The intensity of the use of digital applications has escalated sharply since the pandemic. This scenario catapulted the selling value of data commodities due to its various benefits for digital economic activity. At the same time, the discourse of overcoming data flow barriers began to emerge.
The authorities take advantage of the momentum of the ongoing legislative process on the Personal Data Protection Bill (RUU PDP) to accommodate the previous agenda into its substance in the hope of creating a new sector to boost foreign exchange. However, the ambition is quite worrying. This is because the issue of data privacy, which should be the main focus, can experience inferiority in the face of economic obsession, as seen in many existing law products.
Personal Data Protection Law in Indonesia
The absence of a personal data protection law is often used as an alibi, if not apology, in various polemics for data privacy violations in Indonesia. But, in fact, we actually already have similar rules even though they are scattered in many laws and regulations; each has its own terms and scope. Not only here, Boyne (2020) mentions that the United States faces a similar problem. At the statutory level regulation, the ITE Law and the Population Administration Law have more or less placed the responsibility for protection (on electronic information; personal data). The first legal product is lined up as the main reference in the governance of the electronic system while the second contains a formulation of obligations—though not specifically—regarding the confidentiality of population data.
Even at the level of implementing regulations, there is a Government Regulation on Electronic System and Transaction Operators (PP PSTE), as well as a Regulation of the Minister of Communication and Informatics concerning Protection of Personal Data in Electronic Systems (Permen Kominfo PDPSE) which is effective in 2016. The latter rule is even said to be quite comprehensive in adopting protection standards in EU PDP derivatives.
Unfortunately, instead of realizing a safe digital ecosystem, since the beginning of its enactment, the ITE Law has turned into a punitive instrument to prosecute netizens’ digital expressions. Various cases of illegal transmission of electronic information are still widely reported and in fact, most recently hundreds of millions of Indonesian population data were reported to be freely sold on the dark web. The existence of the Population Administration Law does not in fact prevent the government’s vulgarity in dealings with providing access to population data for thousands of corporations.
Such an anomaly seems to answer why documents as important as a photocopy of a Family Card can end up being wrap of rice as it went viral recently. Lessons to be learned: the existence of a law does not necessarily guarantee optimal protection; how to make sure similar incidents will not be repeated after the implementation of the PDP Law still seems to be a big question mark.
The Effect of Digital Economy Liberalization on the PDP Bill
The latent risks of data commodification and exploitation come out as a glaring argument as to why data processing and traffic need to be limited. The majority are not aware that the various conveniences offered by digital applications are in fact not free. User data becomes a bartered exchange rate; armed with the collected data sets and the help of artificial intelligence, consumer behavior can always be engineered and even manipulated by the collectors.
Therefore, in practice there are two types of policies to impede the data flow. First, the restriction policy; that data can only be transferred to a destination country that has privacy protection standards equal to or better than the country of origin. Second, the need for data localization; for example, strategic data can only be placed within the country.
The attitudes of the countries were divided. China, for example, tends to choose protectionist policies, such as localization of sensitive data, to protect national interests; while the home countries of giant IT corporations like the United States tends to want concessions in the form of self-regulation in the name of full commitment to free trade. For digital industry players, the localization policy will increase the cost of building new data centers so they tend to avoid it.
On the other hand, delays in discussing the PDP Bill have made Indonesia lose its peak momentum to formulate the best material. Now, the banging power expected in the PDP Bill has begun to be dictated by the dynamics of international level negotiations which have recently led to additional easing of cross-border data flows. In the region of origin of the best PDP pilot projects such as the European Union, for example, stakeholder resistance has begun to emerge due to declining revenues after two years of the GDPR being implemented.
From the proposals submitted by Indonesian representatives at the 2019 G20 meeting, Indonesia’s stance clearly supports the free flow of data and reciprocal treatment in the context of ‘economic collaboration’. The motive is implicit in the Minister of Communication and Information’s reasoning that the decision will attract ‘billion-dollar businesses’. Apart from being a factor slowing the pace of the PDP Bill legislation process, the government’s reluctance to lose the prospect of monetization is also a disincentive on efforts to maximize privacy protection. This is because in terms of profit maximization, policies such as strategic data localization are certainly not a ‘productive’ option. The signal in that direction has appeared in the revision of the PTSE PP in 2019 yesterday; the government which was initially quite protectionist in recent years began to soften, opening up to the option of a free-flow cross-border data policy for strategic data storage.
Practically, the inclusion of the liberalization agenda makes some parties doubt the government’s commitment to truly protect the privacy rights of data subjects. Because it encourages privacy and loosening the flow of data are two policies that are instinctively opposites. One side requires minimal data processing (even if it is based on the consent of the data subject), while the other side requires the flexibility of transfer or placement on behalf of the consensuality of the data owner and controller. In the case of the PDP Bill, economic ambition should be the number two theme after data subject privacy is truly guaranteed.
PDP Regulatory Reform
Many parties accept the PDP Bill as a solution considering the current regulations are inadequate. This need is also the result of the ‘Brussels effect’ after the GDPR became effective in 2018. The urge of civil society to immediately ratify the PDP Bill is understandable because, in addition to the existing regulations not being able to respond to the increased risk, the current number of regulations also makes it difficult to navigate for the search of the relevant legal basis. Due to this uncertainty, a comprehensive legal product such as the PDP Law is increasingly needed as a reference.
However, the big unanswered issue is why with the existing stack of regulations the protection of privacy data is not effective. Regulation life cycle reviews can be used to detect where things went wrong and evaluate them. This step is crucial because the success of a law is not only measured by the presence or absence of legal substance, but also from the dimensions of structure and culture. It is possible that the failure was not due to the absence of adequate PDP regulations, but rather the result of incompetent enforcement and supervision functions being carried out.
Moreover, in the light of regulatory reform, the addition of regulations does not always address the legal needs of the community. Not to mention, in the case of the PDP Bill, the substance will add new rules that are relatively similar to existing regulations. Even from a budget perspective, the phenomenon of overlapping regulations often burdens policy costs. Thus, the big challenge is how to ensure that with the substance of the PDP bill that we are waiting for, the policy can be implemented effectively according to the design of privacy protection best practices.
However, from a series of recent legislative controversies, the public has reason to be pessimistic. Many draft laws and regulations are eventually distracted by the superiority of other agendas beyond their initial interests. Don’t let the PDP Bill repeat the same mistake because it legitimizes new scenarios on top of the need for privacy protection.
Researcher at Pusat Studi Hukum dan Kebijakan
Email : [email protected]
