Norman Harsono and Faris Mokhtar – Data operators could face up to five years in jail and a maximum fine of 5 billion rupiah ($337,000) for leaking or misusing private information, according to Indonesia's new data privacy bill set to be passed by parliament this week.
Institutions may collect personal information for a specific purpose but must erase the record once that purpose has been met, according to a copy of the draft law obtained by Bloomberg. Relevant parties have two years to comply with the rules once it becomes law.
Indonesia is under pressure to pass the law to improve its cyber security as breaches at companies and government institutions intensified in the past year. Just a few days ago, the country's National Cyber and Encryption Agency said it's investigating an alleged data leak of 105 million Indonesians. Earlier this month, authorities were investigating a data leak relating to mobile phone SIM cards that involved more than two million lines of data being released.
The Personal Data Protection bill states that consent must be obtained from each individual for records such as name, gender, and medical history, with a clear agreement in place on how the data will be used, along with accountability measures. Each person has the right to withdraw their consent and receive compensation for any breaches. Anyone that fabricates personal data may face up to six years in jail and as much as 6 billion rupiah in fines.
Enacting the data privacy law is even more important as Indonesia's digital economy is set to grow to $146 billion by 2025, according to the latest report by Alphabet Inc.'s Google, Singapore's Temasek Holdings Pte. and global business consultants Bain & Co. Cloud data provider PT DCI Indonesia said in March a new project to set up a data center in Bintan will only proceed once the government issue a regulation on data safety and protection.
"The new law is overdue and will, if administered correctly, be a much-needed boon for Indonesia's large and growing tech sector," said Joel Shen, who heads the technology practice in Asia for global law firm Withers.
Disagreements over the establishment of a new data protection oversight agency had held up the legislative process for months, said Almasyhari. Lawmakers argued that the agency must be independent, while the government wanted it to be managed under the ministry of communications and information technology. The two sides finally agreed to let the President design and control the agency, while parliament lays out its role.
The agency's independence can only be safeguarded if the selection of its members is carried out in an open and accountable manner, said D. Nicky Fahrizal, a researcher at the Jakarta-based Centre for Strategic and International Studies. "Then, we must also examine the extent of the President's power within the institution," he told Bloomberg on Monday.
The passing of the bill would make Indonesia the fifth Southeast Asian country to have a specific law on personal data protection after Singapore, Malaysia, Thailand and the Philippines.