The Indonesian Parliament will pass the long-stalled Personal Data Protection (PDP) Bill this week, as reported by Strait Times on September 13. According to the bill, data operators could face up to five years in prison and a maximum penalty of IDR5bn (USD334,400) for leaking or misusing private information. Institutions may collect personal information for a specific purpose but must delete the records once that purpose has been met. The bill also regulates that data operators must obtain consent from each individual for using their records such as name, gender, and medical history, allowing each person to withdraw their consent and get compensation for any breaches.
The legislation came days after Indonesia’s National Cyber and Encryption Agency probed into an alleged data leak of 105m Indonesians, following another major data breach last month involving the private data of over 17m customers of state utility firm PLN. Despite the frequent large-scale data breaches in Indonesia in recent years, it was not until now that the parliament finalizes the long-anticipated PDP Bill. Disagreements over who will run the new data protection oversight agency delayed the legislation. Eventually, the lawmakers and the Indonesian government agreed to put the President in charge of the new agency, while the parliament lays out its role. Enacting a data privacy law becomes even more urgent as Indonesia’s digital economy is about to grow to USD146bn by 2025, according to the latest report composed by Alphabet’s [GOOG:US] Google, Singapore’s Temasek Holdings, and global consulting firm Bain & Co.