Shortly after the enactment of Law No. 27 of 2022 on Personal Data Protection ("PDP Law") on 17 October 2022 (click here and here to read our previous client alerts on the PDP Law), the Indonesian Constitutional Court received two distinct constitutional review petitions concerning the PDP Law.
As discussed in our previous client alerts, there were ambiguities in the PDP Law, and we mentioned these ambiguities are likely to be clarified through the Law’s implementing regulations, when such regulations are issued. While the government has not issued any implementing regulations for the PDP Law, the Constitutional Court’s rulings clarified some provisions of the Law, namely on personal and household processing of personal data and limitation of data subjects’ rights, specifically with regards to national security and defence.
We discuss these clarifications in more detail below.
Both petitions were filed by individual applicants and essentially, the petitions requested the Constitutional Court to declare specific articles of the PDP Law to be unconstitutional. In the first case, which was filed in October 2022, the applicant (“Applicant 1”) requested the Court to declare the following articles as unconstitutional:
Article 1(4) of the PDP Law on the definition of a Controller;
Article 2(2) of the PDP Law on the personal or household data processing exemption; and
Article 19 of the PDP Law, which delineates the various types of Controllers and Processors.
Applicant 1 expressed the belief that, under Articles 1(4) and 19 of the PDP Law, legal entities were not classified as Controllers. As a result, he cannot engage a legal entity to manage personal data subject to the PDP Law's requirements.
Concerning the exemption outlined in Article 2(2) of the PDP Law, Applicant 1 contended that such an exemption might inadvertently leave small or household-scale businesses, which also process personal data, unregulated. Applicant 1 emphasised the significant presence of these businesses in Indonesia, particularly within the e-commerce sector. He worried that, due to the exemption, if any data breaches were to occur in these businesses, they would not be held accountable under the PDP Law.
Additionally, Applicant 1 highlighted the lack of clarity surrounding the scope of the exemption in Article 2(2) of the PDP Law. Consequently, he believed that his constitutional right to legal certainty, as guaranteed under Article 28D(1) of the Indonesian Constitution, had been violated.
Meanwhile, in the second case, which was filed in November 2022, the applicant (“Applicant 2”) requested the Court to declare Article 15(1)(a) of the PDP Law on limitations of certain data subjects’ rights as unconstitutional. This Article allows specific data subjects’ rights to be limited if it relates to data processing activities pertaining to defence and national security matters. Nonetheless, Applicant 2 argued that the PDP Law fails to clearly define "defence and national security", and consequently, this lack of clarity has infringed upon Applicant 2's constitutional rights as a citizen, resulting in a violation of his entitlement to legal certainty.
In both cases, the Court determined that it has jurisdiction to hear these cases, and that the applicants have a legal standing to file the petitions. However, the Court also found that the applicants' arguments regarding the merit of the cases lack legal justification. Consequently, the Court denied the petitions in their entirety and therefore, the provisions that the applicants sought to have annulled by the Court remain valid, as the Court found no inconsistencies between these provisions of the PDP Law and the Constitution.
Personal and household exemption
For the first case, the Court clarified that data processing by an individual for personal or household activities is not subject to the PDP Law if such processing is conducted for non-commercial purposes.
Additionally, the government offered valuable guidance on how to apply for the personal and household exemption under Article 2(2) of the PDP Law in its defence of this case. For personal and household data processing activities to be exempted from the PDP Law, such processing activities must have these characteristics:
Defence and national security
In the second case, the government offered clarification on the restrictions for certain data subject rights, as outlined in Article 15(1) of the PDP Law, with respect to defence or national security. It is essential to interpret this Article in conjunction with Article 15(2) of the PDP Law, which stipulates that data processing concerning defence or national security must occur within the framework of implementing a legislative requirement, i.e. implementing a law that regulates defence or national security.
The government gave several examples of these laws, namely Government Regulation in lieu of Law No. 1 of 2002 on the Eradication of Terrorism, Law No. 3 of 2002 on State Defence, Law No. 34 of 2004 on the Indonesian National Army, Law No. 12 of 2005 on the Ratification of the International Covenant on Civil and Political Rights, Law No. 17 of 2011 on State Intelligence, and Law No. 23 of 2019 on the Management of National Resources for State Defence.
These recent Constitutional Court rulings have shed light on ambiguous provisions in the PDP Law, offering essential guidance to individuals, organisations, and public bodies.
By addressing concerns surrounding the personal and household exemption, and clarifying the limitations of data subject rights in the context of defence and national security, the Court has fostered a more transparent and comprehensive understanding of the law. Pending the issuance of the implementing regulations of the PDP Law, these rulings will contribute to the effective implementation of the PDP Law and empower stakeholders to navigate the legal landscape of data protection in Indonesia with more confidence.
 Case No. 108/PUU-XX/2022.
 Case No. 110/PUU-XX/2022.