As digital data retrieval and processing is becoming more widespread, there is an increasing urgency to finalize comprehensive personal data protection regulations. With a clear legal basis, personal data protection will have a stronger guarantee. Having such regulation is also important for the sustainability of the digital economy.
This was stated during KSIxChange#21 session titled “The Importance of Guarding the Personal Data Protection Bill” organized by the Knowledge Sector Initiative (KSI) in collaboration with the Institute for Community Studies and Advocacy (ELSAM) held online on Tuesday (28/4). KSIxChange is a forum to exchange knowledge that KSI routinely holds. Speakers at this session included the Director-General of Informatics Applications at the Ministry of Informatics and Communication Semuel Abrijadi Pangerapan, ELSAM Deputy Director of Research Wahyudi Djafar, Chair of the Cyberlaw Center at the Faculty of Law of Padjajaran University, Sinta Dewi Rosadi, and Member of Commission I of the House of Representatives (DPR RI) Bobby Adhityo Rizaldi. The discussion was moderated by Prasetya Dwicahya, Advisor with Data Science Indonesia.
Wahyudi said, today the practice of data mining to data theft is increasingly rife along with the development of digital devices. Various sectors are vulnerable to becoming nodes for data leaks, including the collection of population data, telecommunications data, consumer data, financial data in the banking industry, social media user data, and so on. Such data leakage can cause harm to data subjects, be it in the form of economic losses to safety threats. However, to this day there is yet to be a comprehensive regulation to protect personal data of citizens. “The potential for data leakage is quite large in various sectors,” he said.
In Indonesia, there are currently many regulations regarding personal data. According to a study by ELSAM, there are 32 laws related to personal data. However, these rules do not have the same model and do not entirely refer to the principle of personal data protection. It is very important, therefore, to push for the finalization of a comprehensive Personal Data Protection Act (UU PDP) to ensure legal certainty.
Wahyudi emphasized that personal data protection regulations are not made to complicate business practices in the digital age. Having regulations will only increase public confidence in digital businesses. By applying personal data protection principles, a digital business entity will be able to grow consumer confidence.
Some other points that Wahyudi addressed included the definition and type of personal data, the legal basis for processing, material, and territorial coverage, the rights of data subjects, the obligations of the controller and processor of personal data, the regulatory vacuum regarding vulnerable groups and exceptions in specific data processing, formulation of sanctions and the establishment of an independent institution for its implementation.
According to Sinta, the PDP Law deals with the protection of human rights, especially related to the right to privacy of personal information and data. “Personal data are human rights. When it is processed there must be legal reasons, among others, through the law,” she explained.
Sinta explained, in the concept of personal data protection, the protected party is each individual. The parties that carry the obligation are the government and the private sector. The PDP Law will be deemed comprehensive when it regulates all these parties. “The various current regulations are not comprehensive because they regulate in a piecemeal fashion only. So there must be a comprehensive law to cover all data processing activities,” she explained.
According to Semuel, the PDP Bill is drafted because there is a need for protection of personal rights in the digital age. He explained, the PDP Bill that has been drafted is indeed not yet perfect, considering how digital technology continues to develop rapidly. For him, the most important thing is to ensure that basic principles of personal data protection are included in the PDP Bill. “The important thing is the basic principle. We will refine the regulation mechanism when we discuss it. In the discussion there will be input from the parliament and the public,” he said.
Bobby said the PDP Bill was included in the 2020 national legislation program. Presently, the academic text has been submitted to the House of Representatives. However, the House, especially Commission I in charge of the discussion of the Bill, has not invited the public to provide input due to the COVID-19 pandemic. “We are looking for formulations to invite public participation, including possibly online. Nonetheless, each faction has started the studies and in the process will certainly get input from the public,” he said.
The Parliament, said Bobby, plays a role in bridging public aspirations with the wishes of the government. On the one hand, the PDP Bill must be able to protect the human rights of every citizen as the subject of data. On the other hand, there is a need for data monetization for business purposes. For that reason, in PDP Bill deliberations, three things need to be ensured, namely, having good governance, adequate technology management, and competent human resource.
To ensure that personal data protection principles in the PDP Bill would later work, Sinta stressed the importance of having an independent institution to oversee the application of these rules. Thus, the rules that have been passed will be effective in protecting the personal data of citizens. “It is useless if the rules are only normative but not effective. To be effective, there needs to be an independent body,” she said.
According to Sinta, ideally, there should be an independent commission that is independent of the government or private interests. Moreover, the proposed model in the PDP Bill for Indonesia is a comprehensive model governing both the government and the private sector. “If the supervisory agency function is carried out by the government, the government will oversee itself and that is not an easy thing,” she said.
In addition, to have an independent commission is also related to having equivalency with similar regulations in other countries. When there is an independent commission, PDP regulations in Indonesia will be recognized as equivalent to those of other countries. Only with this recognition of equivalency can data transfers between countries be carried out.
Wahyudi added, it is important to have an independent institution for the application of PDP regulations, not only in Indonesia but in all countries that already have this regulation. However, its application will depend on the mandate of the PDP Laws in force in those countries. In the UK, for example, the role of this institution is combined with the information commission by appointing competent people. In Scandinavian countries, that role is attached to the ombudsman institution. Some countries form their own institutions, for example, in Singapore and Malaysia. “In Indonesia, the most important thing is to emphasize the independence of this institution as it will oversee both the government and the private sector. So, it is not appropriate if this institution will become part of the executive branch,” he said.
Related to that, according to Semuel there are several choices regarding institutional forms. There is a mandate of the Law delegated to an independent institution, there are also those mandated to the government. “Whatever form it takes, the way it works must be independent. Independent is not from its formation, but how it carries out its functions. So more importantly, how will we determine the SOP for how this body works,” he said.
Meanwhile, from the DPR’s perspective, Bobby explained that the type of institution will be determined by the outcome of the PDP Bill deliberations. The most basic thing that needs to be agreed upon is the definition and scope of personal data. The definition, according to him, will influence what type of supervisory body that is most appropriate.
Prasetya reminded about the inevitability that individuals are forced to provide their personal data through digital applications. Such the data that enters these systems are vulnerable to misuse. With internet users comprising around 64.8% of the total population in Indonesia, a more comprehensive PDP Bill needs to be finalized urgently.
This online discussion involving more than 200 people is part of KSIxChange discussion series that has been held 21 times. This discussion is expected to not only be a forum for development actors but also to strengthen policies for better personal data protection for all levels of Indonesian society.**