Earlier this year, Indonesia joined the ranks of the first four ASEAN countries (Malaysia, Singapore, the Philippines and Thailand) to have enacted laws relating to personal data protection.

On January 28th, Indonesia’s Ministry of Communication and Information Technology announced that the final draft of the Personal Data Protection Act had been submitted to the president of Indonesia.

The PDP Draft Law is now sitting with the House of Representatives and other concerned government officials. The press has been told that the draft law is expected to be enacted this year.

Indonesia’s version of the law heavily resembles the European Union’s GDPR. The draft bill adopts almost all of the data subject rights set out in the GDPR, as well as its general rules on personal data processing.

Some key highlights are:

  • “Explicit consent” from users is mandatory before processing any data that may constitute personal data
  • Response timelines for data subject requests have been clearly defined
  • In case of a breach, all data controllers are obliged to inform the user and the Minister within 3 days
  • In case of non-compliance, the data controller can be subject to fines of between 20 billion and 70 billion Rp or 2 to 7 years of penal servitude, which is quite similar to GDPR penalties

Key Provisions

Some key provisions in the draft personal data protection law are:

  • Personal Data

Any data that is identifiable on its own or when combined with other information, whether directly or indirectly, through electronic or non-electronic systems.

  • General personal data v. specific personal data 

In line with GDPR’s concept of sensitive personal data, the bill clearly differentiates between general personal data and specific personal data. 

  • Data controllers v. data processors 

Data controllers are the parties that determine the purpose of data processing and control it, such as e-commerce platforms. Data processors are the parties that process the data on behalf of the data controller, for example third-party payment system providers.

The draft makes clear that the data controller is legally responsible for any data processing activities, provided that the data processor concerned acts in accordance with the instructions given. If that isn’t the case, the data processor bears full legal responsibility.

  • Prohibition on monetization and/or profiling 

The draft strictly prohibits monetization or profiling of personal data without “explicit consent”.

  • Offshore data transfers 

The draft lays out strict regulations regarding offshore data transfers. An offshore data transfer shall only be allowed if:

  • The receiving party (country or organization) has the same or higher level of data protection than the draft personal data protection law
  • There is a formal contract between the data controller and offshore receiver with due diligence for data protection
  • There is an international agreement between Indonesia and the receiving party’s country. 

How To Protect Your Data Until the Law Is Fully Implemented? 

Recent events in the Indonesian cybersecurity landscape suggest that the law will be in full swing sooner rather than later. But until then, it falls upon users to safeguard their personal data from cyber snoopers and mongers. Here are a few things you can do.

  • Avoid Public Wi-Fi

Public Wi-Fi networks, such as those in cafes and bus stations, are a breeding ground for hackers. Never use them without proper security measures such as a VPN. A VPN masks your original IP address and encrypts your connection, so that others on the same network cannot read your traffic.

  • Keep Your Software Updated

Software updates often include patches for bugs and security vulnerabilities as they are discovered. Make sure that your software, especially the OS, is fully updated.

  • Use Strong Passwords

Use a strong and complex password for your accounts. Ideally, a strong password must comprise at least 7-10 characters, including numbers, symbols, and capital and lowercase letters.

  • Turn Off On-Screen Notifications 

It sounds simple, but this hack goes a long way in protecting your personal data. Disable on-screen notifications for text messages and social media apps to keep prying eyes at bay.

Govt to Expedite the Process Amid Massive Security Breaches 

In light of the increasing impact of security breaches in 2020, the government is expected to expedite the adoption process.

In a recent security breach of an Indonesian government database, the private information of as many as 2.3 million voters was illicitly released on a hacker website. The General Election Commission (KPU) also confirmed the authenticity of the data, which included home addresses and national identification numbers.

Indonesia is the world’s fourth largest country by population, and needless to say, a leak of electoral data can have grave consequences. However, one of the commissioners denied that the leak originated from the commission’s servers. The same data had been legally shared with the electoral candidates and political parties, he added.

Earlier, in June, another alleged breach, this time of the COVID-19 test results of Indonesian citizens, shook the entire nation to its core. On June 18th, a hacker claimed on an online forum to have obtained the test results as well as the personal details of a whopping 230,000 people. The information he claimed to have included names, addresses, phone numbers, ages, and nationalities. The government has denied any incident of such nature, but an investigation has been launched to get to the bottom of the story.

Communication and Information Technology Minister Johnny G. Plate said in a recent interview that the president assigned him some special jobs when he was appointed.

“The first message from him is to ensure data sovereignty and security; secondly, to deal with cyber crimes; and thirdly, to develop the information technology industry,” Johnny G. Plate said.

“We are entering an era where data is an economic resource much more valuable than oil and gas,” he added.

The government is speeding up its work on the bill with the House of Representatives to make up for the “very late move” it has taken, another minister said in a recent interview.

Wrapping It Up

Indonesia is a developing country in the process of digitizing its economy. In the last few years, there has been an unprecedented surge in internet and mobile usage, with rapid development of online portals such as e-commerce platforms. Needless to say, this brings more challenges for the government in protecting citizens’ personal data. With the full implementation of the draft personal data protection law in Indonesia, it is safe to assume that the future seems more secure and private for Indonesians.

Author Name: Anas Baig

Author Bio: With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – SECURITI.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.

[Source: SecurityAffairs / 10.7.]