Members of House Commission I overseeing intelligence and information said that the draft bill had been finalized and that the commission was prepared to pass it into law at the next scheduled plenary meeting.

Commission I deputy chairman Abdul Kharis Almasyhari of  the Prosperous Justice Party (PKS) offered scant details from the latest closed-door talks on Monday but insisted that his duty as chairman of the working committee responsible for the legislation was essentially complete.

He said the House would release a statement on the PDP bill and that the draft bill would be circulated publicly after the meeting with Minister Johnny wraps up.

“I could say that on Wednesday [my duties] are finished, we need only wait for the [next plenary’s] schedule to come out,” Abdul told reporters on Monday.

Once passed into law, Abdul said, the legislation would require data collectors and processors to guarantee the security of the personal data they handle. If a leak occurs, data controllers and processors can be held accountable. On top of that, any illegal use of personal data will be a criminal offense, although the politician did not elaborate further.

All eyes are on Wednesday’s meeting, with the House facing a wall of criticism for the opaque process of rushing the bill’s passage and the government offering little remorse for the rampant data breaches happening of late.

Due to the indiscriminate nature of online leaks targeting both private and public institutions, critics have demanded that a piece of legislation meant to protect Indonesians from such privacy breaches should be discussed openly so it is widely understood by the public.

“Deliberations have been happening behind closed doors, so there is no way for the public to monitor the extent of arrangements between lawmakers and the government,” said Wahyudi Djafar, executive director of the Institute for Policy Research and Advocacy (Elsam), on Monday.

He also demanded lawmakers to publicize the draft PDP bill before it gets passed into law.

An oversight

The draft legislation has progressed very slowly at the House since it was first tabled in 2014. One major sticking point has been the status of a soon-to-be-established data protection oversight agency, with the ministry seeking a direct line of authority to the entity on the one hand and lawmakers insistent on its independence on the other.

Abdul said the two sides had found common ground on the matter but stopped short of sharing details of the agency’s eventual duties and authority. He said it would all be disclosed at Wednesday's meeting.

As previously reported, the House and the government both compromised on the agency’s status, giving the authority back to the president’s office.

Another Commission I legislator, Rizki Natakusumah from the opposition Democratic Party, told The Jakarta Post the House would seek to ensure that the agency was capable of remaining objective in the handling of personal data breach cases, regardless of whether state agencies or private institutions were involved.

“The oversight agency must be able to act objectively, not only to the private [sector] but also to public institutions. What we’ve heard so far is that many [breaches] tend to originate from public institutions,” he said, citing the Healthcare and Social Security Agency (BPJS Kesehatan) as a prominent example.

In spite of this, critics insist it was also an oversight to leave the decision for the President to make, with Wahyudi saying that it does not offer any more clarity than when the agency’s status was first debated.

Serial breaches

The nation has continued to become the object of rampant cyberattacks, underscoring the importance of having a comprehensive legal framework to protect private data.

The Post reported that hackers were able to easily infiltrate the security infrastructure of state and private institutions in Indonesia, just as the government hosted a Group of 20 meeting to develop the digital economy.

The leaks, which originated from a spate of attacks last month that also allegedly targeted two state-owned enterprises (SOEs) with an entire nation’s worth of user data, have been put up for sale online and even freely distributed.

The communications ministry has denied that the leaks originated from its own servers or that of the SOEs and was still investigating the source of the leaks.

One of the alleged leaks, involving 1.3 billion private data points from registered SIM cards, was also being sold on hacking forums. Among the treasure trove of data are national identity card (NIK) numbers, associated phone numbers and other registration-related information.

Among the worst of the cyberattacks were perpetrated against the National Cyber and Encryption Agency (BSSN), which is authorized to investigate data leaks, and the Indonesian Child Protection Commission’s (KPAI) database, which includes sensitive data on child survivors of abuse, such as their names and other identifiers, but also details of the abuse cases themselves.

The repeated data breaches have raised questions about the government’s ability to protect its citizens’ information.

Minister Johnny, when asked about the leaks on the margins of the G20 meeting in Bali, said the onus was on individual users to protect their own data.