DATA SUBJECT ACCESS REQUEST: WHAT INDONESIA CAN LEARN AND OPERATIONALISE IN 2024?

Abstract

The enactment of the Indonesian Personal Data Protection (PDP) Law is in line with the nation’s position as the most promising digital economy in Southeast Asia. The PDP Law, amongst others, introduces Data Subject Access Request (DSAR), a cornerstone mechanism to exercise data subject rights mirroring the European Union General Data Protection Regulation (GDPR). However, major causes of DSAR failure are predominantly triggered by resource constraint, lack of fundamental understanding, and technical gap when responding to such requests. In practice, DSAR management is time consuming and taxing since organisations shall manage numerous and complex requests within a tight timeline. By way of comparative analysis, we explore the concept of data subject rights, specifically the Rights to Access. Through observations and constructive responses by global data protection professionals, academics and non-lawyers, this paper alluded that similar failure scenario might occur in Indonesia when PDP Law grace period ended in 2024 – if the causes are not addressed and mitigated. Apropos, in safeguarding data subjects’ right, we assert that DSAR under the PDP law might bring disproportionate impracticality, hence there is demand for a robust consultation and holistic regulatory implementation. We also propose to consider a harmonized DSAR ASEAN framework for future proofing cross-border payment, in 2024 and beyond.