Indonesia is one of the countries in Asia with an inadequate legal framework on personal data protection despite the fact that nearly 65% of Indonesians are online.
Research conducted by the Open Data Lab Jakarta examines the existing personal data protection legal framework in Indonesia, identifies the challenges in providing a comprehensive legal framework, and explores the strategies of government, the business sector, as well as of civil society to comply with the regulations.
The research explored the implementation of the existing law and the challenges and opportunities for the implementation of the future data protection law.
This research found that despite the existing regulations on personal data protection, implementation is still somewhat toothless. Further, there are three main challenges in the implementation of a personal data protection legal framework in Indonesia:
- First, the regulatory challenges. The existing regulations do not explain the principles upon which privacy and data protection rules are based. There is a lack of information on how to process personal data and what are the purpose limitations of using personal data. The lack of principles has made the business sector refer more to the European Union’s General Data Protection Regulations (GDPR) and Personal Data Protection Act (PDPA) rather than existing regulations.
- Second are the institutional challenges. There is no single institution or agency that regulates or is in charge of personal data protection governance. The settlement of cases and complaints on personal data breaches and misuse are spread across various government institutions. The existence of an institution in charge could help in the monitoring of the implementation of personal data protection regulations as well as providing assistance for cases and complaints related to data breaches and misuse.
- The third challenge is cultural. There is an urgent need to increase the awareness around the importance of personal data to citizens. Many citizens still do not see personal data and privacy as an inherent part of their citizens’ rights. This has normalized cases on personal data misuse, which are in turn often under-reported. Understanding the cultural characteristics of citizens is important to help construct culture-sensitive implementation strategies for a personal data protection legal framework.
Read the full report.