In April 2023, in two separate judgments, the Constitutional Court clarified the interpretation of some provisions in Law No. 27 of 2022 on Personal Data Protection, i.e., provisions on personal or household processing of personal data and on the limitations of a data subject’s rights in relation to national security and defense.
The draft of the Indonesian Personal Data Protection Law was approved to become law by the Indonesian Parliament (Dewan Perwakilan Rakyat Republik Indonesia) on 20 September 2022. With this approval, we are nearing the end of the process of an ambitious piece of legislation, which took several years to get approval. For several years, Indonesia has only relied on various diverse regulations that contain privacy provisions without one comprehensive umbrella law on personal data protection.
Until recently, there was no clear deadline for the registration obligation imposed on offshore or foreign private electronic system operators (ESOs) under Minister of Communication and Informatics (MOCI) Regulation No. 5 of 2020 on Private Electronic System Operators, as lastly amended by MOCI Regulation No. 10 of 2021 (“MOCI Regulation 5”).
When MOCI Regulation 5 was first enacted, there was a six-month transitional period for private ESOs to conduct ESO Registration after the regulation became effective on 24 November 2020. However, in practice, the Indonesian Online Single Submission (OSS) system was not yet able to accommodate registration applications by offshore private ESOs. As a result, the timeline for ESO Registration was further extended to become six months after the OSS system became effective.
On 22 June 2022, the MOCI held a press conference to announce that the six-month period was counted from 21 January 2022 (deemed as the date on which the OSS system became effective), and that therefore the deadline for ESO Registration would be 20 July 2022.