News Focus

Indonesia in urgent need of law on personal data protection

Indonesia in urgent need of law on personal data protection

Illustration. ANTARA FOTO/Puspa Perwitasari/pras.

Many Indonesians have shown a preference for online shopping ever since the Indonesian Government imposed large-scale social distancing measures to restrict public movement and curb the spread of the novel coronavirus disease, or COVID-19.

Data provided by ADA (Analytic Data Advertising) indicates a 300-400-percent increase in internet usage by adaptive shoppers last March, while internet use by WFH (work-from-home) professionals has climbed 400 percent.

Amid the jump in online shoppers, the Indonesian public was recently shocked to learn about the leaking of personal data of millions of users of e-commerce platform, Tokopedia.

According to some reports, a hacker put up a database containing the personal data of 91 million Tokopedia users for sale on the dark Web for US$5,000. Some reports say the data of 15 million users was breached.

Concerns over personal data safety have been gaining ground since the past several years, especially in view of the numerous credit and loan offers floating around via telephone and random short messages.

Last year, the Home Affairs Ministry, which is in charge of storing personal data of Indonesian citizens, admitted that at least 1,227 institutions, both government and private, have access to data on Indonesian citizenship.

However, private institutions still have to seek permission from the ministry to access citizens’ data, the then home affairs minister, Tjahjo Kumolo, said in July, 2019.

The protection of people's data is regulated in Law Number 24 of 2013 concerning Population Administration and the Minister of Home Affairs Regulation Number 61 of 2015, among others, but there is no strict sanction for any institution found leaking personal data.

Therefore, Sukamta, member of Commission I of the House of Representatives (DPR), has suggested that the Bill on Personal Data Protection (PDP) encompass regulations on obligations of data managers and sanctions for data breach.

He pointed to the recent data breach at Tokopedia while sharing his concerns.

Sukamta stressed that private data managers, such as public institutions and private companies, should guarantee the security of user data. Their cybersecurity system should always be updated and improved by utilizing the best technology.

"The importance of data is akin to oil a few decades ago, or spices in the ancient archipelago, which were believed to be more expensive than gold. In this digital world, data becomes (a) very tempting (source) to mine dollars," he pointed out.

In connection with the Tokopedia data leak, he urged the government, in this case, the Ministry of Communication and Informatics, the National Cyber and Crypto Agency (BSSN), the private sector, and the community, to jointly step up cyber vigil amid the COVID-19 pandemic.

"The Tokopedia (data leak) case is an eye opener and a matter of concern for the cyber world in Indonesia," Sukamta averred.

Meanwhile, Abdul Kharis Almasyhari, deputy chairman of the DPR’s Commission I, and Commission I member Farah Putri Nahlia have urged police to proactively investigate the data breach.

"Tokopedia’s user data leak is a big shame for an IT-based technology company," Farah, a politician from the People’s Mandate Party (PAN), said on May 6, 2020.

The same day, Brig Gen Raden Prabowo Argo Yuwono, spokesperson for the National Police (Polri), said Polri has not received a report on the data leak. Police is still waiting for the public to report it, he added.

Polri will follow up the case, but right now, it is still waiting for the result of an internal investigation by Tokopedia, he continued.

On May 12, 2020, Tokopedia CEO William Tanuwijaya released a message for users of the online shopping platform, explaining efforts taken by the company after the data breach was detected on May 2.

The company is working with the Ministry of Communication and Informatics and the BSSN to investigate the case, he said.

Meanwhile, the Indonesian Consumer Community (KKI) has filed a lawsuit in the Central Jakarta District Court against Tokopedia and the Ministry of Communication and Informatics over the data breach.

KKI's lawyer, Akhmad Zaenuddin, in a written statement on May 7, 2020, said Tokopedia's negligence was the reason behind the leak.

In line with existing laws, personal data is confidential and must be stored, maintained, and protected.

The state necessitates that every party that obtains personal data maintain confidentiality and protect the personal data and privacy of citizens conducting electronic transactions.

KKI chairman David Tobing also expressed regret over Tokopedia not divulging details of the data that was stolen and mishandled by a third party.

The Communication and Informatics Ministry is also facing legal action over its alleged ineptness in supervising the implementation of the electronic system to prevent the data breach.

The ministry is tasked with controlling, inspecting, tracking, and securing personal data, in line with Article 35 and paragraph (1) of Government Regulation (PP) Number 71 of 2019.

Minister of Communication and Informatics, Johnny Plate, had earlier spoken of his ministry having formed a team with the BSSN and Tokopedia to evaluate the data breach at the e-commerce platform.

BSSN ensures the protection and security of personal data of Indonesian citizens, according to the agency's director of Digital Economy Protection, Anton Setiyawan.

"If an e-commerce platform applies customer-oriented protection, the BSSN protects all Indonesian citizens. Regardless of being requested or not, the BSSN will ensure the protection and security of Indonesian citizens' personal data," he noted in a statement on May 13, 2020.

The BSSN is closely monitoring cybersecurity in the digital economy sector comprising 2,218 startups, four unicorns, one decacorn, and 227 fintechs, he remarked.

As no one has been held responsible for personal data breaches so far, Center for Indonesian Policy Studies (CIPS) researcher Ira Aprilianti has urged the DPR to pass the Bill on Protection of Personal Data into law.

In wake of the COVID-19 pandemic, a law that protects personal data is deemed urgent, since many people prefer to shop online, she pointed out.

Misuse of personal data stored by e-commerce service providers is quite common. In several cases concerning fintech companies, consumer data is disseminated and traded without the customer's consent, she said.

Currently, 32 laws and regulations on personal data protection exist, and their implementation and supervision lie in the hands of various ministries and institutions. However, there is lack of coordination in the implementation of the laws and regulations, and absence of sanctions against data breaches, she added.  

 Related news: Tokopedia CEO writes to users on personal data leak
Related news: KKI sues Tokopedia, Communication Ministry over data breach


Comments