The Personal Data Protection Law passed by the Indonesian parliament in September 2022 prohibits the unlawful collection and use of data. That aligns with the standards of the EU GDPR, but private data controllers that have allegedly violated the law have only three days to erase data. The EU GDPR grants controllers one to three months. Decisions will be adjudicated by the yet-to-be-established Personal Data Protection Agency — but there will be no time for investigations, due process or appeals.
Indonesian policymakers generally view the government’s ability to access private data as part of the country’s internet and data sovereignty. Jakarta does not force private companies to maintain onshore data centres, but the Indonesian Minister for Communication and Informatics stated in June 2022 that ‘data is related to the sovereignty of a country, [and] it is geostrategic in nature’.
Offshore data transfers are expected to become further complicated to facilitate government access to data that originates in Indonesia. Without sufficient time and due process, this will expand government power at the expense of individual data privacy and freedom.
VIA East Asia Forum