Indonesia - Personal Data Bill – Comparative Summary Between Personal Data Bill And Existing Personal Data Regulations.


 

3 April, 2020

 


 

The Indonesian Government recently issued a draft Personal Data Protection Law (“PDP Bill”) for further discussion and deliberation by the House of Representatives.

 

The following is a comparative summary between the PDP Bill and the existing personal data regulations (i.e. Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions (“GR 71/2019”) and Regulation of the Minister of Communication and Informatics No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (“MOCI Reg 20/2016”)).

 

NO. ISSUE MOCI REG 20/2016 GR 71/2019 PDP BILL
NEW CONCEPTS AND SUBJECT MATTER
1. Further subdivision of the concept of Personal Data into General Personal Data and Specific Personal Data

MOCI Reg 20/2016: MOCI Reg 20/2016 does not make such a distinction between General Personal Data and Specific Personal Data. Only the concept of Personal Data is used and defined.

GR 71/2019: GR 71/2019 does not make such a distinction between General Personal Data and Specific Personal Data. Only the concept of Personal Data is used and defined.

PDP Bill: The PDP Bill classifies personal data into 2 categories:

  1. General Personal Data, which include, among others, a person’s full name, gender, nationality, religion, and/or any other personal data which is combined to identify a person.
  2. Specific Personal Data, which include, among others, a person’s medical record, biometric data, genetic data, sexual orientation, political view, criminal record, child data, financial.

2. Obligation to appoint an officer specifically designated to take charge of data protection

MOCI Reg 20/2016: MOCI Reg 20/2016 does not specify such obligation.

GR 71/2019: GR 71/2019 does not specify such obligation.

PDP Bill: In certain cases, for example: (i) in the public services sector, or (ii) in a situation where the main activity of the Personal Data Controller is concerned with the processing of Specific Personal Data on a large scale, both the Personal Data Processor and the Personal Data Controller must appoint an officer specifically designated to perform the function of Personal Data protection.

3. Concepts of Personal Data Controller and Personal Data Processor

MOCI Reg 20/2016: The concepts of Personal Data Controller and Personal Data Processor are not found in MOCI Reg 20/2016. Only the concept of Electronic System Operator is used. The term Electronic System Operator is defined as any person, state official, business entity, or society that provides, manages and/or operates an electronic system in its own interests and/or in the interests of others.

GR 71/2019: The concepts of Personal Data Controller and Personal Data Processor are not found in GR 71/2019. Like MOCI Reg 20/2016, only the concept of Electronic System Operator is used in GR 71/2019.

PDP Bill: The PDP Bill introduces the concepts of Personal Data Controller and Personal Data Processor.

Personal Data Controller means the party that determines the purpose of and that exercises primary control over the personal data processing, while Personal Data Processor means the party that conducts the data processing on behalf of the Personal Data Controller.

The Personal Data Processor may process any Personal Data only on the instruction of the Personal Data Controller, or otherwise the Personal Data Processor will be fully liable for all actions it has taken in connection with such Personal Data.

4. Form of consent from personal data owners

MOCI Reg 20/2016: Consent from the personal data owner must be in writing.

GR 71/2019: Consent from the personal data owner must be in writing.

PDP Bill: Consent from the personal data owner can be obtained either in recorded verbal form or in writing.

5. Right of personal data owners to complete their data prior to data processing

MOCI Reg 20/2016: MOCI Reg 20/2016 is silent on this matter.

GR 71/2019: GR 71/2019 is silent on this matter.

PDP Bill: Under the PDP Bill, personal data owners have the right to complete their data before the data are processed.

6. “Deletion” vs. “Destruction” of personal data and the grounds for exercising such right

MOCI Reg 20/2016: Under MOCI Reg 20/2016, the conditions for deletion and destruction are the same, namely:

  • Expiry of the retention period; or
  • Request from the personal data owner.

GR 71/2019: Under GR 71/2019, the grounds for “deletion” of personal data are discussed in the context of “right to erasure” at the request of personal data owners, if any of the following conditions arises:

  • The personal data have been obtained and processed without the proper consent;
  • The consent has been retracted;
  • The personal data have been unlawfully obtained and processed;
  • The purpose of obtaining the personal data is no longer aligned with the initial agreement and/or laws and regulations;
  • The utilization period under the agreement and/or laws and regulations has expired; and/or
  • The display of the personal data causes damage to the personal data owner.

GR 71/2019 also recognizes the “right to delisting”, i.e. removal of the relevant personal data from a search engine. GR 71/2019, however, does not specify the grounds for such delisting, but instead requires the personal data owner to obtain a district court order to exercise the right.

PDP Bill: The PDP Bill sets out the specific grounds for each “deletion” and “destruction” of personal data.

  1. Grounds for deletion:
     • The personal data is no longer relevant to the initial purpose of data processing;
     • The consent has been retracted;
     • The personal data owner requests such deletion; or
     • The personal data has been unlawfully obtained.
  2. Grounds for destruction, among others:
     • The personal data is no longer of value;
     • The retention period has expired; or
     • The personal data owner requests such destruction.

  1. The country of domicile of the Personal Data Controller or the international organization receiving the Personal Data must have the same or higher level of security for personal data protection;
  2. There is an international agreement between the receiving country and Indonesia;
  3. There is a contract between the Personal Data Controller and the offshore Personal Data Controller, with standard personal data protection in accordance with the provisions of the PDP Bill; and/or
  4. The personal data owner’s consent has been obtained.
18. The right of data subjects to update their personal data

MOCI Reg 20/2016: Under MOCI Reg 20/2016, data subjects have the right to update their personal data.

GR 71/2019: GR 71/2019 is silent on this matter.

PDP Bill: The PDP Bill (Art. 7) allows data subjects to update their personal data.

In addition, Art. 34 of the PDP Bill requires the Personal Data Controller to update the information within 1×24 hours after receiving a request from the data subject to rectify the information.

 


For more information, please contact:

 

Sinta Dwi Cestakarani, Walalangi & Partners (W&P) 

scestakarani@wplaws.com