- From e-lending to personalised business recommendations, there is a growing supply of customized digital services that require companies to acquire, process and store personal data. Meanwhile, these data remain the property of individuals and their owners have the right to control and manage their own data.
- The Indonesian House of Representatives is deliberating a Personal Data Protection Bill initiated by the Ministry of Communication and Informatics (MOCI). The draft Bill grants data owners a full range of rights to control and manage their personal data. It makes companies responsible for demonstrating compliance.
- The Bill suspends the rights of data owners in case their data are needed for national defense and security, law enforcement, state administration, supervision of the financial or monetary sector, payment systems, or financial system stability. These exemptions provide the government with unrestrained access to personal data. There should be specific definitions and limitations to government access, mandating transparency on the purpose of the exemption and the period of data storage.
- The PDP Bill should follow a risk-based approach. High-risk areas should be those involving systematic and extensive activities to profile individuals, to process special categories of data, and to monitor publicly accessible areas. Those who plan to engage in these activities should have to consult with the supervisory authority in Indonesia before conducting the activity. They need to conduct a detailed privacy impact assessment and notify potentially affected individuals in the case of a data breach.
- The draft PDP Bill, however, envisages the supervisory function being performed by a government line ministry, which can cause conflicts of interest. The supervisory authority for data privacy should rest with an independent commission.
- Since digital service companies constantly need to innovate, they often face uncertainty about whether they are in breach of data privacy regulations. To mitigate this risk, the government should consider implementing a regulatory sandbox to facilitate the compliance of new technologies with existing data privacy regulations, and to co-create new policies, as the Singaporean Personal Data Protection Commission (PDPC) did when it tested and amended Singapore’s PDP Act.