
ENACTMENT OF THE INDONESIAN DATA PRIVACY LAW: A BREAKTHROUGH IN DATA SECURITY

By Aaron Tirtha

Background

Approaching the twenty-first century, there is a growing demand for digital services across a
myriad of online platforms. Specifically, the digital market in Indonesia has been rising
exponentially. With an estimated 100 billion contributed to the national economy by 2025, Indonesia
by far leads the digital market industry in the ASEAN region.1 In such an industry, companies
operating in the digital market will need to acquire and store personal data which belongs to
millions of individuals and organizations. Such circumstances highlight the importance of a data
protection framework.

In this regard, the Indonesian 1945 constitution guarantees the citizen’s right to privacy pursuant to
article 28 G (1). However, this right is yet to be crystallized in any consistent implementing law and
regulation. It is true that there has been some effort to enact such provisions; however, they have
been dispersed across 32 different regulations that even contain several contradictions.2 Such
“attempts to regulate” are by no means sufficient to comprehensively regulate the online
transactions occurring in Indonesia.

As a right endowed to every citizen, personal data privacy should allow individuals to determine the
use of their personal data. In reality, these personal data are often collected by companies or
agencies without the knowledge of their owners. This undermines the notion of consent, which is
central to the data protection framework set forth by numerous jurisdictions and was even indicated
earlier in the ITE Law.3 Unfortunately, this concept of consent is still too ambiguous to be
effective, as there has been little to no elaboration on such mechanisms.

What makes it worse is that, under the current mechanisms, there is no provision which allows
personal data owners to hold the parties who transfer their data accountable when the usage of
such data is not in accordance with the initial purpose agreed upon under its terms and conditions.4
Because of that, these data are prone to being misused without the consent and knowledge of the
owners.

The fact that there has not been any law or regulation that can administer checks and balances on
such misuse does not help either. Specifically, the question of what rights and obligations these
companies have remains unanswered within the current legal framework. Additionally, the
fundamental question of what ownership of the personal data entails is still unclear, sparking
mass confusion among society.

1 (Rosadi, 2018)
2 (Aprilianti, 2020).
3 Article 28 of Law No. 11 of 2008.
4

That is until the Indonesian House of Representatives (DPR) enacted Law No. 27 of 2022 concerning
Data Privacy (hereinafter referred to as the “DPL”). The regulation deliberated several key points
pertaining to the ownership of data, as well as the rights and obligations surrounding it.

Significance of the Data Privacy Law in an emerging digital economy

As mentioned above, Indonesia is striving to become a global powerhouse in the digital economy
sector. However, for this goal to materialize, the government must ensure that Indonesians and
foreign persons alike do not have any hesitation with regard to the security of their data privacy.
The absence of legal assurances may hinder Indonesia’s goal of becoming a digital economy
powerhouse.

Key provisions within the Data Privacy Law

Ownership of Data

The DPL answers the fundamental question regarding the rights held by the personal data owner.
In light of this, the DPL established that the owner of the data has full authority to control and
manage their personal data. Conversely, the DPL prohibits people from obtaining or collecting
personal data which does not belong to them with the intent to benefit themselves or in a way that
results in potential loss for the original owner of the data.

Data controller’s obligation during the data collection process

During the data collection process, the data controller must comply with an exhaustive set of
rules when acquiring such data. It is important to note that the legislators intend this list to be
cumulative. During the personal data collection process, the owner has the right to know the
information regarding clarity of identity, the basis of legal interests, the purpose of requesting
and using Personal Data, the retention period of the data, and the accountability of the party
requesting Personal Data.5 As an additional requirement, the data controller will also have to provide
information on the type and relevance of the Personal Data to be processed and the rights of
Personal Data Subjects. In fact, the deliberation of the purpose should be the first step of data
collection.6 If the data controller does not comply with the aforementioned obligations, they can be
given administrative sanctions pursuant to article 56.

5 Article 20 (2a) of Law No. 27 of 2022
6 Article 5; Article 16 (f) of Law No. 27 of 2022

This will indeed minimize doubts surrounding the purpose of requested data. In addition to that,
the DPL ensures that the data collected should not be kept permanently; rather, it shall only be
stored during a specific retention period. This means that when such retention period has elapsed,
the data should be deleted.7 To complement this, the owner will also be guaranteed the right to
withdraw consent to the processing of their personal data which has previously been given during
the retention period.8 This can be seen as a massive breakthrough, compared to the ambiguous
provisions of consent in the ITE law.

However, the DPL stipulates some exceptions. Such obligations could be waived in the event the
data is needed for the interests of national defense and security, the interests of the law
enforcement process, public interest purposes, and/or the interest of supervising the financial
services sector, monetary and payment systems, and financial system stability carried out in the
context of state administration.9

Obligation of the data processor

At times, there may be instances where data controlled by one party ends up being processed by
another party different from the controller. This may lead to confusion regarding which party will
bear the responsibility. To answer this, article 51 indicates that where the Personal Data
Controller appoints a Personal Data Processor, the Personal Data Processor is obliged to process
Personal Data on the orders of the Personal Data Controller. This means that the controller of the
data will remain responsible.10 Such rerouting of data will need consent from the data controller.
If the personal data processor conducts processing of Personal Data outside of the orders and
purposes determined by the Personal Data Controller, then the data processor will bear the
responsibility.11

7 Article 16 (2) (g) of Law No. 27 of 2022
8 Article 8 & 9; Article 16 (2) (g-h) of Law No. 27 of 2022
9 Article 50 of Law No. 27 of 2022
10 Article 51 (3) of Law No. 27 of 2022
11 Article 51 (6) of Law No. 27 of 2022
