Fate of Personal Data Protection
Personal data leaks of Indonesian internet users have occurred because data managers at either government or nongovernmental institutions, do not have personal data protection systems installed.
The House of Representatives (DPR) is to resume deliberating the Personal Data Protection Bill, which is included in the 2021 National Legislation Priority Program.
The bill has hardly received public attention. As a matter of fact, this bill is to provide the legal basis for data protection measures any infringements and other violations of personal data.
The need for legislation at the law level to regulate the protection of personal data is indeed urgent, considering the sophisticated, ever-developing world of technology and digitalization.
It can be said that Indonesia does not have a comprehensive legal regulation to date on personal data. Personal data protection is part of citizens’ right to privacy and must be guaranteed by government.
Urgency
There are several reasons why the Personal Data Protection (PDP) Bill is important. Firstly, poor protection of personal data will enable leaks, misuse and other unscrupulous acts that disadvantage the owner of that data.
Several cases that have stuck out in the public reveal the worrying situation. These include, for instance, the selling of application users’ personal data on the dark web last year, leaking the data of Indonesia’s Covid-19 patients on the dark web, leaking and selling voters’ personal data from the General Election Commissions (KPU), including their names, contact information and national identity number (NIK), on illegal internet forums.
Also read: Agency Data Vulnerable to Hacking
Personal data leaks of Indonesian internet users have occurred because data managers at either government or nongovernmental institutions, do not have personal data protection systems installed.
The absence of such a system is partly due to the absence of a law requiring data administrators to secure the personal data they manage.
On the other hand, internet and technology users are unaware about the need to protect their personal data.
According to the article “19 Alarming Cybercrime Statistic for 2019” published on IT Supply Chain, 76 percent of Indonesian internet users are prone to becoming victims of data fraud.
Internet fraud and other cybercrimes in Indonesia contribute half a trillion US dollars per annum to global losses.
Secondly, given that personal data protection is part of citizens’ right to privacy that must be guaranteed by the state, the use of personal data for any reason is prohibited without the user’s consent.
The PDP Bill stipulates that consent must be obtained from individual users for transferring or managing their personal data.
The PDP Bill stipulates that consent must be obtained from individual users for transferring or managing their personal data.
Individual users have the right to request information about their data, delete their personal data or withdraw consent regarding their personal data, as well as object to the use of their personal data by website administrators for the purpose of profiling.
Once the PDP law is passed, website admin cannot arbitrarily transfer personal data. The right to privacy, which covers personal data, is a human right that must be protected by the state.
Also read: Accelerating the Public’s Digital Literacy
Russel Brown interprets the right to privacy as innate to every individual and that it derives from the right to personal property regarding certain assets.
In the Indonesian legal system, the right to privacy is mandated in Article 1, clause 28G in the 1945 Constitution, which the Constitutional Court has defined as “private affairs” in Constitutional Court Decision No. 50/PUU-VI/2008 on Judicial Review No. 11/2008 regarding Electronic Transactions and Information (ITE).
Notes
Because personal data protection is an important issue, the bill must be formulated thoroughly. The bill has yet to consider several aspects.
Firstly, the proposed clauses on exceptions to personal data protection for certain reasons are broad and vulnerable to multiple interpretations.
The reasons for these exceptions include: (a) national security; (b) in the interest of legal enforcement; (c) in the media interest as regards obtaining personal data from published sources that has user consent; (d) in the interest of scientific researches and statistics, as long as the personal data is obtained from published information (reconfirmation for the interests of research).
National security as a reason for applying an exception needs to be described in detail or must be detailed further in an explanation so it cannot be interpreted according to the interests of the regime in power.
The PDP law must be comprehensive and binding in guaranteeing personal protection.
Every exception must be open, clear, unambiguous and restricted and proportionate to the defined provision. The PDP law must be comprehensive and binding in guaranteeing personal protection.
Secondly, the proposed sanctions overlap with the ITE Law, which could create legal uncertainty in its implementation and enforcement, including on the part of law enforcement apparatus if there are two laws that regulate the same thing.
Matters on illegal access are regulated in Article 46, clause 32 of the ITE Law, while illegal alteration of data is covered in Article 48 of the law.
Thirdly, it is important to form an independent supervisory institution. The PDP Bill, which the House is currently drafting, relegates supervisory authority to government under coordination of the Communications and Information Ministry. This is susceptible to administrative irregularities and state politicking over personal data.
Also read: Indonesia\'s Challenge: Low Literacy, Breached Privacy
For these reason,s it is important to establish an independent supervisory institution consisting of experts who are immune to vested interests. Its absence would only increase the potential risk of personal data mismanagement.
Ratification
Indonesia will become the fifth ASEAN country to have a personal data protection law once the government and the House ratify the bill. The four other countries that have this kind of law are Singapore, Malaysia, Thailand and the Philippines.
The law will regulate the trafficking of personal data at home and abroad. It will also provide a legal basis for guaranteeing individual sovereignty over personal data.
Indonesia urgently needs a law on personal data protection, and the bill must be passed into law soon.
Law enforcement is part of the government’s obligation to guarantee protection of citizens’ privacy as mandated by the Constitution, particularly in the wake of the rampant acts of personal data fraud, which incur economic losses and other disadvantages.
Individual sovereignty over personal data benefits national welfare as a whole. Personal data protection will contribute significantly to the development of Indonesia’s digital economy.
Let us hope that the government and the House will resume deliberations over the PDP Bill and ratify it soon, as scheduled.
Al Araf, Chairman of Centra Initiative and Researcher at Impartial
(This article is translated by Musthofid).