The spirit of the government-proposed personal data protection bill is to give citizens control over their data “like it’s their property” despite being stored and processed by various organizations in Indonesia, the Communications and Information Ministry (Kominfo) director general in charge of drafting the bill, Semuel Abrijani Pangerapan, told The Jakarta Post.

The bill will affect how data is managed for a wide range of stakeholders, from the big tech companies, banks and other financial institutions, to micro, small and medium enterprises operating on e-commerce platforms, as well as individual consumers.

“It is impossible for our data not to be shared in this digital era. You carry out one transaction. Let’s say Tokopedia. How many will own your transaction data? Four institutions at a minimum,” Semuel, aka Semmy, said in a recent interview.

The latest draft bill obtained by the Post stipulates that data handlers must lay out information in advance when collecting personal data such as those related to data retention, purpose, deletion and all the rights the individuals have over the data (Article 23).

Among other important points in the bill are the “right to be forgotten” (Article 37), which enables personal data owners to remove all their data stored with organizations that manage their data. There is also a requirement for personal data handlers to grant access to data owners within three days of such request (Article 31).

“Without this law, there is no guarantee for the public against such transaction data being misused,” added Semmy, director general for applications and informatics at Kominfo, who was previously the chairman of the Indonesia Internet Service Provider Association (APJII).