The day’s top stories from around the world
Where the real conversations in privacy happen
Original reporting and feature articles on the latest privacy developments
Alerts and legal analysis of legislative trends
Exploring the technology of privacy
A roundup of the top Canadian privacy news
A roundup of the top European data protection news
A roundup of the top privacy news from the Asia-Pacific region
A roundup of the top privacy news from Latin America
A roundup of US privacy news
Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.
Advisory Board, KnowledgeNet Chapter Chair and Young Privacy Professional applications are now open. (Leadership positions are for members only. Join today.)
Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.
Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.
Locate and network with fellow privacy professionals using this peer-to-peer directory.
Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.
Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.
Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.
Develop the skills to design, build and operate a comprehensive data protection program.
Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.
Introductory training that builds organizations of professionals with working privacy knowledge.
Learn the legal, operational and compliance requirements of the EU regulation and its global influence.
Meet the stringent requirements to earn this American Bar Association-certified designation.
The global standard for the go-to person for privacy laws, regulations and frameworks
The first and only privacy certification for professionals who manage day-to-day operations
As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.
Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.
The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.
The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for GDPR readiness. Learn more today.
Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.
Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Use the Vendor Demo Center, Privacy Vendor List and Privacy Tech Vendor Report to easily identify privacy products and services to support your work.
On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.
The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.
Access all reports and surveys published by the IAPP.
Access all white papers published by the IAPP.
IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
The IAPP’s EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you’re meeting your obligations.
This chart maps several comprehensive data protection laws to assist our members in understanding how data protection is being approached around the world.
This interactive tool provides IAPP members access to critical GDPR resources — all in one location.
Join DACH-region data protection professionals for practical discussions of issues and solutions. Presented in German and English.
P.S.R. 2022 is the place for speakers, workshops and networking focused on the intersection of privacy and technology.
Europe’s top experts predict the evolving landscape and give insights into best practices for your privacy programme.
Gain exclusive insights about the ever-changing data privacy landscape in ANZ and beyond.
Explore the full range of U.K. data protection issues, from global policy to daily operational details.
Concentrated learning, sharing, and networking with all sessions delivered in parallel tracks — one in French, the other in English.
The world’s top privacy conference. Whether you work in the public or private sector, anywhere in the world, the Summit is your can’t-miss event.
View our open calls and submission instructions.
Increase visibility for your organization — check out sponsorship opportunities today.
Review upcoming IAPP conferences to see which need to be included in your schedule for the year ahead.
Start taking advantage of the many IAPP member benefits today
See our list of high-profile corporate members—and find out why you should become one, too
Don’t miss out for a minute—continue accessing your benefits
Review current member benefits available to Australia and New Zealand members
It has been widely reported that Indonesia aims to promulgate the Personal Data Protection Bill in August. One of the issues that stalled promulgation was whether Indonesia should have an independent body supervising personal data protection. With this issue now resolved by deferring the exact form of the supervisory body to the Indonesian president by way of a presidential decree, another issue might arise after the bill’s promulgation: the possibility of conflicting views on personal data protection regulations.
The potential conflicts may stem from Article 71 of the PDPB, which states when the Personal Data Protection Law enters into force, all provisions of the current laws and regulations governing personal data protection shall remain applicable so long as they are not contrary with provisions under the PDPL.
The problem with the above provision is that currently, there are so many provisions pertaining to personal data protection scattered across scores of laws and regulations in multiple sectors. How exactly to convince the regulator (which is undecided whether it will be an independent body or a body under the Ministry of Communications and Informatics) that one does not contravene the provisions under the forthcoming PDPL shall remain a mystery.
For companies with in-house legal counsel and those using external counsel, locating conflicting provisions between existing laws and regulations and the forthcoming PDPL might seem like a walk in the park. But the same situation might not apply to individuals or companies without the assistance of legal counsel.
It might be more fitting if the PDPB expressly declares certain provisions in scores of existing laws and regulations to be ineffective upon promulgation of the bill. This is similar to what Indonesia’s Job Creation Law did by rendering many provisions under so many existing laws and regulations ineffective after the Job Creation Law entered into force.
The drafting method behind the Job Creation Law is now known as the Omnibus Law on Job Creation. Pursuant to Article 64(1b) of Law No. 13 Year 2022 on Formulation of Laws and Regulations (second amendment to Law No. 12 Year 2011) (“Law 13/2022”), the omnibus method formulated laws and regulations by adding, changing, or revoking content across multiple sectors of law into one bill.
One may argue that to avoid confusion and clearly define scope, an omnibus method of drafting the PDPB is necessary. Given that the bill’s early draft predates the new Law 13/2022 where the omnibus method is recognized as one of the many ways to draft a regulation, it might be difficult for the government and Parliament to scrap the current draft of the bill and go back to square one to draft a completely new draft Omnibus Law on Personal Data Protection.
Another less controversial method of avoiding potential conflicts would be amending laws and regulations that govern personal data protection in some of their provisions to adhere to the PDPL and erase conflicting existing provisions. To date, there are more than 40 laws and regulations in Indonesia that govern personal data protection. Amending these laws and regulations will undoubtedly take plenty of time, and it is difficult to say how much time would be needed to carry out these painstaking processes.
Another alternative, albeit via litigation, is judicial review of any laws and regulations below the level of a law by the Supreme Court or judicial review of all laws by the Constitutional Court. This could mean a potential review of numerous provisions scattered in various laws and regulations regarding personal data protection.
Although the PDPL is envisaged to be an all-encompassing law to govern data protection issues, it seems this may be a utopian dream as many sectors — especially in banking and finance under the supervision of the Financial Services Authority (known as the Otoritas Jasa Keuangan) — are prone to governing themselves with specific rules that might differ from other sectors. It remains to be seen whether there is any provision under the latest PDPB draft that addresses this issue.
Of course, we can only hope, the personal data protection supervisory body (be it independent or not) does not have different views with the OJK or any other bodies on how to regulate personal data protection in certain sectors. Such scenario is indeed not impossible to occur.
The president will be in charge of deciding the independence of the supervisory body for issues involving the protection of personal data in Indonesia. Whether the body will be independent of any ministries or placed under an existing ministry — most likely the Ministry of Communications and Informatics (MoCI) — is one of the major questions that has yet to be answered.
According to Institute for Policy Research and Advocacy Executive Director Wahyudi Djafar, if the supervisory body is placed under the MoCI, then the MoCI will act both “as player and referee.” As a consequence, it will be difficult for the supervisory body to regulate and supervise the MoCI’s compliance with PDPL as part of its supervision duties. Another reason why an independent supervisory body is more desired is because, according to the July 2022 publication from the Asia Society Policy Institute, the current practice of enforcement by the MoCI is “said to have been a ‘conspicuous failure,’ with only warnings issued in the past and to no deterrent effect.” Additionally, there is a “desire to have a leaner administration, rather than multiple agencies that would drive up costs.”
The president is now given a wide latitude to exercise his power in deciding whether he wants the Personal Data Protection Supervisory Body to be completely independent from any ministry or not. According to Bobby Adhityo Rizaldi, a member of the First Commission of the Indonesian House of Representatives, a presidential decree will likely be issued within a year or two from now. Given that there is an upcoming presidential election in 2024, it is very likely that any presidential decree to establish the Personal Data Protection Supervisory Body will only be issued after the presidential election takes place considering the busy year ahead political parties and presidential candidates. Furthermore, it is uncertain whether President Joko Widodo will exercise his power right before he steps down.
It seems that Indonesia will have a long way to resolve the residual issues discussed above. However, the fact that Indonesia is resolute in having the Personal Data Protection Bill passed this year is already a good work. For privacy practitioners, this is high time to provide valuable input to the Indonesian government to make sure the government is aware of these residual issues before too late.
Submit for CPEs
If you want to comment on this post, you need to login.
The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally.
The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.
© 2022 International Association of Privacy Professionals.
All rights reserved.
Pease International Tradeport, 75 Rochester Ave.
Portsmouth, NH 03801 USA • +1 603.427.9200