The authors thank Zacky Zainal Husein and Muhammad Iqsan Sirie from Rajah & Tann Indonesia for their insights.
On September 20, 2022, Indonesia’s House of Representatives passed the Personal Data Protection Bill (PDP Bill) (note: linked Bill is in Indonesian). This is the first step towards enactment of the PDP Bill as law. The second step was Presidential assent, which happened on October 17, 2022, and signifies the enactment and coming into force of the law.
Prior to the passage of the PDP Bill (from hereon referred to as the “PDP Law”) (Act No. 27 or 2022), Indonesia lacked a comprehensive personal data protection law. Instead, provisions on personal data protection were distributed across more than 30 different laws and regulations. A first draft of the PDP Law was released for public comment on January 28, 2020. Between January 2020 and September 2022, the PDP Law underwent numerous rounds of consultation and amendment, culminating in the release of a near-final draft on September 5, 2022, and a final draft on September 20, 2022.
The PDP Law establishes responsibilities for the processing of personal data and rights for individuals in a manner similar to other international data protection laws. Many of its core aspects, including definitions of covered data and covered entities, lawful grounds, processing obligations, accountability measures, and controller-processor relationships, share some overlap with other laws around the world – most notably the EU’s General Data Protection Regulation (GDPR). However, there are a few notable components unique to