New Report on Limits of “Consent” in Indonesia’s Data Protection Law
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the seventh in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Indonesia, including:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases (e.g., legitimate interests) that permit processing of personal data without consent where the data controller undertakes a risk impact assessment; and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Indonesia’s Data Protection Landscape
Currently, Indonesia has no comprehensive data protection law, though draft legislation in the form of a Personal Data Protection Bill (PDP Bill) was introduced in Indonesia’s Parliament in 2020. Under Indonesia’s existing law, provisions on personal data protection are found in several different sectoral laws and regulations, including those governing the digital, health, and finance sectors.
Role and Status of Consent as a Basis for Processing Personal Data in Indonesia
Indonesia’s existing laws rely heavily on consent as a mechanism for privacy self-management.
Consent serves as the primary or default justification for collecting, using, and disclosing personal data, subject to narrow exceptions and, at least in some sectors, other data protection principles, such as data minimization, purpose specification, and lawfulness and fairness of data collection.
It is also usually mandatory to obtain data subjects’ express consent, as existing laws and regulations generally do not recognize implied or inferred forms of consent.
In the digital sector, operators of electronic systems must obtain consent in written form in the Indonesian language and provide information on the purpose and objective of data collection before collecting and processing personal data. It remains unclear whether laws and regulations provide alternative legal bases beyond consent for processing personal data.
In the health sector, consent is required to use personal data and/or medical records in health research and must generally be informed and recorded in written form. Data subjects must be provided with clear information on the purpose, method, and risks of the research, and the possible research outcomes, including any potential negative impact on them.
In the financial sector, banks, insurance providers, and peer-to-peer lenders must obtain written consent from consumers before providing or disclosing consumer information to any third party, unless applicable laws and regulations provide otherwise. Peer-to-peer lenders must also obtain consent to collect and process personal data and must ensure the confidentiality and integrity of the personal data, transactional data, and/or financial data from the time that such data is collected until it is erased.
Looking to the future: legal bases for processing in the PDP Bill
Compared with Indonesia’s existing laws, the current draft of the PDP Bill provides several legal bases for processing personal data.
One such basis is consent, which must be:
- specific to one or more purposes communicated to the data subject; and
- recorded (though consent may be given in writing or verbally).
Apart from consent, the current draft of the PDP Bill provides for other legal bases which apply where the processing of personal data is:
- for the performance of a contract to which the data subject is a party;
- to fulfill a request of the data subject prior to entering into a contract;
- to comply with a statutory obligation binding on the data controller;
- to protect the vital interests of the data subject;
- in exercise of the data controller’s authority under applicable laws and regulations;
- to fulfill the data controller’s obligation to provide services in the public interest; or
- to fulfill other legitimate interests, after balancing the data controller’s and data subject’s respective interests.
However, note that since the PDP Bill has not yet been enacted, these provisions are still subject to change.
Read the previous reports in the series here.