Last review date: 13 January 2025
The general regulator for data privacy is the Ministry of Communications and Digital (MOCD). Additionally, sectoral authorities, such as Bank Indonesia and the Financial Services Authority (Otoritas Jasa Keuangan - OJK) in the financial sector, regulate specific provisions and requirements applicable only within their respective sectors.
For non-personal data, the relevant authority will depend on the nature of the data. For example, if the data is financial-related, the regulators in the financial sector will oversee such data.
For cybersecurity, the National Cyber and Code Agency (Badan Siber dan Sandi Negara - BSSN) is the regulator, along with the MOCD.
Under the PDP Law, the President needs to establish the data protection authority to supervise data privacy issues in Indonesia.
According to the PDP Law, the data protection authority will have the following duties and responsibilities:
The MOCD may carry out random investigations to ensure compliance with the requirements for processing (e.g., collection, transfers or disclosures) of personal data, if triggered by individual complaints. To date, there have been no reports of penalties imposed for data breaches under the PDP Law, as the formula for determining penalties has yet to be established. Additionally, no public statements regarding data incidents have been required since the enactment of the PDP Law.
However, the MOCD has urged all relevant parties to focus on complying with the PDP Law now that the transitional period has ended. Key areas of focus include the legal basis for using personal data, data incident requirements, recording of data processing activities, the role of data protection officers, and the requirements for transfers of personal data.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Rare
In current practice, investigations and enforcement are carried out in the event of a data breach.
Class actions/group actions under data or cyber regulation are:
☒ Rare
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
Under the PDP Law, administrative sanctions can take the form of warning letters, suspension of data processing activities, deletion of personal data, and/or administrative fines. The maximum administrative fine is 2% of the annual revenue against the violation variable (the calculation and the variable are not yet clear).
☒ criminal penalties from regulators and law enforcement
Under the PDP Law, criminal sanctions can take the form of imprisonment (four to six years) and/or a monetary penalty (IDR 4-6 billion, or approximately USD 285,000 - USD 430,000). In addition, if the crime is committed by a corporation or an entity: