After two years of deliberation, we seem to be losing the momentum in welcoming the personal data protection bill as well as in raising public awareness on safeguarding personal data in digital spaces.
Last year, we witnessed a series of alleged data breaches of national institutions that held massive and nationwide data processing including, among other breaches, data belonging to more than 200 million policyholders of the national health insurance (JKN) program, both dead and alive (The Jakarta Post, Jan. 3, 2022).
Many opinions voiced in the media and by privacy enthusiasts reestablished and piqued the urgency of passing a single comprehensive privacy law, at the time part of ongoing deliberations between the House of Representatives and the Communications and Information Ministry. After two years of deliberation, we seem to be losing the momentum in welcoming the personal data protection bill as well as in raising public awareness on safeguarding personal data in digital spaces, so-called privacy awareness. Privacy experts hope that immediately enacting such regulation will enable better ways to redress data privacy violations.
We are, as legal consultants on corporate issues, often asked by clients and prospects about how the government enforces compliance with data privacy regulation, how data breaches or privacy violations are handled or supervised by authorities and data subjects and what the maximum fines and available remedies are for data subjects, as well as how a company can limit its liability in the subject matter.
These questions, which are mostly submitted by foreign entities, may arise because in other countries, for example, in Europe and Singapore, any privacy breach may cause financial damages against a company’s turnover. They, therefore, take data privacy compliance seriously in their business operations.
In light of this, we briefly elaborate on the current guidance and provisions for stakeholders in data privacy regulation and the current plans or initiatives if a bill has not yet been issued that year.
At the end of 2021, there were two interesting focus group discussions (FGD) about the personal data protection bill and the proposed mechanism to impose administrative sanctions for data privacy violations.
First, an FGD was held by the HukumOnline law portal asking key questions about, among other things, which authority between the Communications and Information Ministry and an independent supervisory body would be the most appropriate for supervising, monitoring and controlling the implementation of personal data protection for providers of an electronic system in both the private and public sectors.
The second FGD, held by the Communications and Information Ministry, focused on the proposed mechanism for imposing administrative fines for data privacy violations based on existing applicable laws. According to the ministry’s presentation, the fine would be imposed on electronic system providers (ESP) that violate data privacy provisions based on Government Regulation No. 71/2019.
The amount of the fine would be determined by a mathematical formula calculated by the multiplication of the infringement type index, given point of each infringement, weighted percentage and tariff, for example of Rp 1 million (US$ 69.59).
As an illustration, one infringement of the data protection principle is multiplied by 100 points, which is then multiplied by 75 percent – the weighted percentage – and the resulting calculation of 750 total points is the points of infringement. The fine would be 750 times Rp 1 million, equaling Rp 75 million. Of course, the above formulation considers the ESP’s business size, whether it is micro, small, medium or large. This Rp 75 million fine is an illustration for a medium-sized business with an accumulated turnover well above Rp 2.5 billion but below Rp 50 billion.
The above administrative fine calculation will not be imposed until the Finance Ministry approves and enacts a new government regulation on nontax state revenue, expected to be enacted this semester, so there is time for concerned stakeholders to give their input on the proposal.
Another related milestone will be the grand design of the data protection officer (DPO) ecosystem, a policy document covering analysis and a road map for key tasks, competency and related matters on the DPO role. We note the intention of the information ministry that the designation of the DPO will be a requirement in the near future. In this regard, we suggest ESPs prepare or reestablish their DPO designation on the basis of professional qualities and expert knowledge of data protection laws and practices.
Furthermore, we acknowledge a contested issue behind the unfinished discussion of the data protection bill, among others, concerning the position of the data protection authority (DPA) as discussed in the FGD held by HukumOnline. Apart from the position of the DPA, we suggest changing the angle of discussion to how the DPA can act with appropriate independence in performing its tasks and exercising its powers. We should explore legal arrangements so that even if the DPA is under the information ministry, for example, the board structure and decision-making process of the DPA could be held proportionally independently.
Whether under the information ministry or the President, the DPA should be positioned so that it can perform in an independent manner covering the supervision and control of both private (e.g. business) and public (e.g. government institution) entities. Resolving the contestation could then be achieved by exploring solutions based on the following questions: Is it necessary for the bill to mention “independence”? How can independence be achieved if the DPA is under the Communications and Information Ministry? How are positions in the DPA filled, including dismissal and staggered elections? And how is a DPA decision made collectively by the board of the DPA?
While Indonesia has not yet issued the above bill, the protection of personal data is currently practiced in a limited scope based on Government Regulation No. 71/2019 and its provisions. However, several provisions under the regulation require further official guidance from the Communications and Information Ministry to avoid questionable implementation of data privacy compliance in private and public entities, in particular on the condition of lawfulness for personal data processing.
***
Both writers are privacy and data protection lawyers at Assegaf Hamzah and Partners. The views expressed are their own.