A Brief look Into Indonesia’s Personal Data Protection Bill

It should be no surprise that in this increasingly digitalized age, personally identifiable information has become a widely traded currency within the vast economy which is the internet. It is then only a natural response that worldwide online privacy standards are being further defined and enforced, with the EU’s 2016 General Data Protection Regulation (GDPR) law being seen as a golden standard by which to follow. With the rest of the world moving in this direction, Indonesia seeks to also do the same. Although the country, which has around 260 million active internet users (The fourth largest worldwide Internet population), is quite late in working the GDPR into the framework of its own laws, Indonesia’s government nonetheless seeks to speed up its legislative process, and hopefully will make the ‘Personal Data Protection’ Bill the first law to be passed during the 2020 period, despite its very late status on the global sage, with 126 countries already having adopted the GDPR.

Also Read: The Code behind the Malware: The Digital DNA of a Computer Virus

The draft of the bill, which is currently under review, is an offshoot of the EU’s 2016 GDPR, and its regulations function within the EU’s 2016 bill’s framework. One such provision, which is strongly tied to the GDPR’s stated policies, is the enforcement of Data Sovereignty. This accounts for the privacy rights that everyday citizens have when accessing sites, and entails the ability for netizens to object to the decisions otherwise enforced by the accessed website, and importantly, to be forgotten by the website they are accessing, making the collection of personally identifiable data (Which includes HTTP Cookies) a major priority.

How Cookies are Defined within the Bill

HTTP Cookies, or Web Cookies, are minute bits of information which record an individual’s personally identifiable data when using a website. This data can include anything from pages visited & buttons clicked to stored passwords & credit card details. Visitors to any website have such information stored within their computers or mobile devices. This stored data is to assist servers in translating your online behavioral patterns into the website when interfacing with it, and also to track your behavior on the site for marketing purposes and  to further improve the website’s general functionality. Some functions include remembering your username & password, and suggesting content that you’ll be likely to click on based on your preferences.

Although specific regulations regarding the management of Cookie data is not specifically defined in regards to the PDP Bill’s provisions, it is nonetheless inferred that the specific term is applied under the umbrella concept of Personal Data.  Further indicating this is the fact that the GDPR, the universally adopted EU law which the PDP Bill is based on, had already defined Cookies as ‘Personal Data.’ Two specific stipulations exist in regards to this: in order for the cookie data to be subject to the regulations of the GDPR, it must firstly be able to identify a user in some way. Secondly, companies must receive the consent of the user if they are to further process their data.


Although the actual application of the Personal Data Protection Bill will not be given to any agency specifically designed for it, nonetheless, its enforcement shall be the responsibility of Indonesia’s already existing Minister of Communications and Informatics, a title currently held by Johnny G Plate. Through such means, the MoCI will supervise the bill’s implementation impose criminal penalties should it be breached. The Bill also defines regulations in regards to the financial, as well as the IT sectors, and enforces that such entities work closely with the Financial Services Authority.

Under its guidelines, the unauthorized collection, storage, promotion and analysis of data will be accountable through penalties which will include a first warning, a suspension of website activities, or a visible notification on the website itself. In a worst case scenario, privacy breaches will result in criminal penalties, such as a fine of up to Rp. 100 billion and eight years imprisonment, although the Ministry of Communication and Informatics has not detailed what kind of abuses would have to be prosecuted in order to levy the maximum punishment.

Also Read: Digital Media’s Impact on Human Cultural Evolution

Steps Towards Compliance

The widespread adoption of the GDPR’s regulations has upped worldwide standards in regards to protecting the privacy of netizens. Indeed, with IT privacy evolving into a human rights issue, the implications of these changes will not only exist in paper, but also in how personal data will be culturally comprehended: personal Information will no longer be a recourse taken, analyzed and disseminated for free, without consequence, as was the case previously. In this sense, it will be necessary for organizations and businesses to familiarize themselves with such standards and incorporate them into their practices.

  • The most prominent issue is consent. Data collectors must make sure that a way for users to give them consent in regards to processing their data is made clear. For Cookies specifically, before a user lands on a website, they should be made aware of the implications of doing so, and further give their consent in this regard.


  • Furthermore, information that is displayed regarding how their data will be processed must be transparent and unambiguous, meaning the language used must be precise and comprehensible. Specifically, data collectors must explain how and why their personal information is being handled.


  • Further, there exist a number of other important requirements that might not be currently well defined by the overarching provisions of existing privacy laws. For example, a user must give his or her true consent before entering a website, as opposed to consent under a specific condition imposed by data collectors, such as in regards to using a service or fulfilling a contract. Also, the user should have the right to take back his or her constant in the same swift manner as it was given.

Logique Digital Indonesia: Making Your Website/App

Logique Digital Indonesia is a professional IT company offering a wide variety of IT related services, such as application development, website creation, web design, SEO services, and much more. If you are currently planning to develop a website or an application, please contact us or click on Our Services to get more information about what we offer.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts