An Indonesia data protection law that has been in development since 2016 includes some of the harshest penalties yet seen in national data privacy regulations, allowing for prison time for illegally obtaining or falsifying data along with large fines and the potential for asset forfeiture. Residents of Indonesia will also be granted a right to compensation for data breaches.
However, in spite of these terms, some privacy analysts remain unconvinced that the law will be effective. The central issue is that there are existing privacy protection terms scattered throughout a number of other laws that potentially conflict with the new bill, yet the new bill makes clear that these existing terms remain valid.
Indonesia data protection law finally emerges, patterned after European Union legislation
The Indonesia data protection law took some eight years to come to fruition, with contentious ongoing debate about what government body should oversee the new regulations and exactly how strong the penalties should be. A recent wave of cyber attacks and data breaches in the country seems to have prompted legislative action; Kaspersky reports that the country experienced 11.8 million cyberattacks in the first quarter of 2022, a 22% increase from the prior year, and the country has become the leading target for ransomware attacks in Southeast Asia. This includes data breaches of various government agencies, one of which exposed the vaccination records of President Joko Widodo. Stats from SurfShark indicate that Indonesia now has the third-highest rate of data breaches in the world.
Regulation oversight has fallen to the executive branch, with the President slated to form an oversight body tasked with determining and administering fines. Similar to the EU’s General Data Protection Regulation (GDPR), which the Indonesia data protection law drew from substantially, there is a maximum potential fine of 2% of global annual turnover for violations. The Indonesia data protection law also allows for the possibility of asset seizure, with these resources sent to auction to cover fine amounts.
Knowing violations of the law could also lead to jail time. Maximum penalties include six years for falsifying personal data for personal gain, and five years for illegal gathering of personal data. Data subjects are guaranteed the right to withdraw consent to use of their data, and can seek compensation for loss from data breaches. They are also guaranteed the right to have errors in stored data corrected, with organizations required to make requested changes within 24 hours.
Other countries will also want to take note of the Indonesia data protection law’s terms, as another element borrowed from the GDPR is the principle of transfer partner adequacy. There was some existing law of this nature in the country, but it has undergone changes in recent years; data localization requirements were repealed for the private sector in 2021, and the new bill makes some changes to existing requirements for consent to transfer personal data overseas.
The Indonesia data protection law makes it the fifth country in Southeast Asia to address data privacy and data breaches with a national-level bill; it joins Singapore, Malaysia, Thailand and the Philippines in adopting this level of regulation.
Questions remain about effective protection of personal privacy from data breaches
As some legal researchers point out, one of the primary conflicts that held up the Indonesia data protection law for years was a power struggle between the legislative and executive branches. The executive will form the body that ends up enforcing the law, but it will have to navigate assorted existing laws and regulations that pose potential conflicts. It remains to be seen if these existing laws will be revised (or simply overridden) in the interest of streamlining the ability to enforce the new terms.
There could also be intra-government territorial struggles, as many of the agencies presently tasked with enforcing these scattered privacy terms have a great deal of independence and function in a decentralized way. There will also be a two-year “adjustment” phase allowing organizations to come into compliance with the new regulations as the government gradually rolls out implementation. However, the bill does not specify how (or if) violations will be addressed during this period.
Addressing privacy issues of any sort in Indonesia can be legally complicated as the country’s constitution makes no specific mention of privacy rights; certain rights have instead been scattered throughout a variety of laws. The government has signed on to a variety of international human rights compacts that endorse personal privacy, but has also raised concerns due to several instances of surveillance over the past decade. The government was found to be using the FinFisher spyware in 2012, and began implementing an automated “deep packet inspection” censorship system in 2017 that blocks websites the government deems pornographic or “reprehensible.”