Personal Data Protection

The Growing Importance of Data Protection in Indonesia

By: Kyrena Ambarsia

The inevitable growth of technology and the revolution of the digital world have created
new, innovative ways to acquire, store, manipulate and transmit volumes of data. This is
especially true in Indonesia, where the estimated number of smartphone users reached 81.87
million in 2020 and will continue to grow. This phenomenon poses a threat to electronic service
users in Indonesia, as their data could potentially be compromised. If this phenomenon increases
and data collection is not carried out within a framework of respect for rights, then inevitably
the process and its objectives will be used in a way that neglects the rights of the community.
Legislation concerning data protection in Indonesia can be found in as many as 32 regulations,
but the Personal Data Protection Bill (PDP), now on its way, will eventually bring competent
security for electronic service users as well as clarity and standardization for business owners in
the field of Electronic Service Providers (ESPs).

As an inherent right of every individual, the right to privacy was first debated in court
decisions in the UK and later in the United States. Samuel Warren and Louis Brandeis then set
out the legal conception of the right to privacy in the Harvard Law Review Vol. IV No. 5. Their
article, entitled “The Right to Privacy”, was the first to conceptualize the right to privacy as a
legal right. Warren and Brandeis simply defined the right to privacy as ‘the right to be let
alone’. Their definition is based on two levels: (i) personal honor; and (ii) values such as
individual dignity, autonomy and personal independence. Under the Indonesian Constitution, the
concept of privacy has been recognized and protected as part of the general concept of human
rights. However, Indonesia has shown a lack of public awareness about privacy, especially in
relation to protecting one’s personal data. Data breaches have the potential to hurt both
electronic service users and ESPs by compromising sensitive information. The consequences of a
data breach weigh heavily on users: not only is their privacy violated, but they may also become
victims of cyber-attacks carried out by “unofficial third parties”. By “unofficial third parties”
the author means individuals whose intention is to harm and exploit these users for their own
benefit. Indonesia’s State Cyber and Crypto Agency (BSSN) has said the country had more than 98
million cyber-attacks in 2020. Significant data breach cases have occurred in Indonesia. The
online e-commerce platform Tokopedia suffered Indonesia’s biggest data breach with the theft of
personal data, including e-mail and passwords from 91 million accounts, which were put on sale
on the dark web. Days after the Tokopedia heist, smaller rival Bhinneka, which specializes in
business supplies, said that it too had been a victim of hacking, which had gained access to 1.2
million accounts. Also, in May of 2020, the country’s election commission said the private
information of 2.3 million voters had been illegally copied. These recent tragedies are a
reflection of the current fragile legislation on data protection. They show how easily data
breaches can happen, which puts an even bigger emphasis on the importance of data protection.

As stated earlier, there are around 32 regulations concerning data protection. Within the
past decades, data protection laws in Indonesia have been undergoing noteworthy advances and
enhancements. To date, Indonesia has sanctioned different laws relating to data protection in a
number of specific areas. Most notably, Indonesian citizens are entitled to the assurance of their
personal data collected under Law No. 23 of 2006, as amended by Law No. 24 of 2013 on
Demographic Administration (The Demographic Law), which became effective on 24
December 2013. There are provisions overseeing the protection of personal data particularly
within the scope of electronic systems, which apply to ESPs. Such provisions can be found in
Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of
2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions
(The Electronic Information Law). The procedural guide for The Electronic Information Law
is contained in Government Regulation No. 71 of 2019 on the Implementation of Electronic
Systems and Transactions (GR 71/2019), which revokes the previous Government Regulation
No. 82 of 2012 on the Implementation of Electronic Systems and Transactions (GR 82/2012).

The Electronic Information Law stipulates that, unless otherwise specified, the use of any
information related to a person’s personal data through electronic media requires the consent of
that person. The elucidation of The Electronic Information Law stipulates that the protection of
personal data is part of the right to privacy, which includes (i) the right to enjoy a private life;
(ii) the right to communicate with other people without any espionage; and (iii) the right to
monitor access to information about a person’s personal life and data. In order to further clarify
and implement data protection in electronic systems, the Minister of Communications and
Information (MoCI) issued Regulation No. 20 of 2016 on Personal Data Protection in Electronic
Systems (MoCI 20/2016). MoCI 20/2016 came into effect on December 1, 2016 and established
consent as the core basis for data protection in accordance with the Indonesian data protection
laws. Therefore, all processing can only be carried out after obtaining consent from the data
subject. Recently, the Indonesian government further clarified the scope of protection of personal
data by issuing Government Regulation No. 40 of 2019 on the Implementation of Law No. 23 of
2006, as amended by Law No. 24 of 2013 on Demographic Administration (GR 40/2019).
Activities in trading through electronic systems are governed by Government Regulation No. 80
of 2019 regarding Trading through Electronic Systems (GR 80/2019). However, even with so
many regulations issued, as discussed above, the law still fails to protect users from data
breaches. This is because the rules governing personal data are scattered across various
financial, telecommunications, and employment regulations, which makes it difficult for
electronic service users to hold companies or ESPs accountable for misuse of information. The
PDP Bill will be the first to provide a comprehensive set of personal data protection regulations,
not only through electronic systems but non-electronically as well, acknowledging the rights and
obligations of the stakeholders involved. As of December 2020, the PDP Bill is still being
reviewed by the Indonesian House of Representatives (DPR) and is expected in early or mid-2021.

The PDP Bill regulates various matters, including the types of personal data, stakeholders’
rights and obligations, processing and transferring, data protection officer appointments, dispute
resolutions, and even administrative and criminal sanctions. It is safe to say that the scope of this
PDP Bill is leaning towards that of the General Data Protection Regulation 2016/679 (GDPR)
issued by the European Parliament and Council of the European Union. Some key differences
between the PDP Bill and the existing personal data protection regulations are as follows:

• Further subdivision of the concept of Personal Data into General Personal Data and
Specific Personal Data:
MoCI 20/2016 and GR 71/2019 do not make such a distinction between General
Personal Data and Specific Personal Data. Only the concept of Personal Data is used and
defined. The PDP, however, does classify personal data into 2 categories. First, General
Personal Data, which includes, among others, a person’s full name, gender, nationality,
religion, and/or any other personal data which is combined to identify a person. Second,
Specific Personal Data, which includes a person’s medical record, biometric data,
genetic data, sexual orientation, political view, criminal record, child data, financial data.

• Obligation to appoint an officer specifically designated to take charge of data protection:
MoCI 20/2016 and GR 71/2019 do not specify such an obligation. The PDP Bill,
however, introduces a requirement for controllers and processors to appoint a Data
Protection Officer (DPO) in certain circumstances, namely where: the data processing is
carried out for the public interest; the nature, scope, and/or purposes of the main activity
of the controller require organized and systematic supervision on a large scale; or the
main activity of the controller consists of large scale processing which is specific in
nature and/or which is related to criminal conduct.

• Concepts of Personal Data Controller and Personal Data Processor:
MoCI 20/2016 and GR 71/2019 do not specify the concepts of Personal Data
Controller and Personal Data Processor. The PDP Bill introduces these concepts and
states that the Personal Data Controller is the party that determines the purpose of and
exercises primary control over the personal data processing, while the Personal Data
Processor is the party that conducts the data processing on behalf of the Personal Data
Controller.

• Form of consent from personal data owners:
MoCI 20/2016 and GR 71/2019 recognize consent from the personal data owner, and it
must be given in writing. The PDP Bill states that consent from the personal data owner
can be obtained either verbally recorded or in writing.

• Right of personal data owners to complete their data prior to data processing:
MoCI 20/2016 and GR 71/2019 are silent on this matter. The PDP Bill, however, states that
personal data owners have the right to complete their data before the data are processed.

• Right to file an objection to decisions based on automatic profiling:
The PDP Bill recognizes this right, which is stipulated in Article 10 of the PDP Bill, while
MoCI 20/2016 and GR 71/2019 are silent on this matter.

• Opt-in or opt-out of pseudonym processing of personal data for certain purposes:
The PDP Bill recognizes this right, which is stipulated in Article 11 of the PDP Bill, while
MoCI 20/2016 and GR 71/2019 are silent on this matter.

• The right of personal data owners to postpone or limit the processing of personal data:
The PDP Bill recognizes this right, which is stipulated in Article 12 of the PDP Bill, while
MoCI 20/2016 and GR 71/2019 are silent on this matter.

• Pre- and post-notification obligations of the Personal Data Controller to personal data
owners in the event of merger, spin-off, acquisition, or amalgamation:
The PDP Bill requires the Personal Data Controller to provide personal data owners with
both prior and subsequent notifications in the event of merger, spin-off, acquisition, or
amalgamation, while MoCI 20/2016 and GR 71/2019 are silent on this matter.

• Criminal sanction against unlawful acquisition or collection of personal data:
The PDP Bill provides for imprisonment for a maximum of 5 (five) years or a maximum
penalty of IDR 50 billion for unlawful acquisition or collection of personal data, while
MoCI 20/2016 and GR 71/2019 are silent on this matter.

• Criminal sanction against unlawful disclosure of personal data:
The PDP Bill provides for imprisonment for a maximum of 2 (two) years or a maximum
penalty of IDR 20 billion for unlawful disclosure, while MoCI 20/2016 and GR
71/2019 are silent on this matter.

• Criminal sanction against unlawful utilization of personal data:
The PDP provides for imprisonment for a maximum of 7 (seven) years or a maximum
penalty of IDR 70 billion for unlawful utilization of personal data, while MoCI 20/2016
and GR 71/2019 are silent on this matter.

• Criminal sanctions against falsification of personal data:
The PDP Bill provides for imprisonment for a maximum of 6 (six) years or a penalty of
IDR 60 billion for falsification of personal data, while MoCI 20/2016 and GR
71/2019 are silent on this matter.

• Right of personal data owners to receive compensation:
GR 71/2019 does not stipulate a specific right. However, it does impose a general
obligation on Electronic Systems Operators to implement risk management and to protect
their users from any damage arising from their operation. MoCI 20/2016 is silent
on this matter. The PDP Bill provides for the right of personal data owners to claim and
receive compensation for any damage that may arise from a breach of personal data.
• Offshore personal data transfer by Indonesia-domiciled parties:
MoCI 20/2016 does require pre- and post-notifications to the MoCI in the event of
offshore personal data transfer by Indonesia-domiciled parties. GR 71/2019 is silent on this
matter. The PDP does not require pre- and post-notifications to the MoCI for offshore data
transfer; however, it does stipulate the following requirements: the country of domicile of
the Personal Data Controller or the international organization receiving the personal
data must have the same or a higher level of security for personal data protection;
there is an international agreement between the receiving country and Indonesia; there is
a contract between the Personal Data Controller and the offshore Personal Data Controller,
with standard personal data protection in accordance with the provisions of the PDP Bill;
and/or the personal data owner’s consent has been obtained.

• The right of data subjects to update their personal data:
MoCI 20/2016 states that data subjects have the right to update their personal data; GR
71/2019 is silent on this matter. The PDP Bill allows data subjects to update their personal
data, and also requires the Personal Data Controller to update the information
within 1x24 hours after receiving a request from the data subject to rectify the
information.

In conclusion, the unavoidable growth of technology poses a potential threat
to data users, especially in Indonesia, where regulations regarding Personal Data
Protection are sporadic and siloed, resulting in numerous data breach cases as discussed
above. However, the Indonesian government has finally shown some urgency regarding
this matter. This is reflected in the upcoming PDP Bill, which will be the first bill to provide
a complete set of personal data protection regulations, not only through electronic systems
but non-electronically as well, acknowledging the rights and obligations of the
stakeholders involved. The PDP Bill will have a significant impact within the Indonesian
digital ecosystem and is a step in the right direction, as it would eventually bring a
sense of security and also clarity for both electronic system users and ESPs.

Bibliography

Laws and Regulations

Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration

Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of
2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and
Transactions

Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and
Transactions

Government Regulation No. 40 of 2019 on the Implementation of Law No. 23 of 2006, as
amended by Law No. 24 of 2013 on Demographic Administration

Minister of Communications and Information Regulation No. 20 of 2016 on Personal Data
Protection in Electronic Systems

Government Regulation No. 80 of 2019 regarding Trading through Electronic Systems

The Personal Data Protection Bill

Journal

Warren, Samuel D., and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review, vol.
4, no. 5, 1890, pp. 193–220. JSTOR, www.jstor.org/stable/1321160. Accessed 29 Jan.
2021.

Website or Webpage

“Rekap Serangan Siber (Januari – April 2020).” Bssn.go.id,
bssn.go.id/rekap-serangan-siber-januari-april-2020/.

The Jakarta Post. “Tokopedia Data Breach Exposes Vulnerability of Personal Data.” The Jakarta
Post, www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes-vulnerability-of-personal-data.html.

The Jakarta Post. “E-Commerce Platform Bhinneka.com Reported to Be Latest Target of Data
Theft.” The Jakarta Post,
www.thejakartapost.com/news/2020/05/13/e-commerce-platform-bhinneka-com-reported-to-be-latest-target-of-data-theft.html.

“Indonesia Investigates Leak of More than Two Million Voters' Personal Information.” The
Guardian, Guardian News and Media, 23 May 2020,
www.theguardian.com/world/2020/may/23/indonesia-investigates-leak-of-more-than-two-million-voters-personal-information.

Statista Research Department. “Indonesia Smartphone Users.” Statista,
29 July 2020, www.statista.com/statistics/266729/smartphone-users-in-indonesia/.
