Indonesia’s Personal Data Protection Bill: Overview, Key Takeaways, and Context
The authors thank Zacky Zainal Husein and Muhammad Iqsan Sirie from Rajah & Tann Indonesia for their insights.
Overview
On September 20, 2022, Indonesia’s House of Representatives passed the Personal Data Protection Bill (PDP Bill) (note: linked Bill is in Indonesian). This is the first step towards enactment of the PDP Bill as law. The second step was Presidential assent, which happened on October 17, 2022, and signifies the enactment and coming into force of the law.
Prior to the passage of the PDP Bill (from hereon referred to as the “PDP Law”) (Act No. 27 of 2022), Indonesia lacked a comprehensive personal data protection law. Instead, provisions on personal data protection were distributed across more than 30 different laws and regulations. A first draft of the PDP Law was released for public comment on January 28, 2020. Between January 2020 and September 2022, the PDP Law underwent numerous rounds of consultation and amendment, culminating in the release of a near-final draft on September 5, 2022, and a final draft on September 20, 2022.
The PDP Law establishes responsibilities for the processing of personal data and rights for individuals in a manner similar to other international data protection laws. Many of its core aspects, including definitions of covered data and covered entities, lawful grounds, processing obligations, accountability measures, and controller-processor relationships, overlap with other laws around the world – most notably the EU’s General Data Protection Regulation (GDPR). However, there are a few notable components unique to the Indonesian context. For instance, the PDP Law includes a broad extraterritorial scope provision that applies to organizations as long as their processing activities have legal consequences in Indonesia or cover Indonesian citizens outside of Indonesia.
Additionally, the PDP Law broadly exempts the financial services sector, imposes stricter requirements on controllers such as broad record-keeping obligations for processing activities, and has unique provisions on the use of facial recognition technologies. Special categories of data (what the PDP Law refers to as “specific personal data”) explicitly include children’s data and personal financial data. For specific data subject requests, such as access, rectification, and restriction, organizations only have 72 hours to respond.
Data localization, which was introduced in a previous draft, has been replaced by the general obligation for controllers to ensure data transferred across borders remains protected to a standard commensurate with the PDP Law. As for enforcement and sanctions, the PDP Law includes a large spectrum of avenues – from a private right of action for any violations of the law, to administrative fines and criminal penalties. For instance, the law sanctions “intentionally creating false data” with a criminal sentence of up to six years.
Lastly, the structure and function of the data protection authority (DPA), which will be set up after the PDP Law comes into force, may carry unique features, as many details of its operation will be issued at a later date.
While authorities will need to clarify key provisions in subsequent regulations, the PDP Law creates a comprehensive foundation to govern data processing activities in Indonesia. As Indonesia is one of the most populous countries in the world, the PDP Law will likely have an impact on data protection both in the regional context of the Asia-Pacific and the global context. Organizations will have a two-year transition period to comply (except for the criminal provisions, which come into force immediately) from the date the PDP Law enters into force, which occurred upon Presidential assent on October 17, 2022 (had assent not been given, the Law would have entered into force when the time window for receiving assent expired).
1. Scope, Covered Actors, Broad Extraterritoriality
The PDP Law applies to persons, public bodies, and international organizations that process personal data or otherwise perform legal acts recognized under the law in the jurisdiction of Indonesia (Art 2). Persons refer to both natural individuals and corporations (natural and legal persons), while public bodies are organizations that fulfill core administrative functions and receive some funds from state budgetary agencies. Non-governmental organizations (NGOs) may also be considered public bodies if part or all of their funds come from the state. International organizations refer to bodies that are recognized as subjects of international law and have the capacity to make international agreements.
Like other data protection laws inspired by the GDPR, the PDP Law applies extraterritorially to covered actors outside of Indonesia (Art 2). However, unlike other laws, this extraterritorial effect applies as long as the processing of personal data has legal consequences (i) in Indonesia or (ii) for Indonesian citizens who are personal data subjects outside of Indonesia. This applicability covers more processing activities than is typical in other data protection frameworks.
Similar to other data protection laws, the PDP Law distinguishes between “Personal Data Controllers” and “Personal Data Processors.” “Controllers” refer to any person, public body, or international organization acting individually or together to determine the purpose and exercise control of personal data processing. Article 1 defines a processor as the party that processes personal data on behalf of the controller.
Much like other data protection laws, the PDP Law requires processors to perform the processing based on an agreement with the controller under its supervision. However, the PDP Law leaves the ultimate responsibility for data processing with the controllers unless processing occurs outside the agreement, in which case it is the responsibility of the processor. Notably, some obligations of the controllers extend to processors following specific provisions in the PDP Law (see Section 5).
Article 51(4) explicitly permits processors to engage other organizations in sub-processing arrangements – but requires that they obtain written consent from the controller before involving other processors. It is unclear if generalized consent to the use of sub-processors would satisfy this requirement, though this may be clarified in forthcoming regulations.
Normative Grounds of the Law and Data Processing
Added in the final draft of the PDP Bill, Article 3 provides normative grounds for processing, as well as indicates the high-level principles policymakers had in mind when promulgating the law. These include a principle of “Protection” (this is clarified in the explanatory section of the PDP Law to mean that every instance of processing of personal data should be carried out by “providing protection to the personal data subject for his/her personal data and the personal data from being misused”), legal certainty, public interest, expediency, prudence, balance, accountability, and confidentiality. The bases provide insight into the enforcement goals of the PDP Law and ground its provisions in specified rationales and objectives.
The PDP Law applies primarily to the processing of personal data, which refers to the “collection, analysis, storage, improvement and renewal, announcement, transfer, dissemination, disclosure, and deletion of data” (Art 16). This definition is broadly congruent with definitions of data processing seen in other laws. Note, however, that the law appears to provide a closed list of what constitutes processing: it uses no open-ended wording and gives no examples, in contrast to definitions elsewhere that treat the enumerated operations as illustrative.
2. Covered Data: Broad definition of “personal data” and novel categories of “specific data”
In the PDP Law, “personal data” is defined broadly and refers to data which, independently or in combination with other data, identifies or can identify an individual, whether directly or indirectly or through electronic or non-electronic systems. Note the Explanatory Memorandum clarifies that this includes both mobile numbers and IP addresses. This definition is similar in scope to equivalent definitions in other major data protection laws internationally, including the definition of “personal data” in Article 4(1) of the GDPR.
Like many global data protection frameworks, the PDP Law distinguishes between personal data of a general nature and categories of sensitive personal data, which the PDP Law terms “specific personal data” and defines as personal data which, if processed, may result in a greater impact (including harm and discrimination) to the personal data subject (Art. 4).
Notably, unlike other personal data protection frameworks, the PDP Law also identifies a number of categories of “personal data of a general nature” which, by definition, would not qualify as specific personal data. These include a person’s full name, gender, citizenship, religion, and marital status, as well as data that is combined with other data to identify an individual.
The categories of specific personal data include:
- Health data – defined as individual records or information relating to physical health, mental health, or health services. Note regulators may offer additional clarity to this term in future measures;
- Biometric data – defined as an individual’s physical, physiological, or behavioral characteristics that enable unique identification, including facial images, fingerprints, and DNA;
- Genetic data – defined as any kind of characteristic of an individual that is acquired during early prenatal development;
- Criminal records – defined as written records of a person who has committed, or is being charged with, an unlawful act, including police records;
- Children’s data – the law does not specify the age range in which a person is considered a child; and
- Personal financial data – includes, but is not limited to, savings, deposits, and credit card data, as well as other data identified in other laws and regulations.
The PDP Law imposes additional safeguards for processing of specific personal data, including mandatory data protection impact assessments (DPIAs) and data protection officers (DPOs) for large-scale processing (see Section 4 below).
3. Lawful Grounds for Processing and Consent Requirements
Article 20 of the PDP Law establishes six legal bases for processing personal data (whether specific or of a general nature), namely:
- Consent of the personal data subject to process the data for a specific purpose;
- Performance of obligations under a contract between the personal data controller and the personal data subject;
- Performance of a controller’s legal obligations;
- Protection of a personal data subject’s vital interests;
- Undertaking a task in the public interest or in exercise of legal authority; and
- Fulfillment of a legitimate interest, taking into account purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.
These bases are similar to those in Article 6 of the GDPR and, like their equivalents in that law, are placed on an even level – no single legal basis takes precedence over any of the others.
Consent Requirements
The PDP Law also contains detailed requirements for controllers to demonstrate that they have obtained valid consent. A request for consent must be accompanied by certain prescribed information, clearly distinguishable from other matters, and in a format that is easily understandable and accessible. The consent itself must be explicit, informed, specific to a purpose, and recorded.
The PDP Law also contains specific provisions for consent in several contexts where the personal data subject may lack legal capacity. Consent for processing a child’s personal data must be obtained from the child’s parents or legal guardians. Note the Law does not provide an age for defining a child. Further, consent for processing the personal data of a person with disabilities may be obtained either from the person or from the person’s guardian. The PDP Law recognizes that further requirements for such processing may be found in future regulations.
In addition to requiring a legal basis for processing of personal data, the PDP Law also requires controllers to adhere to enumerated data protection principles. In particular, organizations must process personal data in a limited, specific, transparent, and lawful manner. Additionally, a specific purpose for processing must be identified and communicated to the data subject, and processing must be accurate, secure, transparent, and responsible. Articles 20-49 of the PDP Law provide further details as to how personal data controllers should operationalize these principles (see Obligations of controllers below).
4. Obligations of Controllers
Data controllers must abide by a series of obligations outlined in the PDP Law, including adhering to lawful grounds for processing and notification requirements, following data protection principles, responding to data subject requests, and implementing accountability and security measures.
As an overarching requirement, data controllers must identify an appropriate legal ground for processing personal data. If they rely on consent, further obligations apply (see Section 3 above). Article 21 requires the controller to provide information to data subjects on the legality, the purposes, the type, and the relevance of processing. Additionally, the controller must be able to show that consent is valid (Art 24) and, if withdrawn, end any processing operation in a specified time period (Art 40). If consent is withdrawn, the controller has to also delete the personal data (Art 43).
Data Protection Principles
Controllers must process data in accordance with data protection principles (some of which reflect the Fair Information Practice Principles – “FIPPs”) which outline the following obligations:
- Data controllers must process personal data in a limited, specific, lawful, and transparent manner (Art 27).
- Data controllers must process personal data in accordance with a stated purpose (Art 28).
- Data controllers must ensure the accuracy, completeness, and consistency of the personal data they process (Art 29), including notifying the data subject of any correction they make in response to a request (Art 30).
- Organizations must also operationalize the principle of security of the processing (Art 16(2)(e)) through appropriate technical measures (Art 35) and ensure confidentiality of data (Art 36).
- Controllers must also ensure accountability by recording all processing operations and taking other measures to demonstrate responsibility for processing (Art 31). Note that the obligation to record all processing activities is broader than the equivalent obligation in other data protection laws.
While the Principles are similar to those in other comprehensive data protection laws, including Article 5 of the GDPR, the Law does not have an explicit principle of data minimization. However, something corresponding to it can be found in the requirement that personal data be processed in a limited, specific manner. The list of principles in the PDP Law also lacks any form of a fairness principle.
Data Subject Access Requests
Subject to notable exceptions, controllers must respond to data subject access requests and uphold other data subject rights (see Section 7 below). When a data subject requests access, the controller must give the subject access to the personal data, as well as provide a track record of the processing operations related to the subject (Art 32). With respect to requests to delay or restrict processing, the data controller must notify the data subject of this action (Art 41) unless an exception applies or a written agreement with the subject specifies otherwise. For access, rectification, and delay/restriction requests, the controller has 72 hours from receiving the request to respond to the data subject. Notably, while the right of the data subject to access their own data is provided for in Article 7, the conditions under which access must be provided are listed separately in Chapter VI, which is dedicated to the obligations of the controller.
In cases when the data subject requests to end processing, the processing has reached the retention period, or the purposes have been achieved, the data controller must end the processing operations (Art 42). Additionally, controllers must delete or destroy personal data if the data subject requests it or has withdrawn consent, when the personal data is no longer necessary for the original purpose of processing, or when controllers process data through unlawful means (Art 43). In both cases of deletion or destruction of personal data, the controller has to notify the data subject (Art 45).
Accountability Measures, DPIAs, and DPOs
Data controllers have additional obligations, such as supervising each party involved in the processing of personal data under the controller’s control (Art 37), notifying in writing both the data subject and the DPA in the case of unauthorized disclosure of the data and thus a failure to protect it (Art 46), and notifying the data subject before the controller (in the form of a legal entity) proceeds with any merger, separation, acquisition, consolidation, or dissolution (Art 48). Finally, data controllers are obliged to implement orders issued by the DPA in the context of implementing the PDP Law.
Controllers also carry internal record-keeping obligations, such as the requirement to keep a track record of all processing operations to facilitate data subjects exercising their rights. Under Article 34, controllers must conduct a data protection impact assessment (DPIA) whenever processing of personal data has a high risk of harming the data subject, which includes:
- Automated decision-making that has legal consequences or a significant impact on the data subject;
- Processing of specific personal data;
- Large-scale processing of personal data;
- Processing for systematic evaluation, scoring, or monitoring activities;
- Processing for matching activities or merging a group of data;
- The use of new technology; and
- Processing that restricts the exercise of data subject rights.
Article 53 of the PDP Law also contains obligations for organizations to appoint a data protection officer (DPO) in specified conditions. These include when (i) processing personal data for public services, (ii) the core activities of the controller require regular and systematic monitoring of personal data on a large scale, or (iii) the core activities of the controller consist of large-scale processing for specific personal data or data related to criminal offenses.
The PDP Law does not contain any requirements for choosing DPOs except that they must be a professional and have knowledge of the law. DPOs must advise the controller on compliance, monitor and ensure that processing falls within the ambit of the PDP Law, assess the impact of processing, and act as a contact person for issues related to the processing.
Security and Data Breach Notification
Article 35 specifies security measures organizations must adopt to protect personal data, including preparing and implementing technical and operational measures and employing a risk-based approach to determine the level of security appropriate for the data. Controllers likewise have a duty to prevent personal data from being accessed unlawfully (Art 39). Note that the PDP Law does not specify further security measures but instead defers to future regulations to fill in additional detail.
In the event of a security breach, controllers must submit written notification to the affected data subjects and the DPA no later than three days after the breach. The notice must contain the personal data involved in the breach, when and how the breach occurred, and any remedial measures taken by the data controller to mitigate harm (Art 46). Finally, controllers may have to notify the public of the breach in certain cases. As with other substantive provisions of the PDP Law, future regulations will specify additional information and trigger events.
Exceptions to Processing Obligations
Similar to the case of data subject rights, Article 50 sets the conditions that exempt certain processing activities from obligations under the law when such activities involve (i) national defense or security interests, (ii) law enforcement, (iii) public interests in the context of state administration, or (iv) the financial services sector, monetary and payment systems, and financial system stability carried out in the context of state administration. This last exception is a unique feature of Indonesian data protection law.
The Explanatory Memorandum provides additional detail as to the circumstances that trigger these conditions. For instance, the law enforcement exception applies primarily to investigation and prosecution processes, while public interests include the implementation of census administration, social security, tax, customs, and licensing services.
While these exceptions may be construed broadly, the PDP Law limits their effect to an exhaustive list of specific obligations, many of which relate to data subject rights. Where an exception applies, data controllers are not obliged to:
- Update or correct errors and inaccuracies (Article 30);
- Provide access to the data subject as well as a track record of the processing operations (Art 32);
- Maintain the confidentiality of personal data (Article 36);
- Terminate the processing (Art 42);
- Delete personal data (Art 43), unless the personal data has been processed by unlawful means, in which case the exception does not apply;
- Destroy personal data on the basis of a data subject request (Art 44);
- Notify the data subject about the deletion or destruction of the data (Art 45); or
- Notify the data subject in the event of a failure of data protection due to disclosure (Art 46).
5. Some Controller obligations extend to Processors
Article 52 attaches a number of data controller obligations to processors as well, including:
- Ensuring accuracy, completeness, and consistency of personal data, including “conducting verification” (Art 29);
- Recording all processing activities. (Art 31);
- Ensuring the security of personal data by implementing appropriate technical and operational measures based on the risk posed by the data (Art 35);
- Maintaining confidentiality of personal data (Art 36);
- Supervising all parties involved in the processing of personal data (Art 37);
- Protecting data from unauthorized processing (Art 38); and
- Preventing unlawful access of personal data (Art 39).
Finally, processors share the obligation to appoint a DPO if the processing activity meets the qualifying criteria (described above). Article 53(3) specifically notes that a DPO “may come from inside and/or outside the personal data controller or the personal data processor.”
6. Specific Processing Restrictions (Facial Recognition, Children’s Privacy, Persons with Disabilities, ADM)
The PDP Law restricts the processing of personal data in specific circumstances.
Facial Recognition Technology – Article 17 requires controllers that use facial recognition technology or install visual data processing devices in public places to do so only for the purposes of security, disaster prevention, or traffic information analysis. Additionally, organizations must notify the public that such technology is in use in areas where they have installed devices, and must not use the visual data processing to identify a specific person. However, these requirements do not apply to the activities of law enforcement or the prevention of criminal offenses.
Children’s Data – Article 25 states that controllers must process children’s personal data in a special manner and obtain the consent of the child’s parent or guardian. Note the law does not specify an age threshold for children. Rather, regulators will likely promulgate rules on children’s data in future regulations.
Persons with Disabilities – Article 26 states that controllers must also process the data of persons with disabilities in a specified manner and obtain the consent of the person or the guardian to conduct processing activities. Additional regulations will specify further conditions, including how and through what means controllers must communicate with persons with disabilities. Note that the law does not define persons with disabilities.
Automated Decision-Making – Article 10 specifies that data subjects have the right to object to ADM, including profiling that gives rise to legal consequences or has a significant impact on the data subject. This language, which mirrors the GDPR, does not seem to be construed as a general prohibition against qualifying ADM. The PDP Law does not define when its use creates legal consequences or carries a significant impact on individuals. The use of ADM may also trigger a DPIA.
7. Nine Data Subject Rights: From Access to Delay of Processing, to Portability
The PDP Law enumerates nine personal data subject rights and obligates controllers to guarantee those rights as a fundamental data protection principle under the law (Arts 5-15). These rights include:
- A right to obtain information about the clarity of identity, the basis of legal interests, the purpose of the request and use of personal data, and the accountability of the party requesting personal data (Art 5). This right expresses the ‘principle of transparency’ found under Article 16(2)(a);
- The right to access and obtain a copy of the data subject’s personal data free of charge, except under certain conditions that require a fee (Art 7);
- A right to rectification in which the data subject may complete, update, or correct errors and inaccuracies of their personal data (Art 6). This right corresponds to the accuracy principle (Art 16(2)(d));
- The right to end processing, delete, or destroy their personal data (Art 8). This right reflects the deletion principle (Article 16(2)(g));
- The right to delay or restrict processing (Art 11). Data subjects may only exercise this right in a proportional manner to the original purpose of processing;
- The right to withdraw consent in cases where it is provided as a legal basis for processing (Art 9);
- The right to object to decision-making measures that are based solely on automated processing, including profiling, and give rise to legal consequences or have a significant impact on the personal data subject (Art 10). The PDP Law illustratively defines profiling as the activity of identifying a person with their employment history, economic condition, health, personal preferences, interests, reliability, behavior, location, or movements electronically;
- The right to data portability, which allows the data subject to obtain and use their personal data in a form commonly used or readable by electronic systems as well as send their data to other controllers (Art 13). Subsequent regulations will specify this right further; and
- The right to sue and receive compensation in cases where controllers violate the law (Art 12).
Data subjects must submit a registered request to the controller to exercise the rights to rectify data, to have access and obtain a copy of the data, the right to end the processing and delete or destroy personal data, the right to withdraw consent, the right to object to automated decision measures based solely on automated processing, and the right to delay or restrict processing (Article 14).
Similar to the general processing obligations, the PDP Law also includes a number of exceptions to the rights (Art 15(1)) (see Section 4 above). While these exceptions kick in under similar conditions, such as for the purposes of national security, law enforcement, or public interests, the PDP Law also recognizes an exception for statistical and scientific research purposes, which it does not define or further clarify (Art 15). Finally, note that Article 33 stipulates controllers must refuse a rectification or access request if it endangers the security, or the physical or mental health, of the data subject or other persons.
8. Cross-Border Data Transfers: Possible to jurisdictions with equal or higher level of protection, or on the basis of consent
Article 56 of the PDP Law governs transfers of personal data outside of Indonesia. Similar to other data protection laws with international data transfer requirements, the PDP Law requires controllers to ensure that the country where the data recipient is located has a level of data protection equal to or higher than the PDP Law.
The PDP Law further requires that controllers, where the law of the recipient country does NOT provide an equal or higher standard, “ensure that there is adequate and binding Personal Data Protection.” The specifics of how this might be achieved are not set forth in the PDP Law, but Article 56(5) notes that further provisions regarding the transfer of personal data will be included in a separate regulation. It remains to be seen whether this forthcoming regulation will include standardized contractual language or whitelist particular data processing safeguards such as pseudonymization and encryption for data transfer purposes.
The PDP Law includes a broader consent exception to its “adequacy” requirement than many other laws. Article 56(4) requires organizations to “obtain the consent of the personal data subject” for transfers where neither the destination country’s laws nor the controller can guarantee an equivalent or higher level of data protection to the PDP Law, but does not explicitly restrict the use of this exemption. In contrast, Article 49 of the GDPR and other similar laws expressly limit the circumstances under which a controller may rely on a data subject’s consent to transfer personal information to a non-adequate jurisdiction without “appropriate safeguards” and impose additional transparency requirements on controllers seeking to do so.
9. Enforcement – Data Protection Authority, Processes, and International Cooperation
Articles 58-61 of the PDP Law cover the establishment of the Indonesian data protection authority (DPA) and its roles and responsibilities. While relatively brief, these articles are important for setting out the identity and contours of the Indonesian DPA. Art 58 provides that the DPA will implement the PDP Law and report to the Indonesian President, which places the institution within the Executive branch of the government. While the PDP Law specifies some of the functions, competences, and processes of the DPA, further details will be set in future regulations (Art 58(5)).
The Indonesian DPA will have four key functions: (i) policy, strategy, and guidance formulation; (ii) supervision of the implementation of the PDP Law; (iii) administrative law enforcement against violations; and (iv) facilitating out-of-court dispute resolution. Article 60 specifies the bounds of the Indonesian DPA’s authority and competence, which in broad terms include:
- Supervising compliance of data controllers;
- Imposing administrative sanctions for violations committed by data controllers and data processors;
- Assisting law enforcement officials in handling allegations of personal data-related criminal offenses under the PDP Law;
- Cooperating with foreign DPAs to resolve alleged cross-border violations of the PDP Law;
- Publishing the results of the implementation of the PDP Law;
- Receiving, investigating and tracking complaints and reports about alleged PDP Law violations;
- Summoning and presenting experts, where needed, to examine and investigate alleged violations;
- Conducting checks and searches of electronic systems, facilities, spaces, and places used by data controllers and data processors, including obtaining access to data and appointing third parties; and
- Requesting legal assistance from Indonesia’s Public Prosecution Service to settle disputes under the PDP Law.
Further details as to procedures and processes for implementing these powers will be provided in future regulations (Art 61).
Finally, Article 62 stipulates that the Indonesian Government (and not just the Indonesian DPA) will have the ability to conduct international cooperation activities on personal data with other governments and international organizations. Such international cooperation shall be carried out as provided under the laws, regulations, and principles of international law. This indicates that Indonesia will engage with other governments on key data protection issues, including possible negotiations around cross-border data flows and cybercrime.
10. Penalties, Civil Liability, and Criminal Liability
The PDP Law imposes a tiered system of administrative sanctions, civil liability, and criminal penalties that increase with the severity of the violation. In addition to provisions prohibiting the unlawful collection, use, or disclosure of personal information that may harm data subjects, individuals and organizations must not create false personal data that benefits them at the harmful expense of others.
Administrative Sanctions and Civil Liability
Under the PDP Law, the DPA may issue the following administrative sanctions: (i) a written warning; (ii) temporary suspension of processing activities; (iii) forced deletion of personal data; and/or (iv) administrative fines of up to 2% of the data controller’s annual revenue or sales. The PDP Law does not stipulate a detailed fine structure for organizations’ administrative violations beyond the 2% annual revenue ceiling, nor does it provide guidance on the process for disputing or appealing a fine. Rather, the DPA will specify such procedures in subsequent regulations.
Criminal Liability
Courts will impose criminal liability on both individuals and organizations in two particular circumstances: when they intentionally collect, disclose, or use personal data that does not belong to them to benefit themselves at the harmful expense of others (Art 65), and when they intentionally create false personal data to benefit themselves or which may result in harm to others (Art 66).
- Unlawful Collection, Disclosure, or Use – Under Article 67, a person who unlawfully collects or uses personal data in a manner that falls under the criminal provisions of the law could receive a maximum of five years’ imprisonment and/or a maximum fine of 5 billion rupiah. Those who unlawfully disclose personal data in the same manner may face up to four years in jail and/or a maximum fine of 4 billion rupiah. In all circumstances, authorities may confiscate profits or assets obtained from the criminal offense (Art 69).
- Unlawful Creation of False Data – Article 68 imposes a similar penalty for individuals and organizations that intentionally create false data. In these circumstances, a court may impose a six-year term of imprisonment, a maximum fine of 6 billion rupiah, and/or confiscate assets obtained in the illegal act.
While corporations may only be fined for criminal offenses, the PDP Law specifies that managers, high-ranking officers, or certain owners of the corporation could be incarcerated and personally fined for their actions (Art 70). However, corporations could receive a fine ten times the amount of the maximum fine imposed on an individual or corporate officer and be subject to other punishments including:
- Seizure of profits or assets obtained in the criminal offense;
- Revocation of licenses, business operations, or physical offices; and/or
- Dissolution of the corporation or permanent ban on certain operations.
The PDP Law stipulates procedures and timelines for complying with a criminal penalty, including punishments for failing to pay and procedures for resolving disputes over auctioned property.
As a reminder, individuals also have a “right to sue and receive compensation” in cases where controllers violate the law, according to Art 12 of the PDP Law (see Section 7).
Concluding Notes
Indonesia’s new law expands comprehensive protection of personal data to approximately 275 million people. Substantively, the law fits well into the big picture that is becoming the global privacy landscape, with landmark features such as lawful grounds for processing, principles of processing inspired by the FIPPs, a strong set of data subject rights (including in relation to ADM), accountability, a broad scope of application, and extraterritoriality. However, it maintains some specificity, and it enriches the landscape with unique features, such as specifically defining “personal data of a general nature” in opposition to “specific data”, or criminalizing the intentional creation of false data.
Notably, the Indonesian Data Protection Law also shows that data localization proposals can lose ground, not only advance. The passing of the PDP Law is significant, and it proves that Asia Pacific is one of the most vibrant regions of the world when it comes to data protection and privacy regulation. The adoption of the PDP Law also comes as Indonesia is holding the Presidency of the G20 this year – while the data protection world is keeping an eye on India and its back-and-forth efforts to pass a comprehensive data protection law as it prepares to take over the G20 Presidency next year.