How does the enactment of the PDP Law impact the regulatory framework of Indonesia’s data protection regulations?

Referring to the PDP Law’s transitional provision, the existing regulations, which comprise of:

• Law No. 11 of 2008 as amended by Law No. 19 of 2016 on the Electronic Information and Transactions (EIT Law);

• Government Regulation No. 71 of 2019 on the Organisation of Electronic Systems and Transactions (GR 71/2019);

• Minister of Communications and Informatics Regulation No. 20 of 2016 on the Personal Data Protection in Electronic System (MOCI Regulation 20/2016); and

• Other sectoral regulations (e.g. banking, financial services, and health).

Will remain valid as long as it does not contradict with the provisions under the PDP Law.

Will the PDP Law apply to the offshore data controller/processor?

Yes. PDP Law expressly says that it adopts an extraterritorial approach and the provisions thereto will also be applicable to the offshore data controller/processor (individual, corporations, public institutions, and international organisations), and will support legal actions that will result in legal consequences:

• within the jurisdiction of the Republic of Indonesia; and/or

• to Indonesian citizens, as personal data owners, residing outside the jurisdiction of Indonesia.

However, we note that it is still unclear on how to test those thresholds as no further guidelines are available as of the date of this alert.

Any changes on the data localisation requirements?

No. The data controller is still allowed to store the collected personal data either in Indonesia or offshore.

How does the PDP Law change the requirement on obtaining the personal data owners’ consent?

Based on the PDP Law, data collection as well as processing activities shall be based on the personal data owners’ consent obtained through written or recorded means, either electronically or non-electronically and using the Indonesian language.

In addition, the consent form shall be understandable, in an accessible format, and using simple and clear language — if not, the consent will be deemed null and void.

Another notable addition under the PDP Law is that consent of a child and person with disabilities shall be carried out in a specific manner, namely:

• processing of child’s personal data shall be based on the parent and/or legal guardian’s consent;

• processing of personal data of person with disabilities shall be carried out through certain communication methods that are understandable for the data owners;

• processing of personal data of person with disabilities shall be based on the respective data owners and/or legal guardian’s consent.

Next Steps

Another alert will be issued as the second part of Indonesia’s PDP Law publications, which covers the topics of (i) data controller/processor’s obligations, (ii) personal data owners’ rights, (iii) administrative and criminal sanctions, as well as (iv) compliance.

Note:

It is worth noting that the above view might change should the government issue the implementing regulations of PDP Law in the future. This alert cannot be deemed as our formal legal advice.