Digital Privacy and Cybersecurity Regulations in Indonesia: What You Need to Know
Jack Wiston
Introduction
Digital privacy and cybersecurity have become paramount legal concerns in Indonesia. As the nation embraces digital transformation, safeguarding personal data and countering cyber threats are pivotal.
In 2022, the Indonesian government enacted the Personal Data Protection Law (PDP Law), scheduled for implementation in 2024. This comprehensive legislation governs the collection, use, and storage of personal data while establishing a dedicated data protection authority for oversight.
Moreover, the government is actively working on new cybersecurity regulations. A draft Cybersecurity Bill, introduced in 2021, is currently under review. Expected to create a cybersecurity agency and framework for responding to cyberattacks, this legislation marks another significant step in Indonesia’s digital regulatory landscape.
Background
Indonesia boasts a burgeoning digital population, with over 200 million internet users. This digital boom has fostered thriving sectors such as online banking, e-commerce, and social media. However, the nation faces challenges owing to a relatively weak regulatory framework, leaving it exposed to cyberattacks and data breaches.
In recent years, high-profile incidents have underscored these vulnerabilities, including the 2021 Tokopedia data breach affecting over 90 million users and the leak of millions of personal data records from the government’s COVID-19 vaccine database during the same year.
Regulatory Framework
The PDP Law reigns supreme in governing digital privacy in Indonesia. It introduces various requirements for businesses handling personal data, including:
- Obtaining explicit consent before collecting personal data.
- Granting individuals access to their data and the right to rectify or delete it.
- Mandating robust security measures to prevent unauthorised data access, use, or disclosure.
Legal Insights: The PDP Law brings a significant shift in Indonesia’s approach to personal data protection. It aligns the nation with international data privacy standards, offering individuals greater control over their data. One crucial legal aspect is the requirement for businesses to obtain explicit consent. This means that businesses must not only collect data transparently but also respect an individual’s choice to provide or withhold consent.
Moreover, the law’s stipulation of substantial fines, up to 2% of annual revenue, for non-compliance underscores the seriousness of data protection. For businesses, this means not only safeguarding data but also implementing robust compliance measures.
In addition to the PDP Law, Indonesia has several other laws and regulations pertinent to digital privacy and cybersecurity:
- The Electronic Information and Transactions Law (EIT Law) deals with electronic transactions and cybercrime.
- The Cybersecurity Regulation (Reg No. 71/2019) outlines cybersecurity requirements applicable to all entities.
- The Government Regulation on the Protection of Personal Data in Electronic Systems mandates safeguards for electronic personal data.
- National Cyber and Encryption Agency Regulation No. 8 of 2020 establishes cybersecurity measures for electronic system providers.
Recent Developments
Beyond legal enactments, the Indonesian government established the National Cyber and Encryption Agency (BSSN) in 2021. BSSN’s role encompasses coordinating national cybersecurity endeavours and raising public and business awareness about digital privacy and cybersecurity issues. In 2022, BSSN launched the “Cybersecurity is Our Shared Responsibility” campaign to underscore the significance of these concerns.
Recent incidents further underscore the importance of digital privacy and cybersecurity. These include the 2022 conviction of an individual who hacked the Indonesian Supreme Court’s website and the ongoing legal dispute between the government and Telegram over the storage of user data within Indonesia.
How This Affects You
Individuals:
- You possess the right to safeguard your personal data from unauthorised access, use, and disclosure.
- You can access your personal data and request corrections or deletions.
Businesses:
- Compliance with the regulations mentioned above is obligatory.
- Acquire explicit consent before collecting personal data.
- Facilitate individuals’ access to their data and their ability to rectify or delete it.
Challenges
Several challenges and concerns are inherent in Indonesia’s digital privacy and cybersecurity landscape:
- Insufficient awareness of cybersecurity among businesses and individuals.
- Widespread inadequacies in cybersecurity measures among entities.
- Escalating sophistication of cyberattacks, notably ransomware and cryptojacking.
- Fragmented coordination among government agencies responsible for cybersecurity.
Best Practices
Enhancing digital privacy and cybersecurity entails proactive measures by individuals, organisations, and the government:
Individuals:
- Strengthen digital privacy through robust passwords and two-factor authentication.
- Exercise caution when sharing personal information online.
Organisations
- Bolster data protection through cybersecurity measures like firewalls and encryption.
- Train employees in cybersecurity best practices.
Government
- Develop and enforce robust regulations.
- Educate citizens and businesses on digital privacy and cybersecurity.
- Invest in cybersecurity research and development.
Conclusion
Digital privacy and cybersecurity are pivotal legal concerns in Indonesia’s digital era. While government initiatives have marked progress, there remains work to be done. By actively participating in enhancing digital privacy and cybersecurity, individuals, organisations, and the government can foster a secure digital environment that safeguards users from data breaches and promotes secure digital business operations.
To avoid any further legal issues, businesses should always consult with a lawyer to ensure their data policy and usage does not violate the PDP law and other applicable regulations.
