The long-awaited Indonesian Personal Data Protection Bill was approved by the parliament on September 20, 2022. Despite the initial draft being submitted to parliament in 2016, this long-pending legislation experienced delays due to disagreements between the government, parliament, and civil society over important details, such as who would serve as the supervisory body in enforcing the measure.
The government preferred the Ministry of Information and Technology to be the supervisory body, a preference criticized by parliament and civil society organizations, which are pushing for an independent supervisory free from government intervention. The debate resulted in a legislative deadlock as stakeholders wait for Indonesian President Joko Widodo (Jokowi) to appoint an oversight body.
The data is in danger
Although the data protection bill includes serious penalties, including corporate fines or even imprisonment, its approval by no means settles the debate over data protection in Indonesia. In 2022 there have been heated debates and discussions about digital rights, digital regulation, and data protection in Indonesian news and cyberspace, stemming from repeated fiascos, including data breaches from government institutions, mandatory registration for private electronic system operators (ESOs), and company breaches resulting in citizen information being stolen and sold by hackers.
Mandatory registration of ESOs sparked concerns over data privacy and censorship. Some companies, such as Yahoo, PayPal, and Steam, were blocked when they failed to register. This quickly sparked protests, as the hashtag #BlokirKominfo spread around cyberspace as people protested against the Indonesia Ministry of Information and Technology (KOMINFO) for causing chaos.
The ESO regulation was supposed to protect the data of Indonesian citizens and give Indonesian authorities the ability to supervise the operation of ESOs. However, doubts about the efficacy of the data protection regulation were raised when the government launched the PeduliLindung, a COVID-19 tracking application, which was a mandatory application during the pandemic for those who wished to fly, use public transport, enter malls, or visit any public spaces. The application crashed several times despite the government's assurance that it would improve the app. Digital activists remained concerned about how the app processed sensitive health data, and fears the government could not keep citizen data secure were reignited when President Joko Widodo’s own vaccine certificate was leaked online.
Digital technology has become a staple in daily life, resulting in an urge within the Indonesian government to create laws regulating and protecting people in cyberspace. Some cyber regulations, such as the infamous Electronic Information and Transaction Law, became problematic when enforced.
Instead of protecting people from cyberbullying and fraud, this regulation has been used to attack those who criticize government regulations or policies. It goes further by victimizing people who criticize others in daily life. Some internet users’ posts have been criminalized simply because they contain complaints about something or someone via social media. Journalists writing about state problems have also become victims of this regulation. The Institute for Criminal Justice Reform said the government should pay attention to five crucial issues in this law, because it threatens freedom of expression.
Data protection also remains weak against private digital applications and e-commerce platforms which constantly collect more and more personal information from their customers. When BukaLapak and Tokopedia’s (both are e-commerce platforms in Indonesia) data was breached and reportedly sold on the dark web, there was no significant action from the government. The platforms said that they would upgrade their security. However, there was no compensation or tangible support provided to their customers.
In September 2022, there was another very large data breach containing information on over 105 million citizens from a government institution. The hackers were selling to buyers through a forum site. Again, there is no mechanism for citizens to complain or take action regarding the incident, and little has been done by the government in response to the leak.
Activists say that ideally when there are some parties (private sector, government, etc.) collecting citizens’ data for their own purpose, they should be required to declare how they handle the data, including protection measures, and what they will do in case of a data breach. Customers should also have the right to sue the parties who neglect data protection in the form of class action lawsuits.
Some civil society organizations in Indonesia have joined forces and collected complaints from citizens or the groups who were affected by large-scale leaks. This group hopes to facilitate a class action lawsuit against the government for being negligent in protecting citizen data.
However, justice will only be served if there are data protection regulations that protect citizens overwhelmed by data traffic, e-commerce practices, and private data collection from institutions (including government institutions). Not to mention a system where citizens can file complaints when they think their data might be misused. Then, the complaint needs to be handled by the regulator, who then investigates the case and decides the degree of mistake of the institution.
Within the digital rights sector, there is a lot of work to do now that the personal data protection bill has been passed. Civil society organizations have pointed out that the government seems excluded from the obligation to protect data even if it also collects citizen data on a large scale.
Also, there is still no clarity about which institution will process the data and will be held accountable if there is a leak. Still, there is a long way to go to achieve stronger data protection in Indonesia.
*Juliana Harsianti is an independent researcher and journalist working at the intersection of digital technology and social impact.