Urgensi Undang-undang Perlindungan Data Pribadi di Indonesia 


This post, based on my interviews, had first appeared in Antara News Website on Tuesday, 6th March 2018 16:56 WIB at this link 

Kuala Lumpur, 6/3 (ANTARA News) – Dosen Cyberlaw Fakultas Hukum International Islamic University Malaysia, Dr Sonny Zulhuda, mengharapkan pemerintah dan Parlemen Indonesia segera membahas RUU Perlindungan Data Pribadi agar penyalahgunaan data pribadi tidak terjadi.

“Patut diakui Indonesia masih tertinggal dalam hal ini. Meskipun kita memiliki beberapa peraturan perundangan, hal tersebut masih bersifat generalis namun minimalis,” katanya.Dia mengemukakan hal itu di Kuala Lumpur, Selasa, ketika dimintai tanggapan adanya penyalahgunaan Nomor Induk Kependudukan (NIK) dan Kartu Keluarga (KK) terkait laporan masyarakat yang menemukan pendaftaran sejumlah nomor dengan satu NIK.

Ada peraturan yang agak spesifik, kata dia, namun hanya berlaku bagi data dalam media elektronik dan bentuknya berupa regulasi yang tidak menyediakan sanksi perdata maupun pidana.

Dia mengatakan, saat ini sudah ada usaha menyiapkan draf RUU Perlindungan Data Pribadi namun masih belum diketahui kapan akan dibawa ke parlemen untuk diperbincangkan dan diputuskan. Artinya masih panjang perjalanannya untuk disahkan menjadi undang-undang.

Dalam era “big data” ini, data merupakan aset dan komoditas. Juga menjadi obyek perlindungan hukum. “Di tengah-tengah eksploitasi data baik oleh pemerintah, industri maupun individu yang berkepentingan, perlindungan terhadap data pribadi menjadi keniscayaan,” katanya.

Di Indonesia, data-data pribadi terkait kependudukan dan demografis seperti NIK, KTP elektronik dan KK sangat penting dilindungi agar tidak mudah dieksploitasi.

Continue reading

Advertisements

March 17, 2018
Categories: Uncategorized . . Author: Sonny Zulhuda . Comments: Leave a comment

Data Breach a Test to Our Digital Resilience

By: Sonny Zulhuda
DSC_0025
Malaysian public has recently been perturbed by a series of personal data breach one after another. While the investigation is taking place, one can only expect that what has surfaced may only be a tip of an iceberg.
As the country embraces digital economy and aims at a cashless society by 2020, this data security crisis becomes a part of the equation. More digitised information and more synchronised data mean a bigger risk of data breach calamities. As a country, there is no backing out from this equation even though that means we have to learn it hard.
As a consequence, a data breach is not a matter of ‘whether’ but is a matter of ‘when’ it will happen. This requires us to adopt a risk management approach. Failure of managing the risks can be increasingly costly. The problem is, it is too often when we realise there is a data, it may be already too late. The alleged leak and illegal sale of Malaysian telecommunications data are said to have happened years ago. By now, we are already five years too late!
Time is of the essence here. As we start to learn about the breaches that took place, swift actions are warranted. There are few points to consider by all the stakeholders.
Firstly, data users can do the least by keeping the public informed about what is going on.
Even though our PDP law does not oblige data users to notify data subjects about any breach, this is warranted for transparency and trust preservation, and hence their business continuity plan.
Secondly, we should treat this as an issue of national security.
Not only because massive data of the majority of the public is affected, but also because those data come from the telecommunications and financial industries which are deemed among the ten critical national information infrastructures (CNII) as outlined by the Malaysian National Cyber Security Policy (NCSP) 2006. So, data security under this CNII must be given utmost priority. Both public and private sectors must cooperate in dealing with the crises.
Thirdly, it is time to test the mechanism of our law.
These incidents of a personal data breach either maliciously or negligently occurred, will need to be tested against the Personal Data Protection principles enshrined in the Act. The authority needs to speed up the activation of the Personal Data Protection Act (PDPA) 2010 after some “day-nap”. Other agencies need to help in accordance with the statutory powers granted to each of them.

7E3A8212

The year 2017 is notably the beginning of some successful prosecutions under the Act, which is a crucial milestone in itself. On a positive note, we should take this crisis as an opportunity to also prove our legal mechanism. 

On top of that, what we are facing now is something bigger: it is testing our resilience as a nation. The challenge is more than a damage control: it is to deal efficiently with the massive data crisis like what is happening now.

This is not a one-off duty as data security is a process rather than a result. As Vince Lombardi was once famously quoted, it is not so much about how we fall down, but rather on how to raise back. And by “we” I mentioned in this last paragraph, it is you and me and every one of us the individuals to whom the personal data actually belong to.

November 28, 2017
Categories: Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Policing Cryptocurrencies

By: Sonny Zulhuda

This note was a reproduction of the same published by the New Straits Times here.

You-Can-Use-Bitcoins-Here

BANK Negara Malaysia (BNM) Governor Tan Sri Muhammad Ibrahim was recently quoted in theNew Straits Times as saying that guidelines governing cryptocurrencies were expected to be unveiled by the end of the year, which is less than three months from now.

Cryptocurrency is a digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of the banking system. It is an emerging financial technology enabled by innovation and is increasingly popular among Internet users. It challenges financial and regulatory rules on currency and payment systems.

BNM’s statement could not have come at a better time as cryptocurrencies, such as Bitcoin, are increasingly popular in Malaysia. Not only do we see companies and communities accepting Bitcoin, but small businesses, such as a nasi kerabu stall in Kota Baru, Kelantan, were also reported as accepting payment in Bitcoin.

As with any new and disruptive technology-based business phenomenon, cryptocurrency has its pro and cons. Proponents view it as a natural solution for fast-growing electronic commerce through a ubiquitous technology like the Internet. They also argue that cryptocurrencies benefit people who are otherwise denied access to banking services.

While allowing cryptocurrencies may signal our business friendliness to the digital economy, it also triggers risks and uncertainties. The greatest of them is their potential use in crimes, such as money laundering and financing terrorism. There have been instances in other countries where Bitcoin has been used in the Dark Web for illicit transactions. Indeed, the anonymity that comes with the use of cryptocurrency is a cause for concern as it makes it harder to ensure consumer protection.

Continue reading

October 31, 2017
Categories: Uncategorized . . Author: Sonny Zulhuda . Comments: Leave a comment

Apapun Disiplin Ilmumu, Pelajarilah Ekonomi Digital!

APAPUN DISIPLIN ILMUMU, PELAJARILAH EKONOMI DIGITAL!

Oleh: Sonny Zulhuda

APAC Cyber Summit 2016_1

1. Indonesia dan Malaysia melalui pemimpinnya masing-masing telah menetapkan bahwa Ekonomi Digital menjadi fokus utama dalam membangun negara dan meningkatkan ekonomi bangsa. Tidak hanya jalur lebar Internet yang diperhebat, namun penguasaan konten lokal dan industri kreatif kini menjadi generator baru bagi kemajuan bangsa.

2. Pengalaman saya selama 15 tahun sebagai peneliti, akademisi dan praktisi hukum teknologi informasi, melihat semakin perlunya kita untuk memparalelkan segala ilmu, pengetahuan dan teori yang kita pelajari dengan perkembangan dunia digital. Ekonomi digital yang didominasi dengan penguasaan teknologi informasi dan optimalisasi data mengharuskan kita menjawab berbagai tantangan digital.

3. Saya saksikan sendiri di berbagai universitas top di dunia seperti Oxford, Sydney, UNSW, Tsinghua, Toronto dan Yonsei University mereka sudah mendirikan lembaga kajian yang fokus terhadap isu konvergensi teknologi informasi dalam berbagai aspeknya. Universitas Indonesia dan UNPAD saya pikir sudah memulai lebih awal dalam konteks Indonesia. Yang lainnya, belum kelihatan! Sementara, semakin banyak pula lembaga internasional yang menyediakan program, beasiswa, fellowship dan event-event yang bertujuan mencari bakat-bakat muda dalam kajian konvergensi informasi ini.  Continue reading

July 10, 2017
Categories: Uncategorized . Tags: , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Speak Privacy an Asian Way — at Asia Privacy Bridge Forum in Korea

By: Sonny Zulhuda

seoul.jpg

Last week I received this invitation letter to speak at the Third Asia Privacy Bridge Forum, hosted by Barun ICT Research Centre, Yonsei University, Seoul, South Korea towards the end of June 2017. The Director of the Centre, Dr. Beomsoo Kim noted that this Forum is supported also by KISA (Korea Internet and Security Agency) and the Korean Ministry of Interior. I am asked to speak about the development of the data protection laws in two countries Malaysia and Indonesia.

This is an exciting surprise. Not only because it would be my first visit to Korea, but also because I will have an invaluable opportunity to mingle with the Asia Pacific and international network on privacy and data protection; and to share with them what is up in Malaysia and Indonesia on this subject.

There are other speakers who are expected to speak from different jurisdictions: Korea, Japan, Singapore and China including: 1. Dr. Beomsoo Kim (Yonsei University, South Korea); 2. Jongsoo Yoon (Lee & Ko, South Korea); 3. Dr. Kaorii Ishii (University of Tsukuba, Japan); 4. Dr. Warren B. Chick (Singapore Management University); 5. Dr. Sonny Zulhuda (International Islamic University Malaysia); 6. Mr. Eunsil Lee (Seoul Metropolitan Police Agency); and Rona Morgan, Singapore-based IAPP Asia Director.

After all, the event sets as an ultimate aim a common desire to move forward collectively and globally in addressing the challenges of enforcing data privacy laws.

From the Malaysian perspective, this is the time to showcase what it has done or set to do beyond the initial period of public education on the law. What has been done towards enforcement? That is specifically questions that I would like to share during the Conference. Besides, the fact that the industries have moved further to issue self-regulatory Codes of Practice is also a stimulating development.

From the Indonesian perspective, there is quite a few development to share. In the past year, it is noteworthy that the 2008 Law on Information and E-Transaction (“UU-ITE”) was amended by the  Parliament to strengthen some aspects of the law, including on the “Right to be Forgotten”. Then, still in 2016, the Information Minister issued a new Ministerial Regulation on the Protection of Personal Data Processed Electronically. This regulatory piece is indeed a milestone to the data privacy law in Indonesia, albeit that it is a subsidiary legislation, rather than a parliamentary statute. Beyond this, there is this Bill draft of the Personal Data Protection Act that has been consolidated in early 2017.

With all these development, I hope I can portray insightful updates to the Forum and ultimately to everyone who shares the interest on this subject. But first, let’s hope my visa is ready on time.

UPDATE: the visa was ready on 23rd June, and I’m scheduled to fly on Sunday night.

June 21, 2017
Categories: Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

May 16, 2017
Categories: Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

When Ransomware “WannaCry” Attacks

By: Sonny Zulhuda 

Alkisah aplikasi tebusan (Ransomware) “WannaCry” melanda dunia cyber global…

150 negara dilanda ributnya, ribuan dolar uang tebusan diminta, ratusan ribu komputer terinfeksi, jutaan data terancam musnah, dan pastinya kesusahan yang tiada ternilai menghantui para korbannya.. “princeless” – istilah sebuah iklan komersial.

Apa yang harus dilakukan? 

Menghadapi bencana digital seperti ini, berlakulah prinsip yang sama upaya “Penanggulangan Bencana” yang baru-baru ini saya pelajari dalam kursus Disaster Management bersama MDMC. Penanggulangan bencana dibagi kepada tiga fase:

  1. Fase pra-bencana
  2. Fase saat bencana
  3. Fase pasca bencana.

Ketika seseorang atau sebuah instansi sudah menjadi korban malware WannaCry ini, maka hal pertama adalah penanggulangan saat bencana.

Langkah-langkah yang diambil harus cepat, tepat dan bertujuan menghentikan bencana atau meminimalisirnya baik dengan cara teknis seperti menghentikan koneksi Internet sementara, menyetop aplikasi perkongsian data, atau mengoreksi setting sistem informatika sebuah organisasi. Selain itu, langkah non-teknis harus segera dibuat: notifikasi kepada segenap jaringan tentang masalah ini, dan mereduksi aktivitas yang memerlukan aplikasi jaringan. Kalau perlu bekerjalah menggunakan laptop lain yang tidak terinfeksi. Jangan lupa sampaikan ke jaringan kerja atau teman-teman di media sosial bahwa anda sedang menghadapi masalah ini sehingga komunikasi kemungkinan menjadi terhambat.

Saya jadi teringat adagium klasik “sebaik-baik obat adalah dengan menjaga kesehatan” yang sangat relevan dalam dalam dunia teknologi informasi. Dari segi teknis, langkah-langkah preventif seperti penggunaan aplikasi yg standard, anti-virus yang selalu ter-update, dan penyediaan back-up data menjadi keharusan. Karena jika piranti kita sudah diserang dengan berbagai “unsur jahat”, maka kadang-kadang upaya kuratif yang reaktif menjadi tidak bermakna.

Dalam perspektif hukum dan kebijakan, upaya preventif juga menjadi sebuah keharusan. Jika tidak ingin terjerat masalah cybercrime, misalnya.. maka jangan bermain dengan apinya. Jangan terpancing dengan rekayasa sosial (social engineering) yang menawarkan hadiah, romantika cyber, teman virtual atau sekedar promosi-promosi yang menggiurkan.

Jika sudah terpedaya dengan pancingan itu, jika sudah terkontaminasi komputer kita oleh virusnya, jika sudah diambil data-data penting kita.. maka langkah reaktif menjadi tidak berguna.

Masih inget Bang Napi? “Waspadalah!!”

May 15, 2017
Categories: Uncategorized . . Author: Sonny Zulhuda . Comments: Leave a comment

Previous page Next Page »
  • May 2018
    M T W T F S S
    « Mar    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  

  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,595 other followers