Indonesia is one of the most rapidly growing economies in South East Asia. Pundits have identified Technology, Media and Telecommunication (TMT) as among the sectors that are powering this growth. As is commonly the case, the rapid growth has not been followed by robust development on the regulatory side, particularly in the case of specific rules regarding personal data protection.
State of Indonesia’s Personal Data Protection
In order to address this issue, as well as providing umbrella legislation, the Indonesian Government, through the Minister of Communication and Information Technology (“MOCIT”), has taken the initiative to submit a Personal Data Protection Bill (the “PDP Bill”) for further deliberation in the Indonesian parliament.
In addition, in a move which has been termed ‘an interim measure’ pending the enactment of the PDP Bill, the MOCIT has also drafted a Regulation on Personal Data Protection in the Electronic Systems (the “PDP Regulation”). This should not be taken lightly as most of the personal data traffic and exchanges are occurring in the electronic space.
This article will discuss the definition of personal data under the PDP Bill and Draft PDP Regulation, and how they compare with the definition of a sectoral regulation, as well as identifying other potential implications. Considering the status of both regulations, our analysis will not be exhaustive and is subject to the final form of the proposed regulations.
Personal Data Definition
The PDP Bill defines personal data differently from how it is currently defined under a prevailing law. An example of such law is Law No. 24 of 2013 regarding Citizen Administration, as amended by Law No. 24 of 2013 (the “Citizen Administration Law”); the comparison is as follows:
|PDP Bill||Citizen Administration Law|
|“Every data regarding the life of a person, whether identified and/or can be identified separately or in combination with other information, either directly or indirectly, through electronic and/or non-electronic systems”||“Certain personal data of which the accuracy is kept, treated, and maintained, and of which the confidentiality is protected”|
The elucidation of the PDP Bill further elaborates personal data as:
a living person’s personal data, including but not limited to full name, passport number, photo or video, telephone number, electronic mail address, fingerprint sample, DNA profile, and so forth, which can be used in combination to enable the identification of a specific person that can lead to illicit disclosure which may weaken his/her right to privacy
The definition of personal data under the Citizen Administration Law is also used in other legislations, including regulations pertaining to the electronic systems and transactions, as well as the Draft PDP Regulation. The definition of personal data under the Citizen Administration Law is viewed as overly generic for the purposes of personal data protection as the definition fails to set the parameters on what constitute personal data, causing uncertainty on which type of data is considered personal and therefore deserves protection.
Should the PDP Bill be adopted, there will be a shift from the definition provided under the Citizen Administration Law to the more specific definition under the PDP Bill. We believe the definition under the PDP Bill will provide better clarity and a greater degree of certainty as to what is considered as personal data.
The definition of personal data under the PDP Bill is also closer to that applied in other jurisdictions. For example, the definition of personal data from the European Union is as follows:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
Sensitive Personal Data
A particular feature of the PDP Bill is the introduction of a new classification of personal data, i.e. sensitive personal data. The PDP Bill defines sensitive personal data as:
personal data that requires special protection, which covers data relating to a person’s religion/beliefs, health, physical and mental condition, sexual matters, personal finance, and other personal data that could potentially harm and detrimental to the privacy of the data’s subject
The classification of sensitive personal data is purposely restrictive. It can only be collected, processed and disclosed based on written consent from the person that it relates to, and specifically under the following circumstances:
- Protection of the person in question;
- Employment, medical, and law enforcement purposes;
- Requested by authorized institutions for the purpose of performing its functions based on prevailing laws and regulations; or
- Is in the public domain due to actions undertaken by the person in question.
While the ‘sensitive’ classification appears to provide an additional layer of personal data protection, the provisions regarding sensitive private data under the PDP Bill may cause complications and confusion in practice because what is considered as ‘sensitive’ is subjective in nature and may vary from one person to another. For example, for many Indonesians, details regarding their religion or belief is not regarded as sensitive and is even clearly stated in their identity card.
The Government might want to reconsider how sensitive personal data is determined. The right to define this might be better reserved for the individual citizen as opposed to being designated by the State. The fact that the right given to the State to add sensitive personal data is open ended (see definition), may also lead to concerns of State abuse in the future. Every person has the right to decide which of their personal data is treated as private and confidential and therefore prohibited from being processed or disclosed to other parties. We note that this approach is what is currently provided in the Draft PDP Regulation. We believe this is a better approach to deciding on the issue of a person’s right to privacy and the use of personal data; i.e. by handing the right of determination to the individual.