Apapun Disiplin Ilmumu, Pelajarilah Ekonomi Digital!


Oleh: Sonny Zulhuda

APAC Cyber Summit 2016_1

1. Indonesia dan Malaysia melalui pemimpinnya masing-masing telah menetapkan bahwa Ekonomi Digital menjadi fokus utama dalam membangun negara dan meningkatkan ekonomi bangsa. Tidak hanya jalur lebar Internet yang diperhebat, namun penguasaan konten lokal dan industri kreatif kini menjadi generator baru bagi kemajuan bangsa.

2. Pengalaman saya selama 15 tahun sebagai peneliti, akademisi dan praktisi hukum teknologi informasi, melihat semakin perlunya kita untuk memparalelkan segala ilmu, pengetahuan dan teori yang kita pelajari dengan perkembangan dunia digital. Ekonomi digital yang didominasi dengan penguasaan teknologi informasi dan optimalisasi data mengharuskan kita menjawab berbagai tantangan digital.

3. Saya saksikan sendiri di berbagai universitas top di dunia seperti Oxford, Sydney, UNSW, Tsinghua, Toronto dan Yonsei University mereka sudah mendirikan lembaga kajian yang fokus terhadap isu konvergensi teknologi informasi dalam berbagai aspeknya. Universitas Indonesia dan UNPAD saya pikir sudah memulai lebih awal dalam konteks Indonesia. Yang lainnya, belum kelihatan! Sementara, semakin banyak pula lembaga internasional yang menyediakan program, beasiswa, fellowship dan event-event yang bertujuan mencari bakat-bakat muda dalam kajian konvergensi informasi ini.  Continue reading


Personal Data Protection Law in Indonesia: The Law No. 11/2008 (“UU-ITE”) and its Amendment in 2016

By: Sonny Zulhuda

wonderful indonesiaIndonesia slowly emerges to put some regulations in place pertaining to the cyberspace activities. Few laws and regulations now come up that address personal data protection (PDP). In this first post, I would like to highlight some rules of personal data protection law as found in the first Indonesian cyberlaw, i.e. Law on e-Information and e-Transaction.

Law No. 11/2008 (“UU-ITE”)

First is the “Undang-undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik” (popularly known as UU-ITE in Indonesian) or the Law No. 11 Year 2008 on the Electronic Information and Electronic Transaction (“Law No. 11/2008”).

This Law only has one section that addresses the issues of informational privacy or personal data protection, namely section 26. I had written some comments on this provision in my previous blog. In sum, section 26(1) provides for a general rule that consent is required whenever personal data is being electronically “used” (instead of “processed” – see my comments below). Section 26(2) provides that any breach or infringement of section 26(1) can be a basis for remedies.

Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:

(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.

(2) Every person whose privacy right is infringed upon as referred to in clause(1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).

Meanwhile, the statutory elucidation of the Act explains that this provision is an acknowledgement of the privacy right protection. It goes on explaining that, the meaning of privacy right includes the following:

  1. A right to enjoy a private life free from interference;
  2. A right to communicate with other persons free from spying/surveillance;
  3. A right to access to information about his private life and private information.

Continue reading

Speak Privacy an Asian Way — at Asia Privacy Bridge Forum in Korea

By: Sonny Zulhuda


Last week I received this invitation letter to speak at the Third Asia Privacy Bridge Forum, hosted by Barun ICT Research Centre, Yonsei University, Seoul, South Korea towards the end of June 2017. The Director of the Centre, Dr. Beomsoo Kim noted that this Forum is supported also by KISA (Korea Internet and Security Agency) and the Korean Ministry of Interior. I am asked to speak about the development of the data protection laws in two countries Malaysia and Indonesia.

This is an exciting surprise. Not only because it would be my first visit to Korea, but also because I will have an invaluable opportunity to mingle with the Asia Pacific and international network on privacy and data protection; and to share with them what is up in Malaysia and Indonesia on this subject.

There are other speakers who are expected to speak from different jurisdictions: Korea, Japan, Singapore and China including: 1. Dr. Beomsoo Kim (Yonsei University, South Korea); 2. Jongsoo Yoon (Lee & Ko, South Korea); 3. Dr. Kaorii Ishii (University of Tsukuba, Japan); 4. Dr. Warren B. Chick (Singapore Management University); 5. Dr. Sonny Zulhuda (International Islamic University Malaysia); 6. Mr. Eunsil Lee (Seoul Metropolitan Police Agency); and Rona Morgan, Singapore-based IAPP Asia Director.

After all, the event sets as an ultimate aim a common desire to move forward collectively and globally in addressing the challenges of enforcing data privacy laws.

From the Malaysian perspective, this is the time to showcase what it has done or set to do beyond the initial period of public education on the law. What has been done towards enforcement? That is specifically questions that I would like to share during the Conference. Besides, the fact that the industries have moved further to issue self-regulatory Codes of Practice is also a stimulating development.

From the Indonesian perspective, there is quite a few development to share. In the past year, it is noteworthy that the 2008 Law on Information and E-Transaction (“UU-ITE”) was amended by the  Parliament to strengthen some aspects of the law, including on the “Right to be Forgotten”. Then, still in 2016, the Information Minister issued a new Ministerial Regulation on the Protection of Personal Data Processed Electronically. This regulatory piece is indeed a milestone to the data privacy law in Indonesia, albeit that it is a subsidiary legislation, rather than a parliamentary statute. Beyond this, there is this Bill draft of the Personal Data Protection Act that has been consolidated in early 2017.

With all these development, I hope I can portray insightful updates to the Forum and ultimately to everyone who shares the interest on this subject. But first, let’s hope my visa is ready on time.

UPDATE: the visa was ready on 23rd June, and I’m scheduled to fly on Sunday night.

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda


No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

When Ransomware “WannaCry” Attacks

By: Sonny Zulhuda 

Alkisah aplikasi tebusan (Ransomware) “WannaCry” melanda dunia cyber global…

150 negara dilanda ributnya, ribuan dolar uang tebusan diminta, ratusan ribu komputer terinfeksi, jutaan data terancam musnah, dan pastinya kesusahan yang tiada ternilai menghantui para korbannya.. “princeless” – istilah sebuah iklan komersial.

Apa yang harus dilakukan? 

Menghadapi bencana digital seperti ini, berlakulah prinsip yang sama upaya “Penanggulangan Bencana” yang baru-baru ini saya pelajari dalam kursus Disaster Management bersama MDMC. Penanggulangan bencana dibagi kepada tiga fase:

  1. Fase pra-bencana
  2. Fase saat bencana
  3. Fase pasca bencana.

Ketika seseorang atau sebuah instansi sudah menjadi korban malware WannaCry ini, maka hal pertama adalah penanggulangan saat bencana.

Langkah-langkah yang diambil harus cepat, tepat dan bertujuan menghentikan bencana atau meminimalisirnya baik dengan cara teknis seperti menghentikan koneksi Internet sementara, menyetop aplikasi perkongsian data, atau mengoreksi setting sistem informatika sebuah organisasi. Selain itu, langkah non-teknis harus segera dibuat: notifikasi kepada segenap jaringan tentang masalah ini, dan mereduksi aktivitas yang memerlukan aplikasi jaringan. Kalau perlu bekerjalah menggunakan laptop lain yang tidak terinfeksi. Jangan lupa sampaikan ke jaringan kerja atau teman-teman di media sosial bahwa anda sedang menghadapi masalah ini sehingga komunikasi kemungkinan menjadi terhambat.

Saya jadi teringat adagium klasik “sebaik-baik obat adalah dengan menjaga kesehatan” yang sangat relevan dalam dalam dunia teknologi informasi. Dari segi teknis, langkah-langkah preventif seperti penggunaan aplikasi yg standard, anti-virus yang selalu ter-update, dan penyediaan back-up data menjadi keharusan. Karena jika piranti kita sudah diserang dengan berbagai “unsur jahat”, maka kadang-kadang upaya kuratif yang reaktif menjadi tidak bermakna.

Dalam perspektif hukum dan kebijakan, upaya preventif juga menjadi sebuah keharusan. Jika tidak ingin terjerat masalah cybercrime, misalnya.. maka jangan bermain dengan apinya. Jangan terpancing dengan rekayasa sosial (social engineering) yang menawarkan hadiah, romantika cyber, teman virtual atau sekedar promosi-promosi yang menggiurkan.

Jika sudah terpedaya dengan pancingan itu, jika sudah terkontaminasi komputer kita oleh virusnya, jika sudah diambil data-data penting kita.. maka langkah reaktif menjadi tidak berguna.

Masih inget Bang Napi? “Waspadalah!!”

Ketahanan Digital

By: Sonny Zulhuda


Jika ingin sukses di era digital ini, Indonesia mesti memiliki ketahanan digital yang kuat. Apa maksudnya? Artinya ruang cyber kita harus memiliki resistensi yang cukup terhadapa potensi serangan cyber yang bisa melumpuhkan integritas bangsa.

Ya, integritas bangsa Indonesia tidak bisa hanya dipertahankan melalui pengamanan darat, laut dan udara. Namun juga pengamanan ruang cybernya! Saya kasih contoh diantaranya sebagai berikut:

1. Tentang keamanan piranti (lunak dan keras) dari ancaman pengrusakan: Apakah sistem komputerisasi yang digunakan oleh berbagai sektor publik dan swasta dilengkapi dengan standardisasi pengamanan? Apakah sudah cukup SOP bagi individu yang terlibat dalam penggunaan piranti tersebut?

2. Tentang integritas sistem komunikasi kita dari ancaman penyusupan; Apakah sistem telekomunikasi kita aman dari penyadapan pihak-pihak yang tidak bertanggungjawab?

3. Tentang ketahanan data publik dan privat dari ancaman pembocoran; apakah kita memiliki sistem teknologis dan perundangan yang cukup untuk mencegah pencurian data, pembobolan rahasia negara dan pembajakan rahasia dagang kita?

4. Tentang keamanan dan integritas data pribadi warga Indonesia dari ancaman penyalahgunaan; apakah sistem data e-KTP kita aman dan baik-baik saja? Siapakah yang menyimpan data serta mengontrol server back-upnya?

Tak ayal, insiden aplikasi jahat “WannaCry” baru-baru ini menjadi cambuk pedih yang mengingatkan kita, bahwa ketahanan digital menjadi sebuah keniscayaan.

Mari berbenah!

“Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions 

By: Sonny Zulhuda 

In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).

In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.


The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.

Continue reading

  • October 2017
    M T W T F S S
    « Jul    
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,574 other followers