Rules On Personal Data That Unfortunately Do Not Exist In Indonesia
Mastering personal data is controlling money. We have discussed this in "Who is the Master of Personal Data and Why It is Important to Master it". Through this article we will find out, is it true that there aren't any rules regarding personal data on the internet? Continued from VOI's signature Series, "No Privacy for Personal Data".
JAKARTA - In today's digital era, whoever manages to master data will be the winner. Such an expression may be familiar. Especially with the very rapid development of information technology through the presence of the internet.
In fact, it can be said, many people today are very dependent on the internet. Quoted by The Guardian, in a day there are at least 5 exabytes (one million terabytes, in terms of data) information going in and out via the internet. That amount is equivalent to 40 thousand films with a duration of two hours per second.
Then who can control the data traffic in cyberspace, especially the many digital activities carried out by modern humans today. Personal data is even referred to as new land commodities that exceed oil yields.
In comparison, one minute on the internet, the amount of digital activity that occurs will be the same as 156 million emails, 29 million messages, 1.5 million Spotify songs, 4 million Google searches, 2 million minutes of Skype calls, 350,000 tweets, 243,000 photos uploaded on Facebook. , 87,000 hours of Netflix, 65,000 images uploaded to Instagram, 25,000 Tumblr posts, 18,000 matches on Tinder, and 400 hours of video uploaded to YouTube.
According to technology company Cisco, the world community has become a part of internet traffic and they are all consumers. They spend their time online accessing digital sites or platforms, such as YouTube, Netflix, and maybe some of them accessing pornographic sites.
"The shift in the world that is increasingly digital causes the value of data to increase. Data is the most valuable commodity on earth today. In the past, black gold, oil. Now, the big ten (on Wall Street) is the average IT company. Oil companies are displaced. So, defacto, data is the most valuable commodity, "said cybersecurity expert Alfons Tanujaya.
At first glance, this internet traffic is neither guarded nor guarded. A very complex activity to describe one by one someone's data in the digital world. Moreover, the internet is a new world that can be accessed without borders or borderless.
In fact, with current technological developments, the Google search engine site only controls 60 percent of the global internet market. With details of nearly 2 billion web sites spread and only 0.1 percent (about 5 million) visited by internet users.
The complexity of data traffic is what makes most people, both countries and companies active on the internet, trying to protect their respective businesses. The reason is, anyone can without permission use or process data that is scattered on the internet.
General Data Protection RegulationSince April 2016, the European Union has successfully completed the General Data Protection Regulation (GDPR) or a general rule that regulates internet activities. The regulation, which was being deliberated for four years, contains a number of rules to regulate how internet companies, whether operating in Europe or not, treat data belonging to EU citizens.
Like it or not, the GDPR has an impact on the business climate around the world. GDPR binds stakeholders - in the context of digital technology activities - in all EU member territories, including organizations outside the European Union that wish to provide services or goods are required to comply with the GDPR.
There are four main points presented in the GDPR. First, the GDPR defines personal data as a marker for every individual on the internet. This means that every company operating in the European Union is obliged to protect individual data on their systems.
If a data leak occurs in the future, the company has a maximum of 72 hours to resolve the problem. Second, internet companies are required to give complete freedom over control of data belonging to their users originating from the European Union.
"EU citizens have the right to allow, partially allow or disallow their data to be used by internet companies," one of the points on the GDPR.
Third is the right to be forgotten. This right allows EU citizens to erase all digital traces of their property from the internet companies they use. Fourth, EU citizens are also empowered to have the right to data portability, that is, data that is formatted to be easily read on a computer machine.
In addition, through the GDPR, internet companies are required to create a system that protects EU citizens' data, namely "privacy by design", which means that their system has indeed been designed to provide maximum protection. If the GDPR rules are violated, internet companies can be subject to sanctions in the form of fines of up to 4 percent of global revenue.
In simple terms, the GDPR introduces new rules that will affect the internet business model. This is because the internet industry is closely related to the processing of this information and regulatory data, specifically protecting a person's personal data in cyberspace.
Unlike Indonesia, there are at least more than 30 laws that regulate partial protection of personal data. One of the main references at this time is Law Number 11 of 2008 concerning Electronic Information and Transactions (UU ITE) and its two implementing regulations.
The two regulations are PP Number 82 of 2012 concerning Implementation of Electronic Systems and Transactions (PP PSTE) and Permenkominfo Number 20 of 2016 concerning Protection of Personal Data in Electronic Systems (Permenkominfo for Personal Data Protection).
Indonesia is quite late in understanding the importance of protecting personal data for its citizens on the internet. Operators and regulators in this country do not explain in detail who the parties are responsible for ensuring the protection of personal data and who manages the data.
There are terms 'controllers' and 'processors' which are responsible for implementing sanctions for those who neglect to protect and protect the personal data of their citizens. In the European Union, the GDPR established The European Data Protection Board or a special institution that is tasked with overseeing the implementation of personal data protection rules.
Meanwhile, Indonesia does not have a special institution that will oversee the overall protection of personal data. Each agency or ministry has sectoral authority in protecting the information data it obtains.
If the cases of data leakage in Indonesia occurred in developed countriesA series of cases of personal data leakage have occurred in Indonesia. In fact, it was not until the last two months that more than hundreds of millions of personal data from the Indonesian people were leaked in underground forums.
The data is traded without the knowledge of the owner. For example, the leakage case of 90 million Tokopedia user accounts, then the alleged leakage of KPU website data, and finally 819.96 CreditPlus customer information.
Of course this is the main problem for Indonesia, which until now has not had a legal umbrella that can force electronic service providers to fully secure their data. So that the current public information data can still be exposed easily.
In this case, the state is obliged to have the responsibility to accelerate the discussion of the Personal Data Protection Bill. Later in the law it should be stated that any electronic transaction system service provider (PSTE) that does not secure public data can be sued for compensation and brought to court.
Cybersecurity observer from CISSReC, Pratama Husada, said that one of the most likely references to be applied in the current legal rules for protecting personal data in Indonesia is the General Data Protection Regulation (GDPR). Every data that is collected must be secured with encryption. And if proven negligent, the service provider could be subject to prosecution of up to a fine of up to 20 million euros or the equivalent of IDR 346 billion.
"You can imagine if KreditPlus is abroad, it could be subject to negligence articles in the GDPR. It is the same as the data leakage incident that has occurred in the country before," explained the man who is also a graduate lecturer at the State Intelligence College (STIN).
This is very different from administrative sanctions and criminal sanctions for electronic system operators who do not fulfill the right to protect personal data in Indonesia. Although there are still opportunities to receive compensation that can be filed in a civil suit for the losses incurred.
However, adopting the GDPR in the Indonesian legal framework cannot be done just like that. Citing Prof.'s interview. Jovan Kurbalija, Executive Director of the UN Panel on Digital Cooperation by Tirto, adopting the GDPR is perhaps the most effective way to provide personal data protection for citizens.
However, from various aspects and technological points of view, a country cannot simply follow a personal data protection policy without carrying out checks and balances of the regulations that will be made.
"In Europe the GDPR rules were born because of their history, including the history of World War. Personal data is a sensitive issue in Europe," he said in the interview.
According to him, Indonesia cannot simply follow data protection policies that have been implemented by other countries. Indonesia needs to understand how people view this issue from various perspectives, between focusing on digital economic growth or balancing it with data protection.
Follow the Writing of this edition of Series: No Privacy for Personal Data