Privacy law a paper tiger: The Jakarta Post

The much-awaited Personal Data Protection Law has formally come into force to allow people more control over their personal information online. However, the government has still not established a data protection agency as mandated by the law, despite the recent slew of data breaches.


October 23, 2024

JAKARTA – The much-awaited Personal Data Protection (PDP) Law has formally come into force after being enacted in 2022 to allow people more control over their personal information online.

However, the government has still not established a data protection agency as mandated by the law, despite the recent slew of data breaches in which millions of items of data were stolen and sold on the dark web.

The government of former president Joko “Jokowi” Widodo was in the process of drafting the implementing regulations for the privacy law, including one on the establishment of the new agency, but had still not produced them as his term ended and President Prabowo Subianto assumed power on Sunday.

The Communications and Digital Ministry insists that the law is already fully in effect as of last week, even though the government has yet to finish devising the necessary regulations required to form the agency, which will be answerable to the President.

The new agency will oversee data protection and impose administrative sanctions and non-judicial fines on any organizations, private or public, that fail to protect the personal data they collect, manage and process.

Having the new law come into force means that all data controllers or processors must have their security systems in place. This also means that any data handlers must already have appointed so-called data protection officers, who are tasked with ensuring compliance with the privacy law.

The communications ministry is the caretaker of the protection of personal data until the mandated oversight agency is formed.

The absolute lack of clarity as to when the definitive agency will be established is concerning for several reasons.

Who will keep tabs on which data handlers have set up firewalls or encryption systems? Who will identify which organizations already have data protection officers?

And most importantly, who will be authorized to act against non-compliant data handlers or those who fail to protect data privacy?

Security remains an unaddressed issue within government-built digital infrastructure, even after lawmakers passed the privacy law two years ago.

One of the most notable incidents was the major ransomware attack in July on a temporary national data center, which affected the databases of some 280 central and regional institutions and caused nationwide disruption to public services connected to the data center, including immigration services.

No one was held responsible for this failure to protect citizens’ personal data. Calls mounted on then-communications minister Budi Arie Setiadi to quit his job, even after he apologized for failing to prevent the chaos.

Other past cyber incidents have targeted the customer database of state-owned Bank Syariah Indonesia (BSI), as well as the government’s voter database, which was reportedly breached late last year at the start of campaigning for the 2024 general election.

Less than two months later, in August, a hacker going by the pseudonym TopiAx claimed to have stolen the data of 4.7 million civil servants from the National Civil Service Agency (BKN) database and uploaded it for sale on the hacking site BreachForums. The stolen data allegedly included the civil servants’ full names, employment records, email addresses and national identification numbers.

Digital rights group the Southeast Asia Freedom of Expression Network (SAFEnet) has recorded at least 133 cases of personal data leaks in Indonesia since lawmakers passed the privacy law, while cybersecurity company Surfshark found that 13.2 million internet accounts in Indonesia were breached over the same period.

Now that the law has come into force, an apology will not suffice whenever a personal data breach occurs.

But the privacy law will remain a paper tiger without any means of enforcement, unless the agency is established. This is particularly evident in the fact that no data handlers have been sanctioned for any data breach since the enactment of the law.

It will be the responsibility of the new communications and digital minister to complete the drafting of the government regulation to set up the cyber privacy agency. Data security cannot wait.
