Like the steam engine of the first Industrial Revolution, data is the main fuel of the fourth industrial revolution. The data market has developed so rapidly over the last three decades supported by increasingly efficient data storage and the rapid development of data processing techniques. In the meantime, digital transformation breaks down the barrier to entry for consumers and producers, so that consumer meetings are not limited by space and time anymore. Consumers everywhere can meet producers (sellers) who are located anywhere.
Indonesia’s Internet economy in 2019 is estimated to reach USD 40 billion, a sharp increase compared to 2015 which was only USD 8 billion. This figure is estimated to soar to reach USD 133 billion in 2025 (Google, Temasek, and Bain & Company, 2019). Currently, people are living in a data-driven consumption era, where individuals become producers as well as consumers of today’s most valuable assets, namely personal data.
For producers, personal data becomes an input for the production process, encourages efficiency in resource allocation, helps create innovation for companies, encourages consumer-oriented products. On the other hand, data is a production asset that needs to be maintained so that the company remains competitive. Data leakage creates costs for companies, both direct costs (detection, notification, and operational costs), indirect costs (consumer reputation and trust), and hidden costs (loss of competitiveness, long-term protection costs). Based on IBM calculation, the average total cost of a data breach is around US$ 3,92 Million, whereas the cost per lost record is US$ 150.
For consumers, when strategically sharing a number of personal data, can get a number of benefits, such as more personalized services, getting information (advertisements) as needed, thereby reducing search costs, and enjoying various innovative products resulting from data management. Hence, personal data security is needed because personal data leakage has the potential to cause costs such as price discrimination and identity theft (Acquisti, Taylor, Wagman, 2016).
With the increasingly central role of personal data in the economy, the security of that data becomes a major issue. Therefore, personal data protection rules are absolutely necessary. As a policymaker, the Government is certainly experiencing a dilemma. On the one hand, the Government wants the role of data as an economic enabler to be as optimal as possible, on the other hand, it is necessary to consider the number of privacy costs incurred.
In order to encourage the rapid development of the digital economy, regulations related to personal data play an important role. During the last few years, the Government has formulated the Draft Law on Protection of Personal Data (RUU PDP) which was signed by President Joko Widodo on January 24, 2020. Currently, there are 32 regulations relating to personal data that are spread across various Ministries/Agencies. The PDP Bill can become a legal umbrella for all of these regulations.
In the context of economics, the rules for protecting personal data basically have two advantages, which are the signal effect and the consumption effect. The existence of rules is a signal to consumers that their data is protected, thereby increasing confidence in using online services. Meanwhile, the consumption effect is when the confidence is ultimately an encouragement for consumers to transact through cyberspace.
However, when not formulated optimally PDP has the potential to have negative implications for the economy. First, the Indonesia PDP Bill makes aggregate, encrypted, and pseudonymous data as personal data, this has the potential to reduce the analytical ability of data. Second, the Indonesia PDP Bill enforces only explicit consent, which has the potential to reduce the potential of the online market. Basically, the data owner has the choice to accept or reject the consent. On a number of occasions, data owners do not know what the data was collected for and what the consequences are. This, in turn, has the potential to make data owners eventually withdraw from the market
Third, the PDP Bill imposes 17 obligations on data controllers, from the obligation to ensure accuracy to data deletion, which has the potential to increase compliance costs. Some of them are set with a relatively short period of time, which is between 2-7 days of completion, compared to the GDPR which still provides 30 days. Fourth, regulatory rigidity in the Indonesia PDP Bill has the potential to disrupt the existing competition balance. Large companies certainly have the technical, financial, and human resources capabilities to comply with personal data protection regulations, but not with smaller companies. This may serve as a new barrier to entry.
Regarding Indonesia’s PDP Bill, ISD Council has several recommendations. First, Article 10 of the Bill states that data subjects have the right to object to decision-making actions based solely on processing. The current draft will limit automatic decision-making for security and other purposes that benefit automatic data subjects regarding a person’s profile. It is more feasible if the Personal Data Owner has the right to object to the decision making which is based solely on automatic processing of a person’s profile (profiling) which has legal consequences or similar to the Personal Data Owner concerned.
Second, Article 35 requires data controllers to “guarantee the accuracy, completeness and consistency” of personal data. In order to achieve this, this bill requires data controllers to carry out “verification”. This requirement is unlikely to be fulfilled because there is no way for any data controller to be sure that every piece of personal data they collect is 100% accurate, complete and consistent. This is not in line with the OECD data minimization principle and creates more data collection. It is more feasible if Personal Data Controller provided the means for the Personal Data Owner to correct any incorrect, incomplete, and/or inconsistent.
Third, data breaches should be should only be given if failure to protect personal data causes a significant negative impact. The limitation of the significant negative impacts can be regulated in a derivative regulation of this law. Last but not least, The flexibility of the time frame in terms of notifications, stopping processing, granting access, updating data, or being able to follow the GDPR standard, namely 30 days extended to 60 days.