Indonesia Promises Its Own GDPR in the Wake of Data Scandals

simultaneously strainous.jpeg

Numerous data leaks, breaches and hacks have been on the rise over the past few years involving local and foreign players, such as Facebook. These incidents have pushed the Government of Indonesia to finalize its Data Privacy Protection Draft Bill. After working on the draft for nearly two years, the government hopes to submit it to parliament for deliberations in early 2019. We sat with Semuel Abrijani, the man behind the draft and the Director General of Information and Applications at the Ministry of Communication and Information. Here are the key takeaways from interview:  

The Ministry of Communication and Information is preparing the Data Privacy Protection Draft Bill for the following reasons:

  • In order to fill the legal void on data privacy protection, since the existing law on Electronic Transmission (ITE Law of 2016) lacks such protections.

  • Recent data breaches and misuse of data from Facebook along with other companies have increased public awareness on data privacy issues and the need for a new data privacy law.

  • To boost growth, the government hopes to make a transition to a digital economy and sees data privacy protection as an important step in the process.

The draft bill, if passed, will act as a data privacy umbrella law for all of the relevant existing sectoral regulations.

90% of the draft bill’s content mirrors the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR provides consumer rights when it comes to data privacy protection. Among the rights that it regulates, it requires data controllers to seek users’ consent before sharing information and provides the “right to be forgotten” so that consumers data can be “deindexed” from search engines, such as Google. (The draft bill defines data controllers as companies or organizations that collect and control user data, such as a bank, a social networking platform, or a mobile service provider, etc.)

The Indonesian version will be different from the EU GDPR in these following areas:

  1. Definition of personal data: The definition of personal data will be based on Indonesia’s Civil Administration Law which lists 31 identity items (e.g. identity card number, full name, birthplace and date, as well as fingerprints and iris scan records).

  2. Safe Harbour: There will be some protections for data controllers. For example, the draft bill includes a “safe harbour policy”. Which means data controllers may be exempted from liability if they have took all of the precautionary measures required by the law.

  3. No Mandatory disclosure for breaches/leaks: Unlike the EU GDPR, the current draft bill does not require companies or organizations to report data breaches/leaks within a certain period of time.

Sanctions in the draft bill applies universally without classifying the size of business. (The EU GDPR classifies financial sanctions based on the size of the business, where bigger and more profitable companies are subject to higher fines and can base the fine on a company’s global revenue). The Indonesian current draft includes:

  • Administrative sanctions: The government can temporarily or permanently cease operations of companies or organizations.

  • Financial sanctions:

  1. Fines for a breach: up to IDR 25 billion or around USD 1,75 million

  2. Fines for data transfers without approval: up to IDR 50 billion or USD 3,4 million.

  3. The government also considers fining data controllers based on the number of users affected by the data breach/leak.

  • There’s a possible criminal sanction up to 7 years also in prison for violators.

  • Many of these sanction clauses have not been finalized and will likely change before the draft is submitted to parliament.

Although the government has sought input from civil society organizations while drafting the Data Privacy Protection draft bill, the business community has yet to be involved at this stage, something that is worrisome and could slow deliberations once the bill is in the parliament.

Progress on the draft bill has been slow-going since the government began working on it in 2016. Some lawmakers had even stated that it might be best for the House to take over the drafting process.

Director General Semuel tells us that the draft bill is currently being revised for the final time and is ready to be included in the National Legislative Priority List or Prolegnas in January 2019. The Prolegnas is annual list of bills that will be deliberated by the House.

Commission I who oversees this draft bill in parliament has coordinated with the government to include this bill on the Prolegnas, sources say. However, no official announcement has been made so we will have to wait for official confirmation.

Parliament only has from January-September 2019 to deliberate and pass this bill before their term ends and once the new 2019-2024 parliament is sworn in, they would have to start all over again. So the draft bill needs to be as complete as possible to avoid unnecessary changes and stall the deliberation process.

The business community should provide their input to the government as soon as possible and have their data privacy concerns heard before this bill enters parliament. 

Shawn Corrigan