Swift in Natural Disasters, Sluggish in Digital Disasters
JAKARTA - Although it did not declare national disaster status, the government under the command of President Prabowo Subianto moved swiftly, or "sat set", in dealing with the impact of the flash floods and landslides that hit Aceh, North Sumatra and West Sumatra. Coordination across ministries, and even with the DPR RI, ran smoothly in the face of the natural disasters in Sumatra.
Unfortunately, the swiftness the government and the DPR showed in dealing with the impact of natural disasters is not visible in anticipating another kind of disaster, namely digital disaster. Without intending to underestimate the impact of the natural disasters in Sumatra, the impact of digital disasters, especially the leakage and misuse of personal data in Indonesia, feels like it will also be 'terrible' for the community.
Consider the Indonesian Cyber Security Forum 2024 report, which revealed that more than 2.3 billion personal data records, allegedly belonging to Indonesian citizens, have circulated on various dark forums in recent years. In 2023 alone, around 409 million records were leaked from a number of services, including BPJS Health, PLN Mobile, and a number of major e-commerce platforms.
Data from the Community Study and Advocacy Institute (Elsam) in January 2024 also stated that at least 668 million personal data records were spread from six major digital platforms. The leaked data ranges from identity numbers, family card numbers and transaction history to biometric data. The latest case involved KAI Services employees misusing the personal data of a train passenger.
In fact, Indonesia already has Law Number 27 of 2022 concerning the Protection of Personal Data (PDP Law), which was enacted on October 17, 2022 and came into full effect on October 17, 2024 after a two-year transition period. A member of Commission III of the Indonesian House of Representatives, Bambang Soesatyo, said the high rate of data leakage shows that Indonesia faces a serious threat to the digital identities of hundreds of millions of citizens.
According to him, the PDP Law will not be effective in addressing the rampant leakage and misuse of personal data as long as the government has not formed an independent Personal Data Protection Agency as mandated by the PDP Law. Although the PDP Law has provided a strong legal basis, its implementation still faces various obstacles. Without an independent supervisory agency that has clear authority and is free from intervention, supervision and enforcement of the rules are considered difficult to carry out optimally. "Supervision cannot be effective without an independent agency prepared to carry out the functions of supervision, mediation, and administrative enforcement," added Bambang.
He assessed that the very high data leakage rate after the PDP Law was passed shows a serious imbalance between the expectations set by the norms in the Law and their implementation in the field. This situation is believed to arise, among other things, because there is still no independent supervisory authority. The politician from the Golkar Party Faction regretted the slow formation of an independent supervisory authority even though the PDP Law is already in force. Until now, the institutional structure of the authority is still being discussed internally, with no certainty about its formation.
Bambang urged that the PDP institution be formed immediately, with the authority to independently supervise, mediate, and carry out administrative enforcement. This authority must also be free from interference, have a strong technical structure, and be transparent to the public. "Without it, the PDP Law is unable to provide effective protection," he said.
A coalition of 29 civil society organizations that are members of the Digital Democracy Resilience Network (DDRN) also urged President Prabowo Subianto to immediately guarantee citizens' privacy rights by establishing the PDP institution and issuing the PDP Government Regulation as a derivative regulation of the PDP Law.
The DDRN coalition emphasized that the two instruments should have been in place since the PDP Law came into full force on October 17, 2024. The absence of the PDP institution and the derivative rules has created a legal vacuum in the processing of sensitive data. This situation leaves citizens with nowhere to seek accountability when their personal data is violated. "Without the PDP institution and the PDP PP, the public is left to face personal data violations without clear complaint mechanisms," the DDRN said in a written statement.
Audits and Standards Checks Needed for Personal Data Management
Meanwhile, Deputy Minister of Communication and Digital, Nezar Patria, revealed that the PDP institution has not been formed because drafting the derivative rules of the PDP Law involves around 200 articles. "The PDP institution is being harmonized again, it is being discussed again because there are many articles, more than 200 yes. So it has to be seen one by one and we hope it can be completed soon," he said.
The Secretary of the Directorate General of Digital Space Supervision of the Ministry of Communication and Information Technology, Mediodecci Lustarini, added that the derivative rules of the PDP Law, which will take the form of a government regulation (PP), are entering the final stage, including the establishment of the PDP institution. "The draft Presidential Regulation is in the stage of inter-ministerial harmonization. This coordinator of the harmonization process is the Ministry of Law with the initiative of the Ministry of PAN RB (Ministry of State Apparatus Utilization and Bureaucratic Reform), because this form is the institution yes," he explained.
He said the derivative rules of the PDP Law, which will take the form of a PP, are now in the final stage before the draft government regulation (RPP) is enacted. This PP will later become the implementing regulation of the PDP Law. "The current position is that harmonization is completed and the Minister of Communication and Digital has sent it to President Prabowo Subianto through the Minister of State Secretary (Mensesneg). So we just wait, hopefully in the near future it can be enacted if there are no concerns (issues) that must be discussed again," he added.
Cyber practitioner Alfons Tanujaya of Vaksincom stated that the leakage and misuse of personal data, including the latest case committed by an employee of KAI Services, is the tip of the iceberg of careless, non-standardized data management, and shows that the PDP Law has not effectively protected the personal data of citizens.
According to him, this sloppy data management allows the public's sensitive data to be easily hacked, accessed and misused by anyone. He therefore asked the Ministry of Communication and Digital and the National Cyber and Information Agency (BSSN) to step in immediately and conduct a thorough audit to check whether data management meets standards, at a minimum ISO 27001.
"If, for example, someone does not meet it, it is true. That is the most important thing. We do not care about punishment. But if it has not been implemented for years and has not been carried out properly, yes, give sanctions," said Alfons.