PDP Law Implementing Regulation Forthcoming, But Data Breach Fines Still Unclear

TILP - Issue 1, March 2024

After multiple data breaches plagued Indonesia in 2023 and more than a year having elapsed since the enactment of Law No. 27 of 2022 on Personal Data Protection Law (“PDP Law”), the government is now preparing to release the law’s first implementing regulation, which will elaborate on fines for data leaks, but the specifics still remain uncertain.

The draft Government Regulation on PDP (“Draft GR”) will regulate various aspects of the PDP Law, including the establishment of the forthcoming PDP Agency and the imposition of administrative sanctions, including fines.

This article looks at the factors that will influence the level of administrative fines and how they will affect entities involved in data leaks.

Administrative fines are mentioned briefly in the PDP Law, which states they will be determined by the PDP Agency and capped at a maximum of 2% of the offending entity’s annual income or revenue, depending on the severity of the violation.

The elucidation of the Draft GR provides further clarity, defining income as the gross economic benefit derived from the entity’s regular activities during a specified period, excluding any equity increase resulting from investor contributions. In simpler terms, income here refers to gross income.

The Draft GR introduces, for the first time, detailed variables of violations, including:

1. the severity of the violation’s adverse effects;
2. the duration of the violation;
3. the type of Personal Data impacted;
4. the number of individuals affected;
5. the process for investigating violations;
6. the level of disclosure and cooperation from the Data Controller during the investigation;
7. the business scale of the Data Controller or Data Processor;
8. the ability of the Data Controller or Data Processor to pay fines; and
9. other relevant considerations.

Unfortunately, the Draft GR does not provide further explanation on the variables nor a formula related to the above variables. Instead, their calculation will be determined by the PDP Agency (as one of its authorities under the PDP Law) based on its own regulations. However, the establishment of the PDP Agency itself is pending and its inception date remains unknown.

Until further implementing regulations are issued, the following is a general summary of the obligations imposed on Data Controllers and/or Data Processors by the Draft GR, violations of which are subject to administrative sanctions:

1. Obtaining explicit consent from Data Subjects for data processing activities (or from a parent or guardian if the Data Subject is a child).
2. Ensuring transparency, accuracy, completeness and consistency of data processing through verification.
3. Updating, rectifying or providing access to Data Subjects within 3 x 24 hours of notification.
4. Notifying Data Subjects in the event of a data breach within 3 x 24 hours.
5. Conducting impact assessments on high-risk Personal Data processing.
6. Appointing a Data Protection Officer.
7. Ensuring the protection and security of Personal Data processing from unlawful processing and unlawful access).
8. Recording all Personal Data processing activities.
9. Complying with international data transfer requirements.

Given the significance of the obligations placed on Data Controllers and Data Processors, as well as the various violation variables introduced, it remains to be seen how the PDP Agency will calculate the formula to determine administrative fines.

The enforcement of administrative fines will be the next big thing, given that the PDP Law is, in theory, also applicable to foreign parties acting as Data Controllers or Data Processors. It will be interesting to see how the government (or PDP Agency) enforces sanctions against foreign parties and how effectively the PDP Agency ensures compliance with data breach reporting by both domestic and foreign Data Controllers and Data Processors.

-----

Click the "download file" button to read the PDF version.

If you have any questions, please contact:

1. Reagan Roy Teguh, Partner - reagan.teguh@makarim.com

_{The Indonesian Legal Perspective by M&T is a digital publication prepared by the Indonesian law firm, Makarim & Taira S. It informs generally on the topics covered and should not be treated as legal advice or relied upon when making investment or business decisions. Should you have any questions on any matter contained in this article,   or other comments in general, please contact us at the emails provided at the end of this article.}