The long and winding road : Striving for data protection in Indonesia

Juliana Harsianti is an independent researcher and journalist working at the intersection of digital technology and social impact.

The long awaited Indonesian Personal Data Protection Bill was approved by the parliament on 20 September 2022. Despite the initial draft being submitted to parliament in 2016, this long-pending legislation experienced delays due to disagreements between Government, the Parliament, and civil society over important details such as who would serve as the supervisory body which administered the bill.

The Government preferred the Ministry of Information and Technology to be the supervisory body, a preference criticized by Parliament and civil society organizations who advocated for an independent supervisory free from government intervention. The debate led nowhere, resulting in a legislative deadlock.

To resolve the impasse, the Government and Parliament are now turning to the President, Joko Widodo, who is authorized to decide who will serve as the supervisory body. 

Until President Widodo nominates or forms the oversight body, its exact nature or makeup is not known.

The data is in danger

Although the data protection bill includes serious penalties including corporate fines or even imprisonment, its approval by no means settles the debate over data protection in Indonesia. 2022 has seen heated debate and discussion about digital rights, digital regulation and data protection in Indonesian news and cyberspace, stemming from repeated fiascos including data breaches from government institutions, mandatory registration for private electronic system operators (ESOs), and company breaches resulting in citizen information being stolen and sold by hackers. 

Mandatory registration of ESOs sparked concerns over data privacy and censorship. Some companies, such as Yahoo, PayPal, and Steam, were blocked when they failed to register. This quickly sparked protests, as the hashtag #BlokirKominfo spread around cyberspace as people protested against the Indonesia Ministry of Information and Technology (KOMINFO) — who caused all the chaos. 

The ESO regulation was supposed to protect the data of Indonesian citizens and give Indonesian authorities the ability to supervise the operation of ESOs. However, some doubts about the efficacy of the data protection regulation were raised when the government launched the PeduliLindung, a COVID-19 tracking application, which was a must-install application during the pandemic. The application crashed several times, and the Government promised improvement in the application. Digital activists remained concerned about how the app processed sensitive health data, and fears the government could not keep citizen data secure were re-ignited when President Joko Widodo’s own vaccine certificate was leaked online. 

Digital technology has become the staple in daily life, resulting in an urge within the Indonesian government to create laws regulating and protecting people in cyberspace. Some cyber regulation, such as the infamous Electronic Information and Transaction Law, is problematic when it is enforced. 

Instead of protecting people from cyberbullying and fraud, this regulation has been used to attack those who criticize government regulation or policies. It goes further, also victimizing people who criticize others in daily life. Many people have been criminalized simply because of complaining about something to someone on social media such as Facebook and Twitter. Journalists writing about certain problems also become the victim of this regulation. The Institute for Criminal Justice Reform said the government should pay attention to five crucial issues in this law, because it threatens freedom of expression.

Data protection also remains weak against private digital applications and ecommerce platforms which constantly collect more and more personal information from their customers. When BukaLapak and Tokopedia’s (both are e-commerce platforms in Indonesia) data was breached and reportedly sold on the dark web, there was no significant action from the government. The platforms said that they would upgrade their security, however there was no compensation or tangible support provided to their customers. 

In September 2022, there was another very large data breach containing information on over 105 million citizens from a government institution. The hackers were selling to buyers through a forum site. Again, there is no mechanism for citizens to complain or take action regarding the incident, and there has been little done from the government to respond to the leak. 

What’s next?

Ideally, when there are some parties (private sector, government etc) collecting citizen’s data for their own purpose, they should be required to declare how they handle the data, including protection and what they will do in case of a data breach. Customers also have a right to sue the parties who neglected the data protection, in the form of class action.

Some civil society organizations in Indonesia have joined forces and collected the complaints from citizens or the groups who were affected by the leak. This group would facilitate the class action against the government because they are negligent to protect the citizen data.

The ideal situation only happens when there is a data protection regulation which protects the citizen among the data traffic, e-commerce practice and private data collection from institutions (including government institutions). Not to mention the system where citizens can file complaints when they think their data might be misused. Then, the complaint needs to be handled by the regulator who then investigates the case and decides the degree of mistake of the institution.

There is a lot of homework to do after the personal data protection has been passed. Joint civil society organizations mentioned there are some problems in this bill, including the government seems excluded from the obligation to protect the data, where they also collect citizen data in massive volume. 

Also, still no clear about the institution who works together to process the data, for example who will be in charge when there is some leak. It’s expected that those institutions won’t be off the hook and leave the victim alone. Still, there is a long way to go to achieve stronger data protection in Indonesia.