Indonesia’s Personal Data Protection Bill was finally approved by the Indonesian Parliament (Dewan Perwakilan Rakyat Republik Indonesia) on September 20, 2022. This approval represents the end of the process of an ambitious piece of legislation, which took several years to be approved.
Until now, Indonesia has relied on various regulations containing privacy provisions, without a comprehensive framework law on personal data protection.
For example, it took eight years for Indonesia’s data protection law to come into being, with controversial debate over which government body would oversee the new regulations and exactly how much punishment would be imposed.
Indeed, a recent spate of cyberattacks and data breaches in the country seems to have prompted the legislative action. The country suffered 11.8 million cyberattacks in the first quarter of 2022, a 22 percent increase from a year earlier, with the country becoming the top target for ransomware attacks in Southeast Asia.
This includes data breaches of various government agencies, one of which exposed President Joko Widodo’s vaccination records. SurfShark statistics indicate that Indonesia now has the third-highest rate of data breaches in the world.
Oversight of the regulation has been placed in the hands of the executive branch, with the president forming an oversight body to determine and administer fines.
Like the European Union’s General Data Protection Regulation (GDPR), which Indonesia’s data protection law was largely modeled after, breaches are punishable by a fine of up to 2 percent of annual turnover. The Indonesian data protection law also provides for the possibility of seizing assets, with these resources being auctioned off to cover the fine amounts.
Indeed, Indonesia’s data protection law provides for some of the harshest penalties ever contemplated in a national data privacy regulation, allowing for jail time for illegally obtaining or tampering with data, as well as heavy fines and the possibility of asset forfeiture. Residents of Indonesia will also be granted the right to compensation in the event of a data breach.
However, despite these provisions, some privacy analysts are not convinced of the law’s effectiveness. The central problem is that there are privacy clauses scattered throughout a number of other laws that could conflict with the new bill. To be continued.
