Be Careful Sharing Personal Data

Exploring the contents of the draft PDP Bill and what personal data technology companies collect

The government has officially submitted a draft of the Personal Data Protection Law (PDP) to the Indonesian House of Representatives. This bill will be discussed immediately after the discussion of the Omnibus Law Bill is finished.

Based on the draft as of December 2019, the PDP Bill contains 72 articles and 15 chapters governing the definition of personal data, types, ownership rights, processing, exceptions, controllers and processors, delivery, authorized institutions that regulate personal data, and dispute resolution. In addition, it covers matters ranging from international cooperation to sanctions imposed for misuse of personal data.

While waiting for the regulation to be passed, which is in the hands of the DPR, it is worth understanding how it translates into daily life. What are the before and after impacts for the general public?

Understanding data types according to the draft PDP Bill

The draft PDP Bill defines personal data as any data about a person, whether identified and identifiable separately or combined with other information, directly or indirectly through electronic and non-electronic systems.

Personal data is divided into two types, namely general and specific data. Data falls into the general category when it is accessible through public services or listed on official identification, for example full name, gender, nationality, religion, and personal data that must be combined to make it possible to identify a person.

Meanwhile, specific data is data that is sensitive to the security and comfort of the life of the owner of personal data, namely health data and information, biometric data, genetic data, sexual orientation, political views, criminal records, children's data, personal financial data, and/or other data in accordance with statutory provisions. To obtain this data, consent from the owner is required.

What deserves appreciation and what needs improvement

According to SAFEnet Executive Director Damar Juniarto, the PDP Bill refers to one of the basics of the 1945 Constitution, article 28 paragraph G, which contains the philosophical basis underlying personal data protection, namely ensuring the self-protection of citizens.

Therefore, there are three things that must be included in the PDP Bill: the right to protection of one's person, family, honor, dignity and property; the right to security; and the right to protection from threats of fear of doing or not doing something.

He assessed the contents of the PDP Bill as a progressive step in ensuring certainty regarding the personal protection of citizens. "SAFEnet welcomes the presence of the PDP Bill which will soon be discussed in Commission I DPR RI," said Damar in a written statement.

This bill, he continued, succeeded in formulating the concept of enforcing data sovereignty; outlining a longer list of specific personal data than the April 2019 draft; recognizing important basic rights in the principle of the right to privacy, such as the need for citizen consent in data collection, the right to correction, and the right to withdraw data; specifying how long it takes when citizens withdraw their data; and providing sanctions for violations.

On the other hand, what needs improvement is the reduction of important issues that have been causing public concern, such as questions of profiling, illegal wiretapping by state institutions and corporations, alleged buying and selling of personal data by state institutions, and discriminatory sanctions against individuals and corporations who commit violations.

"Profiling can only be stopped if a citizen raises an objection as stated in article 10. Frankly, in SAFEnet's view, this is not enough. Profiling must be included in specific personal data because it is important protection from attempts to threaten a person's self and protects the right to do or not do something."

Illegal tapping means an attempt to extract personal data by planting spyware on smartphone devices, collecting data via a cloud whose existence is unknown, or applying AI in the form of facial recognition technology.

Discrimination with different legal sanctions threatens the sense of justice expected by society regarding the right to privacy. The ITE Law, which was passed more than 10 years ago, has problems related to the number of people convicted and the criminal process during law enforcement and unfair trials.

"Reflection on the implementation of digital law needs to be taken into consideration in determining appropriate legal sanctions for those who commit personal data violations."

In his view, the PDP Bill in general narrows the right to privacy to the protection of personal data only, so what should be the scope of this law is reduced to the issue of personal data. In fact, data today is closely tied to the life of the person who owns it, and if it is misused it endangers that person's life because they become vulnerable to crime.

“There is a right to a sense of security attached to it [the PDP Bill]. Therefore, it is clearly felt in the PDP Bill that the meaning of personal data is considered to be just a commodity. Even though personal data is not just a commodity, but rather concerns virtual human dignity, what must be protected in this PDP Bill is the person, not just the data.”

When approved...

If this law is passed, you will have the greatest power you can exercise against the companies that collect your data, along with obligations on them if you ask for it to be deleted. Beyond that comes the biggest right, or perhaps the most contested one, namely the ability to stop companies from selling your data to other parties, such as advertisers.

Selling data is the most annoying thing for consumers. This does not apply when you knowingly upload a photo to your Facebook account or enter your home address in an e-commerce application. It is different when they cash in on it, so that another company you have never visited creates a profile of you without your knowledge or consent.

The word "sell" does not literally have to mean a payment in money. If the company gets something or some other benefit from passing your data to others, this can be categorized as a sale. The only exception applies when a company sends data to a “service provider”, for example when an e-commerce site shares your credit card number to process payment and complete the sale.

The issue of selling data is very sensitive in the eyes of technology companies, especially titans like Google and Facebook, especially when the Cambridge Analytica scandal hit Facebook. Data is the new oil.

The PDP Bill also applies to office buildings, which often ask for visitor data and facial photos. The regulation provides for data collectors to declare their purpose for taking data and to guarantee its protection, because there are often concerns that data could be leaked anywhere and at any time.

Global companies' concern for data security

The report published by Ranking Digital Rights last year, entitled The 2019 Ranking Digital Rights Corporate Accountability Index, offers an introductory basis for understanding how much global technology companies care about the security of their users' data.

Of the companies surveyed, several are present in Indonesia, so the report is more or less relevant here. It stated that out of 24 well-known global technology and telecommunications companies, Microsoft was in first place, followed by Google and Verizon Media. Among telecommunications companies, the leaders were Telefonica, Vodafone, and AT&T.

The 35 indicators for the 24 companies evaluated examine commitments, policies and practices that impact freedom of expression and privacy, including corporate governance and accountability mechanisms. The index score represents the extent to which a company meets minimum standards. Several companies score above 50 (on a scale of 100).

Overall there has been some progress, although problems remain since the Index was released in 2015. Namely, people still lack basic information about who controls their ability to connect, talk online, or access information, and who can access their personal information in what situations.

Governments in a number of countries have been quite responsive, issuing various supporting regulations. Companies, by contrast, have not clearly communicated firm steps of their own to respect user rights. As a result, most companies still fail to disclose important aspects of how they handle and secure personal data.

“Despite new regulations in the European Union and other countries, most of the world's internet users still lack basic facts about who can access their personal information under what circumstances, and how to control its collection and use. Some companies were found to be disclosing more than required by law,” wrote the 2019 RDR Index report.

What data is collected and how to stop it

Facebook and other technology companies are essentially trying to create data banks, taking as much information as possible from users in order to build up someone's profile. The aim is none other than to find inspiration for what products consumers need now and will need in the future, so that when they are launched they are right on target.

For fintech applications, it is more or less similar. Why can they disburse funds quickly? Because there is digital data, to which users have opened access, that is analyzed by smart machines. Before the OJK intervened, they could access various data such as the photo gallery, contact list, SMS, calendar, camera, microphone, and others that are actually of little relevance to the function of the application itself.

After downloading, a pop-up notification usually appears with various access requests, without explaining why the access is being requested. Unfortunately, if one of these requests is intentionally denied, in the majority of applications features break in ways that disrupt the user experience. This ends up forcing the user to grant all requested access.

Following the emergence of illegal fintech players and their victims, access to users' smartphone data is now limited to just the camera, location and microphone. These are the three kinds of access permitted by the regulator for legal fintech players.

How to find out what data is requested by the application is actually quite easy and can be checked yourself. On Google Play, in the "About this app" section, try checking at the bottom for detailed information regarding the application. It will say “App permissions,” then select “See more.” There you will clearly see what information access is requested by the application.

Companies generally also link their privacy policy at the bottom of their website. It states what data they take from users, explains the purpose of use, and sets out their commitment to protecting user privacy from third parties.

Unfortunately, because it is placed at the bottom, it rarely catches users' attention. The text is long and the font is small, giving users more reason not to read it to the end, even though the information it contains is very important.

Gojek

In the Privacy Policy they explain details of data collected directly from users or their mobile devices, each time they use an application or visit a website, and information collected from third parties.

The full details of the data are listed on Gojek's site. Some of these include name, address, date of birth, occupation, telephone number, fax, e-mail, bank account, credit card details, gender, official identification number, and biometric information.

In one of the clauses, Gojek opens the opportunity to withdraw data with reasonable notice in writing. The consequence for users is that their account is terminated and they cannot use the application or service in the future.

Tokopedia

Tokopedia is not much different. It collects data submitted independently by users, including but not limited to data from filling out surveys on behalf of the company, interacting with other users through message features, product discussions, reviews, ratings, and detailed transaction data. It also collects real location data such as IP address, Wi-Fi location, and geolocation, as well as cookie data, pixel tags, data on the device used to access the site, and other data obtained from other sources.

When explored further, users are not given the freedom to delete data. Tokopedia will store information as long as the user's account remains active and can delete it in accordance with applicable legal regulations.

Bukalapak

Meanwhile, Bukalapak accepts requests for data deletion accompanied by valid proof of identity and the reason for the deletion request. Bukalapak will grant the request if it meets the conditions set by the company.

Taking just these three applications as examples gives a clear picture that the PDP Bill is very important for restoring users' full control over their data. Indeed, companies have an obligation to protect users if there is potential fraud, but doesn't the data owner have more control over that?

Looking at global technology companies, some of them provide features for closing off data access exploited by third parties. Facebook and Google have released such features; although there are still doubts about their intentions, users are now given control to limit access to their data.

Google (including YouTube)

Google's main revenue is advertising. Advertising revenue from YouTube last year reached $15 billion, more than the combined advertising revenue of three private TV stations in the US, namely ABC, NBC and Fox. Google claims to operate its ad network internally. However, if you want to stop Google from sharing data with its own divisions, there are tools at your disposal. This option is called “Ad personalization.” Just slide the toggle to turn off the personalization.

Facebook

Whether or not this company actually sells user data, this social media platform gives third parties access to a number of pieces of user information, for example date of birth and email address. Spotify, for instance, allows you to register as a user via Facebook.

To close this access, simply go to the Facebook page, then go to Settings > Apps and Websites. There you will see which third parties can access your Facebook data; just click on the one you want to disconnect.

Twitter

Twitter provides an option for all users who want to opt out of personalized advertising based on habits. You do this by going to the Settings and privacy > Privacy and safety > Personalization and data page and sliding the button to the left to turn it off.

Spotify

This music streaming application admits that it is not really sure whether the way it shares data counts as a sale, referring to regulations in California. However, it provides a tool for users who want to cut Spotify off from advertisers, by turning off the “Tailored ads” toggle in the Privacy settings page. This tool allows Spotify to use any data from your Facebook account to target ads to you.