Jakarta – 31 January 2020. Data is now more valuable than oil, said Indonesian president Mr. Joko Widodo on Friday (24/1/20). This signals the greater attention the government is giving to regulations concerning data and its application in the policymaking process. However, Indonesia has yet to join the 132 countries that already have regulation on personal data protection (PDP). The discourse on PDP in Indonesia has been ongoing since 2015, and the government is rushing to pass the legislation as soon as possible after the lawmaking process exceeded its 2019 deadline. But what will the regulation look like, and what kind of approach will it be based on? That is the topic of ISD’s discussion on 31st Jan 2020, which gathered academics, government representatives, and businesses.
In general, there are two main approaches to personal data protection law. The first is the comprehensive approach, which covers both the public and private sectors, as exemplified by the EU’s General Data Protection Regulation (GDPR). The other is the sectoral approach advocated by the US, which limits government intervention and lets regulation be formulated independently at the sectoral (private) level.
The EU’s GDPR approach stresses purpose limitation for data controllers, who are responsible for how the data will be used. Most importantly, consumers must give explicit consent to have their data used, and they must be notified of any breach of data privacy. Parties within and outside the regulator’s jurisdiction are also accountable when they breach the data privacy of the regulator’s subjects. The GDPR itself has been followed by many countries, but only Japan, with its Act on the Protection of Personal Information (issued in 2003 and amended in 2017), has achieved the status of GDPR adequacy, which qualifies it for cross-border data transfer with the EU under the GDPR.
The pre-existing regulation (Ministry of Communication and Informatics Regulation 20/2016) was enacted to bypass the lengthy law-making process in the legislative body. This regulation gives room for sectoral regulators and ministries to define their own privacy mechanisms and is hence more in line with the US sectoral approach than with the GDPR. However, whether the future legislation on data protection will use the comprehensive or the sectoral approach is yet to be determined, and based on the ongoing discussions it will incorporate GDPR aspects as well.
One aspect of the GDPR that is going to be incorporated, for example, is the categorisation of data into common private data and specific private data (such as health, criminal records, wealth, DNA, etc.). However, which data falls into which category is currently being debated among policymakers. The same data may be viewed differently in different sectors, and what is viewed as specific in one sector can be viewed as public in others (such as criminal records, health, consumption). Conflicts with existing regulation may also arise. For example, medical records are private (owned by patients, and any use must be authorised by their consent), but the document itself is owned by the hospital.
During the discussion, representatives from businesses also voiced their opinions. Some are concerned about the incorporation of GDPR aspects into the law, citing a rigidity that may hamper small businesses that can’t follow the regulation in its entirety. Furthermore, it is also debated whether or not the regulation should encompass all sorts of data – including data held outside IT systems. If this is the case, it will require an entire overhaul of how administrative processes work in Indonesia.
The extent to which the regulation interferes with the free flow of data was also discussed, as cross-border data transfer is inevitable in the digital age. With a large population, Indonesia is a huge source of data that can be used for many purposes – such as medical/patient data for research purposes. How can Indonesia prevent the data from being misused and maintain its sovereignty while at the same time receiving the benefits of cross-border trade?
As the lack of legal certainty and the large room for arbitrary interpretation are themselves common problems faced by businesses in Indonesia, businesses advocate for more precise provisions in the legislation. Furthermore, extensive socialisation must be given to key stakeholders to avoid multiple interpretations, and law enforcers must understand the regulation thoroughly to avoid disputes and prevent vested interests from taking advantage. Therefore, the need to establish an independent commission to oversee the implementation of data privacy is currently being considered.
Lastly, both businesses and academic researchers in the discussion agreed that the proposed 70-billion-rupiah penalty is too high. Even Japan, whose Act on the Protection of Personal Information (2017 amendment) has been declared GDPR-adequate, imposes less than half of that amount.
However, everybody in the discussion agreed on the need to enact the data protection regulation as soon as possible. For businesses, the regulation can provide certainty and ensure consumer trust, thereby minimising disputes. For consumers, the regulation gives a safe space for their private data, embodying chapter 28 of the constitution, under which every citizen’s privacy is a human right recognised by law.