After six years of delay, Indonesia’s House of Representatives finally passed the Personal Data Protection (Pelindungan Data Pribadi, or PDP) Bill. On October 17, 2022, President Joko Widodo signed what is the country’s first comprehensive law on personal data protection, which will come into effect in October 2024.

The PDP law authorizes the president to create an overarching agency that would be empowered to regulate and oversee personal data protection and impose administrative sanctions on a corporation for non-compliance. Administrative sanctions include a fine of up to two percent of the company’s annual revenue. Criminal sanctions carry a prison sentence of up to six years and/or an IDR6 billion (US$383,000) fine. The legislation also gives individuals the right to access, delete, and rectify their personal data.

Indonesia’s personal data protection initiative comes at a time when major economies have been making moves on this critical global issue. US President Joe Biden recently signed an executive order on “Enhancing Safeguards for United States Signals Intelligence Activities”. This is a critical building block for the European Union-US Data Privacy Framework. Privacy Shield 2.0, as it is also known, replaces the EU-US Data Privacy Shield that was annulled by the EU Court of Justice in its Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (2020) decision. The European Commission in Brussels is now considering whether the American privacy regime is “adequate” – that is, if it is essentially equivalent to the privacy standards guaranteed in the EU. Schrems, an Austrian lawyer, and other privacy activists will likely bring Privacy Shield 2.0 in court, possibly putting in jeopardy US$1 trillion in transatlantic data flows.