By Awaludin Marwan
27 Jan 2024
Indonesia Privacy Law Compliance for International Companies/Organisations
Introduction
On October 17, 2022, Indonesia officially enacted its long-awaited personal data regulation, Law No. 27 of 2022.[1] The promulgation of Law No. 27 of 2022 provides a clear framework for the protection of personal data in Indonesia, which had long been absent. Law No. 27 of 2022 applies to every person, public agency and international organisation that is: (1) located within the jurisdiction of the Republic of Indonesia; and (2) located outside the jurisdiction of the Republic of Indonesia, whose actions have legal consequences within the jurisdiction of the Republic of Indonesia and/or for Personal Data Subjects who are Indonesian citizens outside the jurisdiction of the Republic of Indonesia.[2]
Upon the effective enforcement of Law No. 27 of 2022, every party subject to the law must adjust its personal data processing to comply with its provisions no later than 2 (two) years from the enactment date.[3]
International Companies and Organisations as Data Controller or Processor
Law No. 27 of 2022 distinguishes at least three main actors in data processing: the personal data subject, the personal data controller and the personal data processor. The personal data subject is the individual to whom the personal data relate (“Personal Data Subject”).[4] A personal data controller is every person, public agency and international organisation that acts individually or jointly in determining the purposes of, and exercising control over, the processing of personal data (“Controller”).[5] A personal data processor, meanwhile, is every person, public agency and international organisation that acts individually or jointly in processing personal data on behalf of a personal data controller (“Processor”).[6]
Accordingly, international companies and organisations, whether located inside or outside Indonesia, that control or conduct personal data processing are subject to the obligations under Law No. 27 of 2022, either as Controllers or as Processors.
Some compliance obligations for International Companies and Organisations
As subjects under Law No. 27 of 2022, international companies and organisations are bound to various obligations in data processing. In essence, they are obliged to process the personal data that they have obtained in a limited and specific manner, lawfully and transparently.
Detailed provisions on the obligations of Controllers and Processors are stipulated in Articles 20 to 52 of Law No. 27 of 2022. The obligations can be categorised into three main stages of data processing, the early, middle and final stage, as summarised in Table 1 below. Failure to comply with these obligations is punishable by administrative sanctions and/or criminal sanctions. Administrative sanctions can take the form of a written reprimand, temporary suspension of personal data processing activities, erasure or removal of personal data and/or administrative fines. Criminal sanctions can take the form of imprisonment of up to five (5) years and/or a fine of up to IDR 5,000,000,000 (five billion rupiah).
Table 1: Compliance Obligations of Data Controller and Processor under Law No. 27 of 2022

Early Stage (Applies to Controller and Processor) | Middle Stage (Applies to Controller and Processor, unless specified otherwise below) | Final Stage (Only applies to Controller)
---|---|---
Have a basis for personal data processing, which includes obtaining explicit and valid consent from Personal Data Subjects for one (1) or several specific purposes.[7] | Process personal data in a limited and specific manner, lawfully and transparently.[8] | Delay and limit the personal data processing, either partially or entirely, no later than 3 x 24 hours from the date the Controller receives the request for delay and limitation of the personal data processing.[9]
Carry out the personal data processing in accordance with the agreed purpose of data processing.[10] | Terminate personal data processing in the event that:[11] (a) the retention period has been reached; (b) the purpose of the Personal Data processing has been achieved; (c) there is a request from the Personal Data Subject; or (d) the Personal Data Subject withdraws their consent to the personal data processing. |
Ensure the accuracy, completeness and consistency of personal data in accordance with the provisions of laws and regulations.[12] | Delete personal data in the event that:[13] (a) the Personal Data are no longer necessary for achieving the purposes of the Personal Data processing; (b) the Personal Data Subject has withdrawn their consent to the Personal Data processing; (c) there is a request from the Personal Data Subject; or (d) the Personal Data were obtained and/or processed in an unlawful manner. |
Update and/or correct errors and/or inaccuracies in personal data no later than 3 x 24 hours from the time the Controller receives a request to update or correct the personal data.[14] (Note: only applies to Controller) | Destroy personal data in the event that:[15] (a) the retention period has expired and the data are designated for destruction under the archive retention schedule; (b) there is a request from the Personal Data Subject; (c) the data are not related to the settlement of a legal process; and/or (d) the personal data were obtained and/or processed in an unlawful manner. |
Protect and ensure the security of personal data by: (1) preparing and implementing operational technical measures to protect personal data and determining the security level;[16] (2) maintaining the confidentiality of the personal data;[17] (3) supervising each party involved in the data processing;[18] (4) protecting personal data from unauthorised processing;[19] and (5) preventing the personal data from being accessed illegally.[20] | In the event of a failure of personal data protection, the Controller must provide written notification no later than 3 x 24 hours to:[21] (a) the Personal Data Subject; and (b) the agency responsible for organising personal data protection as defined under Law No. 27 of 2022. |
Record all personal data processing activities.[22] | |
Provide access to the Personal Data Subject.[23] (Note: only applies to Controller) | |
Cross border data flow
One of the important aspects of data protection is whether a data controller may transfer personal data to other jurisdictions. Law No. 27 of 2022 regulates cross-border data transfer in Chapter VII. Cross-border data transfer is one type of data transfer. If a data controller wishes to transfer data to another jurisdiction, the following steps must be considered in order.
- The Controller shall ensure that the recipient of the data in the other jurisdiction has a level of personal data protection similar to or higher than that regulated in Law No. 27 of 2022.
- If that condition is not met, the Controller shall ensure that the recipient has at least a sufficient and binding mechanism for personal data protection.
- If neither of those conditions can be met, the Controller must obtain the consent of the Personal Data Subject.
Several aspects still require further elaboration and stipulation, such as the meaning of ‘similar’, ‘higher level’ and ‘sufficient mechanism’. Without such clarification it will be difficult to perform cross-border data transfers.[24] As of August 2023, the Government Regulation draft on Law No. 27 of 2022 (“GR Draft”) incorporates further elaboration of these terms. The draft specifically states that requirement number 1, a ‘similar’ or ‘higher level’ of data protection, means a standard ‘similar’ to or ‘higher’ than that of Law No. 27 of 2022. The process of assessing whether another jurisdiction has a ‘similar’ or ‘higher’ standard will be regulated under the authority of the Data Protection Body. The GR Draft currently states that the assessment will be based on 3 elements. First, the States receiving the personal data transfer (“Receiving States”) have personal data protection regulation. Second, the Receiving States have a data protection body or another authority that supervises personal data protection. Third, the Receiving States have international commitments or obligations under internationally binding instruments, as well as activities in multilateral or regional systems, on personal data protection. Ideally, a guideline and/or list of requirements and approved jurisdictions will be provided by the Data Protection Body.
Further, with regard to a ‘sufficient and binding mechanism’, the GR Draft also provides 4 instruments that could satisfy such a standard, namely:
- State-level Agreement between the sender of personal data and receiver of personal data (this could be Controller and/or Processor);
- Standard clause on personal data protection;
- Company regulation that is binding to a group of companies; and/or
- Other sufficient and binding instruments acknowledged by the Data Protection Body.
Finally, the GR Draft limits the circumstances in which a data transfer may be conducted on the basis of consent. Consent may be relied on only if the data transfer is not a repetitive action, the transfer involves a limited number of Personal Data Subjects, the transfer is required to fulfil a provision that does not override the rights and interests of the data subject, and the data controller has assessed the risks, implemented the necessary protection measures and informed the Data Protection Body and the Personal Data Subject of the transfer.
The technical details of this matter are crucial to supporting business activities. Nevertheless, they depend on the promulgation of the GR Draft, the establishment of the Data Protection Institution and the timeline for it to become fully operational.
Data Protection Officer for International Organisations/Companies
The position of data protection officer (DPO) plays a significant role in ensuring data privacy compliance within international organisations/companies. Law No. 27 of 2022 stipulates that international organisations can be classified as controllers that have responsibility for data privacy compliance. Under Article 1 (4), a controller may be an individual, a legal entity or an international organisation, and it is the controller that must appoint a data protection officer. Appointing a DPO becomes a primary requirement once the international organisation/company meets one of three conditions:
- it processes personal data for public services;
- as Controller, it processes personal data of a type, scope and purpose that requires regular and systematic monitoring of personal data on a large scale; or
- as Controller, it processes sensitive (specific) personal data or personal data related to criminal records.
If an international organisation/company meets one of these three conditions, it must appoint a DPO. The first condition may not apply to international organisations/companies, because public service tasks belong to government institutions. International organisations/companies seldom provide public services and do not act as government institutions such as departments or ministries. However, they may meet the second and third conditions above.
An international organisation/company is required to appoint a DPO once it processes personal data on a large scale. Unfortunately, neither the GDPR nor Indonesia's Privacy Law No. 27 of 2022 defines a numerical threshold for ‘large scale’. One reference point treats processing as large-scale if it concerns more than 5,000 persons.[25] However, these numbers are still under discussion and vary depending on the jurisdiction and region in Europe. In the Netherlands, the threshold in the healthcare sector lies at 10,000 patients.[26]
In Indonesia, an international organisation or company may hold a list of partners, vendors, clients, employees and customers whose data must be protected. Therefore, it is required to appoint a DPO. Moreover, where an international organisation or company collects sensitive data, it has to manage its privacy compliance accordingly. Is it possible to appoint a DPO who is not based in Indonesia? International organisations/companies may already have their own DPO at their headquarters.
Indonesia's Privacy Law does not specify where the DPO must be located. However, the DPO can serve as the contact person for communication with the authority, which will be difficult if the DPO lives abroad. Moreover, limited knowledge of local law and the language barrier may cause further challenges.
The position of the DPO is important for supervising business operations and advising on green-light or red-light decisions.[27] The DPO has to ensure privacy law compliance within the organisation.[28] Therefore, the selection of the DPO and their employment status must be given special treatment.[29] Their role addresses socio-technical risks in everyday scenarios.[30]
Conclusions
Indonesia has started the quest for better personal data protection by promulgating Law No. 22 of 2022. However, questions and multiple interpretations remain. How should data transfers be conducted? What does large-scale data mean? Is a DPO an obligation for companies? These are some of the questions that must be discussed further by privacy scholars and professionals as well as the authority. It could also be an opportunity for companies to influence the implementation of these developments from a practical perspective. The homework of preparing the various implementing requirements must be completed by the Indonesian government, while balancing the need for protection with support for business activities.
Writers:
Awaludin Marwan, SH, MH, MA, PhD, Founder & CEO HeyLaw, Lecturer Bhayangkara Jakarta Raya University
Fachry Hasani Habib, SH, LLM, Privasimu Expert, Lecturer Prasetiya Mulya University
Aussielia Amzulian, SH, LLM, Privasimu Expert, Lecturer Prasetiya Mulya University
Intan Refina, SH, Privasimu Researcher
Sources:
[1] https://pro.hukumonline.com/a/lt634faa1f1a76b/law-on-personal-data-protection-finally-comes-into-force/, accessed on January 11, 2024.
[2] Law No. 27 of 2022 on Personal Data Protection, Article 2.
[3] Ibid., Article 74.
[4] Ibid., Article 1 (6).
[5] Ibid., Article 1 (4).
[6] Ibid., Article 1 (5).
[7] Law No. 27 of 2022 on Personal Data Protection, Article 20 (1) and (2).
[8] Ibid., Article 27.
[9] Ibid., Article 41.
[10] Ibid., Article 28.
[11] Ibid., Articles 40 and 42.
[12] Ibid., Article 29.
[13] Ibid., Article 43.
[14] Ibid., Article 30.
[15] Ibid., Article 44.
[16] Ibid., Article 35.
[17] Ibid., Article 36.
[18] Ibid., Article 37.
[19] Ibid., Article 38.
[20] Ibid., Article 39.
[21] Ibid., Article 46.
[22] Ibid., Article 31.
[23] Ibid., Article 32.
[24] Article 56 paragraph (5): the transfer of personal data to other jurisdictions will be stipulated further in a future Government Regulation. A Government Regulation (Peraturan Pemerintah) serves as the detailed implementation of a Law (Undang-Undang) when mandated by that Law.
[25] https://edps.europa.eu/sites/edp/files/publication/20-08-19-informal_consultation_on_dpias_en_0.pdf, accessed on January 9, 2024.
[26] https://autoriteitpersoonsgegevens.nl/actueel/ap-geeft-uitleg-over-grootschalige-gegevensverwerking-in-de-zorg, accessed on January 2024.
[27] Koops, B.-J. (2014). The trouble with European data protection law. International Data Privacy Law, 4(4), 250–261.
[28] Sidlauskas, A. (2021). The Role and Significance of the Data Protection Officer in the Organisation. Socialiniai Tyrimai, 44(1), 8–28.
[29] Fajgielski, P. (2023). The Termination of Employment Contract of a Data Protection Officer under GDPR: Commentary on the Judgment of the Court of Justice. Studia Juridica Lublinensia, 32(2).
[30] Ciclosi, F. & Massacci, F. (2022). The Data Protection Officer: A Ubiquitous Role That No One Really Knows. IEEE Computer and Reliability Societies.