News, insights and resources for data protection, privacy and cyber security leaders

Developments in Indonesia’s Personal Data Protection

Indonesia is one of the most rapidly growing economies in South East Asia. Pundits have identified Technology, Media and Telecommunication (TMT) as among the sectors that are powering this growth. As is commonly the case, the rapid growth has not been followed by robust development on the regulatory side, particularly in the case of specific rules regarding personal data protection.


State of Indonesia’s Personal Data Protection

In order to address this issue, as well as providing umbrella legislation, the Indonesian Government, through the Minister of Communication and Information Technology (“MOCIT”), has taken the initiative to submit a Personal Data Protection Bill (the “PDP Bill”) for further deliberation in the Indonesian parliament.

In addition, in a move which has been termed ‘an interim measure’ pending the enactment of the PDP Bill, the MOCIT has also drafted a Regulation on Personal Data Protection in the Electronic Systems (the “PDP Regulation”). This should not be taken lightly as most of the personal data traffic and exchanges are occurring in the electronic space.

This article will discuss the definition of personal data under the PDP Bill and Draft PDP Regulation, and how they compare with the definition of a sectoral regulation, as well as identifying other potential implications. Considering the status of both regulations, our analysis will not be exhaustive and is subject to the final form of the proposed regulations.


Personal Data Definition

The PDP Bill defines personal data differently from how it is currently defined under a prevailing law. An example of such law is Law No. 24 of 2013 regarding Citizen Administration, as amended by Law No. 24 of 2013 (the “Citizen Administration Law”); the comparison is as follows:

PDP BillCitizen Administration Law
“Every data regarding the life of a person, whether identified and/or can be identified separately or in combination with other information, either directly or indirectly, through electronic and/or non-electronic systems”“Certain personal data of which the accuracy is kept, treated, and maintained, and of which the confidentiality is protected”


The elucidation of the PDP Bill further elaborates personal data as:

a living person’s personal data, including but not limited to full name, passport number, photo or video, telephone number, electronic mail address, fingerprint sample, DNA profile, and so forth, which can be used in combination to enable the identification of a specific person that can lead to illicit disclosure which may weaken his/her right to privacy

The definition of personal data under the Citizen Administration Law is also used in other legislations, including regulations pertaining to the electronic systems and transactions, as well as the Draft PDP Regulation. The definition of personal data under the Citizen Administration Law is viewed as overly generic for the purposes of personal data protection as the definition fails to set the parameters on what constitute personal data, causing uncertainty on which type of data is considered personal and therefore deserves protection.

Should the PDP Bill be adopted, there will be a shift from the definition provided under the Citizen Administration Law to the more specific definition under the PDP Bill. We believe the definition under the PDP Bill will provide better clarity and a greater degree of certainty as to what is considered as personal data.

The definition of personal data under the PDP Bill is also closer to that applied in other jurisdictions. For example, the definition of personal data from the European Union is as follows:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity


Sensitive Personal Data

A particular feature of the PDP Bill is the introduction of a new classification of personal data, i.e. sensitive personal data.  The PDP Bill defines sensitive personal data as:

personal data that requires special protection, which covers data relating to a person’s religion/beliefs, health, physical and mental condition, sexual matters, personal finance, and other personal data that could potentially harm and detrimental to the privacy of the data’s subject

The classification of sensitive personal data is purposely restrictive. It can only be collected, processed and disclosed based on written consent from the person that it relates to, and specifically under the following circumstances:

  • Protection of the person in question;
  • Employment, medical, and law enforcement purposes;
  • Requested by authorized institutions for the purpose of performing its functions based on prevailing laws and regulations; or
  • Is in the public domain due to actions undertaken by the person in question.

While the ‘sensitive’ classification appears to provide an additional layer of personal data protection, the provisions regarding sensitive private data under the PDP Bill may cause complications and confusion in practice because what is considered as ‘sensitive’ is subjective in nature and may vary from one person to another. For example, for many Indonesians, details regarding their religion or belief is not regarded as sensitive and is even clearly stated in their identity card.

The Government might want to reconsider how sensitive personal data is determined. The right to define this might be better reserved for the individual citizen as opposed to being designated by the State. The fact that the right given to the State to add sensitive personal data is open ended (see definition), may also lead to concerns of State abuse in the future. Every person has the right to decide which of their personal data is treated as private and confidential and therefore prohibited from being processed or disclosed to other parties. We note that this approach is what is currently provided in the Draft PDP Regulation. We believe this is a better approach to deciding on the issue of a person’s right to privacy and the use of personal data; i.e. by handing the right of determination to the individual.



Zacky Zainal Husein

Zacky Zainal Husein, who has more than 20 years’ experience in the Indonesian legal sector, holds a bachelor of law degree from the University of Indonesia, a master’s degree in law from Georgetown University in Washington DC, and a master’s degree in public management from the National University of Singapore/Harvard University. Previously, Zacky was Group Head Legal at one of Indonesia’s largest cellular providers, PT Indosat Tbk, where he led a team of in-house lawyers during a period of continued expansion in the Indonesian telecommunications sector. Before taking up employment with PT Indosat Tbk, Zacky served as a member of the Reducing Emissions from Deforestation and Forest Degradation (REDD+) Task Force, a body that is directly accountable to the President of Indonesia. Prior to that, he practiced law successively in a number of top-tier Jakarta law firms, and manages legal reform and anti-corruption program with a noted international development organization.

Latest posts by Zacky Zainal Husein

    Andin Aditya Rahman

    Andin Aditya Rahman commenced his career in law in 2012 as a legal analyst in one of Indonesia’s popular legal website and online publisher, during which he strengthened his analytical skills and was exposed to vast amount of knowledge regarding Indonesian laws and regulations. Prior to joining Assegaf Hamzah & Partners in 2015, he also worked at a premiere law firm in Jakarta, specializing in various sectors, including plantation, mining, forestry, financial services, telecommunication and media, and e-commerce. Andin obtained his law degree from the Faculty of Law of Airlangga University in 2012. While in law school, he participated in debating competitions and moot courts, including the Philip C. Jessup International Moot Court Competition and International Humanitarian Law Moot Court Competition, as well as co-founding an organization in his alma meter specializing in international moot courts, in which he still actively participates in to coach the new members and teams.

    Latest posts by Andin Aditya Rahman

      Leave A Reply

      Your email address will not be published.

      Pin It on Pinterest

      Share This