“Right to be Forgotten” in Indonesian Data Protection Law (A Focus Group Discussion with BINUS University)

By: Sonny Zulhuda

This report is based on what has been written on BINUS Website in the original Indonesian version. The Focus Group Discussion took place on 11th August 2018 in Kuala Lumpur. The participants were Prof. Dr. Shidarta, Prof. Dr. Bambang Pratama, and Reinhard Christian Surya from BINUS Law School, Jakarta and myself. The main topic was on the the right to be forgotten.

I reckoned in that meeting that the regulation on right to be forgotten as introduced in the latest 2016 amendment to the Indonesian e-transactions laws (namely UU ITE in Indonesian) was a drastic development bearing in mind that there is still no comprehensive legislation in Indonesia dealing with the protection of personal data which is now increasingly becoming a new global norm. In my view, Indonesia should first settle with the currently ongoing debate on the draft bill of the Personal Data Protection law.

Right to be forgotten is indeed a sub-set of many rights relating to personal data processing of an individuals. In many laws, this right to be forgotten is interchangeably discussed with the right to data deletion.

fgd binus 2018

In Malaysia this right is impliedly given because it mandates every data user (those who process personal data of individuals) to ensure data are deleted when they are no longer necessarily required. Similar provisions can be found in the laws of other countries such as UK, Hong Kong and Singapore. In Indonesia, there is still no law (Undang-undang) which defines and lays down similar requirements.

In its Indonesian report, the Website continues to note: Continue reading

Advertisements

Gaduh Data Facebook

This post was first published by Indonesian Daily Harian Republika in its Op-ed column on Monday, 26 March 2018. Reproduced here for educational and non-commercial purposes.

Oleh: Sonny Zulhuda

Berita terungkapnya penggunaan data 50 juta pengguna Facebook di Amerika Serikat (AS) menambah panjang daftar keresahan dan keluhan masyarakat internasional terhadap media sosial yang dipimpin oleh Mark Zuckerberg itu.

Terungkap, data tersebut digunakan konsultan pemilu Cambridge Analytica di AS untuk menganalisa pola dan kecenderungan warga calon pemilih di Pemilu AS. Perusahaan ini juga dianggap menyukseskan kemenangan Donald Trump pada Pemilu 2016 lalu.

Walaupun sepak terjang konsultan Pemilu sudah sering kita dengar, kali ini kita mendapatkan fakta gamblang bagaimana analisis big data dilakukan terhadap jutaan calon pemilih dengan tujuan melakukan pemetaan pemilih serta penyebaran propaganda peserta pemilu secara langsung ke sasaran.

Gambaran mudahnya, jika dalam pilkada daerah X diketahui sejumlah besar warga pemilih dalam di wilayah itu menyukai sepakbola, maka sang konsultan akan mengemas si cagub atau cabup sebagai seorang yang gemar sepakbola serta mengusung agenda terkait sepak bola untuk bahan kampanyenya.

Yang menjadi kegundahan dan kegaduhan adalah data analytics tersebut dilakukan berdasarkan data pribadi pengguna media sosial yang sebelumnya tidak pernah diberitahu bahwa datanya akan dipakai untuk keperluan komersial oleh konsultan pemilu itu.

Dalam konteks etika dan hukum, hal ini bisa dianggap breach of confidence atau breach of privacy, semacam pelanggaran atas privasi dan kerahasiaan yang bisa mengakibatkan kesalahan perdata bahkan pidana.

Apalagi, kita tahu data pribadi kita di Facebook bisa sangat menyeluruh. Mulai dari identitas (nama, tanggal lahir, nomor KTP/Jaminan sosial); data historis (asal daerah, pendidikan, pekerjaan, karier); data geografis (tempat tinggal, perjalanan, komunikasi); biologis (gambar wajah dan anatomi tubuh yang memaparkan tinggi dan berat badan, wana kulit, rambut dan mata); sampai data lainnya, seperti preferensi, anggota keluarga, pilihan politik, pertemanan dan lain-lain.

Continue reading

Personal Data Protection Law in Indonesia: The Law No. 11/2008 (“UU-ITE”) and its Amendment in 2016

By: Sonny Zulhuda

wonderful indonesiaIndonesia slowly emerges to put some regulations in place pertaining to the cyberspace activities. Few laws and regulations now come up that address personal data protection (PDP). In this first post, I would like to highlight some rules of personal data protection law as found in the first Indonesian cyberlaw, i.e. Law on e-Information and e-Transaction.

Law No. 11/2008 (“UU-ITE”)

First is the “Undang-undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik” (popularly known as UU-ITE in Indonesian) or the Law No. 11 Year 2008 on the Electronic Information and Electronic Transaction (“Law No. 11/2008”).

This Law only has one section that addresses the issues of informational privacy or personal data protection, namely section 26. I had written some comments on this provision in my previous blog. In sum, section 26(1) provides for a general rule that consent is required whenever personal data is being electronically “used” (instead of “processed” – see my comments below). Section 26(2) provides that any breach or infringement of section 26(1) can be a basis for remedies.

Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:

(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.

(2) Every person whose privacy right is infringed upon as referred to in clause(1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).

Meanwhile, the statutory elucidation of the Act explains that this provision is an acknowledgement of the privacy right protection. It goes on explaining that, the meaning of privacy right includes the following:

  1. A right to enjoy a private life free from interference;
  2. A right to communicate with other persons free from spying/surveillance;
  3. A right to access to information about his private life and private information.

Continue reading

Data Protection in the Era of Big Data, the Internet of Things (IoT) & Cloud Computing

By: Sonny Zulhuda

ALB Conference 2015This is the second such conference being organised by ALB/Thomson Reuters on Data Protection following the successful event a year ago. I spoke in a panel session last year, and will be speaking again this time. The conference will be on Thursday, 7th May 2015 at the JW Marriott Kuala Lumpur.

Keynotes will be delivered by Trevor Hughes, President of the International Association of Privacy Professionals (IAPP); Dr. Zainal Abidin Sait, Deputy Director-General of the Personal Data Protection Malaysia Department (PDPD); and Prof. Abu Bakar Munir, who was the Data Protection Consultant to the Malaysian Government.

My panel session is the one slotted at 16:10, focusing on “Data protection in the era of Big Data, the Internet of Things (IoT) & cloud computing,” covering the Jurisdiction and marketplace: Asia Pacific, EU and US.

Continue reading

Whither Digital Privacy: Be afraid, be very afraid!

By: Sonny Zulhuda

imageA quick takeaway from a closed session on Students’ Digital Privacy yesterday at Le Meridien KL (June 7th, 2013), I’d like to share what California-based Jeff Gould presented.

The SafeGov.org CEO told the audience of their research findings, among others:

  • The high significance of Facebook “Like” in profiling the identity of FB users;
  • Real possibility of identifying a person via DNA reconstruction taken from a gum;
  • Telco’s effort to provide some form of customer’s surveillance as their enhanced service;
  • ISP’s role in protecting children privacy through contractual agreements with the users/subscribers

Many things shared which are not new issues but came with novel modus operandi. We just need to be vigilant.

The closed session was attended by representatives from Cybersecurity Malaysia, Parents Action Group for Education (PAGE), FOMCA, Microsoft Corp, India-based CUTS and some local universities. Mr. Rosly Yahil from Cybersecurity Malaysia spoke about various initiatives taken in Malaysian context in dealing with the issues.

During the Q&A session, I managed to share with the floor on several issues and development on data privacy in Malaysia: Continue reading

Consumers to take control of their Personal Data

My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s page HERE.

======================================

“Consumers, take control of your personal data”

The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.

Credit: The Star Online

Credit: The Star Online

EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.

It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?

This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.

Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.

Continue reading

PDP Act Compliance Program – Where to Start?

By: Sonny Zulhuda

success manThis New Year was marked by concerns about complying with the Personal Data Protection (PDP) Act 2010 for Malaysian data users: Bankers, Telco’s, Insurers, Hospitals, Marketers, Airliners, Property Sellers, and many more.

For data users, this is what you may consider:

1. Get to know about the law and its implication to you;

2. Make self-assessment on your current business processes to what extent it complies (or not) with the law;

3. Plan a massive personal-data compliance programme.

For the first one, the shortcut is to attend forum, workshops or training on Personal Data Protection law. There are now few such training in the market. Identify them and get involved. There are few types of training you can consider, according to your needs:

Continue reading

  • March 2019
    M T W T F S S
    « Feb    
     123
    45678910
    11121314151617
    18192021222324
    25262728293031
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,613 other followers