It Is Time for Indonesia to Have a Personal Data Protection Law

By: Sonny Zulhuda


There are three matters that demand an answer from us:

  1. The personal data of Indonesian citizens is increasingly exposed, misused and exploited by the greed and avarice of Big Data operators.
  2. The personal data of Indonesian citizens has become the plaything of those who will not stop exploiting Indonesia's economic resources and strength.
  3. The personal data of Indonesian citizens is the daily fodder of social media, intrusive technology and criminals who may pounce on us at any moment.

Where is the legal protection? This is where the significance of a Personal Data Protection Law (UU Perlindungan Data Pribadi) lies.

What exactly would such a law regulate and protect? What rights do individuals have over their own data? What limits are imposed on those who wish to use other people's personal data, whether for business or other purposes?

These are among the main ideas set out in my presentation at Universitas Muhammadiyah Purwokerto on 21 September 2019. Participants may download the SLIDES here: >> Hukum Data Pribadi UMP 210919

In this National Seminar organised by the Faculty of Law of UM Purwokerto, besides myself, my friends Dr. Iwan Satriawan from FH UMY and Mas Bayu Setaiawan, S.H., M.H., from FH UM Purwokerto will also contribute their thoughts. Also joining is Sdr. Teguh Arifiyadi, S.H., M.H.

I hope we can all make good use of this opportunity for fellowship and exchange of ideas. My thanks to the Rector, Dr. Anjar Nugroho, and the Dean, Ibu Susilo Wardana, SH., SE., M.Hum., for the opportunity given to me.

Nashrun minallah wa fathun qariib.


Cryptocurrencies and Anti-money Laundering Laws: The Need for an Integrated Approach

By: Sonny Zulhuda


My latest book chapter, co-written with my colleague Dr Mohd Yazid Zul Kepli, who also led the project.

“Cryptocurrencies and Anti-money Laundering Laws: The Need for an Integrated Approach”

This chapter attempts to clarify and describe the legal and regulatory framework for cryptocurrency, with special focus on Malaysia, and the threats it poses from the anti-money laundering perspective.

Currently, very few countries have legislation that regulates cryptocurrency. Nonetheless, the wild surge in prices (more than 20-fold at some point) has sent both legitimate investors and criminals flocking to cryptocurrencies.

This chapter analyses and compares official reports from various governments, the writings of government officials, experts and scholars in journals and newspapers, and interviews, and draws conclusions on the legal framework of cryptocurrency and the money laundering challenges.

The study notes the decision of US regulators to allow Bitcoin futures to trade on major exchanges as one of the reasons behind the sudden surge. The study also finds the South Korean regulators' approach of banning their financial institutions from dealing in virtual currency to be a positive one.

The chapter stresses that it is not adequate for regulators merely to warn the public to act with extreme caution and to increase their understanding of the risks they take on if they choose to invest in cryptocurrencies. Instead, comprehensive international and national laws and regulations for the control and management of cryptocurrencies are necessary. In addition, the anti-money laundering legal framework must be improved to cater for the new threats posed by cryptocurrency.


Kepli, M. and Zulhuda, S. (2019), “Cryptocurrencies and Anti-money Laundering Laws: The Need for an Integrated Approach”, Oseni, U., Hassan, M. and Hassan, R. (Ed.) Emerging Issues in Islamic Finance Law and Practice in Malaysia, Emerald Publishing Limited, pp. 247-263.

International Conference on Community Development (ICCD) 2019

By: Sonny Zulhuda

This ICCD Annual Conference 2019 is the sixth edition of the yearly academic event held by the Association of Muslim Community in ASEAN (AMCA).

This edition takes place in Bandar Seri Begawan, Brunei Darussalam.

The opening of the Conference was officiated by HE Dr Sudjatmiko, Ambassador of the Republic of Indonesia to Brunei Darussalam.

In his speech, the Ambassador congratulated the organisers and expressed his high hopes that the participants would come up with concrete answers or proposals to the many problems faced by people today.

In this Conference I will deliver a keynote inshaAllah.


By: Sonny Zulhuda

I had the honour of delivering a session on cyberlaw and cyber crimes as part of legal curriculum development at IAIN Padangsidimpuan, North Sumatera, Indonesia.

The event is aimed at sharing with lecturers from the Faculty of Syariah and Law so as to integrate cyberlaw issues into the curriculum, in answer to the challenges of Industrial Revolution 4.0.


The Rector, Prof Dr Ibrahim Siregar, opened the forum with an impressive message to all participants.

In his speech, Prof Ibrahim encouraged all staff to pursue higher studies, including attaining professorships.




The Blue Oceans for the Data Protection Officers (DPO)

By: Sonny Zulhuda

I recently concluded my talk at the Data Protection Excellence Network Forum 2019, at the invitation of Singapore Management University (SMU) and Straits Interactive, on Tuesday this week (11/6/2019).

Featured together with me in the opening panel session were Commissioner Raymund Enriquez Liboro (Chairman of the Philippines National Privacy Commission), Dr Yudhistira Nugraha (Ministry of Communications and Informatics of Indonesia) and Kevin Shepherdson (Straits Interactive Singapore), discussing the trends and challenges of data protection law in the region and the new market demand for Data Protection Officers (DPO). The event, with over a hundred attendees, was officiated by Dr Lim Lai Cheng, Executive Director of the SMU Academy.

Each of us spoke about the development of data protection law in Malaysia, the Philippines, Indonesia and Singapore respectively.

Malaysia first enacted its law in 2010. Both the Philippines and Singapore followed suit in 2012. Indonesia is currently preparing a draft bill and is expected to legislate by next year (2020). In terms of enforcement, Singapore has recorded dozens of fines and notices imposed for contraventions of its personal data protection law. Meanwhile, the Philippines may only expect enforcement to begin next year, in 2020.

In Malaysia, efforts to implement the law come as a combination of prosecution, inspection, the establishment of codes of practice and public education.

In Malaysia there have been at least five successful prosecutions of data users who contravened the PDPA 2010. It was also noted that six sectoral data user forums had registered their Codes of Practice (COP), covering the banking and insurance, electricity, telecommunications, aviation and legal services sectors.

In 2018 alone, the office of the PDP Commissioner carried out at least 57 inspections of data users nationwide. Empowered under section 101 of the PDPA 2010, such inspections are meant to promote compliance with the law while correcting and improving data users' practices in processing personal data.

There was one interesting finding from the talk session. All four countries share the view that data users should be legally required to appoint a Data Protection Officer, a specifically designated high-level official to oversee the growing challenges of data governance. Singapore and the Philippines already have this in their laws. The Indonesian draft bill includes it. And the Malaysian government is looking to consider the matter in its ongoing review of the law.

The DPO role is a blend of new skills. Straits Interactive noted that lawyers and IT professionals each make up about 30% of DPOs. The rest come from business management, HR, accounting, marketing and other backgrounds. There is therefore an emerging need to standardise the skill set, hence the need for certification. The good news is that this skill is acquirable.

In that Forum, crowded with more than a hundred data users and data protection professionals from Singapore and the region, the demand in this market could not be overstated. It is simply obvious and there for the taking.

So the ultimate message we had for all the lawyers, IT professionals and virtually everyone is that there is a blue ocean in front of us now for highly demanded data protection professionals. Let us swim there!

Reliability of the Election Information System – Where Do We Start?

By: Sonny Zulhuda

Discussion of the problems with the IT system (more precisely, the information system) of the KPU (General Elections Commission) can start by dissecting it with the "CIA" scalpel: the confidentiality, integrity and availability of the system.

These aspects underlie the reliability criteria for electronic systems set out in Article 16 of Law No. 11/2008 (UU-ITE), and they have also become the conceptual basis for criminalising cybercrime under the Budapest Convention 2001.

First, CONFIDENTIALITY of the system. The essence is that a secure information system must keep the system confidential and restrict access only to those who are genuinely authorised.

Questions that can be put forward include:
1. Who can access the KPU's IT system?
2. Who is authorised to hold access credentials (passwords, PINs, etc.) for the system?
3. Can the management of the KPU's IT system be accessed and manipulated by unauthorised persons?

Second, the integrity of the information system. The main message is that the information system, including all related data and processes, must be beyond doubt in its validity, correctness and completeness. Anything that could reduce the integrity of the system must be eliminated.

Matters that can be examined include:
1. Has the accuracy, completeness and factual correctness of incoming data been verified? For example, is the DPT (final voter list) accurate? Is the vote count correct?
2. Has the reliability of the system been tested for resistance to hacking?
3. Is there a system for testing the validity of data that will be, is being, and has been processed?
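The integrity questions above can be turned into a concrete check. The following Python is an example added here; it is not part of the original article and does not describe any actual KPU system. It keeps per-polling-station count sheets in an HMAC chain, so that altering a sheet, reordering sheets or removing one from the middle is detected, and it runs a plausibility check on each sheet before any cryptography. The key, the records and the field names (tps, votes, invalid, ballots) are all constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key and per-polling-station count sheets; the field names
# (tps, votes, invalid, ballots) and all numbers are assumptions for this example.
LEDGER_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32

SAMPLE_TALLIES = [
    {"tps": "TPS-001", "votes": {"A": 120, "B": 95}, "invalid": 3, "ballots": 218},
    {"tps": "TPS-002", "votes": {"A": 88, "B": 140}, "invalid": 2, "ballots": 230},
    {"tps": "TPS-003", "votes": {"A": 150, "B": 150}, "invalid": 0, "ballots": 300},
]


def canonical(record):
    """Deterministic serialisation: same data -> same bytes -> same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def validate_record(record):
    """Plausibility checks on one count sheet (the 'is the data accurate?' question)."""
    problems = []
    counts = list(record["votes"].values()) + [record["invalid"], record["ballots"]]
    if any(not isinstance(c, int) or c < 0 for c in counts):
        problems.append("negative or non-integer count")
    elif sum(record["votes"].values()) + record["invalid"] != record["ballots"]:
        problems.append("valid + invalid votes do not equal ballots cast")
    return problems


def build_ledger(records, key=LEDGER_KEY):
    """Chain the sheets: each tag authenticates its record and the previous tag."""
    ledger, prev_tag = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev_tag + canonical(rec), hashlib.sha256).digest()
        ledger.append({"record": rec, "tag": tag.hex()})
        prev_tag = tag
    return ledger


def verify_ledger(ledger, key=LEDGER_KEY, expected_head=None):
    """Recompute the chain. Returns (ok, first_bad_index, problems).

    expected_head is the last tag as separately published by the issuer; without
    it, silently dropping the newest sheets is not detectable.
    """
    prev_tag = GENESIS
    for i, entry in enumerate(ledger):
        rec = entry["record"]
        problems = validate_record(rec)
        if problems:
            return False, i, problems
        expected = hmac.new(key, prev_tag + canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return False, i, ["chain tag mismatch: sheet altered, reordered or a predecessor removed"]
        prev_tag = expected
    if expected_head is not None and not hmac.compare_digest(prev_tag.hex(), expected_head):
        return False, len(ledger), ["head mismatch: ledger truncated or not the published version"]
    return True, None, []


def demo_tamper_cases():
    """Constructed tampering scenarios -> {case: (ok, first_bad_index)}."""
    good = build_ledger(SAMPLE_TALLIES)
    head = good[-1]["tag"]
    cases = {"untouched": verify_ledger(good, expected_head=head)[:2]}

    # Plausible-looking edit: 10 votes moved from B to A on TPS-002 (sums still add up).
    t = copy.deepcopy(good)
    t[1]["record"]["votes"]["A"] += 10
    t[1]["record"]["votes"]["B"] -= 10
    cases["moved votes"] = verify_ledger(t, expected_head=head)[:2]

    # Arithmetic error on the sheet itself, caught before any cryptography.
    t = copy.deepcopy(good)
    t[2]["record"]["ballots"] = 299
    cases["bad arithmetic"] = verify_ledger(t, expected_head=head)[:2]

    # A station's sheet removed from the middle; the next tag no longer chains.
    cases["middle removed"] = verify_ledger(good[:1] + good[2:], expected_head=head)[:2]

    # Two sheets swapped.
    cases["reordered"] = verify_ledger([good[1], good[0], good[2]], expected_head=head)[:2]

    # Newest sheet silently dropped: the chain alone is consistent; only the
    # published head exposes it.
    cases["tail dropped, no head"] = verify_ledger(good[:-1])[:2]
    cases["tail dropped, with head"] = verify_ledger(good[:-1], expected_head=head)[:2]
    return cases


if __name__ == "__main__":
    for case, result in demo_tamper_cases().items():
        print(f"{case:25s} ok={result[0]!s:5s} first_bad_index={result[1]}")
```

Two caveats a practitioner would want. The HMAC key must stay with the party attesting the tallies; anyone who holds it can simply re-chain a modified ledger, so the check only proves that the key holder did not notice a change, not that the key holder is honest. For public verifiability, which is what an election demands, the HMAC over the same chained input would be replaced by a digital signature, so that anyone can verify with the public key while only the key holder can sign, and the final tag (the head) would be published together with the number of sheets so that truncation is also detectable.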

Third, the availability and accessibility of the information system ("Availability"). The essence is that a reliable system is one that can function according to its stated purpose and timeline. The system must be robust and resilient, and reduce the risk of information uncertainty.

To that end, one can investigate, among other things:
1. Is the KPU's IT system always online and properly accessible to its users (the public)?
2. Have the operators anticipated the risks of attacks on the system?
3. Does the KPU's information system have appropriate security and recovery procedures for dealing with data crises such as downtime, hacking incidents, disasters and so on?

An important foundation for all three factors is good governance, which requires exemplary, transparent, honest and fair leadership.

That is all, just a modest contribution.
Article written at <>

A New Boardroom Affair is Called 'Data Protection'

By: Sonny Zulhuda

Data is an asset in today's interconnected world. With the changing digital lifestyle and the emerging digital workplace, managing personal data has become a key trust factor for organisations.

The digitalisation of processes and records, the mobile workplace concept, the synchronisation of gadgets and data, and the emergence of smart contracts have all contributed to this change.

Internally, managing data is critical asset management. Externally, it becomes a shield of legal compliance as well as a key competitive value in an increasingly regulated environment.

In many parts of the world, Personal Data Protection (PDP) has been made a critical trade issue, including a potential trade barrier in the event of trans-border data transfer.

The EU General Data Protection Regulation (GDPR) is setting a new global PDP benchmark. Meanwhile, in this part of the world, Malaysia, Singapore and the Philippines are already enforcing their respective PDP laws. Indonesia and Thailand will soon follow suit as they draft and enact their laws.

PDP law requirements raise a new set of data due diligence obligations for organisations. Privacy Impact Assessment (PIA) and data breach notification (DBN) are among the legal regimes that require careful due diligence under PDP law.

In short, every stage of the data management life cycle now has to be embedded in comprehensive, cross-sectoral governance within virtually every data-reliant organisation.

Data management policies need to be comprehensive and up to date. Public communication has to be real-time. For that purpose, we require not only a specially designated high-level data protection officer (DPO), but also a regular transparency report on our data affairs.

Gone are the days when data protection was seen as a merely technical and trivial issue. PDP is now a boardroom issue, looking out for both reputational and legal risks and opportunities.
