International Data Protection Day 2024: A Year of Challenges in Implementing Personal Data Protection Law

Sunday, 28 Jan 2024

ELSAM Press Release

Every year on 28 January, at least 50 countries around the world, including Qatar, Nigeria, the United States, Canada and the 47 member states of the Council of Europe, celebrate Data Protection Day to commemorate the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) by the Council of Europe on 28 January 1981. The commemoration also aims to raise awareness and promote best practices on privacy and data protection. 

Indonesia itself passed Law No. 27/2022 on the Protection of Personal Data (PDP Law) on 20 September 2022, which came into force on 17 October 2022 (Article 76 of the PDP Law). Therefore, it is also important for Indonesia to cooperate and collaborate with other countries in the world to promote good practices in privacy and personal data protection. In addition, the PDP Law gives data controllers and processors two years (Article 74 of the PDP Law) to prepare standards for compliance with the PDP Law. The two-year period also includes time for the government to prepare various technical regulations in the form of government regulations on the implementation of the PDP Law, and to establish a PDP supervisory institution.

Unfortunately, one year after the enactment of the PDP Law, awareness and good practices of personal data protection in Indonesia do not seem to be improving. From the enactment of the PDP Law until the end of 2023, the Institute for Policy Research and Advocacy (ELSAM) found that there were at least 668 million allegations of unlawful disclosure relating to personal data, originating from 6 data controllers from both public and private entities. Regarding the alleged disclosure of personal data, 44 million allegedly came from the MyPertamina application in November 2022, 15 million data from the BSI incident in May 2023, 35.9 million data from MyIndihome in June 2023, 34.9 million data from the Directorate General of Immigration in July 2023, 337 million data from the Ministry of Home Affairs in July 2023, and finally 252 million data from the alleged leak of the KPU voter list information system in November 2023.

Low government awareness and attention

The series of alleged personal data leakage incidents described above illustrates the low attention paid by public sector data controllers to compliance with personal data protection standards. Public bodies, particularly government institutions, place a high value on innovation for the digital transformation of public services. This has implications for the massive mining of citizens' personal data. However, we see a lack of measures to ensure safeguards in data processing as required by the PDP Law. This situation differs from the standard in many other countries with mature personal data protection legislation, where the risks to data protection have shifted from public actors to private actors, involving various economic platforms.

This situation is exacerbated by misunderstandings about the applicability of the PDP Law. For example, some public statements made by the government have stated that the PDP Law will not come into force until 2024, or two years after its enactment. This statement is based on an incorrect reading of the transitional and final provisions of the PDP Law. This then acts as an excuse not to take appropriate action in the form of an investigation when an incident of suspected personal data leakage occurs, so that the incident continues to recur as no resolution is sought. Furthermore, the broad exceptions contained in the PDP Law, which use the phrase "in the public interest in the context of state administration" (Articles 15 and 50 of the PDP Law), are often misinterpreted by government institutions to exempt themselves from complying with the PDP Law. 

The Need for Clarity in Technical Regulations

Following the PDP Law, the Ministry of Communication and Informatics (Kominfo) has started drafting the Government Regulation on the Regulations for Implementing Law No. 27/2022 on the Protection of Personal Data (RPP PDP). The RPP PDP consists of 10 chapters, 245 articles and a total of 45 sections. In terms of technical wording, this draft RPP repeats many similar articles, which could basically be combined. Moreover, the phrase "in accordance with the provisions of laws and regulations" is found in almost all chapters. This is because of provisions in other laws and regulations that are directly or indirectly related to the legal framework for the protection of personal data. However, the use of this phrase in several articles tends to be unclear, which may lead to confusion in the implementation of this RPP. Therefore, it is necessary to make straightforward adjustments to the articles that overlap with other laws and regulations by clarifying the references made.

There are a number of critical comments on the draft. First, the draft RPP does not address several crucial issues in the processing of personal data that intersect with the fulfillment of human rights. One of these is clarity on the implementation of several clauses, in particular the intersection between the right to privacy and other rights, such as the right to information and freedom of expression, including freedom of the press. In order to ensure that its implementation does not create tension and conflicts between a number of these rights, the materials of this Regulation should provide detailed specifications in this regard. 

Second, the draft RPP focuses on regulating the implementation of obligations and enforcement with respect to corporate (private sector) data controllers/processors, but leaves open a number of questions regarding the effectiveness of its application to public sector data controllers/processors. Moreover, taking into account the scope and capacity of data processing, the draft does not yet provide a clear gradation in the implementation of the obligations of data controllers. This includes the provisions on sanctions, in particular administrative fines, which also do not formulate a clear gradation of their enforcement according to the size of the controller's business (small, medium, large). It also does not explain the reference to annual "total revenue/acceptance" as the basis for applying sanctions, or whether this refers to total revenue/acceptance globally or is limited to operations in Indonesia.

Third, due to the fact that much of the material regulates corporate data controllers/processors, the drafting process of this RPP seems to prioritize the involvement of the private sector. The main purpose of personal data protection law is to protect the rights of data subjects as part of the constitutional rights of citizens. Therefore, data subjects should be actively involved in the drafting process of this RPP, so that the final product can properly take into account the interests of data subjects. The involvement of data subjects should be central to the legal policy of drafting personal data protection legislation and can be represented by civil society organizations, consumer groups as service users, vulnerable groups, consumer advocates, professional associations and other parties whose data are collected and processed.

The urgent need for authority 

The obligations of controllers and processors and the authority of the supervisory body need to have a common thread. For example, the obligation of the controller to establish a privacy policy needs to be balanced with the authority of the institution to evaluate and order the controller to change its policy if it is suspected that it has the potential to violate the rights of data subjects. In addition, where it overlaps with the obligation of the controller who possesses the shared data to enter into an agreement, the institution needs the power to require the controllers to enter into an agreement as a key condition for a joint controller under this RPP. This is because, in practice, this type of data processing will mainly occur due to the technical configuration between the controllers.

The chapter on institutional authority also needs to clarify the relationship and involvement of other actors outside the PDP Law, taking into account the powers granted to other ministries/agencies under certain laws. For example, this would involve cooperation with sectoral regulators such as the Ministry of Health, the Financial Services Authority, as well as with respect to requests for legal assistance, which must take into account the limits of the prosecutor's authority as a public prosecutor. Similar attention must be paid to the provisions relating to the powers of the institutions in carrying out cooperation. Cooperation by PDP institutions with similar institutions in other countries, as referred to in Article 60 of the PDP Law, should be distinguished from international cooperation under Article 62 of the PDP Law, as formulated in this RPP (Article 197).

In addition, mutual legal assistance is basically limited to the handling of criminal cases, as contained in the Law on Mutual Legal Assistance in Criminal Matters (Law No. 1/2006). This mutual assistance also refers to international agreements between countries ratified by a special law (MLA ratification). On the other hand, the PDP institution is not a criminal law enforcement body and the cooperation referred to in Article 60(e) of the PDP Law relates solely to the resolution of alleged violations of the protection of personal data, which falls within the scope of administrative law. Therefore, the scope of cooperation that the PDP Supervisor can conduct with similar institutions in other countries is also limited.

In the institutional context, although the PDP Law establishes the PDP supervisory institution as a non-ministerial government agency (LPNK) accountable to the president, this institution should be functionally independent. The institutional model of the PPATK (Financial Transaction Reports and Analysis Centre) can be used as a basis for a functionally independent model: it is considered an executive agency (LPNK) yet remains independent in the performance of its functions. This model can be developed in the drafting of the presidential regulation that will establish the supervisory institution, including the design of its institutional structure, so that it can effectively carry out the mandate of the PDP Law, including the supervision and enforcement of compliance with personal data protection by both public and private data controllers and processors.

Jakarta, 28 January 2024

Lembaga Studi dan Advokasi Masyarakat (ELSAM)

For further information please contact: Wahyudi Djafar (ELSAM Executive Director), telephone: 081382083993; or Parasurama Pamungkas (ELSAM Researcher), telephone: 082232001783; or Annisa Noor H (ELSAM Researcher), telephone: 081344426673.