If you are doing business in Indonesia or your website and mobile app are accessible to Indonesian users, you must comply with the new Indonesian Privacy Law, the Personal Data Protection (PDP) law when you collect and process Indonesians’ personal data.
Whether your business is located in Indonesia, your global website is accessible to users from Indonesia, or you run an e-commerce store, you will likely be subject to the new law.
This article covers the new requirements and how you can comply to avoid fines.
- New Indonesia privacy law in a nutshell
- Does the new law apply to your business?
- What are the main requirements and how to comply?
- Do you need consent for cookies?
- GDPR VS Indonesian privacy law
- How Didomi can help
- Frequently Asked Questions (FAQ)
New Indonesia privacy law in a nutshell
On 17.10.2022, The Indonesian President signed the Personal Data Protection Bill (PDP) into law. This made Indonesia the fifth South-Asian country that passed its own specific data privacy law, alongside Singapore, Malaysia, Thailand, and the Philippines.
Previously, Indonesia had various laws and regulations that addressed aspects of personal data protection and that applied to specific sectors, collectively referred to as PDP Regulations. These PDP Regulations included Law No. 11 of 2008 on Electronic Information and Transactions and ‘Kominfo Regulation 20’.
However, this new PDP Law is the first comprehensive data protection law that addresses a wide variety of issues such as:
Data controller and data processor obligations
Data subject rights
Special categories of data and how they can be processed
Appointment of data protection officer
Monetary fines and imprisonment for violating the law
While the PDP Law aims to give individuals more control over their personal data, there was another factor behind the passing of the law: Increasing data security threats.
Considering the growing cyber threat landscape, it is not surprising that violation of the new law is subject to up to 5 years of imprisonment.
Does the new law apply to your business?
The new law may apply to your business activities in a variety of situations. For instance, when you collect, use, or process the personal data of Indonesian individuals via your website or send marketing emails or SMS texts, you may have to comply.
However, you must always assess if you fall under the new law's material and territorial scope.
Material scope of Indonesia's new Personal Data Protection (PDP) law
Indonesia PDP Law applies when an individual, business, entity, or international organization processes personal data or sensitive data.
Personal data is defined broadly and includes any information that can directly or indirectly identify an individual.
For instance, an IP address, name, and email address can be examples of personal data.
When you collect, analyze, use, store, sell or delete this personal data, the new law’s requirements will apply.
Territorial Scope of Indonesia's new Personal Data Protection (PDP) law
When one of the following conditions occurs, you will be subject to the PDP Law:
- Involve legal consequences within the territory of Indonesia;
Affect Indonesian citizens in and outside of the territory of Indonesia
Is there a transitionary period?
Organizations or persons subject to the Law must bring their data processing activities into compliance within two years after the Law becomes applicable.
What are the main requirements and how to comply?
If you are already familiar with the requirements of the EU General Data ProtectionRegulation (GDPR), dealing with the Indonesian Privacy Law will not be too difficult.
PDP Law was drafted based on the GDPR and it contains highly similar obligations and provides individuals with extensive data subject rights just like the GDPR.
Here are the key requirements and how you can comply:
You must identify a lawful basis to process personal data
When you collect, use, sell or delete personal data, you must identify and rely on one of the seven lawful bases to justify the data processing.
While consent of the data subject is one of the legal bases, there is no hierarchy between these legal bases. Therefore, it is your responsibility to ensure that you rely on the correct basis for each data processing activity.
These legal bases are as follows:
Consent of the individual
The legitimate interest of the data controller or data subject
Fulfillment of contractual obligation
Compliance with your legal obligations imposed by law
Protection of data subject’s vital interest
Exercise of authority given to the data controller by law
Fulfillment of a public service obligation to which the data controller is subject in the public interest
You must obtain consent as specified in the Law
Although there is no hierarchy between the legal bases and consent is not superior to other legal bases, it is likely that certain processing activities will require the consent of individuals.
Just like the EU GDPR, the PDP Law of Indonesia requires you to obtain consent from the data subject in a specific manner. In particular, consent must fulfill the following requirements:
When you ask for consent, you need to provide individuals with certain information such as the purpose of data collection and the legal basis you choose to rely on. Furthermore, you should provide this information in a clear and easily accessible format;
Consent must be explicit and informed. Furthermore, it should be for a specific purpose such as the use of an email address to send promotional emails or the collection of basic personal details for account creation;
You need to document and record that you obtained valid consent.
You must implement appropriate security measures
Article 35 of the PDP Law states that organizations must take a risk-based approach to data security and identify and implement appropriate organizational and technical security measures to ensure the protection of personal data.
Furthermore, article 39 requires organizations to protect personal data from unauthorized access.
However, the PDP Law does not list specific measures that organizations must implement.
You must satisfy data subject requests
Under the PDP Law, you must respond to and satisfy valid data subject requests when individuals exercise one of the following nine data subject rights:
A right to obtain information
The right to access and obtain a copy of the data subject’s personal data free of charge (Art 7);
A right to rectification of personal data
The right to end processing, delete or destroy their personal data
The right to delay or restrict processing (Art 11)
The right to withdraw consent
The right to object to decision-making measures(Art 10)
The right to data portability
The right to sue and receive compensation for violations.
You must process data in accordance with data protection principles
When you carry out personal data processing activities, you need to comply with data protection principles.
These principles include:
Personal data must be processed in a limited, specific, lawful, and transparent manner (Art 27);
You must only process personal data in accordance with the purpose you disclosed (Art 28);
You must ensure the accuracy, completeness, and consistency of the personal data you process as required by article 29;
You must ensure the security of personal data processing by implementing appropriate measures;
In accordance with the accountability principle, you need to record all processing activities and implement other measures.
Data breach notifications
When a data breach occurs, you need to inform both affected individuals and the data protection authority within three days and provide the following information:
Types of personal data affected,
How the breach took place,
What types of measures you've implemented to minimize the effects.
Do you need consent for cookies?
Since cookies contain personal data, you must ensure that you comply with all requirements when you place cookies that process personal data.
For example, you need to identify a lawful basis to use various cookie types such as “functional,” “analytics,” and “advertisement” cookies.
GDPR VS Indonesian Privacy Law
The PDP Law is inspired by the EU GDPR and they are highly similar in terms of data subject rights, fundamental principles, security requirements, and legal bases.
However, there are differences between the GDPR and the Indonesia privacy law (PDP law) that you should be aware of:
The financial industry is largely exempt from the PDP Law’s requirements;
PDP Law introduces more detailed requirements for keeping records of processing activities compared to the GDPR;
PDP Law explicitly addresses the use of facial recognition technologies whereas GDPR does not refer to it
Under the PDP Law, financial data and data concerning children fall under the scope of “specific personal data.” GDPR, however, does not include these as sensitive data;
Under the GDPR, data controllers must respond to data subject requests within 1 month. The PDP Law, however, states that controllers must handle access, rectification, and restriction requests within 72 hours.
How Didomi can help
If you want to satisfy all PDP Law requirements and safely handle Indonesian people’s data, you need to start by relying on a legal basis to justify your data processing activities. Consent is one of the most common legal bases you will rely on, and it can justify the use of third-party advertising and analytics cookies, ad personalization, and email marketing.
However, you must obtain consent as specified by the PDP Law and be able to prove that you obtained consent lawfully. With a Consent management Platform to collect consent in a PDP-compliant manner and to keep a record of all consent obtained.
Customer privacy has to become a priority for brands, and for businesses operating in Indonesia, this means complying with the PDP Law.
Frequently Asked Questions (FAQ)
What is the new Indonesian Personal Data Protection (PDP) law and when was it enacted?
The PDP law, signed by the Indonesian President on 17.10.2022, is Indonesia’s first comprehensive data protection law aimed at providing individuals more control over their personal data and addressing data security threats.
It outlines various obligations for data controllers and processors, and stipulates penalties including monetary fines and imprisonment for violations.
Who needs to comply with the new PDP law?
Any business, entity, or individual processing personal data of Indonesian individuals, regardless of whether they are located in Indonesia or their global website/e-commerce store is accessible to Indonesian users, needs to comply with the PDP law.
What are the main requirements of the PDP law?
Key requirements include identifying a lawful basis for data processing, obtaining explicit and informed consent when necessary, implementing appropriate security measures, satisfying data subject requests, processing data in accordance with data protection principles, and notifying both affected individuals and the data protection authority in case of a data breach.
How does the PDP law relate to cookies?
The PDP law does not explicitly mention cookies, but since cookies can process personal data, compliance with the law’s requirements is necessary when using cookies that process personal data.
This includes identifying a lawful basis for using various cookie types and adhering to the law's guidelines for data processing.
What is the difference between the EU GDPR and the Indonesian PDP law?
Both laws share similarities in terms of data subject rights, fundamental principles, security requirements, and legal bases.
However, differences include exemptions for the financial industry in the PDP Law, more detailed requirements for keeping records of processing activities, explicit mention of facial recognition technologies, and different time frames for responding to data subject requests.
What are the penalties for violating the PDP law?
Violation of the new law is subject to up to 5 years of imprisonment. Specific monetary fines might also be applicable.