Part 3 - Personal Data Violators: Between Administrative and Criminal Sanctions

By Inka Aita Putri / 31 August 2023

Understanding the legal implications concerning the transfer of personal data, administrative and criminal sanctions, as well as dispute resolution mechanisms to safeguard privacy and minimize risks in the digital era within Law No. 27 of 2022 on Personal Data Protection.

Key Points

  1. The transfer of personal data is differentiated based on the location of the personal data controller, namely within and outside the jurisdiction of Indonesia;
  2. Personal data controllers are required to provide adequate protection for transferred data to mitigate the risks of data misuse and privacy breaches;
  3. Administrative sanctions are imposed as a form of warning against personal data violations;
  4. Criminal sanctions apply to the collection, disclosure, and unauthorized use of personal data, and to the forgery of personal data.

Background

The PDP Law regulates in detail the transfer of personal data, which is categorized based on the location of the personal data controller. The personal data controller is required to provide adequate protection for personal data that is transferred or received. Regarding dispute resolution, the PDP Law regulates the settlement mechanism through various authorized institutions, namely arbitration, courts, or other dispute resolution institutions, where the trial is conducted in a closed-door setting to protect the parties' private data.

In addition, the PDP Law regulates the imposition of administrative sanctions and criminal sanctions for personal data violations.

Personal Data Transfer

The PDP Law divides the transfer of personal data into two categories, namely within the jurisdiction of Indonesia and outside the jurisdiction of Indonesia. These categories are based on the location of the personal data controller.

A transfer of personal data occurs within Indonesia when the personal data controller transfers data to another entity also located within the territory of Indonesia. Meanwhile, a transfer of personal data outside of Indonesia occurs when personal data is sent to entities located outside the territory of Indonesia.

In both categories, the personal data controller is obliged to provide adequate protection for the transferred and received personal data, by considering (i) the basis for processing personal data, and (ii) the usage purpose. This is aimed at minimizing the risks of data misuse and information leakage.

Administrative Sanctions

The PDP Law imposes administrative sanctions as a form of admonishment and warning against the processing of personal data that lacks a legal basis, violates obligations regarding compliance with the purpose of personal data processing, or violates the requirement to obtain consent from data subjects.

Administrative sanctions range from written warnings, temporary suspension of personal data processing, and deletion or destruction of personal data, to administrative fines. These fines can reach up to 2% of the annual revenue or income based on the type of violation.

Dispute Resolution

In the event of disputes related to personal data violations, the PDP Law regulates the mechanism for resolution through various authorized institutions, namely arbitration, court, or other dispute resolution bodies.

Court proceedings in cases of personal data violations are conducted in a closed manner to protect the privacy of individuals and the confidentiality of personal data. Furthermore, these proceedings also consider valid forms of evidence according to the law, including electronic evidence and electronic documents.

Criminal Sanctions

Some actions that can result in criminal penalties include unauthorized acquisition or collection of personal data, disclosure of personal data, unauthorized use of personal data, and falsification of personal data.

The criminal penalties include imprisonment and fines, the amount of which is in accordance with the level of the offense committed, ranging from a maximum imprisonment of 4 years and a maximum fine of Rp4,000,000,000.-, to a maximum imprisonment of 6 years and a maximum fine of Rp6,000,000,000.-.

Conclusion

The PDP Law aims to ensure ethical standards and an appropriate level of security. Through a diverse range of administrative sanctions, the PDP Law emphasizes prevention and warnings aimed at violators, while criminal sanctions ensure penalties commensurate with the level of violation.

Moreover, the dispute resolution mechanism plays an essential role in maintaining the integrity and privacy of personal data.

Key Contacts

Please get in touch with the designated key contacts via phone or email if you have any inquiries or would like to learn about the potential impact on your business.
Ivor I. Pasaribu

Managing Partner
+62 21 2276 1962
Even Alex Chandra

Partner
+62 21 2276 1962
