by Setyawati Fitrianggraeni, Sri Purnama
Personal data protection is a form of personal protection, so a legal basis is needed to provide security for personal data, based on the 1945 Constitution of the Republic of Indonesia.[1] Law Number 27 of 2022 on Personal Data Protection (PDP Law) was passed in October 2022 in Indonesia. The PDP Law gives a two-year period for relevant parties to comply with its provisions, which means that this ‘grace period’ will end in October 2024. The Law aims to ensure citizens’ right to personal protection, raise public awareness, and ensure recognition and respect for the importance of personal data protection.[2]
Balancing the protection of people’s privacy with data-driven economic growth is the central challenge for Indonesia’s digital economy. Data is ubiquitous and is part of any economic activity taking place online. Hootsuite (We Are Social) 2022 data shows that 204.7 million Indonesians use the internet, and 93.5 per cent are active social media users. The development of the digital world has also spawned several new cultures and behaviours, from uploading anything to online transactions.[3] The digital economy is more than 15% of global GDP and is growing twice as fast as the physical world’s GDP.[4]
Personal Data are data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly, through an electronic or non-electronic system.[5] According to the PDP Law, personal data shall consist of Specific and General Personal Data.[6] Specific Personal Data shall include:[7] a. health data and information; b. biometric data; c. genetic data; d. crime records; e. child data; f. personal financial data; and/or g. other data in accordance with provisions of laws and regulations. General Personal Data shall include:[8] a. full name; b. gender; c. citizenship; d. religion; e. marital status; and/or f. combined Personal Data to identify a person.
Personal data can vary widely across different sectors. In practice, these also include all data that can be assigned to a person in any kind of way.[9] For example, in the financial sector, personal data may include bank account details, credit card information, transaction records, income statements, and credit scores used for financial assessments.[10] In the healthcare sector, medical records, prescriptions, patient histories, and biometric data such as fingerprints or iris scans used for patient identification are categorized as personal data. In addition, the employment sector encompasses personal data such as resumes, job applications, payroll information, performance evaluations, and disciplinary records. These examples illustrate the diverse nature of personal data collected and processed across various sectors in Indonesia in accordance with the PDP Law.
Under the PDP Law, Data Subjects’ Rights are regulated in Section IV, which comprises 11 Articles. There are several Data Subjects’ Rights,[11] i.e., the right to obtain information regarding identity clarity[12], the right to complete, update and/or correct errors and/or inaccuracies in Personal Data[13], the right to access and obtain a copy of Personal Data[14], the right to end processing, delete, and/or destroy Personal Data[15], the right to withdraw consent to the processing of Personal Data[16], the right to object to a decision-making action[17], the right to delay or limit the Personal Data processing[18], the right to sue and receive compensation for violations of the processing of Personal Data[19], the right to obtain their personal data from data controllers in a commonly used or machine-readable format[20], and the right to use their personal data and transmit it to other data controllers, provided that the systems used can communicate securely in accordance with the principles of personal data protection as stipulated in this law.[21]
In relation to Data Subjects’ Rights, there are consent requirements for processing data which must be complied with by the data controller. A Personal Data Controller must have a basis for Personal Data Processing.[22] There are 6 (six) bases for Personal Data processing,[23] among them the consent of Data Subjects. A request for consent must be accompanied by certain prescribed information, clearly distinguishable from other matters, and in a format that is easily understandable and accessible. The consent itself must be explicit, informed, specific to a purpose, and recorded.
The rights of Data Subjects under the General Data Protection Regulation (GDPR) and the PDP Law are similar, as the PDP Law was benchmarked against the GDPR. Both frameworks address rights such as the right to be informed, access to data, data correction, data deletion, and restrictions or refusal of data processing.
However, a key difference between the GDPR and the PDP Law is how they handle the limitation or exclusion of these rights. The GDPR outlines specific requirements for such limitations, including: (a) the purpose of processing or the category of the processing; (b) categories of personal data; (c) the scope of the restrictions introduced; (d) safeguards to prevent misuse or unlawful access or transfer; (e) controller specifications or controller categories; (f) the applicable storage and custody period, taking into account the nature, scope, and purpose of processing or processing category; (g) risks to the rights and freedoms of data subjects; and (h) the right of the data subject to be notified of the restriction, unless doing so would be detrimental to the purpose of the restriction.[24] This detailed approach ensures consistent protection and prevents authorities from taking arbitrary actions. In contrast, the PDP Law lacks clear and detailed regulations on implementing these limitations or exclusions.[25]
Potential conflicts can arise between data subjects’ rights and data controllers’ obligations under personal data protection laws. For instance, while data subjects have the right to request rectification of their personal data, data controllers may be obligated by other legal requirements to retain certain data for compliance or legal purposes. This can create a conflict where data subjects seek deletion of their data,[26] but data controllers must balance this with their legal obligations to retain records.[27]
Another potential conflict arises in cases where data subjects object to automated decision-making processes, yet data controllers may argue that such processes are necessary for efficient operations or are legally justified.[28] Moreover, ensuring data security and preventing unauthorised access to personal data[29] may sometimes conflict with data subjects’ rights to access and obtain their data promptly. Resolving these conflicts requires careful consideration of data subjects’ rights and the legitimate interests or obligations of data controllers, often necessitating clear policies, transparent communication, and adherence to legal standards to protect personal data while respecting data subjects’ rights.[30]
Furthermore, the enforcement of data protection laws faces additional hurdles when data subjects enter into contracts without fully understanding their content.[31] This issue, where individuals consent to terms and conditions without comprehensive reading, complicates efforts to ensure informed consent, which is a cornerstone of personal data protection. Addressing this challenge requires not only clear and accessible contract language but also enhanced public education on the importance of understanding contractual obligations related to personal data.
Indonesia’s PDP Law, set to be enacted in October 2024, aims to protect its citizens’ privacy by defining personal data and outlining individuals’ rights over their data. This law is crucial because it helps Data Subjects control their information in a world where internet use is widespread. Moreover, the PDP Law regulates several data subjects’ rights. By allowing individuals to access and control their data, the law builds trust and ensures that the benefits of the digital economy do not compromise personal privacy. This is essential for balancing economic growth with protecting Data Subjects’ rights in the digital era.
Law Number 27 of 2022 on Personal Data Protection.
The General Data Protection Regulation.
Egnyte, “Financial Privacy: What is it?”, https://www.egnyte.com/guides/financial-services/financial-data-protection#:~:text=Examples%20of%20financial%20information%20that,third%2Dparty%20credit%20analysis%20firms accessed on 21 July 2024.
Intersoft Consulting, “GDPR Personal Data”, https://gdpr-info.eu/issues/personal-data/#:~:text=For%20example%2C%20the%20telephone%2C%20credit,address%20are%20all%20personal%20data accessed on 21 July 2024.
Lina Miftahul Jannah, “Personal Data Protection Act and Challenges to Its Implementation”, https://fia.ui.ac.id/en/uu-perlindungan-data-pribadi-dan-tantangan-implementasinya/ accessed on 21 July 2024.
Tim Hukumonline, “Wajib Tahu, ini 9 Hak Pemilik Data Pribadi dalam UU PDP”, https://www.hukumonline.com/berita/a/hak-pemilik-data-pribadi-lt637870f3686aa/#! accessed 22 July 2024.
Valentina Ancilia Simbolon and Vishnu Juwono, “Comparative Review of Personal Data Protection Policy in Indonesia and The European Union General Data Protection Regulation”, Publik (Jurnal Ilmu Administrasi), 11 (2): 2022, p.182-183.
World Economic Forum, “Why Digital Trust is Key to Building Thriving Economies”, accessed on 21 July 2024.
[1] Point b of Consideration, Law Number 27 of 2022 on Personal Data Protection.
[2] Point c of Consideration, Law Number 27 of 2022 on Personal Data Protection.
[3] Lina Miftahul Jannah, “Personal Data Protection Act and Challenges to Its Implementation”, https://fia.ui.ac.id/en/uu-perlindungan-data-pribadi-dan-tantangan-implementasinya/ accessed on 21 July 2024.
[4] World Economic Forum, “Why Digital Trust is Key to Building Thriving Economies”, accessed on 21 July 2024.
[5] Article 1 point 1 of Law Number 27 of 2022 on Personal Data Protection.
[6] Article 4 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[7] Article 4 paragraph (2) of Law Number 27 of 2022 on Personal Data Protection.
[8] Article 4 paragraph (3) of Law Number 27 of 2022 on Personal Data Protection.
[9] Intersoft Consulting, “GDPR Personal Data”, https://gdpr-info.eu/issues/personal-data/#:~:text=For%20example%2C%20the%20telephone%2C%20credit,address%20are%20all%20personal%20data accessed on 21 July 2024.
[10] Egnyte, “Financial Privacy: What is it?”, https://www.egnyte.com/guides/financial-services/financial-data-protection#:~:text=Examples%20of%20financial%20information%20that,third%2Dparty%20credit%20analysis%20firms accessed on 21 July 2024.
[11] Tim Hukumonline, “Wajib Tahu, ini 9 Hak Pemilik Data Pribadi dalam UU PDP”, https://www.hukumonline.com/berita/a/hak-pemilik-data-pribadi-lt637870f3686aa/#! accessed 22 July 2024.
[12] Article 5 of Law Number 27 of 2022 on Personal Data Protection.
[13] Article 6 of Law Number 27 of 2022 on Personal Data Protection.
[14] Article 7 of Law Number 27 of 2022 on Personal Data Protection.
[15] Article 8 of Law Number 27 of 2022 on Personal Data Protection.
[16] Article 9 of Law Number 27 of 2022 on Personal Data Protection.
[17] Article 10 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[18] Article 11 of Law Number 27 of 2022 on Personal Data Protection.
[19] Article 12 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[20] Article 13 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[21] Article 13 paragraph (2) of Law Number 27 of 2022 on Personal Data Protection.
[22] Article 20 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[23] See Article 20 Paragraph (2) of Law Number 27 of 2022 on Personal Data Protection stated:
“The basis for Personal Data processing as referred to in paragraph (1) shall include:
[24] Article 23 paragraph 2 of the General Data Protection Regulation.
[25] Valentina Ancilia Simbolon and Vishnu Juwono, “Comparative Review of Personal Data Protection Policy in Indonesia and The European Union General Data Protection Regulation”, Publik (Jurnal Ilmu Administrasi), 11 (2): 2022, p.182-183.
[26] Article 43 paragraph (1) point c of Law Number 27 of 2022 on Personal Data Protection.
[27] Article 50 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection:
“The obligations of a Personal Data Controller as referred to in Article 30, Article 32, Article 36, Article 42, Article 43 paragraph (1) letter a to letter c, Article 44 paragraph (1) letter b, Article 45, and Article 46 paragraph (1) letter a, shall be exempted for:
[28] Personal Data Controllers are required to assess the impact of Personal Data Protection in cases where Personal Data processing has a high potential risk to Personal Data Subjects, including automated decision-making that has legal consequences or significant impacts on Personal Data Subjects. See, Article 34 paragraph (1) and (2) point a of Law Number 27 of 2022 on Personal Data Protection.
[29] Article 39 of Law Number 27 of 2022 on Personal Data Protection.
[30] Article 20 paragraph (2) letter f of Law Number 27 of 2022 on Personal Data Protection.
[31] For example, according to the CPRC Report, most Australians (94%) do not read all privacy policies that apply to them. See, Katharine Kemp, “It’s rational that 94% Australians do not read all privacy policies that apply to them”, UNSW, https://www.unsw.edu.au/newsroom/news/2018/05/it-s-rational-that-94–of-australians-do-not-read-all-privacy-po accessed on 12 August 2024.
S.F. Anggraeni
Managing Partner
Sri Purnama
Junior Legal Research Analyst
Research Group Transnational Litigation and Tort Law