Personal Data Protection Authority Institute

The Personal Data Protection Authority (Lembaga Pelindungan Data Pribadi) is a future executive agency formed by the Indonesian government, working directly under the President of Indonesia. The agency will be tasked with information privacy safeguarding, personal data protection, and enforcing laws related/regarding to the personal data protection.

History
The call for establishment of an institution to protect data privacy had been sounded since 2016. Establishment of such institution deemed very needed to protect the constitutional rights of Indonesian citizens for information privacy protection and safeguarding national interests over the personal data protection.

During the formulation of the Bill of Personal Data Protection, there is an issue regarding to whom will be vested with power to safeguard and enforce the law regarding the personal data protection. There was discussed whether the Ministry of Communication and Information Technology, National Cyber and Crypto Agency, or a separate independent agency under the office of the President of Indonesia that will be vested with such power.

On 20 September 2022, the Bill of Personal Data Protection passed by the People's Representative Council and signed into law by Joko Widodo on 17 October 2022 as Law No. 27/2022 (Law on Personal Data Protection). When the bill passed into law, it later known that the third option is chosen instead giving such powers to the pre-existing agencies/ministries. Article 58, 59, and 60 of the Law No. 27/2022 detailed the agency establishment, mandate, and authorities.

On 26 January 2024, Ministry of Communication and Information Technology confirmed that the agency targeted to be established on Mid 2024. The agency expected to be a spin-off of the ministry body.

Powers
As mandated by Article 59 Law No. 27/2022, the agency mandated to:


 * 1) Formulate and establish the policies and strategies for personal data protection, which will be used as standards and guide to the personal data subject, controller, and processor.
 * 2) Supervise of the personal data protection implementation.
 * 3) Law enforcing administrative violation of the personal data protection laws, including the violations against the Law No. 27/2022 itself and its derivative regulations.
 * 4) Facilitate dispute resolution outside the court.

As mandated by Article 60 Law No. 27/2022, the agency possessed authorities as follows:


 * 1) Formulation and establishment of policies and strategies for personal data protection, which will be used as standards and guide to the personal data subject, controller, and processor.
 * 2) Supervision of the personal data protection implementation.
 * 3) Administrative law enforcement for the violation of the personal data protection laws, including the violations against the Law No. 27/2022 itself and its derivative regulations.
 * 4) Assisting the preexisting law enforcement agencies in Indonesia in handling alleged criminal acts against the laws.
 * 5) Establishing cooperation with other countries' data protection authorities.
 * 6) Assessing compliance requirements for transfer of personal data outside the region the laws of the Republic of Indonesia.
 * 7) Issuing orders in order to follow up the supervisory results of the Personal Data Controller and/or Personal Data Processors.
 * 8) Publishing the results of the implementation of supervision.
 * 9) Protection of Personal Data in accordance with the laws.
 * 10) Receiving complaints and/or reports regarding allegations there is a violation of Personal Data Protection
 * 11) Investigating over complaints, reports, and/or monitoring results against allegations of violations of the personal data protection laws.
 * 12) Summoning and presenting Everyone and/or public bodies related to alleged violations of the personal data protection laws.
 * 13) Requesting information, data, and documents from every related person and/or public Body alleged to violate personal data protection laws
 * 14) Summoning and presenting the necessary experts in investigations and investigations related to allegations of violations of personal data protection laws.