Because Personal Data Protection Cannot Be Based On A Commodity Perspective
Ilustrasi (Ilham Amin / VOI)

We have seen what the GDPR is and why the rules adhered to by the European Union are ideal through the article "Rules on Private Data which Unfortunately Doesn't Exist in Indonesia". Now, we look at the draft regulation that is being drafted by the government, the Personal Data Protection Bill (PDP). Continued article VOI's signature Series, "No Privacy for Personal Data".

"We must be prepared to face the threat of cyber crime, including data abuse crimes. Data is a new type of wealth for our nation. Now data is more valuable than oil," President Joko Widodo (Jokowi) gave a speech at the MPR Annual Session, Friday, August 16, 2019.

Not once did Jokowi make that call. October 2019, Jokowi made the same call in his speech. The government, through the Ministry of Communication and Information Technology (Kominfo) then compiled the initiation of regulations on personal data issues. The Personal Data Protection Bill (RUU PDP) was signed by Jokowi on January 24, 2020. Since then, hot balls have been shared with the House of Representatives (DPR).

Based on the draft as of December 2019, the PDP Bill contains 72 articles with 15 chapters in them. The Minister of Communication and Information, Johnny G. Plate, explained the five basic principles set out in the PDP Bill. "First, personal data collection is carried out in a limited and specific manner, legally valid, properly and transparently," said Johnny, Wednesday, August 5.

The second principle is that the processing of personal data is carried out according to purpose, is accurate, complete, not misleading, up to date, and can be accounted for. Third, the processing of personal data is carried out by protecting the security of personal data from unauthorized access, disclosure and alteration, as well as misuse, destruction and / or loss of personal data.

Fourth, when there is a failure to protect personal data (data breach), the personal data controller is obliged to inform the failure. Owners of personal data must be the first to be informed. Finally, personal data must be destroyed and / or deleted after the retention period ends or based on a request from the owner of the personal data (right to erasure) unless otherwise stipulated by laws and regulations.

If based on commodities

The good spirit of the government to protect the personal data of its people. However, there are still many holes in the Personal Data Protection Bill (PDP). In the article containing the rights of the owner of personal data, for example. Articles 4 to 16 of the PDP Bill regulate a number of rights for owners of personal data.

However, Article 16 Paragraph 1 also provides for exceptions to Article 8, Article 9, Article 10, Article 11, Article 12, and Article 14. All rights contained in these articles do not apply to the interests of national defense and security, the interests of the enforcement process. law, the interest of monitoring the financial services sector, monetary, payment system and financial system stability, as well as the public interest in the framework of state administrators.

Deputy Director of Research at the Institute for Studies and Community Advocacy (ELSAM) Djafar Wahyudi said the above formulation could cause confusion, even potentially rubber in the law enforcement process. "Our recommendation is the formulation of exceptions. So there is no need to formulate three confusing parts. The two are about the consistency of what can be the exception, the requirements so that it is more detailed and limitative," he told VOI, Thursday, August 6.

Legal construction that is built in the context of the data owner's right is contrary to the principles that must exist in law enforcement based on human rights (HAM): the principle of urgency and the principle of proportionality. Another issue concerns the use of data aggregates whose processing is intended for statistical and scientific research purposes in the context of state administration.

The state must ensure that there is no other interest in managing aggregate data. "Now this is what actually sparked debate yesterday because several parties asked for the exception of aggregate data, but what form is the aggregate data," said Djafar.

What is meant by aggregate data is when a unit of data on population events, important events, gender, age group, religion, education and occupation is collected. Usually the collection is in the form of statistics.

In addition, it is feared that the PDP Bill will be based on a false spirit that is not based on the interest of protecting the privacy rights of data owners, but rather accommodates other interests, both political and economic. Djafar highlighted the statements of government officials which showed a wrong perspective regarding data, that data is a commodity, that data is now more valuable than petroleum.

Data management cannot be seen as a commodity. Basically, data management must be based on the principle of protecting the privacy rights of individuals. "Oil is clear. The control is clear. There are natural elements inherent in a country's territory. The data is different. Individuals. The power is in the subject. Data cannot be equated with oil. I don't agree with the concept of data is new oil. "

Meanwhile, DPR Commission I member Abdul Kadir Karding explained the pace of deliberating the bill in parliament. The DPR, Karding said, had formed a Working Committee on the PDP Bill. "Before yesterday's recess we had invited the RDPU to a meeting with public opinion with various groups ... That's what is being done. Just waiting for the recess to finish, after the 14th we will push again so that it can be discussed more intensively. However, we still pay attention to quality," he told VOI, Friday, August 7.

Karding said that the PDP Bill was designed to protect people's personal data from being used for business or criminal interests, especially in the political context that often occurs.

"That is precisely why we will ask for opinions from all parties and the public so that this law is not too flexible ... That's why I think this bill must be regulated in detail. Later, when the details have been made of the rules of the game, it can't be like this, it can't be like that," said Karding .

The PDP bill, however, is hopeful. However, with all the holes still visible, the PDP Bill has the potential to harm data owners. So, supervision must be carried out. We must ensure sovereignty over each of our own personal data. The state may store and manage our data. However, all data utilization authority remains in the hands of each of us.

"This means that all processing actions must have a specific and appropriate purpose. So if the state says this is for social assistance, for assistance, for education, for statistics, that's only for that. And we must know. If we are not willing, this law must accommodate our refusal, "said Djafar.

Follow This Issue Series Writing: No Privacy on Personal Data


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)