Constitutional Court Upholds Personal Data Protection Law, while Businesses Await Derivative Regulations

After Indonesia’s Constitutional Court upheld contested provisions of the Personal Data Protection Law, the government is now drafting derivative regulations that will provide details on data processing requirements and sanctions for non-compliance with the new law.

The Constitutional Court (Mahkamah Konstitusi) in April handed down two decisions in response to applications for the judicial review of certain provisions of Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”). In Case No. 108/PUU-XX/2022 and Case No. 110/PUU-XX/2022, the Court ruled that the PDP Law is not contrary to the Constitution and therefore it is legally binding.

Following our Advisory on the PDP Law (view it here), this Advisory provides an update on the law’s implementation and its clarification by the Constitutional Court.

The PDP Law sets out the rights, obligations, and requirements for personal data utilization by both Personal Data Subjects (or owners) and Personal Data Controllers. However, we are still waiting for the implementing regulations that will elaborate on various matters, including requirements and procedures for personal data processing and transfers, as well as administrative sanctions for violations.

As the PDP Law has a two-year transitional period from its enactment, full compliance is required by 17 October 2024.

In Indonesia, laws and regulations can undergo judicial review to ensure they are not contrary to a higher law and do not jeopardize any party. The Supreme Court has the authority to review regulations against laws, while the Constitutional Court has the authority to review laws against the Constitution.

Following the enactment of the PDP Law, some Indonesian citizens submitted applications for judicial review of the validity of certain provisions of the law, alleging them to be contrary to the Constitution. Specifically, they challenged the definition of a Data Controller, the exemption for personal and household data processing activities, the categories of Data Controllers and Data Processors, as well as the waiver of rights in the interests of national security.

The judicial reviews were filed under Case No. 108/PUU-XX/2022, submitted on 28 October 2022, and Case No. 110/PUU-XX/2022, submitted on 7 November 2022. Below is a summary of the PDP Law provisions contested by the petitioners, as well as the Constitutional Court’s opinion and clarification.


Case No. 108/PUU-XX/2022

  • Article 1 (4): A Personal Data Controller is any person, public body or international organization that acts either individually or jointly in determining the purposes and exercising control over the processing of Personal Data.
  • Article 2 (2): This Law does not apply to the processing of Personal Data by individuals in personal or household activities.
  • Article 19: A Personal Data Controller or Personal Data Processor encompasses: Any person; Public bodies; and International organizations.

Constitutional Court’s Opinion

The provisions are not contrary to the Constitution considering the following:

  • Household activities are considered private and fall within the non-commercial sector. The PDP Law clearly limits exceptions to the obligation, so it applies only to personal, private and family-related activities.
  • A household cannot be classified as a Personal Data Controller or Personal Data Processor since no business activity is being conducted within the household.
  • The PDP Law aims to distinguish between the functions and obligations of commercial enterprises and households.
  • If a household activity, such as e-commerce, is profit-oriented, then the obligations and requirements of Personal Data Controllers and Personal Data Processors must be followed.
  • Therefore, Article 2 (2) of the PDP Law provides protection for personal data processing by individuals in personal or household activities. This does not violate the right to obtain recognition, guarantees, protection and legal certainty under Article 28D (1) of the Constitution.

Case No. 110/PUU-XX/2022

  • Article 15 (1): The rights of Personal Data Subjects as referred to in Article 8, Article 9, Article 10 (1), Article 11, and Article 13 (1) and (2) are exempted for the following purposes: National defense and security interests.

Constitutional Court’s Opinion

The provisions are not contrary to the Constitution, considering the following:

  • The principle of the public interest plays a fundamental role in implementing personal data protection, which must take the public interest into account.
  • The waiver of Personal Data Subjects’ rights can only be applied in accordance with the law and is limited in scope.

The Constitutional Court’s decisions on the two cases mean the PDP Law remains legally valid and binding in its original form since its enactment in October 2022. 

Therefore, even small-to-micro-scale household businesses engaged in e-commerce activities are not exempt from complying with the obligations of personal data controllers, as stated by the Constitutional Court. The decision clearly states that household parties engaged in commercial activities must fulfill the obligations of personal data controllers and respect the rights of their consumers as Personal Data Subjects.

Further, although there are some concerns over the potential waiver of Personal Data Subjects’ rights in the interests of national defense and security, the Constitutional Court has clarified that this exemption is limited and only applicable when mandated by the law and in the event of threats to the nation’s defense and security, such as terrorism or other such extraordinary crimes.

Indonesia has been hit by a wave of breaches of personal data in recent years, often involving hackers. In May 2023, it emerged that the personal data of employees and customers of Bank Syariah Indonesia (BSI) had been hacked. The case remains under investigation by BSI and the Financial Services Authority.

While such cases have raised concern over the fact that the PDP Law will not be fully implemented until October 2024, the government hopes to introduce to the public its draft derivative regulations on the law by September 2023. Businesses will need sound advice to ensure they adhere to the PDP Law; otherwise, they may face an administrative fine of up to 2% of their annual income or revenue for non-compliance.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If you have any questions, please contact:

  1. Heru Mardijarto – heru.mardijarto@makarim.com
  2. Hana Riris Mayrin Veranda – alfitras.tavares@makarim.com

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

M&T Advisory is a digital publication prepared by the Indonesian law firm, Makarim & Taira S. It informs generally on the topics covered and should not be treated as legal advice or relied upon when making investment or business decisions. Should you have any questions on any matter contained in M&T Advisory, or other comments in general, please contact us at the emails provided at the end of this article.
