The Personal Data Protection Law gives people the right to know what information data controllers and processors – whether public or private – are collecting about them, why they are collecting that data and with whom they are sharing it. Data handlers must ensure the rights of data subjects and the security of their data, including by setting up firewalls and encryption systems. They will have two years to comply and build the system. And those that breach rules on distributing or gathering personal data may face administrative fines of up to 2 percent of their annual revenue or have their operation suspended by a data protection oversight agency.

The law also regulates criminal penalties, including prison time and fines, for any individuals and companies that are found guilty by a court of collecting, using, selling or publicizing personal data by illegal means.

Experts and activists said that the law was a “necessary” start toward improving cybersecurity in the country, particularly since it covers a wider definition of personal data, the rights of data subjects and obligations of data handlers.

But they also said that there was a potential for government overreach, particularly since the law left the institutional design of the oversight agency to the discretion of the President, including where the institution stands within the executive hierarchy, its structure, who heads it and details of its task.

The law only regulates the general scope of authority of the agency, such as establishing the details of data protection policies, resolving disputes outside the court system and imposing administrative fines and assisting law enforcement bodies in the investigation of criminal cases related to the illegal use of data.

Read also: Data protection bill threatens firms with ‘exorbitant’ fines

Wahyudi Djafar of the Institute for Policy Research and Advocacy (Elsam) said the lack of a clear outline of the authority of the oversight agency might make it partisan in favor of state interests and could make the law implementation problematic.

“Especially because the law binds not only the private sector but also state bodies, the independence of the oversight agency must be absolute so it can act decisively and fairly when enforcing the law,” Wahyudi said.

He said provisions on criminal sanctions were too vague, particularly on what could be considered “illegal means”, and might lead to overcriminalization.

A coalition of civil groups, consisting of the Alliance of Independent Journalists (AJI) among other organizations, are worried that a “vague” provision that makes revealing other people's personal data by unlawful means a crime might be used to target journalists.

“Let’s say if there is a public figure that wants to run in the 2024 legislative election but has a poor track record. Would it be against the law to inform the public about it?" the coalition said on Tuesday.

Read also: Critics question data protection authority in privacy bill

They said that the newly passed law should take cues from the European Union’s General Data Protection Regulation (GDPR), which clearly states that the freedom of expression and information, including for journalistic purposes, is exempted from personal data protection.

Indonesia's privacy law exempts data protection for five purposes, including for “public interest in the context of governance", but it does not include journalism.

“The public interest referred to in the article is unclear and very discriminatory, since it is too accommodating of state interests, but does not accommodate the interests of the public in general and especially for journalistic work,” the group said.

The passing of the law on Tuesday came amid a series of data breaches, including those allegedly impacting state-owned companies, with millions of pieces of personal information from customers potentially taken.

Popular

To my horror, it’s just a movie!

RI, Australia strengthen partnership on taxing crypto assets

Pentagon chief congratulates Prabowo on being elected President