Indonesia’s House of Parliament (DPR) today ratified a landmark law on data protection and cyber security, the passage of which had stalled since 2016.
The matter took on renewed urgency after a hacker, who goes by the handle Bjorka, repeatedly exposed the country’s cyber security shortcomings in recent weeks while embarrassing top government officials.
The motion to pass the Personal Data Protection Bill (RUU PDP) was unanimously approved by the 295 lawmakers present at the plenary session today.
The Personal Data Protection Law (UU PDP), which contains 76 articles, aims to give comprehensive protection on personal data online, as well as strengthen the country’s cyber security.
Among the criminal sanctions contained in UU PDP is five years’ imprisonment and an IDR50 billion (US$3.3 million) fine for unlawful collection of others’ personal data. When said data is used as a means to criminal activity, the violator may face up to seven years in prison and a fine of IDR70 billion (US$4.67 million).
The sale and/or purchase of personal data is a crime punishable by up to five years in prison and a fine of IDR50 billion.
Prior to its ratification, an alliance of freedom of speech advocacy groups, comprising the likes of SAFEnet, the Alliance of Independent Journalists, and the Jakarta Legal Aid Foundation, expressed concerns about the final draft of the bill.
One of the alliance’s major concerns is the lack of an independent body to enforce data protection measures as outlined in the bill. The alliance did not express confidence that the government is up to the task in terms of the law’s enforcement, considering that major data breaches, including the recent leak of 1.3 billion Indonesian SIM card data, happened under their watch.