Policy Manager, Asia & US
Indonesia has huge potential for global businesses. With a vast local market and plenty of unmet consumer demands, a vibrant start-up community and a local pool of tech talent, the country is perfectly situated for companies to set up their bases here.
President Joko “Jokowi” Widodo has laid down ambitious plans for his second term to elevate Indonesia as the world’s fourth or fifth largest economy by 2045. Under his leadership, the government introduced the omnibus bills on taxation and job creation in February 2020 in a bid to simplify investment rules to make it easier to do business in Indonesia while amending the labor laws to attract more investors.
On the periphery, however, investors are also considering when and in what form the personal data protection bill will be passed as another factor in evaluating the extent to which they should engage in Indonesia.
Why does Indonesia need a stand-alone data protection bill?
In today’s digital world, personal data is collected, used and disclosed by service providers all day, every day. For example, an e-wallet app collects personal data for fraud prevention, and then connects the data to offer a rewards program for merchants to improve customer experience. While data flows are actually much more complex than this, the example does highlight how often personal data moves from one place to another. Without a framework in place, individuals have less control over their personal data while service providers are not held accountable for the use of their consumers’ personal data.
Due to the globalized supply chain, personal data from other countries also flows through Indonesia. Foreign data protection authorities want assurances that their citizens’ data will still be protected as it flows in and out of the country. The European Union will accord “adequate” status to a country’s level of data protection only after the European Commission deems that the local data regulation has a high standard. Any weak link in today’s global data flow will create vulnerabilities. Therefore, it is important to create interoperable and global frameworks for data protection and level up across-the-board security standards to maintain the confidentiality, integrity and availability of personal data.
The Communications and Information Ministerial Regulation No. 20/2016 governs personal data in electronic systems. It was followed by Government Regulation No. 71/2019, which defines personal data as data that can identify a person directly or in combination with other information obtained both electronically and nonelectronically. However, these rules do not articulate well-defined obligations for data controllers and processors.
If we look at how the EU developed its data protection legislation, it started with the Data Protection Directive in 1995. Later, it realized that the different ways in which governments implemented the directive had created harmonization issues. The General Data Protection Regulation (GDPR) was thus crafted to provide a single rule across the EU. The GDPR also improved on the earlier directive by introducing stronger rights for individuals, establishing the “privacy by design and by default” principle to guide the development of new technologies, and imposing greater accountability on organizations.
With Indonesia’s personal data protection bill under deliberation, this is an opportune time for the country to develop a world-class data protection law — one that addresses the gaps in existing regulations and builds a comprehensive and interoperable framework to raise its position as an attractive investment destination.
What are the shortcomings of the current draft bill?
A major criticism has been raised over the lack of provisions to set up a Data Protection Authority. The current draft appoints the Communications and Information Ministry to oversee implementation and enforcement once the bill has been passed into law. Instead of fixating on which institution will drive this future law, however, it is more important to provide sufficient resources to the appointed agency so it can effectively implement and enforce the law. For example, there must be adequate support to train staff on privacy issues, as well as to conduct investigations and run public awareness campaigns.
For instance, the Infocomm Media Development Authority (IMDA) is the statutory board responsible for Singapore’s Personal Data Protection Act. IMDA then created the Personal Data Protection Commission for the express purpose of administering the data protection act. The commission has strong internal capacity and is one of the most active data protection authorities, issuing enforcement decisions every month.
Another criticism of Indonesia’s draft bill on data protection is the seemingly low standards set for public authorities. Although public authorities are covered under the draft bill, it does not impose additional obligations on them, whereas some rules in the GDPR apply differently to government institutions and officials. For example, public authorities must have legally binding and enforceable instruments among them for personal data disclosure, and they may not rely on legitimate interests in processing personal data, given the imbalance in status between them and individuals. This is an area for potential improvement.
In the spirit of regulatory streamlining, the draft bill should also address the question of whether the existing rules on the required approval for transferring personal data will be repealed. Investors also need assurances that old regulations will not be revived to haunt them in the future.
Policy-making is a complex art. With all the various data privacy frameworks out there among a variety of organizations, from the Organization for Economic Cooperation and Development to ASEAN, Indonesia has many international best practices to draw on.
Put simply, the draft bill on personal data protection should protect the citizens’ personal data while facilitating a data flow that would enable Indonesia to achieve its economic vision. With the rest of the global economy badly impacted by the novel coronavirus disease (COVID-19) outbreak this year, now is the critical time for Indonesia to act and prove that it is an attractive investment location.
This article was originally published at The Jakarta Post on 16 March 2020.