Indonesia: Personal data protection bill passed into law. Here’s what it entails

• After a year of deliberation, Indonesia’s parliament has finally turned its personal data protection bill into law.
• Data handlers could be punishable up to five years of jail for leaking or misusing private information while individuals falsifying personal data for their gains could be jailed for up to six years under the legislation.
• Corporate fines can be as high as 2% of the company’s annual revenue in case of a data leak and assets of the company could also be confiscated or auctioned off.

Indonesia has had a series of high-profile data breaches in recent months, all while the country was deliberating on their long-awaited data privacy law. This week, after over a year of dialogue, Indonesian legislators finally turned its data protection bill into law, to better protect consumers and the vast trove of data within the country’s territories. 

Up until Tuesday, rules governing personal data in Indonesia have been scattered across myriad financial, telecommunication and employment regulations that have made it tough for consumers to hold businesses to account for misusing their information. Now, with the data protection bill, the largest Southeast Asian market will hold local businesses as well as international corporations liable in the way they handle data of Indonesian consumers.

To recall, Indonesia’s House of Representatives approved the personal data protection bill earlier this month, paving the way for its ratification two days ago. Now, the country now joins other jurisdictions in Southeast Asia that have dedicated personal data protection laws, including Singapore and Thailand. 

“This marks a new era in the management of personal data in Indonesia, especially in digital,” Communications and Information Minister Johnny G. Plate said on Tuesday after the plenary session to legislate the new law. Through the new law, data handlers could be punished up to five years in jail for leaking or misusing private information. Individuals falsifying personal data for their gains could also be jailed for up to six years under the legislation.

Besides individuals, the law also includes corporate fines that can be as high as 2% of the company’s annual revenue in case of a data leak. To top it off, assets of the company leaking personal data could also be confiscated or auctioned off. Under the bill also, personal data controllers will be required to update and correct errors in personal data within 24 hours after receiving the request to do so. The bill also specifies underlying documents or circumstances under which personal data may be transmitted outside Indonesia, such as pre-obtained approval of the personal data owner and bilateral international agreements. 

To put into context how severe data breaches were getting in Indonesia, according to the country’s State Cyber and Crypto Agency (BSSN), there were more than 98 million cyber attacks in 2019, up from 12 million a year earlier. Even for the good part of this year, there had been many high profile incidents, for instance, in August, personal details of 17 million customers of state-run electricity provider PT PLN (Persero) were leaked as were the data of 26 million customers of Telkom Indonesia’s internet and digital TV service IndiHome.

The National Cyber and Encryption Agency on September 13 said it was investigating claims made by hackers, dubbed “Bjorka”, that they had access to the data of several government websites, presidential letters, and confidential documents from the intelligence agency. The same hackers in August said they obtained information from SIM card users, including their national identification number and contact details.

Citing stats from statutory board and state-owned news agency, Antara, Indonesia ranked third as the country most affected by data breaches in the third quarter of 2022, with 12.7 million local accounts compromised. The data protection bill  is even more timely considering Indonesia’s digital economy is set to grow to US$146 billion by 2025, according to the latest report by Alphabet Inc.’s Google, Singapore’s Temasek Holdings Pte. and global business consultants Bain & Co. 

---

---

---

---