Nigel Cory, Washington, DC – On Sept. 20, Indonesia ratified its first comprehensive data privacy legislation – the Personal Data Protection (PDP) Law, which has the potential to constitute a solid, well-designed foundation for its digital economy.
While the notorious hacker "Bjorka's" release of personal information pressured policymakers to act, it thankfully didn't lead to knee-jerk reactions like data localization, where policymakers force firms to only store data within a country's borders in the mistaken belief that it leads to better data privacy or cybersecurity (it doesn't).
Indonesia's PDP Law is of regional and global significance, not just for its avoidance of localization, but because of its potential to become a model of pragmatic and flexible cross-border data flows.
At the heart of the PDP Law is the crucial "accountability principle", which means that all organizations operating in Indonesia will be held responsible for managing Indonesian data regardless of where the data is. Legal responsibilities move with the data.
While this may sound like common sense, other jurisdictions like the European Union try to make other countries responsible for protecting European personal data by forcing them to harmonize their privacy laws with the EU's. The EU associates geography with data privacy via adequacy decisions, where Europe judges whether a country is "adequate" to protect European personal data.
In 20-plus years, only a handful of countries have been deemed adequate as part of prescriptive and painstaking negotiations. Understandably, many countries don't want to be judged by European policymakers as if Europe's approach to privacy is the only one.
It is one thing to adopt and adapt parts of Europe's privacy law, but it's simply unrealistic to force other countries to copy and paste your laws.
The accountability principle is the foundation for a reasonable approach to managing data in an interconnected global digital economy. It's a simple fact that international trade involving consumers cannot occur without collecting and sending personal data across borders – such as names, addresses, billing information, etc. It's important not just for "tech" firms but for firms in all sectors.
While Indonesia's PDP Law avoided data localization, the country has enacted it in other areas (like the financial sector) and is still considering it in others (public service providers). Localization is a costly and misguided policy.
The Information Technology and Innovation Foundation's (ITIF) new report shows that if Indonesia enacted all proposed localization policies, after five years trade volumes would decline by an estimated 5.8 percent, imports decline 6.9 percent, and import prices increase 2 percent. That Indonesia's overall trade volumes decrease in line with imports suggests that exports are also affected as these imports are used as intermediate inputs in domestic production and trade.
To Indonesian policymakers' credit, the PDP Law took an interesting, sequenced approach to cross-border data flows that could be a model for other countries. Starting at the top, if the foreign country has a data privacy law at the same or a higher level than Indonesia, Indonesian personal data can flow there. Firms would need to do an assessment.
Next down, if a country-level assessment isn't appropriate, organizations can assess whether there is an "adequate level of binding personal data protection". While it's unclear exactly what this means, it's feasible to see authorities reviewing and approving an evolving set of legal tools for organizations to use as a legal basis for transfers.
Such tools could be standardized contracts or contractual language (such as the ASEAN Model Contractual Clauses), technical tools (like the use of pseudonymization and encryption), and current and new regional and global personal data transfer frameworks, like the new Global Cross-Border Privacy Regime. Finally, organizations can rely on a broad exemption that allows transfers if a data subject provides consent.
The PDP Law's potential to become a model for data transfers depends on getting the implementing regulations right. However, there's reason for hope. Indonesia's policymakers were open and responsive to constructive feedback during the PDP bill drafting process. Hopefully, this continues.
A pragmatic, sequenced, and flexible approach to data flows paves the way for Indonesia to mutually recognize evolving data privacy regimes and tools, even at the inter-governmental level (e.g., the United Kingdom). It also allows Indonesia and its neighboring countries to treat each other with respect and dignity in dealing with a shared issue for which there is no single approach, but many shared principles and comparable approaches.
Whether it's ASEAN, APEC, or other groupings, Indonesia can support and work with others through best practices and data protection resources in a coordinated effort to tackle this global phenomenon.
Indonesian Communication and Information Minister Johnny Plate was right in stating that the PDP Law makes Indonesia a leader in global data governance and that it's consistent with the Group of 20's Data Free Flow With Trust initiative – another accountability-based initiative.
However, whether Indonesia realizes its future digital potential depends on getting the data transfer provisions right and connecting them with global initiatives and best practices.
[The writer is associate director of trade policy at the Information Technology and Innovation Foundation (ITIF).]