The Urgency of Personal Data Protection Law

ELSAM, Jakarta – Seeing its distribution pattern in the world, Indonesia is one small part of all countries which has not had specific regulation to protect its citizens’ personal data. In ASEAN region, Indonesia is the lagging. Meanwhile, few years previously, there is a trend to collect data, whose number is raising, in a big data scheme. This collection was carried out by government for the sake of development goals and citizens’ registration, and by private sector for business. The growing of digital business and the better penetration for internet users in Indonesia have increased the frequency of customers’ (citizens) personal data record and collection.

The chance of citizens’ personal data abuse gets more open after so many regulations which provide spaces for government institutions and private sectors to collect and open citizens’ personal data. Such situation is depicted in at least so many laws in Indonesia whose materials contain personal data, whether they have aspect to protect or in reverse, open the opportunity for data disclosure. The study conducted by ELSAM, for example, found that at least 30 laws in Indonesia have the connection with personal data protection. Unfortunately, those laws are overlapping one another. For instance, the purpose of data processing, notification, purpose of data disclosure, duration of data collection and disclosure, data destruction, permission of data disclosure, sanction and remedy.

Government, through its Directorate General of Public Information and Communication (IKP) of Ministry of Communication and Information, currently prepares Personal Data Protection Bill. The process has commenced the harmonization in Directorate General of Laws and Regulations of Ministry of Law and Human Rights. Government plans to submit the Bill to be the prioritized National Legislation Program (Prolegnas) 2018. ELSAM has involved in two coordi nation meetings held by Coordinating Ministry of Politic, Law and Security; and Ministry of Law and Human Rights, to specifically discuss the contents and formal steps for the submission of Personal Data Protection Bill. Next, it will need broader public consultation to obtain the aspiration and participation from public about the contents and materials regulated by this law.

Seeing its content, the Bill regulates a number of materials related to personal data, such as definition of personal data, types of personal data categorised into several qualifications: general and specific, parties being responsible for personal data management, data processing and saving mechanisms, personal data disclosure procedure, and the remedy mechanisms if violations occur. The scope regulated by the law is broad, from population, health, banking and financial, social security data, as well as data collected and managed by private sectors in the digital business framework.

The last issue related to electronic ID (e-ktp) has made the establishment of Personal Data Protection Bill become more urgent. Through the e-ketp project, government has collected almost all types of personal data of the citizens, including biometric special characteristics by retina scanning. In contrast, government cannot explain well about the procedure of managing, processing and saving of the collected personal data. Presidential Regulation No. 67/2011 as the reference of the project does not even regulate the personal data protection related to e-ktp. Furthermore, this project has been made the land of corruption by many actors in the government, parliament, and the involved private sectors. This surely puts us in concern on our collected personal data.  [ ]