Privacy at stake with widespread trading of

personal data
Ghina Ghaliya

The Jakarta Post / Jakarta / Mon, August 5 2019

Ratri, 30, was appalled to receive a bill of Rp 3 million (US$211) from a loan company for
purchases she never made.

In an incident in May last year, the company insisted she pay because it had documents
containing her personal data that confirmed her loan application for the purchases. Five other
incidents then occurred. The most recent one was someone spreading her e-ID card picture on a
Facebook group, saying that she was an online shop fraudster.

The resident of Malang, East Java, became worried and reported to the police. But the case was
dropped, as the police said she did not incur losses.

“I don’t know what [the perpetrators] will do again with my data. I am scared and embarrassed to
death that my e-ID card picture has been spread online,” Ratri told The Jakarta Post recently.

Despite the existence of a number of laws, Indonesia is the “Wild Wild West” when it comes to
personal privacy and how companies collect data. Data theft and trading is so rampant that
anyone can easily get text messages, phone calls and emails offering loans and other items from
unknown individuals or companies.

It is also not uncommon that banks charge customers on their credit cards for purchases they
never made. The financial institutions were often as clueless as the purchases were often made
online by unknown parties that have retrieved the customers’ credit card information.

Ratri is not the only one receiving unknown bills. A similar incident happened to Vivi Permata
just a month ago. The 23-year-old suddenly received debt payment demands from an online
lender through SMS and phone calls for items she did not purchase.

The amounts ranged from hundreds of thousands of rupiah to Rp 2 million. As she did not
respond to the demands, the company began to contact people related to her.

Vivi said she had no idea how the company found her name or phone number and, even worse,
had access to her contact list.

“They’ve called my coworkers too. This is bad and disturbing,” Vivi said.
To the loan company that had charged her with the bill, Ratri explained that she never gave it to
any of the company’s officials.

Key points in draft personal data protection bill

 Personal data protection includes general and specific data. Former consists of information in
official identification documents. Latter includes medical records, financial records, biometric
data and criminal records.

 Data controllers or processors — either individuals or institutions — that share specific data
are punishable with imprisonment, a fine of up to Rp 5 billion (US$351,325)

 Data controllers or processors that utilize data for commercial use are punishable with
imprisonment and a fine of up to Rp 100 billion.

 Any individual who buys or sells personal data of other people will be fined up to Rp 5
billion.

 Buying and selling personal data of any kind is forbidden.

The company admitted there had been errors in its data verification. It apologized but refused to
explain how her personal information landed on their desk. It also refused to reveal the officials
related to the fictitious loan application.

The Home Ministry’s population and civil registration director general, Zudan Arif Fakrulloh,
said personal data leaks happened because many companies still asked people to fill in forms for
identification, which made it easier for anyone to collect, copy and sell it. Companies can also
trade or share data with their subsidiaries, he said.

“There is a risk when we submit our mobile number when opening a bank account, insurance
policy, checking in at a hotel or purchasing something at an online store. Many perpetrators
collect the data through these processes,” Zudan said.

He also explained that there were over 30 different laws, including the 2013 Citizenship
Administration Law and the 2016 Electronic Information and Transactions (ITE) Law, that deal
with personal data protection, but monitoring and supervision was still very low.

The 2013 law, for example, mandates a maximum of two years imprisonment for personal data
spreaders with a maximum fine of Rp 25 million.

“We suggest companies work with us to share citizens’ personal information so customers don’t
have to fill in forms. All they have to do is mention their ID card number for identification,” he
said.
The government is preparing a new draft bill on personal data protection, which would outlaw
the sharing of citizens’ personal data or trading it for commercial use without their consent.

Institute for Policy Research and Advocacy (ELSAM) researcher Wahyudi Djafar said existing
laws were very weak in protecting people’s privacy.

“Indonesia is considered very weak in personal data protection. Europe, for example, is still
reluctant to share data with Indonesia because of the weak regulations. We are behind Singapore,
the Philippines, Laos and Malaysia that have stronger regulations,” he said.

Wahyudi also said violations are underreported. According to ELSAM’s study in 2017, there had
been 33 cases since 2013, which include theft from personal data systems and individuals and
institutions leaking data that they have formal access to.

Indonesian Democratic Party of Struggle (PDI-P) lawmaker Charles Honoris said he welcomed
and looked forward to the deliberation of the personal data protection draft bill, which has shown
the government’s intention to protect citizens.

But Charles said the draft text was far from perfect. He said it had yet to define the institution
that would become the data protection authority that would monitor and analyze personal data
use and monitor violations.

The existence of the new authority, Charles said, was expected to improve law enforcement.

Other countries that have data protection laws have independent institutions as regulators that
also have the authority to investigate alleged violations.

“[The personnel of the authority] must be competent. They can be taken from [ministries] or
recruiting professionals,” Charles said.

But he emphasized that the authority should not be under existing ministries because the
institutions were prone to abuse.

The Communications and Information Ministry’s information applications director general,

Semuel Pangerapan, said the government would support the independent body’s establishment.

“The institution should be independent. We will discuss it with lawmakers,” he said.