Actio Insight (Personal Data)

Indonesia's Law Number 27 of 2022 on Personal Data Protection (PDP Law) aims to safeguard citizens' privacy rights and will be fully enacted by October 2024. The law outlines specific rights for data subjects, including access, correction, and deletion of personal data, while also establishing consent requirements for data processing. Challenges include balancing these rights with data controllers' legal obligations and ensuring informed consent amidst widespread internet use.

Uploaded by

Muhammad Haris
Copyright: © All Rights Reserved

ACTIO INSIGHT

A Closer Look At Indonesia's Privacy Rights
By Setyawati Fitrianggraeni, Sri Purnama

INTRODUCTION
Personal data protection is a form of personal protection, so a legal basis is needed to ensure
security for personal data, based on the 1945 Constitution of the Republic of Indonesia.[1] Law
Number 27 of 2022 on Personal Data Protection (PDP Law) was passed in October 2022 in Indonesia.
The PDP Law gives relevant parties a two-year period to comply with its provisions, which means that
this 'grace period' will end in October 2024. The Law aims to ensure citizens' right to personal
protection, raise public awareness, and ensure recognition of and respect for the importance of
personal data protection.[2]

Balancing the protection of people’s privacy with data-driven economic growth is the central
challenge for Indonesia’s digital economy. Data is ubiquitous and is part of any economic activity
taking place online. Hootsuite (We Are Social) 2022 data shows that 204.7 million
Indonesians use the internet, and 93.5 percent are active social media users. The development of
the digital world has also spawned several new cultures and behaviors, from uploading anything to
online transactions.[3] The digital economy is more than 15% of global GDP and is growing twice as
fast as the physical world’s GDP.[4]

DEFINITION AND SCOPE OF PERSONAL DATA


Personal Data are data regarding individuals who are identified or can be identified separately or in
combination with other information, either directly or indirectly, through an electronic or
non-electronic system.[5] According to the PDP Law, personal data shall consist of Specific and General
Personal Data.[6] Specific Personal Data shall include:[7] a. health data and
information; b. biometric data; c. genetic data; d. crime records; e. child data; f. personal financial
data; and/or g. other data in accordance with provisions of laws and regulations. General
Personal Data shall include:[8] a. full name; b. gender; c. citizenship; d. religion; e. marital status;
and/or f. combined Personal Data to identify a person.

Personal data can vary widely across different sectors. In practice, these also include all data that
can be assigned to a person in any way.[9] For example, in the financial sector, personal data
may include bank account details, credit card information, transaction records, income statements,
and credit scores used for financial assessments.[10] In the healthcare sector, medical records,
prescriptions, patient histories, and biometric data such as fingerprints or iris scans used for patient
identification are categorized as personal data. Other than that, the employment sector
encompasses personal data such as resumes, job applications, payroll information, performance
evaluations, and disciplinary records. These examples illustrate the diverse nature of personal data
collected and processed across various sectors in Indonesia in accordance with PDP Law.

[1] Point b of Consideration, Law Number 27 of 2022 on Personal Data Protection.


[2] Point c of Consideration, Law Number 27 of 2022 on Personal Data Protection.
[3] Lina Miftahul Jannah, “Personal Data Protection Act and Challenges to Its Implementation”, https://fia.ui.ac.id/en/uu-perlindungan-data-pribadi-dan-tantangan-implementasinya/ accessed on 21 July 2024.
[4] World Economic Forum, “Why Digital Trust is Key to Building Thriving Economies”, accessed on 21 July 2024.
[5] Article 1 point 1 of Law Number 27 of 2022 on Personal Data Protection.
[6] Article 4 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[7] Article 4 paragraph (2) of Law Number 27 of 2022 on Personal Data Protection.
[8] Article 4 paragraph (3) of Law Number 27 of 2022 on Personal Data Protection.
[9] Intersoft Consulting, “GDPR Personal Data”, https://gdpr-info.eu/issues/personal-data/#:~:text=For%20example%2C%20the%20telephone%2C%20credit,address%20are%20all%20personal%20data accessed on 21 July 2024.
[10] Egnyte, “Financial Privacy: What is it?”, https://www.egnyte.com/guides/financial-services/financial-data-protection#:~:text=Examples%20of%20financial%20information%20that,third%2Dparty%20credit%20analysis%20firms accessed on 21 July 2024.

RIGHTS OF DATA SUBJECTS
Under the PDP Law, Data Subjects’ Rights are regulated in Section IV, which comprises 11 Articles. There are
several Data Subjects’ Rights,[11] i.e., the right to obtain information regarding identity clarity[12],
the right to complete, update and/or correct errors and/or inaccuracies in Personal Data[13], the
right to access and obtain a copy of Personal Data[14], the right to end processing, delete, and/or
destroy Personal Data[15], the right to withdraw consent to the processing of Personal Data[16], the
right to object to a decision-making action[17], the right to delay or limit the Personal Data
processing[18], the right to sue and receive compensation for violations of the processing of
Personal Data[19], the right to obtain their personal data from data controllers in a commonly used
or machine-readable format[20], and the right to use their personal data and transmit it to other
data controllers, provided that the systems used can communicate securely in accordance with the
principles of personal data protection as stipulated in this law.[21]

In relation to Data Subjects’ Rights, there are consent requirements for processing data with which
the data controller must comply. A Personal Data Controller must have a basis for Personal
Data Processing.[22] The PDP Law regulates six grounds for personal data processing,[23] one of
which is the consent of Data Subjects. A request for consent must be accompanied by certain
prescribed information, clearly distinguishable from other matters, and in a format that is easily
understandable and accessible. The consent itself must be explicit, informed, specific to a purpose,
and recorded.

COMPARATIVE ANALYSES
The rights of Data Subjects under the General Data Protection Regulation (GDPR) and the PDP Law
are similar, as the PDP Law was benchmarked against the GDPR. Both frameworks address
rights such as the right to be informed, access to data, data correction, data deletion, and
restrictions or refusal of data processing.

However, a key difference between the GDPR and the PDP Law is how they handle the limitation or
exclusion of these rights. The GDPR outlines specific requirements for such limitations, including: (a)
the purpose of processing or the category of the processing; (b) categories of personal data; (c) the
scope of the restrictions introduced; (d) safeguards to prevent misuse or unlawful access or transfer;
(e) controller specifications or controller categories; (f) the applicable storage and custody period,
taking into account the nature, scope, and purpose of processing or processing category; (g) risks to
the rights and freedoms of data subjects; and (h) the right of the data subject to be notified of the
restriction, unless doing so would be detrimental to the purpose of the restriction.[24] This detailed
approach ensures consistent protection and prevents authorities from taking arbitrary actions. In
contrast, the PDP Law lacks clear and detailed regulations on implementing these limitations or
exclusions.[25]

[11] Tim Hukumonline, “Wajib Tahu, ini 9 Hak Pemilik Data Pribadi dalam UU PDP”, https://www.hukumonline.com/berita/a/hak-pemilik-data-pribadi-lt637870f3686aa/#! accessed 22 July 2024.
[12] Article 5 of Law Number 27 of 2022 on Personal Data Protection.
[13] Article 6 of Law Number 27 of 2022 on Personal Data Protection.
[14] Article 7 of Law Number 27 of 2022 on Personal Data Protection.
[15] Article 8 of Law Number 27 of 2022 on Personal Data Protection.
[16] Article 9 of Law Number 27 of 2022 on Personal Data Protection.
[17] Article 10 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[18] Article 11 of Law Number 27 of 2022 on Personal Data Protection.
[19] Article 12 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[20] Article 13 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[21] Article 13 paragraph (2) of Law Number 27 of 2022 on Personal Data Protection.
[22] Article 20 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection.
[23] See Article 20 paragraph (2) of Law Number 27 of 2022 on Personal Data Protection, which states:
“The basis for Personal Data processing as referred to in paragraph (1) shall include:
a. an explicit valid consent from Personal Data Subjects for 1 (one) or several specific purposes that the Personal Data Controller has submitted
to Personal Data Subjects;
b. fulfilment of agreement obligations if a Personal Data Subject is a party or to fulfil the request of the Personal Data Subject at the time of
agreeing;
c. fulfilment of the legal obligations of the Personal Data Controller in accordance with provisions of laws and regulations;
d. fulfilment of the protection of vital interests of the Personal Data Subject;
e. carrying out duties in the context of public interest, public services, or exercising the authority of the Personal Data Controller based on laws
and regulations; and/or
f. fulfilment of other legitimate interests by taking into account the purposes, needs, and balance of interests of the Personal Data Controller
and the rights of the Personal Data Subject.”
[24] Article 23 paragraph 2 of the General Data Protection Regulation.
[25] Valentina Ancilia Simbolon and Vishnu Juwono, “Comparative Review of Personal Data Protection Policy in Indonesia and The European
Union General Data Protection Regulation”, Publik (Jurnal Ilmu Administrasi), 11 (2): 2022, p.182-183.

CHALLENGES AND LIMITATIONS
Potential conflicts can arise between data subjects' rights and data controllers' obligations under
personal data protection laws. For instance, while data subjects have the right to request
rectification of their personal data, data controllers may be obligated by other legal requirements to
retain certain data for compliance or legal purposes. This can create a conflict where data subjects
seek deletion of their data,[26] but data controllers must balance this with their legal obligations to
retain records.[27]

Another potential conflict arises in cases where data subjects object to automated decision-making
processes, yet data controllers may argue that such processes are necessary for efficient operations
or are legally justified.[28] Moreover, ensuring data security and preventing unauthorised access to
personal data[29] may sometimes conflict with data subjects' rights to access and obtain their data
promptly. Resolving these conflicts requires careful consideration of data subjects' rights and the
legitimate interests or obligations of data controllers, often necessitating clear policies, transparent
communication, and adherence to legal standards to protect personal data while respecting data
subjects’ rights.[30]

Furthermore, the enforcement of data protection laws faces additional hurdles when data subjects
enter into contracts without fully understanding their content.[31] This issue, where individuals
consent to terms and conditions without comprehensive reading, complicates efforts to ensure
informed consent, which is a cornerstone of personal data protection. Addressing this challenge
requires not only clear and accessible contract language but also enhanced public education on the
importance of understanding contractual obligations related to personal data.

CONCLUSION
Indonesia's PDP Law, set to be enacted in October 2024, aims to protect its citizens' privacy by
defining personal data and outlining individuals' rights over their data. This law is crucial because it
helps Data Subjects control their information in a world where internet use is widespread.
Moreover, the PDP Law regulates several data subjects' rights. By allowing individuals to access and
control their data, the law builds trust and ensures that the benefits of the digital economy do not
compromise personal privacy. This is essential for balancing economic growth with protecting Data
Subjects' rights in the digital era.

[26] Article 43 paragraph (1) point c of Law Number 27 of 2022 on Personal Data Protection.
[27] Article 50 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection:
“The obligations of a Personal Data Controller as referred to in Article 30, Article 32, Article 36, Article 42, Article 43 paragraph (1) letter a to
letter c, Article 44 paragraph (1) letter b, Article 45, and Article 46 paragraph (1) letter a, shall be exempted for:
a. the interests of the national defense and security;
b. the interests of law enforcement process;
c. public interest in the context of state administration; or
d. the interests of supervision of the sectors of financial services, monetary, payment system, and financial system stability carried out in the
context of state administration.”
[28] Personal Data Controllers are required to assess the impact of Personal Data Protection in cases where Personal Data processing has a
high potential risk to Personal Data Subjects, including automated decision-making that has legal consequences or significant impacts on
Personal Data Subjects. See, Article 34 paragraph (1) and (2) point a of Law Number 27 of 2022 on Personal Data Protection.
[29] Article 39 of Law Number 27 of 2022 on Personal Data Protection.
[30] Article 20 paragraph (2) letter f of Law Number 27 of 2022 on Personal Data Protection.
[31] For example, according to the CPRC Report, most Australians (94%) do not read all privacy policies that apply to them. See,
Katharine Kemp, "It's rational that 94% Australians do not read all privacy policies that apply to them", UNSW,

REFERENCES

Law Number 27 of 2022 on Personal Data Protection.

The General Data Protection Regulation.

Egnyte, “Financial Privacy: What is it?”, https://www.egnyte.com/guides/financial-services/financial-data-protection#:~:text=Examples%20of%20financial%20information%20that,third%2Dparty%20credit%20analysis%20firms accessed on 21 July 2024.

Intersoft Consulting, “GDPR Personal Data”, https://gdpr-info.eu/issues/personal-data/#:~:text=For%20example%2C%20the%20telephone%2C%20credit,address%20are%20all%20personal%20data accessed on 21 July 2024.

Lina Miftahul Jannah, “Personal Data Protection Act and Challenges to Its Implementation”, https://fia.ui.ac.id/en/uu-perlindungan-data-pribadi-dan-tantangan-implementasinya/ accessed on 21 July 2024.

Tim Hukumonline, “Wajib Tahu, ini 9 Hak Pemilik Data Pribadi dalam UU PDP”, https://www.hukumonline.com/berita/a/hak-pemilik-data-pribadi-lt637870f3686aa/#! accessed 22 July 2024.

Valentina Ancilia Simbolon and Vishnu Juwono, “Comparative Review of Personal Data Protection Policy in Indonesia and The European Union General Data Protection Regulation”, Publik (Jurnal Ilmu Administrasi), 11 (2): 2022, p.182-183.

World Economic Forum, “Why Digital Trust is Key to Building Thriving Economies”, accessed on 21 July 2024.


For further information, please contact:

WWW.AP-LAWSOLUTION.COM
P: 6221. 7278 7678, 72795001
H: +62 811 8800 427

S.F. Anggraeni
Managing Partner
[email protected]

Sri Purnama
Junior Legal Research Analyst
[email protected]
