PDP Law. The PDP Law prescribes a two-year transition period ending on 17 October 2024, during which data controllers and processors must align their practices with its provisions. It is expected that implementing regulations will be issued to facilitate compliance, and a dedicated institution, the PDP Agency, will oversee and enforce data privacy measures in line with the PDP Law.