Implementing Strong Personal Data Protection in Indonesia
By: Puspa Amelia (firstname.lastname@example.org)
The importance of protecting personal data has grown along with the increasing number of telephone, cellular and internet users. A number of cases stand out, especially those involving personal data breaches that led to fraud or pornography-related crime. This reinforces the importance of legal regulation to protect personal data.
The cases that have occurred several times in Indonesia involve both the buying and selling of consumer data and minimal security protection at companies, which results in data breaches. The data obtained is then used by various parties for harmful actions such as phishing and other cybercrime. Quite a few internet users offer services buying and selling consumer data that was leaked or stolen by hackers or other irresponsible parties. This practice opens up room for misuse of consumers' data to commit cybercrime amid current technological developments.
There is no specific law in Indonesia that regulates the protection of privacy. The most relevant regulation concerns personal data protection. The principal law governing data protection in Indonesia is Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 (EIT Law). The procedural guidelines for the EIT Law are set out in Government Regulation No. 82 of 2012 as revised by Government Regulation No. 71 of 2019 on the Implementation of Electronic Transactions and Systems (GR 71/2019) and Minister of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data (MOCI Reg. 20/2016).
Efforts to protect personal data require a stronger ‘umbrella regulation’ to guarantee the public's right to the security of their personal data. It is very important to create a protection system that applies principles upholding users' privacy at both the regulatory and technical levels. The Indonesian Communication and Information Technology Minister, Johnny G. Plate, said Indonesia is lagging behind because there are already 126 countries in the world that have adopted the general data protection regulation (GDPR).
The GDPR sets out seven principles for the lawful processing of personal data. The seven data protection principles that must be complied with when processing personal data are as follows:
1. Lawfulness, fairness and transparency
Any collection of personal data shall be lawful and fair. It should be clear to individuals that personal data relating to them are collected, used, reviewed or otherwise processed, and to what degree the personal data are or will be processed.
2. Purpose limitation
Personal data should only be collected for clear, explicit and valid purposes, and should not be further handled in a manner inconsistent with those purposes. In particular, the precise reasons for which personal data are processed should be clear, valid and decided at the time the personal data is obtained.
3. Data minimisation
Personal data processing must be sufficient, accurate and restricted to what is required in relation to the purposes for which it is processed.
4. Accuracy
Controllers must ensure that personal data is correct and, where possible, kept up to date, and must take every reasonable step to ensure that incorrect personal data, taking into account the purposes for which they are stored, are promptly erased or rectified.
5. Storage limitation
Personal data should be stored in a form that allows data subjects to be identified only for as long as is appropriate for the purposes for which the personal data are collected.
6. Integrity and confidentiality
Personal data should be handled in such a way as to ensure proper security and confidentiality, including protection against unauthorized or unlawful access to or use of personal data and the equipment used for processing, and against accidental loss, destruction or harm, using reasonable technological or organizational steps.
7. Accountability
Ultimately, the controller is responsible for compliance with all of the above-named data protection principles and must be able to demonstrate it.
Therefore, we hope that the Protection of Personal Data Bill, which was submitted to the House of Representatives (DPR) on 24 January 2020 and is currently in the discussion stage, can accommodate all seven of the principles above.