Avicenna Hartojo Tirtosuharto
In the age of information, data continues to become an increasingly valuable resource used to maximize the efficiency of all industries, from agriculture to banking. As the world continues to digitize it is nearly impossible to go a day without leaving a digital footprint that can be collected by multi-billionaire companies to advertise the newest shiny products. Liking your favorite singer’s posts on Instagram, searching for recipes on google, and texting a friend about the school assignment you left, all leave a trail of information that can be used to create a digital profile. Science focus estimated that Google, Facebook, Microsoft, and Amazon stored 1,200 petabytes equivalent to 1.2 million terabytes of data, enough storage to hold 144 trillion photos. With so much information available online and more being added every day, privacy becomes the main concern for many countries attempting to regulate the use of personal data.
Internet privacy is the right for a person to have complete control over all personal information, which includes the ability to withhold certain information from being sold by companies, used for commercial purposes, or distributed publicly. To uphold internet privacy, many countries have Personal Data Protection Laws, that prohibit parties from utilizing consumer data without consent. However, only 126 countries have passed personal data protection laws, other countries like Indonesia, still lack a legal protection system leaving their internet users vulnerable. Indonesia’s situation is especially worrisome since it is the 4th largest population in the world and holds 175 million active internet users as of January 2020. As the number of internet users grows, the need for personal data protection laws intensifies.
In the absence of these data protection laws, Indonesia has been encountering an increasing amount of data breach incidents. In March earlier this year, 15 million users on Tokopedia, an Indonesian e-commerce giant, had their personal information—including their name, email, and password— leaked and sold. The Communication & Information System Security Research Center (CISSReC) expressed concerns about the situation, especially regarding the possibility that other e-commerce sites were breached but kept hidden from the public. That data may have been sold back to the company, protecting the companies reputation. All this exploitation comes as e-commerce quickly gains popularity as a result of the COVID-19 lockdowns. The global pandemic caused a 250% increase in purchases in the personal health category on Tokopedia.
Following the cyberattack in March, another data leak transpired in May, this time to the General Commission of Indonesia(KPU) who handle the general elections in the country. The information of 2.3 million Indonesian voters including there home address and identification numbers were released on a black market website. Additionally, the General Commission of Indonesia received threats that two hundred million more voters would have their information exposed. Then in June, personal data from two hundred thousand COVID-19 test results were sold on RaidForums an online marketplace for illegally downloadable digital commodities. What was alarming about the sale was that the data which included names, addresses, phone numbers, ages, nationalities, and private medical records, were all being sold for 300$ on RaidForum a site accessible to anyone through google.
With all the turmoil that has struck Indonesia’s digital community, it is critical that the Indonesian Personal Data Protection Laws or Undang Undang Perlindungan Data Pribadi(UUPDP) is passed by the parliament. It’s important to note that this is not a new discussion for the Indonesian Government. A Personal Data Protection Law has been circulating parliament for eight years now, since back in 2012. The main issue that has prevented this bill from passing is the definitions of personal data. Currently, there are 32 other regulations from different ministries all with definitions for personal data that contradict. The Ministry of Communication and Information Technology has been working with the other ministries to develop a definition that is agreeable. The 1st Chapter of the Personal Data Protection Law contains 22 articles defining personal data. In total, the bill is 16 chapters long with 46 articles aimed at establishing data privacy as a basic right for all Indonesians and protecting consumers’ data. The person leading the efforts is the minister of Communication and Information Technology, Mr. Johnny G. Plate, who is persistently pushing for the law to be passed by 2020 under the request of President Joko Widodo. Minister Plate plans to use the bill to confront data protection through all stakeholders in an approach he calls “multistakeholder.” This will involve cooperation between the ministries, national police, technology, and telecommunication companies, and the Indonesian citizens. The bill takes strong influence from the General Data Protection Regulation(GDPR), passed by the European Union in 2018, which is widely regarded as a rigid data security policy.
Passing the Personal Data Protection law will be a long awaited and monumental step for Indonesia’s data security. The bill will establish criminal charges including financial charges up to 1 billion rupiah and prison time up to 1 year for all stakeholders involved in data breaches, holding hackers and companies accountable. The law will ensure that personal data is not collected by “any person or party….for the benefit of themselves or another party in an unlawful manner or to the detriment of the personal data owner.” Additionally, the bill will require for companies to report data breaches within three days of an incident, an update from the fourteen days in KOMINFO No.20/2016. This will hold e-commerce companies criminally accountable for hiding data breaches by paying off hackers for stolen data. Still, even as the law continues to progress in parliament, concerns surrounding the vagueness of phrasing such as “for the benefit of themselves or another party,” pose serious delay concerns.
One question which still remains is whether or not significant change will happen when the bill is passed. The answer to that is still unknown, but the impacts will take time to be seen. Businesses must be trained to comply with the new regulations and Indonesian citizens must become acquainted with the new rights. In countries like Singapore, it took two years for companies to adapt to the changes set forth by their data protection laws. It may take even longer for Indonesia, which relies heavily on small medium enterprises that may not have the resources available to comply with new regulations. One thing is for sure, this law is long overdue, and it's an important step for a country like Indonesia to take as it steps into its digital future.
Bibliography:
https://www.sciencefocus.com/future-technology/how-much-data-is-on-the-internet/#:~:text=One%20way%20to%20answer%20this,one%20terabyte%20is%201%2C000%20gigabytes).
https://www.statista.com/statistics/254456/number-of-internet-users-in-indonesia/
https://jakartaglobe.id/tech/indonesia-expects-to-adopt-data-protection-law-sooner/
https://www.infosecurity-magazine.com/news/indonesia-denies-covid19-test-data/
https://indonesia.go.id/narasi/indonesia-dalam-angka/sosial/menunggu-uu-perlindungan-data-pribadi
Commentaires