Indonesia to Have Personal Data Protection Agency

TheIndonesia.id - The Personal Data Protection (PDP) Agency will work under the President, thus it will be answerable to the head of state, Communication and Information Minister Johnny G. Plate has said. The establishment of the agency is following Articles 58 through 60 of the PDP Law, which was ratified by the Indonesian House of Representatives (DPR RI) on Tuesday, he informed.

The agency will carry out several tasks, including the formulation and stipulation of PDP policies and strategies, supervising PDP implementation, enforcing administrative sanctions against PDP violators, as well as facilitating the out-of-court settlement of PDP disputes, he said.

The minister informed that there will be two types of sanctions. The first is administrative sanctions outlined in Article 57 of the PDP Law. They include written warnings, temporary prohibition of personal data processing activities, destruction of personal data owned by violators, and/or administrative fines.

"The sanctions will be imposed on the personal data controller or processor if they violate the PDP Law, including not processing personal data according to the use of the data as well as not preventing unauthorized data access," Plate said.

The second type of sanctions is criminal provisions outlined in Articles 67 through 73 of the law, which include a maximum fine of Rp4 billion to Rp6 billion and maximum imprisonment of 4 to 6 years.

The sanctions will be imposed on individuals or corporations who commit prohibited acts, including collecting personal data that does not belong to them to benefit themselves and/or other parties, disclosing personal data that does not belong to them, as well as falsifying personal data, which can cause harm to others.

Article 69 of the law also regulates additional penalties, including the confiscation of profits and/or assets obtained from the criminal acts as well as the obligation of the violators to pay compensation to victims of a personal data breach.

Furthermore, in Article 70 of the PDP Law, it is regulated that the penalty will be 10 times higher than the initial fine of Rp4 billion to Rp6 billion if the crime is committed by a corporation.

Violators who falsify personal data will be sentenced to six years and/or a fine of Rp60 billion, meanwhile, the ones who sell or buy personal data will be sentenced to five years and/or a fine of Rp50 billion. Additional punishment will involve the freezing of the corporation’s business or the complete dissolution of the company.

The minister said that the implementation of the PDP Law is the first step in the long road to improving personal data protection in Indonesia.
"We encourage the participation of all stakeholders, all government agencies and law enforcement officers, to successfully implement the PDP Law to establish a new era in personal data management in Indonesia and build a safe digital space in Indonesia," he added.