BSSN, lawmakers to talk accountability over data breaches
With the House of Representatives resuming deliberations on a much-awaited personal data protection bill, cybersecurity activists have renewed their call for the speedy passage of the bill amid continued cyberthreats.
The bill has been in the works since 2014 and was pushed forward by the government in hopes of providing some guidelines for the use of personal data, without much incentive apart from riding the wave of Indonesia’s digital economy boom. The legislation then grew in importance following a surge in personal data leaks in recent years.
The bill was initially included in the 2015-2019 priority legislation shortlist but was only deliberated in earnest beginning in 2019. It is one of 33 pieces of priority legislation in the 2021 House national legislative program (Prolegnas).
One of the biggest sticking points of the current draft bill has to do with a provision governing the establishment of a data protection agency. The Communications and Information Ministry wants the agency to come under its authority, while lawmakers insist the agency must be independent and report directly to the president.
Meanwhile, illegal data breaches have continued to occur, often to the detriment of ordinary citizens who are left in the dark on what to do when their personal data is stolen, said Teguh Aprianto, a cybersecurity consultant.
The researcher cited the massive data breach earlier in May that saw the personal data of more than 279 million Indonesians put up for sale on an online hacking forum. The leaked data reportedly belonged to national health insurance (JKN) policyholders managed by the Health Care and Society Security Agency (BPJS Kesehatan).
Teguh said that when such incidents occurred, officials usually denied the public any information and only launched an investigation when reports of a breach had occurred.
“The public was never properly informed what had happened and what the impacts of the data breaches were,” Teguh said in a recent online discussion.
From his own research, he said there were signs that many of the data breaches occurred as a result of bad governance and that ordinary people were paying the price.
According to one estimate from the Indonesian Cybersecurity Independent Resilience Team (CSIRT), the alleged BPJS Kesehatan data breach resulted in Rp 600 trillion (US$ 42.27 billion) in damages, notwithstanding the psychological damages that people may suffer from not having their data in safe hands.
Experts have previously called on the state to audit the country’s data breaches and impose measures to prevent similar incidents from occurring in the future.
The head of the National Cyber and Encryption Agency (BSSN), Hinsa Siburian, was summoned on Monday to a closed-door hearing with House Commission I overseeing defense, foreign affairs, information and intelligence, as part of a string of accountability meetings.
Muhammad Farhan, a lawmaker from the Nasdem Party who attended the meeting, told The Jakarta Post that the commission had called on the government to fast-track the issuance of relevant presidential regulations that would help bolster the BSSN’s authority.
He also said legislators had put pressure on the agency to set up recruitment and human resources development programs to scout high-quality talent.
Asked whether the commission demanded accountability from the BSSN with regard to the various personal data leaks, Farhan said the issue would be specifically broached during another hearing with the BSSN on Thursday in Batam, Riau Islands province – the site of one of four national data centers.
Question of agency
Meanwhile, Institute for Policy Research and Advocacy (ELSAM) executive director Wahyudi Djafar reiterated his concerns about ensuring that the proposed data protection agency that would handle future data leaks remained an independent body.
If this can be achieved, then it could ensure that personal data protections would be monitored more fairly and reduce the risk of getting the agency dissolved at the whim of a politically invested government, he said.
“It would be as if the government was a player and a referee at the same time if the planned data protection agency is under government control. It’s irrational,” Wahyudi exclaimed during the webinar.
The slew of cyberattacks has piled more pressure on the House and the Joko “Jokowi” Widodo administration to ensure the smooth passage of the bill, despite initial agreements over the design of the proposed agency.
But now, House lawmakers are saying that they have started to meet in the middle on unfinished provisions.
House Deputy Speaker Sufmi Dasco Ahmad of the Gerindra Party said lawmakers would see to it that the bill was passed into law during the current legislative period.
“Alhamdulillah [Praise be to God], it seems that the House Commission I and the government are almost eye-to-eye on the data protection bill, which is widely anticipated and will be useful for the people and the country,” he said in a statement last week.
Another Commission I lawmaker, Bobby Adhityo Rizaldi of the Golkar Party, said the government’s working group on the bill had started formulating provisions on the data protection agency to be more in line with the legislature’s vision for a “professional, accountable, independent and representative” entity. He said the issue was the “only main hurdle” left in the commission’s talks with the state.
“[Those markers] are important because the bill also regulates the government as a public data controller, not just the private sector,” Bobby told the Post on Saturday.
— Nur Janti contributed to the story.