Indonesia’s PDP Law is of regional and global significance, not just for its avoidance of localization, but because of its potential to become a model of pragmatic and flexible cross-border data flows.
At the heart of the PDP Law is the crucial “accountability principle”, which means that all organizations operating in Indonesia will be held responsible for managing Indonesian data regardless of where the data is. Legal responsibilities move with the data.
But as Nigel Cory writes in the Jakarta Post, this may sound like common sense, but other jurisdictions like the European Union try and make other countries responsible for protecting European personal data by forcing them to harmonize their privacy law to theirs. It associates geography with data privacy via adequacy decisions, where Europe judges whether a country is “adequate” protect European personal data.
The PDP Law’s potential to become a model for data transfers depends on implementing regulations right. However, there’s reason for hope. Indonesia’s policymakers were open and responsive to constructive feedback during the PDP bill drafting process. Hopefully, this continues.
Read the op-ed.
