ALSA Law Review Magazine Template

ALSA LAW REVIEW VOLUME 9 • ISSUE NO. 1 MAGAZINE JULY 2021 PERSONAL DATA PROTECTION


The ALSA Law Review Magazine (ALRM) is a student-edited academic law journal published by ALSA. ALRM aims to enhance the understanding of various nations’ point-of-view on a particular legal issue. ALRM also endeavours to be a platform for ALSA members to improve their research and writing skills by engaging in dialogue regarding current legal issues of international interest. It serves to broaden the knowledge of readers including law students, with regards to the legal issues in Asia.

EDITORIAL ADDRESS
Secretary Office of ALSA International

Faculty of Law Universitas Indonesia
Universitas Indonesia, 16424, Indonesia, Kampus UI Depok

alsainternational.org

President of ALSA International Board 2020/2021

Griselda Audrey Chandra

Vishnu Varna
Vice President of Academic Activities of ALSA International Board 2020/2021

Greetings from ALSA International!

I am Audrey, the President of ALSA International Board 2020/21. I proudly present the first ALRM on “Personal Data Protection”. Data privacy has always been important. It’s why people put locks on filing cabinets and rent safety deposit boxes at their banks. But as more of our data becomes digitized, and we share more information online, data privacy is taking on greater importance. Data privacy isn’t just a business concern. You, as an individual, have a lot at stake when it comes to data privacy. The more you know about it, the better able you’ll be to help protect yourself from a large number of risks.

I also would like to thank the contributors for your outstanding works and for those who have not contributed yet, I am looking forward to seeing your active contribution.

Strong Inside and Leading Outside

ALSA, Always Be One

Greetings ALSA members far and wide!

As neighboring countries, we should be attentive toward the problems, changes, and advancements experienced in each country to serve as examples, lessons, and even precedences in order to advance toward a better Asia. This ALRM serves to bring you an analysis on the issue of Personal Data Protection in Asia.

We hope you are immersed and able to gain a new legal perspective through this publication.

Warm Regards,
Vishnu


GREETINGS!

Director of Academic Publication of ALSA International Board 2020/2021

Nasya Ayudianti Ramadhani

Franz Albert Lantin
Senior Editor of ALSA Editorial Board 2020/2021

Greetings from ALSA International!

In the digital era where access to information becomes easier, the issue of data privacy naturally arises. With the fast development of technology, there needs to be an adequate development of legal instruments, to protect said data privacy. That is why the theme of Personal Data Protection is chosen for this ALRM to further understand the current legal instrument of personal data protection from diverse countries in Asia.

Thank you for the author's contribution to the law review magazine.

ALSA, Always Be One!


Senior Editor of ALSA Editorial Board 2020/2021

Antonio Castillo

Greetings from ALSA International!

I would like to thank all contributors of ALRM for their hard work and participation in submitting the article.

We look forward to your contribution towards other ALSA academic publications!

ALSA, Always Be One!


“Civilization is the progress of a society towards privacy” -Ayn Rand

In the current technological zeitgeist, where information is not just conveniently disseminated and accessed but also transformed and commodified, there is a question of how such openness of information interplays with the fundamental right of privacy. The articles in this issue of ALSA Law Review explore how the various Asian jurisdictions address this question and offer nuanced legal perspectives on the ever-evolving concept of personal data privacy.


Senior Editor of ALSA Editorial Board 2020/2021

Aaron Tan Kai Ran

M. Izzhar Aiman Bin Hamdan

Greetings from ALSA International!

Hi everyone! I am happy to present to you the ALRM!

This edition features a collection of thoughtful pieces on personal data protection that the team feels captures a wide breadth of commentary on the subject. Personal data protection is a constantly growing and evolving issue and I hope you can take away as much as I have from these articles!

ALSA, Always Be One!


Greetings from ALSA International!

I hope that reading this magazine will have an impact on and encourage you to have an impact on others. We may never know how much our words or actions influence the lives of those around us, but we can choose daily to be a positive influence on others in a way that could change the rest of their lives even if it is just within the walls of where you work.

ALSA, Always Be One!

Jyrus Buban Cimatu

Greetings from ALSA International!

The process of publishing ALSA Law Review Magazine has been a very eventful one and I hope everyone enjoys this academic publication. Thank you very much to all authors of ALRM who have dedicated their time and effort in contributing to the publications.

ALSA, Always Be One!

Senior Editor of ALSA Editorial Board 2020/2021

Senior Editor of ALSA Editorial Board 2020/2021


ALRM REVIEWERS

Dr. Izura Masdina, Faculty of Law, Universitas Malaya, Malaysia.

Mr. Romel Bagares, Lyceum of the Philippines University College of Law, The Philippines.

Dr. Syahirah Shukor, Faculty of Law, Universiti Sains Islam, Malaysia.

Mr. Fajri Matahati Muhammadin, S.H., LL.M., Ph.D., Faculty of Law, Universitas Gadjah Mada, Indonesia.

TABLE OF CONTENTS

1. The Challenges of Personal Data Protection and Public Information Disclosure in Indonesia (Ridea Oktavia, Indonesia)
2. Dual Challenges in Korea Arising from Current Data Governance Regulations (Bo Hyun Kim, South Korea)
3. Health Data and the Internet of Things in Indonesia: New Legal Challenges (Nuzul Quraniati Rohmah, Indonesia)
4. Analysis of the Planned Personal Data Protection Law of Indonesia, Article 54 Paragraph (2) (Muhammad Ardiansyah Arifin, Indonesia)
5. Is the Rights to be Let Alone Protected Under the Personal Data Laws? (Basil Rhodes Ghazali, Indonesia)
6. Indonesia Virtual Police and Tokopedia Data Breach: Urgency for Data Protection Law (Aulia Shifa Hamida, Indonesia)
7. Protecting Personal Data in the Era of Platform Ecosystems (Tran Ngoc Minh, Nguyen Van Thu, and Tran Duc Long, Vietnam)
8. Legal Issue on Data Protection in Malaysia: A Way Forwards (Sea Jia Wei, Malaysia)
9. Fintech’s Rise in the Time of Pandemic: Data Privacy Requirements (Gisela Tracy Gracia King, Indonesia)

Personal Data Protection ALSA Law Review Magazine

THE CHALLENGES OF PERSONAL DATA PROTECTION AND PUBLIC INFORMATION DISCLOSURE IN INDONESIA

By Ridea Oktavia

This paper discusses the challenges of protecting personal data and public information disclosure in Indonesia. This paper examines extensively the challenges in ensuring the protection of personal data in Indonesia. This article will give readers an understanding of how important it is to maintain personal privacy in order to avoid the impact of the misuse of personal data which is very detrimental to the victim. The research undertaken to compile this paper is normative juridical research, based on primary data in the form of legislation, namely the Republic of Indonesia Law 1945 and the Law on Public Information Openness, and the secondary data, namely academic papers and journals. The data analysis was carried out by using a qualitative approach, namely the analysis that was formed indirectly in the form of statements and writing. Conclusions are drawn using deductive logic by analyzing the challenges of protecting personal data and their relation to public openness. Based on the results of the analysis, it can be concluded that the main challenge of protecting personal data lies in public understanding and awareness of the privacy data itself. The openness of public information basically has an objective that is mutually exclusive from and complementary to the protection of personal data, even though in its implementation there are clashes, therefore it is important to harmonize the regulations, both on the side of personal data protection and on the side of openness of public information so that it does not conflict in the future.

BACKGROUND

The development of information technology today is much different and very fast compared to its early days. The era of globalization has placed information technology in a very important position because it presents a world without borders, time and space and can increase productivity and efficiency. Information technology has changed the attitudes and behavior of people globally which has led to significant changes in the economic, socio-cultural, and legal framework.1

The role of technology is an inseparable part of all aspects of human life. In almost all activities, humans take advantage of technology, both simple technologies, and very sophisticated ones; even current technological developments can change the way or pattern of communication in the public. Communication is made easier with the internet through social media that can be accessed by all groups. This certainly has the potential for data misuse during interaction between social media users. For example, this can happen when personal data of a social media user is used by other parties who are considered to be disturbing and endanger the owner of the personal data himself.

1 Ahmad M. Ramli, Cyber Law and Intellectual Property Rights in the Indonesian Legal System, Bandung: Armico, 1 (2013).

In recent years, the right to privacy protection has become a subject discussed in depth among academics, governments, and human rights activists. Discussions on the right to privacy protection surfaced with the widespread use of information technology and demands for information and data disclosure, especially those concerning information and data controlled by government agencies.

In the Indonesian context, privacy protection has actually been recognized for a long time. At least the Criminal Code contains several articles of criminal acts related to privacy, such as the prohibition of opening documents,2 the prohibition of entering private land or property,3 and other crimes related to occupation.4 Although it has been around for a long time, only on August 18, 2000, did protection of the right to privacy become part of constitutional protection.5

The government's efforts to disclose its information and data deserve to be well appreciated, because disclosure can also suppress corruption in the public sector. But at the same time, openness also creates a conflict of interests, namely the interest of openness with the interest of protecting the right to privacy. Law No. 14 of 2008 on Freedom of Information also puts special emphasis on personal information and data that are classified as exempt information.6 For this reason, these two rights must be balanced by making regulations or policies that protect information disclosure while also protecting the right to privacy.

2 Criminal Code of Indonesia, art. 431.

3 Criminal Code of Indonesia, art. 167(1).

4 Criminal Code of Indonesia, Chapter XXVIII concerning Crimes of Position.

5 1945 Constitution of the Republic of Indonesia, art. 28G.

ANALYSIS

The development of information technology today opens up great opportunities to obtain personal data information, but it also has a high potential for opportunities to violate the privacy rights of people in society. Threats occur not only due to the global development of information technology but also the resultant blurring of boundaries between national jurisdictions. Current developments also allow the transfer from one form of data to another.7 On the other hand, information disclosure and the right to privacy are two important things that go hand in hand, and both play an important role in making the government responsible to its citizens.

Sociologically, Indonesian people are very open to personal information. The low level of public understanding regarding personal data privacy is the main reason. The Ministry of Communication and Informatics (Kominfo) found that public awareness of personal data is still lacking, even as 93 percent of the public shares their personal data digitally, through social media.8 This has the potential for misuse of personal data by irresponsible persons. Examples include submitting a loan request with someone else's identity, online fraud using a stolen identity, and other heinous acts.

6 Law No. 14 (2008) concerning Freedom of Information, art. 17(g) & (h).

7 Electronic Privacy Information Center & Privacy International, Privacy and Human Rights: An International Survey of Privacy Laws and Practices, 4 (2006).

8 Kominfo, Lindungi Data Pribadi, Jangan Pasang Aplikasi Sembarangan! (2020) available at https://www.kominfo.go.id/content/detail/28293/lindungi-data-pribadi-jangan-pasang-aplikasi-sembarangan/0/berita_satker (last visited July 7, 2021).

However, the public generally has not placed personal data as part of the property that must be protected. This can be seen from the number of posts containing personal data content, both on a number of social media platforms as well as in various social networking groups. In addition, when using a number of electronic system platforms (e-commerce, online transportation, fintech, etc.), users generally do not fully understand the privacy policy, terms and conditions of service of each of these applications, especially those related to use of personal data. Protection of personal data is very important because if it is misused by data providers or third parties, then this can conflict with basic human rights to obtain privacy protection for personal data as well as losses arising from the misuse of data by these individuals. Unfortunately, the need for comprehensive personal data protection regulations has not been accompanied by a growing public awareness in protecting personal data.

In addition, if we look at the issue juridically, Article 28F and Article 28G(1) of the 1945 Republic of Indonesia Law apparently contradict. Article 28F reads:

“Every person has the right to communicate and to obtain information in order to develop his or her self and social environment, and has the right to seek, obtain, possess, store, process and convey information using all available types of channels”.9

This article gives freedom to everyone to obtain information and even has the right to store, process and convey information. In contrast, Article 28G(1) reads:

“Every person has the right to protection of his or her person, family, honor, dignity, and property under his or her control, and has the right to a sense of security and to protection from the threat of fear to do or not to do something that is a human right.”10

In the article, it is stated that every person has the right to personal protection, including protection of data privacy. The next conflict is between article 28F which states the right of a person to obtain information, with the provisions of Article 28H paragraph (4) which regulates the provisions regarding the right to have personal rights where these rights cannot be taken arbitrarily. This personal right includes the right to a person's personal data. Thus there is a potential conflict between the right to information and the right to privacy in its implementation aspect. On one hand, the right to information prioritizes the individual's freedom to seek all the information he wants; on the other hand, the right to privacy exists and limits the space for individuals to seek certain information about a person's personal data. This certainly creates multiple interpretations and regulatory weaknesses, because the law does not state clear boundaries regarding what and who has the right to obtain, own, store, manage one's personal data, so this is a great opportunity for individuals to misuse someone's personal data. Therefore, both must be limited and implemented in a balanced manner for the realization of security and convenience of interaction between the government and citizens and among fellow citizens.11

9 1945 Constitution of the Republic of Indonesia, art. 28F.

10 1945 Constitution of the Republic of Indonesia, art. 28G(1).

Limitation can be done by making a legal product in the form of a law that contains more detailed regulations related to the protection of personal data, where this regulation will clearly and precisely determine the restrictions so as not to create ambiguity. This is the urgency of the enactment of the Personal Data Protection.

CONCLUSION

Based on the results of the above analysis, the authors conclude that there are several challenges in protecting personal data and public information disclosure in Indonesia. First, the public is very open to personal information, especially on social media. The low public awareness of personal data privacy is one of the main causes and challenges, so it is necessary to increase the literacy of personal data protection to provide understanding as to what kind of data can be shared and vice versa and the impact in the event of misuse of personal data.

Second, at the constitutional level there are several clauses that have contradictory meanings, namely in article 28F, 28G paragraph (1), and 28H paragraph (4) of the 1945 Constitution of the Republic of Indonesia. Article 28F provides for the freedom to obtain information and the right to obtain information to store, process and convey information; however, Article 28G paragraph (1) states that everyone has the right to personal protection, including protection of privacy data. Furthermore, Article 28H paragraph (4) regulates the provisions regarding the right to have personal rights where these rights cannot be taken arbitrarily, which includes the right to personal data. This raises ambiguity because the articles do not include clear limitations and open up greater opportunities regarding the misuse of someone's personal data which of course causes harm to the victim. Therefore, it is important to provide limitations on a provision so that regulations can be understood and can be firmly enforced. The way that can be done for this restriction is to legalize the Draft Law on Personal Data Protection so that it has a standard and comprehensive rule to ensure the protection of personal data of Indonesian citizens.

11 Dani Primary Huzaini, Kebebasan Informasi Versus Hak Warga Negara atas Privasi (2018), available at https://www.hukumonline.com/berita/baca/lt5a810824d134a/kebebasan-informasi-versus-hak (last visited July 7, 2021).

DUAL CHALLENGES IN KOREA ARISING FROM CURRENT DATA GOVERNANCE REGULATIONS

By Bo Hyun Kim

1. INTRODUCTION

The National Assembly passed amendments to Korea’s three main data privacy laws (effective August 5, 2020), paving the way for a digital economy under the Moon administration’s Korean New Deal plans. Marking a shift from previously stringent regulations, such changes appear to be highly beneficial. They create favorable regulatory conditions for the domestic data market, whose growth had been sluggish compared to its global counterparts.

However, recent events have raised tides of concern regarding data governance. It began with the data leak dispute involving 5 million users from Korea’s popular GPS location service, Kakao Map. The second tide surged when Luda, a deep learning AI chatbot, collected 10 billion user conversations on Kakao Talk, the nation’s no. 1 messenger application, without consent. Against this backdrop, the challenge here is two-fold. On the domestic level, there are several questions that have to be answered. What constitutes ‘reasonable grounds’ for personal data use without the data subject’s express consent under the amendments? What is the scope of ‘personal information’ within the meaning of current privacy laws? On the international level, what are the implications of the amendments on the ongoing EU-Korea dialogue related to the EU’s adequacy decision?

This article seeks to offer a framework for answering the above questions. First, it will provide a tour d’horizon of the current stance of the three main Korean data privacy laws. Second, it will examine whether recent controversies can be adequately addressed by existing normative regulations. Lastly, it will provide proposals to foster accountability of data-driven sectors without subjecting them to unduly burdensome compliance of privacy laws.

2. RECENT AMENDMENTS TO THE THREE MAJOR DATA PRIVACY LAWS

Korea’s three major data privacy laws are: the Personal Information Protection Act (“PIPA”), the Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”), and the Credit Information Use and Protection Act (“Credit Information Act”).

2.1. General Legislation: the PIPA

The PIPA is a general legislation that purports to regulate the use of data by prescribing the processing and protection of personal information. Under the amendments, the PIPA conferred centralized power to the Personal Information Protection Commission (“PIPC”), elevating its status to an independent, ministerial-level regulatory body under the auspices of the Prime Minister’s Office. The PIPC (i) implements and facilitates consultation on personal information protection among pertinent central administrative agencies, (ii) assesses data breach incident factors and investigates violations, (iii) imposes payment of penalty surcharges on the violator as necessary, (iv) develops guidelines on implementation plans, sub-plans by sector, policies, etc. related to personal information protection, and (v) oversees the Dispute Mediation Committee charged with mediating and settling individual and collective disputes related to personal information.12

Another principal amendment to the PIPA is that it permits data controllers’ use of personal data without the data subject’s consent ‘within a scope reasonably related to the initial purpose of collection.’13 The ambiguity underlying this language regarding the extent of reasonable scope of data use without consent implicates interpretative questions as will be discussed in later sections. Also noteworthy are the special provisions regarding the processing of anonymized information under the PIPA. Anonymized information refers to personal information processed in a way that the data is no longer identifiable to an individual without some use or combination of additional information. Such data may only be used without the data subjects’ consent for statistical information, scientific research, or for public record keeping and does not extend to use for commercial or business purposes. While the concept of anonymized data purports to foster flexible data use, it is not without attendant risks because mischaracterization of ‘personal data’ as ‘anonymized data’ may subject the violator to criminal sanctions, such as fines up to 3% of its total revenue.14

12 Act No. 16930 of the Republic of Korea (2020), art. 7.

13 Id. at art. 15(1)(6).

2.2. Sector-Specific Legislations: The Network Act and the Credit Information Act

The Network Act and the Credit Information Act pertain to sector-specific data protection legislations. The Network Act previously included provisions governing personal data protection by information and communications service providers. However, such provisions were transferred to the PIPA after the amendment.15 Finally, the Credit Information Act, which was enacted to establish sound credit transactions by promoting efficient management and preventing misuse of credit information, saw an expansion in its scope of applicability to encompass not only financial institutions, but also all commercial companies under the amendments.16 Such extensive changes seem to be a conscious response to achieving compliance with the GDPR, which the Korean data privacy regulatory framework is modeled after.

14 Id. at art. 28-6(1).

15 Act No. 16930 of the Republic of Korea (2020), Ch. VI.

16 Exec. Order No. 17354 of the Republic of Korea (2020).

3. THREE ISSUES RAISED BY THE KAKAO MAP AND LUDA CONTROVERSIES

Pertaining to the aforementioned Kakao Map and Luda controversies, a review of case law reveals an absence of precedents on (1) the requisite specificity of language and proper means of obtaining users’ consent in collecting personal information; (2) the interpretation of ‘reasonable scope’17 for collecting personal data without express consent; and (3) the scope of ‘personal information’ within the meaning of current data privacy laws. These three issues will be examined in connection with the two events, followed by an analysis in light of current legislations and pertinent case law.

3.1. The Concept of ‘Proper Means’ of Obtaining Users’ Consent

First, the Kakao Map controversy illustrates grey areas arising from questionable consent clothed with a "fig leaf." Kakao Map Favorites, a popular feature of the location service application, allows users to save frequently visited sites, such as their workplaces, children's schools, friends' homes, and favorite restaurants. Following the leak of data collected from the feature, Kakao Map denied having violated any personal information protection laws on grounds that they had provided clear guidelines before obtaining users' permission to collect such data.18

However, Kakao Map users pointed out that the verification message regarding the disclosure of information for public access may be inconspicuous or hardly recognizable depending on users' mobile phone displays.19

When saving a place on the application for the first time, the application generates a pop-up window seeking consent that may not be immediately visible if, for instance, it is covered by keyboard layouts. Accordingly, the oblivious user that swipes "next" would automatically be subjected to the default setting allowing disclosure of its information.20 Hence, this raises the first point as to whether the service provider’s specific method of collecting information was explicit and in a manner easily identifiable by average users.

17 Act No. 16930 of the Republic of Korea (2020), art. 15(1)(6).

18 Hae-yeon Kim, Kakao Map faces user data leak dispute, The Korea Herald (Jan. 15, 2021, 5:42 PM), http://www.koreaherald.com/view.php?ud=20210115000801.

19 Id.

3.2. The Interpretation of ‘Reasonable Scope’ of Collecting Personal Data and ‘Personal Information’ under the PIPA

Likewise, the Luda controversy invokes the second and third issues on statutory interpretation. The initial input data for the conversational AI Chatbot, Luda, was based on conversation patterns between young couples from actual KakaoTalk message data retrieved from the application, Science of Love launched by Scatter Lab, Luda's developer. Launched in 2016, Science of Love provides dating advice by analyzing the degree of affection between its users as manifested in their text exchanges.21 Scatter Lab apologized, commenting that it had attempted to adhere to guidelines for personal information use but did not "sufficiently communicate" with its data subjects which amounted to 750,000 users since its launch.22 Scatter Lab further stated that in developing the chatbot, it had admittedly failed to remove all personal data depending on the context, despite efforts to render all data unidentifiable to individual users by removing sensitive personal information (names, addresses, phone numbers) via filtering algorithms.23

20 Id.

21 Eun-jung Kim, (News Focus) Chatbot Luda controversy leave questions over AI ethics, data collection, Yonhap News Agency (Jan. 13, 2021, 2:22 PM), https://en.yna.co.kr/view/AEN20210113004100320.

22 Id.

Accordingly, Scatter Lab utilized such data without notice and prior consent from users to channel their data into developing its new AI chatbot business. Thus, this addresses the first and second issues regarding the specificity of language or lack thereof in obtaining users' consent and in assessing justifiable grounds proffered by businesses in interpreting the 'reasonable scope' of personal data collection without express consent.

Moreover, although Scatter Lab has obtained comprehensive consent from end users regarding personal information use for marketing and advertising purposes, its failure to obtain consent for personal information use from a third party that does not use its services may constitute an invasion of privacy. This is because in transmissions of electronic communications data, a chat room participant on the other end of the conversation may be as much a data subject as the chat user from which express consent has been obtained.24

Therefore, this directly relates to the third issue: defining 'personal information' within the meaning of current privacy laws and whether it encompasses such third parties that could inevitably be involved, depending on sector-specific treatment of data. At present, there is no relevant case law. However, ascertaining whether collecting data without consent from chat room participants on the other end of the conversation thread likewise brings it within the proscriptions of the PIPA is a matter warranting attention for service providers.

23 Id.

24 In Hae Sohn, '개인정보유출논란'이루다개발사,'고지·안전조치 의무 위반' 쟁점 [Developer of Luda mired in ‘dispute over personal information leak’ faced with ‘violations of notification requirements and procedural safeguards’], News1 (Jan. 15, 2021, 7:20 AM), https://news1.kr/articles/?4181567.

4. SEEKING THE DATA SUBJECT’S CONSENT AND CONSTRUING “FRAUD, IMPROPER OR UNJUST MEANS” AS DEFINED IN THE HOMEPLUS CASE

4.1 The Homeplus Case and its Analytical Framework

Notwithstanding the absence of a case in point, the Homeplus case25 may shed some light, suggesting the determinative issue to be whether information was acquired by “fraud, improper or unjust means” in violation of Article 59 of PIPA.26 In Homeplus, the defendant, Homeplus Co., Ltd. organized 11 giveaway events from 2011 to 2014, collecting 7.12 million items of personal information, of which roughly 6 million items were sold to third party insurance companies for KRW 11.9 billion. Prizes for the giveaways ranged from a Mercedes-Benz car, a diamond ring, to Samsung air conditioners. The defendant advertised the event via multiple channels of marketing such as fliers, online channels, and even receipts. The advertisements included images of the prizes along with the phrases, “14th anniversary festival,” “celebration of the group’s 5th anniversary,” “rooting for victory in the Brazil World Cup Games,” etc. Raffle tickets for the events printed, in 1mm-sized font, the following provisions: “[Consent to Collection, Management, Entrustment, and Use of Personal Information] The purpose of the collection and use of personal information is to send notices on giveaway events and winners, provide information for insurance marketing purposes, and promote products and services of the company’s partners.”27

25 2016Do13263, Supreme Court Library of Korea (2017).

26 Act No. 16930 of the Republic of Korea (2020), art. 59(1).

The barely legible fine print on the back ofthe raffle tickets and promotional websiteincluded a “[Provision of PersonalInformation to Third Parties]” listingrecipients of the personal information andinforming customers that the informationcollected “will be used for marketing purposessuch as telephone marketing of insuranceproducts.”28 The acquired information wassold for KRW 1,980 each, pursuant to abusiness partnership agreement with twoinsurance companies.

The Court held that despite seeking consent in acquiring and managing personal information from its customers, the defendant had used “fraud or unjust means” to do so under Article 72(2) of the PIPA.29 Hence, its conduct constituted a violation of the PIPA when it acted with a hidden intent to collect and sell its customers’ personal information to insurance companies for a price, rather than for legitimate purposes such as increasing sales by attracting a wider customer base. It reasoned that the defendant (a) printed the details related to personal information collection and management in barely readable 1mm-sized font; (b) took full advantage of the hectic atmosphere during the period of the event to lure participants with images of expensive prizes on its advertisements; and (c) had participants provide consent without knowledge of the third party provision regarding information acquisition and management, deceiving or misleading customers into perceiving it as a mere thank-you event.30

30 Id.

29 Id. at Na(3)(3).

28 Supra, note 16, at Na(2)(4).

27 2016Do13263, Supreme Court Library of Korea (2017).

Moreover, the Homeplus Court established that a personal information manager’s act of seeking consent thereof should not be the sole factor in determining the use of false or other unlawful means to obtain consent on acquisition or management of personal information. Rather, it provided a non-exhaustive list of factors to take into account when examining the personal information manager’s obtaining consent:

(i) motive and purpose of collecting, etc. personal information; (ii) relevance between the purpose of collection and personal information to be collected; (iii) specific method used to collect, etc. personal information; (iv) compliance with relevant statutes such as the PIPA; and (v) contents and volume of personal information acquired, namely, whether sensitive and unique identification information were acquired.31

Thus, such a list of inquiries laid the foundation for further expansion in progeny cases.

4.2 Implications of the Homeplus Case on the Two Controversies

Applied here, the lack of an easily identifiable method of personal information collection in the Kakao Map controversy; the attenuated relevance between the initial purpose of collection and subsequent use of personal information in the Luda controversy; and Homeplus’ transfer of personal information collected under the pretense of a giveaway event may all constitute failure to obtain lawful consent without justifiable grounds.

31 Id., at Na(1).


4.2.1 Reflecting on Active Consent and Consumer Sovereignty through Kakao Map

In Homeplus, the barely legible 1mm-sized fine print on the back of raffle tickets was one of the pertinent factors in the Court’s decision. This is because the provision of personal information to third parties (i.e. insurance companies) was a critical element that could have influenced a consumer’s decision to participate or not in the giveaway event.32 Likewise, due to the lack of visibility of the pop-up window verifying consent, Kakao Map users had unwittingly consented to disclosing their personal information for public access. Had the message been clearly disclosed and communicated to consumers, it would have prevented them from blindly proceeding to the next step in using the application feature. Such a method of obtaining consent seemingly falls short of an explicit method average users can easily identify with, or one that would ensure them that their personal information would be collected based on their express consent.33

Further, the fact that the default setting was preconfigured to allow public disclosure of information even without users’ active consent is a point of concern. In response, Kakao Map raised the defense that location data pertains to information open to any member of the public, and that information added to the list of favorite places would not necessarily fall under personal information because location data alone, without more, cannot be used to identify an individual. Nevertheless, Kakao Map proceeded to change its default settings to private shortly thereafter. Some professionals and users opined that depending on the circumstances,

33 2014Du2638, Supreme Court Library of Korea (2016).

32 Supra, note 16, at Na(3)(1).

location data may also be used to identify individual users;34 hence, location data would also fall within the scope of personal information. As such, adopting regulations or platforms enabling consumer sovereignty in data processing like Personal Information Management Systems (PIMS) may be a prudent solution to privacy issues companies face in their current data management practices in their roles as data collectors.

Meanwhile, regulations such as the EU GDPR require privacy by default, ensuring that only the data necessary to achieve the purpose specified and informed beforehand is disclosed, while minimizing accessibility to personal data. Cases such as Planet49 GmbH35 are illustrative of this point. There, an internet user was confronted with two checkboxes before pressing the ‘participation button’ in order to participate in a lottery organized by Planet49.36 The pre-checked boxes required the user to accept contact for promotional offers and to consent to the installation of cookies, which the user left checked per the default setting. The Court of Justice of the European Union (“CJEU”) dealt with the issue of whether the user’s action of leaving the boxes checked could be deemed consent. The CJEU found there was no “valid consent” under Articles 2(f) and 5(3) of the e-Privacy Directive37 of the European Parliament. It emphasized consent as a feature underlying EU data protection

37 Directive 2002/58/EC, arts. 2(f), 5(3), 2002 O.J. (L 201) 43, 44.

36 Id. at paras. 26-28.

35 Case C-673/17, Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., ECLI:EU:2019:801 (Mar. 21, 2019).

34 Jong Hyun Lee, 이루다, 카카오맵 개인정보유출…데이터 활용 기조가 흔들린다 [Luda and Kakao Map Personal Information Leaks…Shifting Trends in Data Use], Digital Daily (Jan. 19, 2021), http://www.ddaily.co.kr/news/article/?no=208085.


law, which stipulates that the data subject indicates its wishes with active, rather than passive behavior, such that it has unambiguously given consent.38 Thus, the user’s declaration of consent was found insufficient because it had been pre-formulated.

In light of the fundamental principles of personal information protection prescribed by the GDPR, it may seem reasonable to implement measures ensuring that the strictest privacy settings apply by default. On the other hand, industry professionals have also pointed out that ‘opt-out’ methods, wherein users provide comprehensive consent while objecting to use of data for certain purposes, have proven more advantageous for big data service providers launching new services.39

This is because the current big data era inevitably relies upon tailored content created by amalgamating different data. Considering this, subjecting domestic businesses to regulations differing from their global counterparts may decrease their competitiveness in the market.40

4.2.2 Luda and the Collection of Information Disparate from its Original Purpose

The Homeplus case suggests that the mere seeking of consent in obtaining personal information for the possibility of using collected data to develop new services may not be able to take the case out of the proscriptions of the PIPA. Homeplus sought consent and obtained personal information

40 Id.

39 Mi Seon Kang et al., 동의 받으면 또 동의 버튼, 국내기업은 괴롭다 [Consent after consent, a hassle for domestic businesses], Money Today (Oct. 4, 2019, 4:30 AM), https://news.mt.co.kr/mtview.php?no=2019100319315152455.

38 Id. at para. 52.

under the pretenses of giving away free prizes as part of a consumer appreciation event. Likewise, Scatter Lab collected personal information like the users’ name, sex, age, marriage status, which users had deemed to be purely for purposes of providing paid dating advice.41 While Scatter Lab did include a minor provision informing users their information would also be used for purposes of developing new services and marketing, the provision was ambiguous on its face regarding the possibility of utilizing their personal chat room data as the basis of a deep-learning algorithm platform.42 This is because it may be found to have misled Science of Love users by collecting and reusing such information for a purpose disparate from its original one. Consequently, such practices may constitute “a violation of the principle of safe-guarding personal information and relevant obligations under the PIPA...as well as relevant provisions under the PIPA which provide for a personal information manager to collect only the minimum information necessary to achieve the relevant purpose … ”.43

Because the aforementioned issues have yet to be adequately addressed by the Korean judiciary, it is expected that seminal precedents will be established for future cases, should the two much-debated incidents proceed to court.

43 2016Do13263, Supreme Court Library of Korea (2017).

42 Id.

41 Min Seon Kim, 개인정보 유출 논란 '이루다' DB 및 대화 모델 폐기 [‘Luda’ to discard DB and deep learning algorithms after personal information leak], ZDNet Korea (Jan. 15, 2021, 2:23 PM), https://zdnet.co.kr/view/?no=20210115114216.


5. OUTLOOK ON FUTURE REGULATORY DEVELOPMENTS IN KOREA

In response to such ramifications, general regulatory safeguards would likely be fortified, rather than limit penalization to a case by case basis. While privacy should not be overlooked incidental to technological development, the consensus seems to be that regulations should not go so far as to inhibit growth.44 Rather than exploit loopholes by foregoing processes of obtaining consent, private actors must clearly notify end users regarding data management procedures so privacy protection may accord with, rather than diverge from, technological advancement. In the meantime, it would be prudent for businesses to closely monitor the PIPC’s administrative and enforcement activities, re-evaluating and revising their compliance measures at appropriate intervals.

Of note is the PIPC’s announcement to conduct investigations on approximately 400 infringement cases during the first half or third quarter this year, including the Kakao Map and Luda incidents.45 Based on the investigation results, it intends to issue regulations on AI personal information protection in March to serve as guidelines for

45 Hong Seop Lee, 개인정보위 "밀린 사건 400건 상반기에 정리…이루다 관련 다각도로 검토 중" [PIPC to deal with 400 cases pushed back in the first half of this year…Luda controversy and its attendant issues under review from a macro perspective], Edaily (Feb. 24, 2021, 3:44 PM), www.edaily.co.kr/news/read?newsId=04073766628953800&mediaCodeNo=257&OutLnkChk=Y.

44 Jong Hyun Lee, 이루다, 카카오맵 개인정보유출…데이터 활용 기조가 흔들린다 [Luda and Kakao Map Personal Information Leaks…Shifting Trends in Data Use], Digital Daily (Jan. 19, 2021, 7:58 AM), http://www.ddaily.co.kr/news/article/?no=208085.

big data service providers.46 The regulations will embody the following three principles: (1) ‘legality,’ allowing users to clearly recognize the purpose of collecting personal information and consent in advance; (2) ‘safety,’ dealing with mechanisms such as encryption and de-identification of personal information; and (3) ‘transparency,’ in relation to the scope and duration of personal information use and AI service operations.47

Conversely, AI technology will not only be subject to regulation, but will also be utilized for regulation. In its recent press release, the PIPC announced plans to develop an ‘AI personal information infringement prevention support system’ to evaluate whether only a bare minimum of strictly necessary personal information is legitimately being collected under current bills and ordinances.48 Unlike legislation, bills and ordinances are not subject to mandatory assessments by central administrative agencies in determining whether they infringe personal information,49 forming a blind spot for regulating personal information management. However, with the implementation of the new system, the PIPC seeks to prevent excessive collection of personal information by the government and public sector actors. This globally unprecedented AI system will be utilized to (1) analyze whether new and current bills and ordinances involve personal information infringement risks, (2) recommend analogous precedents to assess infringements and suggest new standards based on processes driven by

49 Id.

48 Press Release, Personal Information Protection Commission (PIPC), PIPC to enhance personal information protection of Korean citizens using AI-driven technology, (Feb. 24, 2021).

47 Id.

46 Id.


machine-learning, and (3) draft infringement evaluation reports and resolutions.50

6. KOREA-EU GDPR DEVELOPMENTS AND ITS IMPLICATIONS FOR DOMESTIC ACTORS

On the international level, coherent coordination seems to be taking place toward enhancing prospects of receiving the much-awaited adequacy decision from the European Commission (“EC”) which will provide the requisite legal basis for data transfer pursuant to Article 45 of the GDPR. This is due, in part, to recent legislative changes and transformation of the PIPC into a centralized privacy regulatory authority which the EC previously found lacking.51

Indeed, such centralization will greatly enhance efficiency in promoting compliance by businesses, and in ensuring the PIPC’s independence in administering data protection tasks.52 Once the EC approves the level of Korean data protection, cross-border data transfers and Korean businesses’ collection of data from EU residents will be facilitated and accelerated to a greater degree.

6.1 Regulatory and Business Implications

Meanwhile, businesses should systemize measures to address pervasive challenges by establishing cross-functional teams to engage in regular monitoring of data subjects on a large scale. Designating a Data Protection Officer pursuant to Article 37 of the EU GDPR would facilitate compliance not only with internal policies and GDPR, but also with other EU data protection laws, while enhancing cooperation with supervisory

52 Supra, note 40.

51 Nicola Casarini, EU-Korea Security Relations (Nicola Casarini ed., 1 ed. 2021).

50 Supra, note 48.

authorities. Moreover, periodic exchanges of internal reports tracking GDPR infringement cases from other jurisdictions and implementing changes that are found necessary upon re-evaluating their practices, would ensure compliance with the GDPR. This is particularly important in the face of special events like mergers and associated cost-cutting that may potentially trigger cyber breaches. The Marriott case53 is illustrative of practical considerations for regulators and senior business managers in this regard.

In 2014, an estimated 339 million guest records worldwide from the Starwood Group were leaked, of which approximately 30 million were residents of 31 countries in the European Economic Area at the time, including 7 million UK residents. However, the data breach was only revealed in 2018, after Marriott acquired Starwood Group (“Starwood”) in 2016. Where a case involves cross-border data processing as in Marriott, “the supervisory authority of the main establishment…of the controller or processor” is designated to act as a lead supervisory authority under Article 56 of the GDPR.54 Accordingly, in that case, the UK’s Information Commissioner’s Office (“ICO”) acted as the lead supervisory authority on behalf of all EU authorities since the breach occurred before Brexit.55 The ICO ultimately issued a monetary penalty notice, fining Marriott £18.4 million (mitigated from an initial £99 million) on grounds that it had failed to process personal data in a manner

55 Supra (Nicola Casarini), at 2.19.

54 Council Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119).

53 COM0804337, ICO v. Marriott International, ICO Penalty Notice (2020).


ensuring appropriate security of the personal data pursuant to Articles 5(1)(f) and 32 of the GDPR. Namely, it identified several security failures on the part of Marriott, including, inter alia, insufficient monitoring of privileged accounts that would have detected the breach and failure to apply wider encryption to other categories of non-payment related personal data (e.g. passport numbers).

Marriott later pointed out that during its acquisition of Starwood, it had only been able to conduct limited due diligence on Starwood’s data processing systems and databases. Additionally, it was revealed that to save costs stemming from the merger, most staff, including IT and cybersecurity professionals, had been dismissed. However, while acknowledging that there may be circumstances where in-depth due diligence of a competitor may not be possible during a takeover, the ICO held that the period relevant to its finding of infringement was when the GDPR entered into force. At that point, the question turned on Marriott’s adequate management of Starwood systems. Hence, as the controller of its guests’ personal data within the meaning of Article 4(7) of the GDPR, Marriott’s infringements constituted a serious failure to comply with the GDPR because it had been retaining and continuing to use Starwood’s IT systems post-acquisition without securing the requisite technical and organizational measures.

Considering the foregoing, it has been suggested that to ensure transparency, regulators may consider compelling boards of directors to make representations on the cybersecurity exposure of their company or to impose disclosure requirements about the company’s plan to protect the data

infrastructure after a takeover.56 Moreover, a prospective purchasing firm could hedge its risk by implementing due diligence questionnaires with a chain of inquiries regarding the IT, security, compliance, and other crucial areas controlled by the target company, binding the latter with warranties to those questions. Even after the purchasing firm acquires the target company, it should exert reasonable efforts to conduct an examination verifying whether any potential risks have indeed been adequately addressed, thereby avoiding risks of inheriting liabilities from the acquired business as in Marriott.

6.2 Other Emerging Trends

Another emerging trend in the CJEU’s preliminary judgments is that whereas the majority of cases involving GDPR infringements were previously concentrated amongst EU Member States, recent cases increasingly impose hefty fines for violation of regulations relating to personal data transfers to a third country.57 Accordingly, the national profiles of regulated companies are becoming more diverse as it relates to data controllers and processors.58 As such, data exporters and importers should identify and document all cross-border data transfer and assess whether the third country’s legislation allows adequate protection compliant with GDPR and CJEU judgments.

58 Kyu Yub Lee & Jun Hyun Eom, A Study on CJEU Cases on GDPR and Their Implications for Korea. 102. (2020).

57 See, e.g., PS/00059/2020, Resolución de Procedimiento Sancionador [Resolution of Sanctioning Procedure] re Vodafone España, S.A.U (2020).

56 Shivaram Rajgopal & Bugra Gezer, The Marriott Breach Shows Just How Inadequate Cyber Risk Disclosures Are, Harv. Bus. Rev. (Mar. 5, 2019), https://hbr.org/2019/03/the-marriott-breach-shows-just-how-inadequate-cyber-risk-disclosures-are.


Moreover, current data privacy regulations tend to impose broad-sweeping liabilities, requiring managers to secure organizational and technical measures to negate attendant risks even for incidents which they may fall victims to, thus rendering them non-compliant with the GDPR, including, but not limited to, cyber-attacks, data theft, and cyber fraud.59 For instance, the French data protection authority recently issued an enforcement action against a data controller (EUR 150,000) and its data processor (EUR 75,000) for failure to take adequate security measures related to credential stuffing.60 Contractual measures may also be taken in conjunction with organizational and technical measures, via language including obligations for data importers to employ necessary measures to protect transferred data.61

Therefore, raising cyber security awareness would be key to integrating such measures into practice, and may be achieved by implementing internal policy actions and educational programs to fill in the gaps.

Finally, last November, the EC published a Proposal for a Regulation on European data governance (Data Governance Act) facilitating the reuse and sharing of data across sectors and Member States, thus building a European single market for data.62

62 Proposal for a Regulation of the European Parliament and of the Council on European data

61 Eur. Data Prot. Bd., Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (2020).

60 Commission Nationale Informatique et Libertés, « Credential stuffing » : la CNIL sanctionne un responsable de traitement et son sous-traitant [“Credential stuffing”: CNIL sanctions a data controller and its data processor] (Jan. 27, 2021), www.cnil.fr/fr/credential-stuffing-la-cnil-sanctionne-un-responsable-de-traitement-et-son-sous-traitant.

59 See, e.g., IN-19-1-1, Decision of the Data Prot. Comm’n in the matter of Twitter Int’l Co. (2020).

While the proposal is still undergoing debate by the European Parliament, it adds a layer of uncertainty for businesses, for instance, in the context of non-personal data. This is because under the proposal, non-personal data subject to the rights of others “should be transferred only to third-countries where appropriate safeguards for the use of data are provided” to “ensure the protection of fundamental rights…of data holders.”63 Ascertaining the level of appropriateness will be challenging, while it is unclear whether model contract clauses from the EC will be provided to ensure the requisite standards are met. This is pertinent as model clauses add complexity, considering that they have been the frequent subject of legal disputes.64 Future developments should be closely monitored in anticipation of the adoption of the Act.

7. Conclusion

Notwithstanding transformative changes to privacy laws compliant with the data era, practice reveals weak procedural safeguards and ambiguity in statutory interpretation, contributing to a lack of accountability for data processing. This calls for a heightened understanding of the obscure risks inherent in personal data use. While current case law may be insufficient to account for such unprecedented challenges, the Homeplus case carries meaningful implications for a burgeoning shift from a business-centric to a user-centric data governance model that may serve as a guidepost in revamping regulatory

64 Matthew Newman & Mike Swift, SCC guidance in wake of Schrems II decision landing 'very soon,' EU official says, mlex (Oct. 27, 2020, 10:09 PM), https://mlexmarketinsight.com/news-hub/editors-picks/area-of-expertise/data-privacy-and-security/scc-guidance-in-wake-of-schrems-ii-decision-landing-very-soon.

63 Supra, note 51, at par. 15.

governance (Data Governance Act), COM (2020) 767 final (Nov. 11, 2020).


schemes. Further, as it relates to EU-Korea GDPR compliance, recent developments are corroborative of a positive alignment of a common understanding between the two parts. Nonetheless, substantive and diverse means of bilateral cooperation and coordination may be further enhanced.


HEALTH DATA AND THE INTERNET OF THINGS IN INDONESIA: NEW LEGAL CHALLENGES

By Nuzul Quraniati Rohmah

1. INTRODUCTION

The term “Internet of Things” was first mentioned by Kevin Ashton in 1999, during a presentation he gave while working at Procter & Gamble.65 The Internet of Things (IoT) is a new concept of the internet, where devices around us can link to each other by using internet networks. An example is a smartphone that connects with wearable devices; this gives the impression that the devices can communicate with or understand each other. The Internet of Things (IoT) has since spread its wings and is able to cover all sectors, such as education, business, agrotechnology, and health.

The use of the Internet of Things (IoT) in the health sector is a renewal of clinical medical activities, and the intention of relying on this technology in the health sector is to increase the efficiency and effectiveness of health services. A form of the Internet of Things (IoT) that is often found is the EHR (Electronic Health Record); the EHR is a renewal of the use of paper, which is still often used to fill in and store health data.66 The Electronic Health

66 Nina Rahmadiliyani, Putri, Rina Gunarti, Implementation of Electronic Health Record (EHR) in Outpatient Polyclinic at the General Hospital of Ratu Zalecha Martapura, IX Indonesia Health Journal, 1-10, (2019).

65 Somayya Madakam R, Internet of Things (IoT): A Literature, 3 Journal of Computer and Communication 1-10, (2015).

Record (EHR) is a digital version of the health data files, which makes it efficient for medical staff to find a patient's data among thousands of files of other patients. However, behind the convenience, there remains a threat: the potential for personal data leakages.

In the General Data Protection Regulation (GDPR), personal data is defined as any information relating to an identified or identifiable person, and it must be collected in accordance with Article 5 of the GDPR. Under that article, data must be:

1. Collected for specified, lawful and explicit purposes and not processed in a manner incompatible with it.

2. Processed legally, fairly, and transparently.

3. Processed to ensure proper data security; fair, relevant and limited to what is required in relation to the purpose for which it is processed.

4. Accurate and up to date.

5. Stored in a form that allows identification of data subjects no longer than that required for processed purposes.


6. Controlled by controllers who are in charge of data and are able to demonstrate compliance.67

Technological development is also followed by the development of crimes: cases of leakage and misuse of personal data continue to increase every year, especially during the COVID-19 pandemic. In June 2020, the public was shocked by the news of the leakage of Indonesian COVID-19 patient data. An account on the dark web named "Database Shopping" is known to have 230.000 Indonesian COVID-19 patient data, where the data was found to contain personal information of the patients such as their name, telephone number, PCR results, and the place where the patient is treated.68 Following this incident, the government has received plenty of public criticism; it has been perceived to have neglected patient rights as regulated in Article 32 of Law No. 44 of 2009, which mentions the right of every patient to obtain privacy and confidentiality of the illness, including medical data.69

This is not the first time that Indonesia has experienced data leakages. There was a leak of personal data of Tokopedia e-commerce users, amounting to 91 million, in July 2020.70 The incidence of leakages of

70 Mohammad Bernie, 91 Million Tokopedia User Data Leaked and Spread on Internet Forums (2020), available at https://tirto.id/91-juta-data-pengguna-tokopedia-bocor-dan-disebar-di-forum-internet-fNH1 (last visited July 7, 2020).

69 Law No. 44 of the Republic of Indonesia (2009), on Hospital, art. 32.

68 Vina Fadhrotul Mukaromah, Covid-19 Patient Data Suspectedly Leaked, Why Could This Happen? (2020), available at https://www.kompas.com/tren/read/2020/06/20/180500065/data-pasien-covid-19-diduga-bocor-mengapa-hal-ini-bisa-terjadi?page=all (last visited July 7, 2020).

67 The General Regulation Data Protection (GDPR) 2016/679, art 5.

personal data is continuously happening in Indonesia, but the government has taken no action to prevent and minimize data leaks in Indonesia. Furthermore, Indonesia does not have a comprehensive regulation regarding personal data protection to date. The current regulations are still sectoral and do not adequately protect personal data, and the Personal Data Protection Bill is still being discussed in the House of Representatives.71 If this situation is allowed to continue without resolution, it will harm constitutional values, considering that Indonesia is a constitutional state as stipulated in Article 1 Paragraph 1 of the 1945 Constitution. A constitutional state is closely related to legal certainty because most constitutional states apply a principle known as "nullum delictum nulla poena sine praevia lege poenali", which means that an act cannot be punished if there is no regulation governing it.72 The other issue is related to how strict the government is in supervising providers when they manage people's personal data, which is intended to prevent the sale of personal data by providers.

2. ANALYSIS

2.1. The Impact of Internet of Things (IoT) on the Indonesian Health Sector

The use of this technology in the health sector aims to increase the efficiency and effectiveness between the patient, medical staff, and healthcare facilities. The Internet of Things (IoT) has revolutionized healthcare by empowering not only medical professionals

72 Sri Rahayu, Implications of the Principle of Legality on Law Enforcement and Justice, 7 Innovative Journal, 1-12 (2014).

71 Sulaeman, Jokowi's Government Rushes to Discuss The Personal Data Protection Bill (2021), available at https://www.merdeka.com/uang/pemerintah-jokowi-kebut-pembahasan-ruu-perlindungan-data-pribadi.html (last visited July 7, 2020).


but also medical devices, opening up wide opportunities in all medical fields, and it will speed up healthcare service, the diagnosis of illnesses, and communication with patients. The Internet of Things (IoT) certainly has changed people's lives: the technology enables constant monitoring of health conditions, and with this technology, the community is able to obtain medical information through devices or the internet.73

In Indonesia, the use of the Internet of Things (IoT) in the health sector is still unequal and can only be accessed in areas with internet connections and well-equipped health facilities. However, the use of the Internet of Things (IoT) in the health sector was started in 2012 by the Ministry of Health and was named "Telemedicine." Telemedicine consists of several items that aid medical examination, such as Tele-ECG to measure blood pressure, Tele-radiology to view radiological results, Tele-USG (simple) to view the digital development of the fetus, and Tele-consultants.74 The examination results are then sent to smartphones, PCs, laptops, and tablets. This allows for greater convenience for medical staff as it enables easier determination of the next medical treatment, as well as the transparency of the results of the patient examination itself.

In medical services, the medical staff hold patient health data which contains personal information, disease diagnosis, medical records, and prescribed drugs. The health data is usually recorded in writing by medical staff, but over time this is not effective given that the number of patients

74 Ministry of Electronic Information and Transaction, Implementation of the Internet of Things for the Health Sector (2016).

73 Oleksandr Gersymov, Internet of Things in Healthcare, (27 February 2020), https://codeit.us/blog/internet-of-things-in-healthcare

is not proportional to the number of medical staff in health facilities. In response to the need to improve the situation, Indonesia has started to implement the Electronic Health Record (EHR). The Electronic Health Record (EHR) is an electronic database consisting of a collection of patient health data and an information system that has a broader framework and fulfills a set of health data functions: it integrates health data from various sources, collects data at health services, and supports service providers in decision making.75 The use of the Electronic Health Record (EHR) has been found to be more effective and efficient in healthcare delivery. Additionally, the use of EHR is advantageous both for patients and medical staff as it reduces medical errors, reduces time spent on test results, accurate diagnosis, and medical interventions, and saves costs from using paper for record-keeping.

Currently, there is a form of Internet of Things (IoT) in the health sector that is being used by the community, one of which is Electronic Health (E-Health). Electronic Health (E-Health) is an online health service used to make appointments or to consult a doctor, obtain medical results, and order medicine.76 Electronic Health (E-Health) aims to facilitate access to health services, improve the quality of health services, and save the cost of health services in health facilities. Currently, there are many types of E-health applications used by the public such as

76 Handryas Prasetya Utomo, Elisatris Gultom, Anita Afriana, Urgention of Legal Protection of Patient Personal Data in Technology-Based Health Service in Indonesia, 8 Galuh Justisi Scientific Journal, 168-185, (2020).

75 Prihartono & Muhamad Fadhil Nurdin, Medical Records and Health Information Based on Information Technology, http://pustaka.unpad.ac.id/wp-content/uploads/2015/12/MEDICAL-RECORDS-AND-HEALTH-INFORMATION-BASED-ON-INFORMATION-TECHNOLOGY.pdf.


consumer informatics, medical informatics, and bioinformatics. However, behind the convenience provided by E-Health there are some usage-related issues, one of which is how strict the security on the E-Health application is, considering that so many cases of data leakage have happened in Indonesia recently.

2.1. The Privacy of Health Data in Indonesia

The patient can be categorized as a consumer in health services at health facilities. Law No.8 of 1999 concerning Consumer Protection in Article 4 describes the rights that can be obtained by patients and the obligations that must be fulfilled by the hospital as a health service provider,77 consisting of:

1. The right to comfort, security, and safety in consuming goods and/or services.

2. The right to choose goods and/or services and to obtain the goods and/or services in accordance with the exchange rates, conditions, and guarantee promised.

3. The right to correct, clear, and honest information regarding the conditions and guarantee of goods and/or services.

4. The right to be heard regarding complaints about the goods and/or services used.

5. The right to get advocacy, consumer protection, and efforts to properly resolve consumer protection disputes.

6. The right to receive consumer guidance and education.

7. The right to be treated or served correctly and honestly and without discrimination.78

77 Andrea Sukmadilaga, Sinta Dewi Rosadi, Legal Efforts On Violation Of Internet Of Things (IoT) Implementation In Health Services According To Provisions Of Personal Data Protection, 21 Journal of the Voice of Justice, 205-221, (2020).

Health data is a set of medical information that is stored and collected in a document and used for diagnosis, medical examination, and medical treatment. Health data is sensitive personal data, which contains several items of private information such as medical examination results, lab results, history of the disease, and list of the drugs.79 Health data is called sensitive data because it contains a lot of information that directly links to patients, which is why health data can only be accessed by the relevant medical staff and must be authorized by the patient. The issue is then whether the privacy of the data we provide is guaranteed, so that it is not used for any action other than that offered, considering that health data contains sensitive information.

According to Black's Law Dictionary, the right to privacy is defined as several protected rights of human freedoms, including government interference or intervention in personal matters, whether it is family matters or how to organize parties with other parties.80 The opinion of Warren and Brandeis in their work entitled "The Right to Privacy" states that privacy is the right to enjoy life and the right to respect one’s feelings and thoughts.81 The right of privacy in Indonesia is implicitly stated in Article 28G of the 1945 Constitution "Everyone has the right to

81 Samuel D. Warren, Louis D. Brandeis, The Right To Privacy, 4 Harvard Law Review, 193-220, (1890).

80 Black Henry Campbell, Black’s Law Dictionary, Fifth Edition, USA, 1979, p. 1075.

79 Ministry of Health Decree No.269 of 2008 on Health Record, art.1.

78 Law No.8 of the Republic of Indonesia (1990), on Consumer Protection, art 4.


personal protection, family, honor, dignity, and property under their control, and are entitled to a sense of security and protection from the threat of fear to do or not do something that is a human right".82

Accordingly, within the realm of personal health data, every person has the right to obtain protection for health data, given that health data contains sensitive information that could pose a threat in the event of a leak. Furthermore, the privacy of health data is one of the patient rights that must be fulfilled by health facilities and medical staff, both during and after medical treatment.

Privacy of health data in Indonesia has been regulated in Law No. 36 of 2009 concerning Health in Article 57, "Every person has the right to the confidentiality of his personal health condition that has been disclosed to the health service provider and the right to claim damages for mistakes or negligence in the health services he receives."83 It is clearly stated that health providers have an obligation to keep health data confidential, and if there is any leakage due to the negligence of health service providers, the patient can sue the health service providers for compensation. Furthermore, Article 38 of Law No. 44 of 2009 concerning hospitals also affirms that health data can only be accessed for the patient's health, requests from law enforcement agencies for law enforcement, and based on statutory provisions.84 We can conclude that the privacy of health data must be well-maintained, and no one can access the patient's health data without the patient's permission and by statutory provisions.

84 Law No. 44 of the Republic of Indonesia (2009), on Hospital, art 38.

83 Law No. 36 of the Republic of Indonesia (2009), on Health, art.57.

82 Undang-Undang Dasar 1945 [UUD 1945] [Constitution] Aug.18,1945, art 28G.

The obligation of medical staff to keep health data confidential is also stated in Minister of Health Decree No.36 of 2012 concerning Medical Secret, in which Article 1 states, "Medical secret is data and information about the health of someone who acquired health personnel at the time of running work or profession."85 and Article 3 regulates that medical secrets include data and information regarding:

a. Patient identity;

b. Patient's health includes the results of the history, physical examination, investigations, diagnosis, and medical treatment; and

c. Other matters concerning the patient.

In the Internet of Things (IoT) era, health data is not only used in public health facilities such as hospitals. Currently, there are many internet providers that provide online health facilities, platforms, and applications that ask not just for our basic personal information but also for our sensitive personal information, such as a history of the disease, allergy, and physical information (height, weight, bust, and thigh circumference). This information is considered the same as the health data used in health facilities because it is related to our physical condition, and not just anyone can get this information.86

Indonesia currently does not have comprehensive regulations both on the protection of health data and personal data.

86 Sinta Dewi Rosadi, Implication of Implementing E-Health Programs Linked to Personal Data Protection, 9 Legal Arena, 403-418, (2017).

85 Ministry of Health Decree No. 36 of the Republic of Indonesia (2012), on Medical Secret, art.1.


But the use of personal data in electronic media has been regulated in Law No.19 of 2016, in which Article 26 Paragraph 1 states, "Unless otherwise stipulated by the Laws and Regulations, the use of any information through electronic media concerning a person's personal data must be carried out with the consent of the person concerned.”87 All the activities related to personal data must be done with the person's permission, and if a violation of the data is found, then the person has the right to file a lawsuit for the losses incurred.

2.3. Health Data Protection in Indonesia

The GDPR divides the regulated legal subjects into two, namely a Personal Data Controller / Controller and a Personal Data Processor / Processor. A controller is a person or legal entity, public authority, private sector, or other body that determines the purpose and means of data processing independently or in collaboration with others.88 In the meantime, a processor is a person or legal entity, public authority, private, or other entity that processes personal data on behalf of the controller. As a result, the existence of a processor is dependent on the decisions made by the controller. Related to the use of the Internet of Things (IoT), the hospital is definitely categorized as a personal data controller because it determines the policy directing data processing, but a hospital is not necessarily a personal data processor because it is possible for the hospital to give this authority to external parties to process data.89 Indonesia has a similar legal subject as in GDPR, which is called Electronic System Operator (ESO). ESO is every Person, state administrator, Business Entity, and the public who provide, manage and/or operate Electronic Systems individually or collectively to Electronic System Users.90

Health data protection in medical activities is stipulated in Article 79 of Law No. 29 of 2004 concerning Medical Practice, "Shall be punished with imprisonment of 1 (one) year or a maximum fine of Rp. 50.000.000,00 (fifty million rupiahs), each a doctor or dentist who deliberately does not fulfill the obligations, the obligation that referred is to keeps everything that doctor, dentist, and medical staff know about the patient, even after the patient has died.”91 Then it can be concluded that doctors, dentists, and medical staff have an obligation to keep the patient data confidential, and if doctors, dentists, and medical staff have been found to not fulfill their obligations, they will be subjected to the section covered under Article 79 of Law Number 29 of 2004. Furthermore, the current issue is how strict the protection of health data is in electronic media or online health providers, considering that many health applications already use health data as a requirement.

Indonesia currently does not have specific regulation governing health data protection in electronic media, and if there is misuse of data then it is adjusted to the provisions in Law No. 11 of 2008 concerning Electronic Information and Technology. Protection of

91 Law No. 29 of the Republic of Indonesia (2004), on Medical Practice, art. 79.

90 Government Regulation No.71 of 2009, art.1 Regulation of the Implementation of Law No. 16 of 2019 on Electronic Information and Technology.

89 Andrea Sukmadilaga, Sinta Dewi Rosadi, Legal Efforts On Violation Of Internet Of Things (IoT) Implementation In Health Services According To Provisions Of Personal Data Protection, 21 Journal of the Voice of Justice, 205-221, (2020).

88 The General Regulation Data Protection (GDPR) 2016/679, art 4.

87 Law No. 19 of the Republic of Indonesia (2016), on Electronic Information and Technology, art 26.


personal data in electronic systems includes protection against the collection, processing, analysis, storage, appearance, announcement, transmission, distribution, and destruction of personal data.92 However, the regulations regarding the protection of personal data are still spread across several separate regulations. One of the regulations that governs personal data protection is contained in Law No. 11 of 2008 in Article 30:93

1. Any person who knowingly and without right or unlawfully accesses other people's computers and/or electronic systems in any way.

2. Any person who knowingly and without right or against the law accesses computers and/or electronic systems in any way to obtain Electronic Information and/or Electronic Documents.

3. Any person who knowingly and without right or unlawfully accesses computers and/or electronic systems in any way by violating, breaking through, bypassing, or breaking into security systems.

Subsequently, if we relate these provisions to the leakage of COVID-19 patient data in June 2020, we can conclude that the perpetrator has committed an act against the law by accessing electronic systems by violating, bypassing, and breaking into the security system, and the perpetrator even distributes and trades the data publicly on the dark web,

93 Law No.11 of the Republic of Indonesia (2008), on Electronic Information and Technology, art.30.

92 Bernadetha Aurelia Oktavira, Legal Basis for Internet User Personal Data Protection, (4 August 2020) https://www.hukumonline.com/klinik/detail/ulasan/lt4f235fec78736/dasar-hukum-perlindungan-data-pribadi-pengguna-internet/.

and of course, the perpetrator's actions have violated the law and disturbed the society.

The appropriate sanctions for perpetrators of the acts described in Article 30 are regulated in Article 46 of Law No.11 of 2008 concerning Electronic Information and Transaction, that is, imprisonment for a maximum of 6 (six) years up to 8 (eight) years and a maximum fine from Rp. 600.000.000,00 (six hundred million rupiahs) up to Rp. 800.000.000,00 (eight hundred million rupiahs).94 The protection of health data by internet providers or health providers is regulated in Minister of Communication and Information Technology Regulation No.20 of 2016 in Article 36, “Every person who obtains, collects, processes, analyzes, stores, displays, announces, sends, and/or disseminates personal data without rights or not following the provisions of this ministerial regulation or other statutory regulations will be subject to administrative sanctions following the provisions of laws.” The administrative sanctions take the form of an oral warning, written warning, temporary suspensions of activities, and announcements on the website online.95

Furthermore, what if there is data leakage caused by a failure of the Electronic System Operator (ESO) to protect the data? The Electronic System Operator (ESO) is obliged to inform the owner of the personal data in writing.96

The failure that is referred to here is the cessation of part or all of the functions of an essential electronic system so that the

96 Government Regulation No.71 of the Republic of Indonesia (2009), Regulation of the Implementation of Law No. 16 of 2019 on Electronic Information and Technology, art.14.

95 Law No.16 of the Republic of Indonesia (2019) on Electronic Information and Technology, art.36.

94 Law No.11 of the Republic of Indonesia (2008), on Electronic Information and Technology, art.46.


electronic system does not function properly.97

One of the factors that often arises in the failure of an Electronic System Operator (ESO) is the escalation of cybercrime. Judging from the type of activity, cybercrime can take the form of hacking, cracking, phishing, identity theft, and so on. The impact of this activity is losses that include personal data leakage, data manipulation, privacy breaches, and system damage.98

The advancement of technology and information, whether in IoT-based application development or other technologies, must be accompanied by comprehensive regulation and also strict oversight by the government. On a global economic level, Indonesia is a country with a strategic position in international trade, including electronic transactions that allow for the greater distribution of personal data in Indonesia.99

The technical standardization of tools and equipment for IoT has been regulated in the Regulation of the Minister of Communication and Information Number 35 of 2015 concerning Technical Requirements for Near Distance Telecommunication Tools and Equipment, but only in the form of an explanation of which components are required to be used, implying that there is insufficient clarity. Related to IoT implementation in the health sector or other fields, the government should strictly monitor both health care facilities and

99 Andrea Sukmadilaga, Sinta Dewi Rosadi, Legal Efforts On Violation Of Internet Of Things (IoT) Implementation In Health Services According To Provisions Of Personal Data Protection, 21 Journal of the Voice of Justice, 205-221, (2020).

98 Jenis, Types Of Cyber Crime And Legal Protection, https://www.legalku.com/jenis-jenis-cyber-crime-dan-perlindungan-hukumnya/.

97 Government Regulation No.71 of the Republic of Indonesia (2009), Regulation of the Implementation of Law No. 16 of 2019 on Electronic Information and Technology, art.24.

electronic system operators (ESO). This supervision can be carried out by the Ministry of Communication and Information or by another institution with a supervisory authority. In terms of data processing, standardization should include not only component devices but also data processing flow and data security.

3. CONCLUSION

The current development of the internet has an impact on various sectors, one of which is the health sector; the use of this technology in the health sector was already started in 2012 by the Ministry of Health under the name Telemedicine. Health data is one of the data that is prone to misuse because it contains important information, starting from the personal information and financial information of the owner of the data, and if there is any leakage or misuse, it will have a profound impact on the victim. Especially at this time, there are numerous cases of data misuse via electronic media. Therefore, a comprehensive regulation is required to address issues relating to this personal data.

Currently, health data has become important because it contains several items of sensitive information related to the patient's condition, such as the history of disease, medical results, and list of drugs used. The misuse of health data has occurred several times in Indonesia, but it seems that it has not been taken seriously by the government, disregarding regulation and data management for internet providers and health providers. The government should strictly monitor both health care facilities and electronic system operators (ESO), and the supervision can be carried out by the Ministry of Communication and Information or by another institution with a supervisory authority.


LEGAL ISSUE ON DATA PROTECTION IN MALAYSIA: A WAY FORWARDS

By Sea Jia Wei

BACKGROUND

‘Cyberspace’ is defined as a virtual computer world, and more accurately, is an electronic medium which is being utilised to create a global computer network to allow and to facilitate online communication.100 Due to the rapid development of technologies, the Internet has been given a hugely unregulated landscape and enormous overseas access to the information of the whole world. In 2019, Malaysia’s Communications and Multimedia Minister announced that the government is currently reviewing the PDPA to ensure it is in line with global developments. The Ministry is keen to incorporate key points of the EU General Data Protection Regulation into the PDPA.101

In dealing with cybercrimes, the role of Internet Service Provider (‘ISP’) should also be considered. ISP refers to a company that provides Internet access to its subscribers. S.43B of Copyright Act 1987 (‘CA1987’) defines the terms ‘service provider’ widely to include both companies that provide access to the Internet and entities that provide facilities

101 Jillian Chia Yan Ping, Malaysia - Data Protection Overview (2021), available at https://www.dataguidance.com/notes/malaysia-data-protection-overview (last visited July 7, 2021).

100 Techopedia, What does Cyberspace Mean? (2020), available at https://www.techopedia.com/definition/2493/cyberspace (last visited July 7, 2021).

for online services.102 The former refers to ISPs such as Digi, Maxis and Celcom, whereas the latter refers to the operators of websites such as Facebook, YouTube and Twitter. In this paper, we will discuss the legal issues of cyberspace and also give recommendations to solve the unsettled legal issues so as to strengthen data protection in Malaysia.

ANALYSIS

Generally, the Malaysian Communications and Multimedia Commission (‘MCMC’) was set up pursuant to the enactment of the Malaysian Communication and Multimedia Act of 1998 (‘CMA1998’). The body acts as a regulator, that is to say, it governs the communications and multimedia industry in Malaysia.103 S.3(3) provides that nothing in the Act shall be taken to permit the censorship of the Internet.104 It is pertinent to note that this section has always been wrongly interpreted by many people. They have the tendency to assume that anyone can say whatever he or she likes

104 Id., §3(3).

103 Act 588 of Malaysia (1998), Malaysian Communication and Multimedia Act 1998.

102 Act 332 of Malaysia (1987), Copyright Act 1987, §43(B).


so long as it is done through the use of the Internet. If past legislations were to be taken into account, then this specific interpretation is not necessarily wrong as the earlier restraint against publication has already been removed. “Earlier restraint” here may be defined as the need to be subjected to censorship or the requirement to obtain a permit.105 However, there are already such laws in place which will be given more scrutiny in the latter part of this discussion. As such, there are several legal problems which are being addressed by the CMA, namely dissemination of obscene and false materials.

First, dissemination of obscene material. To briefly define the term “obscene” in its literal sense, it relates to a narrow category of pornography that goes against contemporary societal standards and has absolutely no artistic, literary or scientific value.106 In addition, the term will be discussed later in its legal sense using the Hicklin test. Basically, pornography on the Internet can be categorised into two: adult pornography as well as child pornography. In relation to this, it is also of paramount importance to identify the possible classes of victims of obscenity. They comprise minors, unsuspecting viewers, women put at risk of violence or discrimination, pornography users, and lastly all of us. The vulnerability of these victims can be traced back to two sources: (i) websites – they collectively serve as a pornography platform; and (ii) the trading of pornography – child or adult pornography.

106 David L. Hudson, Obscenity and pornography (2009) available at https://www.mtsu.edu/first-amendment/article/1004/obscenity-and-pornography (last visited July 7, 2021).

105 B. Singh, Enforcement is key when it comes to the net, The Star Online (2015) available at https://www.thestar.com.my/opinion/columnists/law-for-everyone/2015/08/13/enforcement-is-key-when-it-comes-to-the-net (last visited July 7, 2021).

With regard to the former, the MCMC has already taken some drastic moves by compelling most Internet service providers (ISPs) to block or ban porn websites such as Pornhub, xHamster and Brazzers to name a few. The government’s battle against porn is due to the fact that pornography is becoming a more pressing issue in the nation, affecting mainly children (cases of statutory rape and sexual assaults) and adults (issues of sperm count and fertility due to excessive masturbation). Industry sources also stated that the MCMC blocks approximately 4,000 websites each year.107 In the case of the latter source, it involves the sale of pornography in the form of compact discs (‘CDs’) to customers who are interested. The relevant authorities have also cracked down on these black-market operations. One similarity that can be inferred from both these sources is their objective to obtain profits illegally, considering these operations are cash cows. Nonetheless, there are more serious consequences of the dissemination of pornography to be highlighted such as the loss of human dignity and exploitation of civil rights.

In the case of R v Hicklin108, one Henry Scott resold copies of an anti-Catholic pamphlet entitled “The Confessional Unmasked”. When the pamphlets were ordered to be destroyed, Hicklin, the Recorder, revoked the order of destruction and held that Scott’s purpose had not been to corrupt public morals but to expose problems within the Catholic Church. On appeal, it was held that Scott’s intention was immaterial if the publication was obscene in fact. Here, the

108 Regina v. Hicklin (U.K. Jurisprudence), LR 3 QB 360 (1868).

107 F.S. Nokman, MCMC engages ISPs in battle against porn, NST Online (2015) available at https://www.nst.com.my/news/2015/09/mcmc-engages-isps-battle-against-porn (last visited July 7, 2021).


Hicklin test laid down asks whether the impugned matter tends to deprave and to corrupt a person’s morals. If the matter had a tendency to corrupt and to deprave a person’s morals, the matter is then held to be obscene.109 However, the Hicklin test is not a good test as it is deemed to be very subjective.

The judgement in the case of Mohamed Ibrahim v Public Prosecutor110 is the landmark case that initiates the application of the Hicklin test in Malaysia and has provided for the meaning and scope of the term “obscene” as stated in S.292 of Penal Code (‘PC’). Here, the appellant was charged for possessing 65 copies of an obscene book entitled “Tropic of Cancer” intended for sale. The book consisted of the description of the male lead’s acts of sexual intercourse with numerous prostitutes. The learned Chief Justice applied the Hicklin test in determining whether the tendency of the said book was to deprave and to corrupt those whose minds were open to such immoral influences and into whose hands it might fall. In other words, the purpose of S.292 of PC was to protect the general public, particularly the younger ones who may be tempted to purchase and so expose themselves to the corrupting influence of obscene materials. As such, the appeal was accordingly dismissed.

Apart from the aforementioned laws, there are S.211 as well as S.233 of CMA1998 whose functions are more or less similar to each other. Both these sections provide that any person who posted an offensive content or material must have had the intention to annoy, abuse, threaten or harass another person. The punishment provided by these sections is also

110 (Malaysian Jurisprudence), 29 MLJ 289 (1963).

109 M. Cooray, The ‘tendency to deprave and corrupt morals’ in R v Hicklin and the law of obscenity in Malaysia, 1 M.L.J. 148 (2017) 3-4.

the same whereby a convicted person is liable to a fine not exceeding RM50,000 or to a jail term not exceeding 1 year or to both and shall also be liable to an additional fine of RM1,000 for every day or part of a day during the continuance of the offence after conviction. On top of that, there is also another relevant provision besides S.292 of PC. For instance, S.293 of PC further specifies the former section whereby it makes the sale of any obscene object or document to a person under 20 years of age punishable with a jail term up to 5 years, or with a fine, or with both.111

It is often said that with a change of time, the requirement of law changes. However, Malaysian laws do not seem to keep up with the changing times as the Hicklin test which is rendered obsolete by other countries is still in use by the courts. The Hicklin test has attracted widespread criticism as it not only allowed obscene works to be judged based on isolated passages, but it also focused on particularly susceptible persons rather than reasonable persons. The application of such broad tests has led to the suppression of free expression.

The leading test for obscenity in the US has been laid down in the case of Miller v California112. The court has formulated a three-fold test to replace the Hicklin’s test and the Roth test: (1) whether the average person, applying contemporary community standards would find that the work, taken as a whole, appeals to the prurient interests; (2) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state work; and (3) whether the work, taken as a whole, lacks

112 (U.S. Jurisprudence), 413 U.S. 15 (1973).

111 Act A327 of Malaysia (1976), The Penal Code, as revised by Act 574 (1997).


serious literary, artistic, political, or scientific value. Additionally, in the Australian case of Crowe v Graham113 the court has rejected Hicklin's test and replaced it with a community-standards test which dictates whether the impugned material offends against the modesty of an average man, or the contemporary community standards. Compared to the Hicklin’s test, the courts in US and Australia have adopted an objective approach to deal with obscenity.114

Second, the rapid transmission of information has indirectly encouraged the spreading of false information on the Internet, and this has become a major global concern as the amount of false information in circulation has created confusion among Internet users, misleading many of them to believe false information as true due to its widespread coverage. In Malaysia, the term “fake news” carries the definition of any news, information, data and reports, which is or are wholly or partially false, whether in the form of features, visuals or audio recordings or in any other form capable of suggesting words or ideas.115

Dissemination of false information normally revolves around politics, religion, health and crime in Malaysia and most of the time, it causes a huge impact before it disintegrates with time. For example, a company received a huge financial blow when religious concerns were manipulated to damage their business. The renowned shoe company Bata suffered a loss of more than RM158,000 within the

115 Library of Congress, Initiatives to counter fake news (2020), available at https://www.loc.gov/law/help/fake-news/malaysia.php (last visited July 7, 2021).

114 Australian Law Reform Commission, History of censorship and classification (2011), available at https://www.alrc.gov.au/publication/national-classification-scheme-review-dp-77/2-the-current-classification-scheme/history-of-censorship-and-classification/ (last visited July 7, 2021).

113 (Australian Jurisprudence), 121 CLR 375 (1968).

period of one month, and was forced to take down 70,000 pairs of shoes from 230 branches after false news about them selling shoes with the Arabic word “Allah” on the soles of its shoes broke out.116 Dissemination of false information is detrimental to a country as it may distort people’s perceptions and divert them from the path of truth. In Malaysia, this is in fact used commonly as an incitement tool due to the deteriorating tolerance of the people on religious, racial and sexual orientation issues. Should this issue be left unchecked, then our country will only face a greater peril in the future.

S.233 of the CMA comes in handy when dealing with dissemination of false information as the provision criminalizes the use of network facilities or network services by a person to transmit any communication that is deemed to be, inter alia, false.117 Due to its widely drafted wordings, former Prime Minister Dato’ Seri Najib Tun Razak’s administration favoured this provision as an approach to target political opponents. Nevertheless, the present government has vowed to revise and tighten the scope of this section to prevent further abuse of its ambiguous terms.

The laws in Malaysia seem to have an edge over those in the UK as the CMA1998 is commonly used to tackle cases of dissemination of false information while on the other hand, the UK has no specific provision to do the same. Moreover, the

117 Act 588 of Malaysia (1998), MalaysianCommunication and Multimedia Act 1998, §233.

116 M. Mohd Yatid, Truth tampering through social media: Malaysia’s approach in fighting disinformation & misinformation, 2 IKAT 2 (2019), available at https://www.researchgate.net/publication/330450786_Truth_Tampering_Through_Social_Media_Malaysia's_Approach_in_Fighting_Disinformation_Misinformation (last visited July 7, 2021).


MCMC is entrusted with legal powers to enforce laws specifically related to fake news. It has been reported that MCMC opened 40 investigating papers related to fake news in 2017 and 4 cases even reached the court of law for adjudication.118 In comparison, the UK has communication regulators like Ofcom which regulate broadcast media and the Independent Press Standards Organisation (IPSO) and Impress which regulate online and offline newspapers, but none of these regulators are vested with legal powers thus no significant action has been taken to deal with the dissemination of false information.119

Besides, copyright protection in Malaysia is governed by the CA1987. CA punishes any unauthorised access to or dissemination of protected works. S.7 of CA1987 states that the works such as literary works, musical works, artistic works, films, sound recordings and broadcasts are eligible for copyright. However, in order for literary, musical or artistic work to be eligible for copyright, there must be sufficient effort and the work must be reduced into material form. All these works shall be protected regardless of their quality and purpose. There are two types of copyright infringement under S.36 of CA1987, that is, direct infringement and indirect infringement. Direct infringement occurs when someone does an act which is deemed to infringe the rights of the owner and these acts are done without the licence of

119 G. Moir, Regulation of online falsehoods: ‘Fake news' – The UK, Singapore And Europe (2019), available at http://www.mondaq.com/uk/x/808480/Media+Entertainment+Law/Regulation+Of+Online+Falsehoods+Fake+News+The+UK+Singapore+And+Europe (last visited July 7, 2021).

118 K. Buchanan, Initiatives to counter fake news (2019), available at https://www.loc.gov/law/help/fake-news/malaysia.php#_ftn52 (last visited July 7, 2021).

the owner. On the other hand, the examples of indirect infringement are stated under S.36(2), that is, selling, distributing or exhibiting the article in the public without the consent of the owner of the copyright. In order to amount to copyright infringement, a whole or substantial part of the copyrighted work must be copied. In Autodesk Inc v Dyason120, the defendant had infringed copyright in the ‘Autocad’ that was owned by the plaintiff by cracking the code and reproducing a substantial part of the program, ‘Autokey’, in the device.

One of the critical issues that has been raised is whether the Internet user’s act of copying the author’s works constitutes an infringement of the author’s copyright.121 By comparing Malaysian legislation with US legislation on the right of reproduction of a work in cyberspace, the laws seem to be better in the US. This is because it is easier for the copyright owner to prove that the copyright over software has been infringed. In Games Corporation v Nintendo of America Inc122, the court held that even though only limited copyright protection was provided for certain works, verbatim copying would still amount to an infringement. This statement signifies and emphasises two important points: there will be no impediments for the plaintiff to prove that the two works are ‘substantially similar’ in an internet copyright infringement, and this test might be reduced to a virtual nullity in cases of verbatim software copying. Besides, with regards to public performance

122 (U.S. Jurisprudence, Court of Appeals) 975 F.2d, 832 (1992).

121 N. Ahmad, Copyright protection in cyberspace: A critical study with reference to Electronic Copyright Management Systems (ECMS) in COMMUNICATIONS OF THE IBIMA (2009), 7, available at https://ibimapublishing.com/articles/CIBIMA/2009/873738/873738.pdf (last visited July 7, 2021).

120 (Australian Jurisprudence), HCA 2; 173 CLR 330 (1992).


and display rights of computer software, the term ‘display’ is not defined under US legislation. By referring to the terms ‘public performance’ and ‘communication to the public’, if one displays the computer software or the operation of the computer software over the Internet, it will be deemed to display to the public and this amounts to a violation of the right of the copyright owner under the statute. US legislation can be one of the good references for us to improve our provision and reduce loopholes in our law.

Lastly, there is the issue of privacy based on the Personal Data Protection Act 2010 (PDPA).123 Personal information of a person may be obtained through the Internet in order to obtain exploitation or benefit. Internet users may be exposed to danger of violation of their privacy right as cyberspace seems to reach everyone and become increasingly sophisticated.124 More legal issues will arise due to the increasing amount of people engaging online by interacting in aspects regarding social, economic and even political issues. For instance, one may face the risk of their email addresses, banking passwords, hand phone numbers, physical addresses being exposed to others including undesired marketers, hackers or even scammers.125 The legal issue of privacy in cyberspace is said to be a subset of data privacy in the larger world. It involves personal privacy covering storage, collection, repurposing, use as well

125 Thomson Reuters, Internet privacy laws revealed - how your personal information is protected online (2015) available at https://legal.thomsonreuters.com/en/insights/articles/how-your-personal-information-is-protected-online (last visited July 7, 2021).

124 Mark S. Kende. The issue of email privacy and cyberspace personal jurisdiction (2002), available at https://scholarship.law.umt.edu/cgi/viewcontent.cgi?article=2251&context=mlr (last visited July 7, 2021).

123 Act 709 of Malaysia (2010), Personal Data Protection Act 2010, §233.

as display of personal information via the Internet generally.126 Privacy in cyberspace pertains to exposure of personal information on the Internet either through sharing of data, collection of data, cyber security threat and tracking as well.127 There are many issues relating to attempts to invade one’s privacy in cyberspace by stealing one’s identity as well as monetary assets. Furthermore, they may be subjected to Internet attacks and software which is harmful. Crimes such as phishing, spyware, web bugs and others are an intrusion to the privacy of Internet users. For example, web bugs are often placed in email or webpages to track views of a person’s online activity with the objective to learn passwords of the person while phishing involves the process of attempting to obtain names, passwords, banking information of users through targeted attacks.128 Thus, establishment of laws and regulations with the purpose to protect privacy as well as data of Internet users is of utmost importance especially in modern day as cyberspace reaches enormous amounts of people. The recognition of right to privacy can be seen in the case named Campbell v. MGN Limited129

where the judgement of the court stated that misuse of personal and private information was established when Mirror newspaper published articles in regard to a famous model

129 (U.K. Jurisprudence), UKHL 22 (2004).

128 Jose Rivera, Cyberspace Law (2019), available at https://www.legalmatch.com/law-library/article/cyberspace-law.html (last visited July 7, 2021).

127 Thomson Reuters, Internet privacy laws revealed - how your personal information is protected online (2015) available at https://legal.thomsonreuters.com/en/insights/articles/how-your-personal-information-is-protected-online (last visited July 7, 2021).

126 Anne Meredith Fulton, Cyberspace and the Internet: Who Will Be The Privacy Police?, (2018), available at https://scholarship.law.edu/cgi/viewcontent.cgi?article=1033&context=commlaw (last visited July 7, 2021).


attendance at Narcotics Anonymous meetings as well as her efforts to solve the problem of addiction to drugs and drinks. It shows that this tort basically aims to protect information which is considered private. Individual’s privacy should be respected.130

In Malaysia, the Personal Data Protection Act 2010 (PDPA) is an Act gazetted in June 2010 with the purpose of regulating and protecting personal data regarding commercial transactions.131 It is a legislation that mainly governs data protection. Data generally means information. Personal data generally refers to data about identification of individuals or any information which other organizations can access. It can be a term relating to specific information that includes private details of a person such as names, address, telephone numbers and others.132 In relation to Section 2(1) of PDPA 2010,133 it provides application of such Act to the persons who process, control as well as authorize processing of personal data. There are three parties involved in obligations in respect to data which is considered as private and personal including data users, data processors as well as data subject. Data user is also known as a controller which has been defined as any individual who controls or authorizes processing personal data. If we see from another perspective, a data processor means an individual who processes data on behalf of the data users. Processing of data is not for

133 Id., at §2(1).

132 Act 709 of Malaysia (2010), Personal Data Protection Act 2010, §4.

131 Glenda Eng Hui Sian, Personal Data Protection Act 2010 (PDPA) (2013), available at https://www.pwc.com/my/en/services/assurance/pdpa.html (last visited July 7, 2021).

130 Foong Cheng Leong, Right to Privacy in Malaysia: Do we have it? (2011) available at https://www.loyarburok.com/2011/02/21/right-to-privacy-in-malaysia-do-we-have-it/ (last visited July 7, 2021).

his or her own purpose while data subject means individual who is considered as subject of personal data.134

According to Section 5(1) of PDPA 2010, a fine of RM 300 000 or imprisonment for a maximum term of 2 years will be imposed on data users if the Personal Data Protection Principles stated under Section 6 to 12 of such Act are not complied with when processing personal data. Section 6 of such Act provides general principles where processing of personal data requires consent unless it falls under Section 6(2) where processing is necessary for various conditions including to perform the contract, administer justice, protect data subject’s interest and others. On the other hand, Section 7 of PDPA 2010 requires data users to notify data subjects about the objective of data being collected as well as the right to request access to such data. This is known as the notice and choice principle. Protection of personal data can be seen from Section 8 of such Act which provides the disclosure principle. This provision states that personal data cannot be disclosed in absence of approval of the data subject. On the other hand, the Security Principle is provided in Section 9 of such Act where it provides practical steps that should be used by data users for the purpose of protecting personal data from modification, loss, alteration and others. Moreover, Section 10 and Section 11 of such Act provide the retention and data integrity principles. Retention principle provides that reasonable steps should be taken so that accuracy can be ensured and current data may be maintained for the purpose it was collected for. The last data protection principle is provided in Section 12 of PDPA 2010, that is, the access

134 Deepak Phillai, Malaysia: Data Protection (2019), available at https://iclg.com/practice-areas/data-protection-laws-and-regulations/malaysia (last visited July 7, 2021).


principle where power to correct as well as access to such personal data is given to the data subject.135 There are some exemptions from Data Protection Principles which are expressly stated in Section 45 and 46 of PDPA 2010. Exemptions for objectives of personal, family or household affairs of individuals including recreational purposes are provided in Section 45 while Section 46 of such Act gives power to the Minister in order to make further exemptions upon recommendation of Commissioners.136

Furthermore, Section 34 of PDPA 2010 states the right of correcting personal data where the data is inaccurate and incomplete as well as misleading. Section 35 of such Act provides certain data correction requests that need to be complied with. On the other hand, Section 36 of such Act states circumstances where data users refuse to comply with it. Where a data user refuses to comply with it, notification of refusal to comply with data access request should be issued by him under Section 37 of such Act.137

CONCLUSIONS

The vast development in cyberspace had led to several negative legal implications to the users and despite laws and regulations being specifically made to curb such issues, unfortunately it was able to solve the matters only to a certain extent as the laws and regulations by itself have some loopholes and flaws within it. To this date, issues which are often deemed as the tip of the iceberg have been taken into consideration and solved but

137 Id.

136 Act 709 of Malaysia (2010), Personal Data Protection Act 2010.

135 Yong Shih Han, Malaysia: Data Protection (2019), available at https://iclg.com/practice-areas/data-protection-laws-and-regulations/malaysia (last visited July 7, 2021).

there are more underlying issues which are yet to be resolved on whole due to its complexity in nature. As such, more concerns have to be given by relevant authorities as well as the users of cyberspace to legal issues discussed earlier such as the unresolved copyright infringement and the liability of Internet Service Provider (ISP), concerns on privacy as well as obscenity.

The threat to copyright since the emergence of digital technology, especially the Internet, has been a persistent issue till date and no decisive solution has been taken to curb this issue overall. As per the survey conducted by Raven’s site auditor over 200 million Internet pages from the year 2013 till 2015, 29% of the pages are a copy of another138 and this figure is expected to only increase as not all netizens are aware that the Internet isn’t a public domain overall and there are several contents which are protected under the copyright law. The indications that the site is protected under copyright law often can be seen under the headings such as “term of use” and “copyright” but this leads to the question on how many people actually take initiative to notice those and abide by the copyright law? Studies clearly established that in fact the majority of netizens tend to skip those and this can be seen in the experiment conducted by two professors where they made several students sign up for the fake social network called “Namedrop” and hundreds of them signed up without realizing the existence of a clause in the terms and conditions which states they must name their first child as Namedrop139. This is

139 David Berreby, Click To Agree With What? No One Reads Terms Of Service, Studies Confirm. The

138 Neil Patel, How To Deal With Duplicate Content Issues (Including Those Created By Your CMS), available at https://neilpatel.com/blog/how-to-deal-with-duplicate-content-issues-including-those-created-by-your-cms/ (last visited July 7, 2021).


the harsh reality of netizens today where the tendency to neglect the existence of copyright in a particular site is huge.

To overcome the problem stated earlier, merely enforcing the copyright laws in Malaysia wouldn’t be sufficient if the Internet users are not even aware or perhaps neglect the existence of previous laws to protect the Internet sites. Thus before taking into the consideration of enforcing the laws, steps needed to be taken to change the mindset of the netizen overall. The ideal suggestion will be to modify the websites to alert the Internet users that their site and the materials they publish are being protected by copyright laws of the respective countries. Just like “pop-up advertisement”, a similar concept can be used to alert the users on the importance of not duplicating the protected sites whenever the Internet users access the website. Certain people may argue that the use of “ad blocker” software can prevent the users from seeing the notice but that argument can be rebutted since some websites are designed in a way that it can only be accessed if the ad blocker software is inactive. The usage of ad-blocker software is indeed legal and this was established in the regional court of Hamburg, Germany where a couple of publishers were not satisfied with the existence of a software called “Adblock Plus”. However, using such software will indeed turn illegal if the creator of the sites decides to come up with access-control technologies to prevent the Internet users with ad block software from accessing the copyrighted materials in their website without the accompanying advertisement140. Under

140 Ben Williams, 'Are Ad Blocker Programs Illegal For You To Use?', Adblock Plus/WhatIsMyIPAddress,

Guardian (2017), available at https://www.theguardian.com/technology/2017/mar/03/terms-of-service-online-contracts-fine-print (last visited July 7, 2021).

section 36A of Copyright Act (CA) 1987 141, circumvention of access control is prohibited thus it will be an offence if ad blocker is used when accessing the site which is built with access-control technologies.

If the Internet users still hesitate or fail to comply with the copyright laws despite being alerted multiple times then the court would have no second thought to find the users since a reasonable man wouldn’t be doing an illegal action after being alerted multiple times. When more cases emerge, the public will be more aware of the importance of copyright law in protecting internet sites and materials. Another solution to be looked upon is whether copyright holders can opt to sue the ISP which holds indirect liability to allow infringement of copyright to occur instead of suing individual Internet users who infringed the copyright. The drawback of applying this solution in Malaysia is that section 36(1) of the CA 1987 142 is vague in nature where the literal interpretation of the words in the provision only leads to vicarious liability and nothing more than that. Even the doctrine of vicarious liability under section 36(1) of the CA 1987 is complicated where “full knowledge” from the defendant’s side must be established according to the case of Television Broadcasts Ltd & Ors v Mandarin Video Holdings Sdn Bhd143

unlike US doctrine of vicarious liability where the defendant’s knowledge of infringement is immaterial. The theories of contributory and inducement liability are not adopted by the courts in Malaysia which lessens the scope of holding the particular firm which infringes copyright to be liable. Malaysian courts should

143 (Malaysian Jurisprudence), 1 LNS 32 HC (1983).

142 Id., §36(1).

141 Act 332 of Malaysia (2010), Copyright Act 1987, §36A.

available at https://whatismyipaddress.com/ad-blocker-legal (last visited July 7, 2021).


start adopting the overall secondary liability theories of the US and amend section 36(1) of the CA 1987 in order to expressly allow the courts to use such theories instead of relying on the literal approach of the word ‘cause’ in that provision.

When it comes to the protection of data privacy, mere reliance on the Personal Data Protection Act 2010 is not sufficient to curb this issue overall as the Act only protects personal data which are used for commercial purpose and there are no provisions that specifically address the issue of online privacy144. Another flaw which can be traced in the Personal Data Protection Act 2010 is the existence of section 3(2)145 which expressly states that the Act does not apply if the personal data is processed outside Malaysia. As the cyberspace is global in nature and it is ever expanding beyond the concept of borders, such provision can provide a getaway for Malaysia to be a victim of large scale exploitation of online private data. As such, Malaysia should adopt a new set of laws and amend the already existing laws to protect their own netizens from being a victim of invasion of privacy. Inspiration to create new sets of laws in Malaysia can be taken from several developed countries such as the US, Canada and Australia where they have their own specific laws to govern online privacy. In US, there are numerous federal and state laws implemented to protect Internet privacy such as the “Children’s Online Privacy Protection Act 1998” which requires several websites and ISP to obtain verifiable parental consent prior to the collection, use or disclosure of personal

145 Act 709 of Malaysia (2010), Personal Data Protection Act 2010, §3(2).

144 Naufal Fauzi, (NST Online, 2019). 'Data Privacy Laws: Malaysia Has A Long Way To Go'. Retrieved from https://www.nst.com.my/opinion/columnists/2019/02/459321/data-privacy-laws-malaysia-has-long-way-go.

information given by the minors146. Meanwhile Canada’s “Digital Privacy Act 2015” brought numerous amendments to the already existing “Personal Information Protection and Electronic Documents Act (PIPEDA)” such as the addition of what generally constitutes valid consent for the collection, use, or disclosure of personal information and the introduction of mandatory data breach notification requirements147. The Prime Minister of Canada had also delivered a mandate letter to the Minister of Innovation, Science and Industry recently in order to establish a new set of rights for online users including the right to data portability or privacy. Meanwhile the Privacy Act 1988 provides provisions for the protection of personal information and other forms of data protection for online users in Australia148.

When it comes to obscenity, the main concern arises from the fact that obscene materials can still be viewed using “Virtual Private Network” (VPN) despite the Malaysian Communications and Multimedia Commission (MCMC) having blocked several sites which explicitly provide obscene materials149 such as pornography. As such, it is

149 S. Matdura, Are Vpns Illegal In Malaysia? (2019), available at https://asklegal.my/p/VPN-malaysia-legal-MCMC-restrictions-illegal (last visited July 7, 2021).

148 Kelly Buchanan, Online Privacy Law: Australia, Law Library of Congress (2017) available at https://www.loc.gov/law/help/online-privacy-law/2012/australia.php (last visited July 7, 2021).

147 Tariq Ahmad, Online Privacy Law: Canada, Law Library of Congress (2017) available at https://www.loc.gov/law/help/online-privacy-law/2017/canada.php (last visited July 7, 2021).

146 Thomson Reuters, Internet Privacy Laws Revealed - How Your Personal Information Is Protected Online, available at https://legal.thomsonreuters.com/en/insights/articles/how-your-personal-information-is-protected-online (last visited July 7, 2021).


essential for Malaysia to follow the footsteps of China in banning the use of unauthorized VPNs to prevent the netizen from accessing obscene materials including child pornography.

In conclusion, cyberlaw is any law that applies to internet-related technologies, and is one of the legal system's newest fields. The reason is because Internet technology is evolving at such a fast pace. Cyber law provides legal protections for internet users. This includes corporations as well as people of everyday life. Thus, learning cyber law is vital to anyone who uses the internet. Although we do not have a standalone cyber security law in Malaysia, there is a range of sporadic laws to combat cybercrimes in this region. This includes Computer Crimes Act 1997, Communications and Multimedia Act 1998, Penal Code, Copyright Act 1987, Personal Data Protection Act 2010, Sedition Act 1948, case laws and other policies guidelines. In conclusion, by looking at technological advancement nowadays, sufficient methods and regulation to data protection and to safeguard against the essential privacy right is inevitably important without taking into account whether the status is consciously abandoned or not.


ANALYSIS OF THE PLANNED PERSONAL DATA PROTECTION LAW OF INDONESIA, ARTICLE 54 PARAGRAPH (2)

By Muhammad Ardiansyah Arifin

BACKGROUND

Indonesia has planned to promulgate the Personal Data Protection Law (RUU PDP) with the latest draft dated January 2020.150

Article 54(2) stated ‘Every person is prohibited from selling or buying personal data’. RUU PDP contains criminal sanctions for its violators. For the violation of Article 54(2) a quo the sanction is stated in Article 64(2) where violators could be convicted with a maximum of 5 (five) years of imprisonment or a maximum fine of Rp50.000.000.000 (fifty billion) rupiah.151

However, in the elucidation of Article 54(2), it

151 Wahyunanda Kusuma Pertiwi, RUU PDP, Ancaman Denda Puluhan Miliar Menanti Penjual dan Pemalsu Data Pribadi Halaman all - Kompas.com KOMPAS.com (2020), available at https://tekno.kompas.com/read/2020/01/30/11395917/ruu-pdp-ancaman-denda-puluhan-miliar-menanti-penjual-dan-pemalsu-data-pribadi?page=all (last visited Jan 31, 2021).

150 Ferdinandus Setu, Siaran Pers No.15/HM/KOMINFO/01/2020 Tentang Presiden Serahkan Naskah RUU PDP ke DPR RI Website Resmi Kementerian Komunikasi dan Informatika RI (2020), available at https://kominfo.go.id/content/detail/24039/siaran-pers-no-15hmkominfo012020-tentang-presiden-serahkan-naskah-ruu-pdp-ke-dpr-ri/0/siaran_pers (last visited Jan 31, 2021).

is stated that buying or selling prohibition does not include ‘monetization’. This implies that ‘monetization’ of personal data is allowed. However, the article does not elaborate on the threshold of monetization that is allowed under the elucidation of Article 54(2). As the sanction is severe, a threshold to define the allowed ‘monetization’ is needed. This article will try to explain the threshold of allowed monetization under RUU PDP with hopes that such a threshold will be taken into account in the promulgation process of RUU PDP. The research method used in this article is qualitative research using secondary data including primary legal sources, secondary legal sources, and other relevant online and offline sources.

ANALYSIS

The RUU PDP is a law under promulgation to answer society’s concern about the lack of comprehensive regulation regarding personal data protection. Therefore, because the law is not yet in force, it is classified as ius constituendum that is a law that is hoped to be promulgated or a law that would be enacted in the future.152 The need for RUU PDP is

152 Tri Jata Ayu Pramesti, Ulasan lengkap : Arti Ius Constitutum dan Ius Constituendum, Hukumonline.com (2015), available at https://www.hukumonline.com/klinik/detail/ulasan/lt


caused by several factors. The current existing regulations (a) are uncodified;153 (b) provide unequal protection because of their sectoral limitation nature; and (c) are obsolete because other 130 countries already have personal data protection law.154

There are concerns about the current draft of RUU PDP such as the importance of an independent oversight committee that is currently absent from the draft,155 and the potential for the law to be a tool for state surveillance.156 In contrast, concerns about the absence of monetization thresholds for personal data are overlooked. This is important because the definition of ‘monetize’ is absent from state law and the definition of ‘monetize’ according to Investopedia is “the process of turning a non-revenue-generating item into cash, essentially liquidating an asset or object into legal tender”.157 This could lead to an implication that all other monetization

157 AKHILESH GANTI, Monetize Definition, Investopedia (2020), available at https://www.investopedia.com/terms/m/monetize.asp (last visited Feb 1, 2021).

156 Dani Prabowo, RUU PDP Berpotensi Jadi Alat Negara Intai Warga, Kompas, July 29, 2020, available at https://nasional.kompas.com/read/2020/07/29/13555981/ruu-pdp-berpotensi-jadi-alat-negara-intai-warga (last visited Feb 1, 2021).

155 Knowledge Sector Initiative, Mendesaknya Regulasi Pelindungan Data Pribadi yang Kompherensif - Wawasan | Knowledge Sector Initiative (KSI), Knowledge Sector Initiative (2020), available at https://www.ksi-indonesia.org/id/insights/detail/1292-mendesaknya-regulasi-pelindungan-data-pribadi-yang-kompherensif (last visited Feb 1, 2021).

154 Jawahir Gustav Rizal, Apa Itu RUU Pelindungan Data Pribadi? Halaman all - Kompas.com, Kompas (2020), available at https://www.kompas.com/tren/read/2020/11/09/184724165/apa-itu-ruu-pelindungan-data-pribadi?page=all (last visited Feb 1, 2021).

153 Glenn Wijaya, PELINDUNGAN DATA PRIBADI DI INDONESIA: IUS CONSTITUTUM DAN IUS CONSTITUENDUM, XIX LAW Rev. 326–361 (2020).

56777c031ec1c/arti-ius-constitutum-dan-ius-constituendum/ (last visited Feb 27, 2021).

activities are allowed as long as the data is not directly bought and sold.

To answer the question upon monetization threshold, this article seeks to answer: The thresholds of monetization allowed under Article 54(2) elucidation. The analysis of this question shall include explanations. First, on the types of personal data monetization, the article will explain the varieties of personal data used for monetization by private parties in Indonesia. Second, the limits of monetization will explain personal data that could not be monetized by parties in Indonesia. Finally, real-life examples will include case studies of personal data monetization in Indonesia's private sector.

Types of Personal Data Monetization

Before we discuss the types of personal data monetization, first we shall discuss the scope of personal data in Indonesia and how personal data could be monetized. According to Government Regulation Number 71 of the Year 2019 (PP no. 71/2019) Article 1(29), Personal Data is any data about a person that is identified and/or could be identified on its own or when the data is combined with other information directly or indirectly by electronic and/or non-electronic means.

The protection of personal data is guaranteed by the Indonesian Constitution 1945 post amendment 2002 (UUD 1945), and national law or Undang-Undang (UU) from which the Government Regulation was based. The UUD 1945 Article 28G(1) states that “Each person is entitled to the protection of self, his family, honor, dignity, the property he owns and has the right to feel secure and to be protected against threats from fear to do or not to do something that is part of basic rights”. Although not explicitly mentioned in the constitution, personal data is part of basic


rights. This is shown in UU No. 19/2016 on Electronic Information and Transaction Law (EIT Law) Article 26(1) which in summary states that unless provided by regulations, the use of any information through electronic media must be made with the consent of the person whose personal data is used.158

On how personal data is monetized, private companies use such data to cut down costs of marketing by using a large amount of personal data to find out the preferences of the public to formulate marketing strategies, by buying such data from its providers.159 This industry has profited in millions of dollars.160 The providers of the data could be in the form of data vendors that are an organization or individual who in some ways have the right over the data and offer it to others for a price or free in a data marketplace which is a place in a digital platform where data products are traded or closed platforms for bilateral exchange.161

However, not all companies bring the required data from the market, those who have the means such as Google and Facebook among others will offer digital goods and/or services for free in return for personal data.162 It is an effective marketing strategy with Facebook managing to gather advertising revenue of

162 C.Y. LI Wendy, Makoto Nirei & Kazufumi Yamana,Value of Data: There Is No Such Thing as a Free Lunch inDigital Economy, in Research Institute of Economy,Trade and Industry (RIETI) (2018), 3, available athttps://www.bea.gov/system/files/papers/20190220ValueofDataLiNireiYamanaforBEAworkingpaper.pdf.

161 Markus Spiekermann, Data Marketplaces: Trends andMonetisation of Data Goods, 54 Intereconomics 208–216(2019), 210.

160 Id.

159 Edmon Makarim, Pengantar Hukum TelematikaSuatu Kompilasi Kajian. 185. (1 ed. 2020).

158 Dewa Gede Sudika Mangku et al., THEPERSONAL DATA PROTECTION OF INTERNETUSERS IN INDONESIA, 56 J. SOUTHWESTJIAOTONG Univ. 203–209 (2021).

USD 39.9 billion from their business modelof providing free social media services tousers in exchange for data collected from theirusers that will be licensed to third parties.163

From the scope of personal data, and from the example on how data could be monetized, we could narrow the types of personal data collected by private parties used for such purposes. Namely, personal data information could be used to predict customer preferences based on criteria set by each data controller such as gender, name, nationality, search preferences, profession, and/or other data that could be procured based on their needs.

For example, a shopping platform will use ‘cookies’ which is a tool that is stored in a visitor/customer hardware when said person is using the shopping platform. The ‘cookies’ will collect information about what the person did on the shopping platform, such as what are that person's search preferences, credit card, and visited webpages among others.164

The information collected by the cookies should not personally identify the person using the platform, but given the fact that a person most likely must register into the shopping platform before being able to make a purchase, the online registration added with the stored ‘cookies’ would allow a person’s specific digital profile to be built.165

Limits of Personal Data Monetization

Indonesia has limits on what data could be disclosed for monetization and what is not. We shall discuss the actions that are needed to be taken by private actors before they could disclose personal data for monetization, and the limit of such monetization. Currently, several regulations in Indonesia regulate personal data, which consist of UU No. 11/2008 EIT Law amended by UU No. 19/2016 EIT Law, Government Regulation No. 82/2012 on Operation of Electronic and Transaction Systems and its complementary Government Regulation No. 71/2019 on Operation of Electronic and Transaction Systems, and Ministry of Communication and Information Regulation No. 20/2016 on Personal Data Protection in Electronic System.166

163 Op cit. C.Y. LI Wendy, Makoto Nirei & Kazufumi Yamana. P.3-4

164 Op cit. Edmon Makarim. P. 185.

165 Op cit. Edmon Makarim. P. 186.

Article 26(1) of EIT Law 2016 states that every information used from electronic media about personal data must first obtain the person’s consent unless stated otherwise by law, else the owner of the personal data could file a claim against the person using his/her data according to Article 26(2) of EIT Law 2016.167 This is echoed in Article 15(1)c of Government Regulation No. 82/2012 where consent must be given when the data is processed.168 The activities of data ‘process’ are elaborated under Article 14(2) of Government Regulation No. 71/2019 which includes the collection, analysis, storage, repair, and revision, showing, announcing, transfer, publication, revelation, erasure, and/or destruction.169

166 Ridha Aditya Nugraha, Perlindungan Data Pribadi dan Privasi Penumpang Maskapai Penerbangan pada Era Big Data, 30 Mimb. Huk. - Fak. Huk. Univ. Gadjah Mada 262 (2018), 273; note that the list mentioned in the journal is complemented with author knowledge over new regulations in present time.

167 Undang-Undang Republik Indonesia Nomor 19 Tahun 2016 Tentang Perubahan Atas Undang-Undang Nomor 11 Tahun 2008 Tentang Informasi Dan Transaksi Elektronik (Lembaran Negara Republik Indonesia Tahun 2016 Nomor 251), art 26(1-3).

168 Peraturan Pemerintah Republik Indonesia Nomor 82 Tahun 2012 Tentang Penyelenggaraan Sistem dan Transaksi Elektronik (Lembaran Negara Republik Indonesia Tahun 2012 Nomor 189), art. 15(1)(c).

169 Peraturan Pemerintah Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem dan Transaksi Elektronik (Lembaran Negara Republik Indonesia Tahun 2019 Nomor 185), art. 14(2).

Furthermore, aside from consent, there are additional requirements in the process of personal data. Article 14(4) states the requirements.170 (a) The process must fulfill its contractual obligations in obtaining the data; (b) The fulfillment of obligations must be under the law; (c) The vital interest of the data owner must be fulfilled; (d) data controller must fulfill its authority following the law; (e) The data controller must comply with the public interest; (f) Data controller must fulfill other interests that could arise from the data owner.

Therefore, before a data controller could begin the process to monetize personal data, it must obtain consent from the data owner, and fulfill additional obligations stated in the articles. It is important to note that the January 2020 draft of the RUU PDP will differentiate between general and specific data. It is currently not clear how such differentiation will affect the public, however specific data may be more regulated compared to general data.

Examples of Personal Data Monetization Practice

There are transactions about personal data even before the RUU PDP promulgation. Even now, the monetization of personal data is still lacking a legal framework for countries around the globe, making trading data a risky endeavor.171 Indonesia has cases of data monetization. This section will elaborate on legal data monetization and illegal data monetization.

170 Op cit. art.14(4).

171 Markus Spiekermann, Data Marketplaces: Trends and Monetisation of Data Goods, 54 Intereconomics 208–216 (2019), 214.

Legal data monetization is done in compliance with the law mentioned in the second section on the limits of personal data monetization. It is often obtained by making customers or visitors accept terms of use (also known as terms and conditions) and privacy policy. A good privacy policy contains information about what information is collected from visitors and customers, how the information collection is conducted, how the information is used, to whom the information will be shared, options for data owners to vary the collection process, security procedure for protection against loss and misuse of information under the control of the data controller, and procedure to correct inaccurate information.172

A case example of lawful data controllers is Tokopedia,173 Rumah123, and Bukalapak among others.174 This is because all of such entities have fulfilled the thresholds of the good privacy policy mentioned in the previous paragraph, from how the information is collected to the procedure to correct inaccurate information.

There are cases where data controllers did not meet the good privacy policy threshold. For example, BolehMail.com tried to waive its responsibility for their collected data by announcing that it could not be claimed against resulting from negligence.175 While such a waiver is inadmissible because it contradicts the law, such statements could mislead the general public. A worse case example is glodokshop.com, which did not have a privacy policy on their site despite processing their customers’ data.176

172 Op cit. Edmon Makarim, 194.

173 Tokopedia, Term & Condition | Tokopedia, Tokopedia (2021), available at https://www.tokopedia.com/privacy#pengguna-transparansi (last visited Feb 28, 2021).

174 Rumah123, Privacy Policy, Rumah123 (2020), https://www.rumah123.com/en/privacy-policy/ (last visited Feb 28, 2021); Bukalapak, Kebijakan Privasi, Bukalapak (2020) available at https://www.bukalapak.com/privacy (last visited Feb 28, 2021).

175 Op Cit. Edmon Makarim, 195.

From these examples, the practice of data monetization in Indonesia is within the framework of the law, although there are cases of non-compliance caused by either the lack of knowledge or awareness about the value of personal data. It is important to note that none of the previous examples are about direct data selling that could be outlawed when RUU PDP is promulgated because of the lack of data regarding this in Indonesia legally.

On the other hand, cases of direct selling of personal data that happens illegally have existed. One example is the case where, in 2019, Kompas investigated that data regarding bank clients are sold by marketing personnel for hundreds of thousand rupiahs a bulk.177 Another example is when a hacker is selling 15 million raw data stolen from Tokopedia in an online forum in 2020.178

CONCLUSION

Based on the analysis, there are thresholds of personal data monetization that are allowed under Article 54(2) and its elucidation based on current practices by private actors which are licensing personal data while a form of monetization that is not allowed is to directly buy and/or sell the personal data. However, due care before conducting monetization is needed to avoid possible indictment of criminal sanction when RUU PDP comes into force, as there might be more rigid implementing regulation concerning the processing of data.

176 Id., at 194-195.

177 Kompas, Data Pribadi Dijual Bebas, dari Gaji hingga Info Kemampuan Finansial Halaman all - Kompas.com, Kompas (2019), available at https://money.kompas.com/read/2019/05/13/081753626/data-pribadi-dijual-bebas-dari-gaji-hingga-info-kemampuan-finansial?page=all#page2 (last visited Feb 28, 2021).

178 Sorta Tobing, Mengenal RaidForums, Forum Hacker Tempat Jual-Beli Data yang Bocor - E-commerce Katadata.co.id, Dkatadata.co.id (2020), available at https://katadata.co.id/sortatobing/digital/5eb28857e2903/mengenal-raidforums-forum-hacker-tempat-jual-beli-data-yang-bocor (last visited Feb 28, 2021).

We hope that the government takes into account the elaboration of differences between buy/sell and monetization in Article 54(2) and its elucidation in the promulgation process to avoid confusion between these terms.


IS THE RIGHTS TO BE LET ALONE PROTECTED UNDER THE PERSONAL DATA LAWS?

By Basil Rhodes Ghazali

ISSUES

The combination of computer technology with telecommunications has resulted in a revolution in the field of information systems. Data or information that decades ago had to take days to process before being sent to the other parties can now be done in seconds. On the other hand, the rapid development of information technology creates opportunities so that people are connected to one another without national borders. For example, electronic commerce, electronic education, electronic health, and electronic government. However, these developments make it very easy for a person's personal data to be transferred to other parties without their permission. The threat of leakage of personal data is also becoming increasingly prominent with the development of the e-commerce sector in Indonesia.179

The 1000 Start Up movement launched by President Joko Widodo, as one of the pillars in the development of the digital economy, has at least succeeded in encouraging the growth of four Unicorn startups from Indonesia, namely Go-Jek, Tokopedia, Traveloka, and Bukalapak.180

The growth of this digital startup has also triggered massive collection of consumer personal data, not only personal data, but also consumer behavior data. Referring to the terms of services of a number of e-commerce in Indonesia, they collect consumer personal data. In fact, almost all applications, if a potential user wants to run, will force the user to provide access to other data, such as access to personal identity, contact list, location, SMS, photos / media / files. So, if the user really wants to run the application, he has no choice but to agree to access the data. Unfortunately, the absence of a Law on Personal Data Protection results in the absence of standardization of data protection principles, which results in minimal recognition of privacy itself. For example, in 2020 there was a leak of personal data in Indonesia related to BUMN (Badan Usaha Milik Negara) and start-up unicorn companies.181

179 Bernadetha Aurelia Oktavira, Dasar Hukum Perlindungan Data Pribadi Pengguna Internet (2021) available at https://jurnal.hukumonline.com/klinik/detail/lt4f235fec78736/dasar-hukum-perlindungan-data-pribadi-pengguna-internet (last visited Feb. 23, 2021).

180 Tempo, Gerakan Nasional 1000 Startup Digital, Rudiantara: Tambah Unicorn (2021) available at https://kominfo.go.id/content/detail/20780/gerakan-nasional-1000-startup-digital-rudiantara-tambah-unicorn/0/sorotan_media (last visited Feb. 23, 2021).

181 Kasus Kebocoran Data di Indonesia dan Nasib UU Perlindungan Data Pribadi (2021) available at https://tekno.kompas.com/read/2020/05/05/19080067/kasus-kebocoran-data-di-indonesia-dan-nasib-uu-perlindungan-data-pribadi?page=all (last visited Feb. 23, 2021).

At Telkomsel, a leak of personal data happened because the customer service officer committed a violation, but at Tokopedia and Bukalapak it happened because of a server breach.182 Another security hole existed in Gojek for Android and iOS, which hackers could potentially use to steal user's confidential information, such as phone numbers, e-mails, and usernames. Some of the above events show the low respect for personal data as privacy in electronic systems. This proves the digital transformation in Indonesia, which has developed rapidly in the last decade, has not been matched by the ability of the public to understand the implications of the use of personal data in information and communication technology. The neglect of privacy protection and the lack of public awareness of the protection of their privacy provides room for a number of violations and misuse of a person's personal data.183

In this modern era, there is a need to maintain privacy so that data becomes confidential. On the other hand, in line with the development of freedom, people often prioritize expression. This shows the controversy between privacy and expression. “Privacy and expression are oxymoronic. While privacy requires privacy and expressiveness, expression entails publicity, and this inevitably leads to friction.”184 Thus, certainty is needed in the form of regulations to maintain a balance between the two interests. The regulations must be clear and detailed. Unfortunately, until now there has been no major legal umbrella that specifically regulates personal data in Indonesia. As for today, the regulations regarding personal data in Indonesia are still separate and scattered in various regulations, namely in 32 laws and are sectoral in nature while there are around 132 countries that have regulated laws on personal data protection. This also proves that public awareness regarding personal data is still very low.

182 Lazuardi Utama, Kasus Bobolnya Data Pribadi Konsumen Indonesia, Serupa tapi Tak Sama, (2021) available at https://www.viva.co.id/digital/digilife/1285857-3-kasus-bobolnya-data-pribadi-konsumen-indonesia-serupa-tapi-tak-sama (last visited Feb. 23, 2021).

183 Wahyunanda Kusuma, Data Tokopedia, Gojek, dan Bukalapak Bocor di Tengah Absennya RUU PDP (2020) available at https://tekno.kompas.com/read/2020/05/04/20170027/data-tokopedia-gojek-dan-bukalapak-bocor-di-tengah-absennya-ruu-pdp (last visited Feb. 24, 2021).

In the current scenario, the attitude of the government to form the Personal Data Protection Bill (RUU PDP) is crucial to be resolved at this time, especially with the emergence of numerous cases of public data leakage, even the PDP Bill has developed into a problem of need. The government and the DPR (Dewan Perwakilan Rakyat) will immediately step on the gas to complete the bill. One of the reasons is because other countries already have PDP regulations. Friendly countries require Indonesia to have a PDP law (Act) that is equivalent to that of its country. The particular reason for these circumstances is because the PDP Bill can provide a sense of security to the public in using various internet application platforms and also the PDP Bill is necessary to guarantee national interests. The increasingly massive hacking incidents, the use of data without permission, have further strengthened the need for the PDP Law itself.

184 Althaf Marsoof, Online Social Networking and the Right to Privacy: The Conflicting Rights of Privacy and Expression, 19. Oxford I. L. J. 111, (2011).

With the certainty of the PDP, it will put Indonesia on a par with countries that have previously implemented the PDP law. The government and the DPR have agreed to immediately finalize the draft law on Personal Data Protection (RUU PDP). Currently, the government and the DPR Commission did not have sharp differences in their views on the needs of the law. In this case, BPHN (Badan Pembinaan Hukum Nasional) has prepared an academic paper to provide an initial concept of what personal data or privacy actually is and explain that concept. The concept of privacy itself is the idea of maintaining personal integrity and dignity. The right to privacy is also an individual's ability to determine who holds information about them and how that information is used. The concept of data protection implies that individuals have the right to determine whether they will share or exchange their personal data or not. In addition, individuals also have the right to determine the conditions for carrying out the transfer of personal data. Furthermore, data protection is also related to the concept of the right to privacy.185 The right to privacy has evolved so that it can be used to define the right to protect personal data.

Thus, the legal issue is whether privacy in the regulation of personal data for electronic systems in Indonesia has been well protected.

185 Pamela Samuelson, Privacy As Intellectual Property? Stanford L.R. 52. 1125-1173, (2000).

REGULATIONS

The main source of regulating personal data is actually in Article 28G of the 1945 Constitution which states the right to protection, security right, right to choose to act over not doing. The provisions of the article read: "Every person has the right to protection of himself, family, honor, dignity and property under his control ...". Technically, the regulation of personal data can be distinguished between those that are general (which are not examined in this paper) and those that are specific because they are in an electronic system.

General regulations are contained in:

1. Act Number 7 of 1992 on Banking as amended by Act Number 10 of 1998 concerning Amendments to Act Number 7 of 1992 on Banking;

2. Law Number 8 Year 1997 on Company Documents;

3. Law Number 36 Year 1999 on Telecommunication;

4. Law Number 23 Year 2006 on Population Administration as amended by Law Number 24 Year 2013 on Amendments to Law Number 23 Year 2006 concerning Population Administration;

5. Law Number 36 Year 2009 on Health; and

6. Law Number 43 of 2009 on Archives.

While the special regulations are contained in:

1. Law Number 19 of 2016 on Amendments to Law Number 11 of 2008 concerning Electronic Information and Transactions (hereinafter referred to as the ITE Amendment Law);

2. Law Number 11 of 2008 concerning Electronic Information and Transactions (hereinafter referred to as the ITE Law);

3. Government Regulation Number 71 of 2019 concerning Implementation of Electronic Systems and Transactions (hereinafter referred to as PP PSTE);

4. Regulation of the Minister of Communication and Information Technology Number 20 of 2016 concerning Protection of Personal Data in Electronic Systems (hereinafter referred to as Permenkominfo PDP).

ANALYSIS

To examine the problems in this paper, law research was conducted. This research is related to legal problems, issues, and questions; it requires theoretical, pure, or doctrinal legal research.186 By choosing this type of research, the writer hopes to get legal principles, rules of law, or judges' decisions related to regulations regarding privacy of personal data.187

According to the Kamus Besar Bahasa Indonesia (KBBI), privacy is "freedom or privacy."188 Meanwhile, according to the Cambridge Dictionary, privacy is "the state of being alone, or the right to keep one's personal matters and relationship secret."189

186 Anwarul Yakin, Legal Research and Writing (2007), 10.

187 Sutandyo Wignyosubroto, Hukum, Paradigma, Metode, dan Dinamika Masalahnya. 147-160. (2002).

188 KBBI, Privasi, https://kbbi.web.id/privasi.

The concept of privacy was first developed by Warren and Brandeis. In early times, the law gave a remedy only for physical interference with life. Right to life served only to protect the subject from battery in its various forms. Later, came recognition of man's spiritual nature, of his feelings and his intellect.190 The scope of these legal rights broadened. The right to life has come to mean the right to enjoy life, the right to be let alone. In this regard, Judge Cooley insists on the importance of the right to be let alone.191

Article 12 of the Universal Declaration of Human Rights enunciates that “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attack upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks”. Based on that, many jurisdictions, including South Korea, Spain, Switzerland, Thailand, the United States, and the United Kingdom have recognized the right to privacy.192

Based on the provisions that are stated explicitly or implicitly regarding privacy, it is clear that the protection of the right to privacy as part of human rights has been regulated in international regulations as follows:

1. Universal Declaration of Human Rights (1948);

2. International Covenant on Civil and Political Rights (1966);

3. European Convention on Human Rights (European Convention for the Protection of Human Rights and Fundamental Freedoms, 1950);

4. American Convention on the Protection of Human Rights (American Convention on Human Rights, 1979); and

5. Cairo Declaration of Islamic Human Rights (Cairo Declaration of Islamic Human Rights, 1990).

189 Cambridge Dictionary, Privacy, https://dictionary.cambridge.org/dictionary/english/privacy.

190 Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4. Harvard L.R. 193, (1890).

191 Id., 195.

192 Althaf Marsoof, p. 111

In the Indonesian legal system, the right to privacy is classified as derogable rights, which means that its fulfilment can be reduced. This right is different from non-derogable rights, namely human rights that cannot be reduced under any circumstances.193 Non-derogable rights are regulated in Article 28 G paragraph (1) of the 1945 Constitution. Thus, it can be said that reduction, limitation, or violation of privacy cannot necessarily be considered a violation of human rights.

The basic concept of protecting personal data first appeared around 1960. In 1970 the German state of Hesse became the first state to enact data protection regulations. This was followed by national law in Sweden in 1973, West Germany in 1977, the United States in 1974, and France in 1978, and the UK in 1984.194

193 The meaning of "under any circumstances" includes a state of war, armed dispute, and / or a state of emergency, in accordance with Law No. 39 of the Republic of Indonesia (1999), concerning Human Rights, art. 4.

194 Andrew Murray, Information Technology Law, (2010), 466.

Data protection is often seen as part of privacy protection. Basically, data protection can specifically relate to privacy as stated by Alan Westin: "Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others." He was the first to define privacy as the right of individuals, groups or institutions to determine whether or not information about them is communicated to others. This understanding of privacy is called information privacy because it involves personal information.195

Therefore, in order to respond to today's challenges, including the global trend in personal data protection, as part of protecting the right to privacy of every citizen, it is important for Indonesia to have a comprehensive Personal Data Protection Act immediately. Protecting privacy also means protecting one's dignity, which is part of the individual's sovereignty in cyberspace, because with that sovereignty one can exercise freedom of expression in a democratic system.

In order to find out whether protection of privacy has been included in the existing regulations, the author uses the parameters compiled by Althaf Marsoof, to examine the following four aspects.

a. Breach of Confidence

Privacy can be protected in numerous ways as the law stands today. In most common law jurisdictions, breach of confidence is sanctioned seriously. Therefore, breach of confidence can be resorted to as a suitable cause of action in fighting the threat to privacy. Traditionally, in order to form a breach of confidence action, the plaintiff was required to establish, inter alia, that the information was capable of being protected. It is clear that only information that was intended to be kept confidential satisfies the criteria.196

195 Alan F. Westin, Privacy and Freedom (1967), 7.

According to Article 32 (1) of the ITE Law, any changes to electronic information are prohibited. According to Article 48 (1) of the ITE Law, offenders can be subject to a maximum imprisonment of 8 years or a maximum fine of Rp. 2 billion. Moreover, Article 32 paragraph (3) of the ITE Law covers actions that result in electronic information becoming no longer confidential because it can be accessed by the public. This action is punishable by imprisonment for a maximum of 10 years or a maximum fine of Rp. 5 billion, in accordance with Article 48 paragraph (3) of the ITE Law.

Meanwhile, Article 9 paragraph (1) PP PSTE states that electronic system operators are required to guarantee the confidentiality of the software source code used. Article 2 paragraph (2) Permenkominfo PDP states that privacy is a form of respect for personal data. This is the owner's freedom to declare a secret or not, as determined by Article 2 paragraph (3) Permenkominfo PDP. Therefore, the owner of the data has the right to keep confidential, complain for dispute resolution, amend, obtain history, and destroy personal data that has been submitted to electronic system administrators, in accordance with Article 26 Permenkominfo PDP. If there is a party who without permission violates the privacy of the owner of personal data, then according to Article 36 paragraph (1) Permenkominfo PDP, it will be given administrative sanctions such as oral, written warnings, cessation of activities, or announcements on the website.

196 Althaf Marsoof, 116.

b. Copyright in Confidence Material

Certain personal information may include copyright as literary or artistic work. For example, a digital diary or a blog or wall post maintained in a website and shared between limited contacts would undoubtedly attract the website-user's copyright, provided that the material is “original” and involved “sufficient skill, labor and judgment” to warrant copyright protection.197 Elucidation of Article 25 paragraph (1) of the ITE Law states that electronic information that is protected as intellectual property rights, including copyright, must be protected by this regulation.

This provision applies to databases or data compilations, in a format that can be read by computer programs or other media, as stipulated in Article 10 paragraph (1) of Law Number 28 of 2014 concerning Copyright. Based on Article 3 (2) a of PDP Ministry Decree, in obtaining and collecting personal databases, electronic system operators must respect the owners of the database for their privacy. It can therefore be concluded that the database is a confidential document whose privacy must be respected.

c. Personality in Merchandising

197 Supra, note 18, at 117.


The question is “Can the law of personal data protect the unauthorized commercial use of celebrity photographs in websites?”. This specifically relates to the possibility of creating false profiles in the name of well-known individuals and the ability to liberally tag photographs. Given the possibility of creating groups and interactive applications in websites, such as Facebook, websites are a promising tool for advertising and promoting one's businesses.198 According to Article 26 paragraph (1) of the ITE Law, the use of electronic information related to personal data must be subject to the consent of the owner. Although violations of this provision are not subject to criminal sanctions, the injured party can file a claim for compensation, in accordance with Article 26 paragraph (2) of the ITE Law.

The Electronic System Operator is obliged to guarantee that the processing of personal data is based on the approval of the owner, based on Article 15 paragraph (1) b PP PSTE. As in Indonesia, everyone is prohibited from making commercial use, that he has made for commercial purposes of advertising or advertising without written consent. So the use of personal data by other parties must obtain the owner's permission, even in written documents, according to the Article 6 Permenkominfo PDP.

d. Defamation, Slander, and Libel

From the above observation, it is manifest that a remedy against a breach of individual privacy exists in the realm of the law of defamation. However, it must be noted that the remedy has its limitations. Firstly, the plaintiff must establish a defamatory statement (oral or written) injurious to the plaintiff's reputation. Second, it must be established that the statement had been publicized. Third, the defendant must have known or should have known that the statement was false. Given these limitations, privacy breaches lacking defamatory characteristics cannot be prevented or redressed through the law of defamation.199

198 Id., at 118.

There is a prohibition on insulting or defamation when transmitting, distributing and accessing electronic information, in Article 27 paragraph (3) of the ITE Law. This violation is punishable by imprisonment for a maximum of 6 years or a maximum fine of Rp. 1 billion, as regulated in Article 45 paragraph (1). Regarding this matter, PP PSTE and Permenkominfo PDP do not regulate it at all.

CONCLUSION

Based on the discussion on the four aspects of regulations related to personal data, it can be argued that the regulations in the existing electronic systems are adequate. Indeed, there are opinions that the regulation of personal data protection in Indonesia is still weak. Looking back on the analysis that has been written above, the question of whether the Personal Data Protection Law should be legalized or not is no longer a question, because the answer is affirmative, legalized. After knowing the information about the high potential of crimes committed by data keepers against data collectors, it is clear that there is an urgency to pass a law as soon as possible which includes clear provisions protecting the personal data and privacy of Indonesian citizens. The regulation regarding the right to privacy over personal data is a manifestation of recognition and protection of basic human rights and also a necessity that cannot be underestimated. In fact, there are many aspects that should be assessed from the existing regulations. But partially, it can be considered that the PDP law has touched on the essential thing.

199 Supra, note 18, at 122.

This proves that we no longer rely on fragmented laws and regulations that have no legal certainty. If the ITE Law is passed on the basis of awareness of rampant crimes in the cyber world, the Personal Data Protection Law must also be passed as soon as possible with the same awareness or even more urgently. Basically personal data is personal identity, whose existence is a constitutional right of citizens to be left alone. The irregularity regarding this matter causes losses for citizens whose rights to privacy are bypassed by those who kept their personal data. Seeing how many countries have implemented similar laws, Indonesia as one of the largest cyber citizens in the world, should as soon as possible enact a similar draft law, into binding legislation.200

From the author's point of view, the weakness may occur due to the protection of personal data for conventional activities, not in the field of electronic systems. In this case, a legal umbrella is needed that can be held by the perpetrators, whether they have personal data, process personal data, or who control personal data.201 Personal data management is related to privacy, which is part of human rights. Therefore, the author suggests that a special law be established that comprehensively regulates personal data, whether related to electronic systems or conventional means. Given the low level and limited scope of the ministerial decree, it is necessary to establish a more robust, dependable and also persistent regulation which is summarized in one personal data protection law. Seeing how many countries have implemented similar laws, Indonesia as one of the largest cyber citizens in the world, should as soon as possible enact a similar draft law, into binding legislation.

200 The Conversation, RUU PDP masih memiliki banyak kekurangan dibandingkan standar internasional dalam melindungi data pribadi, (Feb. 25, 2021, 5.50 PM) https://theconversation.com/ruu-pdp-masih-memiliki-banyak-kekurangan-dibandingkan-standar-internasional-dalam-melindungi-data-pribadi-151212.

201 Merdeka.com, Indonesia Butuh Aturan Khusus Perlindungan Data Pribadi, 9 November 2020, (last visited Feb. 23, 2021, 7.47 PM) https://www.merdeka.com/uang/indonesia-butuh-aturan-khusus-perlindungan-data-pribadi.html.

INDONESIA’S VIRTUAL POLICE AND TOKOPEDIA DATA BREACH: URGENCY FOR DATA PROTECTION LAW

By Aulia Shifa Hamida

INDONESIA’S VIRTUAL POLICE AGENDA

In the aftermath of the appointment of the new Chief of Indonesian National Police, Listyo Sigit Prabowo, and later of his inauguration by President Joko Widodo on 27 January 2021, several of his proposed policies with regard to the reform of Indonesian National Police have since come to prominence and gained national critical acclaim, among which is the initiative of Virtual Police which has been very much on his high agenda.202, 203, 204 It has been taking effect as of 25 February 2021 and there have been different moral judgments pertaining to the initiative. What makes it critically acclaimed has been its possession of values of compromise and mediation, which Mr. Listyo regards as a manifestation of restorative justice system, which on the other side makes it critically condemned and people have been questioning its legitimacy, whether it is contrary to the basic principles of democracy; freedom of speech, press and expression. Nevertheless, in a utilitarian point of view, by virtue of its restorative justice values, this initiative is said to be, substantively and procedurally, based on the ground that the approach of restorative justice in law enforcement can and will decrease criminalisation, hence convictions, and otherwise resort to that of cyber, social media ethics and etiquette education, remedy the prolonged public opinion towards police and prevent the tendency of police prejudice towards conviction by means of partially and in a prejudiced manner interpreting laws that are in fact, subject to multi-interpretation.

202 BPMI Setpres, “Presiden Jokowi Lantik Listyo Sigit Prabowo sebagai Kapolri”, Presiden RI, (2021), available at https://www.presidenri.go.id/siaran-pers/presiden-jokowi-lantik-listyo-sigit-prabowo-sebagai-kapolri/ (last visited July 7, 2021).

203 Merlion Gusti, “Kapolri Baru, Momentum Reformasi Polri”, Kompas TV (2021), available at https://www.kompas.tv/article/141889/kapolri-baru-momentum-reformasi-polri

204 Syailendra Persada, “Kompolnas Sebut Reformasi Polri Jadi Salah Satu PR Kapolri Terpilih”, Tempo, (2021), available at https://nasional.tempo.co/read/1424033/kompolnas-sebut-reformasi-polri-jadi-salah-satu-pr-kapolri-terpilih/full?view=ok (last visited July 7, 2021).


VIRTUAL POLICE PROCEDURE, CRITICAL ACCLAMATIONS AND CONDEMNATIONS

The procedure itself begins when people who are thought to be violating the law, especially Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 on Electronic Information and Transactions (EIT), receive a digital warning through their direct messages, and they will be obliged to delete their post, whatever form it may take.205 It is worth noting that how the judgment is being made and the law is being interpreted to finally convict and summon a person, will not be carried out solely by subjective judgment of the police personnel. Instead, this phase in advance of giving people virtual warning to delete whatever they share on social media which is thought to be unlawful will be preceded by deliberation among several professional experts, that are to say, language experts, criminal law experts and experts in information and transactions law.206 If the person were to refuse to undo their post, they will be given a second warning. If one insists on not complying with what they are obliged to, they will be granted a fair audience at the police agency’s earliest convenience for the purpose of thorough clarification.

205 CNN Indonesia, Cara Kerja Virtual Police: Peringatan Polisi Dikirim via DM, CNN Indonesia (2021), available at https://m.cnnindonesia.com/nasional/20210225093152-12-610643/cara-kerja-virtual-police-peringatan-polisi-dikirim-via-dm (last visited July 7, 2021).

206 Tim Detikcom, “Ini Langkah-langkah Virtual Police Sesuai Pedoman Baru UU ITE”, Detik News (2021), available at https://news.detik.com/berita/d-5407271/ini-langkah-langkah-virtual-police-sesuai-pedoman-baru-uu-ite (last visited July 7, 2021).

Notwithstanding, a conviction is said to be the last resort. This procedure applies to cases such as libel, slander and humiliation. Its critical acclamations have been the foreseeable decline in criminalisation, prevention of police prejudice in interpreting law, cyber, social media ethics and etiquette education and police reform which is said to deal with the current public opinion towards police.207 Its critical condemnations have been the people taking stance on the matter saying that it possesses a big tendency to restrict people from remaining vocal about their voice and critics of government, and is contrary to the basic principles of democracy; freedom of speech, expression and press.

THE LEGITIMACY OF VIRTUAL POLICE

Speaking of the legitimacy, the government and national legislature, People’s Representative Council of Indonesia, must second guess its legitimacy as to whether it is compatible with the country's legal system of Civil Law along with its positivist and rigid nature, and as well as the rule of law; and that this Virtual Police agenda can not simply exist without data protection law. First and foremost, the law per se is not supposed to be compromising, at least not in Civil Law countries, especially Indonesia, due to its positivist nature of its Civil Law system, along with its written and codified laws, that are not, substantively and procedurally, easily interpreted. And if legal uncertainty or legal vacuum were to exist or if certain laws were to be subject to multiple interpretations, the legal measures must be carried out by the national legislature, either by making, amending or repealing any particular laws.

207 Id.

The presence of the restorative justice system may educate the community and decrease criminalisation, but its manner in mediation and its compromising nature unequivocally reflect the need for change in our law, especially the EIT Law and the lack of thorough personal data protection law. Nevertheless, the legitimate role needed to deal with the gap in law, which may take the form of legal uncertainty or clauses that are subject to multiple interpretations, must not be carried out by a police agency and an offender meeting each other halfway. There are four tendencies which can be inflicted by the Virtual Police initiative. First, people will be on their best behaviour, and being followed suit by decline in law-breaking behaviour, convictions and imprisonments. That being said, some people will only behave after being virtually warned or summoned to undo whatever they share on social media and being proven that the scheme is not a smoke and mirror; which means that some people are going to take law less seriously. Third, the law is now open to compromises and legal positivism in Indonesia is likely to start wearing off, which is relatively good and relatively bad. Fourth, the emergence of this restorative justice system with police agencies and offenders trying to meet each other halfway, this can lead to more policy bribery.

Apart from that, this Virtual Police agenda aimed at preventing criminalisation and conviction in consequence of violating Electronic Information and Transactions Law unequivocally reflects the need for change in our laws and the existing loophole, which is the absence of data protection law in Indonesia. By preventing criminalisation and conviction of offenders, it is concrete that the current law, that is to say EIT Law is no longer compatible with the modern day. So, there is urgency for the coexistence between Virtual Police and the amendment of the EIT Law, thus people can still be educated on how to behave on social media legitimately without having to diminish the legitimacy of the current law.

POLICY RECOMMENDATIONS

The legal measures to deal with this illegitimacy must be carried out by the national legislature, not police agencies, resorting to amend or repeal the current law, or make new law. Notwithstanding, to be forward-thinking, if this Virtual Police agenda were to continue to exist and not to be rescinded at a later time, the solution will be to pass the ius constituendum on Personal Data Protection, which will set guidance and standards in the execution of Virtual Police, with the aim of protecting social media users and technology companies, not only nationally but also those who fall under another country’s jurisdiction. The bill will define rights and obligations of parties involved, that is to say, police agencies who have legitimate authority, social media users and technology companies nationally and internationally. This is a matter of great importance because police, owing to their legitimacy, have authority to gain access to personal data of social media users if they are thought to be violating the law. We know that law does not only regulate citizens, markets and corporations. Politicians, legislators, administrators and public servants are also being defined by their rights and obligations and thus are subject to administrative law.

DATA PROTECTION LAW AS A NECESSITY

The continuing absence of data protection law can result in the abuse of power. In the midst of globalisation where science and technology have become the two most powerful determinants in bringing forth favourable opportunities to those who remain vocal about their interest, social and political activism and are critical of government in getting their voices publicly disseminated in just one glance, it is also of increasing competition following suit among those of different, if not irreconcilable voices and interests. And as more social and political activities are taking place online, data privacy is a matter of great importance. Nevertheless, what is more concerning than that of the need for personal data protection law is that many Indonesian citizens are yet to be aware of the damage that can be inflicted by the absence of such legislation protecting personal data privacy. Pro tempore, there are a considerable number of individuals who hitherto are not even aware of what actual data protection law is. The casualties inflicted due to this ignorance are thus the unfamiliarity of harms inflicted by the likely data breach and the absence of public participation as stakeholders to call their government out pertaining to the urgency for personal data protection law.

TOKOPEDIA DATA BREACH

There are currently 128 out of 194 countries and independent territories, including nearly every country in Europe, Latin America and the Caribbean, Asia and Africa that have adopted data protection laws.208 The European Union even has their General Data Protection Regulation (GDPR) which has been in force since May 2018.209

However, Indonesia still has yet to pass its ius constituendum, to wit, Bill on Personal Data Protection among the emerging breaches of personal data and privacy committed by perpetrators, one of which is data breach of both consumers and merchants of one of the biggest technology companies specializing in e-commerce, Tokopedia.210, 211

The data breach inflicted by third party not only harms those of consumers data comprising both general and specific information which can lead to fraud, racketeering and identity theft, this unfortunate event can and will hold back the prospective investors in investing in Indonesia’s technology companies due to the legal uncertainty on personal data protection. In the absence of personal data protection law which to a great extent has inflicted legal vacuum, by no means do we have a party to be held accountable if data breaches are to continue to take place. In the case of Tokopedia, not only have its users been put at a great disadvantage, Tokopedia will also most likely forfeit their prospective investors.

208 United Nations Conference on Trade and Development, Data Protection and Privacy Legislation Worldwide (2021) available at https://unctad.org/page/data-protection-and-privacy-legislation-worldwide

209 GDPR EU, What is GDPR, the EU’s New Data Protection Law?, GDPR EU (2021) https://gdpr.eu/what-is-gdpr/ (last accessed March 19, 2021).

210 Paulina Herasmaranindar, “RI Butuh RUU Perlindungan Data Pribadi, Singapura hingga Malaysia Sudah Atur”, Kumparan News (2021) available at https://m.kumparan.com/kumparannews/ri-butuh-ruu-perlindungan-data-pribadi-singapura-hingga-malaysia-sudah-atur-1v2usbz47hN

211 Eisya Eloksari, Tokopedia Data Breach Exposes Vulnerability of Personal Data, The Jakarta Post (2020), available at https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes-vulnerability-of-personal-data.html?utm_campaign=os&utm_source=mobile&utm_medium=ios (last accessed March 19, 2021).

POLICY RECOMMENDATIONS

It has always been a matter of great importance and Indonesia must have a consistent and committed stance towards such an issue. Government and the national legislature must put a greater concern on data protection by putting the Bill on Personal Data Protection into the National Legislation Program. And in the transition process, the government will have to ensure that all companies within the legal jurisdiction of Indonesia comply with the existing regulations concerning the use and management of electronic data, which are hitherto being regulated in Law No. 11 of 2008 regarding Electronic Information and Transactions (EIT Law) as amended by Law No. 19 of 2016 (EIT Law Amendment); Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions (Reg. 71); Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (MOCI Regulation); Article 40 & 42 of Law No. 36 of 1999 regarding Telecommunications as partially amended by Law No. 11 of 2020 on Job Creation or generally referred to as the Omnibus Law; Article 6 & 17 of Law No. 14 of 2008 regarding Disclosure of Public Information; Law 7 of 1992 as amended by Law 10 of 1998 on Banking and as partially amended by Law No. 11 on Job Creation (“Banking Law”) and Law 8 of 1995 on Capital Markets (“Capital Markets Law”) respectively; and Article 21 of Financial Services Authority Regulation No. 38/POJK.03/2016 as partially amended by Financial Services Authority Regulation No. 13/POJK.03/2020 on the Implementation of Risk Management in the Utilization of Information Technology by the Bank.212

CONCLUSION

As more social and economic activities are taking place online, data privacy is a matter of great importance. We are constantly being asked to grant general and specific information such as our ID, credit card number, driving licence, health insurance, criminal record, so on and so forth as a key provision in exchange for the products and services we use. And what is currently being concerned with is the absence of data protection law in Indonesia which is to define and regulate the rights and obligations of the parties involved, that are to say, personal data owner; personal data controller; personal data processor; personal data protection officer; and the events occurring within such a system, such as personal data transfer inside and outside Indonesia’s jurisdiction, end-to-end encryption, third party regulation, up to compliance with the regulation and administrative and criminal sanctions imposed for data breach. The absence of such regulation has inflicted a state of legal vacuum. The casualties inflicted due to legal vacuum are very much detrimental since there will be no party to be called to account when data breaches are to occur. This is why the national legislature should unanimously pass the bill, because the bill will not only protect citizens, it will protect everyone. Citizens, politicians, activists and companies. It is to protect all of us. And it should not be politicised. It should be humane.

212 DLA Piper, Data Protection Laws of the World: Indonesia (2021), available at https://www.dlapiperdataprotection.com/index.html?t=law&c=ID (last accessed March 19, 2021).

PROTECTING PERSONAL DATA IN THE ERA OF PLATFORM ECOSYSTEMS

By Tran Ngoc Minh; Nguyen Van Thu; Tran Duc Long

Industry 4.0 was born with the explosion of high technologies such as cloud computing, the Internet of Things, and Big Data analytics, among others. Together, it is blurring the boundaries of three realms: the physical, the digital and the biological. This creates a digital economy platform called a platform ecosystem. Within this ecosystem, consumers have enjoyed the full package of fast and modern products and services that enable them to just sit at home and enjoy all conveniences such as online learning, therapy products, ordering, catering services, relaxation services, online medical assistance, among many others. In recent years, digital platforms and ecosystems are quickly advancing as the business model that flourishes the most in the digital economy. However, in contrast to the fast, low-cost utilities, data scandals like the Facebook-Cambridge Analytica incident involving the illegal collection and sale of consumers’ personal information have shocked the world. More importantly, it sparked a series of legislative debates in the United States and Europe, as well as a shift in consumer perceptions of privacy and in the protection of personal information of consumers. This raises two questions of data protection in the use of platforms and platform ecosystems: “Do users freely make a choice in sharing data in an ecosystem?” and “What are the coping mechanisms enacted by lawmakers to protect users’ information from leaking from one platform to another in an ecosystem?” To address these questions, this article will cover restrictions from a legal perspective and thereafter give an analysis on protecting user information in the ecosystem platform.

INTRODUCTION

“Ecosystem” is not a new word, especially in the field of technology. In 2003, Apple fired the first shot when it released iLife, a bundled package that included iPhoto, iTunes, iMovie and iDVD. Not long after the first iPhone, Android was presented by Google as a counterweight to iOS. Since then, the world witnessed the rapid change in user experience, and the fall of giants in the mobile phone industry, Nokia and Blackberry. Those two companies had wrongly predicted the course that the modern citizen would take in using phone and smartphones—that people would still only pay attention to performance, security, or celebrity endorsement—and thereby capitalized on their advantages, but iOS and Android instead created a place for content creators and game developers to meet users, called a platform. In fact, digital platforms and ecosystems are quickly advancing as the business model that flourishes the most in the digital economy.

Users have always had various options in apps and games, while for operating systems, they had only two or three to choose from. But in those two or three systems, users could fulfill every need such as studying, working, entertainment, and even security from smartphone viruses. While the basic platform ecosystem model alone has disrupted industries like retail, travel, and mobility, some companies that aren’t digitally native are shaping their platform and ecosystem strategies to create value and stay competitive. More and more companies present users’ IDs so that they can receive gifts and vouchers in their “ecosystem,” mostly in fintech and retail. Through their dominant position in a particular market, they can attract users, sell more and make higher profits. For example, one corporation in the real estate industry invested in retail and created a platform to promote offers to customers in other branches, then successfully converted the data they collected into outstanding sales. While this success was made possible by many factors, still, a platform strategy grounded on understanding customers and creating products that target customer segments is not the least among them. This situation is similar to what Lundqvist (2020) mentioned on firms that pool business data and may use the same, not to advance their services or products, but to collude, to exclude competitors or to abuse their market position.

To clarify the risks of consumer rights violations respecting personal information in a platform ecosystem, the authors proceed in the following order:

1. Consumer data protection concepts in platform ecosystems; and

2. Cross-country legal analysis on consumer data protection on platform ecosystems.

CONSUMER DATA PROTECTION CONCEPTS ACROSS PLATFORM ECOSYSTEMS

In defining consumers, there are many different concepts and perspectives to consider. From an economic perspective, “The consumer is any economic unit that has the need to end up consuming goods and services … Normally, the consumer is considered an individual but in reality, consumers can be agencies, individuals and groups of individuals.”213

From a legal perspective, consumer means “a person who buys goods or services for personal, family or household use without the purpose of reselling.”214 This definition once again affirms that consumers are characterized by an individual or organization directly using goods or services. Such a definition makes it easier and more reasonable to solve problems directly related to products and services because here, consumers are the ones directly using and experiencing them.

As for the definition of personal data, the 1980 OECD Guidelines215 defines it as any information relating to an identified or identifiable individual, called the data subject. Similarly, Article 4.1 of the EU's General Data Protection Regulation (GDPR) defines it as “any information relating to an identified or identifiable natural person.”216

213 David W. Pearce, The Dictionary of Modern Economics, Aberdeen Economic Consultants, Palgrave Macmillan, London (1983), available at https://doi.org/10.1007/978-1-349-17125-5 (last visited July 7, 2021).

214 Bryan A. Garner, & Black, Henry C. Black, Black's Law Dictionary (9th ed. St. Paul, MN: West, 2009).

215 OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).

The right of consumers to protect their personal information is accessed through the angle of human privacy. Privacy is a fundamental human right. Privacy has two main functions: freedom from physical access and promoting liberty of action. When infringements of this right are prevented, the individual is separated from distractions and hindering factors resulting from contact with others. Protecting individual privacy is essential for a democratic society because it promotes the autonomy of every citizen.217

To understand the concept of a cross-platform ecosystem, we first need to analyze the fundamental concept. In general, platforms are connected by a network of nodes. In the past, the network was often envisioned in tangible terms, such as the transportation network, the electricity and water networks. Nowadays, under the development of information technology, invisible networks like the internet develop and become popular. Since then, the definition of multi-platform ecosystem has been developed as follows: “A multi-platform ecosystem is a system of digital platforms with separate functions but links to create a variety of types of goods and services to serve the needs of consumers under an integrated experience.”

Developing business models towards building a multi-platform ecosystem has become a trend because it helps businesses in the ecosystem to maximize profits, and at the same time help consumers to have more access to goods and services on the market. It entails the need to protect consumers’ data on multi-platform ecosystems for two (2) reasons: inequality in the position of consumers in the platform ecosystem and consumer data protection being the driving force behind a platform ecosystem.

216 General Data Protection Regulation (GDPR), art. 41, available at https://gdpr-info.eu (last visited July 7, 2021).

217 Ruth Gavison, Privacy and the Limit of the Law, 444–445 (2012).

Inequality in the position of consumers in the platform ecosystem

It must be emphasized that consumers have always been identified as the weak side in the relationship of transactions with suppliers of goods and services, especially in view of identifying consumers as individuals, due to the typical consumer’s lack of information or understanding. Set in a cross-platform ecosystem, where consumers are mostly single individuals with Internet-enabled devices, where it is virtually impossible to stay anonymous, the digital platform requires that consumer rights be extended. According to the European Consumer Organisation (BEUC), on digital platforms, many services do not require payment in money, but are often served based on data in the form of remuneration. In this sense, services are not free. Consumers actively provide personal and non-personal data in exchange for services, products, or content or to allow service providers to track them and collect data about their habits and preferences passively. This data is then typically sold to advertising networks, and in return, the service provider pays a fee.218

218 The European Consumer Organisation, Ensuring consumer protection in the platform economy, 8 (2018).

According to the above theory, users voluntarily share their personal information, purchase and search behavior for platforms in exchange for a "free" service. But consumers are often unaware of what information they voluntarily and actively provide and how it is used; moreover, with the expansion of platforms, consumers are forced to choose between sharing information in exchange for convenience and connection with a seller on one hand and being outside and not enjoying the benefits offered by the platform on the other. And as consumers step into these online platforms, the platforms also use a number of techniques to keep users in their own ecosystems. One of these techniques is to push users towards the so-called "filter bubble."219 While platforms may represent these functions as “personalizing the user experience,” the filter bubble is designed to maximize the amount of platform-specific user attention and to keep giving them as much time as possible on the platform itself, generating as much advertising revenue as possible. Real users are not aware of this, and these actions have been referred to by the European Data Protection Supervisor as a form of online manipulation.220

219 A filter bubble is a term coined by the Internet activist Eli Pariser to refer to a state of intellectual isolation that can result from personalized searches when a website algorithm selectively guesses what information a user would like to see based on information about the user, such as location, past click-behavior and search history. Engin Bozdag, Bias in algorithmic filtering and personalization, Ethics and Information Technology. 15 (3): 209–227 (September 2013).

220 European Data Protection Supervisor, EDPS Opinion on online manipulation and personal data (March 2018), available at https://edps.europa.eu/sites/edp/files/publication/18-03-19_online_manipulation_en.pdf (last visited July 7, 2021).

Consumer data protection being the driving force behind a platform ecosystem

Consumers are a very important factor for the development of commercial activities, and are the target of most businesses. Consumers' needs and preferences are the driving force behind competition among businesses. The success or failure of a business depends on consumer confidence in that business. Platform ecosystem activities are not an exception: the larger the number of individuals participating in platform ecosystems, the higher the level of socialization. This creates a large market for businesses, prompting them to choose platform ecosystems as their product distribution channel.

In platform ecosystem activities, a feature of the collection and use of consumer personal data is the intervention of technological factors in the process. Platform ecosystems serve as a vehicle for transactions associated with electronic data transmission. Personal data of consumers are stored electronically. Therefore, customer's personal data are regularly collected and used not only for the present transaction but also for future transactions. For example, today's businesses often focus on building and exploiting customer data through what is called "customer relationship management" (CRM). Through CRM, businesses approach and communicate with customers in a systematic and effective way to better serve customers, to maintain relationships with customers, to bring back old customers, and to reduce spending, marketing fees and customer service extensions. By detecting and analyzing data, businesses can identify a list of potential and long-term customers to come up with a reasonable customer care strategy. With the support of the new technological trends brought about by the Industrial Revolution 4.0, modern data-processing and analysis chips have been designed to extract every piece of data of the consumer and even information that consumers provide to entirely separate channels (causing information externalities).

CROSS-COUNTRY LEGAL ANALYSIS ON CONSUMER DATA PROTECTION ON PLATFORM ECOSYSTEMS

The first country to enact a complete personal data protection law was Sweden in 1973. In 2020, about 120 countries around the world have issued laws related to the protection of personal data under different forms. Some countries enact their own laws on data protection that are specified in other specialized laws; others also note general provisions in their constitutions and civil laws. The law on protection of personal data in the world can be divided into 3 main models:

The European model with a central ideology of individualism and protection of privacy for personal data. The EU GDPR is considered to be one of the world's strictest laws on personal data protection. The GDPR is a privacy law that gives individuals much control over data collection, use, and protection. This act sets out strict rules about the data security that organizations collect, including the use of technical protections such as encryption and stricter accountability when collecting data.

The US model approaches personal data protection at a level of more harmony between the rights and interests of sensitive security information owners and other entities. At the federal level, the US Federal Trade Commission (FTC) has broad authority in enforcing data protection regulations. However, the US does not have a comprehensive federal law regulating the protection and use of personal data. Personal data protection is regulated by state laws and guidelines developed by government agencies, such as:

1. The US Privacy Act of 1974;

2. The Gramm-Leach-Bliley Act 1999 (GLBA);

3. The Children's Online Privacy Protection Act 2000 (COPPA); and

4. The Guide to Protecting the Confidentiality of Personally Identifiable Information 2010 by the National Institute of Standards and Technology (NIST).

The US model is a minimalist approach in which lawyers play an important role in enforcement. However, there is growing public concern about the amount of private data that businesses collect. In fact, the protection of consumers' privacy and data in e-commerce in the US is mainly done through self-regulation methods within the e-commerce industry. Self-regulation measures are divided into four groups: (i) self-building guidance; (ii) e-commerce privacy authentication program, where businesses commit to protecting the privacy of e-commerce; (iii) technology protection methods, focusing on protecting the privacy of consumers by using software technology to automatically warn what information web pages will collect, allowing consumers to both decide in advance what data will be collected, and pre-select what data is allowed; (iv) the "safe harbor" method, a new method combining self-regulation with legislative rules. This method is used to update privacy protection guidelines in e-commerce, issued by specific online service providers.

The mixed model is a combination of the two above models applied in some Asian countries such as Japan and South Korea. Countries following this model often enact a separate privacy law or protection law to centrally and comprehensively regulate relevant issues. In combining features of the European and American models, this adjustment becomes more reasonable and harmonious. A notable example of this model is Japan's Act on Protection of Personal Information (APPI) of 2003, as amended. The core principles in APPI are based on a combination of the OECD Guidelines and the EU Directives. Japan is also a member of Asia-Pacific Economic Cooperation (APEC), so the APPI was made in compliance with the APEC Code of Conduct. The APPI does not establish a central privacy protection enforcement and governance body. Instead, with the enforcement of industry-governed privacy regulations, each industry regulator is responsible for regulating privacy in that area. The amendment to the APPI established a Personal Information Protection Commission (PIPC). The PIPC has substantial powers including audit rights and requiring companies to submit reports on privacy compliance.221 However, the degree of harmonization is most reflected in the fact that the 2017 amendment to the APPI allows companies to purchase and sell personal data that have been anonymized or aggregated to enable and encourage the use of big data analysis in Japan. The APPI has a series of EU-style guidelines that apply to data flows to be transferred to domestic and international third-party service providers, including requirements for monitoring data transferred to a third party. However, there is still a large difference between the APPI and GDPR. For example, the purpose of the APPI is to protect the legitimate rights and interests of individuals while ensuring proper consideration of the usefulness of personal data according to the general principles of personal data privacy. Meanwhile, the GDPR prioritizes protecting the privacy of individuals when moving data within the EU.

The APPI only applies to personal data use by enterprises, and personal data will not be considered infringed if the purpose of use is promptly made known to data subjects or publicly announced after the enterprise acquires personal data, unless the intended use has been made public. Meanwhile, the GDPR requires that personal data be collected for specific, explicit purposes and not further processed in a manner incompatible with those purposes.

It can be seen that each country has a tendency to adjust their own data privacy laws depending on their own economic, political, social, cultural, and geographical conditions, situation and needs. However, in the context of strongly developed information technology and increasing concerns about the privacy rights of personal data, countries around the world have been tending toward legislating tighter privacy regulations.

221 Robert Healey, How the Japan APPI compares to GDPR Are you Compliant? (2021) available at https://relentlessdataprivacy.com/how-the-japan-appi-compares-to-gdpr-are-youcompliant/?fbclid=IwAR008P7P6bRjdy3zvmxg1ZY3MH5OGJtCDGq7l-EK-glk3udiHfVfbd7h28U, (last visited July 7, 2021)

CONCLUSION

The first prerequisite for building a cross-platform ecosystem as well as implementing digital transformation is to win the trust of its users, creating a legal corridor for protecting data. In the current context, ensuring security in the digital space is the key to building trust in consumers. Because they are vulnerable, cross-platform ecosystems need fitting protection measures. And by looking at models of personal information protection in different countries, we find laws that regulate personal data privacy in different ways—whether tightly, minimally, or somewhere in between—depending on their unique considerations. However, we can see the trend of increasingly stricter regulations on the protection of personal information of countries around the world in the context of strong information technology and privacy concerns with increasing amounts of personal information.


FINTECH’S RISE IN THE TIME OF PANDEMIC: DATA PRIVACY REQUIREMENTS

By Gisela Tracy Gracia King

“Data is the most valuable commodity on earth today.”

As the COVID-19 virus pandemic continues to be highly transmissible, responses by different governments to these health emergencies differ but point toward the same disruption of the normal occurrence in people’s lives. This ongoing outbreak has posed various problems that immensely affect our daily lives, as the implementation of Governor Regulation No.79 of 2020 compels people to adhere to large-scale social restrictions and to stay at home. One by one, countries began to enact regulations that established lockdowns to maintain discipline and order, as well as to decrease the number of infected cases. This led to schools, universities, offices, and businesses being shut down, spreading economic suffering worldwide. Hence, people are left with no option but to utilize technology in their daily lives.

There has been a strong uptake in digital solutions, as people are turning to online options, making Financial Technology (“Fintech”) businesses largely resilient in spite of the pandemic. A joint study by the World Bank, the Cambridge Center for Alternative Finance at the University of Cambridge’s Judge Business School, and World Economic Forum shows that the fintech market has continued to help expand access to financial services during the COVID-19 pandemic—particularly in emerging markets—with strong growth in all types of digital financial services.222 Fintechs based in Indonesia, such as Investree and Tunaikita, have helped small and medium enterprises (“SMEs”) to get loans at a lower cost with digital-friendly services that outstrip conventional banks, as only 12% out of 60 million SMEs in Indonesia can get financing or bank loans.223 In smaller aspects, fintech has made self-isolation much easier, since online services that are practically covering every industry imaginable can be paid through fintechs. It is safe to say that fintech has played a role in helping people battle the COVID-19 pandemic.

222 The World Bank, https://www.worldbank.org/en/news/press-release/2020/12/03/fintech-market-reports-rapid-growth-during-covid-19-pandemic (last visited on Mar. 3, 2021)

223 Nurhastuty K. Wardhani and Marc Bohmann, How fintech can help Indonesia’s small and medium enterprises survive the COVID-19 pandemic, The Conversation (Nov. 5, 2020, 09:30 A.M.), https://theconversation.com/how-fintech-can-help-indonesias-small-and-medium-enterprises-survive-the-covid-19-pandemic-148528.

However, recent advances in information technology threaten privacy, have reduced the amount of control over personal data, and open up threats as a result of access to personal data.224 According to The Jakarta Post, data on almost 3 million users from fintech aggregator platform Cermati.com was leaked and sold online for US$2,200 on Oct. 28. The leaked data includes names, addresses, bank accounts, emails, mother's maiden names, tax numbers, and passwords.225 A similar case happened at US fintech giant Dave, which has admitted to a breach of customers’ personal data via a third-party supplier after researchers found a database containing millions of records for sale online.226 Fintech may be bringing opportunities in the banking and financial industry, but it also comes with challenges. To address this challenge, many countries are adopting policies similar to General Data Protection Regulation (“GDPR”) as well as data sovereignty regulations.227 This highlights the vulnerability of user data in digital platforms and therefore the urgency to ratify Indonesia’s Personal Data Protection bill (“PDP Bill”).

224 Van den Hoven, Jeroen, Martijn Blaauw, Wolter Pieters, and Martijn Warnier, Privacy and Information Technology, The Stanford Encyclopedia of Philosophy (2020), https://plato.stanford.edu/archives/sum2020/entries/it-privacy/.

225 Eisya A. Eloksari, Fintech Cermati data breach points to urgency for data protection law: Experts, The Jakarta Post (Nov. 5, 2020, 03:13 P.M.), https://www.thejakartapost.com/news/2020/11/05/fintech-cermati-data-breach-points-to-urgency-for-data-protection-law-experts.html.

226 Phil Muncaster, US Digital Bank Dave Admits Customer Data Breach, Info Security (Jul. 27, 2020), https://www.infosecurity-magazine.com/news/us-bank-dave-admits-customer-data/.

First and foremost, Indonesia is yet to have a specific and comprehensive law about personal data protection. Article 28G Paragraph 1 of the 1945 Constitution states that every person shall be entitled to protection of his/her own person, family, honor, dignity, and property under his/her control, as well as be entitled to feel secure and be entitled to protection against threat of fear to do or omit to do something being his/her fundamental right–implicitly mentioning the right to protect personal data. In addition, there is a minimum of 30 regulations that contain clauses on personal data protection, such as Law No.11 of 2008 on Electronic Information and Transactions, Law No.24 of 2013 on Amendment to Law No.23 of 2006, Law No.8 of 1999 on Consumer Protection, Law No.36 of 1999 on Telecommunications, Ministerial Regulations No. 20 of 2016 on Protection of Personal Data in Electronic Systems, etc. Despite this, the existing regulations remain sporadic and siloed. In addition, Indonesia’s progress on data protection is slow in comparison to other ASEAN countries, such as Singapore, Malaysia, Thailand, and Philippines.228 This is where the PDP Bill came into the picture. Once the PDP Bill is ratified, Indonesia will be the 127th country in the world to implement regulations aiming at data protection.229

On 24th January 2020, the Indonesian President, Mr. Joko Widodo, signed the PDP Bill that is now being finalized by the House of Representatives.230 Although the PDP Bill will not be the first personal data protection law in Indonesia, it sure will be the most important one yet since it has a greater scope of protection and insurance, acknowledging the rights and obligations of the stakeholders involved. The PDP Bill aims to protect the privacy of individuals with respect to their personal data and governs the relationship between individuals and entities processing their personal data. It simultaneously strives to create a robust digital economy by ensuring innovation through digital governance.231 Nonetheless, the House of Representatives plans to conclude deliberations on the PDP Bill in the first quarter of 2021, a delay from its initial target of finishing it in October 2020.232

227 Subianto and Ravi Ivaturi, Personal data protection key as fintech grows, The Jakarta Post (Dec. 26, 2019, 10:58 A.M.), https://www.thejakartapost.com/academia/2019/12/26/personal-data-protection-key-as-fintech-grows.html.

228 Agus Tri Haryanto, Bukti Indonesia Terlambat Punya UU Perlindungan Data Pribadi, Detik (Jan. 28, 2020, 09:10 P.M.), https://inet.detik.com/law-and-policy/d-4877050/bukti-indonesia-terlambat-punya-uu-perlindungan-data-pribadi.

229 Ibid.

230 PwC Digital Services, https://www.pwc.com/id/en/publications/digital/digital-trust-newsflash-2020-02.pdf. (last visited on Jan. 15, 2021)

231 Trilegal, https://www.trilegal.com/index.php/publications/analysis/the-personal-data-protection-bill-2019. (last visited on Mar. 3, 2021)

232 Imantoko Kurniadi, RUU PDP Ditargetkan Rampung Maret 2021 Mendatang, Selular Id (Dec. 29, 2020, 16:00 P.M.), https://selular.id/2020/12/ruu-pdp-ditargetkan-rampung-maret-2021-mendatang/.

The PDP Bill adopted several principles and aspects of the European Union’s GDPR, which focuses on five main areas: data collection, data processing, data security, data breach, and the right for individuals to have their personal data erased.233 However, the PDP Bill, in contrast to the GDPR, does not refer to data owners as “identified or identifiable natural persons or data subjects”; rather, it uses the term “persons or corporations”, which thus calls for specifications for applicable protections.234

The final draft law has 72 articles in 15 Chapters discussing the following topics:235

1. The definition and types of personal data;

2. The rights of data owners;

3. The processing of personal data;

4. The obligations of data controllers and processors when processing personal data;

5. Transferring personal data;

6. Administrative sanctions;

7. Prohibitions against certain uses of personal data;

8. The establishment of behaviour guidelines for personal data controllers;

9. The dispute resolution over the use of personal data;

10. International cooperation; and

11. The roles of the government and the public.

The current finalization of the bill begs the question, is the PDP Bill comprehensive enough? A preliminary study at Tifa Foundation comparing the PDP Bill with two leading international personal data protection instruments, the Convention 108+ from Council of Europe (“CoE 108+”) and GDPR, found two major shortfalls of the PDP Bill.236

233 News Desk, Indonesia to conclude data protection bill in November, The Jakarta Post (Sep. 2, 2020, 07:38 P.M.), https://www.thejakartapost.com/news/2020/09/02/indonesia-to-conclude-data-protection-bill-in-november.html.

234 Indonesia’s Personal Data Protection Bill. H.R., (2021).

235 Indonesia’s Personal Data Protection Bill. H.R., (2021).

The first problem is the lack of detail in the PDP provisions.237 This can be found in Article 9, where it specifies the conditions of consent and the right of data subjects to withdraw consent without mentioning any provision that necessitates that withdrawing consent should be as easy as providing consent.238 It also fails to include the fundamental principles of data protection, such as privacy by design, privacy impact assessment, and privacy by default.239 It is crucial to point out that there is the creation of a Personal Data Controller (“PDC”), which can be a person, a business, or even a corporation that is responsible for controlling and processing personal data that is collected, and a Personal Data Processor (“PDPr”) that processes personal data on behalf of the PDC.240 However, the PDP Bill is not specific enough with regard to the obligations of PDC and PDPr in today’s digital age. The second problem is the absence of arrangements of the supervisory authority to enforce the law when enacted.241 Article 58 paragraph 2 of the PDP Bill only stipulates that the implementation of PDP will be executed by the Ministry of Communications and Information Technology, showing the lack of clarity on the powers and roles of the data protection authority.242 Due to the absence of such authority, one can only assume that when the data subject claims for his or her rights, the communication will be direct between the data subject and the PDC and/or PDPr. However, this procedure has no guarantees from the supervisory authority to ensure the implementation of a request from the data subject by the PDC or PDPr, making the future fulfillment of the law rely excessively on the knowledge of individuals to protect their personal data.243 Although the PDP Bill to a large extent mimics the data protection principles in current international standards, those two major gaps might obstruct the enforcement of the law once it is enacted.244

236 Sherly Haristya and Shita Laksmi, How comprehensive is personal data protection bill?, The Jakarta Post (Nov. 18, 2020, 01:00 A.M.), https://www.thejakartapost.com/paper/2020/11/17/how-comprehensive-is-personal-data-protection-bill.html.

237 Ibid.

238 Indonesia’s Personal Data Protection Bill. H.R., (2021).

239 Ibid.

240 Ibid.

241 Ibid.

242 Ibid.

243 Sherly Haristya, Shita Laksmi, An Nisa Tri Astuti, and Intan Fatma Dewi, Preliminary Study: A Comparison of Indonesia’s Personal Data Protection Bill with Europe’s Convention 108+ and General Data Protection Regulation, Tifa Foundation (2020), https://www.tifafoundation.id/yayasan-tifa-preliminary-study-a-comparison-of-indonesias-pdp-bill-with-coe-108-and-gdpr/.

244 Ibid.

To address the problem raised, researchers at Tifa Foundation propose a way forward. First, authorities must add more clarity on the data protection rules and fill in the gaps of the roles and responsibilities of the data protection authority.245 There is still a need for the government to identify the regulations needed to complement the PDP Bill and act in the principle of “lex superior derogat legi inferiori” whereby a statutory provision lower in hierarchy shall act in accordance with the higher ones, hence the local government can be repealed if it is contradictory with the higher regulation. Another way to address the problem is for the government to establish a dedicated data protection authority that could lead the enforcement efforts, not only of private sector actors, but also all the ministries and government institutions.246

Lastly, the government needs to acknowledge the different types and capacities of actors to comply with the law when it is enacted.247 The bill has to recognize that the role of supervisory authority must be able to educate different actors on the importance of personal data protection for the sustainability of their businesses and empower them to comply with the law.248

Indonesia is at the forefront of digital transformation. In order for this to continue, Indonesia must have effective ICT-related regulations, such as the proposed PDP Bill. Once the PDP Bill is ratified, it will be the first Indonesian law to provide comprehensive regulations aiming at data protection, not only via an electronic system but also via analog systems, while also playing a critical part for people to have a sense of security in the digital world. The PDP Bill will enable Indonesia to build an environment that is conducive for economic growth. However, challenges in formulating comprehensive regulations cannot be avoided, which is why Indonesia needs to regulate meticulously by assuring that the bill accommodates all of the fundamental principles and enforcement mechanisms to implement the law effectively.

245 Ibid.

246 Ibid.

247 Ibid.

248 Ibid.


ALSA Law Review Magazine Volume 9 . Issue No. 1

July 2021