Cross-Border Data Transfer in Indonesia 2023

May 9, 2023
DENNY RAHMANSYAH AND AGUNG KURNIAWAN SIHOMBING After almost a decade of discussion, Indonesia finally passed its personal data protection law in September 2022. Law No. 27 of 2022 dated 17 October 2022, regarding Personal Data Protection (PDP Law) becomes Indonesia’s umbrella regulation for personal data protection, both in electronic and non-electronic form. The PDP Law also applies extraterritorially to any personal data processing that has an impact in Indonesia and/or affects Indonesian citizens outside of Indonesia’s jurisdiction. Consisting of 16 chapters and 76 articles, the PDP Law regulates the main principles of personal data protection, the rights of personal data subjects, and the obligations of Personal Data Controllers (Data Controller) and Personal Data Processors (Data Processor). It also regulates sanctions (administrative and criminal) for violations of the law. Despite being a comprehensive regulation, most of the provisions of the PDP Law require implementing regulations to be fully implemented. The PDP Law provides a two-year transitional period, beginning 17 October 2022, for Data Controllers, Data Processors, and other parties involved in data processing activities to adjust their data processing practices to the requirements under the PDP Law. One of the provisions in the new law that lacks clarity concerns cross-border data transfers, an issue of great importance in the digital age. Noting the lack of clarity in the PDP Law, this article will provide a brief overview of the current practice applicable under MOCI Reg. 20/2016 and offer a comparison with the General Data Protection Regulation (GDPR) of the European Union (EU), which was referred to heavily during the drafting of the PDP Law. Personal Data Under The PDP Law...

Indonesia’s FSA Launches Revamp of Capital Markets Rules, Including First Ever Code for Voluntary Corporate Privatizations

April 14, 2021
After the passage of more than 15 years since its last major overhaul of capital-markets rules, the Indonesian Financial Services Authority (Otoritas Jasa Keuangan / “OJK”) has issued an important new instrument that updates the requirements and procedures that regulate the organization, governance, and activities of (i) capital-market institutions and support professions, and (ii) public companies. While much of the new regulation constitutes a codification of existing rules, it also arms the OJK with a number of significant new powers, and incorporates the OJK’s first-ever set of written rules on how public companies may voluntarily be taken private. The new regulation, OJK Regulation No. 3/POJK.04/2021 (“Reg. 3”),[1] was issued and entered into effect on 22 February 2021. In this ABNR Update, we focus on the issues of corporate privatization, shareholdings by investment managers, and controllers of public companies. But first an explanatory note on terminology – a public company in Indonesia is any company that has at least 300 shareholders and a minimum paid-up capital of IDR 3 billion (USD 206,000), or such other number of shareholders and/or quantum of paid-up capital as may be stipulated by the OJK. Meanwhile, a listed company is a public company whose shares are listed on the Indonesia Stock Exchange. Thus, not all public companies are listed companies, but all listed companies must be public companies. A. Procedures and Requirements for Corporate Privatization (Voluntary and Involuntary) The most notable feature of Reg. 3 in relation to public companies is its introduction of new rules governing how a company may voluntarily go private. This marks the first time in Indonesia that such written procedures...