Bjorka And Personal Data Protection
The DPR and the government have agreed to ratify the Bill (RUU) for the Protection of Personal Data (PDP) into law. The agreement between the DPR and the government was reached during a working meeting between Commission I of the DPR and the Ministry of Communication and Information (Kemenkominfo), the Ministry of Home Affairs (Kemendagri), and the Ministry of Law and Human Rights (Kemenkum HAM) early last September.
That is a step forward. It is undeniable that Indonesia urgently needs a Personal Data Protection (PDP) Law. Why? The public surely still remembers the hacker nicknamed Bjorka from not long ago. Bjorka boldly announced via social media the successful hacking of data belonging to BIN, President Jokowi, and other public officials. For example, Bjorka disclosed the personal data of the Minister of Communication and Information, Johnny G. Plate, to the public via social media. Bjorka also leaked the personal data of DPR Speaker Puan Maharani and claimed to have the personal data of President Jokowi.
Two things follow from the Bjorka case. First, the personal data protection system in the country is weak, because this is not the first time that personal data has been leaked or information from state institutions has been hacked. Second, there really needs to be a PDP Law. The ITE Law alone is not enough. There must be a legal umbrella for the protection of personal data.
Chairperson of Commission I of the House of Representatives, Meutya Hafid, as published in VOI, hopes that the ratification of the PDP Bill will stop cases of leaking personal data of the Indonesian people. According to her, the PDP Bill will provide legal certainty that has permanent strength in protecting people's personal data in the digital realm.
Meutya said the PDP Bill would become the legal basis for protecting personal data, which is the right of all citizens. With the ratification of the PDP Bill, it is hoped that the increasingly frequent cases of personal data leakage can be stopped, because through this rule, which will soon be enacted, the state will have regulations governing the protection and security of people's personal data.
For the record, the final draft of the PDP Bill consists of 371 Problem Inventory Lists (DIM) and produces 16 chapters and 76 articles. The number of articles in the PDP Bill increased by 4 from the government's initial proposal at the end of 2019, which had 72 articles.
And once again, it's non-negotiable. Even though it has been denied, it would be very embarrassing if data from the State Intelligence Agency (BIN) or President Jokowi had in fact been leaked.
Moreover, Kominfo and the National Cyber and Crypto Agency (BSSN) seem to be shifting responsibility onto each other. Ideally, these two institutions should cooperate with each other. It is true what BSSN spokesman Ariandi Putra said, that the issue of cyber attacks and data leakage is the responsibility of all stakeholders.
What the European Union has done might serve as a reference, given that the threat of cyber attacks is increasing. In European Union countries, it is no longer only computers, gadgets, or smartphones that need to be upgraded. Internet-connected smart devices such as refrigerators and TVs must also comply with the European Union's strict cybersecurity rules. Otherwise, they risk being fined or banned from the bloc.
As VOI notes, the EU Executive will announce a proposed Cyber Resilience Act this September which is likely to become law after input from EU countries.
The draft law states that manufacturers must assess the cybersecurity risks of their respective products and take appropriate procedures to fix problems. Companies must also notify EU cybersecurity agency ENISA of incidents within 24 hours of becoming aware of the problem, and take immediate action to address the issue. Even importers and distributors of electronic products will be required to verify that the imported products comply with EU regulations.
If the company does not comply, the national regulatory authority may prohibit or restrict the product from being available in its national market, withdraw it from that market, or recall it. Violating these rules can also incur a fine of up to 15 million euros or up to 2.5% of the company's total global turnover, whichever is higher, with lower fines for less serious offences.
Meanwhile, Indonesia has no dedicated cyber law. One hasn't even been proposed. So far, cyber issues in Indonesia have only been regulated under Law Number 19 of 2016 concerning Amendments to Law Number 11 of 2008 concerning Information and Electronic Transactions ("Law 19/2016"). However, the ITE Law does not provide a definition of cybercrime either; instead, it divides it into several groupings with reference to the Convention on Cybercrime.
Indonesia itself already has a National Cyber and Crypto Agency (BSSN) whose formation was based on PERPRES No. 133 of 2017 concerning Amendments to Presidential Regulation Number 53 of 2017 concerning the National Cyber and Crypto Agency.
If it wants to be more serious in dealing with the problem of cyber attacks that result in data leakage, the Indonesian government should strengthen the BSSN and start drafting a cyber law in earnest. The ITE Law alone is not enough. Perhaps the drafting team of the PDP Bill, which is claimed to be the legal protection for personal data, can use the European Union as a reference.