By: Sonny Zulhuda
On Wednesday this week the Indonesian Embassy in KL held a ceremony officiating the upcoming-election committee and its secretariat. The Ambassador attended the ceremony and so did most of the embassy officials. I was invited as a witness for the proceeding as a representative of the community in Malaysia.
What led me to write here was one issue in particular (among so many) that came up in my discussion with several members of the election committee and reps from participating political parties after the function: the privacy right of the voters.
Political party reps suggested that the election committee (PPLN in Bahasa) should allow them (all the participating parties) to have the full list of registered Indonesian voters in Malaysia. That means the list that includes the names, addresses and ID/passport numbers of the voters (like me and over 400 thousand others). The purpose was for the parties to ‘assist’ the committee to inform, socialize, remind and mobilize voters to go to the poll on election day, given the foreseeable limitations of the committee members in covering all these tasks, mainly due to limited human resources and the width of the area covered (nine committee people to cover areas throughout Malaysia, basically).
Election committee members, however, do not fancy this idea of disclosing and sharing the full list of the voters, due to privacy concerns previously raised by some quarters. To justify that, they mentioned the new UU-ITE, which stipulated something (only one section, actually) on privacy protection.
I was following this discussion with great interest. I’m also glad that this issue has been in the minds of many people, especially at times when it really matters, such as these election days.
So, back to the issue at hand: should we or should we not allow the political party reps to have the full list of the voters? Would it in any way infringe the right of privacy? I remember my colleagues from the local election committee (PPLN) here kept arguing that such protection is afforded by virtue of UU-ITE. To this, I beg to differ, as explained below.
Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:
(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.
(2) Every person whose privacy right is infringed upon as referred to in clause (1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).
What we can draw from this provision is as follows:
First, the recognition of the right to privacy, as far as this law is concerned, is limited to data/informational privacy, i.e. the right of every person to control what kind of information about him should belong to the public domain. (Other aspects of privacy rights include the right of anonymity, the right of solitude and many more.)
Second, be that as it may, the right to information privacy here is further restricted to the ‘use’ of such data. This is overwhelmingly restrictive, bearing in mind that the international standard of data privacy covers many dimensions, including the collection, processing, use, retention and disclosure of personal data. This provision, on the other hand, restricts the matter only to the ‘use’ of personal information.
Third, a further restriction is that this rule on the use of personal data is only applicable as long as it is a use ‘by means of electronic media’. Therefore, any use of people’s personal data that is documented not in electronic media, such as the usual paper archives, will not be subject to this law.
Fourth, the law mentions the need to get the approval of a person whose personal data is to be used (by means of electronic media). It is never explained how such approval can be obtained. Is it sufficient to have it on the basis of the ‘opt-out’ principle, or does it require the more protective ‘opt-in’ principle? There is a big gap between the two in terms of requirements, efforts and consequences. The more protective it is (i.e. with the ‘opt-in’ principle), the better for the data subjects, i.e. the people whose data is being used.
Fifth, with all these exceptions (a ‘data privacy’ in ‘electronic media’ to be ‘used’ with an ‘approval’), it is found that the legal redress is also not very attractive. It allows a civil suit for damages but is silent about criminal penalties. Thus, while compensation might be aimed at, deterrence could be significantly absent.
Therefore, this Law (UU-ITE), with due respect, is not the best answer for protecting people’s privacy right, be it in electronic or conventional media. Nevertheless, this law is perhaps a little solution for a huge problem. Do we require further law?
Discussion will proceed later on…