1 of 53

DATA PROTECTION LAW: INDONESIA AND BEYOND

Professor Abu Bakar Munir

13 April 2023

2 of 53

CONCEPT OF PRIVACY

2

Privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, thoughts, feelings, secrets and identity.

The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.

Copyright Reserved. © Prof Abu Bakar Munir 2022

3 of 53

OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER (OAIC)

3

Privacy is a fundamental human right that underpins freedom of association, thought and expression, as well as freedom from discrimination. But it’s hard to define. Different countries offer different views, as do individuals.

Generally speaking, privacy includes the right:

to be free from interference and intrusion
to associate freely with whom you want
to be able to control who can see or use information about you

Copyright Reserved. © Prof Abu Bakar Munir 2022

4 of 53

PRIVACY INTERNATIONAL

4

Privacy is a fundamental right, essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built.��Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. ��Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information.

Copyright Reserved. © Prof Abu Bakar Munir 2022

5 of 53

PRIVACY IN RELIGION

5

Islamic law – privacy principles are revealed or deducted from Qur'an, Sunnah, history and culture.

Doctrine of privacy derived from the inviolability of man and the manifestation of human dignity.

Privacy in various contexts: of home, private correspondence, conversations, prohibition of espionage, strong discouragement of suspicion, concealment of privacy of others & privacy of deceased

Bible has several references to privacy

Jewish law has developed a body of law around the concept of Hezzek re’iyah which means the injury caused by seeing or the injury caused by being seen

Copyright Reserved. © Prof Abu Bakar Munir 2022

6 of 53

PRIVACY IN ISLAM

6

Basic Fundamental Rights in Islam

Right to life
Right to live in dignity
Right to justice
Right to equal protection of law
Right to choice
Right to free expression
Right to privacy
Right to property
Right to basic necessities of life
Right to revolt

Copyright Reserved. © Prof Abu Bakar Munir 2022

7 of 53

THE HOLY QURAN

7

…Do not spy on another

Al-Hujuraat: 12

…Do not enter any house except your own houses unless you are sure of their occupants’ consent

An-Noor:27

… goodness does not consist of entering by the back door; … so enter your houses by the main door

Al-Baqara:189

Copyright Reserved. © Prof Abu Bakar Munir 2022

8 of 53

Cont..

8

Children who have not yet hit puberty should ask permission to come in at three times of day; before the dawn prayer; when you lay your garments aside in the midday heat; and after delivering prayer2

An-Noor:58

Copyright Reserved. © Prof Abu Bakar Munir 2022

9 of 53

HADITH

9

The Prophet once said, “He who looks into a letter belonging to his brother, looks into the hellfire”

“If a man finds another person secretly peeping into his house, and he blinds his eye or eyes as a punishment then he cannot be called to question nor will he be liable to prosecution”

“Come to any one’s door he did not face it squarely, (but faced the right or left corner) and stand with the wall, (that was because there were no curtains on the doors of the houses at that time) asking permission and if he got it enter (the home) otherwise left”

Copyright Reserved. © Prof Abu Bakar Munir 2022

10 of 53

BIBLE – Lays out key principles, the biggest being love.

Proverbs 20:19 “…do not associate with a gossip.”
Romans 1: 29, Corinthians 12:20 – Both differentiate gossip from slander and condemn it as the result of a depraved mind, unfitting for Christians.
1 Timothy 5:13; 2 Thessalonians :11 – Both condemn “busybodies who speak about things not proper to mention.

Confidentiality

Proverbs 11:13 – “He who goes about as a talebearer reveals secrets, but he who trustworthy conceals a matter.”
Proverbs 29: 9-10 – “…don’t reveal the secret of another, lest he who hears it reproach you, and the evil report about you not pass away”…
Matthew 18:15 – “If your brother sins, go and reprove him in private.”

11 of 53

Privacy in Hinduism

The concept of privacy can be traced to the Dharmashatras and ancient text like “Hitopadesha” where it is specifically mentioned that certain matters in relation to worship, family and sex should be protected from disclosure.

12 of 53

PRIVACY AS HUMAN RIGHTS

12

Article 12 Universal Declaration on Human Rights 1948

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Some Other Instruments

Article 17, International Covenant on Civil and Political Rights 1966
Article 16, Conventions on the Rights of the Child 1989
Article 8, European Convention on Human Rights 1950
Article 18, OIC Cairo Declaration on Human Rights in Islam 1990 (Revised in 2020)
Article 4.3, Declaration of Principles on Freedom of Expression in Africa 2002
Article 5, American Declaration of the Rights and Duties of Man
Article 21, ASEAN Human Rights Declaration
The Arab Charter of Human Rights 2004
Etc.

Copyright Reserved. © Prof Abu Bakar Munir 2022

13 of 53

13

Article 21:

No one shall be subjected to arbitrary or unlawful interference with regard to his privacy, family, home or correspondence, nor to unlawful attacks on his honour or his reputation.
Everyone has the right to the protection of the law against such interference or attacks.

Article 18:

Everyone shall have the right to live in security for himself, his religion, his dependents, his honor and his property.
Everyone shall have the right to privacy in the conduct of his private affairs, in his home, among his family, with regard to his property and his relationships. It is not permitted to spy on him, to place him under surveillance or to besmirch his good name. The State shall protect him from arbitrary interference.
A private residence is inviolable in all cases. It w ill not be entered without permission from its inhabitants or in any unlawful manner, nor shall it be demolished or confiscated and its dwellers evicted.

Copyright Reserved. © Prof Abu Bakar Munir 2022

14 of 53

14

The Right to Privacy

Samuel D. Warren and Louis D. Brandeis

Harvard Law Review

Vol. 4, No. 5 15^th Dec 1890

Copyright Reserved. © Prof Abu Bakar Munir 2022

15 of 53

TYPES OF PRIVACY

15

The right to be left alone

Bodily privacy

Privacy of communications

Territorial privacy

Informational privacy

Copyright Reserved. © Prof Abu Bakar Munir 2022

16 of 53

INFORMATION PRIVACY

16

Copyright Reserved. © Prof Abu Bakar Munir 2022

The rights of an individual to have control over his personal information

Information privacy is about promoting the protection of information that says who we are, what we do and what we believe

Informational Privacy = Personal Data Protection

17 of 53

REALITY CHECK

17

The United Nations in 2015 appointed a Special Rapporteur on the right to privacy.
The United Nations Development Group has issued Data Privacy, Ethics and Protection - Guidance Note on Big Data for Achievement of the 2030 Agenda (SDG).
The United Nations General Assembly has adopted Resolutions on The Right to Privacy in the Digital Age.
Data protection has been included in several international trade agreements, i.e., RCEP, TPP, etc.
Data protection regulation has been considered in several high proﬁle cases, i.e. FTC fined Facebook USD 5 Billion, the highest fine.
Numerous countries are drafting new data protection laws or are reviewing existing ones.
Several global and regional organizations have issued (or are developing) multiparty agreements and/or guidelines on data protection - UNICEF has issued a Guideline called The Case for Better Governance of Children’s Data: A Manifesto in 2021, WHO has issued Contact tracing in the context of COVID-19.

Copyright Reserved. © Prof Abu Bakar Munir 2022

Data Protection High on the Agenda

18 of 53

18

“If data is the new oil, then we are all data wells, and potentially valuable ones.”

Michelle Zhou

Copyright Reserved. © Prof Abu Bakar Munir 2022

19 of 53

19

Copyright Reserved. © Prof Abu Bakar Munir 2022

20 of 53

“Privacy is good for business”

Harriet Pearson

IBM Chief Privacy Officer, 1993 - 2012

20

Copyright Reserved. © Prof Abu Bakar Munir 2022

21 of 53

21

Copyright Reserved. © Prof Abu Bakar Munir 2022

22 of 53

22

Copyright Reserved. © Prof Abu Bakar Munir 2022

23 of 53

23

“Privacy will no longer be the merely immaterial or political concept it once was. Instead, privacy will begin to have substantial impacts on businesses’ bottom line. Facebook, for example, loss a whopping $119 Billion in market capitalization in the wake of the Cambridge Analytica scandal because of concerns over privacy.”

Harvard Business Review

Copyright Reserved. © Prof Abu Bakar Munir 2022

24 of 53

24

Copyright Reserved. © Prof Abu Bakar Munir 2022

25 of 53

25

Copyright Reserved. © Prof Abu Bakar Munir 2022

26 of 53

INTERNATIONAL/REGIONAL DATA PROTECTION INSTRUMENTS

26

OECD Guidelines 1980
Council of Europe Convention 1981
EU General Data Protection Regulation 2018
APEC Privacy Framework 2015
ASEAN Framework on Personal Data Protection 2016

Copyright Reserved. © Prof Abu Bakar Munir 2022

27 of 53

27

Copyright Reserved. © Prof Abu Bakar Munir 2022

28 of 53

28

The Law on the Protection of Personal Data No. 6698 (KVKK) - 2016

Law on the Protection of Personal Data ('the Data Protection Law') issued under Resolution No. 151 of 2020

Bahrain Law No. 30 of 2018 promulgating the Personal Data Protection Law (PDPL) - 2019

Law No. (13) of 2016 Concerning Personal Data Protection ("the Data Protection Law")

Personal Data Protection Law (PDPL) - 2021

Federal Decree Law No. 45 of 2021 concerning Personal Data Protection Law (PDPL)

Copyright Reserved. © Prof Abu Bakar Munir 2022

Royal Decree 6/2022 Personal Data Protection Law (PDPL)

Protection of Privacy Law (PoPL) - 2017

Lebanon Law No. 18 on Electronic Transaction and Personal Data - 2018

29 of 53

29

Copyright Reserved. © Prof Abu Bakar Munir 2022

30 of 53

30

Copyright Reserved. © Prof Abu Bakar Munir 2022

31 of 53

PRINCIPLES OF DATA PROTECTION

31

General provisions, definitions and scope

Data protection principles

Rights of data subjects

Grounds for processing of personal data

Obligations of data controllers and processors

Independent supervisory authority

Redress

Copyright Reserved. © Prof Abu Bakar Munir 2022

32 of 53

	Indonesia Personal Data Protection Law 2022	Malaysia Personal Data Protection Act 2010	Taiwan Personal Data Protection Act 2010	Singapore Personal Data Protection Act 2012	Philippines Data Privacy Act 2012	Japan Personal Information Protection Act 2003	Hong Kong Personal Data (Privacy) Ordinance 1995	Korea Personal Information Protection Act 2011	Thailand Personal Data Protection Act 2019	China Personal Information Protection Law (PIPL, 2021)	EU GDPR
Data Protection Principles	✔						✔	✔	✔	✔	✔
Rights of Data Subjects	✔						✔	✔	✔	✔	✔
Special enforcement entity	✔		X				✔	✔	✔	✔	✔
Exemption to public agency	X		X		X	X	X	X	X	X	X
Mandatory data breach notification to the Data Subject	✔	X	✔	✔ (amendment 2020)	✔	✔ (amendment 2020)	Encouraged	✔	✔	✔	✔

Data Protection Law: Indonesia Vs The World

33 of 53

	Indonesia Personal Data Protection Law 2022	Malaysia Personal Data Protection Act 2010	Taiwan Personal Data Protection Act 2010	Singapore Personal Data Protection Act 2012	Philippines Data Privacy Act 2012	Japan Personal Information Protection Act 2003	Hong Kong Personal Data (Privacy) Ordinance 1995	Korea Personal Information Protection Act 2011	Thailand Personal Data Protection Act 2019	China Personal Information Protection Law (PIPL, 2021)	EU GDPR
Mandatory reporting to the Authority	✔	X	X	✔ (amendment 2020)	✔	✔ (amendment 2020)	Encouraged	✔	✔	✔	✔
Differentiate personal data & sensitive data	✔	✔		X	✔	✔	✔	✔	✔	✔	✔
Organisation must designate someone to take charge (DPO)	✔	X	X	✔	✔	X	Encouraged	✔	✔	✔	✔
Registration	X	✔	X	X	X	X	X	X	X	X	X

34 of 53

34

	Indonesia Personal Data Protection Law 2022	Malaysia Personal Data Protection Act 2010	Taiwan Personal Data Protection Act 2010	Singapore Personal Data Protection Act 2012	Philippines Data Privacy Act 2012	Japan Personal Information Protection Act 2003	Hong Kong Personal Data (Privacy) Ordinance 1995	Korea Personal Information Protection Act 2011	Thailand Personal Data Protection Act 2019	China Personal Information Protection Law (PIPL, 2021)	EU GDPR
Civil and criminal remedies	✔	X	✔	✔	✔	✔	✔	✔	✔	✔	✔
Data Protection Impact Assessment	✔	X	X	Encouraged	✔ NPC Circular (2016 -01)	X	Encouraged	✔	✔	Encouraged	✔
Financial penalty by Regulator	✔	X	✔		✔	✔ (amendment 2020)	✔	✔	✔	✔	✔

Copyright Reserved. © Prof Abu Bakar Munir 2022

35 of 53

35

36 of 53

SCOPE OF APPLICATION

36

Applies to all organisations within/outside Indonesia

Does not apply to processing by an individual in relation to personal and household activity

37 of 53

OBLIGATIONS OF DATA CONTROLLER/PROCESSOR

Section	Obligations	Data Controller	Data Processor
20	To have processing policy	✔
21	To inform/provide certain information to data subject -Data Protection/Privacy Policy	✔
24	To show/prove consent has been obtained	✔
25	To process children’s data with the consent of parents or legal guardian	✔
26	To process data of data subject with disability in accordance with the requirements	✔
27	To process limited and specific data lawfully and transparently	✔
28	To process data in accordance with the purpose	✔	✔
29	To guarantee accuracy, completeness and consistency	✔	✔
30	To correct data within 72 hours	✔	✔
31	To record all processing activities (RoPA)	✔
32	To provide access within 72 hours	✔
33	To refuse access in certain circumstances	✔	✔
34	To conduct DPIA in certain circumstances	✔

38 of 53

Section	Obligations	Data Controller	Data Processor
35	To protect personal data	✔	✔
36	To maintain confidentiality of data	✔
37	To supervise processing of data	✔
38	To protect data from illegal processing	✔	✔
39	To prevent data from unauthorised access	✔
40	To cease processing when consent has been withdrawn within 72 hours	✔
41	To delay/postpone/restrict processing within 72 hours	✔
42	To end processing in certain circumstances	✔	✔
43	To destroy data in certain circumstances	✔
44	To destruct data in certain circumstances	✔
45	To inform data subject on the destruction of data	✔
46	To notify the supervisory authority and data subject within 72 hours in case of data breaches. To notify the public about the breach in certain circumstances	✔
47	To prove accountability in observing all the principles	✔
48	To inform the data subject in case of merger/separation takeover etc	✔
49	To carry out the direction of supervisory authority	✔
53	To appoint DPO	✔	✔

39 of 53

RIGHTS OF DATA SUBJECT

39

The right to receive information on the identity of data controller, purpose of collection & usage as well as accountability
The right to update, renew, correct personal data
The right to request for access
The right to request to end the processing and to destroy/destruct data
The right to withdraw consent
The right to object processing for the purpose of automated decision making
The right to delay or limit the processing
The right to take legal action and claim for compensations
The right to data portability

40 of 53

TRANSFER OF DATA TO OUTSIDE INDONESIA

40

In accordance with the PDPL
Data controller must ensure the recipient of the data is located in a country which provide equal or higher protection than the PDPL
If condition (1) is not satisfied, data controller must ensure adequate and binding agreement
If condition (2) and (3) is not satisfied, data controller must obtain the consent of data subject

41 of 53

REMEDIES AND REDRESS

41

Civil action by the data subject
Administrative sanctions

Written warning
Temporary cessation of processing
Deletion or destruction of data
Administrative penalty – maximum 2% of the annual income

Criminal offences

42 of 53

ADMINISTRATIVE SANCTIONS

Section	Provision
20 (1)	Not having data processing policy
21 (1)	Failure to provide certain information to the data subject
24	Failure to show proof consent has been obtained
25	Failure to obtain consent of parents or legal guardian
26	Failure to obtain consent in relations to data subject with disability
27	Failure to comply with the requirements to process data specifically legally and transparently
28	Failure to process data for the purpose it was collected
29	Failure to ensure accuracy, completeness, and consistency of data
30	Failure to renew and correct data
31	Failure to record processing activities
32	Failure to provide access to data subject
33	Failure to refuse access to data

43 of 53

Section	Provision
34	Failure to conduct DPIA
35	Failure to protect data
36	Failure to maintain confidentiality of data
37	Failure to supervise processing of data
38	Failure to protect data from illegal processing
39 (1)	Failure to prevent unauthorised access to data
40 (1)	Failure to cease processing of data
41 (1)	Failure to postpone or limit the processing of data
41 (3)	Failure to inform the postponement or limitation of processing data
42 (1)	Failure to end the processing
43 (1)	Failure to delete data
44 (1)	Failure to destruct data
45	Failure to notify the deletion/destruction of data
46 (1)	Failure to notify data breach
46 (3)	Failure to notify the public about data breach
47	Failure to show accountability and compliance with the principles
48 (1)	Failure to notify data subject in case of merger, separation, takeover, etc

44 of 53

44

Section	Provision
49	Failure to carry out the instruction of supervisory authority
51 (1)	Failure by data processor to process in accordance to instruction of data controller
51 (5)	Failure of data processor to obtain written consent to appoint subcontractor
52	Failure of data processor to fulfil the obligations
53 (1)	Failure to appoint DPO
55 (2)	Failure to protect data when being transferred
56 (2)	Failure to ensure the equal or higher protection is afforded
56 (3)	Failure to ensure adequate and binding agreement to protect data
56(4)	Failure to obtain consent for the transfer

45 of 53

CRIMINAL OFFENCES

45

Section	Offences	Punishment
65 (1)	Obtaining or collecting personal data against the law to make personal profit or the benefit of others	Max 5 years imprisonment and/or penalty of 5 Milliar Rupiah (67 (1))
65 (2)	Disclosure of data against the law	Max 4 years imprisonment and/or penalty of 4 Milliar Rupiah (67 (2))
65 (3)	Using personal data against the law	Max 5 years imprisonment and/or penalty of 5 Milliar Rupiah (67 (3))
66	Falsifying personal data to make profit	Max 6 years imprisonment and/or penalty of 6 Milliar Rupiah (68)

Section 69

Forfeiture of profit and/or wealth derived from criminal offences

Section 70

Officers of the company can be held liable

46 of 53

OFFENCE BY CORPORATE

46

Section 70

Officers of the company can be held liable
Can only be penalised with a fine
Forfeiture of profit and/or wealth derived from offences
freezing of all or part of the assets
Permanent restriction from certain action
Total or partial disclosure of premises
Perform obligation
Pay compensation
Withdrawal of permission
Desolution

47 of 53

SUPERVISORY AUTHORITY (KELEMBAGAAN)

47

To determine and develop data protection policy and strategy as guidance for data subject, data controller, and data processor

To supervise or monitor compliance with PDPL

To enforce administrative rules against the contravention

To facilitate out of court dispute settlement

Duties and functions of supervisory authority

48 of 53

POWERS OF THE SUPERVISORY AUTHORITY

48

To determine and develop policy
To monitor compliance
To administer administrative sanctions
To assist in criminal investigation and prosecution
To co-operate with supervisory authority from other jurisdiction
To carry out assessment on condition for data transfer
To issue direction
To publish report the enforcement of PDPL
To receive and investigate complains
To summon individual or organisation in case of contravention
To request for evidence, data, information, document
To access and examine electronic systems, facilities, data, and/or place
To seek legal assistance from the prosecutor

49 of 53

BIGGEST FINES SO FAR

49

50 of 53

50

51 of 53

51

52 of 53

52

1 of 53

2 of 53

3 of 53

4 of 53

5 of 53

6 of 53

7 of 53

8 of 53

9 of 53

10 of 53

11 of 53

12 of 53

13 of 53

14 of 53

15 of 53

16 of 53

17 of 53

18 of 53

19 of 53

20 of 53

21 of 53

22 of 53

23 of 53

24 of 53

25 of 53

26 of 53

27 of 53

28 of 53

29 of 53

30 of 53

31 of 53

32 of 53

33 of 53

34 of 53

35 of 53

36 of 53

37 of 53

38 of 53

39 of 53

40 of 53

41 of 53

42 of 53

43 of 53

44 of 53

45 of 53

46 of 53

47 of 53

48 of 53

49 of 53

50 of 53

51 of 53

52 of 53

53 of 53