Years in the making, Indonesia’s first comprehensive data protection law was finally passed by lawmakers on Sept. 20 as the COVID-19 pandemic prolonged the bill’s already thorny deliberations. That made Indonesia the fifth country in Southeast Asia to have its own data regulatory framework.

Lawyers say the new law, which is yet to be ratified at the time of printing, puts Indonesia’s data security govern-ance on par with international practice and will burnish its booming digital economy. But regulatory updates are needed to facilitate the development of advanced technologies.

WHY IS INDONESIA’S NEW DATA LAW SIGNIFICANT?

The long-awaited passage of the Personal Data Protection Act came amidst an uptick in data breaches and fraudulent activities in Indonesia’s cyber sphere in recent years. Even the COVID-19 vacci nation records of President Joko Widodo have fallen prey to leaks, which prompted the authorities to fortify the anaemic data security regime of the world’s fourth populous country.

“With the fast development of technology, the use of personal data now becomes broader and more varied as human interactions are replaced by automated systems,” says Daniel Pardede, a senior M&A partner at HHP, the Indonesia member firm of Baker McKenzie.

Inevitably, with this rapidly evolving trend come loopholes exploited by irresponsible parties to gain illicit access to private information. Last month, the personal data of 105 million Indonesians, among them several public figures, was allegedly leaked after the General Elections Commission was believed to be compromised. Relentless breaches plaguing organisations spanning public and private sectors also frustrate Indonesia’s digital ambitions.

“This is where the necessity comes and the issue the new law is trying to address, i.e., to regulate the use of personal data and provide an umbrella on the data privacy practice in Indonesia while also reflecting on some other jurisdictions that already have a data privacy law before Indonesia,” says Pardede.

WHAT CHANGES IS THIS LAW EXPECTED TO EFFECT?

As a symbol of the government’s seriousness in addressing these issues, the PDP law introduces the criminalisation of certain data offences. Following a two-year grace period, data controllers could become liable for up to five years of imprisonment for leaking or misusing private information. Individuals who falsify personal data for gain, meanwhile, may face up to six years in jail and be fined as much as 6 billion rupiah ($395 million).

Moreover, the PDP law’s effect is not confined within national borders, with data handlers and processors outside Indonesia set to be held accountable as long as a “legal impact” is acknowledged.

“The law will introduce concepts that have been implemented in several other jurisdictions, such as in the European Union countries through the General Data Protection Regulation,” explains Adhika Wiyoso, an associate M&A partner at HHP. “Those include the classification of general and specific personal data, the concept of data controller and processor, and the requirement to appoint a data protection officer.” Notable changes also include the establishment of a specific data protection oversight authority, the control of which is set to come under the president.

Wiyoso also underscores the shift of emphasis in data processing from owners’ consent to the accepted grounds. “The old requirement established a rigid standard where anything must be based on consent. There was little room for flexibility, for example, when using personal data for an urgent purpose related to a data owner’s vital interest.”

Furthermore, the introduction of the term “personal data subject” in distinction to “personal data owner” as well as a streamlined process for cross-border data transfers have signified the government’s determination to step up its data governance with international rigour.

Pardede is bullish about the positive impact of the law, which he believes will showcase to other regional and global economies the legal clarity and systematic guidance on Indonesia’s data privacy practice. “In the long run, Indonesia can be seen as a country that provides the same or at least a similar level of data protection compared with other countries that have implemented a more robust data protection regime,” he adds.

HOW SHOULD REGULATIONS KEEP PACE WITH INDONESIA’S DIGITAL GOVERNANCE?

As the largest economy in Southeast Asia, Indonesia is well-positioned to spearhead its economic recovery from the pandemic with an ambitious digital transformation agenda and a flourishing tech sector. With the authorities bent on capitalising on the growth momentum, lawyers are cognisant of measures that can be taken to support the digital industry in the long run.

“The government will need to be able to provide easier licensing process,” says Pradede, adding that regulations will need to keep up with the evolution of advanced technologies in order to establish legal certainty in the digital realm. Better infrastructure and the expansion of foreign investments, Pradede predicts, will follow as the Internet industry continues to mature.