Stuck in Authority Formation
Discussion on the Personal Data Protection bill is slow. The Indonesian government insists that the supervision is under the Ministry of Communication.
THE meeting on the Personal Data Protection Bill held on Thursday, April 8, proceeded slowly. For one and a half hours, the meeting between the Defense, Foreign Affairs, and Communication and Informatics Commissions at the House of Representative (DPR) and the ministry of communication and informatics had not come to an agreement on the formation of personal data supervisory authority.
“The discussion has yet to reach a common ground because we want the authority to be independent, instead of under the ministry of communication,” said Farah Puteri Nahlia, a member of the commission from the National Mandate Party (PAN), to Tempo on June 2.
The bill is a government proposal and is included in the 2021 National Legislation Program. The need for the law is increasingly urgent amid widespread cases of personal data leakage. Last May, 279 population data were leaked and traded on the Internet. The leaked data allegedly belongs to the Health Care and Social Security Agency (BPJS Health Care) which includes name, identification number, telephone number, e-mail address, home address, and salary.
Data supervisory requires a body or an institute that can impose a penalty to a negligent data manager. Article 58 of the bill states that the government has a role in realizing the implementation of personal data protection. Director-General of Informatics Application of the Ministry of Communication and Informatics Semuel Abrijani Pangerapan who represented the ministry for the commission meeting, persisted that the supervisory was under his ministry.
Minister of Communication and Informatics Johnny Gerard Plate said that his ministry had already had a team whose task was to solve problems regarding personal data of the private sector. “Why are we regarded as not being independent? Keep away the negative thoughts,” said Plate, who also holds the position as National Democrat (NasDem) Party Secretary-General.
According to Farah, the authority should not be under the ministry’s supervision to be free from intervention. She exemplified that provided there would be a data leakage in the ministry, it would be difficult for the institution to impose a penalty. Farah said that almost all factions wanted the supervisory authority to be independent.
Nico Siahaan, a member of the commission of the Indonesian Democratic Party of Struggle (PDI-P), also supported Farah’s opinion. According to Nico, his faction wanted the authority to be outside the ministry of communication. “How is it possible if the one who have done the negligence is the ministry and it imposed a penalty to itself? Is it fair?” asked Nico.
Without the agreement, the discussion meeting was again delayed. Muhammad Farhan, also a member of the commission from the NasDem Party, said that the stalemate had to end so that the bill could be deliberated. In his opinion, the supervisory authority should be under the ministry of communication. “This is an extension of the president, whose accountability is direct to the DPR,” he explained. Farhan admitted that he had attempted to lobby several parties to support the proposal.
Nico acknowledged that he had communicated with several NasDem members. However, he said, the communication was informal and not intensive. The PDI-P, according to him, until now wanted the supervisory institution to be free from the ministry of communication’s control.
Executive Director of the Institute for Policy Research and Advocacy Wahyudi Djafar said that the government should form an independent institution because the law would apply not only to the private sector, but also the government. The law, he added, would also determine the equivalence with the European Union’s General Data Protection Act (GDPR). “Therefore, one of the prerequisite is whether Indonesia forms an independent protection authority,” he said.
In Asia, only Japan has personal data protection law that is equal to the GDPR. As for South Korea, it is in the process to obtain equality statement from the European Commission.