First published in The Jakarta Post (5/09/2022)
The government and the House of Representatives need to immediately approve the long-awaited bill on the protection of personal data. Personal data protection is not only essential to ensure data privacy and the process of safeguarding data from malicious actions, but is also pertinent in unlocking paths to greater connection and business value.
Furthermore, the protection of personal data demonstrates the government’s seriousness in supporting the digital transformation it has been championing.
Indonesia’s digital economy is the largest and fastest growing in Southeast Asia, with an economic value recorded at US$70 billion in 2021. The exponential growth of the Indonesian digital economy, however, takes shape at a quicker pace than the law.
To address the regulatory gap, the government aims to pass a data protection bill into law immediately, in the House's upcoming September sitting, to build a sense of security among internet users and to provide reassurance to businesses.
The government has taken this step after nearly eight years. The bill has gone through multiple iterations, including an initial assessment in 2014, a review by the House in 2020 with reference to the European General Data Protection Regulation (GDPR) and a week-long rally of meetings on its deliberation in June 2022 amid mounting public pressure over a string of data breaches and cyberattacks.
Yet, it keeps getting pushed back due to the absence of compromise regarding some institutional standards, including the establishment of a data protection oversight agency.
While the bill’s completion in the House’s next sitting period is monumental to building a safe digital ecosystem in the country, the answer to Indonesia’s issue with digital best practices remains unclear. This is pertinent in the following three points.
First, the formulation of the draft bill is not underpinned by a risk-based approach, making it seem compliance-driven instead. As with some preceding pieces of legislation, lawmakers tend to share little in the way of updates, leaving civil society guessing about the outcomes.
Amid limited information, some accessible clauses imply a strong emphasis on data compliance and sanctions. In this context, companies that do not comply with the legal conditions of data privacy may be sanctioned, which may include fines and other penalties. While deliberations of the bill will bring temporary relief to internet users, a clause-by-clause analysis suggests otherwise.
For example, the provision on “the right to erasure”, also known as “the right to be forgotten”, under which a data subject has the right to request removal from data controllers, instead poses risks to both users and smaller-scale companies.
A proposed provision requires companies that originally collected or processed the data to comply with a request for erasure without undue delay and within 3x24 hours of the request being made. When it comes to technical procedures, this clause is problematic, as companies in fact require weeks to erase the data.
Where personal data has been made public, especially in an online environment, the company needs to take reasonable steps to inform other controllers who are processing the personal data to erase links to, or replications of, that data. Failure to do so will leave the individual whose data the company is processing susceptible to risks.
Therefore, additional time is needed to help the data subject verify the lawfulness of the request and to enable identification in case a potential indicator of identity fraud is found. For comparison, the EU GDPR requires companies to respond to the request within one month at the latest to enable them to take reasonable steps.
Second, the data localization provisions are not convincing enough and seem to distance Indonesia from what it has pledged about cross-border data flow. The current general data localization provisions in the country have been somewhat relaxed since the issuance of Government Regulation No. 71/2019 on the Implementation of Electronic Systems and Transactions.
Under the regulation, only public electronic system operators must have an onshore data center, and Bank Indonesia obliges all domestic transactions to go through the National Payment Gateway (NPG). The draft bill is still subject to changes, but it reveals that the government will impose requirements on offshore data transfer.
The rationale behind data localization is to protect critical personal data, to prevent money laundering and to protect small and medium local businesses, which suffer equally from high-quality and cost-effective offshore cloud services, from adverse legal cases beyond Indonesian jurisdiction.
Third, the data authority agency needs to mandate an independent personal data management supervisory body free from the influence of ministries and other state institutions.
It cannot be ruled out only by “downsizing the institution” as stated by the government. This is important because later the institution will also supervise the management of public service data which incidentally is a fellow government institution and also the main authority in matters relating to personal data.
Trust starts from the domestic playing field. At the end of the day, unclear procedures of data localization combined with risk-neutral clauses may backfire on the government's efforts to protect personal data and privacy. Provisions that lack proper grounding are prone to becoming an easy surveillance tool for interest groups looking to gain the upper hand in controlling information and hampering freedom of expression.
Even though Indonesia has a number of laws and government regulations related to the digital economy, data localization and payment systems, some of them are not sufficiently updated or supported by a coherent legal framework that codifies data protection.
Legal gaps are evident in the case of data protection, as most laws are silent on how data is handled, processed and distributed, and on what technical and physical safeguards are applied to preserve the right to privacy.
This is where the personal data protection law should step in and fill the gap.