How comprehensive is personal data protection bill?

With the increasing use of data in this digital age, the GDPR has tightened the liabilities of data controllers and processors through three principles of data protection by design, data protection by default and data protection impact assessment. 

Sherly Haristya and Shita Laksmi (The Jakarta Post)
Jakarta
Wed, November 18, 2020


The House of Representatives has suspended deliberation of the bill on personal data protection (PDP), which the government claims will serve as Indonesia’s General Data Protection Regulation (GDPR). Abdul Kharis Almasyhari, chairman of House Commission I overseeing defense and information, said it would be impossible for the lawmakers to conclude the debate before the final sitting session of the year ends on Dec. 15.

Notwithstanding the suspension, Tifa Foundation has studied the comprehensiveness of the bill to see whether the bill stipulates: 1) a set of data protection principles in line with the relevant international standards, and 2) mechanisms to enforce those principles in the law. Our study compared the bill with the two leading international PDP instruments of Europe, the Convention 108+ of the Council of Europe and the GDPR. For the purpose of this article, we focus on a comparison with the GDPR.

Article 17 (2) of the bill emulates the GDPR’s data protection principles (Article 5), namely that data processing should be fair, lawful and transparent, be conducted in accordance with specified and limited purposes, be accurate, have storage limitations and maintain integrity and confidentiality.

While Articles 18-21 of the bill appear to form the legal basis for processing personal data and the workability of the consent mechanism, as the GDPR does in Articles 6 and 7, our study found some limitations in these arrangements in the bill. First, the bill still lacks clarity with regard to the two GDPR-based legal principles (compliance with a legal obligation of the data controller and processing for the public interest) and its own legal basis, “the authority of the data controller” (Article 18 (d)). Moreover, while the bill specifies the conditions of consent and the right of data subjects to withdraw consent (Article 9), it does not contain any provision requiring that withdrawing consent be as easy as giving it.

The GDPR overall arranges the rights of data subjects into two sequences of data processing. First, a data subject has the right to be informed by the data controller before his or her personal data are processed. Second, the data subject has the rights to file requests regarding the processing of his or her personal data with the data controller.

On the right to be informed, Articles 4 and 7 (2f) of the bill do not mention a timeframe for a data controller to provide the necessary information to the data subject. Moreover, Articles 4-14 combine the rights of the data subject that are the responsibility of the data controller with those (the rights of data subject on remedies) that should be fulfilled by the supervisory authority in one chapter. Meanwhile, the GDPR arranges these rights in two different chapters. Such a mixed-up arrangement of the bill creates a lack of clarity as to who should be responsible for and how to ensure the fulfillment of those rights.

With the increasing use of data in this digital age, the GDPR has tightened the liabilities of data controllers and processors through three principles of data protection by design, data protection by default and data protection impact assessment. These three latest principles are to ensure that privacy and PDP are at the heart of data collection and use, including in digital innovation, from the beginning of the development process.

By contrast, the bill does not mandate these three fundamental principles. Moreover, while the GDPR explicitly obliges the data processor to notify the data controller of any data breach, the bill does not set out such conditions. This arrangement is crucial especially whenever there are joint controllers or whenever a processor engages another processor in data processing. Lastly, unlike Article 28 of the GDPR, the bill does not stipulate the necessary information that should be included in the contract between the controller and processor to govern the relationship between both parties.

Articles 44-50 of the GDPR prioritize several measures to safeguard international data transfers in this order: adequacy decisions, then appropriate safeguards, and then binding corporate rules.

Meanwhile, Article 49 of the bill mentions four mechanisms to safeguard international data transfers with no particular order of importance: adequacy, international agreement, contract and consent of the data subject. In the absence of any clear arrangement for a data protection authority, which is needed to act as a gatekeeper ensuring an appropriate level of protection in a state or organization before the data transfer is conducted, such an arrangement leaves room for data controllers or processors to pick a mechanism at their convenience.

Besides, the bill does not provide guidance on the indicators of adequacy, the examination procedures, and the monitoring mechanisms that will determine the adequacy status of a country or an international organization for data transfer. Also, the requirement of consent for international data transfer in the bill is very broad.

With regard to the supervisory authority, the GDPR in essence stipulates two elements: the independence and the scope of the supervisory authority. The first element regulates the independence of leadership, financial independence and appropriate behavior of staff of the supervisory authority. Meanwhile, the second pertains to the clarity of competence, tasks and powers as well as the transparency and accountability of a supervisory authority.

The bill, in contrast, lacks clarity on the powers and roles of the data protection authority. It only stipulates that the implementation of PDP will be executed by the Ministry of Communications and Information Technology (Article 58(2)). Such an absence has serious implications for the authority’s ability to ensure that data controllers and processors are held accountable.

In sum, our study revealed two major shortfalls of the bill. First, there is a lack of detail in the PDP provisions. Second, there is an absence of arrangements for the supervisory authority that will enforce the law once enacted.

Formulating a comprehensive PDP regulation involves long processes, lots of challenges and meticulous details, but developing such a regulation along with building public literacy regarding the importance of privacy and PDP are necessities for a country and its society to thrive in this digital age. So, Indonesia must regulate carefully by ensuring that the bill contains all of the fundamental principles and enforcement mechanisms to implement the law effectively.

 ***

Sherly Haristya is a research fellow and Shita Laksmi, Executive Director, both of Tifa Foundation, Indonesia.
