
Resigned in the Face of Data Leaks in Indonesia

Without the Personal Data Protection Act, it is believed that data leakage incidents will continue to repeat themselves

What can we do as users of digital services when the data we submit is leaked and traded on the black market? In Indonesia, the answer is almost nothing. The recent series of data leak cases shows that consumers are in the weakest position in this cycle.

With the fate of the Tokopedia and Kredit Plus data leaks still unclear, similar cases have occurred again. This time it was Cermati and RedDoorz that were targeted by hackers. Around 2.9 million records stolen from Cermati contained data ranging from email addresses, passwords, addresses, telephone numbers, income, banks, tax numbers, and identity numbers to the names of biological mothers. This data set is sensitive and valuable for trading.

More than 5.8 million records were stolen from RedDoorz. The data consists of names, email addresses, phone numbers, and order details. The hackers sold the logs for US$2,000 or around Rp. 28 million.

Apart from taking preventive steps, what can we do as users if we are harmed by a data leak that has already occurred?

Pratama Persadha, a cyber security researcher from the Communication and Information System Security Research Center (CISSReC), admitted that the current conditions make it difficult for digital platform consumers to sue electronic system and transaction providers (PSTE). The reason is that no legal liability can be imposed on PSTE for their negligence.

"In Indonesia, it is difficult for consumers to file lawsuits over leaks of personal data managed by PSTE. Meanwhile, consumers or the public are in a very weak position to hold PSTE accountable," said Pratama.

Pratama explained that there are actually sanctions that consumers can pursue under Minister of Communication and Information Technology Regulation Number 20 of 2016. Article 36 states that there are a number of administrative sanctions for those who violate the provisions, in the form of verbal warnings, written warnings, temporary suspension of activities, and/or announcements on online websites.

Viewed from any angle, this type of sanction is too light when compared to the risks that must be faced by users whose data has been scattered everywhere. Pratama believes that without the threat of serious punishment, it is almost certain that data leak incidents will continue to recur.

"PSTE has no obligation to secure it as well as possible because there is also no threat of punishment if it is negligent," added Pratama.

Damar Juniarto from the Southeast Asia Freedom of Expression Network (SAFEnet) emphasized that currently there is no mechanism that consumers can take, either civil or criminal, for the losses they suffer. Without regulations that truly protect the public as consumers and citizens, personal data protection is still just a matter of discourse.

"As long as there is no Personal Data Protection Act, it's hard to imagine there will be any improvement," said Damar.

Jumbo fines

Many people are clamoring for the PDP Bill to be ratified immediately as an official regulation. For years, the DPR has kept pushing aside the ratification of this regulation. Yet the situation on the ground shows that the PDP Bill is increasingly needed to protect people who are increasingly exposed to digital services.

One thing that is said to be able to prevent widespread data leaks is the system of fines that will be imposed on PSTE. The process of drafting the PDP Bill is often said to be oriented towards the European Union's GDPR (General Data Protection Regulation). Imposing heavy fines is one of the characteristics of GDPR. Not infrequently, this regulation can hit a guilty entity with a fine of tens to hundreds of millions of euros.

The problem in the discussion of the PDP Bill so far is that there is no certainty whether fines and administrative sanctions will be the main focus or whether criminal sanctions will be chosen instead. However, Charles Honoris, a member of Commission I of the DPR RI, said the regulation would leave out criminal sanctions to avoid overlapping with other regulations.

"In various debates, and in the input we received from several stakeholders, it would be good if the rules for criminal sanctions that are already regulated in other laws are no longer regulated in the PDP Law," said Charles, as quoted by Kompas.

One example of a jumbo fine is England demanding that Marriott pay a fine of 99 million pounds sterling, or around Rp. 1.8 trillion, for failing to protect its consumers' leaked data. Not long ago, England also sued British Airways for a fine of 183 million pounds sterling for its negligence. In the end, the two companies were let off with lower fines because they were facing financial difficulties due to the pandemic.

As long as these fines are not implemented in Indonesia, many parties doubt that there will be any meaningful changes in the digital security landscape. Without a serious threat to PSTE, a data leak incident is inevitable. Even worse, this could have a negative impact on consumer confidence.

However, it seems that the public will have to be more patient with the PDP Bill. The reason is that the DPR is unlikely to be able to pass the PDP Bill this year, given the short session period.

"My hope is that in 2020 we can have a PDP Law. But considering that there is only 1 month remaining in the trial period, it seems a bit difficult to realize," said Charles in a webinar with the Institute for Community Studies and Advocacy (ELSAM).

To date, not a single data leak case has been thoroughly investigated. In the Bukalapak, Tokopedia, Kredit Plus, Cermati and RedDoorz incidents, it is still unclear who is responsible. Questions should also be addressed to Kemenkominfo, the Financial Services Authority (OJK), and the National Cyber and Crypto Agency (BSSN), which are tasked with supervising PSTE and seeking their accountability towards consumers.
