INTERNATIONAL JOURNAL OF SOCIAL SERVICE AND RESEARCH

 

MANDATE OF PROCUREMENT OF INDEPENDENT COMMISSION FOR PERSONAL DATA PROTECTION IN INDONESIA REVIEWED FROM INTERNATIONAL LEGAL INSTRUMENTS

Bella Christine

Tarumanagara University, Jakarta, Indonesia

Email: [email protected]

 

Abstract

Indonesia has entered the era of Society 5.0, in which technology has become closely attached to, and a major part of, people's lives. In using this technology, it is not uncommon for users to first register by entering personal data. The number of cases of leaked personal data, in both private and government agencies, shows the weakness of personal data protection in Indonesia. Therefore, a law that explicitly regulates personal data protection is necessary, and an independent commission for the protection of personal data is needed to monitor, take action, and enforce justice for victims whose data has been leaked, whether intentionally or unintentionally. Compared with neighboring countries such as Malaysia and Singapore, Indonesia does not yet have an independent commission to protect and monitor personal data. In addition, according to several international legal instruments, an independent commission for the protection of personal data is both a necessity and an obligation. This paper therefore discusses the mandate of establishing an independent commission for the protection of personal data in terms of international legal instruments.

 

Keywords: Mandate, personal data, independent commission, personal data protection

 

Received 15 September 2021, Revised 25 September 2021, Accepted 1 October 2021

 

 


INTRODUCTION

Information and communication technology has changed people's behavior and lifestyles globally (Pratama & Suradi, 2016).

According to the Regulation of the Minister of Communication and Information Technology Number 20 of 2016, what is meant by personal data is certain personal data that is stored, maintained, and kept true and its confidentiality protected. The scope of personal data is facts about an individual, communication or opinion of an individual that is private, confidential, or sensitive so that the individual concerned stores and distributes it in a limited manner to others (Sautunnida, 2018).

Personal data protection is one of the problems that society inevitably has to face in today's global era (Pratana, 2021). Based on data obtained from Id-SIRTII/CC (Indonesian Security Incident Response Team on Internet Infrastructure/Coordination Center), since 2013 the number of cybercrimes in Indonesia has continued to increase (Latumahina, 2014). The number of personal data leaks in Indonesia over the last few years also shows how weak the protection of personal data in Indonesia is. From May to November 2020, there were at least 7 cases of personal data leaks, which resulted in the personal data of more than 100 million Indonesian people being sold on various dark web forums. Furthermore, in May 2021, there was also a leak of population data by a government agency, BPJS. As a result of the data leak, the population data of as many as 279 million BPJS participants were sold on the dark web, and material losses amounted to Rp600 trillion. These cases prove that data leakage occurs not only in private agencies or companies but also in government agencies. They also prove that the protection of personal data in Indonesia is very weak and poor. In fact, the right to privacy or personal protection is one part of human rights whose mandate is contained in the 1945 Constitution of the Republic of Indonesia. Regulations regarding the protection of personal data must be considered one of the urgent areas by Indonesia (Perbawa, 2021). Moreover, because the PDP Bill has not been passed, victims whose personal data has been leaked have suffered losses, while the perpetrators have not received any sanctions or punishments.

After the amendment to the 1945 Constitution, the right to privacy, which also includes the right to personal protection, is one of the human rights and constitutional rights of citizens (Wahyudi Djafar, 2019). This constitutional right is contained in Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia, which reads "Everyone has the right to protect himself, his family, honor, dignity and property under his control, and has the right to a sense of security and protection from threats of fear to do or not to do something which is a human right." In addition, referring to the Constitutional Court Decision No. 5/PUU-VIII/2011, it is written that the right to privacy is also a part of human rights, and its scope includes information (right to information privacy), also known as data privacy (Niffari, 2020). Therefore, providing protection of citizens' personal data is a government obligation that must be fulfilled.

Indeed, the Indonesian government has begun to care about the protection of citizens' personal data. This can be seen from the Personal Data Protection Bill, which has been included in the 2021 Priority National Legislation Program (Prolegnas). In addition, the Ministry of Communication and Information has also planned to establish an independent commission for personal data protection. Such a commission can be the spearhead for ensuring that efforts to protect personal data are carried out and that controllers and processors of personal data, whether individuals, private legal entities, or public institutions, comply in protecting the data. In addition, once established, this independent commission will have limited authority and will only handle cases related to data privacy through the courts.

Apart from being one of the next steps by Kominfo to realize the constitutional rights of citizens, the mandate to establish an independent commission for the protection of personal data is also contained in various laws and international agreements. Therefore, in this paper, the author will comprehensively discuss how the mandate of the procurement of an independent commission for personal data protection is reviewed from international legal instruments. The paper focuses on the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990 and the APEC Privacy Framework (Secretariat, 2017). In addition, this paper will also present 2 (two) neighboring countries that already have independent commissions specifically for the protection of personal data, in the hope that Indonesia can follow the example of these 2 (two) countries.

 

METHOD

The research for the journal article entitled Mandate of Procurement of Independent Commission on Personal Data Protection in terms of International Legal Instruments was conducted using normative juridical research methods. Normative juridical research is one of the legal research methods carried out by examining library materials and secondary materials (Soerdjono, Soekanto & Mamudji, 1995). Normative juridical research is based on legal norms and literature that can be obtained from books, scientific works, journals, articles, encyclopedias, and other literary sources. The approach used is a statutory approach.

 

RESULTS AND DISCUSSION

1.  Overview of the Procurement of an Independent Commission for the Protection of Personal Data Based on the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990.

When talking about how to protect personal data as a humanitarian action, the main legal instrument reference is the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990. This international legal instrument explicitly states that the minimum requirement for the protection of personal data in a country is the existence of an independent personal data protection supervisory agency. The supervisory agency must be independent because the protection of personal data is binding on the public sector which includes individuals, private entities and government agencies. So, to ensure that adequate and strong protection is provided for the subject of personal data protection, this authority must be established as an independent public institution, free from all political power, government control in financial matters, and so on.

In the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990 there are 10 principles regarding minimum guarantees related to the protection of personal data that must be provided in the legislation of a country. These principles are: the principle of lawfulness and fairness; the principle of accuracy; the principle of the purpose-specification; the principle of interested-person access; the principle of non-discrimination; the power to make exceptions; the principle of security; supervision and sanctions; transborder data flows; and, last, the field of application. These principles are explained in detail and unequivocally. In addition, there are also provisions that explicitly explain that the application of the personal data file guidelines is guarded by governmental international organizations.

Although the contents of the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990 are in general about the necessity for a country to make and ratify a national law on the protection of personal data, the regulation also mentions and encourages each country to establish a special authority that handles the protection of personal data. The provisions regarding the establishment of a special authority for the protection of a country's personal data according to the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990 are contained in the fourth principle, namely the principle of interested-person access. In this principle there is a phrase that reads "Provision should be made for a remedy, if need be with the supervisory authority specified in principle 8 below." By emphasizing the phrase "if necessary with supervisory authorities", it can be interpreted that each country is encouraged to establish a special supervisory authority regarding the protection of personal data. Furthermore, the last phrase of the fourth principle reads "It is desirable that the provisions of this principle should apply to everyone, irrespective of nationality or place of residence.", which if translated means "This provision should be applied to everyone, regardless of nationality or place of residence." This phrase makes it clearer still that the establishment of an independent commission or authority for the protection of personal data is a must which applies to everyone and is not limited to the nationality of any country.

The establishment of a special authority is further regulated in the eighth principle, on supervision and sanctions. The first phrase of the eighth principle reads "The law of every country shall designate the authority which, in accordance with its domestic legal system, is to be responsible for supervising observance of the principles set forth above.", which when translated means "The law of each country must designate an authority according to the domestic legal system, which is responsible for overseeing the observance of the principles set out above." The principle expressly states that each country must appoint an authority for the protection of personal data to oversee the other principles. The next phrase in the eighth principle is "This authority shall offer guarantees for impartiality, independence vis-à-vis persons or agencies responsible for processing and establishing data, and technical competence." Here it can be seen again that the authority must be impartial and independent of any particular person or institution. These institutions include both private institutions and government agencies.

Therefore, these 2 (two) principles as regulated in the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990 (Herold, 2001) clearly explain that the establishment of an independent commission for personal data protection, apart from being a necessity for citizens, is also a mandate or obligation published by the UN international organization. The authority or commission established must guarantee independence and be free from any party or influence. This provision also confirms that it is not limited by nationality and applies to all people and countries.

2.  Overview of the Procurement of an Independent Commission for the Protection of Personal Data Under the APEC Privacy Framework.

The APEC Privacy Framework is a privacy framework by the economic cooperation organization of countries in the Asia Pacific region, namely the Asia Pacific Economic Cooperation (APEC). The privacy framework formulated by APEC was issued in 2004 and then amended in 2015 (Wahyudi Djafar, 2019). The establishment of a privacy framework by APEC is based on the importance of proper privacy protection for individual personal data, especially to protect against the negative impacts that are feared to arise from unauthorized institutions and misuse of personal data (Wahyudi Djafar, Sumigar, & Setianti, 2016). The APEC Privacy Framework recognizes the importance of developing effective privacy safeguards that avoid impediments to the flow of information and ensure sustainable trade and economic growth, particularly in the Asia Pacific region. The basic principles in the APEC Privacy Framework are: the principle of preventing harm; the principle of notification (notice); the principle of limiting the use of personal data (collection limitation); the principle of the use of personal data (uses of personal information); the principle of choice; the principle of integrity of personal data (integrity of personal information); the principle of security protection (security safeguards); the principle of access and correction; and the principle of accountability (Wahyudi Djafar, 2019). It is explicitly explained in the sixth article of the APEC Privacy Framework that this privacy framework specifically addresses basic concepts regarding the protection of personal data, as well as issues of special relevance to APEC members.

An independent commission on the protection of personal data is defined in article 10 of the APEC Privacy Framework. In that article the term used is "Personal Information Controller", which if translated into Indonesian is the controller of personal information. According to the APEC Privacy Framework, a personal information controller is a person or organization that controls the collection, storage, processing or use of personal information (Greenleaf, 2021). Such controllers also include persons or organizations that instruct other persons or organizations to collect, store, process, use, transfer or disclose personal information on their behalf. The explanation of article 10 states that APEC agrees that, in order to achieve the objectives of this privacy framework, a person or organization (country) can instruct an individual or an organization to collect, store, use, process, transfer or disclose personal information on its behalf. The controller of personal information is responsible for ensuring that the protection of personal data of citizens of APEC member countries is in accordance with the nine basic principles.

In the seminar on the Urgency of an Independent Supervisory Authority in the Protection of Personal Data, Wahyudi Djafar explained that the APEC Privacy Framework emphasizes the establishment of a personal data protection enforcement agency or institution, with the model left to each country. This is in line with article 31 of the APEC Privacy Framework, which explains that the provisions of the APEC privacy framework are intended to be implemented flexibly, in a way that can accommodate various implementation methods, including through a central authority, multi-agency enforcement, a network of designated industry bodies, a combination of these, or such other method as the APEC member deems appropriate.

3.  Countries That Have Succeeded In Establishing Independent Commissions for the Protection of Personal Data.

a.     Singapore

The Personal Data Protection Commission (PDPC) has been the independent commission for personal data protection in Singapore since 2013. This commission is attached to a previously existing institution, namely The Info-communications and Media Development Authority (IMDA), where IMDA is a former form of PDPC (Djafar & Santoso, 2019). The structure of the PDPC is selected and formed by the relevant ministers. The total membership of the PDPC is a minimum of 6 (six) members and no more than 20 (twenty) members (Djafar & Santoso, 2019).

Based on Singapore Act No. 20 of 2016: Info-communications Media Development Authority Act 2016, PDPC has 9 (nine) functions and duties, namely:

1)    Conduct socialization and encourage awareness of Singaporean citizens regarding the importance of personal data;

2)    Receive consultation, advocacy, technical, management, or services related to the protection of personal data of Singapore citizens;

3)    Provide input to the government on issues related to the protection of personal data;

4)    Conduct research and education on the protection of personal data;

5)    Represent international governments with regard to personal data;

6)    Regulate technical cooperation and exchanges related to the protection of personal data with other organizations and institutions;

7)    Enforce Singapore's personal data protection laws;

8)    Confirming the functions and duties of this commission (PDPC) according to other laws;

9)    Participate in other activities and carry out tasks with the permission of the minister or appoint commissions on orders from law.

b.     Malaysia

Pesuruhjaya Personal Data Protection Malaysia is an independent commission for personal data protection in Malaysia. The main differentiator between Malaysia's personal data protection law and those of other countries is its enforcement. In Malaysia only the private sector is bound by the country's Personal Data Protection Law, while the government sector is not subject to the Act (Djafar & Santoso, 2019). The Malaysian Personal Data Protection Commission is headed by a Commissioner. The commissioners are elected, inaugurated, and are responsible to the Minister.

Based on Malaysian Law AKTA 709: Personal Data Protection Deed 2010, the functions of the Commissioner are:

1)    Provide advice to the Minister regarding personal data protection policies;

2)    Implement and enforce the law on personal data protection, along with the formulation of policies and operating procedures;

3)    Socialize to associations or bodies representing data users to provide a code of practice and disseminate the code;

4)    Monitor developments that occur in relation to the processing of personal data, in which further calculations will be made of the possible impact of such developments;

5)    Monitor and oversee the implementation of Malaysia's Personal Data Protection Act, along with the issuance of circulars, notifications against law enforcement or other instruments;

6)    Communicate and cooperate with parties who perform the function of protecting personal data outside the country of Malaysia which are of common interest;

7)    Commissioners are also given the freedom to carry out other necessary and appropriate activities in accordance with what is regulated in the Malaysian Law AKTA 709: Personal Data Protection Deed 2010, or for other purposes as directed by the Minister.

 

CONCLUSION

The leakage of personal data is a serious problem, and cases have been increasing steadily over the last few years, affecting not only private institutions but also government agencies. Yet the protection of personal data, which includes the right to privacy, is guaranteed in Article 28G of the 1945 Constitution. Therefore, the government must seek to protect the personal data of citizens. One step that can be taken to realize the protection of personal data is to establish an independent commission for the protection of personal data. The establishment of such a commission is actually a mandate by several international organizations such as the United Nations and APEC.

According to the UN organization, the creation of an independent commission is a minimum requirement for the protection of personal data. The personal data protection commission must be independent so as not to be affected by political intervention and government control. The order regarding the establishment of an independent commission is explicitly stated in the eighth article. Meanwhile, the Asia Pacific economic international organization recognizes the importance of developing effective personal data protection. The mandate for establishing an independent commission for the protection of personal data is contained in Article 10 of the APEC Privacy Framework. In addition, Indonesia's neighboring countries, such as Singapore and Malaysia, have independent commissions for the protection of personal data. This can be an example for the Indonesian state to develop and protect the personal data of citizens.

Based on the content and results of the research, it can be concluded that international organizations such as the United Nations (UN) and APEC encourage each country to protect the personal data of its citizens by establishing an independent commission for the protection of personal data. This encouragement is evident in the regulations they issued, namely the United Nations Guidelines for the Regulations of Computerized Personal Data Files 1990 and the APEC Privacy Framework. Therefore, the establishment of an independent commission for the protection of personal data in Indonesia is not only a necessity, but also a mandate of international legal instruments. We can also learn from neighboring countries that have established independent commissions for personal data protection, such as Singapore and Malaysia.

 

REFERENCES

Djafar, W., & Santoso, M. J. (2019). Perlindungan Data Pribadi Pentingnya Otoritas Pengawasan Independen. ELSAM.

 

Djafar, Wahyudi. (2019). Hukum Perlindungan Data Pribadi di Indonesia: Lanskap, Urgensi dan Kebutuhan Pembaruan. Seminar Hukum Dalam Era Analisis Big Data, Program Pasca Sarjana Fakultas Hukum UGM, 26.

 

Djafar, Wahyudi, Sumigar, B., & Setianti, B. (2016). Perlindungan Data Pribadi di Indonesia: Usulan Pelembagaan Kebijakan dari Perspektif Hak Asasi Manusia. Lembaga Studi Dan Advokasi Masyarakat (ELSAM).

 

Greenleaf, Graham. (2021). Asia's privacy reform Bills: Variable speeds.

 

Herold, Rebecca. (2001). International Privacy Laws. In The Privacy Papers (pp. 649–658). Auerbach Publications.

 

Latumahina, Rosalinda Elsina. (2014). Aspek Hukum Perlindungan Data Pribadi di Dunia Maya.

 

Niffari, Hanifan. (2020). Perlindungan Data Pribadi Sebagai Bagian Dari Hak Asasi Manusia Atas Perlindungan Diri Pribadi (Suatu Tinjauan Komparatif Dengan Peraturan Perundang-Undangan Di Negara Lain). Jurnal Yuridis, 7(1), 105–119.

 

Pratama, Geistiar Yoga, & Suradi, Aminah. (2016). Perlindungan Hukum Terhadap Data Pribadi Pengguna Jasa Transportasi Online Dari Tindakan Penyalahgunaan Pihak Penyedia Jasa Berdasarkan Undang-Undang Nomor 8 Tahun 1999 Tentang Perlindungan Konsumen. Diponegoro Law Journal, 5(3), 1–19.

 

Pratana, I. Wayan Atmanu Wira. (2021). Urgensi Pengaturan Mekanisme Pemanfaatan Data Pribadi dalam Rancangan Undang-Undang Perlindungan Data Pribadi. Jurnal Hukum Lex Generalis, 2(8), 701–721.

 

Sautunnida, Lia. (2018). Urgensi Undang-Undang Perlindungan Data Pribadi di Indonesia: Studi Perbandingan Hukum Inggris dan Malaysia. Kanun Jurnal Ilmu Hukum, 20(2), 369–384.

 

Secretariat, APEC. (2017). APEC Privacy Framework (2015).

 

Soerdjono, Soekanto & Mamudji, Sri. (1995). Penelitian Hukum Normatif Suatu Tinjauan Singkat. Jakarta: Raja Grafindo Persada.


 

© 2020 by the authors. Submitted for possible open access publication under the terms and conditions of the Creative Commons Attribution (CC BY SA) license (https://creativecommons.org/licenses/by-sa/4.0/).