Data protection and privacy frameworks are increasingly being developed globally. This is particularly the case in Asia: in the past two years, several key jurisdictions, including China, India, Indonesia and Vietnam have either introduced their jurisdiction’s first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. These regulations are very much influenced by, or borrow concepts from, the EU General Data Protection Regulation (“GDPR”) and set a high standard of compliance for organisations processing personal data.
Below is a snapshot of China, India, Indonesia, Singapore and Vietnam national approaches to privacy prepared by our Asia data privacy task force.
Our Asia data privacy task force. At DS Avocats, we have developed a strong expertise in data protection issues in Asia, enabling us to assist our clients in the development of their operations while taking into account their data compliance obligations. Our knowledge of the GDPR also allows us to bridge the needs of European based headquarters and the local subsidiary in China, India, Indonesia, Singapore and Vietnam.
Indonesia’s long awaited law on Personal Data Protection (Law No. 27 Year 2022) (“PDPL”) finally came into force on 17 October 2022. With its extraterritorial coverage, the PDPL also applies to processing activities outside Indonesian jurisdiction so long as the activities have legal effect or consequences within Indonesia and/or towards Indonesian data subjects outside Indonesia. It classifies personal data into specific and general categories. The PDPL regulates various personal data processing activities, emphasizing principles such as limited and transparent data collection, accurate processing, and security measures. Transitional provisions set a two-year compliance period for entities involved in personal data processing.
PDPL and GDPR
The PDPL is equally close and different from the GDPR.
Both regulations have adopted a broad definition of “personal data” and have created different categories of data based on their sensitivity. The PDPL adopts a similar extraterritorial approach than the GDPR, applying to any entity that processes personal data of Indonesian citizens, whether they are or not in Indonesia and to entities outside of Indonesian jurisdiction who have an impact within Indonesia.
Also, they both aim to safeguard individuals’ rights, emphasizing the importance of protecting personal data as a human right by prioritising transparent and accountable data processing and ensuring individuals are informed.
The PDPL is however critically different from the GDPR concerning the powers of the regulatory bodies. While the Indonesian law gives substantial powers to the government to formulate policies, supervise implementation and enforce sanctions, the GDPR relies on independent authorities.
Moreover, the PDPL highlights promoting the growth of the digital economy and information technology industry alongside personal data protection, reflecting a dual focus on development and privacy, while the GDPR focuses on protection of individual rights.
Cross-Border Data Transfer Requirements
Under the PDPL, data controllers transferring personal data abroad, must ensure that the recipient country has a level of data protection equivalent or higher than their own. While the GDPR emphasises adequacy decisions, the PDPL focuses on ensuring the receiving entity’s protection level. Moreover, the PDPL introduces the possibility of obtaining approval from the relevant data subject if equivalent protection is not assured, a provision not explicitly present in the GDPR.
The PDPL sets forth administrative sanctions to ensure compliance. These sanctions are designed to encourage organisations to adhere to the principles and comply with the obligations outlined in the PDPL. The severity of the sanction depends on the nature and extent of the violation, aiming at balancing enforcement with the goal of promoting responsible and lawful personal data processing.
| Legislation: | Law No. 27 Year 2022, Personal Data Protection Law Sector specific regulation: Banking / Financial Services |
| Regulator | Ministry of Communication and Informatics of the Republic of Indonesia |
| Scope | Extra-territorial Any entity processing Indonesian personal data whether they are within or outside of Indonesia. |
| Definition of personal data | Personal data means any data related to identified or identifiable individuals, separately or in combination with other information, directly or indirectly, through an electronic or non-electronic system. Sensitive personal data includes 1. Health and information data; 2. Biometric data;genetic data; 3. Criminal records;children’s data; 4. Personal financial data; and/or 5. Other data in accordance with provisions of laws and regulations. |
| Parties involved in the processing of data | Controller: means any person or corporation, public institution and international organisation acting individually or jointly that determine the purposes and have control over personal data processing activities. Processor: means any person or corporation, public institution and international organisation acting individually or jointly in processing personal data on behalf of the Controller. |
| Principles under the PDPL | 1. Lawful, fair and transparent processing 2. Purpose limitation 3. Data minimisation 4. Accuracy 5. Integrity, security and confidentiality 6. Lawful retention 7. Ensuring data subjects’ rights 8. Accountability |
| Rights of data subjects | 1. Right to obtain information 2. Right to complete, update and/or rectify errors or inaccuracies 3. Right to access data or copies of dataRight to terminate the processing, deletion or disposal of data 4. Right to withdraw consent 5. Right to object against automated decision-making 6. Right to restrict processingRight to file a lawsuit 7. Right to obtain, use or transfer their data 8. Right to complain to the relevant data protection authority(ies) |
| Security | The Controller and Processor are required to protect and ensure the security of the processed personal data. This shall be achieved through: a) preparing and implementing operational technical measures to protect personal data from disruption in the data processing; b) determining the security level of personal data by taking into account the nature and risks of the processed personal data; c) andusing a security system for the processed personal data and/or processing personal data using an electronic system in a reliable, secure and responsible manner. |
| Requirement for consent | Children: Under the PDPL, processing children’s personal data requires the consent of their parent or legal guardian. The PDPL defer the authority to set out the age of consent to other laws. Based on Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014, a child is an individual who has not reached the age of 18 years. |
| Cross-Border Data Transfer | Cross-border data transfer can be carried out if one of the following conditions is fulfilled: – the transferor must ensure that the recipient’s country has an equivalent or higher standard of personal data protection than the PDP Law; – if the above condition in letter a is not met, the transferor must ensure the existence of an adequate and binding instrument (e.g., standard contractual clause); or – if the above conditions in letters a and b are not met, the transferor must obtain the data subjects’ consent. |
| Breach notification | In the event that a data breach occurs, the Controller is required to submit a written notification to the affected data subjects and the Indonesian DPA no later than three days from the occurrence of the data breach. In certain circumstances, the data breach shall also be notified to the public if it disturbs public services and/or has a material impact on the public interest. The notification shall contain the following items: – the disclosed data; – the time and reason of the breach; and – the remedy measure carried out by the Controller. |
| Penalties/ sanctions | I) written warning II) temporary suspension of the data processing activity III)erasure or destruction of personal data; and/or VI) an administrative fine in the maximum amount of two per cent of annual income or annual receipt of the violation variable |
