The past few months have been especially alarming in Indonesia’s cybersecurity landscape. A data breach discovered on 21 August 2022 saw 1.3 billion SIM card registration records stolen, including national identity numbers (NIK). The NIK is especially sensitive because it is linked to a user’s personal data, phone number, telecommunication provider and SIM card registration date.
This massive data breach was committed by Björka, who later carried out other scandalous cybercrimes, such as stealing confidential data from state bodies (including the General Elections Commission [KPU]) and doxing public officials.
Regrettably, the Coordinating Minister for Political, Legal and Security Affairs, Mahfud MD, one of the doxed officials, responded with a statement lacking sensitivity to the subject of personal data protection. He stated: “I am not troubled or concerned. My personal data is not confidential. You may grab it from Wikipedia (Google), the back cover of books I’ve written and from LHKPN KPK. My personal data is open (to the public), no need to be leaked.”
Fundamentally, personal data protection is a subset of the right to privacy. Prof Daniel J. Solove of the George Washington University Law School argues that one of the elements of the right to privacy is secrecy. In the context of Indonesia, the right to privacy is constitutionally protected in Article 28G (1) of the 1945 Constitution. It is also guaranteed by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, both of which have been adopted by the country.
Unfortunately, Björka’s series of data breaches is not the first in Indonesia. During the Covid-19 pandemic, we experienced a multitude of incidents involving Tokopedia, BRI Life, the Social Security Administrative Body (BPJS), Diponegoro University, e-HAC and others.
Thus, a pertinent question arises: how does the government of Indonesia protect the personal data of everyone in the country? Answering this requires scrutiny of the laws and regulations, of public policy, and of the government’s response to this fundamental concern.
Laws and Regulations on Personal Data Protection
Indonesia has so far responded to data breach incidents with insufficient legal instruments. The country has relied on only three instruments: 1) the Electronic Information and Transactions Law (ITE Law); 2) Government Regulation No. 71 Year 2019 on Electronic System and Transaction Operation (GR 71/2019); and 3) Minister of Communication and Information Technology Regulation No. 20 Year 2016 on Protection of Personal Data in Electronic Systems (Permenkominfo 20/2016).
Why are these not enough? First, the ITE Law does not focus on personal data protection and dedicates only a few provisions to personal data, one of which states that “the use of each information through electronic media which related to individual personal data should be done by the consent of that individual, unless otherwise stipulated by laws and regulations.” In practice, the ITE Law is more often used to criminalize legitimate expression directed at individuals (particularly public officials), the business sector and the government.
Second, GR 71/2019 was drafted as an implementing regulation of the ITE Law, so it does not diverge radically from the ITE Law.
Third, Permenkominfo 20/2016 is merely a ministerial regulation, which carries lesser authority. According to Article 7 (1) of the Law on the Establishment of Laws and Regulations, a ministerial regulation lies outside the hierarchy of laws and regulations. Such regulations tend to bind government officials only.
On 20 September 2022, the House of Representatives and the President of the Republic of Indonesia passed the Personal Data Protection Act (PDPA), which will come into force on the date of its promulgation (within 30 days of its passing, according to the Law on the Establishment of Laws and Regulations). This step is a breath of fresh air for Indonesians concerned with personal data protection, despite some caveats about the content and scope of the PDPA.
According to the press release by the Advocacy Coalition on Personal Data Protection (KA-PDP), there are 10 critical issues with the PDPA. One of the major weaknesses is that the Data Protection Authority (DPA) it establishes will be under the control of the government. This will surely be ineffective, considering that the law applies not only to the private sector but also to the public sector, including the government itself. The government’s dual role will thus be marked by a conflict of interest: on one hand, the government is the very institution that enforces and supervises the personal data protection law, but on the other hand it is also the object of that supervision, because its bodies and agencies can be data controllers or data processors. Furthermore, some of the DPA’s responsibilities, such as supervision, administrative sanctioning and investigation, would be hard to carry out if the DPA is controlled by the government. That is why the DPA should be independent – without independence, the enactment of the PDPA would lack effectiveness.
Reluctance, Half-Hearted Response and Buck Passing
The aforementioned e-HAC data breach incident illustrates the government’s ineptitude in responding to this problem. The first e-HAC data breach was discovered by vpnMentor on 15 July 2021. vpnMentor tried to report it to the Ministry of Health on 21 and 26 July 2021 but received no response. The incident was followed up only a month later, on 24 August 2021, when vpnMentor reported its findings to the National Cyber and Encryption Agency (BSSN). On 30 August 2021, vpnMentor published its findings on the e-HAC data breach. The next day, the Ministry of Health responded by stating that the breach had occurred in the old e-HAC application, which had not been in use since July 2021, the very month in which vpnMentor first discovered the breach.
This account shows that the government takes further steps only when a data breach becomes widely and publicly known, which suggests a lack of consideration for users’ rights. The statement “which has not been used” was especially questionable: the breach was detected in July 2021, which means the old application and its stored data were still in use at the time. Regardless, the Ministry of Health should have carried out a thorough investigation from the first time the breach was reported, since medical data is sensitive data and thus requires protection.
Moreover, medical data is defined as all data pertaining to the health status of a data subject which reveals information relating to the past, present and future physical or mental health status of the data subject (EU GDPR). Hence, even if the application was “no longer used”, its stored data would still include the past and present health status of users, and the Ministry of Health should take responsibility for that breach. Unfortunately, the Ministry and the application’s developer have failed to notify users of the data breach to this day.
In this and other incidents, the government seems puzzled as to how best to solve the issue. The core problem is the sectoral approach to regulating personal data protection. There are so many sectors and actors involved that they usually pass responsibility to each other. According to a yet-to-be-published ELSAM study from 2020, there are at least 46 sectoral regulations (spread across sectors such as health, telecommunication, administration and others) that relate to data protection.
Furthermore, the government does not tackle the root of the problem. Its responses thus far have been limited to: 1) blocking sites and/or accounts used to hack the system; 2) investigations that are neither transparent nor accountable; and 3) frequent buck passing among relevant bodies and agencies, including the National Cyber and Crypto Agency (BSSN), the Ministry of Communication and Information Technology (Kominfo) and others. To solve the root of the problem, however, the government should improve data protection governance, build an ecosystem of laws and regulations centered on the interests of data subjects, and establish personal data protection infrastructure.
Government’s Response to Björka
Against this backdrop, it is then not a surprise that the government’s response to Björka’s hacktivism was reactive and insufficient, further accentuating the poor data protection ecosystem in Indonesia.
Kominfo released Press Release No. 377/HM/KOMINFO/09/2022 on 1 September 2022 in response to Björka’s activities. It states that the source of the personal data was not from within Kominfo, highlighting the Ministry’s denial of responsibility. The response by the Head of BSSN was even more bizarre: he stated that Indonesians should remain calm because none of the electronic systems had been attacked. These statements are problematic because users’ personal data had evidently been misappropriated and could be misused by unauthorized actors. The government’s statements place no emphasis on the rights of the data subjects. Furthermore, after Björka’s series of attacks, the government established an emergency response team consisting of BSSN, Kominfo, the National Police and the State Intelligence Agency (BIN), but this appears to be a reactive measure, and it remains to be seen whether the team will address the core problem effectively.
The passing of the PDPA should not be seen as the final answer to data breach incidents, which, as Björka has demonstrated, can amount to a national crisis. Rather, it should be considered the first step towards a more effective response. The government wants complete authority in carrying out these measures, but history and users will judge whether it has the capacity and capability to do so.