Indonesia’s Personal Data Protection Law: Taking Inspiration from Europe and the US

Thursday, November 24, 2022

Indonesia recently passed its first personal data protection law, which will take effect in October 2024. The legislation was inspired by the efforts of the United States and the European Union, writes Luther Lie of Harvard Law School, who considers whether its implementation will also follow the US and EU initiatives.

Credit: Pop Tika / Shutterstock.com

After six years of delay, Indonesia’s House of Representatives finally passed the Personal Data Protection (Pelindungan Data Pribadi, or PDP) Bill. On October 17, 2022, President Joko Widodo signed what is the country’s first comprehensive law on personal data protection, which will come into effect in October 2024.

The PDP law authorizes the president to create an overarching agency that would be empowered to regulate and oversee personal data protection and impose administrative sanctions on a corporation for non-compliance. Administrative sanctions include a fine of up to two percent of the company’s annual revenue. Criminal sanctions carry a prison sentence of up to six years and/or an IDR6 billion (US$383,000) fine. The legislation also gives individuals the right to access, delete, and rectify their personal data.

Indonesia’s personal data protection initiative comes at a time when major economies have been making moves on this critical global issue. US President Joe Biden recently signed an executive order on “Enhancing Safeguards for United States Signals Intelligence Activities”. This is a critical building block for the European Union-US Data Privacy Framework. Privacy Shield 2.0, as it is also known, replaces the EU-US Data Privacy Shield that was annulled by the EU Court of Justice in its Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (2020) decision. The European Commission in Brussels is now considering whether the American privacy regime is “adequate” – that is, if it is essentially equivalent to the privacy standards guaranteed in the EU. Schrems, an Austrian lawyer, and other privacy activists will likely challenge Privacy Shield 2.0 in court, possibly putting in jeopardy US$1 trillion in transatlantic data flows.

Widodo and Biden: Indonesia’s personal data protection law comes at a time when the US and EU have been making moves on this critical global challenge (Credit: Adam Schultz/The White House)

The right to privacy originated in the US in 1890, when two lawyers, Samuel Warren and Louis Brandeis, wrote an article, “The Right to Privacy”, in the Harvard Law Review. They argued for a common-law tort for privacy violations, which US courts eventually recognized. The privacy right is contained in the Fourth Amendment of the US Constitution, which is applicable to government searches and seizures. Meanwhile, the US Privacy Act of 1974 includes a congressional finding that privacy is a fundamental right.

Who will ensure compliance?: President Widodo launches a metaverse app, Jakarta, October 28, 2022 (Credit: Lukas/BPMI of Presidential Secretariat)

Indonesia has no equivalent to the Fourth Amendment right to privacy. Like the Privacy Act, however, the PDP law includes a congressional finding that privacy is a fundamental right and that the legislation is underpinned by the 1945 Constitution of the Republic of Indonesia, which guarantees everyone a fundamental right to protect his or her dignity and honor, among others.

Indonesia’s legal framework of personal data protection is not only inspired by the US but also by the EU. The Academic Manuscript (Naskah Akademik) on the PDP Bill, which as with any bill was published before it was introduced, explicitly stated that it drew lessons from privacy right developments in those two jurisdictions.


In drawing comparisons, I would make three points about the PDP law:

First, the PDP law encompasses all sectors. Like the EU’s General Data Protection Regulation (GDPR), it is comprehensive legislation that is sector-blind. Given that Indonesia started its data privacy regime by taking a sectoral approach, it will be interesting to see how this law will interact with existing sectoral privacy legislation.

Second, the PDP law authorizes the president to create a data protection agency. Unlike the US, which continues to depend on the Federal Trade Commission (FTC), Indonesia has chosen to establish an organization that would be solely responsible for regulating, overseeing, and enforcing personal data protection, instead of continuing to rely on the Ministry of Communication and Information Technology.

Finally, the PDP law requires certain data controllers and processors to appoint a data protection officer (DPO). This is a GDPR-inspired concept. We must, however, see this in light of case law in the US state of Delaware. Indonesian corporate governance, including laws regarding an officer’s fiduciary duty to a corporation and its shareholders, is modeled after the US regime, which is largely based on Delaware corporate law.

The Court of Chancery in Georgetown, Delaware: The US state's case law has been influential in setting the American corporate governance regime (Credit: Antony-22)

The PDP law requires a DPO to inform, advise on risk, oversee operations, and ensure corporate compliance with the legislation. A DPO must not only ensure such compliance but also mitigate any risks of non-compliance. This is essentially the duty to monitor or the duty of oversight over a company’s operations, which was decided in the 1996 Delaware Court of Chancery case In re Caremark. With more recent case law, this fiduciary duty has also come to mean, as described in the judgement in the 2019 Delaware Supreme Court case Marchand v Barnhill, “a good faith effort – i.e., try – to put in place a reasonable board-level system of monitoring and reporting.” Marchand’s standard is higher than Caremark’s because it requires the board to set up such a system. It will be interesting to see if the PDP law’s DPO provisions will similarly require such a good faith effort as interpreted in Marchand.

The above points show how the Brussels Effect – how multinational companies have come to adopt EU standards in their global operations – is real. We also see a new trend: “Brussels Effect 2.0” – in which the EU has inspired other countries to emulate EU standards in their regulation, particularly on data privacy. In a sense, the EU has come to influence the world when it comes to regulation.

Regulating personal data is important because it concerns one’s privacy. It must not, however, come at the cost of technological innovation and growth. Perhaps that is one of the reasons that the US has adopted a wait-and-see stance when it comes to such regulation. After all, there needs to be a balance between privacy and technology. As Harvard Law School Lecturer on Law Alan Raul argued in his article “Digital Governance: Regulating Privacy and Data Protection for Emerging Technologies”, “privacy and data protection rights must be proportionate and balanced against other fundamental rights.”

Opinions expressed in articles published by AsiaGlobal Online reflect only those of the authors and do not necessarily represent the views of AsiaGlobal Online or the Asia Global Institute

Author

Luther Lie

Harvard Law School, Harvard University

Luther Lie is a master of laws student at Harvard Law School. He founded and was president of the Indonesian Center for Law, Economics and Business. He holds a bachelor’s degree in law from the University of Indonesia.

