The suspected data leaks from the Social Health Insurance Administration Body (BPJS) and the Indonesia Health Alert Card (eHAC) demonstrate the urgent need to provide increased protection for citizens’ personal data. In reality, however, the discussion of the Bill on Personal Data Protection has reached a dead end. The reason is that parliament and the government hold different opinions about the concept of the institution that will protect people’s personal data. The government wants this institution to be under the Ministry of Communication and Information, as part of the executive branch. Meanwhile, parliament wants the institution to be independent and report directly to the President.
There are many important factors for the ratification of this Personal Data Protection Bill, including:
First, the large number of citizens who, as legal subjects, will be protected. At least 270.20 million Indonesians are data subjects or data owners who must be protected.
Second, the extent and scope of the controllers or processors of personal data, which include public bodies, non-public institutions or corporations/the private sector, as well as individuals, covering Indonesian and foreign entities with various interests or needs for the use of personal data.
Third, the high level of variation in the standard of personal data protection arrangements in each sector. Various sectors currently manage personal data independently, thus requiring standardization, harmonization and synchronization, including regulatory vacuums.
Fourth, the lack of public awareness about the importance of protecting their personal data and that of others.
Fifth, asymmetric access between individuals, as data owners, and controllers or processors, which are generally corporations, agencies and organizations.
Based on these considerations, the proposal is to regulate through a Personal Data Protection institutional authority that is independent and proactive (active system), with collaborative, regulatory and supervisory functions, enforcement of corrective actions and separate funding support.
Apart from the independence of authority, Personal Data Protection institutions must be proactive through regulation, supervision, cooperation and public awareness functions. Through the choice of an active system in the implementation of supervision/inspection, the institution is expected to act without having to wait for public disputes, reports or complaints.
Independent institutions must be designed to work collaboratively by operating with, strengthening and utilizing other existing institutional ecosystems to strengthen guarantees for personal data protection, for example certification and accreditation bodies, prosecutors, police and others.
In addition, the institutions will carry out regulatory and supervisory functions. Regulatory functions include setting implementation standards as a reference for controllers/processors and harmonizing Personal Data Protection arrangements that are currently still sectoral, including issuing various guidelines or other criteria as needed. The supervisory function includes supervision aimed at strengthening the system and early detection or prevention of potential violations.
Because of the urgency of personal data protection in Indonesia, Schinder Law Firm established a specific working group for data protection that can assist clients in consulting, guiding and drafting a code of conduct related to data protection, including client assistance in the event of a dispute/report. Should you wish to engage these legal services, please drop us an email at info@schinderlawfirm.com.