Indonesia passes ambitious data protection law, following series of leaks

Indonesia has passed a long-awaited data protection bill, which authorises the president to form an oversight body to fine data handlers for breaching rules on distributing or gathering personal data.

The passing of the legislation follows a number of data leaks and alleged breaches that have impacted government firms as well as a state insurer, a telecoms company and a public utility. Last year, a contact-tracing app leaked Indonesian President Joko Widodo’s Covid vaccine records.

With the new move, Indonesia has become the fifth country in South-East Asia to have specific legislation on personal data protection after Singapore, Malaysia, Thailand and the Philippines.

The legislation includes strict consequences for data handlers that leak or misuse private information, such as fines of up to 2 per cent of a corporation’s annual revenue, and prison sentences of up to six years. The law includes a two-year “adjustment” period, but does not specify how violations would be addressed during that phase.

Under the new rules, victims of this data misuse would be entitled to compensation for data breaches and can withdraw consent to use their data.

Abdul Kharis Almasyhari, a member of the commission overseeing the law, said it would mean the state was ensuring the protection of the personal data of its people, while the communications minister, Johnny G Plate, said the bill’s passage “marks a new era in the management of personal data in Indonesia, especially on the digital front.”

“One of the obligations for electronic data organisers, whether public or private, is to ensure protection of personal data in their system,” Plate told reporters.

The law has been in the works since 2016 and was held up by debate about financial penalties and control of the oversight body, lawmakers said. Authorities have said the law was based on the European Union’s data protection legislation, which the UK is currently working to revise. 

The Department for Digital, Culture, Media and Sport (DCMS) said the planned reforms will remove the “prescriptive requirements” of data laws inherited from the EU and give organisations greater flexibility to protect personal data in “more proportionate ways”. The UK’s new data bill is also expected to increase fines for nuisance calls and texts, allow for a digital births and deaths registry in England and Wales, and facilitate the flow and use of personal data for law enforcement and national security purposes, among other changes.