Indonesian Privacy Law

Indonesian Privacy Law

On September 20, Indonesian parliament passed a new personal data protection law (PDP) that will provide Indonesian consumers with increased data protections. Reportedly, the new law comes as a response to several data breaches that have occurred in recent months and resulted in “a number of data leaks and alleged breaches that have impacted not just individuals, but also various companies and the government in the country.”

The scope of the PDP law expands beyond those located in Indonesia, as the law applies to those operating outside of the country who have a “legal impact” on the country and its citizens both foreign and domestic. That said, “legal impact”  is reportedly not defined under the PDP. So stay tuned for amendments. Here’s what ADCG knows so far about PDP’s contents and the next steps that need to be taken.

Personal Data Uses

Under the PDP, the grounds for collecting and processing personal data from Indonesian citizens will be expanded beyond those granted in previous regulations. To process personal data, valid and explicit consent must be obtained from the data subject, a previous agreement or legal obligation between the processor, or any third-party must be in place, or processing must be in the interest of the data subject, the public interest, or in furtherance of established laws and regulations.

Personal Data Transfers

The PDP enables personal data controllers and processors to transfer this data in Indonesian territories and across borders without having to notify and receive approval from the Ministry of Communications and Informatics (MOCI) so long as the sending and receiving parties adhere to a standard of personal data protection that would achieve PDP compliance. This agreement differs from previous privacy protection regimes in Indonesia.

Despite the expanded practice of personal data processing, the PDP makes clear that the personal data collected and processed may not be used in a manner that:

  • Benefits the processor or collector, if there is potential that the consumer may incur damage;
  • Discloses or utilizes without previous authorization another’s personal data; or
  • Creates falsities or ambiguities for the purposes of benefiting the processor or collector at the personal data subject’s potential expense.

Corporate Transitions

Although the PDP has relaxed notification requirements for cross-border transfers, the law requires that any time a corporate personal data controller initiates or engages in a merger, acquisition, consolidation, or change of control, the controller must notify the relevant data subjects of the transfers that will arise from the transition. The law does, however, permit this notification to be given via a public announcement made on electronic or non-electronic mass media.


Notably, these requirements will not apply to processors engaged in national defense or security, law enforcement, public interest pursuant to state administration, or regulatory or supervisory actions relating to the financial system.

Data holders who violate the law by leakage or misuse could face up to five years of jail and those who falsify information could face six years under the legislation. Additionally, violating parties who leak consumer information could be assessed fines as high as two percent of the company’s annual revenue or could be subject to their company property being confiscated or auctioned off.

With this new regulation, Indonesia became the fifth country in the Southeast Asian region to establish a data protection regulation, followed by Singapore, Malaysia, Thailand and the Philippines. According to a statement by Communications and Information Minister Johnny G. Plate, “this marks a new era in the management of personal data in Indonesia, especially in digital.”

* * * * * * *

To read our news alerts discussing: Italy takes aim at targeted ads, Michigan introduces its Data Privacy Bill, and a new study reveals the best practices for targeted ads, click here.

This week’s breach report covers breaches of the following companies: Department of Veteran Affairs, focusIT, Inc., LAUSD, American Airlines (updates) and Elbit. Click here to find out more.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Stay tuned for new episodes of ADCG on Privacy & Cybersecurity

podcast. New episodes are generally released each week, here. They can be enjoyed on Spotify and Apple Podcasts. Our most recently released episodes:

79 | Understanding 5G Cybersecurity Issues

78 | The Nexus Between Privacy, Cybersecurity & National Security

77 | Privacy & Cybersecurity Whistleblowers: A New Trend?

Don’t forget to subscribe!

Leave a Reply

Back To Top