Petitioner Eric Cihanes attending the Petition Revision Hearing on the Judicial review of Law Number 27 of 2022 on Personal Data Protection, Tuesday (12/11) at the Courtroom. Photo by MKRI/Ifa.

---

JAKARTA, MKRI - The Petitioners of Case Number 151/PUU-XXII/2024 have revised their petition to review the constitutionality of Article 53 paragraph (1) of Law Number 27 of 2022 on Personal Data Protection (PDP Law). In the revision of their petition, Eric Cihanes (Applicant I) and Garin Arian Reswara (Applicant II) outlined a comparison regarding the mandatory appointment of a Personal Data Protection Officer (PPDP) known as Mandatory Appointment of Data Protection Officer (DPO) in several countries as well as comparisons to European Union countries that are subject to regulations related to the General Data Protection Regulation (GDPR).

“Either from the comparison of countries or to the GDPR instrument, the options are only two, if it does not use the word “or”  then it requires all data controllers to appoint PPDP so that the scope is clearer,” Eric said in the petition revision hearing on Tuesday, November 12, 2024, at the Courtroom.

The countries referred to include Singapore, Thailand, Malaysia and Korea. Of the four countries, only Thailand formulates the rules by using the word “or” so that the criteria for PPDP appointment requirements in the Thai PDP Act are formulated alternatively. Meanwhile, Singapore, Malaysia, and Korea require each data controller to appoint its PPDP to ensure compliance with the PDP regulations.

Meanwhile, the Petitioners said that since its enactment in 2016, the GDPR has become the gold standard in regulating PDP in many countries other than EU member states, including Indonesia. Many articles in Indonesia's PDP Law are similar to the GDPR, including Article 53 paragraph (1) of the PDP Law, which is being challenged for constitutionality in the petition.

However, the regulation regarding the obligation to appoint a DPO/PPDP in the GDPR is regulated using the word “or” so that the criteria for the requirement to appoint a DPO/PPDP in the GDPR is also formulated alternatively. Meanwhile, according to the Petitioners, the criteria for Article 53 paragraph (1) of the PDP Law can be fulfilled alternatively or cumulatively.

Therefore, they requested to change the word “and” to “and/or” in the formulation of Article 53 paragraph (1) of the PDP Law in order to expand the scope of data controller and data processor organizations that are obliged to appoint PPDPs. This is because, according to the Petitioners, the wider presence of PPDPs, especially for data controllers and data processors that perform high-risk personal data processing, is directly proportional to the level of compliance of data controllers and data processors with their obligations, which in turn will increase the level of protection and guarantee of the constitutional rights and data subjects.

On the other hand, the Panel of Justices, led by Justice Arief Hidayat, accompanied by Justice Daniel Yusmic P Foekh and Justice Arsul Sani, highlighted Petitioner II's absence in today's hearing. This is because the petition does not state that Petitioner I can attend alone and has received authorization to represent Petitioner II in the hearing.

Also read: Personal Data Protection Law Challenged

In the preliminary hearing, the Petitioners explained their petition that questioned the phrase “and” at the end of the sentence of letter b in Article 53 paragraph (1) of the PDP Law related to the provision on the obligation of the personal data controller and processor in assigning an official or officer who performs the function of personal data protection. Article 53 paragraph (1) of the PDP Law reads Personal Data Controller and Personal Data Processor shall appoint an official or officer who performs the function of Personal Data Protection in the case of (a) processing of Personal Data for the benefit of public services; (b) the core activities of the Personal Data Controller have the nature, scope, and/or purpose that require regular and systematic monitoring of large-scale Personal Data; and (c) the core activities of the Personal Data Controller consist of large-scale processing of Personal Data for specific Personal Data and/or Personal Data related to criminal offenses.” 

To the Petitioners, the cumulatively formulated criteria for assigning PPDP have narrowed the scope of the data controller and data processor organization, which is obligated to assign PPDP. In this case, the Petitioners argued, the data controller and data processor organization that only satisfy one or two criteria of the requirements provided in Article 53 paragraph (1) of the PDP Law are not obligated to assign PPDP. It is despite each criterion in each item in the article a quo is a criterion for personal data processing activities categorized as personal data processing that has a high potential risk to personal data subjects, which is also emphasized in Article 34 paragraph (2) of the PDP Law.

The presence of PPDP plays an essential role in ensuring the implementation of personal data protection; PPDP is present to supervise the compliance of a Data Controller and/or Data Processor organization in relation to personal data protection under the PDP Law, especially in terms of compliance with its obligations. In addition, the rules of obligation are, of course, followed by the regulation of sanctions that can be imposed on parties who do not carry out these obligations, the sanction instrument which in this case is used to encourage compliance with the obligation to appoint a PPDP in the norms of the article a quo.

Thus, the use of the word “and” in formulating the details of the requirements in Article 53 paragraph (1) of the PDP Law has limited the obligation to assign PPDP only to Data Controller and Data Processor organizations that simultaneously meet all criteria. Thus, this reduces the usefulness of the Article, which contains the norm of obligation, and also the connection with Article 57 of the PDP Law, which is the norm of sanctions for violating the norm of obligation in Article 53 paragraph (1) of the PDP Law.

In their petitum, the Petitioners request the Court to declare Article 53 paragraph (1) of the PDP Law contrary to the 1945 Constitution and has no binding legal force as long as the phrase “and” is not interpreted with “and/or”.

Penulis: Mimi Kartika
Editor: Lulu Anjarsari P.
Humas: Fauzan Febriyan

Translator: Rizky Kurnia Chaesario (NL)

Disclaimer: The original version of the news is in Indonesian. In case of any differences between the English and the Indonesian versions, the Indonesian version will prevail.

---