T

he digital economy’s role in Indonesia is becoming increasingly important. McKinsey has reported that by going digital, Indonesia can unleash the next level of economic growth to the tune of US$150 billion, 10 percent of the gross domestic product (GDP), in annual economic impact by 2025.

This is supported by the commitment of the government to reach a value of $130 billion by the year 2020. The number of internet users in Indonesia in 2017 reached 112 million people, placing Indonesia in sixth place in the world.

This number will continue to grow in the foreseeable future; hence the digital market size in Indonesia will continue to grow.

The rise of the digital economy in Indonesia requires the use of big data. To understand the concept of data, we need to first define what data is. The dictionary defines data as facts and statistics collected together for reference or analysis.

For the purpose of this article, let’s limit this to personal data obtained through people’s use of digital services, such as web searches, electronic purchases and online interaction, such as social media interactions, news articles and web content. Such data may include names, birth dates, bank account and credit information, email addresses and passwords.

The challenges for data management are cybersecurity and cross-border data privacy. Cyberspace is different from physical space. Cyberspace has no territorial boundaries because the cost and speed of message transmission on the internet is almost entirely independent of physical location.

Many governments first respond to electronic communications crossing their territorial borders by trying to stop or regulate that flow of information as it crosses their borders.

However, this effort is likely to prove futile, at least in countries that hope to participate in global commerce.

Cybersecurity and data privacy risks have always existed when dealing with data. According to a recent study by the Internet Society, the number, size and cost of data breaches continue to increase.

In 2017, there were 159,700 cyber incidents targeting United States businesses. This number doubled from 2016, which saw 82,000 incidents. Such incidents include data breaches, ransomware targeting businesses, business email compromise, distributed denial service of attacks, as well as takeovers of critical infrastructure and physical systems.

Who is responsible for cybersecurity and data privacy? In theory, it is the responsibility of both private and public entities. In this regard, private entities; such as businesses, will bear the responsibility for securing their consumer data.

Public entities, such as the state, bear the responsibility of protecting consumers against businesses that fail to secure their consumer data.

Private entities are obliged to comply with contractual obligations they enter with their customers prior to electronic transactions, while states are obliged to comply with international law, including human rights, which includes the right to privacy. According to Article 12 of the Universal Declaration of Human Rights, no one shall be subject to arbitrary interference with their privacy. In this regard, such privacy includes personal data.

How do states regulate cybersecurity? The European Union is considered the pioneer of cybersecurity. In May 2018, EU will have a new data protection regime that extends the scope of the EU data protection law to all foreign companies processing data of EU residents.

The new law will provide EU citizens with right of access, which gives EU citizens the right to get access to their personal data and information about how this personal data is processed. The law also prescribes sanctions for entities failing to comply with the law.

The US took a different approach with regard to cybersecurity by developing a cybersecurity framework that is voluntary, consensus-based and industry led-standard. It is meant to be customized and only provides a common language and systematic methodology for managing risk. It is developed from the practices of US industry.

One consideration for this is that technology evolves faster than regulation, hence it needs to be continuously updated by the stakeholders.

Indonesia has yet to provide a comprehensive set of provisions for the protection of personal data. Such provisions in Indonesia are partially regulated by the Electronic Information and Transactions (ITE) Law and a government regulation on electronic systems and transactions. The House of Representatives, however, has delayed the deliberation of a personal data protection bill.

The enactment of such a law would give rise to the first comprehensive law in Indonesia that specifically deals with the protection of personal data.

Prevailing law states that a data center and disaster recovery center is to be located in Indonesia. It is a fact that the location where data is stored affects privacy and data.

Many experts advise that for sensitive data and data that is not in the public domain, it is advisable that data be hosted internally, and not on external servers. For this reason, many governments, including Indonesia, require data centers and disaster recovery centers to be located in their territory.

However, many small and medium enterprises (SMEs) in Indonesia cannot afford robust secure IT infrastructure that is typical in large global cloud service providers. SMEs would then benefit from access to world-class security provisions in global data center infrastructure.

It is advised that rather than requiring the localization of data centers, states should opt to take precautionary measures for cross-border data transactions. Such precautionary measures should be regulated through due diligence obligations for businesses to provide state of the art cybersecurity infrastructure. The government may prescribe this standard based from the input of the industry.
______________________________

The writer is an electronic commerce law observer. The views expressed are his own.