Developments Seen in Indonesia’s Privacy Law

(This article has been published on Privacy Laws & Business International Report Issue No. 139,

Advances in modern technology with the capacity to collect, analyse and distribute information from individuals have brought about both convenience and efficiency in many sectors. However, these major developments have significantly impacted the privacy of personal information, which gave rise to issues regarding the necessity of providing legal protection for the right to be made aware of what constitutes personal data, as well as the right to be let alone.[1] As new technologies are developed, such as advances in medical research, healthcare, telecommunication, transportation and financial transactions, the need for such legal protection becomes more apparent as they dramatically increase the flow of personal information.

These technological advances have pressed for privacy to be included as a right that is believed to belong justifiably to every person: a human right. Of all human rights, privacy is perhaps the most difficult to define and explain. Privacy, however, can be classified as a fundamental (albeit not absolute) human right as contained under Article 12 of the Universal Declaration of Human Rights, which states explicitly that “no one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor or reputation. Everyone has the right to the protection of the law against such interference or attack.”[2]

In western countries, the protection of personal data and information has long been a focal issue in relation to modern human life, and as a result, they have a more specific and complete set of regulations in place that describe and protect the privacy of personal data and information of their citizens, albeit with a few differences in design. The European Union (“EU”) has two fundamental policies in relation to privacy and data protection, namely 1) The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,[3] and 2) The Data Protection Directive (EU Directive 95/46/EC).[4] By comparison, the United States of America (“U.S.”) has no single instrument that provides complete protection of privacy or personal data. Instead, the legal basis for the right to privacy and personal information protection is contained under different state constitutions and laws,[5] and a number of court decisions.[6]

The vital role of the right to privacy and personal information protection is not limited to the western world. The significance of the right to privacy and data protection is also inevitably applicable to Indonesia, as the faster development of technology and the revolution in the way we communicate in this modern world are indiscriminate in nature. Legal protection and certainty are of utmost importance to ensure that every person maintains their right to be let alone, and to safeguard the protection of personal data and information.

However, as a developing country, Indonesia has focused disproportionately on obtaining the latest technologies, which is apparent from the fairly large number of users, rather than on establishing specific regulations on privacy and data protection. Provisions on personal data protection are instead dispersed across various sectoral legal frameworks, such as Law No. 23 of 2006 regarding Citizen Administration, as amended by Law No. 24 of 2013 (“Citizen Administration Law”), Law No. 7 of 1992 regarding Banking, as amended by Law No. 10 of 1998, and Law No. 36 of 1999 regarding Telecommunication.

This dispersion renders the protection of privacy ineffective and unable to remain relevant as technological developments associated with privacy and data protection advance. This is quite concerning considering that Indonesia is a member of the Asia-Pacific Economic Cooperation (“APEC”), which has established the APEC Privacy Framework. Indonesia is also a potential member of the Organization for Economic Co-operation and Development (“OECD”),[7] which has firmly established the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980.

From the elaboration above, it is apparent that the right to privacy and data protection is of critical importance to Indonesia as such is not only a fundamental human right that must be safeguarded, but also to secure international relations with other countries and international organizations.

In light of such importance, the government has initiated the Draft Bill on the Protection of Personal Data (“Draft Bill”), which was planned to be included into the 2016 Priority National Legislative Program[8] but has been delayed until next year at the earliest. The Draft Bill has yet to be deliberated by the House, which means that it could be subject to further changes as discussion at the House progresses (the version of the Draft Bill obtained for the purpose of this article is dated 15 October 2015). Should the Draft Bill be passed by the House, it will be the first umbrella legal instrument for Indonesia’s privacy protection framework, serving as reference to the prevailing laws and regulations in other sectors that stipulate protection for personal data.


The Draft Bill stipulates provisions on various aspects in regard to the protection of personal data, including classification and definition of personal data, details on how personal data are protected, obligations of personal data administrators, personal data transfers, and video-surveillance devices. The Draft Bill also provides specific purposes that are, in principle, exempted from having to respect a person’s right to privacy under certain conditions.


Despite the importance of a clear-cut definition of what constitutes personal data, currently prevailing laws and regulations fail to stipulate this matter in detail. Since the Draft Bill is designed to be Indonesia’s privacy umbrella law, it is expected that a definition of privacy would be stated in detail, stipulating which personal information of a person, such as full name, gender, religion, marital status, birthplace, and the like, is considered private and confidential, including a compilation of provisions in sector-based laws and regulations that regulate this matter (for example, a person’s financial details maintained by banks).

However, no such details are found in the Draft Bill. The Draft Bill only provides so far a different definition of personal data compared to the existing definition under the Citizen Administration Law, and classifies personal data into two categories: regular personal data and sensitive personal data.


The new definition of personal data under the Draft Bill is more expansive compared to the existing definition under the Citizen Administration Law. Below is a comparison between the definitions.

Draft Bill: “Every data regarding the life of a person, whether identified and/or can be identified separately or in combination with other information, either directly or indirectly, through electronic and/or non-electronic systems”[9]

Citizen Administration Law: “Certain personal data of which the accuracy is kept, treated, and maintained, and of which the confidentiality is protected”[10]

Arguably, this disparity in defining personal data could result from the two laws having different ultimate purposes; the Draft Bill is designed to be the umbrella law for the protection of privacy, which requires a broader definition, whereas the Citizen Administration Law is mainly intended for the relevant government bodies to administer the data of Indonesian citizens, requiring protection from possible abuse by the government.

Regular and Sensitive Personal Data

As mentioned above, certain personal data is further classified as sensitive personal data, which is defined as “personal data that requires special protection, which covers data related to a person’s religion/beliefs, health, physical and mental condition, sexual matters, personal finance, and other personal data that could potentially harm and detriment the privacy of the data’s subject.”[11]

Sensitive personal data can only be collected, processed, and disclosed based on written consent from the person that it relates to, and specifically for the following purposes:[12]

  1. Protection of the person in question;
  2. Employment, medical, and law-enforcement purposes;
  3. Requested by authorized parties for the purpose of performing its functions based on prevailing laws and regulations; or
  4. Is in the public domain due to actions undertaken by the person in question.

Other than these provisions, the Draft Bill does not add any further details regarding sensitive personal data. There is no further elaboration on which personal data is considered sensitive (specifically concerning other personal data that could potentially harm and detriment the privacy of the respective person, according to the definition of sensitive personal data provided under the Draft Bill). Furthermore, the Draft Bill does not elaborate on the so-called special protection in the definition of sensitive personal data or the procedures to claim such protection.


Personal data protection under the Draft Bill covers the phases of personal data management quite comprehensively, from its collection to deletion.


Of critical importance to the protection of personal data, the Draft Bill stipulates procedures that must be complied with by personal data administrators in collecting and managing personal data.

The Draft Bill applies to all personal data administrators, including individuals, legal entities, business entities, government institutions, public agencies, or community organizations that carry out activities relating to personal data (such as collecting, processing, and analysing), whether manually or using automatic data processing tools, in a structured manner and using a data storage system.[13]

Prior to the collection of any personal data, the personal data administrator must obtain the consent of the owner of the respective personal data and disclose the following information:[14]

  1. Legality of the personal data administrator (proof that it is duly established with proper government documentation);
  2. Purpose of collecting his/her personal data;
  3. Types of personal data that will be administered;
  4. Retention period of documents that will contain the personal data;
  5. Details on what information is being collected;
  6. Period of time the personal data will be administered and procedures in deleting the personal data; and
  7. Right of the owner of the personal data to refuse to provide consent.

This requirement to secure consent of the personal data owner is exempted if mandated as such by law, required to draft a contract with the personal data owner, or necessary to ensure the safety or economic interests of the personal data owner.[15]

The personal data owner can withdraw his/her consent at any time, and the personal data administrator cannot prevent or prohibit the personal data owner from doing so, and must comply with such a request.[16]


After collection, the personal data owner still retains various rights over his/her personal data collected by the personal data administrator. This includes the right to access the personal data, and also modify, update or correct any inaccuracies.[17]

If the owner wishes to access his/her personal data, the personal data administrator must entertain this request and also provide a log history relating to the administration of the personal data in question over the past year. This request can be denied if it harms the safety or health of the personal data owner or any other individual, will reveal another person’s personal data, or is against state interests.[18]


Personal data can be erased if the retention period has expired, it has served its purpose, or such is requested by the respective owner. The deletion of personal data must also be in accordance with prevailing laws and regulations, and the data must not be relevant to any case proceeding.[19]


A personal data administrator must have a policy on the management of personal data, and a standard operating procedure (“SOP”) covering steps that must be taken to protect the personal data from damage or unlawful modification, disclosure, and processing, and the level of security needed to protect the personal data. A personal data administrator must also have an internal policy regarding the protection of personal data information, which must be disclosed publicly.[20]

Moreover, the personal data administrator must have an adequate security system to protect the personal data from any unlawful access. This is important to be duly complied with, considering that an owner of personal data may claim for damages for any losses due to unlawful use of their personal data.[21]

In case of any personal data leak, the personal data administrator must notify the respective owner regarding:[22]

  1. Which personal data was revealed;
  2. Time and sequence of events that led to the personal data leak;
  3. Efforts by the personal data administrator to address the personal data leak; and
  4. Contact information of the personal data administrator.


In addition to the above actions that require consent, the Draft Bill also obligates personal data administrators to obtain consent from the owner in transferring his/her personal data to another domestic party or overseas, unless an exemption is required based on a written notification from the Central Information Commission (Komisi Informasi Pusat).[23]

The Draft Bill also requires the personal data administrator to enter into an agreement with the personal data recipient overseas. However, this is not required if:[24]

  1. The Indonesian government has entered into an agreement regarding the exchange of personal data with the government of the country where the personal data is being transferred to; or
  2. The country where the servers are located implements a similar or higher level of protection for personal data as the Draft Bill.


A matter previously unregulated specifically in Indonesia’s legal framework addressed by the Draft Bill is in regard to the use of video-surveillance devices.

The Draft Bill prohibits the use of such devices in public areas that might violate an individual’s right to privacy, unless it is in accordance with prevailing laws and regulations or undertaken for the purpose of preventing or investigating criminal offences. The Draft Bill also exempts video-surveillance devices installed for the purpose of preventing fires and accidents, as well as traffic management.[25]

In areas where video-surveillance devices are installed, the operator must prominently display an information sign that states there are video-surveillance devices installed in the area.[26]


Although the right to privacy is an inherent human right, there are exceptions to this right under the Draft Bill, including national security and law enforcement. The right to privacy of a person is also exempted for news reporting, and scientific and statistical purposes, provided that the personal data is obtained from published information. Specifically for news reporting, the personal data must be obtained with the consent of the respective owner.[27]


The Draft Bill clearly provides a few new concepts concerning the protection of personal data, including a different definition compared to that provided by the Citizen Administration Law, and a novel classification of personal data, namely sensitive personal data. Unfortunately, the current version of the Draft Bill does not elaborate further regarding sensitive personal data, the supposedly special protection of sensitive personal data, or the procedures to claim such protection, rendering this classification of personal data opaque.

Under the current version of the Draft Bill, critical fundamental rights are given to personal data owners, including the authority to request the deletion of their personal data, and to modify, update or correct any inaccuracies. The main form of protection given by these rights is the consent requirement, which will at least provide control to the respective owner of the personal data. This will prove to be essential for guaranteeing the right to privacy in Indonesia, a protection that has been, despite serving critical importance in today’s digital age where borders between public and private are gradually being blurred, severely lacking and left behind.



[1] Olmstead v. United States, 277 U.S. 438 (1928); an excerpt of the dissenting opinion of Justice Louis Brandeis states: “They conferred, as against the Government, the right to be let alone – the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the Government upon the privacy of the individual, whatever means employed, must be deemed a violation…”

[2] For the official text, see:

[3] For official text, see:

[4] For official text, see:

[5] Constitution of the State of California, Art. 1 §1; California Security Breach Information Act (S.B. 1386); Constitution of the State of Florida, Art. I §23; Constitution of the State of Montana Art. 2 §10

[6] Olmstead v. United States, 277 U.S. 438 (1928) and Goldman v. United States, 316 U.S. 129, which were overruled by Katz v. United States, 389 U.S. 347 (1967); Kyllo v. United States, 533 U.S. 27 (2001); Griswold v. Connecticut, 381 U.S. 479 (1965)

[7] For the potential membership of Indonesia to the OECD, see:

[8] GATRAnews, “Kemkominfo Siapkan RUU Perlindungan Data Pribadi,” 6 October 2015

[9] In Bahasa Indonesia: “Setiap data tentang kehidupan seseorang baik yang teridentifikasi dan/atau dapat diidentifikasi secara tersendiri atau dikombinasi dengan informasi lainnya baik secara langsung maupun tidak langsung melalui sistem elektronik dan/atau non elektronik.” See: Article 1 (1) of the Draft Bill

[10] In Bahasa Indonesia: “Data perseorangan tertentu yang disimpan, dirawat, dan dijaga kebenaran serta dilindungi kerahasiaannya.” See: Article 1 (22) of the Citizen Administration Law

[11] In Bahasa Indonesia: “Data pribadi yang memerlukan perlindungan khusus yang terdiri dari data yang berkaitan dengan agama/keyakinan, kesehatan, kondisi fisik dan kondisi mental, kehidupan seksual, data keuangan pribadi, dan data pribadi lainnya yang mungkin dapat membahayakan dan merugikan privasi subjek data.” See: Article 1 (3) of the Draft Bill

[12] Draft Bill, Art. 7 (2)

[13] Draft Bill, Art. 4 jo. Art. 1 (9) jo. Art. 1 (6)

[14] Draft Bill, Art. 15 (1) and (2)

[15] Draft Bill, Art. 15 (4)

[16] Draft Bill, Art. 16 (1)

[17] Draft Bill, Arts. 8, and Art. 9 jo. Art. 22

[18] Draft Bill, Art. 21 (1) and (3)

[19] Draft Bill, Arts. 11 (2), and 27 (1)

[20] Draft Bill, Arts. 19, 20, and 26

[21] Draft Bill, Arts. 25, and 12

[22] Draft Bill, Art. 29

[23] Draft Bill, Art. 35 jo. Art. 36 jo. Art. 1 (12)

[24] Draft Bill, Art. 32

[25] Draft Bill, Art. 28 (1) and (2)

[26] Draft Bill, Art. 28 (3)

[27] Draft Bill, Art. 14

