Antonius Alexander Tigor
Information and communication technologies are currently proliferating throughout the modern world. Online users of technology and start-up companies are creating open and global access to information. Indeed, information and communication technologies are transforming the very ways in which we interact with each other, and digitalization within each sector of the economy is leading to various types of data being presented in an electronic format. As a result of this process, digital information is rapidly becoming one of the most valuable assets as we head ever deeper into the information age.
With the emergence of new technologies, the need to protect personal data and personal identifying information has increased considerably and has engendered a growing awareness of privacy across Indonesia. However, the current legal framework which addresses the whole area of data protection was only formulated at the ministerial level, eventually leading to the issuance of Ministry of Communication and Informatics Regulation No. 20/2016.
The House of Representative of the Republic of Indonesia included a Data-Protection Bill as an integral part of its 2017 legislative priority program. Unfortunately, however, as of the end of 2017, this Data-Protection Bill had still not been enacted. This failure occurred against a backdrop of many Indonesian companies struggling to transform themselves into digital businesses fit for purpose in this new information-saturated world. Furthermore, Indonesian start-up companies are starting to pop up with increasing frequency and are attracting capital from investors all across the globe. The goal is for customers and users of these digital and technology companies to ultimately produce information which can be monetized by the companies concerned, thus creating value for their businesses. As such, personal data has become a strategic and valuable asset for businesses and thus requires proper legal protections to be put in place. This is especially important as the amount of data as a proportion of business assets is set to increase exponentially, forcing companies to alter their business models as a consequence.
However, such personal data contains basic and often sensitive information relating to human rights. For instance, an internet user may be unwilling to share specific data with a particular company because of its potential to damage their privacy and the privacy of their family. Therefore, comprehensive data monitoring is likely to be specifically addressed in any Indonesian data-protection act. This is seen as vital, as slow progress is currently being made as regards breaches of data committed across several business sectors. For example, promotional activity undertaken by banks, insurance companies and travel agents often incorporates such data without any approval being granted by the data subject or customer. This phenomenon points to the urgent need for a comprehensive data-protection act which will balance rapidly expanding amounts of information, privacy and the various needs of communication technology.
The European Union has already introduced a set of comprehensive data-protection regulations that will be implemented across all European Union member countries. The General Data Protection Regulations (“GDPR”) are set to be implemented on 25 May 2018 and represent the most complex and comprehensive set of data-protection rules currently in force anywhere in the world. Under the GDPR provisions, transfers of any personal data of European citizens to countries lying outside the EU or to international organizations are permitted only if certain requirements are first met. One of these requirements is that the legal regulatory framework of the so-called “destination country” should meet an adequate level of data protection. From this perspective, the EU acknowledges that technology companies can distribute data to any countries across the world that they choose to and is thus attempting to protect the privacy of European citizens across the globe.
In the light of the GDPR having such extraterritorial powers, any countries who manage the data of EU citizens should familiarize themselves with this regulatory framework. The GDPR allows for data transfers to be undertaken to countries whose legal regimes are deemed by the European Commission to provide for an adequate level of personal data protection. The fact that Indonesia has not yet introduced legislation which protects personal data in this way means that Indonesian parties will have to find ways of transferring data between the EU and Indonesia that fulfill the GDPR principles and yet which do not infringe upon Indonesia’s current legal framework.
Indonesia’s immediate neighbors, Singapore and Malaysia, have already cemented data-protection acts into place. These countries are thus prepared for the ongoing transformation of communication and technology within their borders in ways that will protect the privacy of their citizens whilst also allowing for businesses, investment and innovation to flourish without too many obstacles being placed in their path. It should be noted that Singapore has produced the online store Lazada, while GrabTaxi was founded in Malaysia. The creation of companies such as these thus means that the relevant data-protection acts introduced in these countries have not led to any decrease in terms of creativity and innovation.
In another significant milestone for privacy in Indonesia, the executive and legislative branches of the Indonesian government should look to the Asia-Pacific Economic Cooperation (APEC) cross-border privacy rules system and implement its requirements. Indonesia has been a member of APEC since November 1989, however, to date, the country has been unable to join the APEC Cross-border Privacy Enforcement Arrangement (CPEA) due to its insufficient legal framework as regards data protection. An essential recognition that data flows and data protection are now truly global matters led to the creation of CPEA by APEC in the first place, as flows of information are a fundamental part of doing business within the global economy. APEC members, therefore, recognize the importance of protecting information privacy and maintaining information flows between the economies of the Asia-Pacific region and between APEC economies and their international trading partners.
It should be noted that any Privacy Enforcement Authority or Data Protection Authority which is part of an APEC member economy may participate in CPEA. It is also believed that cooperation in terms of balancing and promoting effective information-privacy protections, as well as the free flow of information throughout Indonesian territory, will be the key to improving consumer confidence and ensuring the growth of electronic commerce. As such, Indonesia should enact a data-protection act in order to ensure that it has a prominent position within APEC.
All in all, it seems clear that there is a pressing need for Indonesia to pass a comprehensive data-protection act into law. There is too much at stake, including a failure to keep pace with the various individual rights that citizens of many other countries are able to enjoy. Indonesia is also falling behind in terms of the general improvements which are being made to the realms of control over personal information and citizens’ privileges, business certainty in the new era of the digital economy, and the enabling of unrestricted transfers of personal data between the EU and Indonesia.
|The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official position of Hukumonline.com
 Antonius Alexander Tigor is a Legal Technology Expert, LL.M in Computer and Communications Law at the School of Law, Queen Mary University of London, and a Chevening Alumni.