By Adinova Fauri , Centre for Strategic and International Studies (CSIS) Indonesia
Considering the rapid advancement of digital technologies coupled with market externalities, consumer protection and data privacy has become key issues for governments to pay heed to. With the exploitation of data on the rise, Indonesia’s timely success in enacting the Personal Data Protection (PDP) Law warrants credit.
With the PDP Law passed on 17 October 2022 by Indonesia’s President and House of Representatives (DPR), Indonesia joins neighboring nations such as Singapore, Malaysia, Philippines, Thailand, and many other countries who have PDP Laws in place. This act demonstrates the government’s urgency in PDP issues as Indonesia continues to grow its digital economy.
Social and Economic Benefits of PDP Law
1. Data Protection Law as a human right
Under the PDP Law, personal data subjects are given more control over their own personal data. This includes, but is not limited to, the right to access and erase personal information. This provision ensures that personal data belongs to the individual and not to the corporation or institution that gathers and processes it, elevating data protection to that of a basic human right.
In the past, medical data of patients in Indonesia were not transferable between hospitals as the data was obtained by the hospital and thus regarded as the hospital’s data. With the PDP Law, it is believed that patient data would be more freely shared and accessible, boosting the efficiency of Indonesian health services.
2. Data Protection Law builds trust and promotes economic cooperation
The presence of a defined framework for consumer protection, particularly in personal data, will boost consumer trust in utilising digital services. In the context of the Digital Financial Services (DFS) in Indonesia, trust plays an important role in predicting positive attitudes towards DFS and the intention to adopt such services. Thus, with the PDP Law in place, this will enable financial services in Indonesia to be more inclusive and accessible.
In addition, a robust framework for personal data protection generates economic benefits for the country as it enables and encourages cross border data flow which is essential for economic transactions and enabling innovation. As highlighted in the 2023 World Economic Forum, cross border e-commerce is a $2.7 trillion industry that heavily depends on cross-border data transfer. In light of the increasing significance of data both the digital and traditional manufacturing sector, it is vital to promote public-private partnership in adopting Data Free Flows with Trust (DFFT) as a tool for trust-based data exchanges.
Key Challenges of PDP Law
Despite its social and economic benefits, the PDP is far from perfect. The Indonesian government still faces several challenges to establish a more robust system for citizens’ personal data.
1. Lack of education in the collection and processing of personal data
The current approach used by the Indonesian government on data protection is largely enforcement and compliance based, with the use of punishments such as fines to enforce cooperation. However, such an approach does not take into consideration the lack of education by the general public on how to protect and properly share their private information. In addition, entities that collect and process data should also be properly trained to handle data in accordance with PDP Law’s principles. Thus, a shift in approach is needed to educate consumers and entities alike on proper data principles, to fully realise the promise of the PDP Law.
2. Workforce Gap in Data Protection Officers
Another difficulty that Indonesia faces in its effort to strengthen data protection measures is a shortage of data protection officers (DPO). The Indonesia law currently mandates the appointment of DPOs in all organisations, be it digital or non-digital sectors, to ensure proper governance of PDP. With the mandate in place, only 27.3% of firms, according to a survey performed by the Ministry of Communication and Information in 2021, have designated DPOs, signalling a significant workforce gap in DPOs. As a result, the government has provided business incentives and support to organisations to train their employees on PDP competencies, as well as to hire overseas experts to fill the workforce gap.
3. Lack of harmonisation of existing regulations
Several government bodies in Indonesia such as the Bank Indonesia and Otoritas Jasa Keuangan (Financial Services Authority of Indonesia) have recently established their own internal policies to ensure data privacy. In addition, there are also existing regulations in place that currently restrict cross border data movement, making it illegal to store and process data anywhere other than within the country. According to the Information Technology & Innovation Foundation’s (ITIF) report, data localization and other restrictions to data flows negatively affect the economy. With the above regulations and constraints, it is pivotal for the various government agencies to work together and harmonise all existing regulations to comply with the PDP Law.
4. The Urgent Need for PDP Law Implementing Regulations
The Indonesian government’s initiative to establish a comprehensive personal data protection policy framework is far from finished. As the PDP Law only sets out normative provisions for personal data protection, there is a mandate to have 10 implementing rules to detail the implementation of the PDP Law. As part of the 10 implementing rules, there will be nine government regulations (PP) and one presidential regulation (Perpres). The implementing regulations are issued to provide explicit standards, for both the private institutions and public institutions, given that both types of institutions will collect, store, and process personal data. The implemented regulations will seek to address a myriad of issues such as risk-based data classification, data authorization and enforcement rights, mechanisms for data processing and transfer, administrative sanctions and compliance index indicators, and the establishment of an independent supervisory body to oversee personal data protection in Indonesia.
Thus, to fulfil the promise of the PDP Law, there is still much work to be done to address the above challenges. While these issues may be daunting, the enactment of the PDP Law has been a crucial step in the right direction: one that would require the cooperation of consumers, businesses, and government agencies, as only in partnership can an inclusive and confident digital society be built.
Adinova Fauri is a researcher at the Department of Economics, Centre for Strategic and International Studies in Jakarta, Indonesia. Currently, he undertakes several research projects related to digital economy, financial inclusion, international and industrial policy, and labour economic issues focusing on digital skills and literacy.
The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.