SIM Card Re-registration and Potential Threat to Privacy

ELSAM-Jakarta. The Ministry of Communication and Information (Kominfo) recently issued a policy making SIM card registration mandatory. The stated reason for the policy is to minimize the use of communication devices as a medium for crime. However, in the absence of comprehensive regulation on data protection, the policy increases the potential threat to citizens’ right to privacy.

As specified in Ministry of Communication and Information Regulation (Permenkominfo) No. 12 Year 2016, amended by Permenkominfo No. 14 Year 2017 and amended again by Permenkominfo No. 21 Year 2017, prepaid cellular card users must re-register their personal data. They need to send their citizenship identity number (NIK) and Family Card (KK) number by short message (SMS). According to Kominfo, the NIK and KK numbers sent, together with the users’ phone numbers, will then be used to synchronize the users’ data with the records of the Directorate General of Population and Civil Registration of the Ministry of Home Affairs, which contain name, address, family, age, etc.

In response to the policy, the Institute for Policy Research and Advocacy (ELSAM) held a press conference on Wednesday, 18 October 2017. The response was prompted by the weak protection of the privacy of users’ data collected under the policy. Although Kominfo has issued Permenkominfo No. 20 Year 2016 on personal data protection in electronic systems, the absence of comprehensive regulation to protect data privacy leaves the collected personal data vulnerable. Such regulation would include rules that bind all ministries/institutions and the private sector, as well as sanctions and remedies when personal data is misused.

“If Personal Data Protection Law, which comprehensively regulates the obligation of personal data managers from the process of recording/collecting, processing and destructing, does not exist in Indonesia, the bigger is the potential threat to the citizen’s personal data,” Wahyudi Djafar, ELSAM’s Deputy Director of Research, explained on the occasion.

In the global context, SIM card registration is not a popular policy. Based on ELSAM’s study, only 13 of 88 countries have a policy requiring SIM card registration. Moreover, only 6 of the 57 countries that have comprehensive regulation on personal data protection require SIM card registration. Those six countries are South Africa, UAE, Norway, Malaysia, Mauritius and Germany. Among the countries that do not have a personal data protection law, 2 out of 25 impose such an obligation.

Intensive Data System and Threat to Privacy

In practice, advanced digital technology and our migration to it to fulfil daily needs have created methods of massive data collection. But that does not mean privacy rights can be neglected. Data collection without a guarantee of protection allows certain parties to misuse the data records.

Previously, the policy produced by Kominfo (Permenkominfo No. 12 Year 2016) specified that the birth mother’s name must be provided for SIM card re-registration. According to ELSAM’s study, this was a vulnerability, since the birth mother’s name was occasionally used as a super password for financial/banking data. Fortunately, after ELSAM’s press conference on 18 October 2017, Kominfo did revise the policy, eliminating the provision on the birth mother’s name, as specified in Permenkominfo No. 21 Year 2017.

As part of a data-intensive ecosystem, the state now holds all of our data: from our medical records, financial and banking data, and tax data to the administrative and civil registration data managed by the Ministry of Home Affairs. With these data, it has great power. Can you imagine if there is no clear data protection? The data could potentially be misused.

In addition, as the data industry grows, many private companies across sectors, such as telecommunication, insurance, banking and online transport service providers, are competing to collect the personal data of their users. The massively collected data, once processed through datafication, becomes a highly valued item. Unfortunately, strict regulation has not been applied to ensure the secrecy and dignity of the data.

Take the data of telecommunication service users as an example. The contract between the user and the operator related only to the telecommunication service, but the operator cooperated with a third party on product marketing by utilising BTS-based geolocation technology. “It will happen if we use one of the operators which have partnership with the third party to spread the advertisement. If we go to the mall, we often receive SMS from the tenants in the mall. It does not stop there. The customer occasionally receives SMS from a lot of parties such as credit card telemarketing, and other products,” Wahyudi added.

Responding to the global trend, the European Union has issued the General Data Protection Regulation (GDPR). It seeks to establish data protection as a civil and political right of the citizen or customer, including in the digital industry, and to bind the giant companies that collect data across borders. Therefore, Indonesia should prepare solid data protection regulation so that its domestic rules are consistent with the data protection regulations of other countries. A number of countries, particularly in Europe, have required countries that will transfer data, or export and import data, to comply with GDPR.