Data Protection & Privacy 2024

Last Updated February 13, 2024

Indonesia

Trends and Developments


Authors



ABNR Counsellors at Law was founded in 1967 and is Indonesia’s longest-established law firm. ABNR pioneered the development of international commercial law in the country following the reopening of its economy to foreign investment after a period of isolationism in the early 1960s. With more than 100 partners and lawyers (including two foreign counsel), ABNR is the largest independent full-service law firm in Indonesia and one of the country’s top three law firms by number of fee earners, giving it the scale needed to simultaneously handle large and complex transnational deals across a range of practice areas. The firm also has global reach.

Data Privacy Imperatives in Business: How Indonesia’s PDP Law has Evolved to Accommodate the AI, Healthcare, and Financial Services Sectors

PDP law in a nutshell

In 2022, the Indonesian Parliament passed Law No 27 of 2022 on Personal Data Protection (the “PDP Law”), which is designed to serve as the overarching law on personal data protection. The PDP Law is largely modelled on the EU’s General Data Protection Regulation (GDPR), regarded as the “gold standard” for personal data protection worldwide, thus demonstrating further effort by the Indonesian government to bring data protection into line with the industry standard.

In addition to the PDP Law, several existing laws and regulations related to personal data protection remain in force, provided that they do not conflict with the PDP Law. Accordingly, the implementation of personal data protection is subject to the following laws and regulations:

  • PDP Law;
  • Law No 11 of 2008 on Electronic Information and Transactions, last amended by Law No 1 of 2024 (the “EIT Law”);
  • Government Regulation No 71 of 2019 on the Provision of Electronic Systems and Transactions (GR 71/2019);
  • Minister of Communication and Informatics (MCIT) Regulation No 20 of 2016 on Personal Data Protection in Electronic Systems (“MR 20/2016”); and
  • other sector-specific regulations.

The PDP Law has an extraterritorial effect, meaning that overseas-based organisations (including individuals, public entities and international organisations) would also be subject to prosecution in Indonesia should they violate the PDP Law; it applies to non-compliant processing of an Indonesian citizen’s personal data, whether carried out onshore or offshore.

The PDP Law has not yet been effectively enforced as it provides for a two-year grace period after its enactment, which lapses on 17 October 2024. Following the enactment of PDP Law, the Indonesian government has been preparing a draft Implementing Regulation of Law No 27 of 2022 on Personal Data Protection (the “Draft GR PDP”), which is planned to be enacted in 2024. The Draft GR PDP is expected to bring clarity to numerous aspects of the PDP Law that are essentially regulated in only a very broad manner.

Some of the notable provisions under PDP Law include the following.

Types of personal data

The PDP Law defines “personal data” as “any data related to an individual (natural person), whether identified or capable of being identified independently or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means.” The individual is referred to as a “data subject”.

The PDP Law further categorises personal data as general personal data (name, gender, nationality, religion, marital status, or personal data that together can identify a person) and specific personal data (data on health, biometric or genetic, and criminal records; data on children; financial data; and/or other data in accordance with the laws and regulations). There is no particular differentiation in treatment of the processing of general or specific personal data. However, the processing of specific personal data would trigger additional obligations, such as the need to perform a Data Protection Impact Assessment and appoint a Data Protection Officer.

Data controller and data processor

The PDP Law expressly differentiates between “data controller” and “data processor”, which is a new concept under Indonesian law. A data controller determines the purpose of, and controls, the personal data processing, while a data processor processes the personal data on behalf of the data controller. A data controller is fully accountable and liable to the data subject for the processing of their personal data. A data processor, however, is only independently liable if it processes personal data in a manner that deviates from the data controller’s instruction, order or purpose.

Lawful basis for processing of personal data

The PDP Law acknowledges several legal bases for personal data processing: (i) consent; (ii) contractual necessity; (iii) compliance with a data controller’s legal obligations; (iv) protection of the vital interests of the data subject; (v) public interest, for the provision of public services or for the exercise of lawful authority; and (vi) legitimate interest.

We observe that the above legal bases are very similar to the concept adopted by the EU GDPR.

Rights of data subjects

The PDP Law acknowledges a data subject’s right to obtain information, and the right to rectify, access, halt processing, delete or destroy personal data, withdraw consent, object to automated decision-making, and the right to suspend or restrict processing.

The PDP Law further mandates that data subjects’ rights must not be implemented in an absolutist manner: they can be adjusted if considered prejudicial to certain interests (national defence and security, or to law enforcement, etc).

Cross-border data transfer

The PDP Law introduces layered requirements that a data controller must meet before transferring personal data outside Indonesian territory, namely:

  • the country receiving the transfer of personal data has an equal or higher level of personal data protection than afforded under the PDP Law (“Adequacy of Protection”);
  • in the absence of Adequacy of Protection, an adequate level of binding personal data protection must be available (“Appropriate Safeguards”);
  • in the event that neither Adequacy of Protection nor Appropriate Safeguards are present, consent for the cross-border data transfer must be given by the data subject.

The three bullet points above must be assessed and implemented in sequence. To date there is no indication that an official approved list of countries that meet the Adequacy of Protection requirements will be published.

Further, under MR 20/2016, cross-border data transfer must be co-ordinated with the MCIT by submission of cross-border personal data transfer reports (before and after the transfer).

Data protection authority

The PDP Law mandates the formation, by the President, of a Data Protection Authority tasked with acting as regulator, supervisor and executor in data protection matters. To date, this authority has yet to be formed, and its tasks and obligations are therefore currently performed by the MCIT.

Development of PDP Law implementation in sectoral regulations

Artificial intelligence (AI)

While there is no specific regulation on the use of AI at the moment, MCIT issued Circular Letter No 9 of 2023 on Ethics of Artificial Intelligence (CL 9) on 19 December 2023 in an attempt to provide general guidance for business undertakings when utilising AI-based programs.

In summary, CL 9 contains the following salient items:

  • general definitions, and general guidelines on the values, ethics and control of AI-based consulting, analysis and programming activities carried out by business undertakings and electronic system operators (ESOs);
  • emphasis that the CL 9 is applicable to: (i) business undertakings operating under Indonesian Standard Business Classification (KBLI, similar to ISIC) 62015 on AI-Based Programming Activities; (ii) ESOs in public scope; and (iii) ESOs in private scope; and
  • emphasis on the ethical use of AI by adhering to the principles of inclusivity, humanity, safety, accessibility, transparency, credibility and accountability, personal data protection, sustainable development and environment, and protection of intellectual property.

Additionally, the Financial Services Authority (Otoritas Jasa Keuangan) (OJK) has issued a Code of Ethics for Responsible and Trustworthy AI in the Financial Technology Industry, which applies to financial technology providers. The Code also stipulates principles for the utilisation of AI in the financial services industry, namely that AI should be beneficial; fair and accountable; transparent and explicable; and robust and secure.

Healthcare

Healthcare has rapidly evolved over the years to include the use of various technologies, including AI, particularly triggered by the COVID-19 pandemic. At the moment, Indonesia does not have a specific regulation that stipulates data protection in the healthcare sector. However, healthcare providers are also subject to the provisions of the PDP Law.

Minister of Health (MOH) Regulation No 24 of 2022 on Medical Records stipulates that medical records may be stored in digital-based storage media at healthcare facilities, which includes servers, certified cloud computing and any other certified digital-based storage media. For storage purposes, the healthcare facilities are permitted to co-operate with an ESO that has onshore data storage facilities, provided that the ESO obtains a recommendation from the relevant department of the MOH.

Financial services

Financial services, one of the most heavily regulated and supervised sectors (an anchor sector with several subsectors, including banking and finance, capital markets and insurance), has played a critical role as a benchmark for the implementation of data protection in other sectors and industries. With over two-thirds of the world’s population now using financial services and engaging in a wide variety of transactions, there is increased concern around data security, from both customers (corporate and retail) and regulators.

In light of this, the OJK recently issued OJK Regulation No 22 of 2023 on Consumer and Public Protection in the Financial Services Sector (POJK 22), which includes provisions on personal data protection. Most of the personal data protection provisions under POJK 22 mirror the provisions under the PDP Law, for example:

  • POJK 22 requires financial services providers to provide access to consumers to obtain a copy of their data and/or information. This is to comply with data subjects’ access rights under the PDP Law; and
  • if a financial services provider transfers consumers’ data and/or information offshore, they must fulfil the layered requirements under the PDP Law.

It is noteworthy that POJK 22 also recognises other lawful bases aside from consent, consistent with the PDP Law. This is also reflected under Article 22 of the POJK 22 which prohibits financial services providers from using personal data and/or information, unless they have secured the appropriate lawful basis specified under the PDP Law.

Nevertheless, given that financial services providers are subject to both the PDP Law and POJK 22, they face a dilemma: hypothetically, they could be sanctioned under both regulations for the same conduct. This is viewed as imposing unnecessary pressure on financial services providers and as unfairly placing them at a disadvantage compared with business undertakings outside the financial services sector.

Update on data breaches

In the past year, Indonesia suffered major data breaches, in both the public and private sectors. The most famous data leak involved Bjorka, an infamous hacker who leaked 34 million Indonesian passports and 18.5 million items of data from the Manpower Social Security Programme (BPJS Ketenagakerjaan) participants. Bjorka was also behind a leak of data from 1.3 billion SIM cards in 2022.

These recurring data breaches in Indonesia demonstrate vulnerabilities in Indonesian cybersecurity policies and systems, as well as a lack of supervision and enforcement against the perpetrators of data breaches. A regulation issued by the National Cyber and Crypto Agency (BSSN) on information security management obligations for ESOs is in place, alongside general cybersecurity requirements under the PDP Law and other existing regulations. In practice, however, the level of compliance with these obligations and requirements is still inadequate, thereby raising the risk of cybersecurity attacks.

Currently, the Indonesian legal framework on data breaches merely requires data breaches to be reported to the MCIT and notified to the data subjects, whilst cybersecurity incidents that do not involve a data breach should be notified to the regulator and law enforcement authorities. Below are two regulatory regimes in relation to data breach and notification of cybersecurity incidents.

  • PDP Law – upon “failure to protect personal data”, the data controller must notify both the affected data subject and the Data Protection Authority within 72 hours. The term “failure to protect personal data” means failure to protect an individual’s personal data concerning the confidentiality, integrity, and availability of personal data, including security breaches (intentional or not), leading to destruction, loss, alteration, disclosure, or unauthorised access to personal data sent, stored, or processed.
  • Electronic system operation regulations (GR 71/2019 and MR 20/2016) – an ESO must: (i) report to the relevant ministries/institutions and law enforcement authorities at the first opportunity in the event of system failure or interference with serious impact as a result of a third-party action against an electronic system, and (ii) notify data subjects if there is a failure of personal data protection in its electronic system.

Likely implementation of the PDP Law

As briefly touched upon above, in anticipation of effective enforcement of the PDP Law in October this year, the Indonesian government has been preparing an implementing regulation of the PDP Law, the Draft GR PDP. This is expected to shed some light on the general requirements under the PDP Law, although the draft also confers authority on the Data Protection Authority (which has yet to be formed) to regulate certain matters.

Some notable provisions under the Draft GR PDP include the following.

Requirements for reliance on lawful bases

Following the issuance of the PDP Law, express consent is not necessarily required for personal data processing. Data controllers may rely upon other appropriate lawful bases, such as contractual necessity, legal obligations, or vital, public or legitimate interest.

The Draft GR PDP provides further guidance or requirements on reliance upon the lawful bases, including the following.

  • Express consent – if the data subject refuses to provide their consent, a data controller cannot refuse to provide their goods or services to the data subject (as long as their provision does not involve any personal data processing). Further, a data controller must implement steps to identify its users to implement the relevant personal data protection measure (including for services for children and persons with disabilities).
  • Contractual necessity – in relying on contractual necessity, the agreement that serves as a basis for the personal data processing must: (i) obtain valid express consent from the data subject, (ii) fulfil the relevant personal data protection measures given to the data subject, (iii) consider the risk impact of personal data processing on the data subject, (iv) consider the balance of interest between the data subject and data controller, and (v) acknowledge the rights of a data subject in processing personal data. Should a data subject not provide their express valid consent to an agreement, the personal data processing is deemed to be null and void.
  • Legitimate interest – this lawful basis can only be relied upon if the data controller: (i) has carried out an analysis of the needs, objectives and balance between the rights of data subjects and the interests of the data controller, and the results show that the data controller has a legitimate interest in processing personal data, and (ii) has carried out an assessment that the processing of personal data to fulfil other legitimate interests does not have a legal impact or harm the data subject – meaning that the data controller has established steps and has taken them to reduce the impact of the processing of personal data.

With regard to AI technology, these requirements are significant for AI technology providers and users alike. In practical terms, they cover the use of personal data for AI training, the creation of output, and the use of such output as feedback. Hence, the processing of personal data using AI must:

  • implement the data protection principles under the PDP Law effectively;
  • rely on an appropriate lawful basis for processing; and
  • implement necessary safeguards throughout all stages of the processing.

For example, the users of a generative AI platform (such as ChatGPT) must ensure that they have secured the appropriate lawful basis for processing, such as obtaining consent from the person depicted in an image, prior to processing the personal data using AI platforms.

Definition of children

Despite data on minors being classified as a special category, the PDP Law does not provide an exact definition for children within the context of personal data. Currently, the definition varies and is scattered throughout several regulations. For instance, under the Indonesian Civil Code, a child is defined as a person below 21 years old and not previously married, whilst Law No 23 of 2002, as amended by Law No 35 of 2014 on Child Protection, defines a child as a person below 18 years old. The Draft GR PDP provides clarity on this issue as it defines a child as a person below 18 years old and not previously married.

There are no exceptions to the requirement of obtaining parental or guardian consent in the use of personal data of minors under the PDP Law, including for financial services, healthcare, and the use of AI software for education or entertainment purposes. Therefore, all service providers must verify that: (i) all use of services by minors has obtained the necessary consent from the parents or legal guardians; and (ii) an individual who authorises the provision of the service to the minor is genuinely the parent/legal guardian of the child.

Cross-border data transfer

As stated above, the PDP Law provides that a data controller may transfer personal data offshore should they fulfil the layered requirements of Adequacy of Protection, Appropriate Safeguards, or consent of the data subjects.

With the rapid development of technology, cross-border data transfer has become an important part of data processing. The risk in transferring financial and health data also increases exponentially. Data controllers are expected to be fully responsible for implementing appropriate security measures in the processing of data transfer. Particularly, in the financial services sector, the POJK 22 would mainly govern cross-border transfer of customers’ information.

For the transfer of individual customers’ information, financial services providers must comply with personal data protection laws and regulations, including those determined by the OJK. In this case, according to the PDP Law, the transfer of an individual’s personal data must be based on:

  • Adequacy of Protection;
  • Appropriate Safeguards; or
  • the data subject having provided their consent.

For the transfer of corporate customers’ information, financial services providers must base the transfer on:

  • Adequacy of Protection as determined by the OJK;
  • Appropriate Safeguards deemed acceptable by the OJK, for which POJK 22 provides further details on what would constitute Appropriate Safeguards, such as a bilateral agreement, binding corporate rules, and standard contractual clauses determined by the OJK; or
  • securing consent from the customer.

The Draft GR PDP stipulates that Adequacy of Protection is determined by assessing the following circumstances regarding the recipient’s country of domicile: (i) the existence of personal data protection legal regulations, (ii) a personal data protection supervisory agency or authority, (iii) international commitments or other obligations arising from legally binding conventions or instruments, or from its participation in multilateral or regional systems related to personal data protection. The list of approved countries will be determined by the Data Protection Authority.

If a data controller relies on Appropriate Safeguards as the basis for transferring personal data abroad, the Draft GR PDP provides that these can be: (i) an agreement between the sender’s country of domicile and the recipient’s country of domicile, (ii) standard personal data protection contractual clauses, (iii) binding company regulations for a group of companies, or (iv) other adequate and binding personal data protection instruments recognised by the Data Protection Authority.

In transferring personal data offshore, a data controller or data processor is also subject to additional obligations, such as recording and mapping the personal data transfer cycle and its implications, as well as ensuring that the transferred personal data is sufficient, relevant, and limited according to the purpose of the transfer.

In August 2023, the MCIT created a dedicated website to seek public input on the Draft GR PDP, which garnered 1,989 submissions from the public. As the grace period of the PDP Law expires this October, we anticipate that the Draft GR PDP will be issued in the near future. Nonetheless, it is unclear whether this timeline will be delayed, given that a new legislature will be elected in the 2024 legislative election.

On the formation of the Data Protection Authority, the MCIT previously stated in late January this year that the target for operation was by mid-term 2024. However, as this authority is mandated to the President, it is unclear whether the new leadership elected via the 2024 presidential election will delay the plan.

ABNR Counsellors at Law

Graha CIMB Niaga 24th Floor
Jl. Jenderal Sudirman Kav. 58
Jakarta 12190
Indonesia

+62 21 250 5125/5136

+62 21 250 5001

info@abnrlaw.com www.abnrlaw.com