The personal data protection bill, which has been in the works since 2014 and was put forward for passage by the Communications and Information Ministry, has become more pressing as the COVID-19 pandemic drives unprecedented levels of online activity.

Data privacy advocates have urged Indonesia to set up its own data protection framework, as simply having an email account can expose an internet user to cybercrime.

But differences in opinion between the government and legislators were still apparent on Tuesday, weeks before the House of Representatives goes into recess.

The main point of contention continues to be the design of a planned data protection agency.

The government has proposed that the agency be established under the Communications and Information Ministry, borrowing from similar arrangements in Singapore and Malaysia.

However, members of House Commission I overseeing defense, foreign affairs, information and intelligence, have insisted that the proposed agency be independent of the government.

Read also: More public-private talks needed to ensure effective data protection enforcement

“If there is no common ground here, the goods will never materialize,” said Yan P. Mandenas, a Gerindra Party lawmaker from Papua, during Tuesday’s hearing.

[https://www.youtube.com/watch?v=sDgMdIzbsWQ]

A January 2020 version of the bill, a copy of which was obtained by The Jakarta Post, stipulates in Article 58 that the state, through the communications and information minister, would be responsible for enforcing the bill’s provisions. The draft would also mandate the issuance of a government regulation (PP) to outline the minister’s scope of authority.

Lawmakers remain unconvinced by this arrangement, but Semuel A. Pangerapan, the ministry’s director general for the application of informatics, offered a possible solution inspired by aspects of Singapore’s approach to data protection oversight.

He suggested the introduction of a multi-stakeholder committee to advise the minister on the operational aspects of supervision. This committee would consist of representatives from the government, academia and civil society.

Commenting on concerns about possible conflicts of interest within the government, he said, “It is in the purview of the House to balance out the government.”

Experts have warned the government not to become too fixated on determining the actor and instead work to ensure that the appointed authority is given sufficient resources to enforce the law once it is passed.

Read also: COVID-19 patients become victims of Indonesia’s lack of privacy protection

Previously, Institute for Policy Research and Advocacy (ELSAM) director Wahyudi Djafar said the provision could result in overlapping authority.

“The personal data protection law will be legally binding and have far-reaching impacts not only for the private sector but also for the government. It will then be difficult for the government to provide oversight when, for instance, the government itself is found to have violated the law,” Wahyudi told the Post recently.

Communications and Information Minister Johnny G. Plate declined to comment, citing the bill’s ongoing deliberation.

Commission I deputy chair Abdul Kharis Almasyahri, who also chairs the working committee for the bill’s deliberation, adjourned the meeting until Thursday, when both sides are expected to present their positions on the data protection authority’s autonomy and scope of work.

“We will pit our findings against one another and talk it out so that we will be able to find some middle ground. Hopefully by the next parliamentary session we can speed through [deliberations], synchronization and harmonization so that by June, we will have a personal data protection law,” Abdul said on Tuesday.

Previously, the Prosperous Justice Party (PKS) politician told the Post that the commission aimed to conclude deliberations by the end of May, having failed to pass the bill into law last November because of the complexity of the issues and pandemic restrictions.

Read also: Can Indonesia introduce world-class data protection framework?

The bill was one of 33 pieces of priority legislation listed in the House’s 2021 national legislative program (prolegnas). It was initially included in the long-term 2015-2019 shortlist but was only properly deliberated in 2019, when it was called the personal data and information protection bill.

As home to some of Southeast Asia’s biggest tech start-ups, Indonesia is seeking to develop a robust data protection law to fill in regulatory gaps, provide a strong framework to support its rapidly growing digital economy and raise its profile as an attractive investment destination.

To date, the country has no comprehensive data protection law. Instead, relevant provisions are scattered across at least 33 different laws.

The Global World Digital Competitiveness Index ranked Indonesia 56^th of 63 countries in digital literacy in 2019, far below Singapore and Malaysia, which were ranked 2^nd and 26^th, respectively. As of January 2020, Indonesia was home to 175.4 million internet users.

Wahyudi of Elsam said the passage of the bill would allow Indonesia to catch up with neighbors who had enacted their own digital privacy laws, including the Philippines and Thailand.

As it stands, internet users have little control over their personal data, and internet service providers and other commercial actors are generally not held accountable for its use.

The current draft of the bill is modeled on the European Union’s General Data Protection Regulation (GDPR), which has been hailed as the gold standard of data privacy and protection.

Personal data leaks and identity theft are still rampant in Indonesia, with the recent breach of e-commerce platform Tokopedia jeopardizing more than 15 million users’ accounts and personal data. The breach occurred as e-commerce skyrocketed during the pandemic.

There has been a 250 percent surge in new sellers on Tokopedia, with a particular concentration in the personal health category. Business research and consultancy firm Inventure Indonesia has noted that e-commerce is one of the few sectors to have benefitted from social distancing.