Finding a fix for Indonesia’s data protection problems - 360
Arif Perdana, Saru Arifin
Published on December 13, 2023
Addressing data breaches and government surveillance misuse requires a balanced approach that respects national security and individual privacy.
The increasing incidence of data breaches across government and private sectors in Indonesia has underscored the need for stringent data protection protocols.
In 2022, more than 21,000 companies in Indonesia experienced data breaches. The incidents affected critical sectors, including healthcare, finance, e-commerce and utilities, and highlighted widespread cybersecurity challenges for the country’s business operations.
In one notable incident, the healthcare sector encountered significant security breaches due to unauthorised access to the electronic health alert card (e-HAC) system and the Social Health Insurance Administration Body.
In addition to data breaches, the government’s potential misuse of data for surveillance and its risks to privacy have become serious issues. The most pressing concern is use of the data for illegal or unethical purposes (such as suppressing legitimate political opposition or targeting vulnerable communities).
The worry is about more than just losing privacy. It is about the dangers that arise when strong governments control a huge amount of surveillance data, which can lead to abuse of power and erosion of individual freedoms.
Addressing the risks of data breaches and government surveillance misuse requires a balanced approach that respects national security and individual privacy. This means legal reforms,  community vigilance, privacy-centric technologies, alignment with international standards, and promoting ethical practices in government and tech companies.
The active participation of civil society, media and technology companies is critical. By adopting these measures, Indonesia can forge a more transparent and accountable surveillance framework that better respects individual privacy.
The Personal Data Protection Law, or Act No. 27 of 2022 (UU PDP), is a significant advancement in this respect. There are still uncertainties, however, surrounding its execution, particularly with regard to the legal classification of data breaches.
Despite this, the law provides a broad provision stating that individuals whose data has been compromised have the right to take legal action against the data processor and seek compensation. It is not yet clear whether this law aligns with the European Union’s General Data Protection Regulation (GDPR) approach, which is mainly civil and allows individuals to assert their rights in civil court. The GDPR, which took effect in May 2018, is a comprehensive data privacy law that has significant implications worldwide. It sets stringent requirements and threatens substantial penalties for non-compliance.
The UU PDP does not measure up to the GDPR concerning penal measures for intentionally unlawful data processing and failure to adhere to directions from supervisory authorities. These aspects of the law require clarification to evaluate its overall effectiveness and scope.
Additionally, the UU PDP has expressed reservations regarding the practicality of implementing the required authority (namely, the Personal Data Protection Authority/PDPA), putting forth the notion of intensive governmental supervision and prioritisation.
The PDPA will be established within the President’s office and report directly to the President. According to this interpretation, the President has the authority to obstruct the PDPA’s responsibilities in the functioning of the state on the grounds of serving public welfare.
These doubts are dispelled when considering the limited authorities conferred upon the PDPA. These authorities encompass the formulation of crucial policies aimed at enhancing the protection of personal data, oversight of personal data protection practices, implementation of administrative regulations, and facilitation of alternative dispute resolution mechanisms.
Consequently, the PDPA predominantly wields administrative authority, further reinforced by its distinct law-enforcement competencies. Undoubtedly, it is not nearly as far-reaching as the all-encompassing, independent and resilient personal data protection authority established by the GDPR.
The implementation and enforcement of robust privacy laws similar to the GDPR is critical in Indonesia, so it is important to learn from the GDPR experience and to understand that data protection laws can be complicated and may have both positive and negative implications for innovation.
Legal flexibility is essential, such as adopting a risk-based approach that customises data protection techniques according to the level of risk, from minimal to unacceptable. This flexibility also involves recognising legitimate interests which permit organisations to process personal data without obtaining explicit consent, provided they have a valid business justification that supersedes the individual’s right to privacy.
Furthermore, exceptions for ‘statistical’ processing, which allows for the growth of big data and artificial intelligence, is also crucial. However, the use of sensitive labels requires rigorous justification, as the processing must be absolutely necessary for the benefit of a significant public interest, rather than merely beneficial for narrow interests. Furthermore, these laws are crucial in delineating the boundaries of government surveillance.
Establishing independent oversight bodies is necessary to complement these laws to monitor government surveillance activities. Without independent oversight bodies, there is a greater risk of unchecked, unaccountable government surveillance. Furthermore, the lack of transparency leaves the public uninformed about the motives and outcomes of surveillance, potentially eroding trust in government actions. Consequently, surveillance initiatives may face increased skepticism and resistance from the public.
Preventing data breaches and mitigating the risks of data misuse also require community involvement. Educating citizens on their digital rights is essential. Public awareness campaigns can effectively convey the extent of these rights and protect privacy.
Additionally, establishing community-based surveillance watch groups can be a vital link between the public and government, overseeing and reporting potential abuse. Equally important is implementing robust protection for whistleblowers who reveal illegal or unethical surveillance practices, as this promotes internal accountability within government agencies.
The role of civil society and the media cannot be overstated in this context. Non-governmental organisations and civil society groups are instrumental in monitoring government actions and advocating for citizen rights. Free and independent media is crucial for exposing any misuse of surveillance powers and holding the government accountable. Public protests and advocacy campaigns can effectively push for policy change and increase accountability.
Technology also offers solutions for enhancing privacy. Promoting privacy-enhancing technologies, such as encryption and anonymising tools, can protect individual communication and data.
Other technologies that can play a significant role in preventing data breaches include multi-factor authentication, firewall systems to block unauthorised intrusions, intrusion detection systems to monitor network traffic, secure cloud storage solutions, and regular software updates to address security vulnerabilities.
Collectively, these tools enhance cybersecurity and reduce the risk of unauthorised data access. Moreover, government agencies should be encouraged or mandated to adhere to data minimisation principles, collecting only the data essential for a defined purpose and retaining data no longer than necessary.
International collaboration and alignment with global standards are equally important. Indonesia should align its national surveillance laws with international human rights standards, as set forth by the Universal Declaration of Human Rights (UDHR) and International Covenant on Civil and Political Rights (ICCPR).
Participation in international dialogue (with United Nations bodies, regional forums, bilateral engagements and relevant international conferences and summits) can offer the opportunity to learn from the experiences and challenges of other countries.
Technology companies and data controllers are also responsible for this. Companies handling significant amounts of data should adhere to ethical practices and resist unjust requests for government data. Companies can also collaborate with civil society to develop and promote tools that protect individual privacy.
Arif Perdana is an Associate Professor at Monash University Indonesia, specializing in digital strategy, sustainable digital transformation, and data science and analytics. He is the director of Action Lab, Indonesia.
Saru Arifin has been a tenured lecturer in the Faculty of Law, Universitas Negeri Semarang, Indonesia. He is primarily interested in researching Public International Law, Human Rights Law, Constitutional Law, Law & Technology, and Legislation.
Originally published under Creative Commons by 360info™.