The Privacy, Data Protection and Cybersecurity Law Review: Indonesia


The 1945 Constitution of the Republic of Indonesia (the Constitution) grants various rights related to privacy. Although the right to privacy is not explicitly mentioned in the Constitution, it is embodied in the right to personal protection, freedom of religion, freedom of expression and other similar rights that protect the individual. These rights form the foundation of the legislative and regulatory approach to individual privacy in the existing laws and regulations, which are currently scattered across sectoral regulations.

Indonesia is currently on the verge of passing its first Personal Data Protection Act. The Personal Data Protection Bill (the PDP Bill) is an effort to fill the void in the existing regulatory framework on personal data protection. At present, the issues of privacy, personal data protection and cybersecurity are addressed in an array of general and sector-specific laws. Each supervisory authority for an industry-specific sector has the power to enact its own regulations, including regulations on privacy and personal data protection. However, no significant enforcement has arisen from the sector-specific laws on personal data protection. The most relevant enforcement action for violation of personal data protection was brought by the Indonesian National Police (the Police) under Law No. 11 of 2008 on Electronic Information and Transactions, as most recently amended by Law No. 19 of 2016 (Law 11/2008), in conjunction with Law No. 23 of 2006 on Population Administration, as most recently amended by Law No. 24 of 2013 (Law 23/2006).2 The PDP Bill is expected to provide clear guidance on enforcement as well as better protection of individuals' personal data.

The submission of the PDP Bill3 and the Cybersecurity and Resilience Bill (the Cybersecurity Bill) to the Indonesian House of Representatives (DPR)4 signals the development of policies on personal data protection, privacy and cybersecurity. Although discussion of the PDP Bill has been prioritised over the Cybersecurity Bill (which has been postponed until next year),5 that decision itself shows that the DPR is responding to public concern about the security of personal data following several recent data breach incidents.

Given its scope, the PDP Bill is expected to strengthen protection of the right to privacy.6 This is because the Indonesian judicial system can only recognise and enforce fundamental rights under the Constitution that have been transposed into effective laws. A trial-stage court has limited authority to interpret a right that is not explicitly written into a law, even if the Constitution grants that right. A similar approach is taken by law enforcement agencies in implementing the law. When individuals believe that a provision of a law violates their fundamental rights under the Constitution, a petition for judicial review can be filed with the Constitutional Court, a specific court that adjudicates conflicts between applicable laws and the Constitution.

The Constitutional Court's role in protecting privacy rights can be seen in its decisions on government surveillance powers, and specifically on state-backed interception. The Constitutional Court has revised provisions on interception several times to protect individuals' human rights and provide legal certainty, and requires that interception be carried out only by a law enforcement authority.7

The development of the regulatory framework cannot be separated from the role played by non-government entities. A number of civil society organisations (CSOs) have advocated for the public interest by organising public awareness activities, conducting public surveys, facilitating dialogue with government and industry groups, and even filing lawsuits with the relevant courts. Self-regulatory industry groups also play a significant role in bridging the gap between industry best practices and regulation by creating industry codes of conduct and meeting regularly with regulators.

All in all, multi-stakeholder involvement in developing a regulatory framework on personal data protection, privacy and cybersecurity is significant. However, it is equally important that every stakeholder educate the public about their rights, so that any law on these issues can be implemented properly in practice, especially given that the right to privacy itself is not widely known by the majority of the public in Indonesia.

The year in review

The year 2021 has brought relief to some parts of the world, with the relaxation of various restrictions on social movement as an effect of mass vaccination and other covid-19 related measures. However, this is not yet the case for Indonesia, which, at the time of writing, is still struggling with a new variant of covid-19. Against this backdrop, the government of Indonesia continues to impose social movement restrictions, urging the public to conduct daily activities online.8 As a result, the growth of online interaction has been inevitable, followed by an increase in public awareness of online interaction as well as an increase in the exposure of online security, personal data and privacy.

In May 2021, the public was surprised by a personal data breach incident that involved more than 200 million Indonesians. The personal data of Indonesian citizens, originating from the National Health Insurance Agency (BPJS), had been stolen and offered for sale by alleged hackers. The offers were made on an online hacking forum, where an account with the username Kotz claimed to hold the personal data of 279 million people, including their detailed personal information. Kotz offered access to the data for 2 bitcoins (roughly 1 billion rupiah).9 The Ministry of Communication and Informatics (MCI) is currently investigating this case along with the National Cyber and Crypto Agency and the Indonesian National Police.

Data breach cases in Indonesia do not involve only Indonesian personal data. In March 2021, the East Java Regional Police arrested members of a cybercrime syndicate that phished US citizens by setting up a fake US state government agency. The perpetrators used the bogus website to ask US citizens for their social security numbers in order to claim Social Security Fund Relief provided by the US government in response to covid-19. The operation was eventually shut down following a joint investigation by the Indonesian National Police and the US Federal Bureau of Investigation.10

On the regulatory side, the government is still in the process of completing the PDP Bill. At the time of writing, the Bill is still being discussed, and the government and parliament are attempting to agree on the form that the Indonesian data protection authority will take. The government has also recently passed Law No. 11 of 2020 on Job Creation (Law 11/2020), which amends dozens of laws to support Indonesian economic growth. The laws amended by Law 11/2020 include Law No. 36 of 1999 on Telecommunications, whose provisions on telecommunications infrastructure are revised to support the growth of the Indonesian digital ecosystem by enabling spectrum-sharing between spectrum licence-holders, the Analog Switch-Off for frequency farming and re-farming, and other measures. This will no doubt increase Indonesian online activity, making good governance of personal data, privacy, cybersecurity and the digital ecosystem all the more important.

Regulatory framework

i Privacy and data protection legislation and standards

At present, Indonesia does not have an overarching personal data protection law. The provisions on personal data protection are scattered across several sectoral laws and regulations. Many of these laws and regulations overlap, and the result is the absence of a comprehensive and integrated concept of personal data protection. However, the Indonesian government and parliament are currently discussing the PDP Bill, which is expected to be passed in the next two to three months.

Primarily, personal data protection is regulated by Law 11/2008; Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (GR 71/2019); Ministry of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (MCI 20/2016); and Ministry of Communication and Informatics Regulation No. 5 of 2020 on Private Electronic System Providers, as most recently amended by Ministry of Communication and Informatics Regulation No. 10 of 2021 (MCI 5/2020) (collectively referred to as the PDP Regulations). These laws and regulations set out the general requirements for the processing of personal data in electronic systems.

Other personal data and privacy obligations are distributed across several laws and sectoral regulations, including, for example:

  1. the Criminal Code, which contains several provisions punishing breaches of confidentiality and of trade secrets, which may be implicated in the use or disclosure of personal data; and
  2. Law No. 36 of 1999 on Telecommunications, which requires every telecommunications service provider to maintain the confidentiality of any information sent or received by its customers.

The current PDP Regulations do not recognise the concepts of 'data controller' and 'data processor'. Both data controllers and data processors are treated as electronic system providers (ESPs),11 and in theory share the same responsibilities regardless of whether the organisation would be considered a controller or a processor in other jurisdictions. The concepts of 'data controller'12 and 'data processor'13 will be recognised under the PDP Bill, and bear similar meanings to those in the European Union General Data Protection Regulation (GDPR), with the expectation of properly implementing the fair information practice principles14 that are only implicitly recognised by the current PDP Regulations.

Unlike the GDPR, the current PDP Regulations do not classify personal data. Any data or information that identifies or may identify an individual is considered personal data.15 The PDP Bill, however, will recognise two classifications of personal data: general16 and specific personal data.17

Separately, the PDP Regulations stipulate that an ESP's failure to comply with them may subject the ESP to administrative sanctions, namely a written warning, an administrative fine, temporary suspension, removal from the ESP registry and access termination. Under the PDP Bill, non-compliance may result in administrative fines and criminal sanctions, which also opens up the possibility of a civil claim.

To ensure compliance, the laws and regulations require an ESP to keep an audit record of all activities in the electronic systems under its management. The audit record may be used for supervision, law enforcement, dispute resolution, verification, testing and other examinations.

ii General obligations for data handlers

GR 71/2019, MCI 20/2016 and MCI 5/2020 require ESPs to meet the following obligations.

ESP registration

Article 6 of GR 71/2019 and Article 2 of MCI 5/2020 require ESPs to register with the MCI. This includes foreign ESPs that have no local establishment in Indonesia. Registration must be completed before users make use of the electronic system. However, foreign ESPs are currently unable to register with the MCI, as the registration system is still under development.

Certification of electronic systems

Article 28 Paragraph (a) of MCI 20/2016 requires ESPs to certify their systems in accordance with the relevant laws and regulations. This obligation is further strengthened by National Cyber and Crypto Agency Regulation No. 8 of 2020 on Security Systems in the Provision of Electronic Systems (NCCA 8/2020), which requires ESPs to obtain electronic system security certification.

Obligations regarding the collected personal data

Article 28 of MCI 20/2016 stipulates that an ESP shall ensure the validity, legality, confidentiality, integrity, relevancy and appropriateness of data for the purpose of personal data processing.18

Obligations to the data owner

Article 28 of MCI 20/2016 requires an ESP to provide data subjects with the following:

  1. an audit trail of any electronic system operated by the ESP;
  2. access or the opportunity for the data subject to exercise his or her rights;
  3. the option for the data subject to allow or forbid his or her personal data being published, distributed, disclosed or used, or a combination of these, by or to a third party; and
  4. the right to have personal data destroyed upon request by the data subject.

Requirement to obtain consent

Pursuant to Article 14 of GR 71/2019 in conjunction with Article 6 of MCI 20/2016, the consent of the personal data owner is required for any collection of personal data. An ESP is required to inform the data owner of the purpose of collection when obtaining consent, and may only obtain the consent of the personal data owner by means of an Indonesian-language consent form.

Data breach notification

Article 14 Paragraph (5) of GR 71/2019 in conjunction with Article 28 Paragraph (c) of MCI 20/2016 specifically requires an ESP to provide written notification to personal data owners in the event of a personal data breach. The notification may be provided electronically if the data subject gave approval for this when the personal data was collected.

Contact person obligation

Article 28 Paragraph (d) of MCI 20/2016 stipulates that an ESP must provide a contact person who is accessible to data owners to facilitate the management of their personal data. Further, Article 25 of MCI 5/2020 specifies that foreign ESPs must appoint at least one contact person domiciled in Indonesia to facilitate access requests to the electronic system or electronic data for supervisory and criminal law enforcement purposes. However, implementation remains unclear: the criteria for the contact person and the sanctions for non-compliance have yet to be regulated.

iii Data subject rights

The PDP Regulations grant data subjects several rights, such as:

  1. the right to obtain access to or the opportunity to change or update his or her personal data;
  2. the right to receive his or her personal data history that has been provided to an ESP; and
  3. the right to request the removal of any irrelevant personal data from the ESP's electronic system.

Such requests and rights should be exercised without interfering with the management of personal data and in conformity with the applicable laws and regulations. Although the PDP Regulations do not stipulate how these rights are to be exercised, the PDP Bill provides that a request must be submitted in writing to the data controller.

iv Specific regulatory areas

In the health sector, Law No. 36 of 2009 on Health and Ministry of Health Regulation No. 269/Menkes/Per/III/2008 of 2008 on Medical Records apply. They regulate all activities associated with the storage of patient medical records by doctors and medical workers.

In the financial sector, Law No. 7 of 1992 on Banking, as amended by Law No. 10 of 1998, and Financial Services Authority Regulation No. 38/POJK.03/2016 on Risk Management in the Use of Information Technology by Commercial Banks, as amended by Financial Services Authority Regulation No. 13/POJK.03/2020, apply to the processing of personal and financial data by banks. Additionally, Financial Services Authority Regulation No. 1 of 2013 on Consumer Protection in Financial Services sets out general provisions on consumer data held by financial services providers, and Financial Services Authority Regulation No. 77 of 2016 on Information Technology-based Peer-to-Peer (P2P) Lending Providers regulates the personal data processing obligations of P2P lending providers. Specific to payment system services, Bank Indonesia Regulation No. 22/23/PBI/2020 on Payment Systems sets out the security standards with which payment system providers must comply, including the application of personal data protection principles, the implementation of cybersecurity standards and the requirement to establish a data centre for financial transaction processing activities.

The maintenance and protection of personal data related to population data19 is governed by Law No. 23 of 2006 on Population Administration. This Law governs the collection and processing of the personal data of Indonesian ID cardholders, which in principle covers almost all Indonesians, under the Ministry of Home Affairs (MHA). Meanwhile, Law No. 14 of 2008 on Public Information Disclosure protects public information that may contain personal data: public entities are prohibited from granting any request that could disclose such information.

In the telecommunications sector, Law No. 36 of 1999 on Telecommunications, as amended by Law No. 11 of 2020 on Job Creation, and its implementing MCI Regulation No. 5 of 2021 on Telecommunications Services (MCI 5/2021) require a telecommunications service operator to maintain the confidentiality of subscribers' personal data and identity unless otherwise specified by law. Furthermore, Article 154 of MCI 5/2021 regulates the use of biometric data as personal data for prepaid SIM card registration. The biometric data includes, but is not limited to, face recognition, fingerprint recognition and iris recognition.

v Technological innovation

There have been several innovations related to data privacy in Indonesia. However, only a few regulatory frameworks or standards have been fully implemented in response to innovations such as the use of cookies, the internet of things, facial recognition and biometric data.

The PDP Regulations say nothing about the use of cookies. However, the use of cookies is recognised under the Indonesian Advertising Ethics (IAE).20 The IAE stipulates that individuals should be informed of data collection through cookies, and that if cookies gather personal data, the data subject's consent is required.

Meanwhile, no provisions specifically address personal data protection for the internet of things. So far, regulation of the internet of things is limited to standardisation and the use of radio frequencies, specifically low power wide area (LPWA) networks as regulated under Directorate General of Resources and Post Equipment and Informatics Regulation No. 3 of 2019 on Technical Requirements for Low Power Wide Area Telecommunication Equipment.

The Analog Switch-Off provision under Law 11/2020 will, in principle, migrate analogue TV and radio broadcasting to digital broadcasting. As a result, Indonesia will gain a digital dividend by freeing up spectrum previously used for broadcasting for the provision of telecommunications services. The wider spectrum allocation for telecommunications services may enable the farming and re-farming of frequencies to support 5G access in Indonesia. At the implementation level, two telecommunications service providers, Telkomsel and Indosat, have now been approved to provide 5G services after testing by the MCI.21

Biometric data and facial recognition data will be recognised as specific personal data under the PDP Bill; however, it remains unclear whether specific personal data will receive any additional protection under the PDP Bill.

International data transfer and data localisation

i Cross-border data transfer

Article 22 of MCI 20/2016 requires that any transfer of personal data out of Indonesia be coordinated with the MCI. In practice, coordination is carried out by submitting a personal data transfer implementation plan (transfer plan) and a report (transfer report) to the MCI, and by requesting advocacy from the MCI if deemed necessary. The transfer plan must contain at least the following information:

  1. the country of the data recipient;
  2. the full name of the data recipient;
  3. the date of the transfer implementation; and
  4. the background to or purpose of the transfer.

Upon completion of the transfer, the ESP is required to submit a transfer report to the MCI that contains the result of the transfer plan implementation.

The PDP Bill stipulates slightly different requirements for the cross-border transfer of personal data. Under the PDP Bill, personal data may be transferred outside Indonesia under the following conditions:

  1. the designated country has an adequate or higher level of protection of personal data;
  2. the existence of a treaty between the countries;
  3. the existence of a contract between data controllers; and
  4. that consent has been obtained from the data subject.

ii Data localisation

GR 71/2019 recognises two classifications of ESP: public ESPs and private ESPs. A public ESP is obliged to manage, process and store its electronic systems and electronic data within Indonesian territory, unless the technology required to store the data is not available in Indonesia. Unlike public ESPs, private ESPs may manage, process or store their electronic systems and electronic data outside Indonesian territory. However, a private ESP is obliged to provide access to its electronic system and data for supervisory and law enforcement purposes (i.e., to law enforcement agencies and the relevant authorities). Some sectoral regulations (e.g., in the financial services sector) require an ESP to establish a data centre and disaster recovery centre in Indonesia for certain purposes.

Company policies and practices

MCI 20/2016 and GR 71/2019 require ESPs to take the technical and organisational measures necessary to comply with the applicable laws and regulations. These measures are implemented through the following activities:

  1. certification of electronic systems used by the ESP;
  2. implementing an internal personal data protection policy in processing the personal data;
  3. raising employee awareness to ensure the protection of personal data in the electronic system managed by the ESP; and
  4. organising employee training for the prevention of personal data breach in the electronic system managed by the ESP.

The PDP Bill stipulates similar requirements. Data controllers and data processors are obliged to prepare and apply the operational and technical measures necessary to protect personal data from disturbance or interference, and to determine the level of personal data security by taking into account the nature of the personal data and the risks to it.

Discovery and disclosure

An interception or a request for disclosure is lawful if it is carried out for law enforcement purposes at the request of the Indonesian police, the prosecutor's office or another law enforcement institution designated by the applicable laws and regulations.

Article 221 of the Indonesian Criminal Code stipulates that a person or entity who refuses to cooperate with a law enforcement agency may be treated as obstructing justice or law enforcement efforts and is subject to criminal sanction. By contrast, there is no clear provision or established practice for disclosure requests arising in civil litigation. In practice, however, a party to a proceeding may demand disclosure of data from its counterpart in order to challenge the grounds of the counterpart's argument.

At present, no information has been published on any request for data disclosure submitted by a foreign jurisdiction and fulfilled by the Indonesian authorities, or on the authorities' attitude towards such requests. In theory, disclosure and discovery in criminal matters may be requested by a foreign government under Law No. 1 of 2006 on Mutual Legal Assistance in Criminal Matters. However, given the absence of specific provisions on cross-border transfers of personal data in response to requests from foreign governments, the coordination requirements for cross-border transfer under MCI 20/2016 may apply. There is no regulation on disclosure in civil proceedings.

Public and private enforcement

i Enforcement agencies

Pending enactment of the PDP Bill, the MCI is the primary authority that regulates, supervises and enforces the PDP Regulations. The MCI has the authority to impose administrative sanctions, including removal from the electronic system provider registry, temporary suspension of business activities, administrative fines and revocation of business licences, for violations of the PDP Regulations. The MCI is also authorised by Ministry of Communication and Informatics Regulation No. 19 of 2014 on the Handling of Internet-based Negative Content to block access to apps and websites that violate the applicable laws and regulations.

The authority of the MCI is limited to personal data, privacy and cybersecurity matters that are not regulated by a specific sectoral authority. In the financial industry, the Indonesian central bank (Bank Indonesia) and the Financial Services Authority (OJK) are in charge of the governance of personal data in financial activities. The MHA has authority over population data, comprising the personal data stored in Indonesian ID cards, and the Ministry of Health is responsible for the regulation of medical personal data.

Enforcement actions by the MCI often do not lead to criminal proceedings, as the MCI usually simply blocks access to apps or websites that breach the applicable laws and regulations. The OJK, meanwhile, has actively exercised its authority by revoking various licences and requesting that access be blocked to unlicensed peer-to-peer lending providers that violate the personal data rights of their users. Several such providers have been referred to the Police for criminal proceedings.

If a criminal investigation is required, the above authorities handle the investigation in cooperation with the Police. The Police lead the investigation and hand the case over to the prosecution, if applicable. The enforcement powers of the Police extend to raids leading to arrests and the seizure of goods. There is, however, no provision in the applicable laws giving any authority the power to audit.

ii Recent enforcement cases

Regarding the data breach incidents suffered by several online marketplaces, no official information on investigation activities has been released. However, one of the marketplaces has filed a data breach report with the MCI, as required under MCI 20/2016. As for enforcement by the OJK, publicly available sources indicate that the OJK, assisted by the MCI, has ordered the cessation of business activities and the blocking of access for providers that processed consumers' personal data without proper authorisation.22

Regarding criminal proceedings, as mentioned above, the East Java Regional Police arrested members of a cybercrime ring in connection with the phishing of US citizens. It was discovered that the suspects had set up a fictitious US state government agency that requested US citizens' social security numbers, ostensibly to assist with claims for Social Security Fund Relief from the US government in response to the covid-19 pandemic. The covid-19 aid programme lost US$60 million as a result of the swindle. The suspects could face up to nine years in prison if found guilty.23

iii Private litigation

In general, any individual has the right to file an administrative lawsuit with the administrative court against an administrative decree24 issued by an administrative body or authority,25 or a civil lawsuit with the civil court over loss suffered as a result of the actions of an authority or another entity. Subject to the applicable conditions, each type of lawsuit allows a party to appeal to a higher court and ultimately to the Supreme Court. Under Article 97 of Law No. 5 of 1986 on Administrative Judiciary, as most recently amended by Law No. 51 of 2009, a court decision in an administrative lawsuit may order the revocation of the relevant administrative decree, the issuance of a new administrative decree, rehabilitation and the payment of indemnity. In a civil lawsuit, the court may order the losing party to compensate the damage in the form of a monetary payment or the transfer of ownership of certain goods, or may prohibit the losing party from performing certain acts.

In recent years, a number of litigants have opted for private litigation to bring claims over data breaches. In 2020, a massive data breach case involving one of Indonesia's top companies, Tokopedia, was brought before an Indonesian court. The Indonesian Consumer Community (KKI) filed a lawsuit against Tokopedia and the MCI concerning a data breach affecting 15 million Tokopedia customers. In its claim, KKI asked the MCI to withdraw Tokopedia's electronic system provider registration and to require the company to pay a 100 billion rupiah administrative fine. This is a significant case because it is one of the first data breach cases to come before an Indonesian court.26

Considerations for foreign organisations

As the Indonesian PDP Regulations are still developing and the PDP Bill is under discussion, foreign organisations should anticipate revisions to the existing rules and laws.27

While the PDP Regulations do not impose data localisation requirements on private ESPs and allow cross-border transfer, the legitimate basis for processing is one of the major issues foreign organisations need to be aware of. Whereas the GDPR provides legal bases other than consent, the PDP Regulations still require consent as the basis for processing, although this may change upon enactment of the PDP Bill. This requirement may be of concern to foreign organisations that have adjusted their practices to fit the GDPR. The PDP Regulations apply to any organisation processing Indonesian personal data, whether located in Indonesia or abroad, so every such organisation must obtain consent to process Indonesian personal data.

The PDP Regulations and the PDP Bill have extraterritorial application. Article 2 of Law 11/2008 stipulates that Law 11/2008, including its implementing regulations, applies to any individual or organisation, located in Indonesia or abroad, whose conduct has a legal effect in Indonesian territory or abroad that is detrimental to Indonesian interests. A similar provision is contained in the PDP Bill. Accordingly, since processing Indonesian personal data has a legal effect on Indonesian individuals, Indonesian interests or both, the PDP Regulations and the PDP Bill will also apply to foreign organisations.

Cybersecurity and data breaches

i Cybersecurity standards

MCI 20/2016 requires an ESP to ensure that the electronic system used to process personal data is certified. The hardware used by an ESP to process personal data should also be certified, which is evidenced by the relevant certifications or similar proof.

GR 71/2019 also requires an ESP to conduct an electronic system worthiness test. The test may cover all components of an electronic system, or only some of them, depending on the characteristics, protection requirements and strategic nature of the electronic system. However, no implementing regulation on this matter has yet been issued. Further, NCCA 8/2020 requires ESPs to obtain electronic system security certification. Certification is based on the classification of the electronic system, which is divided into three categories: strategic, high-level and low-level. An ESP must conduct a self-assessment to determine which classification it falls into. Regardless of the classification, the ESP is still required to obtain ISO/IEC 27001 certification for its electronic system.

ii Data breach notification

If a personal data breach incident occurs, the ESP has an obligation to notify the data subject, and the law enforcement agency and supervisory authority (e.g., the MCI) if the breach or disruption of the system has a serious impact on the electronic system.

Notification must be sent to the data subject within 14 days after the personal data breach becomes known to the ESP. The ESP should ensure that the data subject actually receives the notification if the breach may potentially harm the data subject. The notification should include the reasons for, or causes of, the failure to protect the confidentiality of the personal data. The notification may be carried out electronically if the data subject approved such notification when the personal data was collected. The notification to the law enforcement agency and supervisory authority should be made in the first instance upon discovering the breach or disruption of the system.

iii Data protection officer

The current PDP Regulations do not require an ESP to appoint a data protection officer (DPO). However, the PDP Bill requires data controllers and data processors to appoint a DPO if:

  1. they process personal data for public interest;
  2. the controller's core activities regarding the personal data require constant, regular and systematic monitoring of the data on a large scale; or
  3. the core activities consist of large-scale processing of specific personal data or personal data related to criminal offences.

iv Data retention

Generally, MCI 20/2016 stipulates that the retention period for personal data in an electronic system is a minimum of five years, unless a specific sectoral regulation stipulates otherwise.


Several developments in the Indonesian market related to digital issues can be expected in the forthcoming years. The Ministry of Health has provided telemedicine services for covid-19 infected individuals who are in self-quarantine through the Pedulilindungi app. Although the app is currently only available in Jakarta and its neighbouring areas, it is expected that the services will expand throughout Indonesia.28 Regarding cryptocurrency, although it remains prohibited as a transaction payment, Indonesia is aiming to launch a crypto exchange by the end of 2021 to further grow crypto-asset trading activities.29

Furthermore, the Indonesian Stock Exchange recently issued a statement claiming that two unicorn start-up companies will conduct initial public offerings this year, showing that relevant regulations on initial public offerings for start-up companies must be put in place.30 On communication infrastructure development, PT Telkom Indonesia (Telkom), as a state-owned enterprise, stated that they will start construction of the Bifrost submarine cable communication system in 2022 in cooperation with Facebook and Keppel Telecommunications & Transportation Limited; this is expected to increase Indonesia's digital connectivity.31

With the increasing use of and dependency on technology, and the emerging technologies expected in Indonesia, the current applicable laws and regulations will be further challenged in handling such developments. There may be an increase in the issuance of new regulations to accommodate the rapid development of technology and to ensure consumer protection. It will be interesting to see whether these regulations will interact with the European Union General Data Protection Regulation, the California Consumer Privacy Act, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules and other cross-border privacy frameworks set up by other countries.

The DPR is in the middle of finalising the PDP Bill. Many expect that the PDP Bill will be passed in the next couple of months. The PDP Bill will serve as an umbrella law to ensure the protection of personal data, especially in this digital economy era with its vast development of information and technology. The PDP Bill may provide a two-year grace period, to allow existing ESPs that have been actively processing personal data to fully comply with all the requirements stipulated under the PDP Bill.

The PDP Bill will play a vital role in the protection of personal data as it will encourage and strengthen the position of the national telecommunications and technology industry, as well as development of the Indonesian economy in general. Being the first personal data protection law in Indonesia, the PDP Bill will provide strict conditions and obligations to data controllers and processors regarding the collection and processing of personal data. Compliance with the PDP Bill shall ensure protection of consumers' data, which could increase the element of trust that consumers have in companies. As the enactment of the PDP Bill remains unclear due to a deadlock on supervisory authority matters, companies will have longer to prepare for compliance with the Bill.

It is still unclear how the PDP Bill, if enacted, will interact with other jurisdictions' personal data protection laws, especially the GDPR and the California Consumer Privacy Act (CCPA), regarding cross-border transfers and multi-jurisdiction operations – especially in light of the recent Data Protection Commission v. Facebook Ireland decision of the Court of Justice of the European Union, which adds an extra layer of requirements on cross-border transfers from the EU to third countries. Indonesia may be required to provide an adequate level of protection before any transfer can happen, potentially hampering the multi-jurisdiction operations of data controllers and processors. Meanwhile, for the CCPA, the impact remains to be seen since its scope of applicability is quite limited and enforcement actions were only initiated in July 2020.


1 Danny Kobrata is a partner and Rahma Atika is an associate at K&K Advocates.

2 Haryanto A and Briantika A, 'Polisi Tangkap Penjual Data Nasabah Dan Data Kependudukan' (15 August 2019), accessed 20 July 2020.

3 'DPR Terima Surpres Jokowi Soal RUU Perlindungan Data Pribadi' (13 February 2020), accessed 21 July 2020.

4 '7 Masalah RUU KKS Yang Akan Disahkan DPR' (26 September 2019), accessed 18 July 2020.

5 Andi Nugroho, 'Baleg DPR: Komisi I Fokus RUU PDP, RUU KKS Dipindah 2021' (1 July 2020), accessed 24 July 2020.

6 Achmad Nasrudin Yahya, 'RUU PDP Dinilai Hanya Berupaya Lindungi Data Pribadi, Bukan Warga Negara' (6 February 2020), accessed 19 July 2020.

7 Elucidation of Law No. 11 of 2008 Preamble.

8 CNN Indonesia, 'Rencana PPKM Darurat di Tengah Ancaman Gelombang Kedua Covid', accessed 12 July 2021.

9 A Muh Ibnu Aqil, 'Alleged breach of BPJS data points to Indonesia's weak data protection: Experts', accessed 12 July 2021.

10 The Jakarta Post, 'Indonesian hackers arrested over $60 million US COVID-19 scam', accessed 14 July 2021.

11 Article 1 Paragraph (4) defines ESP as any person, state administrator, business entity, and the public that provides, manages, or operates electronic systems individually or jointly to electronic system users for their own purposes or for other parties' purposes.

12 Article 1 Paragraph (3) of the PDP Bill defines 'data controller' as a party that determines the purposes and means of the processing of personal data.

13 Article 1 Paragraph (4) of the PDP Bill defines a data processor as a party that processes personal data on behalf of a controller.

14 Article 14 Paragraph (1) of GR 71/2019 in conjunction with Article 2 of MCI 20/2016.

15 Article 1 Paragraph 29 of GR 71/2019 defines personal data as any data on a person that is identified or may be identified individually or combined with other information both directly and indirectly through an electronic system or non-electronic system.

16 General personal data includes: full name, gender, citizenship, religion, or other combined data that can identify an individual.

17 Specific personal data includes: health data and information, biometric data, genetic data, sexual orientation, political views, criminal records, data on minors, personal finances, and other data in accordance with the applicable laws and regulations.

18 Article 14 of GR 71/2019 stipulates that personal data processing shall consist of acquisition and collection; processing and analysis; retention; improvement and update; display, announcement, transfer, dissemination and disclosure; or deletion or destruction.

19 Article 1(10) of Law 23/2006 defines population data as structured individual data or aggregated data resulting from civil recordation and citizen registration activities.

20 IAE serves as the general advertising guidelines. It applies to any kind of advertising activities on all media, including the internet. The IAE is a form of industry self-regulation; therefore, it is not a part of the legal hierarchy in Indonesia. Nonetheless, it serves as a guideline on advertising activities and is adhered to among entrepreneurs in Indonesia.

21 Sudibyo, 'Another Milestone for Indosat-Ready To Launch 5g Services To Empower Economic Recovery' (16 June 2021), accessed 11 July 2021; 'Telkomsel launches first commercial 5G in Indonesia' (31 May 2021), accessed 12 July 2021.

22 Franedya R, 'OJK Tutup 133 Fintech Ilegal Ini, Minta Kominfo Blokir' (10 October 2019), accessed 1 August 2020.

23 See footnote 10.

24 Article 1(3) of Law 5/1986 defines 'administrative decree' as a written stipulation issued by an administrative body or official, which contains an administrative legal act based on prevailing laws and regulations, which is concrete, individual and final, and which establishes a legal effect upon a person or civil legal entity.

25 Article 1(2) of Law 5/1986 defines 'administrative body or official' as a body or official that undertakes governmental affairs based on prevailing laws and regulations.

26 Asih DN, 'Tokopedia Tanggapi Gugatan Rp100 M Soal Data Pengguna Bocor' (CNN Indonesia 11 June 2020), accessed 18 July 2020.

27 Andi Saputra, 'Data Pribadi Konsumen Bocor, Tokopedia Digugat Rp 100 Miliar', accessed 19 July 2021.

28 CNN Indonesia, 'Layanan Covid-10 Gratis dari Telemedisin Diperluas ke Bodebek', accessed 14 July 2021.

29 Lorenzo Anugrah Mahardika, 'Cihuy! Bursa Kripto Indonesia Diluncurkan Akhir 2021', accessed 14 July 2021.

30 Ade Miranti Karunia, 'Bos BEI Ungkap 2 atau 3 Unicorn Bakal IPO Tahun ini', accessed 14 July 2021.

31 Leo Dwi Jatmiko, 'Pembangunan SKKL Telkom (TLKM)-Facebook Dimulai pada 2022', accessed 14 July 2021.