Data Protection – Stratsea

Indonesia’s Limited Response to Data Breach Incidents
https://stratsea.com/indonesias-limited-response-to-data-breach-incidents/
Sun, 02 Oct 2022
The latest data breach has unfortunately been met with buck passing by numerous agencies, including the Ministry of Communications and Informatics. Credit: kominfo.go.id/Biro Humas Kementerian Kominfo

Introduction

The past few months have been especially alarming in Indonesia’s cybersecurity landscape. A data breach discovered on 21 August 2022 saw the theft of 1.3 billion SIM card records, including national identity numbers (NIK). The NIK is especially sensitive as it is linked to the user’s personal data, phone number, telecommunications provider and SIM card registration date.

This massive data breach was committed by Björka, who later instigated other scandalous cybercrimes such as stealing confidential data from state bodies (including the General Elections Commission [KPU]) and doxing public officials.

Regrettably, the Coordinating Minister for Political, Legal and Security Affairs Mahfud MD, one of the doxed officials, responded with a statement lacking sensitivity to the subject of personal data protection. He stated that “I am not troubled or concerned. My personal data is not confidential. You may grab it from Wikipedia (Google), the back cover of books I’ve written and from LHKPN KPK. My personal data is open (to the public), no need to be leaked.”

Image captured from Twitter.

Fundamentally, personal data protection is a subset of the right to privacy. Prof Daniel J. Solove of the George Washington University Law School argues that one of the elements of the right to privacy is secrecy. In the context of Indonesia, the right to privacy is constitutionally protected in Article 28G (1) of the 1945 Constitution. It is also guaranteed by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, both of which have been adopted by the country.

Unfortunately, Björka’s series of data breaches is not the first in Indonesia. During the Covid-19 pandemic, we experienced a multitude of incidents involving Tokopedia, BRI Life, the Social Security Administrative Body (BPJS), Diponegoro University, e-HAC and others.

Thus, a pertinent question arises: how does the government of Indonesia protect the personal data of everyone in the country? Answering this requires scrutiny of the laws and regulations, public policy, and the government’s response to this fundamental concern.

Laws and Regulations on Personal Data Protection

Indonesia has all along been responding to data breach incidents with insufficient legal instruments. The country has relied on only the following three instruments: 1) the Electronic Information and Transactions Law (ITE Law); 2) Government Regulation No. 71 Year 2019 on Electronic System and Transaction Operation (GR 71/2019); and 3) Minister of Communication and Information Technology Regulation No. 20 Year 2016 on Protection of Personal Data in Electronic Systems (Permenkominfo 20/2016).

Why are these not enough? First, the ITE Law does not focus on personal data protection and dedicates only limited sections to personal data, one of which states that “the use of each information through electronic media which related to individual personal data should be done by the consent of that individual, unless otherwise stipulated by laws and regulations.” In practice, the ITE Law is often used only to criminalize legitimate expression against individuals (particularly public officials), the business sector and the government.

Second, the GR 71/2019 was originally a derivative of the ITE Law, so it does not diverge radically from the ITE Law.

Third, Permenkominfo 20/2016 is merely a ministerial regulation, which carries lesser authority. According to Article 7 (1) of the Law on the Establishment of Laws and Regulations, a ministerial regulation lies outside the hierarchy of laws and regulations. Such regulations tend to bind government officers only.

On 20 September 2022, the House of Representatives and the President of the Republic of Indonesia passed the Personal Data Protection Act (PDPA), which will come into force on the date of its promulgation (within 30 days of its passing, according to the Law on the Establishment of Laws and Regulations). This step is a breath of fresh air for Indonesians concerned with personal data protection, despite some caveats regarding the content and scope of the PDPA.

According to the press release by the Advocacy Coalition on Personal Data Protection (KA-PDP), there are 10 critical issues in the PDPA. One of the major weaknesses is the establishment of a Data Protection Authority (DPA) that will be under the control of the government. This will surely be ineffective considering that the law applies not only to the private sector but also to the public sector, including the government itself. The government’s dual role will thus be marked by a conflict of interest. On one hand, the government is the very institution that enforces and supervises the personal data protection law; on the other hand, the government is also the object of that supervision, because its bodies or agencies could be data controllers or data processors. Furthermore, some of the DPA’s responsibilities, such as supervision, administrative sanctioning and investigation, would be hard to carry out if the DPA is controlled by the government. That is why the DPA should be independent – without independence, the enactment of the PDPA would lack effectiveness.

Reluctance, Half-Hearted Response and Buck Passing

The aforementioned e-HAC data breach illustrates the government’s ineptitude in responding to this problem. The first e-HAC data breach was discovered by vpnMentor on 15 July 2021, which they tried to report to the Ministry of Health on 21 and 26 July 2021, but received no response. The follow-up to the incident was carried out only a month later, on 24 August 2021, when vpnMentor reported the findings to the National Cyber and Encryption Agency (BSSN). On 30 August 2021, vpnMentor published its findings on the e-HAC data breach. The next day, the Ministry of Health responded by stating that the breach occurred in the old e-HAC application, which had not been in use since July 2021, the exact month in which vpnMentor first discovered the breach.

This account shows that the government will take further steps only when information about a data breach becomes widely public, indicating a lack of consideration for users’ rights. The statement “which has not been used” was especially questionable, considering that the breach was detected in July 2021, which means the old application and its stored data were still in use at the time. Regardless, the Ministry of Health should have carried out a thorough investigation from the first time the breach was reported, since medical data is sensitive data and thus requires protection.

Moreover, medical data is defined as all data pertaining to the health status of a data subject which reveals information relating to the past, present and future physical or mental health status of the data subject (EU GDPR). Hence, the phrase “which has not been used” may indicate that the application’s stored data included the past and present health status of its users – the Ministry of Health should thus take responsibility for that breach. Unfortunately, the Ministry and the application’s developer have failed to notify users of the data breach to this day.

In this and other incidents, the government seems puzzled as to how best to solve the issue. The core problem is the sectoral approach to regulating personal data protection: with so many sectors and actors involved, they usually pass responsibility to each other. According to a yet-to-be-published 2020 ELSAM study, there are at least 46 sectoral regulations (spread across sectors such as health, telecommunications, administration and others) related to data protection.

Furthermore, the government does not tackle the root of the problem. The government’s responses thus far are limited to: 1) blocking sites and/or accounts that hack the system; 2) investigation, but one that is neither transparent nor accountable; and 3) frequent buck passing among relevant bodies or agencies, including the National Cyber and Crypto Agency (BSSN), the Ministry of Communication and Information Technology (Kominfo) and others. To solve the root of the problem, however, the government should improve data protection governance, build an ecosystem of laws and regulations centred on the interests of data subjects, and establish a personal data protection infrastructure.

Government’s Response to Björka

Against this backdrop, it is then not a surprise that the government’s response to Björka’s hacktivism was reactive and insufficient, further accentuating the poor data protection ecosystem in Indonesia.

Kominfo released Press Release No. 377/HM/KOMINFO/09/2022 on 1 September 2022 in response to Björka’s activities. It states that the source of the personal data was not within Kominfo, highlighting the Ministry’s denial of responsibility. The response by the Head of BSSN was even more bizarre: he stated that Indonesians should remain calm because none of the electronic systems had been attacked. These statements are problematic, since users’ personal data was evidently misappropriated and potentially misused by unauthorized actors. There is a lack of emphasis by the government on the rights of data subjects. Furthermore, after the massive attacks by Björka, the government established an emergency response team consisting of BSSN, Kominfo, the National Police and the State Intelligence Agency (BIN), but this appears to be a reactive measure, and it remains to be seen whether the team will address the core problem effectively.

The passing of the PDPA should not be seen as the final answer to all data breach incidents, which, as Björka has demonstrated, could amount to a national crisis. Rather, it should be considered a first step towards a more effective response. The government wants complete authority in carrying out these measures, but history and users will judge whether it has the capacity and capability to do so.

Björka’s Effective Hacktivism and Lessons for Indonesia
https://stratsea.com/bjorkas-effective-hacktivism-and-lessons-for-indonesia/
Mon, 26 Sep 2022

Introduction

One of the most pertinent questions in Indonesia today is whether data controllers can securely store users’ personal data. This is evident from past data breaches, which have yet to be resolved definitively. These cases include, among others, Tokopedia, Lion Air Group, e-Hac, and the Social Security Agency for Health (BPJS Kesehatan). Unfortunately, the government’s responses have been lacklustre, with none of the government bodies involved in cybersecurity wanting to claim responsibility and all resorting to finger-pointing. In Indonesia, these bodies include the Ministry of Communication and Information, the Cyber Police, and the National Cyber Security Body. This, together with negative public sentiment towards rising living costs, has further eroded trust in the government.

Against this backdrop, a new actor arose and cast a strong spotlight on the elites. A hacker (or a group of hackers?) with the handle “Björka” gained prominence by not only gaining access to troves of personal data, but also revealing sensitive information that further instilled shock and awe among the public. This included doxing several ministers, revealing the president’s confidential letters and stealing data from critical government agencies such as the Election Commission and the State Electricity Company.

Regardless of the government’s denial and the authenticity of the data Björka stole, the hacker has successfully unmasked the government’s ineptitude in addressing a cybersecurity crisis.

Twisted Chain of Executive Command

The Head of the National Cyber Security Body explained that Björka’s attacks were still categorized as low-level offences. Simultaneously, however, President Joko “Jokowi” Widodo convened several bodies, such as the Ministry of Communication and Information, the National Police, the National Cyber Security Body, and the intelligence agency, to bring Björka to justice. Such convening by the president contradicts the classification of Björka’s hacktivism as a low-level offence. Additionally, the gravity of this offence led to the creation of a task force.

However, the creation of this task force is perceived to be simply a public relations exercise. To date, the Minister of Communication and Information Johnny G Plate and Coordinating Minister of Political, Legal, and Security Affairs Mahfud MD have yet to explain how this task force operates. Additionally, the DPR has not received any details on how exactly the government will address the Björka conundrum. With such uncertainties, this conundrum may remain unresolved, just like past data breaches. Such a hands-off approach is unfavourable for users.

Noticeably, since the inception of the task force, President Jokowi has remained silent on the issue. Instead, enquiries and developments on this issue are to be addressed by his ministers. This is not the first time the president has done so. It was previously seen when the country was tackling illegal fishing in its waters: for enquiries on the destruction of captured foreign fishing boats in particular, then Minister of Maritime and Fisheries Affairs Susi Pudjiastuti was left to address the issue. What could truly be behind such silence when clear, unified responses are needed?

As the investigation into the case progressed, the police arrested a 21-year-old Madiun youth on suspicion of being Björka’s assistant on a Telegram channel named Björkanism. This move initially confused the public, as the youth resided in a village and did not possess a laptop. At the time of writing, he has been released to his family, though he is still deemed a suspect. It was later discovered that he was a fan of Björka, admitted to reposting three of Björka’s public messages and sold the admin rights of the Telegram channel to Björka for US$ 100. According to the investigation, the sale of the channel proceeded after the real Björka contacted the youth. In response to the youth’s arrest, Björka told his followers that the Indonesian government had wrongly arrested the youth. To further suggest the government’s incompetence, he claimed that the government’s attempt to identify him was based on misinformation from DarkTracer, a darkweb intelligence platform.

Bumbling on such serious issues affects the credibility of the Indonesian government, particularly as the country prepares for the G20 Summit later this year. Losing credibility on the international stage is detrimental to Indonesia as it seeks to promote its portfolio internationally. Previous efforts, such as the president’s recent visits to the Ukrainian and Russian leaders, are undone by the country’s digital insecurity. In light of this, the Indonesian government has a great deal of homework to do in developing the cybersecurity capabilities that are critical to its digital economy framework.

Lessons Learnt

Björka exposes the very weakness of the Indonesian government, especially in addressing the rising issue of digital insecurity. While other actors conducted anti-government demonstrations or walked out of the Dewan Perwakilan Rakyat (DPR) Plenary Meeting, Björka operates in the shadows. Nothing is known about Björka, yet he has captured the public’s attention, indirectly assisted by the government’s lack of effective responses. Recently, Björka has even posted political messages against the government.

It is likely that such actions will be repeated, especially by those seeking change in Indonesia. These actions highlight that demonstrations and street protests are not the only means of catching the government’s attention. This assumption holds true if the situation remains as it is. Not helping the situation is that the pace of this learning process is swift and the government has no past experience to leverage. Additionally, it would be unwise to depend solely on the recently passed Personal Data Protection Act. Sole reliance on this Act is akin to using a small water gun to extinguish a raging forest fire.

The importance of human resources in building an effective cybersecurity system has been highlighted by a police expert. This may be overlooked given the general understanding that digitalization is mainly about technological advancement. Having strong cybersecurity technology without capable individuals is not a desirable outcome. Based on the recent hacking, the Indonesian government has yet to develop capabilities in both technology and people. The rapid development of such capabilities, coupled with an effective crisis communication strategy, would go a long way towards soothing the public’s anxiety.

A final lesson is that every single data controller has to independently protect its stored data in order to maintain its own credibility and reliability. Björka has indirectly demonstrated the need to be aware that personal data breaches could be a precursor to criminal actions against data subjects. Björka has shown that data could be used for blackmail and to instigate terror among the public. This means that people will have to learn to judge which data controllers are reliable before engaging their services. Through such learning, private corporations and government bodies would no longer arbitrarily manage stored data. In other words, the development of cybersecurity in Indonesia could be a bottom-up process post-Björka.

Indonesia’s Personal Data Protection at a Crossroads
https://stratsea.com/indonesias-personal-data-protection-at-a-crossroads/
Mon, 05 Sep 2022
Recent cases of data abuse and mismanagement reiterate the urgency for Indonesia to implement a Personal Data Protection Act. Without prior experience, what challenges would Indonesia face in developing an adequate safeguard against data-related woes? Credit: KOMPAS.com/BILL CLINTEN

Introduction

In this digital era, data has become a commodity that states and businesses utilise. Data shapes strategies in the production of relevant and quality services or products. Moreover, it is also instrumental in steering current and future directions of consumer behaviour. In other words, data acts as a compass for global actors of any scale and facilitates the formulation of tactics to achieve their goals.

Among the types of data, personal data is one of the most valuable. Personal data is the unique, accumulated information of a user, either recorded digitally or manually. Personal data encompasses the subject’s personal identity, home address, medical record, digital behaviour and other identifiable information.

In this era, Indonesians are not immune from personal data insecurity that might arise from data theft by malicious actors or poor data management by data-collecting bodies. Several recent, notable cases have impacted major organizations including the Social Security Agency for Health (BPJS Kesehatan), Tokopedia, and e-Hac. This digital era is thus a double-edged sword, granting users access while also exposing them to risks. This dilemma has pushed the Indonesian government to initiate the creation of the Personal Data Protection Act. This Act is to ensure there is an adequate legal ground for relevant public bodies to properly conduct data protection measures. The government must juggle two things: the protection of personal data as a human rights necessity and the creation of legal certainty for businesses.

Numerous domestic and international parties have submitted their views regarding how the Act should be developed. These parties included the EU Commission, Meta, the American Chambers of Commerce, coalitions of social and professional organizations, and academics. One aspiration is for this Act to regulate the public and private sectors fairly. This is understandable considering that public bodies store the majority of Indonesians’ personal data, such as their identity card numbers, home addresses, phone numbers, and tax registrations. Indonesia’s vast population has also invited many businesses, regardless of sector or scale, to operate in the Indonesian market. Many of these businesses are now reliant on public data to buttress their business models and increase productivity.

An independent Personal Data Protection Body should be created to ensure fair play. Though this is the ideal, it is a major point of contention between the DPR and the government during the debate. A majority of parliament members accept the idea of an independent body, but the government insists that such a body should function under the aegis of the Executive. This contention is critical, as it influences other aspects of regulation such as dispute resolution and sanctions. The peak of this disagreement took place just as Indonesia became affected by the Covid-19 pandemic in early 2020. Consequently, further discussions were put on hold until two years later.

Progress in Restarted Talks Between the Government and DPR

The recent, multiple occurrences of personal data leakage and hacking cases, the increased use of digital services during the Covid-19 pandemic, and the approaching G20 hosted by Indonesia have pushed the government and the DPR to restart talks. This time, talks involved a heightened involvement from the Minister of Communication and Information, Johnny Gerard Plate, and the DPR chairwoman, Puan Maharani.

Current discussions between the government and the DPR have made significant progress. They agreed to omit the term “independent” or “autonomous” from the Personal Data Protection Body’s description. This is unlike any other regulation on public independent bodies in the country. Moreover, the Personal Data Protection Body is going to be formed and authorised by the President, who will also appoint the head of the Body. Thus far, only the general functions and job scopes of the Body have been approved by both sides.

However, the question of fairness persists. How could this Body ensure fairness between public and private personal data controllers while safeguarding users’ interests? In other words, when managing future issues, would the Body be assertive only towards those in the private sector while hesitant to act against those in the public sector?

This concern persists as this Body is being operationalised. The Personal Data Protection Body would now function under a particular Ministry and not under the President’s Office (despite obtaining authorisation from the latter), as regulated by the State Ministerial Act No. 39 Year 2008. Hence, it is still Executive in nature. Therefore, any future occurrence of data abuse or mismanagement would lead to heightened public distrust, particularly when the objectivity of the Body is questionable.

Issue of Fairness Only the Tip of the Iceberg

Unfortunately, there are other concerns with the Act.

Dispute resolution is one example. With the Personal Data Protection Body being an Executive body, it cannot conduct adequate dispute resolution (non-litigation adjudication) between the data subject (users) and the data controller. In the current agreement on the Act, the role of the Body is to “facilitate” rather than “resolve” any dispute related to personal data protection. Any dispute will be resolved by the court, which might have limited knowledge of the technical aspects of personal data protection. Though expert witnesses may be included in court processes, technical experts should be the ones presiding over and passing judgement on cases. Ideally, this responsibility should be vested in the Body.

Another is the role of the public prosecutor in dealing with allegations of personal data protection abuse or mismanagement against public personal data controllers. As disputes would be brought to trial, public prosecutors will be called upon to process each case. Here is the issue: whom should they defend in court? Should they defend data subjects, who are Indonesian citizens, and challenge the Executive body (of which they are part), or the opposite? Ultimately, the Act only mandates the Personal Data Protection Body to submit requests to public prosecutors for legal assistance. The conundrum is that the Act is vague on whether prosecutors are required to accept such requests. Therefore, decisions to accept could be politically influenced.

As the Personal Data Protection Body’s important features will be decided by the President, the DPR has seemingly tightened numerous technical aspects of the Act. For example, personal data controllers must respond to a data subject’s request for the delay, termination, update, access or correction of personal data processing within 72 hours. Even the European Union General Data Protection Regulation (EU GDPR), which has been the benchmark for a similar act in Indonesia, permits personal data controllers to respond to such a request within a month.

This arrangement will invite negative sentiment from business actors burdened with such an obligation. Responding to such a request is not an easy task, since the requested data may be stored by several different data processors. However, this burden could be lessened in the near future as technology develops. Therefore, for technical matters, it is ideal to rely on the Body’s regulations or other sub-regulations under the Act to ensure that the regulation adapts effectively to developments in the technologies pertaining to personal data management.

Conclusion

It is inevitable for Indonesia to implement the Personal Data Protection Act. However, whether or not the Act is adequate to answer recent occurrences of mismanagement and abuse remains to be seen. It is, understandably, a new regulation that has never existed before in the country. Personal data regulations in other countries, which are used as a benchmark for Indonesia’s own act, do not necessarily accommodate the needs and cultural sensitivities of Indonesia. Regardless, Indonesia as a nation should embrace how the digital revolution will continuously affect the lives of its people, even if the upcoming Personal Data Protection Act is yet to be an adequate safeguard against data-related woes. Indonesia is now at a crossroads in its digital journey with numerous foreseeable issues. Ideally, such issues should be addressed prior to the implementation of this Act.
