Compensation Claims in the event of Personal Data Protection Violations by Personal Data Controllers
Nearly four years after the enactment of Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), the implementing Government Regulation has been circulated ("PDP GR Draft")[1] but has not yet been officially issued. Nonetheless, the PDP Law already signals key mechanisms that are expected to be further elaborated in the forthcoming implementing regulation.
One such mechanism is the right of personal data subjects to claim compensation for violations in the processing of their personal data. Although this right is already recognised under the PDP Law, specifically under Article 12 thereof, its practical implementation remains uncertain pending the issuance of the PDP GR Draft.
Against this backdrop, the circulated PDP GR Draft provides an early indication of how such compensation claims may be implemented in practice. This ARMA Update therefore examines the proposed framework governing the right of personal data subjects to seek compensation from personal data controllers in the event of personal data protection violations.
Providing Claims due to Violations by the Personal Data Controller
The PDP Law itself sets out the rights of Personal Data Subjects, along with the principles and obligations that must be adhered to in processing Personal Data. Where the processing of a Personal Data Subject's Personal Data violates these requirements, one of the rights that can be pursued, as mentioned above, is to file a claim for the violation.
Article 115 of the PDP GR Draft mirrors Article 12 of the PDP Law, under which Personal Data Subjects are able to claim compensation from the Personal Data Controller, whether based on error or negligence of the Personal Data Controller, in the processing of Personal Data about themselves. This compensation can take the form of material and non-material compensation.[2]
Material compensation consists of the payment of a sum of money equivalent to the losses suffered by the Personal Data Subject, whereas non-material compensation consists of remedial actions or other measures, other than the payment of a sum of money, to restore the protection of the Personal Data of the Personal Data Subject to the condition prior to the processing violation.[3]
In submitting a compensation claim, the PDP GR Draft appears to distinguish between the threshold for filing a claim and the substantiation of the compensation amount. A Personal Data Subject is required to submit evidence that a violation of personal data processing has occurred and has affected them, without first having to prove the actual loss suffered. However, to support the amount or form of compensation requested, the Personal Data Subject must also provide information and supporting evidence on the material or non-material loss suffered, evidence that their personal data was processed by the relevant Personal Data Controller, and evidence relating to the personal data affected by the personal data protection failure.[4]
Obligation of Providing Compensation Communication Channel
To accommodate compensation claims by affected Personal Data Subjects, Personal Data Controllers are obligated to provide a communication channel specifically for addressing such claims.[5] Additionally, the Personal Data Controller is required to establish a compensation policy, communicated through a Personal Data Protection Notice, which at a minimum sets out the procedures for submitting claims, the types of compensation available, the circumstances under which claims may be rejected, the timeframe for processing or rejecting claims (i.e., 3 x 24 hours), and the relevant contact information for the Personal Data Protection Officer where the violation involves a Personal Data Processor.[6] It must also be ensured that the Personal Data Protection Notification is provided in the Indonesian language in a concise and clear format.[7]
Determination of Compensation Amount
In the event of a breach, it may be difficult to determine the exact amount of compensation needed to cover the damage suffered by the Personal Data Subject. However, Article 119 of the PDP GR Draft provides that 2 (two) parties are authorized to determine the compensation amount: (i) a party selected by both the Personal Data Controller and the Personal Data Subject, where both parties agree to settle the dispute out of court; or (ii) a judge of a competent court ("Authorized Parties").[8]
In determining the appropriate compensation amount, the Authorized Parties must consider various factors, including the nature and extent of the violation, the resulting losses and benefits obtained by the Personal Data Controller, the duration and frequency of the violation, the Personal Data Controller's financial condition, any sanctions imposed, and the remedial measures taken before and after the incident.[9]
Refusal of Compensation Request
If a Personal Data Controller or Processor refuses to provide compensation or provides compensation that does not align with the request of the Personal Data Subject, the latter may submit a dispute resolution request to the Personal Data Protection Agency ("PDP Agency"). Through this mechanism, the parties may seek an agreement regarding the form and amount of compensation, as well as specific measures aimed at ensuring that the losses suffered by the Personal Data Subject will not occur or reoccur in the future.[10]
With respect to the PDP Agency, as of the date of this ARMA Update, the Government has only circulated a draft Presidential Regulation on its establishment, which has yet to be formally issued. Accordingly, the PDP Agency has not yet been formally established or become operational.
Although the implementing Government Regulation has not yet been issued, businesses may nevertheless consider taking proactive steps to align their internal data protection practices with the proposed framework. In particular, companies may begin reviewing and updating their personal data processing notices and internal policies to incorporate provisions relating to compensation mechanisms and other requirements contemplated under the draft regulation.
Disclaimer:
This client update is the property of ARMA Law and is intended to provide general information. It should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. ARMA Law has no intention to provide specific legal advice with regard to this client update.