Personal data is a new resource for economic value globally in this modern era, where global technology companies have a customer database containing information of identities, habits and behaviors to find new services to fulfil clients' needs. It is not only about how to manage the database of these customers, but also how to utilize the data bank. These circumstances trigger transborder data flow to other regions and the data processing for purposes that may be different than those for which they were originally collected, known as the big data phenomenon. Such projects typically involve the transfer of data from numerous sources without regard to geography and may have significant benefits for society if there is a certainty in policy and legal framework.
Nowadays, we are facing an information explosion in society, which is a new opportunity for business and provides a new framework for economic strategy. However, there is a massive growth both in the problems and volume of global data flows, as it may harm users and their personal daily life if no specific rules are applied.
The question regarding the global data transfer across the world is how Indonesia will handle this situation? Why should Indonesia keep an eye on this issue? As online activity is growing, the national regulatory authority should respond to this global phenomenon. The Internet world statistics says that Indonesia already has 132 million Internet users in 2016, these being the individuals who have access to Internet at home, including mobile smartphones.
In the European Union, three laws regarding data protection have been enacted, namely the EU Data Protection Directive which came into effect on Oct. 24, 1995, which protects individuals and the processing of personal data and the free movement of such data. The EU Directive of Privacy and Electronic Communications regulates the processing of personal data and the protection of privacy in the electronic communications sector.
Due to the strategic issue of defense and national security of each member state, the European Parliament and Council has issued the General Data Protection Regulation on April 27, 2016, which will come into force on May 25, 2018. This General Data Protection Law is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union. It also addresses export of personal data outside the European Union, as the regulation will replace the Data Protection Directive.
In contrast, Indonesia has no comprehensive laws and regulations specifically covering data privacy. Data privacy is principally regulated by the following legislation: the 2008 Law on Electronic Information and Transactions, or the ITE Law; and the 2012 Government Regulation on the Implementation of Electronic Systems and Transactions. As with other local laws and regulations, the ITE Law and the government regulation do not go into great detail, as the implementations are often driven by policies, including corporate policies, and rely on regulations issued at the ministerial level to interpret them.
The Indonesian government is working to propose a bill regarding data and personal information protection to the House of Representatives. However, there is no significant progress from the House to finalize the bill although it is included in the prioritized national legislative program. The main issue is not only the velocity of the bill, but also the accuracy on the needs of Indonesian citizens who are internet users. The government has to keep an eye on the bill because the global trend should respond proportionally to national interest.
There are some benefits for the government to accelerate the bill regarding data protection and personal information, such as having the government and public authorities increasingly cooperate in a variety of areas such as law enforcement, financial supervision, disaster relief, and many others that require the transfer of personal data. With the globalization of the economy, many businesses have structured their operations based on lines of business rather than geography, so that the ability to transfer data is instrumental to their success.
Many companies and private sector entities now routinely include data protection and trans-border data flows clause in their commercial agreement. This provision has been drafted on an ad hoc basis and had the advantage to be tailored fit on particular situations, where some of these companies apply the clause as a mandatory requirement in the commercial agreement.
The primary reason for the enactment of data protection and personal information is not only to ensure data protection rights and protect the privacy of the Indonesian citizens, but also to support companies or organizations' ability to use data for their business in technology and communications.
Ultimately, the focus should be on the sovereignty of information in the digital age, as transborder flow of personal data to other regions cannot be controlled.
Antonius Alexander Tigor is a master of law candidate in computer and communications law at the School of Law, Queen Mary University of London, United Kingdom. His views are his own.