Breaches of personal data are unfortunately common news in Indonesia, as they occur on a widespread and frequent basis not only in the public sector but also in the private sector.
Recent examples of major data breaches include the government’s Electronic Health Alert Card (eHAC) application in August 2021, the data breach of the Healthcare and Social Security Agency (BPJS Kesehatan) in which users’ personal data were sold on an online forum using Bitcoins in May 2021, and not to mention an older data breach – jeopardising more than 15 million users – of one of Indonesia’s unicorn companies, Tokopedia, in May 2020.
The ongoing global advancement of technology has undisputedly contributed to the rapid development of the digital economy in Indonesia. As a result, the number of electronic means used to distribute, store, and utilise personal data of Indonesian users for digital services has seen an unprecedented increase, particularly during the COVID-19 pandemic. As chair of the first G20 Digital Economy Working Group, Indonesia is expected to highlight substantive digital issues (including in the field of personal data protection) and reflect a solution or approach to regulate such issues in a more conducive manner.
Despite this, as it currently stands, we have yet to see major overhauls in Indonesian regulations governing personal data: the rules remain scattered, and the long-awaited personal data protection bill (henceforth: ‘PDP Bill’) is yet to be ratified despite entering the House of Representatives’ Priority National Legislation Program in 2021.
As a reference, under the current regulatory environment, personal data protection is mainly regulated under several separate regulations, namely Law No. 11 of 2008 on Electronic Information and Technology (as amended) (henceforth: ‘EIT Law’), Government Regulation No. 71 of 2019 on Electronic Systems Providers, Minister of Communication and Informatics (MoCI) Regulation No. 20 of 2016 on Personal Data Protection, and MoCI Regulation No. 5 of 2020 on Electronic Systems Providers in the Private Sector (as amended).
Unfortunately, these regulations do not cover or regulate data breaches in sufficient detail, and the regulatory landscape becomes complicated and scattered, as the respective sectoral regulators (such as the Financial Services Authority, or Otoritas Jasa Keuangan) also regulate the protection of personal data.
In light of the above, this article focuses on the mechanisms which the PDP Bill offers to deal with personal data breaches, and consequently, the urgency of ratifying this PDP Bill.
Data Breach Mechanisms under the PDP Bill
The PDP Bill introduces more detailed and significant changes in dealing with data breaches when compared to the current regulatory environment in Indonesia. One of the key changes concerns data breach notifications. Under the current regulation, in the event of a personal data breach, Indonesian law only requires Electronic System Providers (ESPs, namely entities acting as data controllers or processors, such as the government or private companies) to notify the data owner in writing within 14 (fourteen) days after the ESP becomes aware of such breach. Further, the ESP is only required to state the reasons for the breach.
In contrast, the PDP Bill has significantly shortened the notification period to 3x24 hours and added an obligation for the ESP to also state which data have been compromised and the handling and recovery efforts that will immediately be undertaken by the ESP in relation to the compromised data. This shorter time period and additional information requirement encourage the ESP to take much faster and more transparent action in handling data breaches. As a result, the risk of larger impacts from a data breach can be mitigated, as data owners can request that their personal data be taken down from the relevant website/application.
The PDP Bill also displays a tougher stance by imposing progressive sanctions for ESPs’ failure to notify customers about a data breach. Sanctions come in the form of a written warning, temporary suspension of data processing activities, the deletion of personal data, and an administrative fine.
Further, the PDP Bill provides more detailed penalties to further deter third parties from obtaining personal data through illegal means (such as hacking). The PDP Bill differentiates three types of prohibition in the use of personal data, namely:
- Obtaining and collecting personal data for self or other’s profit illegally, which causes losses to the data owner;
- Illegally disclosing personal data of others; and
- Illegally using personal data of others.
Depending on which of the three actions is committed, sanctions are imposed ranging from two to seven years’ imprisonment or a fine ranging from IDR 50 billion to IDR 70 billion. This is in stark contrast to the EIT Law, which only prohibits unauthorised access to computers or electronic systems, and provides a lower nominal fine of IDR 600 million to IDR 800 million.
The Additional Layer of Protection to Data Owners in the PDP Bill
The PDP Bill also regulates in more detail the right of data owners to revoke their consent to the processing of their personal data. Under the current regime, the relevant regulations merely establish the basic principle that data owners can revoke their consent. Under the PDP Bill, however, when a data owner files a request to revoke their consent, the ESP is required to stop processing the personal data no later than 3x24 hours after receiving the request.
Further, the PDP Bill also provides an additional right for data owners to request the limitation or postponement of data processing, which the relevant ESP is required to comply with within 2x24 hours after receiving such request. In the context of a data breach, data owners may revoke their consent, preventing the ESP from processing their data any further.
Further, the PDP Bill also introduces a new requirement to give pre- and post-notification to the data owner in case the ESP undertakes corporate actions, such as a merger, acquisition, or consolidation. This requirement is not present under the current relevant Indonesian laws and regulations. Considering that many start-ups today raise funds from foreign investors, the PDP Bill would also be one of the pivotal regulations that must be complied with in relation to such corporate actions. The introduction of this requirement in the PDP Bill provides more legal certainty and accountability to the relevant data owners.
With the introduction of several new provisions that regulate data protection, it is important for Indonesia to enact the PDP Bill as soon as possible in order to handle the data breaches that are occurring at frequent rates in today’s digital age, to motivate and hold accountable data processors so that they improve their data protection policies, to provide more legal certainty for data owners, and to allow more time to enact the relevant implementing regulations.
Writers of the article:
Ardhitia Prawira Rusyadi
Ardhitia is an associate in Soemadipradja & Taher. He obtained his Bachelor of Laws degree cum laude from Universitas Gadjah Mada in 2018, majoring in business law. Ardhitia has acted for both Indonesian and foreign clients in a variety of general corporate, commercial and technology, media and telecommunication transactions. Ardhitia obtained a license as a Data Protection Officer from the Indonesian Association of Data Privacy Professionals (Asosiasi Profesional Privasi Data Indonesia, or APPDI).
Raditya is an associate in Soemadipradja & Taher. He obtained his Bachelor of Laws degree cum laude from Universitas Gadjah Mada in 2019, majoring in business law. Raditya has acted for Indonesian and foreign clients in a variety of general corporate, commercial and technology, media and telecommunication transactions.