Indonesia’s Ministry of Communications and Information (Kominfo) is working against the clock to finalize regulations stemming from Law No. 27 of 2022, which pertains to Personal Data Protection. Several implementing regulations, including government, presidential, and ministerial regulations, need to be issued to fully implement the law by October next year.
Efforts are underway to complete the government and presidential regulations by the end of this year. In early September, Kominfo released a draft of the Government Regulation on Personal Data Protection for public input. The deadline for submitting input was September 26, 2023. Records show that there were 81 written submissions made through the dedicated public consultation platform for the data protection law.
The process of formulating these regulations faces challenges due to a corruption case related to the base transceiver station (BTS) megaproject, which has had a significant impact on Kominfo’s leadership. At least four Kominfo officials, including former Minister Johnny G. Plate, have been named as suspects. Additionally, individuals from the private sector have also faced allegations. Investigations into this case, estimated to have caused losses of IDR 8 trillion to the state, are still ongoing.
Key points of the government regulation on data protection
Key highlights of the draft government regulation on Personal Data Protection include provisions related to extraterritoriality, data processing agreements and consent, response to data issues, the obligation to establish data processing and audit policies, a mechanism for compensation claims, responsibilities for data accuracy, terms and conditions for cross-border data transfers, and administrative sanctions.
Regarding extraterritoriality, the regulation will apply to individuals, public entities, and international organizations processing personal data outside Indonesia’s legal jurisdiction if it has legal consequences within Indonesia or pertains to Indonesian data subjects.
The draft regulation emphasizes the importance of including data processing terms in agreements and obtaining valid consent from data subjects. These agreements must ensure data protection measures, assess risks adequately, balance data subject interests, and uphold data subjects’ rights during data processing.
The draft regulation also outlines response times for addressing inaccuracies and mandates that data controllers inform data subjects of data deletions or destruction, providing reasons and effective dates for such actions.
Compensation, accuracy obligation, and sanction
Furthermore, the new government regulation will allow data subjects to request compensation for violations of their personal data. Data controllers must ensure the accuracy of data provided by data subjects and conduct verification processes to maintain data accuracy.
The draft regulation also includes provisions for imposing sanctions on data controllers for violations, in the form of fines of up to two percent of the data controller’s annual revenue or income.
