After waiting since 2019, the Personal Data Protection Act (UU PDP) was finally approved for promulgation yesterday (20/9). This approval coincides with the increasing number of cases of leakage of residents’ data.

As stated in its considerations, this law guarantees citizens’ rights to personal protection and raises public awareness as well as recognition and respect for the importance of protecting personal data.

This law is expected to become a solid legal umbrella for managing and protecting citizens’ data and government administrators.

Protection of personal data is one of the human rights parts of personal safety. This particular protection is stated in Article 28G of the 1945 Constitution. This unique protection or privacy is universal because many countries recognize it.

Since May 2018, 28 member countries of the European Union (EU) have implemented the General Data Protection Regulation. This figure continues to grow in line with the need to protect citizens’ data.

In Indonesia, before this law was passed, personal data protection arrangements were spread across several rules and regulations, including Law Number 11 of 2008 in conjunction with Law Number 19 of 2016 concerning Information and Electronic Transactions, Law Number 39 of 1999 concerning Human Rights, Law Number 14 of 2008 concerning Public Information Disclosure, and Law Number 23 of 2006 in conjunction with Law Number 24 of 2013.

Industry 4.0 has driven the development of the digital world in Indonesia. Until now, Hootsuite (We are Social) 2022 data shows 204.7 million Indonesians use the internet and 93.5 percent are active social media users. The development of the digital world has also spawned several new cultures and behaviours, from uploading anything to online transactions.

This condition has yet to be followed by public and government awareness to protect personal data. Disclosure of personal data without control poses many risks of various criminal acts.

Bullying, threats, fraud, and account breaches are unavoidable. The most recent is hacker Bjorka who claims to have personal data belonging to Indonesian citizens, including several public officials.

Implementation Challenges

Many challenges will be faced in the implementation of the PDP Law. Minimizing risk is a shared responsibility, but the burden on the government’s shoulders is much heavier. The government manages residents’ data for public service needs.

There are those who, due to coercion, surrender their identities, such as identification numbers and family card numbers. Some are voluntary, for example, to apply as state civil servants. Against this, two essential things must be underlined: how to maintain its security and use it. Keep the information from becoming an economic commodity.

The second challenge is institutional. This law states that the implementation of personal data protection is carried out by an institution determined by and responsible to the president. There is no regulation regarding the position, institutional structure, or authority given to this institution.

The next challenge that will be closest to them is the 2024 Election. Many politicians are ready to fight for seats as president, regional heads, and assembly members. To avoid buying a cat in a sack, various attempts were made, including seeking information on the candidate’s background.

For the community, this information may be the basis for whether the candidate is eligible to be elected. Regarding this situation, controllers and processors of personal data must be careful because it could result in imprisonment of up to 6 years and a fine of up to IDR 6 billion. The information could be misused, even traded.

They were, finally, related to the behaviour of people who easily share personal data. For this reason, socialization in the form of digital literacy must be carried out massively so that people have the same understanding of the importance of protecting personal data. Collaborative governance needs to be encouraged to accelerate personal data protection goals.

The PDP Law is not the end of the struggle to protect personal data. There is still a long way to go for the government to implement regulations as soon as possible, especially in defining various embodiment concepts that are still very general, ensuring proper implementation and supervision, and synchronizing with other laws and regulations.

writing by Lina Miftahul Jannah, Lecturer in the Faculty of Administrative Sciences, the University of Indonesia, on