Indonesia recently passed its first personal data protection law, which will take effect in October 2024. The legislation was inspired by the efforts of the United States and the European Union, writes Luther Lie of Harvard Law School, who considers whether its implementation will also follow the US and EU initiatives.
After six years of delay, Indonesia’s House of Representatives finally passed the Personal Data Protection (Pelindungan Data Pribadi, or PDP) Bill. On October 17, 2022, President Joko Widodo signed what is the country’s first comprehensive law on personal data protection, which will come into effect in October 2024.
The PDP law authorizes the president to create an overarching agency that would be empowered to regulate and oversee personal data protection and impose administrative sanctions on a corporation for non-compliance. Administrative sanctions include a fine of up to two percent of the company’s annual revenue. Criminal sanctions carry a prison sentence of up to six years and/or an IDR6 billion (US$383,000) fine. The legislation also gives individuals the right to access, delete, and rectify their personal data.
Indonesia’s personal data protection initiative comes at a time when major economies have been making moves on this critical global issue. US President Joe Biden recently signed an executive order on “Enhancing Safeguards for United States Signals Intelligence Activities”. This is a critical building block for the European Union-US Data Privacy Framework. Privacy Shield 2.0, as it is also known, replaces the EU-US Data Privacy Shield that was annulled by the EU Court of Justice in its Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (2020) decision. The European Commission in Brussels is now considering whether the American privacy regime is “adequate” – that is, if it is essentially equivalent to the privacy standards guaranteed in the EU. Schrems, an Austrian lawyer, and other privacy activists will likely challenge Privacy Shield 2.0 in court, possibly putting in jeopardy US$1 trillion in transatlantic data flows.
The right to privacy originated in the US when in 1890 two lawyers, Samuel Warren and Louis Brandeis, wrote an article “The Right to Privacy” in the Harvard Law Review. They argued for a common-law tort for privacy violations, which US courts eventually recognized. The privacy right is contained in the Fourth Amendment of the US Constitution, which is applicable to government searches and seizures. Meanwhile, the US Privacy Act of 1974 includes a congressional finding that privacy is a fundamental right.
In drawing comparisons, I would make three points about the PDP law:
First, the PDP law encompasses all sectors. Like the EU’s General Data Protection Regulation (GDPR), it is comprehensive, sector-blind legislation. Given that Indonesia started its data privacy regime by taking a sectoral approach, it will be interesting to see how this law will interact with existing sectoral privacy legislation.
Second, the PDP law authorizes the president to create a data protection agency. Unlike the US, which continues to depend on the Federal Trade Commission (FTC), Indonesia has chosen to establish an organization that would be solely responsible for regulating, overseeing, and enforcing personal data protection, instead of continuing to rely on the Ministry of Communication and Information Technology.
Finally, the PDP law requires certain data controllers and processors to appoint a data protection officer (DPO). This is a GDPR-inspired concept. We must, however, see this in light of case law in the US state of Delaware. Indonesian corporate governance, including laws regarding an officer’s fiduciary duty to a corporation and its shareholders, is modeled after the US regime, which is largely based on Delaware corporate law.
The above points show that the Brussels Effect – in which multinational companies have come to adopt EU standards in their global operations – is real. We also see a new trend: “Brussels Effect 2.0” – in which the EU has inspired other countries to emulate EU standards in their regulation, particularly on data privacy. In a sense, the EU has come to influence the world when it comes to regulation.
Regulating personal data is important because it concerns one’s privacy. It must not, however, come at the cost of technological innovation and growth. Perhaps that is one of the reasons that the US has adopted a wait-and-see stance when it comes to such regulation. After all, there needs to be a balance between privacy and technology. As Harvard Law School Lecturer on Law Alan Raul argued in his article “Digital Governance: Regulating Privacy and Data Protection for Emerging Technologies”, “privacy and data protection rights must be proportionate and balanced against other fundamental rights.”