JAKARTA - The United States government's request for personal data from Indonesia, made in the context of trade cooperation between the two countries, has sparked concern from a number of parties. Alva Erwin, an observer and Artificial Intelligence and Big Data practitioner, believes that the request must be handled carefully and must not violate the personal data protection principles set out in Indonesian law.

According to Erwin, there has so far been no official clarity from the Donald Trump administration on the details of the personal data request in question. However, he pointed out that Indonesia already has the Personal Data Protection Law (UU PDP) Number 27 of 2022 as its main legal umbrella, although the implementing regulations, in the form of Government Regulations (PP) and Presidential Regulations (Perpres), have not yet been issued.

"The PDP Law takes its direction from the European Union's GDPR (General Data Protection Regulation). There it is very firm: personal data may not be taken abroad unless that country has adequate protection, meaning personal data protection that is judged sufficient," said Alva, who is also a member of the Board of Expert at the Center of Excellence for AI and Advance Technology at Universitas Trisakti.

He explained that the European Union has a dedicated authority, such as the European Commission, that periodically evaluates other countries and determines whether a country merits adequate protection status. If a discrepancy is found, this status can be revoked at any time.

Erwin said that Indonesia also needs a similar body empowered to assess whether a country, including the United States, is fit to receive the personal data of Indonesian citizens. Without derivative regulations and an institution to conduct these assessments, Indonesia could violate its own data sovereignty.

"If there is no adequate protection, it should not be submitted. So it is necessary to immediately create an official authority that can assess and establish the status of personal data protection for other countries," he said.

Although the US government could argue that the data requests are made for business purposes, such as customer service or trading system needs, Erwin stressed that user consent must not be ignored. Even when users voluntarily provide their data when registering for services, there must still be restrictions on how that data is managed and distributed across countries.

He also mentioned that the ITE Law and its derivatives are already more advanced in regulatory terms, especially through Government Regulation (PP) Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions (PP PSTE), which requires domestic data storage. Meanwhile, the PDP Law, which should be the main reference, does not yet have implementing regulations.

"This momentum must be used to accelerate the issuance of derivative regulations from the PDP Law so that our data protection system runs optimally and efficiently," he said.

Responding to the possibility of US requests, Erwin also emphasized that the public has the right to know what type of data is being requested and for what purpose. The issue must not be allowed to create noise or confusion in society, because handling it is cross-sectoral and very complex.

"We have to make sure that the request remains in compliance with regulations in Indonesia. Otherwise, it has the potential to violate the PDP Law. So this is not just a technical matter, but also a matter of digital sovereignty and protecting citizens," he concluded.

