Heaptalk, Jakarta — Indonesia’s House of Representatives chalks out history by passing the law regulating personal data protection (20/09). Under this law, companies or a person that violate the law can be imposed sanctions up to trillion rupiahs.
Data Privacy Bill Article 70 contains a criminal charge in the form of fines 10 times larger than the maximum punishment imposed, as well as other additional criminal charges,” stated the Minister of Communication and Information, Johnny G Plate, during the press conference (20/09).
Johnny’s statement is referred to article 70, which reads, “In case of criminal acts performed by corporate, a criminal charge can be imposed to management, controller, commanding officer, beneficial owner, and/or corporate”.
Under this new regulation, administration sanctions also can be applied to the data controller who breaks the regulation. A privacy data controller, in this case, is defined as a person or public agency, or international organization that takes action both alone or together in deciding the intention and controlling the privacy data processing.
Data control that violates the law will be subject to administrative sanction that is regulated in article 57, which contains: a written warning, temporary suspension of privacy data processing activity, privacy data deletion and annihilation, and an administrative fine.
“The administrative sanction is a fine with the maximum value of 2% from annual revenue or annual earning of the violation variable,” stated Johnny.
Referred to in article 70, the fine can be doubled to ten times. Corporates also can be subject to the additional charge, including:
- Profit seizure and/or assets acquired or earnings generated from criminal activity.
- The freezing of corporate business, partially or entirely.
- Permanent ban on performing a certain activity.
Other sanctions, in case of corporate failure to pay the fines during the stipulated period, the wealth or earnings will be confiscated and auctioned by the prosecutor. If the number remains insufficient, the sanction will be replaced with imprisonment for a specific period determined by the judge.
If the number of wealth or earnings confiscated and auctioned is inadequate, the corporate will be subject to the substitute sanction in the form of the freezing of their partial or whole business activities for five years. The duration for this freezing action is stipulated by the judge.
In addition to corporate, this law also regulates sanctions for an individual who contributes to the data privacy breach, or hacker. The law says:
- Every person who purposely violates the law by obtaining or collecting personal data that does not belong to oneself to benefit oneself, that caused loss to the subject of the personal data, will be sentenced to the statutory maximum of five years in prison and/or paying sanction maximum Rp5 billion.
- Every person who purposely violates the law and reveals personal data that does not belong to oneself is sentenced to the statutory maximum of four years in prison and/or paying a fine maximum of Rp4 billion.
- Every person who purposely violates the law and uses personal data that does not belong to oneself is sentenced to the statutory maximum of four years in prison and/or paying a fine maximum of Rp5 billion.
- Every person who purposely violates the law and fabricates fake personal data to benefit oneself or others that cause any loss to others is sentenced to the statutory maximum of six years in prison and/or paying a fine maximum of Rp6 billion.