ALSA Legal Newsletter ALWAYS BE ONE
VOLUME 02
PERSONAL DATA PROTECTION An insight on Personal Data Protection laws around Asia.
May 2021
May 2021 / Volume 02
CONTENTS
03-05
Greetings from the International Board
07
featured article
PDP on COVID-19 Tracking Application in Indonesia
Daffa D. Prawira
09
13
Phishing in Indonesia
Fauzan Akhmad Dzaki
PDP: A Domestic Agent System
Oh Sang Heun
11 Indonesia and PDP
Resya Ananda Fadila
ALSA LEGAL NEWSLETTER
14
Use of PD on E-Commerce: Is Your Data Safe?
Diqa Qothrunnadaa A. N. S.
PAGE 1
16 Protection of PD in the COVID-19 Pandemic: The Use of "Pedulilindungi" Diqa Qothrunnadaa A.N. S.
18 Indonesia’s Lack of PDP Kerin Dharmawan
20 PDP in Indonesia: On-Going Issues and The PDP Bill Difa Zahra Afifah
22 PDP as Primary Concern Against Internet User Trust During COVID-19 Arya Putra R.
23 Urgency of the PDP Bill in Indonesia Khalisa Areta Savitri
25 South Korea's PDP Revision in the Age of COVID-19 Youn Juhae
ALSA LEGAL NEWSLETTER
featured article "...an Indonesian Consumers Community (KKI) was sued regarding privacy rights of each user since 91 million users’ data was leaked"
27
PDP Bill to Protect Consumers During COVID-19 Pandemic Kevin Akbar Sanabil
Asian Law Students’ Association (ALSA) is a non-profit, non-political organization that aims to connects law students from the corners of Asia.
PAGE 2
Greetings from ALSA International!
Griselda Audrey Chandra President of ALSA International Board 2020/2021 Greetings from ALSA International! I am Audrey as the President of ALSA International Board 2020/2021, proudly present the ALSA Legal Newsletter on “Personal Data Protection”. Data privacy has always been important. It’s why people put locks on filing cabinets and rent safety deposit boxes at their banks. As more of our data becomes digitized, and we share more information online, data privacy is taking on greater importance. The more you know, the better able you’ll be to help protect yourself from a large number of risks. I also would like to thank the contributors for your outstanding works and for those who have not contributed yet, I am looking forward to seeing your active contribution. Strong Inside and Leading Outside. ALSA, Always Be One!
Vishnu Varna Vice President of Academic Activities ALSA International Board 2020/2021 Greetings ALSA members far and wide! Ever since the outbreak of the Covid-19 pandemic, the world has been a big blue ball of chaos. Personal data protection has become increasingly important as the pandemic forced people to adapt to a more virtual lifestyle. For this edition, we've brought to you interesting articles from all our neighboring countries regarding personal data protection, and how it is regulated and protected. We hope you are thoroughly entertained, immersed, and most importantly, informed by the ALN. Warm Regards, Vishnu Varna Vice President of Academic Activities ALSA International Board 2020/2021
PAGE 3
Greetings from ALSA International!
Nasya Ayudianti Ramadhani Director of Academic Publications ALSA International Board 2020/2021 Greetings from ALSA International! It is with great pleasure that the Department of Academic Activities ALSA International Board 2020/2021 could bring you the second edition of the ALSA Legal Newsletter. Considering the urgency and awareness which needs to be raised on Personal Data Protection, this edition serves to bring you insight and knowledge on why it is important. We hope you enjoy this edition of ALSA Legal Newsletter. Best Regards, Nasya Ayudianti Ramadhani Director of Academic Publications ALSA International Board 2020/2021
Rafa Raasyidah Junior Editor ALSA International Board 2020/2021 Hello, fellow readers. It is a delight that this volume of the ALSA Legal Newsletter has been finished for you to read. I truly hope that the readers gain more insights and information regarding the latest matters about personal data protection around Asia. We are also thankful for our lovely contributors, to make such interesting articles for us to enjoy. We also hope that readers will gain interest to submit their own articles for the next submission. I would also like to thank my fellow partners on the board for making this publication happen in its best form. ALSA, Always Be One! Best regards, Rafa Raasyidah. PAGE 4
Greetings from ALSA International!
Priyadiana Junior Editor ALSA International Board 2020/2021 Greetings! On behalf of the board, we would like to introduce the second edition of the ALSA Legal Newsletter. I thank all the contributors for their submissions to this edition and their cooperation with the editorial staff during the production phase. I would also like to express my gratitude to my fellow editors, who worked tirelessly to make this publication possible. We hope the readers will enjoy the second edition as much as they enjoyed the first one! ALSA, Always Be One! Best regards, Priyadiana.
Vatthana Inthalucksa Junior Editor ALSA International Board 2020/2021 Hello, fellow readers. It is a wonderful moment that this volume of the ALSA Legal Newsletter has been published and ready for you to read it. I believe our readers will have an opportunity to learn and gain a lot of knowledge as well as information regarding our topic of Personal Data Protection. We would like to thank our contributors for their article to us. I hope that everyone enjoys the publication. We hope that the readers will be interested in participate and submit their own article for the next submission. Lastly, I want to say thank you to my fellow editors for making this incredible publication. ALSA, Always Be One! Best regard, Vatthana Inthalucksa (Banky) PAGE 5
PAGE 6
ALSA Legal Newsletter May 2021
Personal Data Protection on COVID-19 Tracing Application in Indonesia Daffa Deta Prawira Indonesia
COVID-19 has been one of, if not, the most significant threats that the planet has ever faced. In Indonesia alone, there have been 1.632.248 cases of COVID-19 with 44.346 people dying as of today (Haryanti, 2021). To deal with COVID-19, the Ministry of Communication and Informatics along with the Ministry of State-Owned Enterprises developed PeduliLindungi, a COVID-19 tracing application. The purpose of this application is to assist Indonesian health workers to recognize COVID-19 patients who have been in touch with them in the last two weeks using contact tracing.
Once a user of the app is infected with COVID-19, the app will send a warning to all smartphones in close proximity, alerting them to the possible exposure (World Health Organization, 2020). However, in this digital age, digital contact tracing can become a threat to our personal data. Individuals who have installed the application on their smartphone may not realize that their private data is being taken, for instance, to register the users’ full name and phone number is required where there is no clear limitation on the purposes for the Indonesian government to use the data.
PAGE 7
ALSA Legal Newsletter May 2021
Indonesia has not yet have a specific law regarding Personal Data Protection The Indonesian government monitors the users’ movements locations, with no indication of long the information will be (Norton Rose Fulbright, 2020).
also and how kept
Unfortunately, there are currently no special laws placed in Indonesia to coordinate personal data security, but the Minister of Communication and Information Technology's Regulation No. 20 of 2016 concerning the Protection of Personal Data in Electronic Systems regulates the rights of personal data owners, responsibilities of personal data users, and dispute resolution. Moreover, Article 26 Paragraph 1 of the Law on Electronic Information and Transactions governs a person’s personal data (Bernadetha, 2020). In conclusion, it is still unclear what is done with our personal data that we give to PeduliLindungi and how long the data is held by the government. The Indonesian law governing personal data privacy is still vague, and we must ensure that our personal information is protected by the government.
PAGE 8
ALSA Legal Newsletter May 2021
Personal Data Protection: A Domestic Agent System
The purpose of the domestic agent system is to give consumers substantial self-determination rights regarding their personal information to global business operators and [2] if the Korea Communications Commission requests data for domestic consumer protection from global operators, it is possible to promptly submit the data if necessary.
Oh Sang Heun South Korea
In spite of the good purpose of the domestic agent system, we should look upon the situation carefully. From a governmental perspective, the first problem is about the premature introduction of the policy. The scope of the regulation is not clear, which does not help in resolving reverse discrimination for companies (Kim, 2021).
Second, the state does not actively enforce sanctions against global companies. There are issues of effectiveness, such as whether it is possible to impose a fine on foreign companies and whether Korean laws are applicable towards foreign companies (Son, 2021).
These days, global platform companies such as Google and Facebook are increasingly monopolizing the market, possibly resulting in moral hazard to consumers' personal information leakage. In this situation, Korea implements a domestic agent system to regulate global platform companies with reference to the European Union's GDPR agent system (Jeon, 2021). PAGE 9
ALSA Legal Newsletter May 2021
Furthermore, a request for information disclosure must be made to the Ministry of Science and Technology as the law regulating this system does not mandate the notification system for domestic agents. From a corporate perspective, it does not abide the government's guidelines. They are established formally by operating as a “paper company” and operate poorly. The domestic agents of Google, Facebook, Amazon, and Apple were separate corporations, but it turned out that they were using the same address (Paeng, 2021). Another problem is, established corporations for agency business change the company's form in order to avoid regulations (Kim, 2021). This makes it hard to apply sanctions, even if it violates domestic law, needless to say that companies' actions are difficult to secure tax revenue. In essence, it does not fit with Environmental, Social, and Governance (“ESG”) management.
Thus, the Korean government must have sanctions like fundamental regulations and taxations. Furthermore, they must try to re-enforce policies, such as mandatory notification systems and occasional inspections to ensure that each domestic representative system is properly implemented.
PAGE 10
ALSA Legal Newsletter May 2021
Indonesia and Personal Data Protection Resya Ananda Fadila Indonesia
The House of Representative of the Republic of Indonesia Commission I member, Bobby Adhityo Rizaldi, stated that the legalization of the PDP Bill is expected soon in order to put Indonesia on the same level as other developed countries when it comes to protecting the personal data of the people. The absence of personal data protection in Indonesia can be seen as a weakness, causing many personal data to be leaked. Taking an example from May 2020 when the data of 90 million Tokopedia users were leaked and sold on the black market. The same incidence also happened to Bukalapak in 2019 and Gojek in 2016. These cases show the dangerous threats of personal data misuse of internet users and Indonesia clearly needs to provide a legal umbrella to protect its users’ personal data surfaced on the internet.
Privacy is a fundamental right that plays a crucial part in the protection of human dignity as it constructs the foundation of many other human rights. Following the trend of technology that evolves quickly in this time of era, personal data of individuals are often required to complete any registration matter on the internet. Therefore, the possibility of data leakage is higher than ever. Frankly, Indonesia has not yet established a specific legal protection towards personal data. However, recently, the Personal Data Protection Bill (“PDP Bill”) in Indonesia has entered the 2021 National Legislative Program. Thus, Indonesia should legalize the PDP Bill as soon as possible in order to accommodate regulations that protect the people’s personal data. Law of the Republic of Indonesia Number 17 of 2007 concerning the Long-Term National Development Plan of 20052025 also states that the use of science and technology is very much needed to build a competitive nation. PAGE 11
PAGE 12
ALSA Legal Newsletter May 2021
Phishing in Indonesia
Fauzan Akhmad Dzaki Indonesia
Phishing is categorized as a cyberattack that gathers personal information with the goal to trick someone (who receives the email) and make them believe that the substance of the email is worth checking. The email receiver then clicks the given link, leading to some installation of malware thus revealing their private or sensitive information. The perpetrator can have access to the victim’s social media account or use their private information to seek profit from the victim's data. Phishing has many kinds of techniques. One of them is when the perpetrators use email for phishing scams. In these techniques, they are going to make great lengths, designing the email messages in order to make them seem as real as possible.
Using the same logos, same phrasing, and signatures makes the messages give the same impression as original ones from the legitimate organization. The Indonesian National Cyber Security Operations Center (“Pusopskamsinas”) noted that the number of hacking cases in Indonesia during 2020 is quite large. This is due to the increase of internet users during the Covid-19 pandemic, which then amounted to a total of 2.549 cases. There are ways to prevent an increase in phishing cases that occur in Indonesia. An example can be seen through the government’s effort on being able to disseminate information to the public about the impact and threats caused by phishing itself. Another way to prevent phishing is to help the public to find the perpetrators of these acts.
"The Indonesian National Cyber Security Operations Center (“Pusopskamsinas”) noted that the number of hacking cases in ... amounted to a total of 2.549 cases." PAGE 13
ALSA Legal Newsletter May 2021
There are ways to prevent an increase in phishing cases that occur in Indonesia. An example can be seen through the government’s effort on being able to disseminate information to the public about the impact and threats caused by phishing itself. Another way to prevent phishing is to help the public to find the perpetrators of these acts. This is further reinforced through regulation and policy making that touches upon phishing by authorized subjects as it is a top priority obligation in order to provide legal certainty and protection. The protection of private data represents the needs of the people that must be carried out by a country’s government supported by the development of technology, the existence of appropriate regulatory arrangements, and the protection against various kinds of violations of private data protection which should remain a country’s priority.
Shopping is something that cannot be separated from humans, whether shopping for basic needs or other nonbasic things. Especially during a pandemic like today, many people who have flocked to change their shopping methods, previously shopping conventionally or meeting in person with sellers are now turning to e-commerce or online.
Use of Personal Data On E-Commerce: Is Your Data Safe? Bryant Christoper Indonesia
The number of e-commerce in Indonesia at this time can be said to be one of the largest in the world, in 2019 alone there were 16,277 businesses carrying out ecommerce activities. Of the tens of thousands of e-commerce, not a few e-commerce stores the personal data of their users, this is what becomes vulnerable to crimes that can occur. In 2020 alone in Indonesia, there were approximately six major data leaks, starting from Tokopedia, Bhinneka.com, KreditPlus, ShopBack, RedDoorz, and Cermati where each of these ecommerce leaks occurred ranging from hundreds of thousands to millions of data. The number of incidents regarding personal data leakage led to the birth of the Bill on Personal Data Protection in Indonesia. With the absence of a positive law regulating personal data protection in Indonesia, it does not mean that Indonesia does not have a legal basis regulating personal data. PAGE 14
So far the leakage of personal data in Indonesia is classified as a violation of the right to privacy, matters regarding violations of the right to privacy are regulated in Law 18 of 2008 concerning Electronic Transaction and PP 71 of 2019 concerning the Implementation of Electronic Transaction Systems were based on these laws the victims of violations of the right to privacy can commit civil lawsuits against e-commerce providers and in PP 71/2019 e-commerce providers can be subject to administrative sanctions by the government if user data leaks occur. However, the two laws and regulations are currently considered less relevant so that many people hope that the Personal Data Protection Bill can be passed immediately, because with the passing of the bill, it is hoped that it can protect the interests of consumers and provide economic benefits for Indonesia.
"The number of incidents regarding personal data leakage led to the birth of the Bill on Personal Data Protection in Indonesia"
PAGE 15
ALSA Legal Newsletter May 2021
Protection of Personal Data in the COVID-19 Pandemic: The Use of "Pedulilindungi" Diqa Qothrunnadaa A.N.S Indonesia
The Coronavirus Disease (“COVID-19”) pandemic has been going on for a year, with the number of cases continuing to increase. Various efforts have been made by the government to reduce the spread of the virus, one of which is by launching PeduliLindungi, an application designed by the Ministry of Communication and Information (“KOMINFO”) and the Ministry of Stateowned Enterprises (“BUMN”).
Pedulilindungi helps to stop the transmission of COVID-19 by relying on concerns (care) and community participation. The Ministry of Health and the Task Force use the application to overcome the COVID-19 pandemic in Indonesia by tracing and tracking through telecommunications infrastructure, systems, and applications connected to domestic data centers. Pedulilindungi helps to stop the transmission of COVID-19 by relying on concerns (care) and community participation, sharing location data with each other while traveling, thus tracing the history of contact with patients of COVID-19.
"The number of incidents regarding personal data leakage led to the The Minister of Communication and Information, Johnny Plate, argues that ofpersonal birth the Billdata protection is a personal right, including the right Personal Dataof to privacy and to beon free from all kinds interference, the right to communicate with other Protection in and people without the intention of being spied, the right to supervise access to information about Indonesia" one's personal life and data as the importance of data security (Article 26 Paragraph 1, Law No. 19 of 2016).
PAGE 16
ALSA Legal Newsletter May 2021
The Minister of Communication and Information, Johnny Plate, argues that personal data protection is a personal right, including the right to privacy and to be free from all kinds of interference, the right to communicate with other people without the intention of being spied, and the right to supervise access to information about one's personal life and data as the importance of data security (Article 26 Paragraph 1, Law No. 19 of 2016). To protect the users’ personal data, KOMINFO collaborates with the National Cyber and Crypto Agency (“BSSN”) which has carried out a security check called IT Security Assessment (Cyberthreat.id, 2020). At the beginning of the emergence of PeduliLindungi, many parties had doubts concerning the users’ personal data protection. KOMINFO published a Press Release on April 17, 2020 (No.57/Hm/Kominfo/04/2020), which guarantees the security of the PeduliLindungi from phishing and malware. However, researchers at the Communication and Information System Security Research Center (“CISSRec”) argue that a digital forensic audit is still needed. Indonesia’s cybersecurity is still deemed weak, thus urging the Personal Data Protection Law to be passed and enforced, preventing further problems. Until now, PeduliLindungi still lacks the society’s demand. It is hoped that more people will utilize PeduliLindungi in order to reduce the spread of COVID-19 and to immediately pass a clear personal data protection law to implement legal certainty.
PAGE 17
ALSA Legal Newsletter May 2021
Indonesia’s Lack of Personal Data Protection
Kerin Dharmawan Indonesia
It is becoming even more crucial now than ever, with the COVID-19 pandemic catalyzing for digital adoption. The increased number of digital activities during the pandemic has led to an increased number of cyberattacks in Indonesia. This is reflected in the National Cyber and Crypto Agency’s data, which shows a more than fourfold increase in cyberattacks during the pandemic. But unfortunately, there is no specific law that comprehensively stipulates personal data protection in Indonesia to date. In contrast to other ASEAN countries that have formed special rules regarding the protection of personal data, such as Malaysia (2010), Singapore (2012), Laos (2017), and Thailand (2019), a law specifically regulating the protection of personal data in Indonesia is still in an ongoing process.
Indonesia is home to 175.4 million internet users as of January 2020, but its digital literacy, including awareness of online safety, is relatively low. The Global World Digital Competitiveness Index, which includes digital literacy among other indicators, ranked Indonesia 56th out of 63 countries in 2019, far below Singapore and Malaysia, which were ranked 2nd and 26th , respectively. Given its low awareness of online safety, the existence of a data protection law is urgently needed, especially during this era, where simply having an email account could expose an internet user to cybercrime.
"The Global World Digital Competitiveness Index, which includes digital literacy among other indicators, ranked Indonesia 56th out of 63 countries in 2019..."
PAGE 18
ALSA Legal Newsletter May 2021
As a result, Indonesia's current personal data protection regulations are still guided by 32 sector-based laws and their scattered derivative regulations. According to the Institute for Public Policy and Advocacy (ELSAM), the spread of these regulations has resulted in overlapping regulations regarding personal data protection. ELSAM also stated that the scattered regulations have resulted in weak law enforcement for personal data breaches. As a result, Indonesia's current personal data protection regulations are still guided by 32 sector-based laws and their scattered derivative regulations. According to the Institute for Public Policy and Advocacy (ELSAM), the spread of these regulations has resulted in overlapping regulations regarding personal data protection. ELSAM also stated that the scattered regulations have resulted in weak law enforcement for personal data breaches.
As stated by the Ministry of Communication and Information, the existence of the data protection law in Indonesia is crucial, not only because it can strengthen and harmonize the 32 sector-based laws, but it will also establish a data protection authority that functions to supervise and enforce sanctions to ensure effective enforcement of personal data protection. Therefore, due to its importance, the government must continue to immediately and effectively discuss the data protection law.
PAGE 19
ALSA Legal Newsletter May 2021
Personal Data Protection in Indonesia: On-Going Issues and The PDP Bill Difa Zahra Afifah Indonesia
Indonesia is starting to take serious steps to safeguard its citizens’ privacy rights through the Personal Data Protection Bill (“PDP Bill”). However, before the PDP Bill was drafted, Indonesia had already recognized some of its regulations related to personal data protection (“PDP”), even if it was not explicitly mentioned. The Electronic Information and Transactions Law (“ITE Law”) was born in 2008 as the first cyber law in Indonesia with Article 26 regulating PDP. The implementing regulation is contained in Government Regulation No. 71 of 2019, most of which adopted the General Data Protection Regulation (“GDPR”). Ministerial Regulation of Communication and Informatics No. 20 of 2016 also regulates administrative sanctions if data controllers failed to notify data owners of data leaks occurrence.
"As a result, regulations related to offline PDP are regulated sectorially which then raises a new problem, that not all sectors have advanced regulations concerning offline PDP." PAGE 20
ALSA Legal Newsletter May 2021
Unfortunately, these regulations have not been able to tackle various PDP problems in Indonesia. The PDP regulations originate from the ITE Law that only addresses electronic matters. Thus, offline PDP is not regulated in the various existing PDP regulations. As a result, regulations related to offline PDP are regulated sectorially which then raises a new problem, that not all sectors have advanced regulations concerning offline PDP. For example, the Population Administration Law (“Adminduk Law”) protects personal data including one’s diseases or disabilities and Financial Services Authority Regulation (“OJK Regulation”) regulates consumer protection. The legal vacuum of offline PDP regulation is a hive of problems because in fact, not only digital players hold and control the most data, but public institutions such as banks, hospitals, post offices, or office buildings also hold visitors’ data massively. Therefore, a PDP Law is urgently needed (since it will also regulate offline PDP) to restrict and provide principle standards. It is also necessary for institutions and companies to promote policy making that touches upon proper risk mitigations in information technology, may it include employees as well as chief of information security. The more involved the people are (at any level), the more insights will be gathered in order to later construct the policies. Additionally, awareness of the data subjects towards the issue also plays a crucial role. Apart from the regulations inadequacy, preventive measures from the people are still low. The data owner can limit the spread of their data. For example, we often find identification numbers easily on the internet. As a data subject, we need to be proactive in practicing preventive measures, being aware of social engineering practice where we are often deliberately made unaware of giving our data to other people. PAGE 21
ALSA Legal Newsletter May 2021
Personal Data Protection as Primary Concern Against Internet User Trust During COVID-19
Arya Putra R. Indonesia
Data protection is the most important thing for many people as social media is used extensively these days. Cyberspace or cyber world is the virtual place that provides every internet user with information, communication, trade transactions and other activities. The Malfunction of Personal data has become a big problem with Information technology beneficial and communication in Indonesia. In 2019, Personal Data Protection regulation was a priority in the National legislation Program in Indonesia. For almost two years, this regulation is still a proposal and official regulation for enforcement. In the Database from Badan Siber dan Sandi Negara (BSSN), Since January until August 2020, almost one hundred ninety million Cyber crime attacks in-
Indonesia, which increased more than four times by comparing the same period in the last year that recorded an estimate of thirty nine million. The government should take action against eradication of cybercrime in Indonesia. During the Covid-19 pandemic, many activities became virtual. The Internet is part of the technological advance that followed the change of era, especially the revolution of Industry 4.0. The transformation of criminals from conventional to virtual is a sign to enact laws on eradication of cybercrime.
"The Indonesia Constitution states that “Everyone has the right with self protection, personal, family, honorable, dignity, and wealth in below of domination, and also have the right to comfortable, protection from scare threaten for do something or undo something is the meaning of human right” PAGE 22
.
In ASEAN countries like Singapore, Malaysia, and the Philippines, personal data protection regulation is implemented. Indonesia has personal data protection but it is not regulated. Personal Data Protection in Indonesia in Communication and Information Minister Regulation Law Number 20 of 2016 about Personal Data Protection in Electronic System. Cybercrime on a global scale has reached US$600 Billion or an average of IDR 8.160 Trillion (US$1= IDR 13.600) in 2017 due to a suspected increase in high volume crimes in online shops and digital money. Therefore, the Indonesian Government must prioritize this issue to ensure the trust of Internet users.
Urgency of the Personal Data Protection Bill in Indonesia Khalisa Areta Savitri Indonesia
The consecutive cases of a data breach involving Indonesia’s most prominent technological corporations have highlighted the vulnerability of users’ data on the digital marketplace. In Indonesia, regulations regarding personal data protection are spread across several laws which only reflect upon the protection of personal data in general. This prompts the urgency for the enactment of Indonesia’s Personal Data Protection Bill. For the past decade, Indonesia has become one of the leading start-up ecosystems within southeast Asia. PAGE 23
ALSA Legal Newsletter May 2021
However, this status has brought forth a multitude of cybercrime risks. In May 2020, one of the largest ecommerce players in Indonesia released a statement containing the recent breach of users’ personal data. Later that year, another data breach involving a fintech aggregator platform which includes financial data such as bank accounts and credit information was confirmed. Without proper regulations in place, customers who have fallen victim to these breaches can only rely on the platform to fix the issue with no authorities holding them accountable. Currently, the provisions of personal data protection are found in the Electronic Information and Transactions Law as amended by Law No 19 of 2016. While the procedural guidelines are contained in Government Regulation No 82 of 2012 regarding its implementations. The key regulator for data protection is the Ministry of Communication and Informatics (MOCI) with the issuance of the MOCI Regulation No. 20 of 2016. Later that year, another data breach involving a fintech aggregator platform which includes financial data such as bank accounts and credit information was confirmed. Unfortunately, the laws regarding PDP remain sporadic and siloed. Hence, an extensive set of regulations for personal data protection, both via the electronic system and also non-electronically, that acknowledges the rights and responsibilities of the stakeholders involved are needed. Through understanding Indonesia’s current socio-cultural landscape and its relation to technology, it is clear that the Personal Data Protection Bill should be passed. The ever-growing tech industry has caused a high risk of potential violations of personal data protection. Irregularities in the enforcement of the current regulations have caused legal uncertainty in affirming Indonesians’ right to privacy and protection. Therefore, the enactment of the Personal Data Protection bill is crucial. PAGE 24
ALSA Legal Newsletter May 2021
South Korea's PDP Revision in the Age of COVID-19 Youn Juhae South Korea
Before the spread of Covid-19, Korea's PDP had exclusive properties to protect individual information well. This is because as the Internet develops, the number of cases of personal information infringement and leakage has increased. However, Covid-19 has revised the PDP so that the country can use personal information well. Firstly, during the spread of infectious diseases such as Covid-19, information on the number of cases has become readily available to the masses. Since the MERS outbreak in 2015, personal information such as the route of movement and personal information of confirmed people has been disclosed under the revised PDP. In addition, the spread of Covid-19 has led to the revision of the PDP to disclose specific personal information such as age, gender, family name, and residence of the students.
Second, the protection of public data through alias processing or nonidentification has been enhanced. This is in line with efforts to protect personal information contained in public health care data. Previously, there was a greater risk of specifying an individual's identity if the confirmed person's movements or alias-treated data are combined with public health and medical data. In particular, if such public health data is provided to the private sector, it is highly likely to violate the basic rights of the people protected by the Constitution of the Republic of Korea. Therefore, even healthcare data provided through aliasing and de-identification is significant in that the PDP has been revised to specify constraints and limitations when provided to the private sector, and the scope of legally acceptable data has been clarified.
PAGE 25
ALSA Legal Newsletter May 2021
In conclusion, the above PDP revisions in the Covid-19 era have the same goal of ensuring the rights of information subjects and enhancing transparency. Korea has tried to prevent personal information from being leaked to the public, while at the same time preventing problems such as personal information leakage while effectively preventing the spread of diseases. I believe that the two seemingly conflicting amendments will serve as a model for future PDP amendments to deal with COVID-19.
"In particular, if such public health data is provided to the private sector, it is highly likely to violate the basic rights of the people protected by the Constitution of the Republic of Korea."
PAGE 26
ALSA Legal Newsletter May 2021
Personal Data Protection Bill to Protect Consumers During COVID-19 Pandemic Kevin Akbar Sanabil Indonesia
In the midst of massive development which encourages digitalization, personal data protection has become inseparable with consumer protection. Many people have resorted to online transactions due to the Covid-19 outbreak. Based on a report from Indonesian E-commerce Association (IdEA) data, there was an increase in buying and selling in online transactions up to 25 percent to 30 percent. At the same time, there were many cases of consumer data that leaked due to a system failure. In the case of Tokopedia, an Indonesian Consumers Community (KKI) was sued regarding privacy rights of each user since 91 million users’ data was leaked. Another report by Yayasan Lembaga Konsumen Indonesia (YLKI) recorded that from 277 data leak cases, around 54 cases were from E-commerce transactions.
PAGE 27
ALSA Legal Newsletter May 2021
Personal data has a market value for business owners or e-commerce companies. It is necessary to protect privacy rights to avoid data leaks that cause misuse of data.
Based on a report from Indonesian E-commerce Association (IdEA) data, there was an increase in buying and selling in online transactions up to 25 percent to 30 percent. Unfortunately, in Indonesia there is no legal policy that specifically regulates personal data protection. Currently, Indonesia only relies on regulations which are related to personal data protection in Law Number 19 of Electronic Information and Transactions 2016 which can be found in article 26 paragraph 1. Article 32 in Government Regulation Number 71 of 2019 concerning Electronic Systems and Transaction Operations can also be used to curb data leakage.
However, the regulations are unable to accommodate various problems related to data privacy. Therefore, the government with legislative parliament established a new legal draft in order to specifically regulate the right of privacy and provide protection to personal users. Hopefully, the PDP Bill will be able to enforce human rights especially. rights of privacy to encourage business owners or companies to implement these policies effectively.
PAGE 28
PAGE 29
ALSA Legal Newsletter May 2021
THANK YOU FOR READING ALSA LEGAL NEWSLETTER MAY 2021 Let us know your opinion by filling the Feedback Forms at bit.ly/ALNMay2021Feedback
PAGE 30
ALSA Legal Newsletter May 2021