The Personal Data Protection Bill has not yet been enacted into law, what’s wrong?
Misuse of personal data for the benefit of economic activities, trade and education is increasingly being felt by the community, especially in the era of the economy migrating to the digital economy. The paradoxical situation is that the digital economy era is characterized by frequent data leaks, thus making Indonesia in an urgency to improve the personal data governance ecosystem because cases of personal data use are increasing. Therefore, the state must be present to provide protection for all citizens by providing protection of personal data through the Personal Data Protection Act (PDP) which needs to be ratified immediately. Currently, there are 126 countries that have statutory-level regulations regarding PDP. Out of 180 countries, Indonesia is one of the countries with the largest internet users without regulations.
Previously, the Ministry of Communication and Information and the Indonesian House of Representatives had agreed substantially and conceptually on the urgency of the presence of the Personal Data Protection Law (UU PDP) in Indonesia. This urgency is increasingly felt, especially during a pandemic, where electronic transactions become the main transaction which is motivated by filling in personal data before making certain transactions, so that protection is absolutely necessary as the state guarantees the data security of its citizens.
According to the author, there are a number of substance problems that have caused the Personal Data Protection Bill (PDP) to have not been ratified, because there are still a number of unfinished discussions, particularly regarding a number of issues/main issues, including: first, the Government to establish an independent data protection agency, who are not from groups that control or process personal data, so that the competence and accountability of the agency becomes authoritative and trusted by the public.
Second, there are 2 (two) weaknesses that are the source of the occurrence of personal data violations, namely the absence of a clear concept of norms in the PDP Bill due to the various definitions of personal data. regarding protection.
There are 46 sectoral regulations related to personal data, including the Minister of Communication and Informatics Regulation Number 20 of 2016 concerning Personal Data Protection in Electronic Systems which are considered unable to be implemented across sectors and there is no rigid/definitive mechanism related to data sharing between Ministries/Agencies.
Third, there is a debate about the data protection commission and the segregation of personal data which can be sold and closed, which has the potential to cause a “deadlock” in the discussion of the PDP Bill.
Indonesia already has regulations in which there are articles that regulate the protection of personal data. There are approximately 14 laws in Indonesia that have these articles but until now there has not been a comprehensive legal umbrella discussing the protection of personal data. This causes these regulations to be sectoral in nature, and also have different understandings or definitions related to personal data, resulting in increased cases of data leakage. Juridically the Draft Law on Personal Data Protection is a state obligation through the constitution regulated in Article 28G and Article 28J of the 1945 Constitution. The Personal Data Protection Law can be a solution as an important legal umbrella to protect individuals related to personal data in order to create a digital space safer for Indonesian citizens. Therefore, the regulation in the PDP Bill is needed to realize a more holistic legal instrument. The PDP Bill regulates the types of personal data, personal data subjects, obligations to control personal data, data processing, and data transfer, including regulations regarding sanctions, dispute resolution, international cooperation, and the role of the government and society in the PDP.
Regulations regarding the protection of personal data are considered not effective enough because they are still scattered in several sectoral settings so that they do not provide optimal protection, but such protection also needs to take into account the position of the state through state institutions/institutions which also act as regulators, facilitators and users. Substantively, the PDP Bill also has the potential to intersect with the wiretapping authority possessed by certain K/L based on the attribution of authority by laws attached to certain state institutions.
Many people think that the Indonesian government has not provided socialization and education for citizens to protect personal data so that citizens’ awareness about personal data protection has not been formed so that it becomes a supporting factor for the widespread theft of personal data. This misuse of personal data will have an impact on Indonesia’s political stability, namely the potential for exploitation of personal data in general elections in Indonesia. This is because in the 2019 and 2020 elections, the use of data for politics, including profiling, especially social media, has increased, so the potential for data exploitation for political purposes will also increase.
There are several impacts if the PDP Bill is not ratified for too long, including: first, Indonesia as a country with the fourth largest number of internet users in the world in 2021, with internet access users reaching 202 million people or 73% of the 274 million population in 2020, is one of the largest digital transaction market shares that are vulnerable to data theft. The enactment of the PDP Law can provide direct benefits to economic value, including guarantees of legal certainty and security of financial transactions as well as data protection.
Second, the existence of an Independent Supervisor who becomes the central point of personal data protection needs to be established so that it is able to gain legitimacy not only from the Government but also from the private sector. Meanwhile, the existence of such a supervisory agency may be attached to the function of the Central Information Commission (KIP) or the Indonesian Broadcasting Commission (KPI) in order to carry out the mandate of the PDP Law, before being established by the Government and filled by Commissioners who are able to work professionally and with integrity in providing oversight of security and safety. personal data protection.
Third, the leakage of personal data is due to the weakness of the Indonesian government’s cybersecurity system. Not only that, the absence of regulations that regulate and protect is also accused of being the cause of the rampant theft of personal data. The absence of this regulation makes state and private institutions tend to be careless in managing personal data because they cannot be prosecuted when there are cases of hacking and data leakage.
Regarding this serious problem, according to the author, the President can immediately order the Ministry of Law and Human Rights, the Ministry of Communication and Information, BSSN, KIP and KPI to oversee the PDP Bill as a priority agenda to maintain the security and sovereignty of national data in accordance with the rules and norms of the Act. In addition, he ordered the Ministry of Communication and Information and the BSSN to be able to identify and take down hoax content and negative propaganda related to the issue of personal data protection in various mass media that cornered the Government and put forward a persuasion strategy on social media related to the PDP Bill.
By : Iwan Kareung – The author is a mass media observer. Lives in Bireuen, Aceh
