Introduction of the Official Personal Data Protection Act (UU PDP)
In the digital age, protecting personal information is paramount, especially with the widespread use of the Internet and social media. As individuals increasingly share information online, they become vulnerable to threats such as data theft, identity fraud and cyber-attacks. Protecting personal data ensures that sensitive information is not exposed to unauthorised access or misuse, helping to maintain privacy and security in an environment where digital threats are ever-present.
The Personal Data Protection Act (Undang-Undang Perlindungan Data Pribadi / UU PDP) is a regulation designed to protect the privacy and security of individuals' personal data. Its primary objective is to provide robust protection against unauthorised use, unwarranted disclosure and potential misuse of personal information.
In addition, the law aims to promote transparency in data use, empower individuals with the right to control their personal data, and establish clear responsibilities for organisations and entities involved in the collection, management and processing of such data.
Personal Data Protection Law in Indonesia
In Indonesia, the protection of personal data is governed by Law No. 27 of 2022, known as the Personal Data Protection Law (UU PDP). This legislation, which was enacted on 17 October 2022, defines personal data as any information relating to an individual that can be identified either independently or in conjunction with other data, whether through electronic or non-electronic systems.
The Personal Data Protection Act (UU PDP) establishes the Personal Data Protection Agency (Lembaga Pengawas PDP), a state institution appointed by and reporting directly to the President. The Agency (Lembaga Pengawas PDP) acts as a regulator, dispute resolution facilitator and enforcer of administrative compliance with the PDP Act. It also plays a strategic role in managing international cooperation and overseeing the assessment of international transfers of personal data.
The PDP Law will officially come into force in 2024. In preparation for its full implementation, the government is drafting a complementary government regulation (PP), which is currently under public consultation. As a result, all parties involved, including data owners, controllers and processors, need to familiarise themselves with the requirements set out in the PDP Law.
Prohibitions under the Personal Data Protection Act
The recently ratified draft of the PDP Law outlines four key prohibitions relating to personal data:
1. The prohibition of obtaining or collecting personal data without authorisation with the intention of obtaining personal or external benefits that may harm the data subject (Article 65 of the PDP Law).
2. The prohibition of unauthorised disclosure of personal data with the intention of obtaining personal or external benefits that could harm the data subject (Article 65 of the PDP Law).
3. The prohibition of the unauthorised use of personal data with the intention of obtaining personal or external benefits that could harm the data subject (Article 65 of the PDP Law).
4. The prohibition of creating or falsifying personal data with the intention of obtaining personal or external benefits that could harm others (Article 66 of the PDP Law).
Legal Sanctions in the Personal Data Protection Law (UU PDP)
Law No. 27 of 2022 not only deals with the protection of personal data and the establishment of the Personal Data Protection Agency, but also establishes sanctions and penalties for violations of the PDP Law. These sanctions apply to electronic system operators (PSE) in the public, private, individual and corporate sectors.
The draft PDP Law provides for two categories of sanctions for those who violate personal data regulations. The first category is aimed at controllers or processors of personal data who fail to comply with the PDP Law, for example, by processing data for purposes other than its intended use or by failing to prevent unauthorised access to the data.
Legal sanctions under the PDP Law are divided into four types. The first is administrative sanctions, as set out in Article 57, which may include a written warning. The second is the temporary suspension of the processing of personal data. The third sanction is the deletion or destruction of personal data. Finally, there are administrative fines, which, depending on the nature of the offence, can amount to up to 2% of the annual turnover or income.
The second category relates to individuals or companies that engage in prohibited activities, such as collecting personal data that does not belong to them for their own benefit or the benefit of others, unlawfully disclosing personal data, or falsifying personal data for profit, resulting in harm to others. These acts are punishable under Articles 67 to 73 of the PDP Law, including fines ranging from IDR 4 to 6 billion and imprisonment for up to 4 to 6 years.
In addition, Article 69 provides for additional penalties, which may include the confiscation of profits or assets derived from the crime and the payment of compensation. In cases where the offence is committed by a legal entity, Article 70 of the PDP Law provides for fines of up to 10 times the original penalty, as well as the possibility of imposing other additional penalties.
Falsifying personal data is punishable by up to 6 years in prison and/or a fine of Rp60 billion. Engaging in the sale or purchase of personal information carries a penalty of up to 5 years in prison or a fine of Rp50 billion. Companies found guilty of violating these regulations may face additional criminal penalties, including confiscation of profits and assets, suspension of some or all business operations, or even dissolution of the company.