Legal Analysis of Law No. 27 of 2022 Concerning Personal Data Protection, and the Urgency of Its Implementation in Society

By : A.M Oktarina Counsellors at Law Contributors
Drafted by : Khaifa Muna Noer uh’dina, S.H.
Reviewed by : Noverizky Tri Putra Pasaribu S.H LL.M (Adv)

Recently the President of the Republic of Indonesia Joko Widodo has passed a new Law On October 17, 2022, namely Law Number 27 of 2022 Concerning the Protection of Personal Data, which is commonly shortened to UU PDP, this UU PDP is a law for standards Protection of Personal Data in general, whether processed electronically or non-electronically. This Law only applies to Every Person, Public Agency, and International Organizations who carry out legal actions within the jurisdiction of the Republic of Indonesia and does not applyprocessing of Personal Data by individuals in personal or household activities.The provisions in Law Number 27 of 2022 concerning Protection of Personal Data aim to increase effectiveness in the implementation of personal data protection and also to protect and guarantee the basic rights of citizens related to personal protection, guarantees to get services from Corporations, Public Agencies, International Organizations and the Government, encouraging the growth of the digital economy and the information and communication technology industry, as well as supporting the increase in the competitiveness of the domestic industry.

This regulation on Personal Data Protection will make a major contribution to creating order and progress in the information society. This Personal Data Protection Law is a mandate from Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia which states that, “Everyone has the right to protection of himself/herself, family, honor, dignity and property under power, and are entitled to a sense of security and protection from the threat of fear to do or not do something that is a human right”. The issue of Personal Data Protection arises because of concerns about violations of Personal Data that can be experienced by individuals and/or legal entities. Such violations can cause material and non-material losses.

The exercise of the rights of Personal Data Subjects as referred to in Article 14 must be submitted through a registered application submitted electronically or non-electronically to the owner of personal data. Except for the interests of national defense and security, the interests of the law enforcement process, the public interest in the context of administering the state, the interests of supervising the financial services sector, monetary, payment systems and financial system stability carried out in the framework of administering the state, the interests of statistics and scientific research. The controller of personal data is required to process Personal Data in a limited and specific manner, lawfully, transparently and also perform processing of Personal Data in accordance with its purpose.

In the Personal Data Protection Act, there are several articles that can be the focus, which we have examined in several points, namely as follows:

1. Article 4 : Types of Personal Data

• Personal Data consists of:

1. Specific Personal Data; and
2. General Personal Data.

• Specific Personal Data as referred to in paragraph (1) letter a includes:

1. Health data and information;
2. Biometric data;
3. genetic data;
4. Crime record;
5. child data;
6. Personal financial data; and/or
7. Other data in accordance with the provisions of the laws and regulations.

• General Personal Data as referred to in paragraph (1) letter b includes:

1. Full name;
2. Gender;
3. Citizenship;
4. Religion;
5. Marital status; and/or
6. Personal Data combined to identify an individual.

Referring to the Article above, that Article 4 related to the Personal Data Protection Act covers it in general. Where in the distribution of types of personal data can be classified as 2 types, namely as personal data that is specific and general. Personal data included in this personal data protection law, it can be said in general that it has accommodated technological developments as well as personal data issues in Indonesian society, where the law in Indonesia prior to the existence of this personal data law did not explicitly regulate types of personal data. Therefore Article 4 is appropriate and has a positive impact on this law.

1. Article 16 : Processing of Personal Data

• Processing of Personal Data includes:

1. Acquisition and collection;
2. Processing and analysis;
3. Storage;
4. Repairs and updates;
5. Appearance, announcement, transfer, distribution, or destruction.

• Processing of Personal Data as referred to in paragraph (1) is carried out in accordance with the principles of Personal Data Protection including:

1. Collection of Personal Data is limited and specific, lawful and transparent;
2. Processing of Personal Data is carried out according to its purpose;
3. Processing of Personal Data is carried out by guaranteeing the rights of the Personal Data Subject;
4. Processing of Personal Data is carried out accurately, completely, not misleading, and can be accounted for;
5. Processing of Personal Data is carried out by protecting the security of Personal Data from unauthorized access, unauthorized disclosure, unauthorized modification, misuse, destruction and/or loss of Personal Data;
6. Processing of Personal Data is carried out by notifying purposes and processing activities, as well as the failure of Personal Data Protection;
7. Personal Data is destroyed and/or deleted after the retention period ends or based on the request of the Personal Data Subject, unless otherwise stipulated by laws and regulations; and
8. Processing of Personal Data is carried out in a responsible and clearly demonstrable manner.

Referring to the article above, namely Article 16 of the Personal Data Protection Act, which discusses the processing of personal data, which in our opinion the contents of the article have the potential for error to occur because the contents of Article 16 do not state how the terms and/or what can prove clear steps that can be taken to be able to carry out the processing of personal data. So this becomes a new challenge for professions that require personal data and personal data.

1. Prohibition on the Use of Personal Data

Article 65 :

• Everyone is prohibited from unlawfully obtaining or collecting Personal Data that does not belong to them with the intention of benefiting themselves or others which can result in loss of Personal Data Subjects.
• Everyone is prohibited from unlawfully disclosing Personal Data that does not belong to him.
• Everyone is prohibited from unlawfully using Personal Data that does not belong to him.

Article 66 :

“Every person is prohibited from making false Personal Data or falsifying Personal Data with the intention to benefit themselves or others which can cause harm to other people.”

Referring to the article above regarding the prohibition on the use of personal data, in our opinion, the existence of this article is very helpful for security for the community and also reduces the occurrence of cases of misuse of personal data belonging to other people. But based on our opinion, it’s a little regretful considering the points contained in this article do not accommodate professions that require the collection of data and privacy belonging to other people who request services from that profession. For example, like an advocate who wants to find out about the case being handled and of course requires data and identities of the parties related to the problem. This of course has the potential to cause new problems considering that personal data is very necessary to exist,

Criminal provisions

The enactment of this personal data protection law also regulates the imposition of sanctions for anyone who violates the contents of this legislation. Everyone is prohibited from falsifying personal data with the intention of benefiting themselves and causing harm to others. Criminal sanctions that will be imposed if there is misuse of personal data, using other people’s personal data for self-interest, as referred to in Article 67 paragraph (1) get criminal sanctions with a maximum imprisonment of 5 (five) years and/or a maximum fine 5,000,000,000.00 (five billion rupiah). If the act of violating these laws and regulations is carried out by a corporation, then the punishment that can be imposed on the corporation is only a fine. The fine imposed on the corporation is a maximum of 10 (ten) times the maximum fine imposed. If the convict does not pay the fine within the period as stipulated in Article 71 paragraph (1) or (2) then the convict’s assets or income can be confiscated and auctioned off by the Prosecutor to pay off the unpaid fine. And corporations will be subject to alternative punishment in the form of freezing part or all of the corporation’s business activities for a maximum period of 5 (five) years. If the convict does not pay the fine within the period as stipulated in Article 71 paragraph (1) or (2) then the convict’s assets or income can be confiscated and auctioned off by the Prosecutor to pay off the unpaid fine. And corporations will be subject to alternative punishment in the form of freezing part or all of the corporation’s business activities for a maximum period of 5 (five) years. If the convict does not pay the fine within the period as stipulated in Article 71 paragraph (1) or (2) then the convict’s assets or income can be confiscated and auctioned off by the Prosecutor to pay off the unpaid fine. And corporations will be subject to alternative punishment in the form of freezing part or all of the corporation’s business activities for a maximum period of 5 (five) years.

Conclusion

Basically, this Personal Data Protection Act actually accommodates the good intentions of the government as a regulator in creating laws that are progressive and in accordance with the times. However, in practice, of course, the enforcement of this regulation will encounter its own challenges. Therefore, in the implementation of this regulation, as we have described above, there are several good and bad opinions from the personal data protection law. Therefore, synergy and coordination between the community and the government are needed. So that the purpose of the formulation of this regulation can complement legal regulations in the field of personal data protection, which in the end can be of benefit to the people of Indonesia.