The bill is expected to provide legal certainty for the industry to process and transfer data. It will be the first Indonesian law to provide a comprehensive set of provisions for the protection of personal data, not only electronically, but also non-electronically; and it will set out the rights and obligations of the stakeholders involved.

Comprehensive and consistent data protection regulation is a key tool for both governments and companies in today’s world, as part of the protection against cyber-risk, and to answer the growing concerns of citizens. Furthermore, legal certainty is a key driver to fostering private investment for both local and global investors. In modern data protection regimes, global convergence on higher standards is occurring.

The European Union’s General Data Protection Regulation, for example, has risen what used to be considered the necessary “minimum standards”. With the extent of international digital economies and cross-borders transfer of personal data growth, it is a necessity for minimum standards of data protection to be agreed and for international flows of personal data to be consistent with them.

One key pillar to ensure legal certainty and consistency in the data protection regime is the establishment of an independent data protection authority (DPA). However, based on the PDP bill submitted by the government to the House on Jan. 28, 2020, there is no specific provision to ensure that an independent DPA will be put in place. The bill stipulates all enforcement powers in the hands of the communication and information minister, who would have the authority to regulate personal data processing, receive reports on data personal breaches, render administrative sanctions for non-compliance, and implement government measures for personal data protection.

The independence of data protection authorities is an essential feature of effective data protection shared by all modern data protection regimes around the world. Of 143 countries with data privacy laws, only 10 countries do not have an independent DPA that is separate from a government body (see Graham Greenleaf, PL&B IR 2021). Some of them are in Asia, but only Taiwan purports to regulate public sector privacy without a separate DPA, and is examining creating one. Singapore and Malaysia have DPAs which are not independent of the ministry in which they are based, but they are administratively separate from it.

These countries with advanced experience of data protection implementation show that it is most effective when the DPA is independent and empowered, and staffed with high-level experts having prior exposure from both private and public sectors.

The effective implementation of privacy rules depends, to a large extent, on oversight and enforcement by an independent supervisory authority which should essentially enjoy a level of independence similar to the one granted to the judiciary. In general terms, to benefit from citizen as well as business confidence, it is very important that the DPA’s decision-making power be independent of any direct or indirect external influences of the government and private sectors.

From an industry point of view, when it comes to ensuring compliance with the law, having an independent well-equipped supervisory authority is a precondition to ensuring the consistent enforcement across cases, a key aspect of fair competition, as well as the credibility of the authority as neutral arbiter to efficiently adjudicate conflicts related to data protection.

For proper implementation and guidance in the fast-moving and highly complex environment in the digital sphere, close collaboration and partnership between private sector and the DPA is also highly needed.

Experience from various countries (not only European Union, but also Korea or Japan) shows that supervisory authorities typically have recourse to a broader and more flexible "toolbox" as compared to the courts as they can use both "soft" instruments (such as advice, recommendations or warnings) and orders (injunctions, sanctions). By doing so, they are able to take into account the feedback received from business (through public consultations) as well as insights gained through monitoring and enforcement activities.

The use of such instruments in Indonesia would also help to ensure legal certainty and adaptability to the evolving technological and economic conditions. It can be the key success factor, both for private sector (by better compliance, clearer directions, ability to get guidance and give feedback on specific business needs or practices) and for the country (by better understanding of business needs, effective regulation, enhanced collaboration with international authorities); and the Indonesian supervisory authority could develop general guidelines to ensure the uniform interpretation and application of the rules across the country.

The independent DPA is not only valuable for business; it is actually essential for the confidence of the general public. It secures citizens’ trust in the system and provides an accessible point of contact to answer individual queries and handle their complaints without having to go through lengthy and costly court proceedings.

An independent DPA can help to strengthen the position of individuals’ vis-à-vis business operators in an area of fundamental rights. Such authority also serves as an intermediary between individuals and business, and helps find the appropriate solutions beyond the confrontational context of a court room.

An independent Indonesian DPA would be perceived as a neutral and trusted agency, and therefore accepted as both a regulator and mediator/arbiter for conveying complaints outside the court proceedings.

EuroCham Indonesia recently organized a webinar on the value of a modern data protection regime to Indonesia’s industries, with active, broad participation from various Indonesian leading businesses and entities. All participants acknowledged the effort put by the government in finding the balanced formulation of regulatory framework in such a complex environment.

One of the key takeaways from the discussion was that it would be in the interest of Indonesian business to put in place an independent DPA, as it would enable a “virtuous dynamics” of cooperation between business, citizens, the DPA and government. Business also wish to further enhance the ongoing provisions by setting good grounds for more fruitful collaboration between public and private sectors in the process.

Having an independent authority opens the way for Indonesia to participate in international enforcement cooperation on data protection issues through the various networks of independent supervisors. This is important for cross-border cases, and even more for participation in the regulatory dialogues at international level and the shaping of global standards.

Last but not least, putting an independent and well-resourced DPA in place would also be a key to attract foreign investment, especially in the fast developing digital/data area. The more Indonesian data protection law converges with international standards, the easier it will be for companies and investors to operate effectively in Indonesia.

 ***

The writer is head of Technology Working Group at EuroCham Indonesia. The views expressed are personal.