Indonesia is making a move toward modern data protection law at last. The largest ASEAN (Association of South-East Asian Nations) country in population and GDP, Indonesia currently has no consolidated data protection law.
The draft regulation for the protection of personal data in electronic systems would be Indonesia's first comprehensive data protection law. The Draft Bill, now up for debate in the House of Representatives, would narrow the gap between Indonesia and its more modern neighbors Singapore and Malaysia. It is likely the bill will be enacted soon.
It addresses private data and sensitive data, permitted uses, transfer, and protection of data through each stage of processing. Rights of the data subjects and obligations of the users are described. Of interest is the inclusion of government agencies in the regulations, along with the private sector.
Affected agencies would be the Directorate General of Immigration, which manages passport data; the Financial Services Authority, which regulates financial sector data; the Bank Indonesia, which regulates banking data; the Indonesian Consumers Foundation, which regulates protection of consumer data; the National Archives; and the Ministry of Health, which regulates health data and archives.
There are proposed guidelines which would affect the use of software in "public services", but the definition of public services is unclear. The guidelines would require the software to be registered with the Ministry of Communications and Information Technology, as well as meet administrative and technical requirements for reliability and security.
In the case of a violation, people would be able to file a complaint to a dispute resolution agency, and if the dispute was not resolved the individuals could file suit. The wording in the Draft Bill seems to be introducing a new state agency when it references a "dispute resolution body".
There are several other aspects that are unclear in the draft version of the law, including requirements for some servers to be located in Indonesia. This would apply to providers of the undefined "public services".
Another oddity with unclear implications would allow individuals to distinguish which of their personal details were confidential and which weren’t. And some have noted that while civil sanctions are mentioned there is no criminal liability for violations.
Hopefully the final draft will address any inconsistencies and provide clarification, bringing Indonesia into the fold with modern data protection.