First published in The Jakarta Post (23/08/2022)
A strong data protection framework will provide a solid legal basis for the government to enforce the law and act against cybercriminals, such as hackers and scammers, while also establishing a system of legal accountability for electronic service providers (ESPs).
Governments, however, may not have sufficient time and resources to deal with highly technical standards and mechanisms in a rapidly changing digital ecosystem. Consequently, a co-regulatory approach to the personal data protection ecosystem is needed.
This approach will complement the enforcement of professional and technical sector-specific standards while focusing on preventive measures and engaging non-state actors in enforcement mechanisms. A government-centric approach is no panacea to emerging digital threats.
Legal accountability will provide a checks-and-balances system to help the ESPs ensure they impose appropriate measures in identifying whether they were liable to data breaches, or implement sufficient measures to prevent such breaches as they may affect their business operation.
Having a solid data protection framework will help foster consumer trust and increased technological adoption of various digital platforms, which in turn can incentivize investment, competition and innovation in the Indonesian digital economy landscape.
The current regulatory framework for personal data protection employs a top-down approach with the Communications and Information Ministry as the main regulator and administrator.
Government Regulation (PP) No. 71/2019 on the implementation of electronic systems and transactions and its derivative regulation, Ministerial Regulation No. 5/2020 on private ESPs, provide the ministry the authority to require all platforms to register with the ministry via the Online Single Submission (OSS) system prior to commencing operation.
The registration deadline, initially set at six months after Ministerial Regulation No.5/2020 entered into force in November 2020 was later extended to mid-July 2022 after a few technical considerations and an amendment through Ministerial Regulation No.10/2021.
Not all private ESPs swiftly registered. Some opted to wait and see until past the deadline. Growing media attention and a public backlash finally prompted the ministry to block a few private ESPs who had failed to comply by the deadline.
The wait-and-see of some of the private ESPs was understandable as they would have to comply with some problematic provisions in the regulation related to data governance, content moderation and access to their systems.
The registration was mandatory for both domestic ESPs (Indonesian legal entities) and foreign ESPs providing services in the Indonesian territory, used in Indonesia or which do business in Indonesia.
The sanctions range from a reprimand, fines, revocation of an ESP’s registration license or an access cut-off that will affect an ESP’s operation in Indonesia. The last sanction means that the ESP would no longer be accessible in the Indonesian market.
This comes with the notion that the ministry has the authority to instruct internet service providers (ISPs) to cut off access to noncompliant ESPs.
The ministry’s effort to strengthen its supervisory authority is further complemented by a plan to impose monetary fines for personal data breaches. It is preparing a draft regulation that lists seven main categories of personal data breaches, each with detailed violations. Each violation is assigned a specific number of points, with each point equalling Rp 100,000 (US$6.72).
A long-awaited regulation is currently in the making, being deliberated at the House of Representatives. The personal data protection (PDP) bill is also seeing the emerging role of the private sector in the creation of rules and in ensuring compliance.
The private sector arguably has an alignment of incentives to uphold personal data principles in order to maintain the trust of its consumers. This fosters a potential avenue for co-regulation.
While the government deserves praise for its effort to assert its authority as personal data supervisor through diverse regulatory tools (from ESP registration, investigation, monetary fines and access cut-off and normalization of access), the current approaches are still missing meaningful involvement from, and interaction with, the private sector.
First, there has been no systematic effort to improve the quality of human resources to deal with privacy and security issues. Key to privacy and security best practices is a solid talent base of professionals who will safeguard platforms from data breaches or privacy violations.
There needs to be continuous professional education and executive learning programs for the relevant professionals. A similar model can be found in the financial sector, where continuous executive education for certain types of expertise, such as risk management, is mandatory.
Second, preventive measures are still lacking. As the ministry’s data suggest, 93 percent of incidents were the results of data breaches that had already happened. Preventive measures require more efforts in creating technical standards and ensuring that those standards are consistently applied, irrespective of any privacy incident.
Third, as the number of platforms is growing exponentially in line with the rise of the digital economy, the ministry may not have sufficient capacity and resources to oversee the entire industry. It will take the ministry a substantial number of investigators and supervisors to carry out its mandate.
Having a co-regulatory approach with a trusted partner will ease the burden of the ministry’s resources, combining the need to seriously enforce personal data protection rules while maintaining a light-touch approach to internet regulations. To conclude, the government’s vision of an inclusive and safe digital ecosystem and its efforts to achieve it need a co-regulatory approach. Dealing with sensitive and highly technical issues like personal data protection requires strategic and continuous public-private collaboration.