Indonesia – Personal Data Protection Bill adopted

The PDP Bill will modernise and harmonise Indonesia’s current data protection regulatory landscape. It provides for establishment of a personal data protection authority (the PDP Authority) which will be directly responsible to the President and have a broad range of power, ranging from enacting policy, supervising compliance to the PDP Bill and imposing administrative sanctions for breaches.  The bill also introduces familiar GDPR-like concepts, such as controller and processor roles, data protection officers, and sensitive data. The PDP Bill further creates rights of data subjects, including the right to be informed about processing of personal data, to access and rectify personal data, withdraw consent and restrict processing. It provides for various controller and processor obligations, including an obligation to report a personal data breach to the PDP Authority data subjects within 72 hours. 

Violations of the PDP Bill are subject to administrative fines of up to 2% of the company’s annual revenue and criminal sanctions of up to six years imprisonment or a fine of IDR 6 billion (approx. EUR 405,000) for certain offences.

The PDP Bill provides for a two-year period for organisations to become compliant.

The press releases are available here and here, the latest draft of the PDP Bill and the legislative file (all in Indonesian only).