It has been over six months since the Communication and Information Ministry claimed that the law on data protection would be enacted in 2018. Yet, there is no promising sign, which indicates lack of seriousness to finalize the bill into a law.
Presently, consumer data protection only relies on a ministerial regulation. However, Regulation no. 20/ 2016 does not adequately protect data owners. The researcher says the regulation only imposes administrative penalties on those who breach personal data.
Furthermore, it does not offer a remedial system enabling personal data owners to recover damages. Instead, the regulation only enables the ministry to mediate settlements between personal data owners and electronic system providers (ESP) that collect and process personal data. It does not grant power to the Ministry to push for remedy to recover damages of the data owner.
The bill, however, seems to accommodate the weakness of the 2016 regulation, with its penalty for violating personal data protection. Further, it grants power to an independent commission to fine wrongdoers and grant remedy for data owners. It seems promising as the penalty, fine, and mandatory remedial payment should have a deterrent effect to the relevant ESP. However, is it really effective?
One potential issue is the extraterritoriality of the bill. The bill states it applies both within and outside Indonesia; however the parties that can be penalized or fined are limited to Indonesian business entities or persons present in Indonesia. Thus, cloud-computing or over the top (OTT) companies, which operate remotely and mainly rely on consumer data, are immune to such provisions.
Indonesian laws are not sophisticated enough to reach companies overseas who do business with Indonesian customers through electronic systems, such as Amazon, Instagram, and WhatsApp. Those companies can freely operate without establishing entities in Indonesia.
The Ministry has indeed issued a circular encouraging the OTT to establish at least permanent establishments in Indonesia; however, the circular is not binding.
Former Constitutional Court justice Maria Farida Indrati has emphasized that a circular letter is not a regulation in Indonesia because it only applies internally within the institution that issues it.
This is a significant loophole that the bill must address. The absence of obligation to establish an entity or legal presence in Indonesia may lead to ineffective legal enforcement. For instance, if a social media platform company leaks personal data of Indonesian customers to an overseas company, there would be nothing that the government can do. Even if the court grants remedy to the Indonesian users, there is no tool to enforce the judgment because there is no presence of such media platform company in Indonesia, whether in the form of assets to be executed or entity to be penalized.
According to Statista, Instagram users in Indonesia during April 2018 reached 56 million users, the fourth biggest in the world. Social network users in Indonesia reach 96 million people, and this number is still increasing. Yet, the country’s legal platform is not sophisticated enough to accommodate protection for such users.
With a proper legal platform, the enormous number of Internet platform would indeed be exciting given the great efficiency the internet offers. It is now up to the government to carve this potential into a new economic power of the country.
The writer is a foreign investment lawyer at Roosdiono & Partners (Zico), who studied corporate and business at University of Pennsylvania Law School and Wharton Business & Law Certificate.
Disclaimer: The opinions expressed in this article are those of the author and do not reflect the official stance of The Jakarta Post.