Data Protection: Indonesia’s Long-Overdue Homework

By: Sonny Zulhuda

The above is the title for my presentation at the international virtual lecture held by Universitas Al-Azhar Indonesia (UAI). This is the second of the lecture series as part of the collaboration between IIUM and this Jakarta-based University.

Attending the lecture was among others the Rector of UAI Prof. Dr. Ir. Asep Saefuddin, Dean of Ahmad Ibrahim Kulliyyah of Laws, IIUM Prof. Dr. Farid Sufian Shuaib and Deputy Dean of UAI Law School Dr. Ahmad Safik. Kudos to all the leaders of both universities who have made this lecture series a reality, especially the Head of the UAI International Affairs Bpk Ghozali. Rector Prof Asep has been very very supportive. IIUM Rector’s Tan Sri Prof Dzulkifli Radzak and Prof Asep have known each other for quite some time and this collaboration has indeed enhanced the relationship of the two institutions and the two visionary rectors.

In this presentation I express the hope that Indonesian law on Personal Data Protection will be come the reality sooner rather than later. The Slides for the UAI Lecture can be downloaded here.

Excerpts from the discussion with participants:

Erwin Owan Hermansyah: Pertanyaan untuk Prof Sonny, bagaimana undang-undang yang baik yang dapat melindungi data pribadi dari kejahatan?
Sonny: The key here is 1. Clarity of law; 2. Awareness of people; and 3. Efficient enforcement.

Rinaldi: My Question is for pak Sonny Zulhuda. One of the many important aspects of the data in consideration (the PDP) is the correctness of the data. When a bad person (hacker) is able to change the data or has already made changes to the data then the effect may become overwhelming. For example, in the US right now, people are worry if the so called “Russian” hacker may change (among other thing) the medical records. My question is how the law look at this problem ?, can the organization who are unable to keep its data safe, be also taken responsible? Terima kasih.

Sonny: the answer is clearly YES. The organisation who allows hacking, intrusion, data damage, etc to happen will have to be answerable IF they fail to prove that they have taken sufficient due diligence to the data processing. Very important element of the law.

Bambang_MHUAI: With the exchange of information between state institutions, for example banks with taxes, etc., how the Malaysian government protects the citizen data? thank you

Answer: In Malaysia, the enforcement is under the PDP Commissioner’s Office. They receive complaints from people and take action based on it. They also do regular audit and issue enforcement notices. They open hotline for people to submit their complaints. There is an important principle under the PDP Law, ie Disclosure Principle, which mandates that any sharing to other institutions must be authorised or consented. in short it must be legally and legitimately done. If not, it will be an offense under the Law.

Pak Bambang: Thank you for the answer Prof.. Sony, does the government have online detection tools to pre-detect data crimes? Does the law guarantee data security for foreigners transacting in Malaysia?
Sonny: No, Malaysian government does not have that tools. Now they relied on this complaint system as well as able in law to initiate audit or investigation on their own initiative. And yes, this PDP law is also applicable and protecting foreigners without discrimination.

Erwin Owan Hermansyah Soetoto: is there any differences between Malaysian and Indonesian Legal System since Malaysia implements the Common Law System and Indonesia has the Civil Law System, from your explanation I read that PDP Commissioner’s Office received complaints, is this not similar like Ombudsman (Complaint Filing) in the Scandinavian countries.
Sonny: The complaint system may resemble the Ombudsman system, but now it is common in Malaysia or any other Common law countries that any agencies or commission will receive complaints from people so they will act based on that complaint.

Lora: I would like to ask about the international regulation on data protection. Are there an international convention or international organization that concern on data protection regulation? Thank you.
Sonny: So far, there is only ONE convention: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which was signed in Strasbourg in 1981.

Andini Wijayanti: Assalamu’alaikum, saya ingin bertanya. Bagaimana cara menghindari kecolongan data yang mungkin terjadi saat membuka website atau mendownload sesuatu di website? Thankyou.
Sonny: Thank you for this. First prerequisite is an awareness about the risk in Internet browsing activities. Not to click on link or visiting pages which you are not sure about. Do not take the bait from phishing email or messages. And don’t forget to keep on cleaning your gadgets from time to time.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s