Indonesia Parliament passes long-awaited data protection law

Users are entitled to compensation for data breaches and can withdraw consent to use their data. PHOTO: REUTERS

JAKARTA - Indonesia’s Parliament on Tuesday passed into law a personal data protection Bill that will impose corporate fines and jail terms of up to six years on those who mishandle data.

This comes as the country saw massive data leaks in recent years, including those involving the details of 1.3 billion registered mobile phone numbers, 105 million voters, and over 200 million citizens in the Healthcare and Social Security Agency’s database, as well as a log of President Joko Widodo’s correspondence. 

Under the new law, a body that reports to the President will be set up to formulate policies pertaining to personal data protection, oversee their implementation, and punish data handlers for breaking rules on personal data collection or distribution.

The body will also impose a maximum fine of 2 per cent of a corporation’s annual revenue, and the corporation’s assets could also be confiscated or auctioned off.

Those who falsify personal data can face up to six years in jail and fines of up to six billion rupiah (S$563,300).

People will also have the right to withdraw their consent to the use of their data and receive compensation for data breaches. 

All sectors are given an adjustment period of two years, but the law did not elaborate on how any violation would be tackled during the period. 

Mr Abdul Kharis Almasyhari, deputy chairman of the Parliament’s Commission overseeing intelligence and information, said the law will serve as “a strong legal basis” for the state to guarantee the protection of personal data. 

Communication and Informatics Minister Johnny Plate said the passage of the Bill marked the start of “a new era in the management of personal data of the public, especially in the digital sphere”.

The Bill, which adopted some principles and aspects of the European Union’s 2018 General Data Protection Regulation, had been deliberated by the House of Representatives since 2016, with contentious issues such as financial penalties and control of the oversight body dominating the debate.

Indonesia is the fifth South-east Asian country to have a specific law on personal data protection, after Singapore, Malaysia, Thailand and the Philippines.

The new law will push government institutions as well as companies to improve their cyber security, experts said.

Information technology security has yet to become a priority in the development of Indonesia’s electronic systems, digital forensic expert Ruby Alamsyah told The Straits Times.

And in the event of a data leak, all electronic system providers - both government and private entities - continue with their operations without conducting proper probes and going through legal processes.

“Both reasons have led to massive data leaks. With the personal data protection law, there are many rules... and significant financial penalties,” he said. 

“I am sure private companies and government institutions are not willing to be fined or face economic losses if they experience security breaches.” 

The new law takes on more urgency as Indonesia’s digital economy is set to grow to US$146 billion (S$206 billion) by 2025, according to the latest report by Google, Singapore's Temasek and global business consultant Bain & Co.

Last week, the country set up a special data protection task force to safeguard data, especially state-related details, from hacking. 
