House of Representatives Commission I overseeing intelligence and information and the government unanimously endorsed the privacy bill to be passed into law in a plenary session this month before lawmakers go into recess, after finding common ground on the agency’s status late on Wednesday afternoon. They agreed only to determine the roles of the agency in a more general context and that it would answer to the President, but they left its institutional design to the discretion of the President.

Commission I deputy chairman Abdul Kharis Almasyhari said lawmakers opposed the agency being put under the Communications and Information Ministry and preferred not to use the word “independent” to describe the agency.

"I'm not saying ‘independent’ because there is no such word in the bill, but I can confirm that the agency will monitor and oversee the implementation of personal data protection," he said. "We didn't want [the agency] to be under the ministry and finally we found common ground."

Communications and Information Minister Johnny G. Plate also declined to use the word “independent” to describe the agency, stressing that it would be part of the executive whose establishment would be in the hands of the President.

“Don't call it independent, the terminology is not clear. What is certain is that it is within the executive branch, to be appointed by the President and to be regulated in a presidential regulation,” Johnny said.

The draft bill, which contains a total of 76 articles, regulates the general scope of authority of the agency, such as formulating policies on data protection, resolving disputes outside the court system and imposing administrative sanctions and non-judicial fines. The agency is to receive and handle complaints regarding privacy violations, investigate the violations and summon anyone involved in the alleged violations, as well as assisting law enforcement bodies in the investigation of criminal cases related to the illegal use of data.

Details of its task, meanwhile, will be stipulated under a government regulation (PP).

- (-/-)

Will it be effective?

Critics applauded some provisions in the bill as it accommodates the basic principles of personal data protection but questioned the agency's effectiveness as its set up is left to the discretion of the President.

"This bill is good enough but lacks comprehensiveness since there are concerns on the effectiveness of its implementation," Wahyudi Djafar of the Institute for Policy Research and Advocacy (Elsam) said on Thursday.

Wahyudi said the agency should be the key to implementing the prospective data protection law. But he is worried that the government will keep the agency on a tight leash so that the agency will be unable to act decisively against non-compliant public institutions that control and process personal data because the bill does not explicitly stipulate the degree of autonomy the agency has.

"How can the agency investigate and impose penalties against government institutions when it is part of the executive under the President? If the agency is at the same level as a ministry, is it possible for the agency to impose penalties on other ministries?" he said.

He also criticized the bill for not providing clear provisions on how to impose punishments on public authorities that commit personal data breaches. Instead, the bill clearly regulates that individuals or private businesses that are found guilty by a court of collecting, using, selling or publicizing personal data will face imprisonment or fines.

"How strong and how effective it will be, will depend on the President's political will," he said.

Commission I lawmaker Rizki Natakusumah said, however, that the bill clearly stipulated that all data processors and controllers, in both the public and private sector, must comply with the law.

"The question is whether or not the authority is too broad if it is given to an entity under a ministry. We leave it to the President to decide this. I'm still sure the President understands that. Because data breaches do not happen in the private sector only, but also in public institutions," he said.

Repeated data breaches have raised questions about the government’s ability to protect its citizens’ information, among the worst was a cyberattack targeting the Indonesian Child Protection Commission’s (KPAI) database last year.