On 20 September 2022, Indonesia's parliament passed its long-awaited personal data protection law that has been in the works since 2016. At the time, the specific details of the new personal data protection law were not available until the official text of the legislation was published on 18 October 2022.
Since the official text has been published, we can now shed some light on the key provisions of Indonesia's personal data protection law, with key features including:
- imposing obligations on data controllers and data processors;
- recognising lawful grounds for organisations to process data apart from obtaining consent from data subjects;
- requiring organisations to appoint a data protection officer;
- requiring organisations to conduct data protection impact assessments in certain situations; and
- data breach notification.
Additionally, the new data protection law also has extra-territorial scope as it covers personal data of Indonesian subjects outside of Indonesia if it is processed in Indonesia or if outside provided that such processing has legal impact in Indonesia.
Organisations have a two-year transitional period (i.e. by 2024) to prepare for the full implementation of this new data protection law. During this period, businesses will need to establish their personal data protection compliance processes and procedures to comply with the requirements of Indonesia's new data protection law.
In this regard, businesses who have in place existing personal data protection frameworks may have some of their work cut out for them in designing processes - they should be aware of the nuances in Indonesia's new data protection laws and ensure that their processes and procedures adequately account for these.
The new personal data protection law will be a game changer for Indonesia’s vibrant tech scene and may spur greater innovation yet – this is a space I will be closely watching in the next couple of years!