Indonesia urgently needs personal data protection law

Google – a company with several data protection issues – recently invested more than US$1 billion in Indonesia’s popular ride-hailing app Go-Jek.

While transport apps such as Go-Jek and Grab have quickly grown in cities like Jakarta, they also have some problems with customer data.

Companies such as Google, Go-Jek and Grab not only provide services for their users. They also collect personal data of their users. Companies, individuals and government can all collect personal data.

The collection of huge data sets that can be searched, collected and cross-referenced is known as Big Data. Law scholar Yvonne McDermott argues that in the era of Big Data four key values must be upheld: privacy, autonomy, transparency and nondiscrimination.

In Indonesia, none of these values in regard to Big Data are enshrined under law. Indonesia does not have any comprehensive personal data protection law or regulation that protects Indonesians from misuse of data.

Increased foreign investment in the digital economy means a national conversation is needed to ensure citizens don’t get exploited.

Examples of personal data protection

Indonesians urgently need a comprehensive data protection framework. Around the world there are several instructive examples.

International human rights regulations already cover digital privacy, building on concepts in multiple declarations on human rights and freedom.

The United Nations General Assembly in 2013 agreed on the right to privacy, asking its members to be transparent and accountable when collecting personal data.

Indonesia’s neighbours, Singapore and Australia, have enacted privacy laws. Australia enacted its Privacy Act in 1988, while Singapore enacted its Personal Data Protection Act in 2012.

The European Union (EU) has the General Data Protection Regulation (GDPR) and will apply new data protection requirements in May 2018.

The principles in the EU GDPR were also evident in a presentation by technology and data protection law expert Berend van der Eijk, at a discussion of Personal Data Protection in the Digital Era in Jakarta. He explained the transparency principle that citizens have a right to access, amend and occasionally remove their personal data from companies’ registers. Companies must also be upfront about why they collect personal data and how they’ll use it.

Existing personal data protection under the GDPR on matters of race, ethnicity, politics, health, gender and sexuality continues to stand.

Daily breaches of privacy

This significantly contrasts with Indonesian practices. In Indonesia, health records data can and have been used to discriminate against individuals with HIV. Some Indonesian companies have chosen not to hire people with the illness. This is despite HIV being an illness that people can now live and work with for a nearly “normal” lifespan.

Another example of privacy breaches can be seen by checking the inbox of phone users in Indonesia. In Indonesia, businesses can easily send short message advertisements to millions of phone users based on their location. There are 371.4 million registered phone users in Indonesia, more than the total population of the country. The targeted ads through mobile phones violate privacy as providers never asked Indonesian phone users for their consent to give their data to third parties.

The government, too, can take advantage of data recording and use the information at its fingertips. Indonesia has recently taken steps to centralise citizens’ data online by creating an electronic identification system, e-KTP. But there is no regulation to govern Indonesians’ personal data on e-KTP.

Good news?

The good news is there are signs the Indonesian government is aware of this problem.

Donny Budi Utoyo, of the Ministry of Communication and Information Technology, said that civil society organisations and the government have tried to work together to promote and push for personal data protection law. Initiatives were established with the Institute for Community Studies & Advocacy, the Indonesian E-Commerce Association and ICT Watch.

Budi Utoyo was also concerned about patient autonomy with the rise of digitised public health records. In a public discussion, he asked: “Is there any right for Indonesians to ask Indonesian hospitals to remove or delete their medical records if they aren’t a patient?”

However, he said that Indonesian data protection regulation is still an ongoing process as it requires harmonisation of other regulations by related government ministries in Indonesia.

What next?

Experts in all sectors must collaborate with the Indonesian government to push and create personal data protection law. This should protect citizens from having their data used without their consent or used to discriminate against them.

It is also worth noting that the law will have potential flow-on effects for the country’s economy. It would enable a safer business environment, in turn creating opportunities and investment for more Indonesian companies.

At the same time citizens also need to be educated about digital privacy in order to understand the potential risks and their right to protect it.
