The government is eager to establish a supervisory authority under the Directorate General of Information Application at the Communications and Information Ministry, while the lawmakers insist on an independent data protection authority, or at least one that directly answers to the President. As a result, the deliberation of the bill has reached deadlock.

There is no doubt that the nation badly needs such legislation. Just recently a suspected data breach of the Indonesia Health Alert Card (e-HAC) system, which put around 1.3 million users’ data at risk, was made known. Previously, the data of around 2 million clients of BRI Life were hacked and advertised online. The list can go on, only to show how vulnerable personal data remains at a time when we are shifting into a digital era.

Sadly, the perpetrators of data breaches have gone unpunished, hence there is no deterrence. One of the obstacles law enforcers are facing is the absence of a specific law on data privacy protection. The legal norm of data privacy has indeed been incorporated into several laws, but its legal substance is too general, partial and sectorial. Indonesia lags far behind, for example, the European Union, which has already enforced such a law.

Due to the rampancy of data breaches, both the government and the House must immediately settle the debate over the supervisory authority. Neither should be shackled by adversarial opinions. An agreement can be reached if the two sides can view the bill from the standpoint of human rights.

The bill states that data privacy protection constitutes a human right. It is therefore reasonable to place the bill within the framework of human rights enforcement, including the supervisory authority of data privacy protection.

From a human rights point of view, data privacy protection refers to Article 12 of the Universal Declaration of Human Rights (1948) and Article 17 of the International Covenant on Civil and Political Rights (1966). These international instruments emphasize two main principles, protection from arbitrary interference and the protection of the law. Accordingly, the right to privacy cannot be interfered with arbitrarily and legal protection of the right to privacy is necessary.

At the outset, the right to privacy within these instruments was not created explicitly to protect data privacy. The urgency of data privacy protection was not an issue at the time the instruments were adopted. Information and communication technology at the time was not as sophisticated as it is today. Algorithms, big data, artificial intelligence, cloud computing, the internet of things and biometric data were not yet invented. Likewise, data commodification and data crime were unknown.

In the wake of the digital revolution, the right to privacy has now been redefined and revitalized. The privacy of personal data is now acknowledged as a human right. The right to privacy includes the right to data privacy protection.

Given that personal data protection is a human right, there is a logical reason as well as a legal basis to assign an independent body that focuses on human rights to oversee data privacy protection.

Article 75 of the 1999 Human Rights Law stipulates that the establishment of the National Commission on Human Rights (Komnas HAM) “aims to (a) develop conditions conducive to the execution of human rights and (b) improve the protection and upholding of human rights”. This law, in fact, is the umbrella of all human rights regulations.

In the case of data privacy protection as a human right, the government must be supervised. Therefore, it is not appropriate for the government to hold the supervisory authority on data privacy protection.

In a report on the right to privacy in the digital age delivered at the United Nations Human Rights Council session in 2018, the United Nations Human Rights Office of the High Commissioner said surveillance conducted by the state was likely to threaten the right to privacy. Such a view is relevant for Indonesia. The data leaks of electronic ID cards (e-KTP), the Healthcare and Social Security (BPJS Kesehatan) and most recently the e-HAC application strongly prove that the government needs to be supervised and must be held responsible for any breaches.

On the other hand, establishing a new body will add another financial burden to the government amid the all-out efforts to contain the COVID-19 pandemic and its repercussions.

Some have suggested that the oversight be mandated to the Central Information Commission (KIP), but the problem is the definition of public information in the 2008 Disclosure of Public Information Law is not in line with the definition of personal data. Likewise, disputes under the jurisdiction of the KIP are limited to public institutions and nongovernmental organizations that receive state funding. The scope of personal data is broader than public information. Besides, this option would require revisions of the 2008 law, which would take time.      

If data privacy protection is construed as part of human rights enforcement, then Komnas HAM will qualify for the supervisory job. It would mean an extra workload, but the commission was founded to enforce human rights in the first place.

The tug of war between the government and the House should not justify withdrawal of the bill from the legislation program.

 ***

The writer is deputy chairman of the National Commission on Human Rights (Komnas HAM).