Indonesia’s Personal Data Protection at a Crossroads

Recent cases of data abuse and mismanagement reiterate the urgency for Indonesia to implement a Personal Data Protection Act. Without prior experience, what challenges would Indonesia face in developing an adequate safeguard against data-related woes? Credit: CLINTEN


In this digital era, data has become a commodity that states and businesses utilise. Data shapes strategies in the production of relevant and quality services or products. Moreover, it is also instrumental in steering current and future directions of consumer behaviour. In other words, data acts as a compass for global actors of any scale and facilitates the formulation of tactics to achieve their goals.

Among the types of data, personal data is one of the most valuable. Personal data is the unique, accumulated information of a user, either recorded digitally or manually. Personal data encompasses the subject’s personal identity, home address, medical record, digital behaviour and other identifiable information.

In this era, Indonesians are not immune from personal data insecurity that might transpire from data theft by malicious actors or bad data management by data-collecting bodies. Several recent, notable cases of such issues have impacted major organizations including the Social Security Agency for Health (BPJS Kesehatan), Tokopedia, and e-Hac. This digital era is thus a double-edged sword, granting users access while also exposing them to risks. This dilemma has pushed the Indonesian government to initiate the creation of the Personal Data Protection Act. This Act is to ensure there is an adequate legal ground for relevant public bodies to properly conduct data protection measures. The government should juggle two things: the protection of personal data as a human rights necessity and the creation of legal certainty for businesses.

Numerous domestic and international parties have submitted their views regarding how the Act should be developed. These parties included the EU Commission, Meta, American Chambers of Commerce, coalitions of social and professional organizations, and academics. One aspiration is for this Act to regulate the public and private sectors fairly. This is understandable considering that public data retainers store the majority of Indonesians’ personal data, such as their identity card numbers, home addresses, phone numbers, and tax registrations. Indonesia’s vast population has also invited many businesses, regardless of their sectors or scales, to operate in the Indonesian market. Many of these businesses are now reliant on public data to buttress their business models and increase productivity.

An independent Personal Data Protection Body should be created to ensure fair play. Though this is ideal, it was a major point of contention between the DPR and the government during the debate. A majority of parliament members accept the idea of an independent body, but the government insists that such a body should function under the aegis of the Executive. This contention is critical as it influences other aspects of regulation such as dispute resolution and sanctions. The peak of this disagreement took place just when Indonesia became affected by the Covid-19 pandemic in early 2020. Consequently, further discussions were put on hold until two years later.

Progress in Restarted Talks Between the Government and DPR

The recent, multiple occurrences of personal data leakage and hacking cases, the increased use of digital services during the Covid-19 pandemic, and the approaching G20 hosted by Indonesia have pushed the government and the DPR to restart talks. This time, talks saw heightened involvement from the Minister of Communication and Information, Johnny Gerard Plate, and the DPR chairwoman, Puan Maharani.

Current discussions between the government and the DPR have made significant progress. They agreed to omit the term “independent” or “autonomous” from the Personal Data Protection Body’s description. This is unlike any other regulation on public independent bodies in the country. Moreover, the Personal Data Protection Body is going to be formed and authorised by the President, who will also appoint the head of the Body. Thus far, only the general functions and job scopes of the Body have been approved by both sides.

However, the question of fairness persists. How could this Body ensure fairness between the public personal data controllers and private ones while safeguarding users’ interests? In other words, when managing future issues, would the Body be assertive only towards those in the private sector and be hesitant to act against those in the public sector?

This concern persists as this Body is being operationalised. The Personal Data Protection Body would now function under a particular Ministry and not under the President’s Office (despite obtaining authorisation from the latter), as regulated by the State Ministerial Act No. 39 Year 2008. Hence, it is still Executive in nature. Therefore, any future occurrences of data abuse or mismanagement would lead to heightened public distrust, particularly when the objectivity of the Body is questionable.

Issue of Fairness Only Tip of the Iceberg

Unfortunately, there are other concerns with the Act.

Dispute resolution is one example. With the Personal Data Protection Body being an Executive body, it cannot conduct an adequate dispute resolution (non-litigation adjudication) between the data subject (users) and the data controller. In the current agreement on the Act, the role of the Body is to “facilitate” instead of “resolve” any dispute related to personal data protection. Resolution of any dispute will be by the court, which might have limited knowledge about the technical aspects of personal data protection. Though expert witnesses may be included in court processes, technical experts should be the ones presiding and passing judgement on cases. Ideally, this responsibility should fall to the Body.

Another is the role of the public prosecutor in dealing with personal data protection abuse/mismanagement allegations against the public personal data controller. As disputes would be brought to trial, public prosecutors will be called upon to process each case. Here is the issue: who should they defend in court? Should they defend data subjects, who are Indonesian citizens, and challenge the Executive body (which they are part of), or the opposite? Eventually, the Act only mandates the Personal Data Protection Body to submit requests to public prosecutors for legal assistance. The conundrum is that the Act is vague on requiring prosecutors to accept such requests. Therefore, decisions to accept could be politically influenced.

As the Personal Data Protection Body’s important features will be decided by the President, the DPR has seemingly tightened numerous technical aspects of the Act. For example, personal data controllers must respond to a data subject’s request for the delay or termination of personal data processing, or for the update, access, or correction of personal data, within 72 hours. Even the European Union General Data Protection Regulation (EU GDPR), which has been the benchmark for a similar act in Indonesia, permits personal data controllers to respond to such a request within a month.

This arrangement will invite negative sentiments from business actors that are burdened with such an obligation. Responding to such a request is not an easy task since the requested data are stored by several different data processors. However, this burden could be lessened in the near future as technology develops. Therefore, for technical matters, it is ideal to rely on the Body’s regulation or any other sub-regulation under the Act to ensure that the regulation adapts effectively to the development of technologies pertaining to personal data management.


It is inevitable for Indonesia to implement the Personal Data Protection Act. However, whether or not the Act is adequate to answer recent occurrences of mismanagement and abuse remains to be seen. It is, understandably, a new regulation that has never existed before in the country. Personal data regulations in other countries, which are used as a benchmark for Indonesia’s own act, do not necessarily accommodate the needs and cultural sensitivities in Indonesia. Regardless, Indonesia as a nation should embrace how the digital revolution will continuously affect the lives of the people, even if the upcoming Personal Data Protection Act is yet to be an adequate safeguard against data-related woes. Indonesia is now at a crossroads of its digital journey with numerous foreseeable issues. Ideally, such issues should be addressed prior to the implementation of this Act.

The views expressed are those of the authors and do not necessarily reflect those of STRAT.O.SPHERE CONSULTING PTE LTD.

This article is published under a Creative Commons Licence. Republications minimally require 1) credit to authors and their institutions, and 2) credit to STRAT.O.SPHERE CONSULTING PTE LTD and a link back to either our home page or the article URL.