According to Tirto.id, in August 2019 the Jakarta Legal Aid Institute received thousands of complaints from the public regarding the misuse of personal data. The cases varied, ranging from bullying and online money loans to buying and selling sex workers on social media. One of the issues that caught the public’s attention the most was the signing of a Memorandum of Understanding (MoU) by the Ministry of Home Affairs (Kemendagri) to provide access to population data to 1,227 government and private institutions. Although the Ministry of Home Affairs has stated that the private sector cannot access all of the data, it has not explained where the limits lie.
According to the Advocacy Coalition for the Protection of Personal Data, the use of population data for development purposes still has to guarantee everyone’s right to protect personal data. Such use must not compromise the protection of personal data belonging to the community. Prompted by this case, BALAIRUNG had the opportunity to interview Damar Juniarto, Executive Director of the Southeast Asia Freedom of Expression Network (SAFEnet), a regional organization that focuses on defending digital rights in Southeast Asia. In the interview, Damar explained how important personal data protection is for the public.
What is personal data?
First, we need to know what is meant by public data and sensitive data. In Indonesia, there is a Population Administration Law, in which it is formulated that data relating to population have details. Our e-KTP (electronic ID card) data, such as name, birth mother’s name, address, religion, fingerprints and even the retina of the eye, are referred to as population data. The name counts as data for the public because everyone can know that Damar Juniarto is an Indonesian citizen.
This is unlike sensitive data, which concerns the person themselves and is risky if it is disseminated. For example, the name of the biological mother is related to opening a financial account. Another example is health data, such as the BPJS number, which is sensitive data because there is a history of health data. So, what is considered to be protected is sensitive data, not the whole.
How does the state manage people’s personal data?
The state requires every citizen who is 17 years old to submit their data in making an e-KTP, which will be recorded as population data. Law (UU) No. 23 of 2006 concerning Population Administration stipulates that the state must create a protection and storage system so that the data is not damaged or misused once citizens have submitted it.
How is personal data protection in Indonesia? Are there any specific rules?
Not available. The government is trying to formulate this regulation in the Personal Data Protection Bill (RUU PDP). However, until now, it has not been finalized within the government itself.
I saw its contents; apparently, the drafting of the PDP Bill leans more toward the understanding that personal data is someone’s property right. That is, the emphasis is on the economic aspect. For example, in its formulation, if it is discovered that the collection and use of data are not under the agreement, citizens can file charges against the abusing party. If they are proven to have failed to protect it, they can be given administrative sanctions or fines because the concept is property.
When formulated like that, we miss two crucial aspects of personal data protection: the overall security and behavioral elements. Personal data is not just an economy but a recognition of security. Because personal data misuse is not only for corporate or business interests, someone can misuse it for criminal purposes. For example, it is used to direct attacks against someone. Therefore, recognition of security should be stated in the formulation of the PDP Bill.
Then the second, behavioral aspects or data collection activities in a political context. For example, the Cambridge Analytica case, when personal data was used for political purposes. That case should also be stated in the PDP Bill because personal data protection must be discussed holistically. All aspects of a person’s personal data are protected in the PDP Bill.
What is the chronology of data abuse in the Cambridge Analytica case?
The chronology of the Cambridge Analytica case is when a user submits his data while taking a quiz. Users are not aware that their personal information is being misused for mapping, profiling political choices. The essence of submitting personal data to other parties is the awareness to use data for underwritten purposes. If the stated purpose or terms and conditions are changed or manipulated, then there is a possibility of a personal data breach.
What risks can arise with the development of the financial technology (fintech) industry in Indonesia?
There are two industries at risk: financial institutions and telecommunications institutions. Financial institutions are the source of the problem. In the past, before there was digital, there were often incoming messages in the form of offers for credit opening; now especially, it is increasingly chaotic.
Today, financial institutions are growing. One of them is the development of financial technology (fintech). Fintech, as a breakthrough in technological innovation that provides finance in a micro-context to society, seems to ask for too much data. In practice, fintech does not comply with OJK regulations. Fintech requests data to access contact lists, and some applications even request access to photos and documents.
This practice raises problems in fintech. There are about a thousand complaints related to fintech cases. The complaints arose because of a weak verification system in which, armed only with an identity card and a selfie, a person could have an account and could apply for a loan of up to thirty million.
It appears that organized criminals are using this method to break into loans from companies. The mode is by tricking others first. Users only need to send an e-KTP photo and a selfie holding the e-KTP to get the prize. The image is then used to open an account in an online loan. This scheme proves how weak the leverage system is, and we cannot blame the community, because they are also victims. There should be action against these organized crimes.
Then, the collection of debt payments made by fintech companies usually comes with crimes in the form of terror. Why can they do terror? They can message the contacts on someone’s cell phone and press them to tell the debtor to pay because they have access to contacts. With access to the gallery, they can share photos, manipulate, and add embarrassing words via social media.
Almost all applications require personal data, so how vulnerable is the user’s data being misused?
In my opinion, the odds are even; anyone can be a victim of abuse. If residents realize that they have the right to protect personal data, they can place restrictions on the use of the application. When there are applications that ask for personal data, they have the same opportunity because there is no personal data protection. So the key is that people know that the application can trick them. The challenge is whether or not they are prepared to raise objections about too many requests for data.
In online transportation, there are two kinds of data that often leak, namely geolocation data and telephone numbers. This leak is usually the subject of complaints, because these two kinds of data usually lead to someone getting threats when they give a low rating to the driver, since the phone number and geolocation are leaked. Indeed, the application provider system does not think about the concept of security, which should be someone’s right. In that case, if there are rules that have been enforced, the consumer can file a claim.
How much access does the government have to wiretap the citizens’ devices?
The aspect of security must be holistic. So the emphasis in many countries is that individual security takes precedence over state security. But in many countries, especially undemocratic countries such as China and Iran, individual security is not recognized. Instead, what takes precedence is state security. Fortunately, that is not the case in Indonesia; we are a democratic country. However, Indonesia tends to become an undemocratic country.
The state has the right to prioritize state security above individual security. However, there are prerequisites. For example, in wiretapping, the primary condition is that the tapped person has committed a criminal act. If it does not meet these prerequisites and there is no court order mechanism, then wiretapping may not be carried out. We need protection from tapping practices. It’s just that in the Indonesian context, the regulations regarding wiretapping have not yet become one; there are no specific rules regarding wiretapping.
In your opinion, how is the awareness of the Indonesian public regarding the importance of personal data?
That’s what I’m worried about; not everyone is aware that they have the right to protect their data. Education needs to be carried out by the state, academics, media, technology groups, and businesses and corporations. All sectors that are engaged in internet telecommunications must continue to socialize the importance of protecting personal data.
Not everyone is aware of the importance of maintaining privacy, for example, when we share locations on the internet. People don’t realize that it’s not just friends who can see it. The system can also see and record all the information we share, including our location. In fact, there are still many gadget users who don’t know about this.
What challenges does Indonesia face in protecting personal data in the digital era?
The challenges in today’s era are more complex; in the past, privacy was inherent. When it has entered the digital world, on the contrary, privacy does not come by itself. Hence efforts to protect personal data should be encouraged.
The digital era’s biggest challenge is how everyone understands not to put sensitive data in public carelessly. Therefore, there needs to be a system to protect it. That is the criticism in the current condition.
Author: Afnan Karenina Gandhi, Syifa Hazimah Hana Aisyi, Isabella (Intern)
Editor: M Rizqi Akbar
Translator: Samuel Johannes