LEGAL UPDATES BY BEPARTNERS
Indonesia’s PDP Bill and Australia’s Data Protection Framework
08 March 2022

The growth of Indonesia’s digital economy and Internet usage requires stronger and more uniform legal protections for the personal data of individuals. For many, the answer to Indonesia’s issues with data breaches and lacklustre ministerial enforcement lies in the Personal Data Protection (“PDP”) Bill. The PDP Bill aims to replace the current PDP Regulations, which are a patchwork of general and sector-specific laws and regulations, with a single, comprehensive framework for data protection.

 

Australia’s Privacy Principles, the PDP Bill and the EU GDPR

 

Australia currently operates a nationalised and relatively uniform data protection scheme, contained in the Privacy Act 1988 (Cth). The Privacy Act establishes 13 Australian Privacy Principles (“APPs”) that apply to federal government agencies (including ministers, courts and government departments) and private sector businesses with an annual turnover of $3 million (AUD) or more.[1] Individuals and small business operators with an annual turnover of less than $3 million are largely exempt from the obligations of the Privacy Act.

 

Whilst these 13 APPs overlap somewhat with the EU General Data Protection Regulation (“EU GDPR”) and its objectives, Australia largely declined to model its data protection laws explicitly on the EU GDPR, as many other nations like Brazil, China and India have done. The PDP Bill, on the other hand, was influenced by the EU GDPR, adopting features like the data controllers/data processors distinction and similar data subject rights and personal data processing regulations.[2]

 

If Indonesia were to enact the PDP Bill, it could constitute a national scheme with a potentially broader application than Australia’s Privacy Act. Whilst the APPs apply to government agencies and large businesses (and only very few entities with under $3 million annual turnover), the PDP Bill is expected to apply to all individuals, legal entities, business entities (without a specified revenue threshold such as Australia’s), government institutions and public entities across all sectors whose actions deal with personal data of Indonesian residents. The PDP Bill’s scope – in terms of its legal subjects – thus leans far further towards the EU GDPR than Australia’s Privacy Act.

 

In Australia, state and territory level statutes (such as Victoria’s Privacy and Data Protection Act 2014 and New South Wales’ Privacy and Personal Information Act 1988) supplement the national law and/or cover different entities (such as state government agencies). The more encompassing personal scope of the PDP Bill could therefore in future provide Indonesia with an even more centralised data protection scheme than Australia’s national framework.

 

Could the PDP Bill fix the issue of enforcement?

 

A significant issue with the current PDP Regulations is that the sector-specific system has resulted in a lack of meaningful enforcement. When data protection obligations are scattered across 32 different laws and regulations,[3] discrepancies across these legal instruments can increase the difficulty of proper enforcement.[4] Although penalties exist on paper in the form of fines or even imprisonment, the occurrence of government action on data breaches or leaks is rare.[5]

 

The PDP Bill aims to redress the enforcement issue, not only through clearer guidance on enforcement, but also through its mere existence. This is because although privacy is protected to a degree under Indonesia’s Constitution, the lack of clear and specific legislative laws on data protection has made this constitutional guarantee difficult for courts to enforce.[6] Interestingly, unlike the Australian Constitution, the Indonesian Constitution protects citizens’ right to privacy in Article 28G(1) (“each person shall have the right to the protection of their personal selves, families, respect, dignity, and possessions under their control.”).

 

The PDP Bill would represent a clear and comprehensive incorporation of privacy rights in relation to personal data. If courts can more clearly and uniformly identify data protection rules and obligations, they can more effectively enforce them – through the range of penalties the PDP Bill contains.

 

The issue of an independent regulator

 

The legal community has viewed the PDP Bill with overwhelming optimism. However, one criticism of it is the lack of an independent data protection authority (“DPA”). In its current form, the PDP Bill, like the current PDP Regulations, does not stipulate an independent DPA responsible for enforcing the future law and ensuring compliance, but instead leaves these powers to the Minister of Communication and Informatics (“MOCI”), who is currently responsible for enforcing regulations.[7] As discussed above, these powers are rarely used and have failed to promote deterrence. Concerns have arisen that unless the PDP Bill is accompanied by a separate and specialised independent DPA, inadequate enforcement levels may continue and data controllers and owners may not properly heed their new obligations.[8]

 

Indonesia would join the club of currently 10 out of 143 nations that have data privacy laws without an independent DPA.[9] Australia’s Office of the Australian Information Commissioner (“OAIC”) constitutes an example of an independent agency with enforcement powers, whose responsibilities often include handling and investigating individuals’ complaints against parties including Australian government agencies. It is clear how, if such a complaints-making mechanism were introduced under the PDP Bill, conflicts of interest could arise where complaints against government agencies must be made to a government agency.

 

Although the PDP Bill could be a further-reaching national framework than Australia’s Privacy Act, the lack of an independent regulator risks undermining the regime, which is strong on paper. Under-enforcement could remain problematic and citizens, businesses and other legal subjects may find it more difficult to trust a government-line regulator.[10]

 

Conclusion

 

The Bill would be a positive step toward creating greater nationwide legal certainty on the rights of individuals and obligations of data controllers and processors. Although on paper it would provide clearer guidance on enforcement, the lack of an independent DPA may undermine its efficacy, especially considering the MOCI’s current attitude toward enforcement. On the positive side, however, the Bill has an extensive personal, material and territorial scope that would bring Indonesia in line with contemporary regulatory models like the EU GDPR.

 

©2022. BE Partners. All Rights Reserved

 

[1] Office of the Australian Information Commissioner, ‘Australian Privacy Principles quick reference’ (Web Page, OAIC, Australian Government, 12 March 2014) <www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference>.
[2] Muhammad Firdaus, ‘A Review of Personal Data Protection in Indonesia’ (Research Paper, 8 December 2020) 3, 7 <www.academia.edu/44484088/A_Review_of_Personal_Data_Protection_Law_in_Indonesia>.
[3] Ira Aprilianti, ‘Protecting People: Promoting Digital Consumer Rights’ (Research Paper, Center for Indonesian Policy Studies (CIPS), 15 May 2020) <https://repository.cips-indonesia.org/publications/310040/protecting-people-promoting-digital-consumer-rights#id-section-content>.
[4] Gliddheo Algifariyano Riyadi, ‘Data Privacy in the Indonesian Personal Data Protection Legislation’ (Policy Brief No. 7, Center for Indonesian Policy Studies (CIPS), March 2021) <https://c95e5d29-0df6-4d6f-8801-1d6926c32107.usrfiles.com/ugd/c95e5d_d4dad8abc56341b090a727d438957b57.pdf>.
[5] Danny Kobrata and Rahma Atika, ‘The Privacy, Data Protection and Cybersecurity Law Review: Indonesia’ in Alan Charles Paul (ed), The Privacy, Data Protection and Cybersecurity Law Review (The Law Reviews, 8th ed, 2021) <https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/indonesia>.
[6] Ibid.
[7] Graham Greenleaf and Andin Aditya Rahman, ‘Indonesia’s PD Bill Lacks a DPA, Despite GDPR Similarities’ (2020) 164 Privacy Laws & Business International Report 1, 3–7 <http://www5.austlii.edu.au/au/journals/UNSWLRS/2021/10.pdf>.
[8] Muhammad Firdaus, ‘A Review of Personal Data Protection in Indonesia’ (Research Paper, 8 December 2020) 6 <www.academia.edu/44484088/A_Review_of_Personal_Data_Protection_Law_in_Indonesia>.
[9] Graham Greenleaf, ‘Global Data Privacy Laws 2021: Despite Covid delays, 145 laws show GDPR dominance’ (2021) 169 Privacy Laws and Business (PL&B) International Report <https://www.privacylaws.com/reports-gateway/articles/int169/s_int169dplaws2021/>.
[10] For further reading: Antoine Schweitzer-Chaput, ‘Independent Data Protection Authority Matters’, The Jakarta Post (online, 8 June 2021) <https://www.thejakartapost.com/academia/2021/06/08/independent-data-protection-authority-matters.html>.
 

 
