Dawn Raids: Towards A Better Security For Digital Citizens

Published in ILMS Chronicles (ILMS FH UI), Apr 17, 2021

by Yeselia Salim

source: Luke Chesser (Unsplash)

The zeitgeist of this digital era is definitely the public concern over personal data protection. Data has become a new commodity more valuable than oil in today’s “data economy”. The personal data of potential customers is undeniably a cornerstone for businesses and firms, particularly for technology companies such as Tokopedia, Google, Instagram, and Gojek. This technological advancement has put online privacy at risk, and this is where the law plays a role. There needs to be an equilibrium between the development of technology and law.

Although a comprehensive legal framework for personal data protection does not yet exist, the existing provisions on personal data protection in Indonesia are scattered across various laws, such as Minister of Communication and Information Regulation №20 of 2016 on Protection of Personal Data in Electronic Systems (“MoCI Regulation №20/2016”), Government Regulation №71 of 2019 on Implementation of Electronic System and Transactions (“GR №71/2019”), and the list goes on to more than 30 regulations.[1] As it stands, Indonesia lacks a robust legal framework that acts as an umbrella for these scattered regulations.

For this reason, the government is currently pushing the legislation of the Personal Data Protection Bill. The bill is inspired by the General Data Protection Regulation from the European Union that regulates and sets the standard for data protection and privacy. In the meantime, the latest and most comprehensive regulations on personal data protection are provided by GR №71/2019 and MoCI Regulation №20/2016. Both laws set out the rights and obligations of electronic system operators, data controllers, data processors, and personal data owners. They also contain provisions on data protection and privacy, data localization, data breach notification, data deletion, electronic certifications, sanctions, and many more. Nonetheless, the bill and the regulations are not the main issue here, as the material concerning both the bill and the regulations has mostly been addressed by the existing literature.

Unfortunately, in recent years, personal data breaches have become more common. These cases involved large e-commerce companies such as Tokopedia, Bukalapak, and Bhinneka.com, and even government bodies, as with the stolen data on COVID-19 patients and the General Election Commission. The main problem with the current legal framework lies in its enforcement. The current situation seems to depend only on each electronic system operator’s best practice. However, these “best practices” still do not seem to be enough. With 91 million personal data stolen in Tokopedia’s case, the e-commerce platform allegedly failed to notify personal data owners regarding the unlawful possession of the personal data by a third party. This data leak also proved the incompetence and unreliability of Tokopedia’s security systems on personal data protection. Similarly, weak security systems were also at issue in the other cases listed above. These putative violations breached the provisions of Article 14(5) of GR №71/2019 jo. Article 2(2)(f) and Article 28(c) MoCI Regulation №20/2016.

Without a doubt, there are still many operators or other small companies that experience data leaks that go undetected by law enforcement or the media. The conclusion that can be derived from these unfortunate events is that the supervision of electronic system operators in Indonesia should be optimized. As a matter of fact, Article 35(1) of GR №71/2019 grants the Ministry of Communication and Information Technology the authority to carry out supervision including monitoring (pemantauan), controlling (pengendalian), inspection (pemeriksaan), tracing (penelusuran), and securing (pengamanan). This raises the question of whether the supervision by the Ministry is really effective.

Understanding the approach taken in a different legal system towards data protection may contribute positively to the development of Indonesian law. In this case, the particular practice of the United Kingdom (“UK”) will be observed. The UK has special legislation which grants the Information Commissioner’s Office (“ICO”) the power to conduct dawn raids on companies that collect personal data. Through a written notice (assessment notice), the ICO may require a controller or processor that collects personal data to permit the Commissioner to assess whether they have been complying with the data protection law.[2]

Interestingly, the ICO plays an impactful role as an investigator. The ICO has the power to enter, search, inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for personal data processing.[3] This includes inspecting and searching for relevant documents, IT networks, hardware, data storage, servers, and others.[4] Moreover, the Commissioner may seize and remove those relevant documents and hardware.[5] They may further ask employees or anyone on the premises to provide more information or further explanation on any document or other materials found during the investigation.[6] Lastly, the Commissioner may also use reasonable force as may be necessary to execute the warrant.[7] However, there are some limitations to its power: according to Section 147 of the Data Protection Act (“DPA”), the Commissioner is restricted from obtaining legally privileged information such as confidential communication between a legal professional and their client containing legal advice with regards to obligations, liabilities, or rights under the data protection law.[8]

The ICO dawn raid is certainly stressful for every controller or processor handling personal data. Nonetheless, the significant warrant powers that the ICO holds certainly play an important role in facing the data-driven society. Since the enactment of the DPA in 2018, the ICO has taken 58 enforcement actions in total, including the issuance of fines to firms that have breached the principles of data processing as regulated under the DPA. Lead Works Ltd was fined by the ICO for a total of £330,000 for sending spam marketing text messages to more than 2 million individuals without their consent. Spam marketing text messages are something that we receive more than 2 times a day on average. This proves that our personal information such as phone numbers has been exposed and exploited by irresponsible individuals or legal entities. However, this simple act still becomes a challenge for us as digital citizens since there is very weak enforcement from the government regarding data protection.

Therefore, it is important that Indonesia has a separate government entity to conduct dawn raids on the data controller’s or data processor’s system which has complied with the regulatory requirements to ensure maximum enforcement of the current data protection legislation. Beyond ensuring that data controllers and processors comply with the relevant data protection laws, the dawn raids of the ICO have certainly pushed consumers to be more aware of their personal information and to build a digital culture that upholds the protection of every individual’s privacy and confidential personal information in every connected network.

To catch up with the zeitgeist of this era, the government has to quickly install a robust legal framework for personal data protection in Indonesia. A separate government agency that specializes in the implementation, supervision, and enforcement of data protection requirements, such as the ICO in the UK, is necessary. The powers that the ICO holds may seem very intrusive to a company, but undoubtedly, the power that personal data controllers or processors hold is just as intrusive to every individual as well. In this case, an Indonesian version of the ICO will act as a specialized force to ensure that the provisions and requirements related to data protection are implemented by every electronic system operator. In case of failure to comply with the requirements, this Indonesian version of the ICO may also impose sanctions on the data controller or processor. To make it easier to visualize, this Indonesian ICO may have a similar authority and enforcement power to the Indonesian Competition Commission, which has the power to fine companies that practice unfair competition.

Reflecting on the UK’s system, it is hoped that the personal data protection bill can be passed at least within the year 2021 in Indonesia. Along with the bill, the government should also set out specific guidelines and a framework for clear definitions of particular terms and standards. These guidelines may further be elaborated in a circular letter or by adding a more comprehensive explanation of the articles. As an example, there needs to be a clear illustration of what constitutes personal data and what does not, because non-personal data does not necessarily need to be protected with a special security system. Without substantive and practical explanation from the government, it would be difficult for any data controller or processor to match its standards to what is intended by the government. This is also to avoid any misinterpretation by any party and to prevent this misinterpretation or confusion from becoming a justification for certain parties to carry out data processing. In the end, all of the efforts in protecting personal data would be in line with the Constitution of the Republic of Indonesia (1945), which guarantees the protection of various rights, including privacy.[9]

[1] Indonesia, Minister of Communication and Information Regulation on Protection of Personal Data in Electronic Systems, №20 Year 2016, State Gazette №1829 Year 2016; Indonesia, Government Regulation on Implementation of Electronic System and Transactions, №71 Year 2019, State Gazette №185 Year 2019. Add. Gazette №6400 Year 2019.

[2] Data Protection Act. 2018. Section 146. United Kingdom: Parliament. https://www.legislation.gov.uk/ukpga/2018/12/section/146/enacted

[3] Data Protection Act. 2018. Schedule 15, para. (5). United Kingdom: Parliament. https://www.legislation.gov.uk/ukpga/2018/12/schedule/15/paragraph/5/enacted

[4] Ibid.

[5] Ibid.

[6] Ibid.

[7] Data Protection Act. 2018. Schedule 15, para. (7). United Kingdom: Parliament. https://www.legislation.gov.uk/ukpga/2018/12/schedule/15/paragraph/7/enacted

[8] Data Protection Act. 2018. Section 147. United Kingdom: Parliament. https://www.legislation.gov.uk/ukpga/2018/12/section/147/enacted

[9] Indonesia, 1945 State Constitution of the Republic of Indonesia, Art. 28 para. (G).


The International Law Moot Court Society (ILMS), Faculty of Law, Universitas Indonesia