Indonesia's parliament has this week passed into law a personal data protection bill. Apparently modelled on European Union legislation, it is widely reported to be a response to a number of data leaks and alleged breaches at government firms and institutions in Indonesia.
The institutions allegedly affected by the leaks and breaches include a state insurer, a telecoms company and a public utility. However, possibly the most high-profile leak involved a contact-tracing Covid-19 app that revealed the president's vaccine records.
Reuters reports that lawmakers have overwhelmingly approved the bill, which authorises the president to form an oversight body to fine data handlers for breaching rules on distributing or gathering personal data. There will also be compensation for data breaches and the opportunity for individuals to withdraw consent for data use.
Penalties include corporate fines and, in certain cases, imprisonment. The biggest fine is 2% of a corporation's annual revenue. A corporation could also see its assets confiscated or auctioned off. The law includes a two-year ‘adjustment’ period, though how that works in practice is not clear.
As for imprisonment, individuals can be jailed for up to six years for falsifying personal data for personal gain or up to five years for gathering personal data illegally.
While some feel the law will force companies to improve their data protection, Reuters notes that there have been questions as to whether it will encourage government bodies to improve their data handling.