Indonesia has enacted a new data protection law, effective October 17, 2022, the Personal Data Protection Act (PDPA, here in Indonesian and here as machine translation in german).
The PDPA has extraterritorial effect – it applies to the processing of personal data within Indonesia, but also outside Indonesia, provided that the processing has legal consequences in Indonesia, or Indonesian citizens outside Indonesia:
Article 2
(1) This Act shall apply to all persons, public bodies and international organizations that… Legal acts make, which are governed by this Act:
a. which are located in the Territory of the Republic of Indonesia are located; and
b. outside the jurisdiction of the Republic of Indonesia, which is legal consequences has:
1. within the jurisdiction of the Republic of Indonesia; and/or
2. For personal data of Indonesian citizens outside the territory of the Republic of Indonesia
2. this Act shall not apply to the processing of personal data by natural persons in the course of private or domestic activities.
The idea of also regulating processing outside the territory if it affects nationals does not necessarily correspond to the idea of the principle of territoriality as understood in Europe, but also applies in other states, for example Nigeria, where strict data protection law along the lines of the GDPR applies. Art. 1.2 of the Nigeria Data Protection Regulation 2019:
1.2 SCOPE OF THE REGULATION
a. this Regulation applies to all transactions intended for the processing of Personal Data, to the processing of Personal Data notwithstanding the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria;
b. this Regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria;
c. this Regulation shall not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction.
However, it cannot be completely dismissed as a non-European specialty. The French Loi Informatique et Libertés for example sees in Art. 3(II) for the national transposition law to apply to the processing of the data of persons residing in France:
Article 3
I – Sans préjudice, en ce qui concerne les traitements entrant dans le champ du règlement (UE) 2016/679 du 27 avril 2016, des critères prévus par l’article 3 de ce règlement, l’ensemble des dispositions de la présente loi s’appliquent aux traitements des données à caractère personnel effectués dans le cadre des activités d’un établissement d’un responsable du traitement ou d’un sous-traitant sur le territoire français, que le traitement ait lieu ou non en France.
II – Les règles nationales prises sur le fondement des dispositions du même règlement renvoyant au droit national le soin d’adapt ou de compléter les droits et obligations prévus par ce règlement s’appliquent dès lors que la personne concernée réside en France, y compris lorsque le responsable de traitement n’est pas établi en France.
Toutefois, lorsque est en cause un des traitements mentionnés au 2 de l’article 85 du même règlement, les règles nationales mentionnées au premier alinéa du II sont celles dont relève le responsable de traitement, lorsqu’il est établi dans l’Union européenne.
The legislative justification for this is interesting:
3 – Le législateur a choisi d’instaurer un critère de rattachement territorial particulier pour les spécificités
françaises, traduisant un choix politique de la France, teinté de souverainisme, qu’il est possible de
résumer de la manière suivante.
4 – Par principe, les spécificités françaises s’appliquent ” dès lors que la personne concernée réside en
France “, et ce ” y compris lorsque le responsable de traitement n’est pas établi en France “. Ce
critère de rattachement exorbitant (lieu de résidence des personnes concernées) confère un large
rayonnement au droit français, écartant les droits des autres États membres. Ce choix, qui peut
paraître curieux, est apparu opportun au législateur français, car ” plus protecteur pour les personnes
physiques concernées, qui n’ont alors pas à s’interroger sur le droit applicable dans un autre État membre de l’Union, lequel n’est bien souvent pas accessible dans leur langue “.
Art. 139 IPRG is no different – here, too, the home law of the person concerned may be applied, at least if this local involvement was to be expected:
1 Claims arising from infringements of personality rights by the media, in particular by the press, radio, television or other public information media, are subject to the following provisions Choice of the injured party:
a. the law of the country in which the Aggrieved has his habitual residence, provided that the tortfeasor had to expect the occurrence of the event in that state;
b. the law of the country in which the Originator of the violation has its establishment or habitual residence, or
c. the law of the country in which the Success of the infringing act occursprovided that the injuring party had to expect the occurrence of the success in this state.
2 The right of reply […]. 3 Paragraph 1 is also applicable to claims arising from infringement of personality through the editing of Personal data as well as from impairment of the right of access to personal data.