Ever since Indonesia’s members of parliament introduced a personal data protection bill as part of the national legislation program in 2019, there has been an ongoing debate about the positioning of the regulatory body meant to oversee matters related to the security and privacy of the country’s internet users.
There are two sides to this debate. The IT ministry proposes that the personal data supervisory authority should be a wing of its organization, while most members of parliament believe the regulator should function independently, like the Indonesian financial authority (OJK) and the corruption eradication commission (KPK). With neither camp budging, the discussion is being extended, according to a decision made during a plenary meeting held at the end of September.
The government’s original plan was to pass this bill into law by the end of 2021, but the extension will push its passage to a later date. The parliament will meet in November and discuss the rights of individuals who generate data, the obligations of entities that handle that data, and the sanctions that will be levied if user data is mishandled.
The IT ministry argues that if the supervisory authority for personal data is under its management, then regulatory decisions related to personal data will be shielded from external influence, especially in investigations of data breaches involving government agencies.
Teguh Aprianto, a cybersecurity consultant and a founder of Ethical Hacker Indonesia, believes that the country needs an independent authority for personal data protection, given the many high-profile data breaches that occurred in the public and private sectors in the past two years. “Investigations of these cases are progressing slowly. The IT ministry and National Cyber and Encryption Agency only take action when a case has gone viral on social media. I don’t think they are competent enough [to handle these investigations], let alone bear a bigger responsibility as a supervisory agency,” he told KrASIA.
The IT ministry argues that a number of countries have successfully established their own data protection authorities under their respective IT ministries, including Singapore with its Personal Data Protection Act (PDPA). However, the PDPA only applies to data harvested, utilized, and maintained by private sector organizations.
Meanwhile, members of the Indonesian parliament and IT experts say their proposed regulatory body should supervise state institutions as well, considering that there are many government agencies that collect citizens’ personal data, including the country’s healthcare and social security agency BPJS, the health ministry through its electronic health card (eHAC), and the general election commission (KPU). These institutions’ servers have been hacked, resulting in millions of citizens’ data being leaked online.
Aprianto is worried about a potential conflict of interest if the authority is under the jurisdiction of the IT ministry. “We haven’t seen any transparent report on recent investigations like cases involving BPJS, Tokopedia, and more,” he said. Aprianto added that a number of countries already have independent regulatory frameworks for personal data, such as the European Union with its General Data Protection Regulation (GDPR).
Nailul Huda, a digital economy analyst at the Institute for Development of Economics and Finance (Indef), said that both ways of organizing Indonesia’s data regulation have weaknesses. “While an independent institution will be free from government interests, it will still have a bureaucracy element, considering that its commissioners will be elected by the parliament, just like KPK and KPU. The decision-making and selection process could take a long time,” Huda told KrASIA.
Meanwhile, the ministry might be able to form the authority in a quicker manner, he added. In addition, it will wield strong political power, especially against foreign influence, considering that the tech sector is packed with many foreign companies and investors. “I think if the authority will be independent, its members or commissioners should consist of both expert groups and people from the government, so the authority will have both strong governance and political elements,” said Huda.
Touted as the “new oil,” data is a valuable asset that gives tech companies references to create products and services for their customers, in turn generating massive profits. Consumers have little control over their personal data that is handed to or mined by these companies. With the rapid development of technology, governments around the world are defining strict regulations to protect their citizens’ personal data—a fundamental right of every individual. In August, China passed a new personal data privacy law that will come into effect in November. Its creation is part of a broader regulatory crackdown on the country’s tech sector.