As we witness open and global access to information, digital information is rapidly becoming one of the most valuable assets.
New technologies and the need to protect personal data have increased considerably, attracting significant privacy awareness in Indonesia. However, so far the legal framework on data protection lies only at the ministerial level, through the 2016 regulation of the Communications and Information Ministry.
The House of Representatives had included the data protection bill in its priority program last year. Unfortunately it has not been passed although many companies in the country have gone digital. Furthermore, various start-up companies have emerged, attracting investments from across the globe – the latest being Google’s investment in the GO-JEK ride-hailing service.
These companies possess information from and regarding its users and customers, which can be monetized for business insight. As such, personal data become a strategic and valuable asset for businesses that need to be protected. It is strongly believed that data will exponentially become a business asset and force companies to change their business models.
Meanwhile, personal data contains basic and sensitive information related to human rights. For instance, internet users may be unwilling to share specific data with a particular company because of potential risk to their privacy or family privacy. Comprehensive data monitoring should be mandated in the planned data protection law, given slow progress in addressing the breach of data by several business actors including in the promotion of banks, insurances and travel agents, without customers’ consent. Thus a comprehensive data protection law is urgent to balance rapid changes in information and communication technology.
The European Union has a comprehensive data protection regulation to be implemented in all member countries. The General Data Protection Regulations (GDPR) will be effective by May 25, by far the world’s most complicated yet most comprehensive data protection rule.
Under its provisions, the transfer of European citizen personal data to countries outside EU or international organizations is permitted only under particular conditions including that the regulatory framework of the destination country meets an adequate level of data protection according to the European Commission.Therefore the EU acknowledges that the technology company can distribute the data to any country across the world while it tries its best to protect the privacy of European citizens wherever they may be.
As the GDPR mandates extraterritorial power, each country managing data of EU citizens should be aware of the regulation. Without a relevant law, Indonesia would have to find several ways to transfer data from the EU to Indonesia that meets the GDPR principles without infringing the Regulation of the Communications and Information Ministry Number 20/2016.
Unlike Indonesia, neighboring countries such as Singapore and Malaysia have data protection acts in place. They have attempted preparations following the transformation of communication and technology in their countries to protect their citizens’ privacy with minimum constraints to business, investment and innovation such as the Singapore-based Lazada shopping portal and the Malaysia-based Grab ride-hailing service. This shows that a data protection act does not necessarily decrease creativity and innovation.
In another significant milestone for privacy in Indonesia, authorities and lawmakers should look to the cross-border privacy rules systems of the Asia-Pacific Economic Cooperation (APEC) forum and implement its requirements.
Though Indonesia was a member of APEC since November 1989, Indonesia cannot yet join its Cross-border Privacy Enforcement Arrangement (CPEA) because of our insufficient data protection legal framework. Recognition that data flows and data protection is truly a global matter triggered APEC to create CPEA. The flow of information is fundamental to doing business in the global economy. APEC members recognize the importance of protecting information privacy and maintaining information flows between economies in the region and between APEC economies and their international trading partners.
It is also believed that cooperation to balance and promote effective information privacy protection and the free flow of information in Indonesia is key to improving consumer confidence and ensuring the growth of electronic commerce. As such, Indonesia should enact the data protection act to have an adequate position in APEC.
There is clearly a pressing need for Indonesia’s comprehensive data protection act. There is too much at stake, including the risk of failure in keeping up with progress in protecting individual’s rights, business certainty in the digital economy, and enabling the unrestricted transfer of personal data between the EU and Indonesia.
The writer is a legal technology expert and Chevening Alumni at the School of Law, Queen Mary University of London.
We are looking for information, opinions, and in-depth analysis from experts or scholars in a variety of fields. We choose articles based on facts or opinions about general news, as well as quality analysis and commentary about Indonesia or international events. Send your piece to firstname.lastname@example.org.
Disclaimer: The opinions expressed in this article are those of the author and do not reflect the official stance of The Jakarta Post.