In drawing comparisons, I would make three points about the PDP law:
First, the PDP law encompasses all sectors. Like the EU’s General Data Protection Regulation (GDPR), it is comprehensive legislation that is sector-blind. Given that Indonesia started its data privacy regime by taking a sectoral approach, it will be interesting to see how this law will interact with existing sectoral privacy legislation.
Second, the PDP law authorizes the president to create a data protection agency. Unlike the US, which continues to depend on the Federal Trade Commission (FTC), Indonesia has chosen to establish an organization that would be solely responsible for regulating, overseeing, and enforcing personal data protection, instead of continuing to rely on the Ministry of Communication and Information Technology.
Finally, the PDP law requires certain data controllers and processors to appoint a data protection officer (DPO). This is a GDPR-inspired concept. We must, however, see this in light of case law in the US state of Delaware. Indonesian corporate governance, including laws regarding an officer’s fiduciary duty to a corporation and its shareholders, is modeled after the US regime, which is largely based on Delaware corporate law.