On September 20, 2022, Indonesia’s parliament ratified the Personal Data Protection Act (the “Act”). The Act is the first comprehensive data protection law to be enacted in Indonesia and will come into effect on a date set by the Minister of State Secretariat. Organizations subject to the Act will have two years to come into compliance with the Act’s requirements.

The Act requires entities (whether public or private) that handle Indonesian residents’ personal data to ensure the protection of the data in their systems. The Act also will impose sanctions for the mishandling of personal data, including prison terms of up to six years for falsifying personal data for personal gain.

The Act provides the Indonesian president with the authority to create an oversight body to levy fines for violations of the Act. Fines of up to two percent of an entity’s annual revenue may be levied for violations of the Act. Additionally, those in violation of the Act may have their assets confiscated or be imprisoned for up to five years.

Under the Act, Indonesian residents will be able to claim compensation for breaches of their personal data and will be provided certain privacy rights, including the rights of access, deletion and restriction. Read the law (in Indonesian).