With Indonesia’s personal data protection bill under deliberation, this is an opportune time for the country to develop a world-class data protection law — one that addresses the gaps in existing regulations and builds a comprehensive and interoperable framework to raise its position as an attractive investment destination.
ndonesia has huge potential for global businesses. With a vast local market and plenty of unmet consumer demands, a vibrant start-up community and a local pool of tech talent, the country is perfectly situated for companies to set up their bases here.
President Joko “Jokowi” Widodo has laid down ambitious plans for his second term to elevate Indonesia as the world’s fourth or fifth largest economy by 2045. Under his leadership, the government introduced the omnibus bills on taxation and job creation in February 2020 in a bid to simplify investment rules to make it easier to do business in Indonesia while amending the labor laws to attract more investors.
On the periphery, however, investors are also considering when and in what form the personal data protection bill will be passed as another factor in evaluating the extent to which they should engage in Indonesia.
Why does Indonesia need a stand-alone data protection bill?
In today’s digital world, personal data is collected, used and disclosed by service providers all day, every day. For example, an e-wallet app collects personal data for fraud prevention, and then connects the data to offer a rewards program for merchants to improve customer experience. While data flows are actually much more complex than this, it does highlight how often personal data moves from one place to another. Without a framework in place, individuals have less control over their personal data while service providers are not held accountable for the use of their consumers’ personal data.
Due to the globalized supply chain, personal data from other countries also flows through Indonesia. Foreign data protection authorities want assurances that their citizens’ data will still be protected as it flows in and out of the country. The European Union will accord “adequate” status to a country’s level of data protection only after the European Commission deems that the local data regulation has a high standard. Any weak link in today’s global data flow will create vulnerabilities. Therefore, it is important to create interoperable and global frameworks for data protection and level up across-the-board security standards to maintain the confidentiality, integrity and availability of personal data.
The Communications and Information Ministerial Regulation No. 20/2016 governs personal data in electronic systems, which was followed by Government Regulation No. 71/2019 that defines personal data as data that can identify a person directly or in combination with other information obtained both electronically and nonelectronically. However, these rules do not articulate well-defined obligations for data controllers and processors.
Share your experiences, suggestions, and any issues you've encountered on The Jakarta Post. We're here to listen.
Thank you for sharing your thoughts. We appreciate your feedback.