October 26, 2022

Indonesia Approves Data Protection Bill: Impact on Travel Rule Compliance

Indonesia Approves Data Protection Bill: Impact on Travel Rule Compliance
  • With Indonesia green-lighting the Personal Data Protection Bill, crypto exchanges and custodians offering services to its citizens, be it within the country or abroad, must obtain explicit consent before collecting, storing, and processing user data for FATF Travel Rule purposes. 
  • Indonesia’s PDP bill has many similar segments to the EU’s GDPR, which includes definitions, obligations, accountability, etc. 
  • Although the PDP bill does not mandate data localization, it demands that cross-border data transfers be undertaken securely and transparently.

Indonesia's House of Representatives gave the go-ahead to the Personal Data Protection Bill (PDP) on September 20th, paving the way for the country's first ever data privacy-focused law. The next step in the loop was a presidential signature, which was granted on October 17th, enacting the bill into law. 

With this, the Virtual Asset Service Providers (VASPs) have their work cut out to comply with the regulation while wading through the brutal crypto winter that has brought the global crypto market down to trillion dollars. 

And therefore, in this article, we will look at the bill's impact on Virtual Asset Service Providers, or VASPs, with respect to the FATF Travel Rule and a solution that can make the VASP compliance journey frictionless. But before that, let's look at what the bill is all about!

What's the Purpose of the bill?

The PDP bill will enable Indonesia to meet the international standards of personal data and rights. As such, it consists of many segments similar to the internationally-recognized personal data protection laws, most notably the EU's GDPR, including definitions, obligations, and accountability, to name a few. 

However, there are more than a few differences as well. For instance, the bill will only apply to foreign entities when they violate Indonesia's laws or handle user data of Indonesians based outside the country.

The Key Factors: PDP Bill & Travel Rule Compliance 

User Consent

The Personal Data Protection Bill mandates that all entities obtain explicit consent before storing and processing the data of Indonesians. 

As such, collecting user data without consent is a serious offence under Indonesia's new data privacy laws and can attract severe penalties, which can be up to 2% of annual revenue. 

Thus, VASPs with Indonesian customers must obtain explicit consent to collect and process FATF Travel Rule data before sharing it with counterparty VASPs for compliance purposes. As a reminder, the FATF Travel Rule is a mandated requirement that countries are implementing where VASPs will have to share details of the originator and beneficiary to transactions.

That’s where Shyft Veriscope comes into the picture, as it simplifies this process by taking consumer consent every time before personal data is shared.

Secure and Transparent Travel Rule Data Processing 

Under Art 16(2) of the bill, organizations must ensure that data transfers are secure and transparent. Thus, VASPs complying with the FATF Travel Rule must use a solution that can process user data securely and transparently. And by doing so, VASPs will not only comply with the recently approved PDP bill but also the FATF Travel Rule as mandated by the country’s regulator BAPPEBTI.

Now, the question is, how can a VASP ensure security when using a FATF Travel Rule solution that stores and routes user data through third-party servers? Moreover, will such a Travel Rule solution take responsibility in case of a breach? And, even more important, who is responsible for detecting if a breach has occurred?

The fact is, in most cases, such Travel Rule Solutions will point out that they are not contractually liable for the breach. Thus, the onus is on VASPs. So, VASPs must understand the legal aspect of data privacy, data security, and consent before choosing a Travel Rule solution.

Simply put, Shyft Veriscope is a true game-changer among all options available in the market as not only are all Travel Rule data transfers on it VASP-to-VASP (i.e. peer-to-peer) but also encrypted with public-private keys that only the transacting VASPs have access to. Moreover, at no point does the FATF Travel Rule data pass through Shyft Network's infrastructure. 

Whilst we are discussing Indonesia here, the new bill is reflective of data privacy laws around the world. So, the implications of Shyft Veriscope’s global solution can be far wider than the 16 million transacting Indonesian users.

No Data is Secured!

IBM's 2022 Cost of a Data Breach Report notes that the entire life cycle of a data breach among mature organizations is 237 days, which includes the total days the organizations spent on identifying (184 days) and containing data breaches (53 days). If this seems like a rather big figure, the early and mid-stage organizations, including decentralized organizations, will likely spend even longer. 

This points to the fact that no data is secured, regardless of the stage or type of organization. In fact, even organizations with best-in-class security can (and do) get hacked. Thus, VASPs must choose a FATF Travel Rule solution that can enable them to mitigate the risks of data breaches, to be able to detect in real time any unwanted attempts to access data and ensure that they prioritize the "Privacy by Design" mechanism, which is one of the fundamental principles of GDPR as well. 

Shyft Veriscope has this in hand - offering VASP-to-VASP data transfer capability, automated VASP discovery, and obtaining explicit user consent to store and process data. It is privacy-by-design, compliance-by-design, frictionless-by-design, and efficiency-by-design.


Crypto exchanges and custodians need a FATF Travel Rule Solution to begin complying with the FATF Travel Rule. Shyft Veriscope is built to meet that requirement, regardless of country or digital asset.  

Visit our website to read more: https://www.shyft.network/veriscope and contact our team for a no-obligation discussion: https://www.shyft.network/contact

Also, follow us on Twitter, LinkedIn, Discord, Telegram, and Medium for up-to-date news from the world of crypto regulations.