First published in The Jakarta Post (29/10/2022)
On Oct. 17, the President signed the long-awaited Personal Data Protection (PDP) Law No. 27/2022, which formalizes long-held expectations around data protection.
Modelled on the European Union’s General Data Protection Regulation (GDPR), the new law establishes responsibilities and rights around the processing of personal data, stipulates penalties for violations and, importantly, mandates the President to appoint an Indonesian Data Protection Authority (DPA).
Entities that control or process data, whether public or private, are given a grace period of two years to appoint the mandatory data protection officers (DPOs) and meet the other requirements set by the law. In the interim, the law gives the President the authority to appoint a DPA that would be perceived as a neutral and trusted agency.
The authority will be responsible for supervising compliance by data controllers, receiving complaints and imposing sanctions for violations committed by data controllers and/or data processors, as well as for resolving alleged cross-border violations by collaborating with foreign DPAs, as stipulated in Article 60.
How can this agency be independent in handling data protection conflicts that may involve a government agency and therefore fall under the President’s auspices?
To date, the government is still preparing a presidential decree on the new DPA, and it remains unclear whom the President will appoint as head of the agency and whether the specialized independent DPA will have strong enforcement powers.
Within the two-year grace period, the government should prioritize the establishment of the DPA along with a clearly defined structure and responsibilities. This is especially important because an independent DPA is a precondition for legal certainty. Several points are therefore worth considering.
First, the agency must be free from all outside influences and insulated from vested interests. Lately, a series of controversial events has spooked analysts and businesses into fearing that the DPA might follow the path of institutions such as the Corruption Eradication Commission (KPK), which has gradually lost its autonomy with the passage of the new corruption law last year.
A draft of a financial sector development bill submitted by the Indonesian legislature in late September has also raised concerns that the bill would target Bank Indonesia’s (BI) hard-won independence. Not only does the bill widen the central bank’s mandate to buy government bonds and include economic growth, but it also allows politicians to sit as members of the BI’s board of governors.
Put simply, such subsequent legislative efforts have undermined much-lauded independent institutions that had been the poster children of institutional reform. This raises fears that regulating data protection practices will be construed as part of a broader effort to control the information circulated online under the mantle of national security interests.
Keeping the DPA independent is in the interest of citizens. Under the complaints mechanism, when a data privacy concern is raised with the DPA against a particular institution, either a data controller or a data processor, it is clear that conflicts of interest could emerge, especially where complaints against state-linked institutions apparently must be made to a regulator whose neutrality is contested.
In August alone, Indonesia witnessed five data breaches, three of which were linked to state-owned firms, namely electricity firm PLN, construction firm Jasa Marga and telecom firm PT Telkom Indonesia, which hold the data of millions of customers. Hence, neutrality would enable the agency to pursue significant systemic noncompliance through regulatory action.
However, given the complex landscape of data protection, it is unavoidable that a DPA would need to keep increasing its workforce to handle complaints, especially those that implicate big tech firms or carry cross-border components. Ireland, for example, a digital economy with a current population of 5 million, raised its DPA’s workforce from 145 in 2021 to 190 in 2022 to foster effective performance.
A recent study by the World Bank showed that the European Parliament even called for infringement proceedings against member states that failed to meet Article 52 of the GDPR, namely providing a sufficient budget for DPAs.
It is beyond doubt that the Indonesian DPA will operate in a high-privacy-risk environment – replete with social media platforms and companies that trade in personal information – and it should be provided with the financial and human resources necessary to fulfil its obligations.
Finally, the presidential decree on the DPA should provide further clarity on how to determine which complaints are investigated and resolved by the DPA. The law in its current form echoes a typical problem in Indonesia – overlapping authorities – which adds confusion for citizens, businesses and other legal subjects.
For example, in the event of a data breach, the PDP Law requires an electronic system provider to notify a personal data owner of any breach involving his or her personal data, in written or electronic form, within 3 x 24 hours of the occurrence of the breach. The data subject can submit an official complaint – in this case to the DPA – if the provider fails to meet its obligation. However, Article 43 of the Electronic Information and Transaction (ITE) Law states otherwise, requiring personal data owners to submit an official complaint to the Communications and Information Ministry or the police.
The government should ensure that all technical rules and practices are rectified and prevent multiple regulators or state agencies from regulating the same activity.
Strong data protection and privacy rights are both fundamental to ensuring a safe and inclusive digital ecosystem, and likewise an independent DPA is a precondition for digital trust. The DPA must be aimed at addressing “declining levels of trust” and responding to the community’s demand that more be done to address privacy risks and harms.